HDFS-3553. Hftp proxy tokens are broken (daryn)
git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@1366471 13f79535-47bb-0310-9956-ffa450edef68
This commit is contained in:
parent
b3b72482e4
commit
cbd59c1c50
|
@ -1411,6 +1411,8 @@ Release 0.23.3 - UNRELEASED
|
||||||
HDFS-3696. Set chunked streaming mode in WebHdfsFileSystem write operations
|
HDFS-3696. Set chunked streaming mode in WebHdfsFileSystem write operations
|
||||||
to get around a Java library bug causing OutOfMemoryError. (szetszwo)
|
to get around a Java library bug causing OutOfMemoryError. (szetszwo)
|
||||||
|
|
||||||
|
HDFS-3553. Hftp proxy tokens are broken (daryn)
|
||||||
|
|
||||||
Release 0.23.2 - UNRELEASED
|
Release 0.23.2 - UNRELEASED
|
||||||
|
|
||||||
INCOMPATIBLE CHANGES
|
INCOMPATIBLE CHANGES
|
||||||
|
|
|
@ -487,12 +487,17 @@ public class JspHelper {
|
||||||
*/
|
*/
|
||||||
public static UserGroupInformation getDefaultWebUser(Configuration conf
|
public static UserGroupInformation getDefaultWebUser(Configuration conf
|
||||||
) throws IOException {
|
) throws IOException {
|
||||||
|
return UserGroupInformation.createRemoteUser(getDefaultWebUserName(conf));
|
||||||
|
}
|
||||||
|
|
||||||
|
private static String getDefaultWebUserName(Configuration conf
|
||||||
|
) throws IOException {
|
||||||
String user = conf.get(
|
String user = conf.get(
|
||||||
HADOOP_HTTP_STATIC_USER, DEFAULT_HADOOP_HTTP_STATIC_USER);
|
HADOOP_HTTP_STATIC_USER, DEFAULT_HADOOP_HTTP_STATIC_USER);
|
||||||
if (user == null || user.length() == 0) {
|
if (user == null || user.length() == 0) {
|
||||||
throw new IOException("Cannot determine UGI from request or conf");
|
throw new IOException("Cannot determine UGI from request or conf");
|
||||||
}
|
}
|
||||||
return UserGroupInformation.createRemoteUser(user);
|
return user;
|
||||||
}
|
}
|
||||||
|
|
||||||
private static InetSocketAddress getNNServiceAddress(ServletContext context,
|
private static InetSocketAddress getNNServiceAddress(ServletContext context,
|
||||||
|
@ -538,64 +543,45 @@ public class JspHelper {
|
||||||
HttpServletRequest request, Configuration conf,
|
HttpServletRequest request, Configuration conf,
|
||||||
final AuthenticationMethod secureAuthMethod,
|
final AuthenticationMethod secureAuthMethod,
|
||||||
final boolean tryUgiParameter) throws IOException {
|
final boolean tryUgiParameter) throws IOException {
|
||||||
final UserGroupInformation ugi;
|
UserGroupInformation ugi = null;
|
||||||
final String usernameFromQuery = getUsernameFromQuery(request, tryUgiParameter);
|
final String usernameFromQuery = getUsernameFromQuery(request, tryUgiParameter);
|
||||||
final String doAsUserFromQuery = request.getParameter(DoAsParam.NAME);
|
final String doAsUserFromQuery = request.getParameter(DoAsParam.NAME);
|
||||||
|
final String remoteUser;
|
||||||
|
|
||||||
if(UserGroupInformation.isSecurityEnabled()) {
|
if (UserGroupInformation.isSecurityEnabled()) {
|
||||||
final String remoteUser = request.getRemoteUser();
|
remoteUser = request.getRemoteUser();
|
||||||
String tokenString = request.getParameter(DELEGATION_PARAMETER_NAME);
|
final String tokenString = request.getParameter(DELEGATION_PARAMETER_NAME);
|
||||||
if (tokenString != null) {
|
if (tokenString != null) {
|
||||||
Token<DelegationTokenIdentifier> token =
|
// Token-based connections need only verify the effective user, and
|
||||||
new Token<DelegationTokenIdentifier>();
|
// disallow proxying to different user. Proxy authorization checks
|
||||||
token.decodeFromUrlString(tokenString);
|
// are not required since the checks apply to issuing a token.
|
||||||
InetSocketAddress serviceAddress = getNNServiceAddress(context, request);
|
ugi = getTokenUGI(context, request, tokenString, conf);
|
||||||
if (serviceAddress != null) {
|
checkUsername(ugi.getShortUserName(), usernameFromQuery);
|
||||||
SecurityUtil.setTokenService(token, serviceAddress);
|
checkUsername(ugi.getShortUserName(), doAsUserFromQuery);
|
||||||
token.setKind(DelegationTokenIdentifier.HDFS_DELEGATION_KIND);
|
} else if (remoteUser == null) {
|
||||||
}
|
throw new IOException(
|
||||||
ByteArrayInputStream buf = new ByteArrayInputStream(token
|
"Security enabled but user not authenticated by filter");
|
||||||
.getIdentifier());
|
}
|
||||||
DataInputStream in = new DataInputStream(buf);
|
} else {
|
||||||
DelegationTokenIdentifier id = new DelegationTokenIdentifier();
|
// Security's not on, pull from url or use default web user
|
||||||
id.readFields(in);
|
remoteUser = (usernameFromQuery == null)
|
||||||
if (context != null) {
|
? getDefaultWebUserName(conf) // not specified in request
|
||||||
final NameNode nn = NameNodeHttpServer.getNameNodeFromContext(context);
|
: usernameFromQuery;
|
||||||
if (nn != null) {
|
}
|
||||||
// Verify the token.
|
|
||||||
nn.getNamesystem().verifyToken(id, token.getPassword());
|
if (ugi == null) { // security is off, or there's no token
|
||||||
}
|
ugi = UserGroupInformation.createRemoteUser(remoteUser);
|
||||||
}
|
checkUsername(ugi.getShortUserName(), usernameFromQuery);
|
||||||
ugi = id.getUser();
|
if (UserGroupInformation.isSecurityEnabled()) {
|
||||||
if (ugi.getRealUser() == null) {
|
|
||||||
//non-proxy case
|
|
||||||
checkUsername(ugi.getShortUserName(), usernameFromQuery);
|
|
||||||
checkUsername(null, doAsUserFromQuery);
|
|
||||||
} else {
|
|
||||||
//proxy case
|
|
||||||
checkUsername(ugi.getRealUser().getShortUserName(), usernameFromQuery);
|
|
||||||
checkUsername(ugi.getShortUserName(), doAsUserFromQuery);
|
|
||||||
ProxyUsers.authorize(ugi, request.getRemoteAddr(), conf);
|
|
||||||
}
|
|
||||||
ugi.addToken(token);
|
|
||||||
} else {
|
|
||||||
if(remoteUser == null) {
|
|
||||||
throw new IOException("Security enabled but user not " +
|
|
||||||
"authenticated by filter");
|
|
||||||
}
|
|
||||||
final UserGroupInformation realUgi = UserGroupInformation.createRemoteUser(remoteUser);
|
|
||||||
checkUsername(realUgi.getShortUserName(), usernameFromQuery);
|
|
||||||
// This is not necessarily true, could have been auth'ed by user-facing
|
// This is not necessarily true, could have been auth'ed by user-facing
|
||||||
// filter
|
// filter
|
||||||
realUgi.setAuthenticationMethod(secureAuthMethod);
|
ugi.setAuthenticationMethod(secureAuthMethod);
|
||||||
ugi = initUGI(realUgi, doAsUserFromQuery, request, true, conf);
|
}
|
||||||
|
if (doAsUserFromQuery != null) {
|
||||||
|
// create and attempt to authorize a proxy user
|
||||||
|
ugi = UserGroupInformation.createProxyUser(doAsUserFromQuery, ugi);
|
||||||
|
ProxyUsers.authorize(ugi, request.getRemoteAddr(), conf);
|
||||||
}
|
}
|
||||||
} else { // Security's not on, pull from url
|
|
||||||
final UserGroupInformation realUgi = usernameFromQuery == null?
|
|
||||||
getDefaultWebUser(conf) // not specified in request
|
|
||||||
: UserGroupInformation.createRemoteUser(usernameFromQuery);
|
|
||||||
realUgi.setAuthenticationMethod(AuthenticationMethod.SIMPLE);
|
|
||||||
ugi = initUGI(realUgi, doAsUserFromQuery, request, false, conf);
|
|
||||||
}
|
}
|
||||||
|
|
||||||
if(LOG.isDebugEnabled())
|
if(LOG.isDebugEnabled())
|
||||||
|
@ -603,21 +589,34 @@ public class JspHelper {
|
||||||
return ugi;
|
return ugi;
|
||||||
}
|
}
|
||||||
|
|
||||||
private static UserGroupInformation initUGI(final UserGroupInformation realUgi,
|
private static UserGroupInformation getTokenUGI(ServletContext context,
|
||||||
final String doAsUserFromQuery, final HttpServletRequest request,
|
HttpServletRequest request,
|
||||||
final boolean isSecurityEnabled, final Configuration conf
|
String tokenString,
|
||||||
) throws AuthorizationException {
|
Configuration conf)
|
||||||
final UserGroupInformation ugi;
|
throws IOException {
|
||||||
if (doAsUserFromQuery == null) {
|
final Token<DelegationTokenIdentifier> token =
|
||||||
//non-proxy case
|
new Token<DelegationTokenIdentifier>();
|
||||||
ugi = realUgi;
|
token.decodeFromUrlString(tokenString);
|
||||||
} else {
|
InetSocketAddress serviceAddress = getNNServiceAddress(context, request);
|
||||||
//proxy case
|
if (serviceAddress != null) {
|
||||||
ugi = UserGroupInformation.createProxyUser(doAsUserFromQuery, realUgi);
|
SecurityUtil.setTokenService(token, serviceAddress);
|
||||||
ugi.setAuthenticationMethod(
|
token.setKind(DelegationTokenIdentifier.HDFS_DELEGATION_KIND);
|
||||||
isSecurityEnabled? AuthenticationMethod.PROXY: AuthenticationMethod.SIMPLE);
|
|
||||||
ProxyUsers.authorize(ugi, request.getRemoteAddr(), conf);
|
|
||||||
}
|
}
|
||||||
|
|
||||||
|
ByteArrayInputStream buf =
|
||||||
|
new ByteArrayInputStream(token.getIdentifier());
|
||||||
|
DataInputStream in = new DataInputStream(buf);
|
||||||
|
DelegationTokenIdentifier id = new DelegationTokenIdentifier();
|
||||||
|
id.readFields(in);
|
||||||
|
if (context != null) {
|
||||||
|
final NameNode nn = NameNodeHttpServer.getNameNodeFromContext(context);
|
||||||
|
if (nn != null) {
|
||||||
|
// Verify the token.
|
||||||
|
nn.getNamesystem().verifyToken(id, token.getPassword());
|
||||||
|
}
|
||||||
|
}
|
||||||
|
UserGroupInformation ugi = id.getUser();
|
||||||
|
ugi.addToken(token);
|
||||||
return ugi;
|
return ugi;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -31,8 +31,13 @@ import org.apache.hadoop.hdfs.DFSConfigKeys;
|
||||||
import org.apache.hadoop.hdfs.HdfsConfiguration;
|
import org.apache.hadoop.hdfs.HdfsConfiguration;
|
||||||
import org.apache.hadoop.hdfs.security.token.delegation.DelegationTokenIdentifier;
|
import org.apache.hadoop.hdfs.security.token.delegation.DelegationTokenIdentifier;
|
||||||
import org.apache.hadoop.hdfs.server.namenode.NameNodeHttpServer;
|
import org.apache.hadoop.hdfs.server.namenode.NameNodeHttpServer;
|
||||||
|
import org.apache.hadoop.hdfs.web.resources.DoAsParam;
|
||||||
|
import org.apache.hadoop.hdfs.web.resources.UserParam;
|
||||||
import org.apache.hadoop.io.Text;
|
import org.apache.hadoop.io.Text;
|
||||||
import org.apache.hadoop.security.UserGroupInformation;
|
import org.apache.hadoop.security.UserGroupInformation;
|
||||||
|
import org.apache.hadoop.security.UserGroupInformation.AuthenticationMethod;
|
||||||
|
import org.apache.hadoop.security.authorize.AuthorizationException;
|
||||||
|
import org.apache.hadoop.security.authorize.ProxyUsers;
|
||||||
import org.apache.hadoop.security.token.Token;
|
import org.apache.hadoop.security.token.Token;
|
||||||
import org.apache.hadoop.security.token.TokenIdentifier;
|
import org.apache.hadoop.security.token.TokenIdentifier;
|
||||||
import org.apache.hadoop.security.token.delegation.AbstractDelegationTokenSecretManager;
|
import org.apache.hadoop.security.token.delegation.AbstractDelegationTokenSecretManager;
|
||||||
|
@ -136,4 +141,262 @@ public class TestJspHelper {
|
||||||
Assert.assertEquals("", delegationTokenParam);
|
Assert.assertEquals("", delegationTokenParam);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@Test
|
||||||
|
public void testGetUgiFromToken() throws IOException {
|
||||||
|
conf.set(DFSConfigKeys.FS_DEFAULT_NAME_KEY, "hdfs://localhost:4321/");
|
||||||
|
ServletContext context = mock(ServletContext.class);
|
||||||
|
String realUser = "TheDoctor";
|
||||||
|
String user = "TheNurse";
|
||||||
|
conf.set(DFSConfigKeys.HADOOP_SECURITY_AUTHENTICATION, "kerberos");
|
||||||
|
UserGroupInformation.setConfiguration(conf);
|
||||||
|
UserGroupInformation ugi;
|
||||||
|
HttpServletRequest request;
|
||||||
|
|
||||||
|
Text ownerText = new Text(user);
|
||||||
|
DelegationTokenIdentifier dtId = new DelegationTokenIdentifier(
|
||||||
|
ownerText, ownerText, new Text(realUser));
|
||||||
|
Token<DelegationTokenIdentifier> token = new Token<DelegationTokenIdentifier>(
|
||||||
|
dtId, new DummySecretManager(0, 0, 0, 0));
|
||||||
|
String tokenString = token.encodeToUrlString();
|
||||||
|
|
||||||
|
// token with no auth-ed user
|
||||||
|
request = getMockRequest(null, null, null);
|
||||||
|
when(request.getParameter(JspHelper.DELEGATION_PARAMETER_NAME)).thenReturn(
|
||||||
|
tokenString);
|
||||||
|
ugi = JspHelper.getUGI(context, request, conf);
|
||||||
|
Assert.assertNotNull(ugi.getRealUser());
|
||||||
|
Assert.assertEquals(ugi.getRealUser().getShortUserName(), realUser);
|
||||||
|
Assert.assertEquals(ugi.getShortUserName(), user);
|
||||||
|
checkUgiFromToken(ugi);
|
||||||
|
|
||||||
|
// token with auth-ed user
|
||||||
|
request = getMockRequest(realUser, null, null);
|
||||||
|
when(request.getParameter(JspHelper.DELEGATION_PARAMETER_NAME)).thenReturn(
|
||||||
|
tokenString);
|
||||||
|
ugi = JspHelper.getUGI(context, request, conf);
|
||||||
|
Assert.assertNotNull(ugi.getRealUser());
|
||||||
|
Assert.assertEquals(ugi.getRealUser().getShortUserName(), realUser);
|
||||||
|
Assert.assertEquals(ugi.getShortUserName(), user);
|
||||||
|
checkUgiFromToken(ugi);
|
||||||
|
|
||||||
|
// completely different user, token trumps auth
|
||||||
|
request = getMockRequest("rogue", null, null);
|
||||||
|
when(request.getParameter(JspHelper.DELEGATION_PARAMETER_NAME)).thenReturn(
|
||||||
|
tokenString);
|
||||||
|
ugi = JspHelper.getUGI(context, request, conf);
|
||||||
|
Assert.assertNotNull(ugi.getRealUser());
|
||||||
|
Assert.assertEquals(ugi.getRealUser().getShortUserName(), realUser);
|
||||||
|
Assert.assertEquals(ugi.getShortUserName(), user);
|
||||||
|
checkUgiFromToken(ugi);
|
||||||
|
|
||||||
|
// expected case
|
||||||
|
request = getMockRequest(null, user, null);
|
||||||
|
when(request.getParameter(JspHelper.DELEGATION_PARAMETER_NAME)).thenReturn(
|
||||||
|
tokenString);
|
||||||
|
ugi = JspHelper.getUGI(context, request, conf);
|
||||||
|
Assert.assertNotNull(ugi.getRealUser());
|
||||||
|
Assert.assertEquals(ugi.getRealUser().getShortUserName(), realUser);
|
||||||
|
Assert.assertEquals(ugi.getShortUserName(), user);
|
||||||
|
checkUgiFromToken(ugi);
|
||||||
|
|
||||||
|
// can't proxy with a token!
|
||||||
|
request = getMockRequest(null, null, "rogue");
|
||||||
|
when(request.getParameter(JspHelper.DELEGATION_PARAMETER_NAME)).thenReturn(
|
||||||
|
tokenString);
|
||||||
|
try {
|
||||||
|
JspHelper.getUGI(context, request, conf);
|
||||||
|
Assert.fail("bad request allowed");
|
||||||
|
} catch (IOException ioe) {
|
||||||
|
Assert.assertEquals(
|
||||||
|
"Usernames not matched: name=rogue != expected="+user,
|
||||||
|
ioe.getMessage());
|
||||||
|
}
|
||||||
|
|
||||||
|
// can't proxy with a token!
|
||||||
|
request = getMockRequest(null, user, "rogue");
|
||||||
|
when(request.getParameter(JspHelper.DELEGATION_PARAMETER_NAME)).thenReturn(
|
||||||
|
tokenString);
|
||||||
|
try {
|
||||||
|
JspHelper.getUGI(context, request, conf);
|
||||||
|
Assert.fail("bad request allowed");
|
||||||
|
} catch (IOException ioe) {
|
||||||
|
Assert.assertEquals(
|
||||||
|
"Usernames not matched: name=rogue != expected="+user,
|
||||||
|
ioe.getMessage());
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
@Test
|
||||||
|
public void testGetNonProxyUgi() throws IOException {
|
||||||
|
conf.set(DFSConfigKeys.FS_DEFAULT_NAME_KEY, "hdfs://localhost:4321/");
|
||||||
|
ServletContext context = mock(ServletContext.class);
|
||||||
|
String realUser = "TheDoctor";
|
||||||
|
String user = "TheNurse";
|
||||||
|
conf.set(DFSConfigKeys.HADOOP_SECURITY_AUTHENTICATION, "kerberos");
|
||||||
|
UserGroupInformation.setConfiguration(conf);
|
||||||
|
UserGroupInformation ugi;
|
||||||
|
HttpServletRequest request;
|
||||||
|
|
||||||
|
// have to be auth-ed with remote user
|
||||||
|
request = getMockRequest(null, null, null);
|
||||||
|
try {
|
||||||
|
JspHelper.getUGI(context, request, conf);
|
||||||
|
Assert.fail("bad request allowed");
|
||||||
|
} catch (IOException ioe) {
|
||||||
|
Assert.assertEquals(
|
||||||
|
"Security enabled but user not authenticated by filter",
|
||||||
|
ioe.getMessage());
|
||||||
|
}
|
||||||
|
request = getMockRequest(null, realUser, null);
|
||||||
|
try {
|
||||||
|
JspHelper.getUGI(context, request, conf);
|
||||||
|
Assert.fail("bad request allowed");
|
||||||
|
} catch (IOException ioe) {
|
||||||
|
Assert.assertEquals(
|
||||||
|
"Security enabled but user not authenticated by filter",
|
||||||
|
ioe.getMessage());
|
||||||
|
}
|
||||||
|
|
||||||
|
// ugi for remote user
|
||||||
|
request = getMockRequest(realUser, null, null);
|
||||||
|
ugi = JspHelper.getUGI(context, request, conf);
|
||||||
|
Assert.assertNull(ugi.getRealUser());
|
||||||
|
Assert.assertEquals(ugi.getShortUserName(), realUser);
|
||||||
|
checkUgiFromAuth(ugi);
|
||||||
|
|
||||||
|
// ugi for remote user = real user
|
||||||
|
request = getMockRequest(realUser, realUser, null);
|
||||||
|
ugi = JspHelper.getUGI(context, request, conf);
|
||||||
|
Assert.assertNull(ugi.getRealUser());
|
||||||
|
Assert.assertEquals(ugi.getShortUserName(), realUser);
|
||||||
|
checkUgiFromAuth(ugi);
|
||||||
|
|
||||||
|
// ugi for remote user != real user
|
||||||
|
request = getMockRequest(realUser, user, null);
|
||||||
|
try {
|
||||||
|
JspHelper.getUGI(context, request, conf);
|
||||||
|
Assert.fail("bad request allowed");
|
||||||
|
} catch (IOException ioe) {
|
||||||
|
Assert.assertEquals(
|
||||||
|
"Usernames not matched: name="+user+" != expected="+realUser,
|
||||||
|
ioe.getMessage());
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
@Test
|
||||||
|
public void testGetProxyUgi() throws IOException {
|
||||||
|
conf.set(DFSConfigKeys.FS_DEFAULT_NAME_KEY, "hdfs://localhost:4321/");
|
||||||
|
ServletContext context = mock(ServletContext.class);
|
||||||
|
String realUser = "TheDoctor";
|
||||||
|
String user = "TheNurse";
|
||||||
|
conf.set(DFSConfigKeys.HADOOP_SECURITY_AUTHENTICATION, "kerberos");
|
||||||
|
|
||||||
|
conf.set(ProxyUsers.CONF_HADOOP_PROXYUSER+realUser+".groups", "*");
|
||||||
|
conf.set(ProxyUsers.CONF_HADOOP_PROXYUSER+realUser+".hosts", "*");
|
||||||
|
ProxyUsers.refreshSuperUserGroupsConfiguration(conf);
|
||||||
|
UserGroupInformation.setConfiguration(conf);
|
||||||
|
UserGroupInformation ugi;
|
||||||
|
HttpServletRequest request;
|
||||||
|
|
||||||
|
// have to be auth-ed with remote user
|
||||||
|
request = getMockRequest(null, null, user);
|
||||||
|
try {
|
||||||
|
JspHelper.getUGI(context, request, conf);
|
||||||
|
Assert.fail("bad request allowed");
|
||||||
|
} catch (IOException ioe) {
|
||||||
|
Assert.assertEquals(
|
||||||
|
"Security enabled but user not authenticated by filter",
|
||||||
|
ioe.getMessage());
|
||||||
|
}
|
||||||
|
request = getMockRequest(null, realUser, user);
|
||||||
|
try {
|
||||||
|
JspHelper.getUGI(context, request, conf);
|
||||||
|
Assert.fail("bad request allowed");
|
||||||
|
} catch (IOException ioe) {
|
||||||
|
Assert.assertEquals(
|
||||||
|
"Security enabled but user not authenticated by filter",
|
||||||
|
ioe.getMessage());
|
||||||
|
}
|
||||||
|
|
||||||
|
// proxy ugi for user via remote user
|
||||||
|
request = getMockRequest(realUser, null, user);
|
||||||
|
ugi = JspHelper.getUGI(context, request, conf);
|
||||||
|
Assert.assertNotNull(ugi.getRealUser());
|
||||||
|
Assert.assertEquals(ugi.getRealUser().getShortUserName(), realUser);
|
||||||
|
Assert.assertEquals(ugi.getShortUserName(), user);
|
||||||
|
checkUgiFromAuth(ugi);
|
||||||
|
|
||||||
|
// proxy ugi for user vi a remote user = real user
|
||||||
|
request = getMockRequest(realUser, realUser, user);
|
||||||
|
ugi = JspHelper.getUGI(context, request, conf);
|
||||||
|
Assert.assertNotNull(ugi.getRealUser());
|
||||||
|
Assert.assertEquals(ugi.getRealUser().getShortUserName(), realUser);
|
||||||
|
Assert.assertEquals(ugi.getShortUserName(), user);
|
||||||
|
checkUgiFromAuth(ugi);
|
||||||
|
|
||||||
|
// proxy ugi for user via remote user != real user
|
||||||
|
request = getMockRequest(realUser, user, user);
|
||||||
|
try {
|
||||||
|
JspHelper.getUGI(context, request, conf);
|
||||||
|
Assert.fail("bad request allowed");
|
||||||
|
} catch (IOException ioe) {
|
||||||
|
Assert.assertEquals(
|
||||||
|
"Usernames not matched: name="+user+" != expected="+realUser,
|
||||||
|
ioe.getMessage());
|
||||||
|
}
|
||||||
|
|
||||||
|
// try to get get a proxy user with unauthorized user
|
||||||
|
try {
|
||||||
|
request = getMockRequest(user, null, realUser);
|
||||||
|
JspHelper.getUGI(context, request, conf);
|
||||||
|
Assert.fail("bad proxy request allowed");
|
||||||
|
} catch (AuthorizationException ae) {
|
||||||
|
Assert.assertEquals(
|
||||||
|
"User: " + user + " is not allowed to impersonate " + realUser,
|
||||||
|
ae.getMessage());
|
||||||
|
}
|
||||||
|
try {
|
||||||
|
request = getMockRequest(user, user, realUser);
|
||||||
|
JspHelper.getUGI(context, request, conf);
|
||||||
|
Assert.fail("bad proxy request allowed");
|
||||||
|
} catch (AuthorizationException ae) {
|
||||||
|
Assert.assertEquals(
|
||||||
|
"User: " + user + " is not allowed to impersonate " + realUser,
|
||||||
|
ae.getMessage());
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
private HttpServletRequest getMockRequest(String remoteUser, String user, String doAs) {
|
||||||
|
HttpServletRequest request = mock(HttpServletRequest.class);
|
||||||
|
when(request.getParameter(UserParam.NAME)).thenReturn(user);
|
||||||
|
if (doAs != null) {
|
||||||
|
when(request.getParameter(DoAsParam.NAME)).thenReturn(doAs);
|
||||||
|
}
|
||||||
|
when(request.getRemoteUser()).thenReturn(remoteUser);
|
||||||
|
return request;
|
||||||
|
}
|
||||||
|
|
||||||
|
private void checkUgiFromAuth(UserGroupInformation ugi) {
|
||||||
|
if (ugi.getRealUser() != null) {
|
||||||
|
Assert.assertEquals(AuthenticationMethod.PROXY,
|
||||||
|
ugi.getAuthenticationMethod());
|
||||||
|
Assert.assertEquals(AuthenticationMethod.KERBEROS_SSL,
|
||||||
|
ugi.getRealUser().getAuthenticationMethod());
|
||||||
|
} else {
|
||||||
|
Assert.assertEquals(AuthenticationMethod.KERBEROS_SSL,
|
||||||
|
ugi.getAuthenticationMethod());
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
private void checkUgiFromToken(UserGroupInformation ugi) {
|
||||||
|
if (ugi.getRealUser() != null) {
|
||||||
|
Assert.assertEquals(AuthenticationMethod.PROXY,
|
||||||
|
ugi.getAuthenticationMethod());
|
||||||
|
Assert.assertEquals(AuthenticationMethod.TOKEN,
|
||||||
|
ugi.getRealUser().getAuthenticationMethod());
|
||||||
|
} else {
|
||||||
|
Assert.assertEquals(AuthenticationMethod.TOKEN,
|
||||||
|
ugi.getAuthenticationMethod());
|
||||||
|
}
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
Loading…
Reference in New Issue