HADOOP-9968. Makes ProxyUsers to work with NetGroups. Contributed by Benoy Antony.
git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@1570934 13f79535-47bb-0310-9956-ffa450edef68
parent
84425fb435
commit
ec23bf46e4
|
@ -124,6 +124,8 @@ Trunk (Unreleased)
|
||||||
HADOOP-10342. Add a new method to UGI to use a Kerberos login subject to
|
HADOOP-10342. Add a new method to UGI to use a Kerberos login subject to
|
||||||
build a new UGI. (Larry McCay via omalley)
|
build a new UGI. (Larry McCay via omalley)
|
||||||
|
|
||||||
|
HADOOP-9968. Makes ProxyUsers to work with NetGroups (Benoy Antony via ddas)
|
||||||
|
|
||||||
BUG FIXES
|
BUG FIXES
|
||||||
|
|
||||||
HADOOP-9451. Fault single-layer config if node group topology is enabled.
|
HADOOP-9451. Fault single-layer config if node group topology is enabled.
|
||||||
|
|
|
@ -20,6 +20,7 @@ package org.apache.hadoop.security.authorize;
|
||||||
|
|
||||||
import java.net.InetAddress;
|
import java.net.InetAddress;
|
||||||
import java.net.UnknownHostException;
|
import java.net.UnknownHostException;
|
||||||
|
import java.util.ArrayList;
|
||||||
import java.util.Collection;
|
import java.util.Collection;
|
||||||
import java.util.HashMap;
|
import java.util.HashMap;
|
||||||
import java.util.Map;
|
import java.util.Map;
|
||||||
|
@ -27,6 +28,7 @@ import java.util.Map.Entry;
|
||||||
|
|
||||||
import org.apache.hadoop.classification.InterfaceAudience;
|
import org.apache.hadoop.classification.InterfaceAudience;
|
||||||
import org.apache.hadoop.conf.Configuration;
|
import org.apache.hadoop.conf.Configuration;
|
||||||
|
import org.apache.hadoop.security.Groups;
|
||||||
import org.apache.hadoop.security.UserGroupInformation;
|
import org.apache.hadoop.security.UserGroupInformation;
|
||||||
import org.apache.hadoop.util.StringUtils;
|
import org.apache.hadoop.util.StringUtils;
|
||||||
|
|
||||||
|
@ -68,8 +70,11 @@ public class ProxyUsers {
|
||||||
String regex = CONF_HADOOP_PROXYUSER_RE+"[^.]*\\"+CONF_GROUPS;
|
String regex = CONF_HADOOP_PROXYUSER_RE+"[^.]*\\"+CONF_GROUPS;
|
||||||
Map<String,String> allMatchKeys = conf.getValByRegex(regex);
|
Map<String,String> allMatchKeys = conf.getValByRegex(regex);
|
||||||
for(Entry<String, String> entry : allMatchKeys.entrySet()) {
|
for(Entry<String, String> entry : allMatchKeys.entrySet()) {
|
||||||
proxyGroups.put(entry.getKey(),
|
Collection<String> groups = StringUtils.getStringCollection(entry.getValue());
|
||||||
StringUtils.getStringCollection(entry.getValue()));
|
proxyGroups.put(entry.getKey(), groups );
|
||||||
|
//cache the groups. This is needed for NetGroups
|
||||||
|
Groups.getUserToGroupsMappingService(conf).cacheGroupsAdd(
|
||||||
|
new ArrayList<String>(groups));
|
||||||
}
|
}
|
||||||
|
|
||||||
// now hosts
|
// now hosts
|
||||||
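Review bot: In the loop over `allMatchKeys`, `Groups.getUserToGroupsMappingService(conf)` is looked up again for every proxyuser entry although it does not depend on the entry; resolve it once before the loop with `Groups groupService = Groups.getUserToGroupsMappingService(conf);` and call `groupService.cacheGroupsAdd(new ArrayList<String>(groups));` inside it. The comment `//cache the groups. This is needed for NetGroups` should say why: presumably an `@netgroup` name is only resolved for a user once it has been added to this cache, so without the call such a rule would never match. Because this list decides who may be impersonated, the comment should also record what happens when the caching call fails and when netgroup membership changes after this refresh; neither is visible here, and a cache that keeps a removed member authorized is the case to rule out. The enclosing method starts and ends outside the hunk.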
|
|
|
@ -17,23 +17,113 @@
|
||||||
*/
|
*/
|
||||||
package org.apache.hadoop.security.authorize;
|
package org.apache.hadoop.security.authorize;
|
||||||
|
|
||||||
|
import java.io.IOException;
|
||||||
import java.util.Arrays;
|
import java.util.Arrays;
|
||||||
|
|
||||||
|
import org.apache.commons.logging.Log;
|
||||||
|
import org.apache.commons.logging.LogFactory;
|
||||||
import org.apache.hadoop.conf.Configuration;
|
import org.apache.hadoop.conf.Configuration;
|
||||||
|
import org.apache.hadoop.fs.CommonConfigurationKeysPublic;
|
||||||
|
import org.apache.hadoop.util.NativeCodeLoader;
|
||||||
import org.apache.hadoop.util.StringUtils;
|
import org.apache.hadoop.util.StringUtils;
|
||||||
|
import org.apache.hadoop.security.Groups;
|
||||||
import org.apache.hadoop.security.UserGroupInformation;
|
import org.apache.hadoop.security.UserGroupInformation;
|
||||||
|
|
||||||
import org.junit.Test;
|
import org.junit.Test;
|
||||||
import static org.junit.Assert.*;
|
import static org.junit.Assert.*;
|
||||||
|
|
||||||
|
|
||||||
public class TestProxyUsers {
|
public class TestProxyUsers {
|
||||||
|
private static final Log LOG =
|
||||||
|
LogFactory.getLog(TestProxyUsers.class);
|
||||||
private static final String REAL_USER_NAME = "proxier";
|
private static final String REAL_USER_NAME = "proxier";
|
||||||
private static final String PROXY_USER_NAME = "proxied_user";
|
private static final String PROXY_USER_NAME = "proxied_user";
|
||||||
private static final String[] GROUP_NAMES =
|
private static final String[] GROUP_NAMES =
|
||||||
new String[] { "foo_group" };
|
new String[] { "foo_group" };
|
||||||
|
private static final String[] NETGROUP_NAMES =
|
||||||
|
new String[] { "@foo_group" };
|
||||||
private static final String[] OTHER_GROUP_NAMES =
|
private static final String[] OTHER_GROUP_NAMES =
|
||||||
new String[] { "bar_group" };
|
new String[] { "bar_group" };
|
||||||
private static final String PROXY_IP = "1.2.3.4";
|
private static final String PROXY_IP = "1.2.3.4";
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Test the netgroups (groups in ACL rules that start with @)
|
||||||
|
*
|
||||||
|
* This is a manual test because it requires:
|
||||||
|
* - host setup
|
||||||
|
* - native code compiled
|
||||||
|
* - specify the group mapping class
|
||||||
|
*
|
||||||
|
* Host setup:
|
||||||
|
*
|
||||||
|
* /etc/nsswitch.conf should have a line like this:
|
||||||
|
* netgroup: files
|
||||||
|
*
|
||||||
|
* /etc/netgroup should be (the whole file):
|
||||||
|
* foo_group (,proxied_user,)
|
||||||
|
*
|
||||||
|
* To run this test:
|
||||||
|
*
|
||||||
|
* export JAVA_HOME='path/to/java'
|
||||||
|
* mvn test \
|
||||||
|
* -Dtest=TestProxyUsers \
|
||||||
|
* -DTestProxyUsersGroupMapping=$className \
|
||||||
|
*
|
||||||
|
* where $className is one of the classes that provide group
|
||||||
|
* mapping services, i.e. classes that implement
|
||||||
|
* GroupMappingServiceProvider interface, at this time:
|
||||||
|
* - org.apache.hadoop.security.JniBasedUnixGroupsNetgroupMapping
|
||||||
|
* - org.apache.hadoop.security.ShellBasedUnixGroupsNetgroupMapping
|
||||||
|
*
|
||||||
|
*/
|
||||||
|
|
||||||
|
@Test
|
||||||
|
public void testNetgroups () throws IOException{
|
||||||
|
|
||||||
|
if(!NativeCodeLoader.isNativeCodeLoaded()) {
|
||||||
|
LOG.info("Not testing netgroups, " +
|
||||||
|
"this test only runs when native code is compiled");
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
|
String groupMappingClassName =
|
||||||
|
System.getProperty("TestProxyUsersGroupMapping");
|
||||||
|
|
||||||
|
if(groupMappingClassName == null) {
|
||||||
|
LOG.info("Not testing netgroups, no group mapping class specified, " +
|
||||||
|
"use -DTestProxyUsersGroupMapping=$className to specify " +
|
||||||
|
"group mapping class (must implement GroupMappingServiceProvider " +
|
||||||
|
"interface and support netgroups)");
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
|
LOG.info("Testing netgroups using: " + groupMappingClassName);
|
||||||
|
|
||||||
|
Configuration conf = new Configuration();
|
||||||
|
conf.set(CommonConfigurationKeysPublic.HADOOP_SECURITY_GROUP_MAPPING,
|
||||||
|
groupMappingClassName);
|
||||||
|
|
||||||
|
conf.set(
|
||||||
|
ProxyUsers.getProxySuperuserGroupConfKey(REAL_USER_NAME),
|
||||||
|
StringUtils.join(",", Arrays.asList(NETGROUP_NAMES)));
|
||||||
|
conf.set(
|
||||||
|
ProxyUsers.getProxySuperuserIpConfKey(REAL_USER_NAME),
|
||||||
|
PROXY_IP);
|
||||||
|
|
||||||
|
ProxyUsers.refreshSuperUserGroupsConfiguration(conf);
|
||||||
|
Groups groups = Groups.getUserToGroupsMappingService(conf);
|
||||||
|
|
||||||
|
// try proxying a group that's allowed
|
||||||
|
UserGroupInformation realUserUgi = UserGroupInformation
|
||||||
|
.createRemoteUser(REAL_USER_NAME);
|
||||||
|
|
||||||
|
UserGroupInformation proxyUserUgi = UserGroupInformation.createProxyUserForTesting(
|
||||||
|
PROXY_USER_NAME, realUserUgi, groups.getGroups(PROXY_USER_NAME).toArray(
|
||||||
|
new String[groups.getGroups(PROXY_USER_NAME).size()]));
|
||||||
|
|
||||||
|
assertAuthorized(proxyUserUgi, PROXY_IP);
|
||||||
|
}
|
||||||
|
|
||||||
@Test
|
@Test
|
||||||
public void testProxyUsers() throws Exception {
|
public void testProxyUsers() throws Exception {
|
||||||
Configuration conf = new Configuration();
|
Configuration conf = new Configuration();
|
||||||
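Review bot: `testNetgroups` returns normally when native code is not loaded or `TestProxyUsersGroupMapping` is unset, so an ordinary build reports a pass although no authorization check ran. Replacing the two early returns with `Assume.assumeTrue(NativeCodeLoader.isNativeCodeLoaded());` and `Assume.assumeNotNull(groupMappingClassName);` (from `org.junit.Assume`) would report the test as skipped instead. The only assertion is the allowed case, `assertAuthorized(proxyUserUgi, PROXY_IP)`; since the rule feeds an impersonation ACL, the test should also show that a user outside `@foo_group` is rejected. `groups.getGroups(PROXY_USER_NAME)` is also called twice in one expression; storing the result in a local before `toArray` keeps the array size and contents from the same lookup.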
|
|