
1   /*
2    *
3    * Licensed to the Apache Software Foundation (ASF) under one
4    * or more contributor license agreements.  See the NOTICE file
5    * distributed with this work for additional information
6    * regarding copyright ownership.  The ASF licenses this file
7    * to you under the Apache License, Version 2.0 (the
8    * "License"); you may not use this file except in compliance
9    * with the License.  You may obtain a copy of the License at
10   *
11   *     http://www.apache.org/licenses/LICENSE-2.0
12   *
13   * Unless required by applicable law or agreed to in writing, software
14   * distributed under the License is distributed on an "AS IS" BASIS,
15   * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16   * See the License for the specific language governing permissions and
17   * limitations under the License.
18   */
19  package org.apache.hadoop.hbase.security;
20  
21  import static org.apache.hadoop.hbase.security.HBaseKerberosUtils.getConfigurationWoPrincipal;
22  import static org.apache.hadoop.hbase.security.HBaseKerberosUtils.getKeytabFileForTesting;
23  import static org.apache.hadoop.hbase.security.HBaseKerberosUtils.getPrincipalForTesting;
24  import static org.apache.hadoop.hbase.security.HBaseKerberosUtils.getSecuredConfiguration;
25  import static org.junit.Assert.assertFalse;
26  import static org.junit.Assert.assertNotNull;
27  import static org.junit.Assert.assertTrue;
28  
29  import java.io.File;
30  import java.io.IOException;
31  
32  import org.apache.hadoop.conf.Configuration;
33  import org.apache.hadoop.hbase.HBaseTestingUtility;
34  import org.apache.hadoop.hbase.testclassification.SmallTests;
35  import org.apache.hadoop.minikdc.MiniKdc;
36  import org.apache.hadoop.security.UserGroupInformation;
37  import org.junit.AfterClass;
38  import org.junit.BeforeClass;
39  import org.junit.Test;
40  import org.junit.experimental.categories.Category;
41  
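/**
 * Exercises {@link User#login} against an in-process Kerberos KDC ({@link MiniKdc}).
 * <p>
 * The KDC, the keytab file and the {@code hbase/localhost} principal are created once per class
 * in {@link #setUp()} and torn down in {@link #tearDown()}.
 */
@Category(SmallTests.class)
public class TestUsersOperationsWithSecureHadoop {

  private static final HBaseTestingUtility TEST_UTIL = new HBaseTestingUtility();
  // Keytab lives under the per-test data directory, which tearDown() removes.
  private static final File KEYTAB_FILE = new File(TEST_UTIL.getDataTestDir("keytab").toUri()
      .getPath());

  private static MiniKdc KDC;

  // Host component of the service principal and the hostname passed to User.login().
  private static final String HOST = "localhost";

  private static String PRINCIPAL;

  /**
   * Starts the MiniKdc, writes a keytab entry for {@code hbase/<HOST>} and publishes the fully
   * qualified principal ({@code hbase/<HOST>@<realm>}) through
   * {@link HBaseKerberosUtils#setPrincipalForTesting(String)}.
   * @throws Exception if the KDC cannot be started or the principal cannot be created
   */
  @BeforeClass
  public static void setUp() throws Exception {
    KDC = TEST_UTIL.setupMiniKdc(KEYTAB_FILE);
    PRINCIPAL = "hbase/" + HOST;
    KDC.createPrincipal(KEYTAB_FILE, PRINCIPAL);
    HBaseKerberosUtils.setPrincipalForTesting(PRINCIPAL + "@" + KDC.getRealm());
  }

  /**
   * Stops the KDC and removes the test directory that holds the keytab.
   * @throws IOException if the test directory cannot be cleaned up
   */
  @AfterClass
  public static void tearDown() throws IOException {
    try {
      if (KDC != null) {
        KDC.stop();
      }
    } finally {
      // Always remove the test directory, even if stopping the KDC fails, so the keytab
      // written by setUp() is not left behind on disk.
      TEST_UTIL.cleanupTestDir();
    }
  }

  /**
   * Checks that {@link User#login} leaves the process login user untouched when called with the
   * configuration from {@code getConfigurationWoPrincipal()}, and replaces it once the
   * configuration from {@code getSecuredConfiguration()} has been installed.
   * <p>
   * The principal is provided by {@link #setUp()}; the keytab path is read back through
   * {@code getKeytabFileForTesting()} (presumably registered by {@code setupMiniKdc} - confirm).
   * No system properties have to be passed on the command line.
   * @throws Exception if either login attempt or a UGI lookup fails unexpectedly
   */
  @Test
  public void testUserLoginInSecureHadoop() throws Exception {
    UserGroupInformation defaultLogin = UserGroupInformation.getLoginUser();

    // First attempt: configuration without a principal. The login is expected not to take
    // effect, so the login user must still be the default one.
    Configuration conf = getConfigurationWoPrincipal();
    User.login(conf, HBaseKerberosUtils.KRB_KEYTAB_FILE, HBaseKerberosUtils.KRB_PRINCIPAL,
      HOST);

    UserGroupInformation failLogin = UserGroupInformation.getLoginUser();
    assertTrue("ugi should be the same in case fail login", defaultLogin.equals(failLogin));

    // Fail early with a readable message if the fixture did not provide credentials.
    String nnKeyTab = getKeytabFileForTesting();
    String dnPrincipal = getPrincipalForTesting();

    assertNotNull("KerberosKeytab was not specified", nnKeyTab);
    assertNotNull("KerberosPrincipal was not specified", dnPrincipal);

    // Second attempt: secured configuration.
    // NOTE(review): UserGroupInformation.setConfiguration() changes process-wide static state
    // and nothing in this class restores it. Confirm the test runs in its own JVM, or reset
    // the UGI configuration in tearDown(), so later tests do not inherit Kerberos settings.
    conf = getSecuredConfiguration();
    UserGroupInformation.setConfiguration(conf);

    User.login(conf, HBaseKerberosUtils.KRB_KEYTAB_FILE, HBaseKerberosUtils.KRB_PRINCIPAL,
      HOST);
    UserGroupInformation successLogin = UserGroupInformation.getLoginUser();
    // NOTE(review): this only proves that the login user changed, not that it is the expected
    // identity. Consider also asserting that successLogin.getUserName() matches dnPrincipal
    // and that successLogin.getAuthenticationMethod() is KERBEROS (confirm the exact name
    // format first), so a login as some other identity cannot pass.
    assertFalse("ugi should be different in in case success login",
      defaultLogin.equals(successLogin));
  }
}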