2 * Licensed to the Apache Software Foundation (ASF) under one
3 * or more contributor license agreements. See the NOTICE file
4 * distributed with this work for additional information
5 * regarding copyright ownership. The ASF licenses this file
6 * to you under the Apache License, Version 2.0 (the
7 * "License"); you may not use this file except in compliance
8 * with the License. You may obtain a copy of the License at
10 * http://www.apache.org/licenses/LICENSE-2.0
12 * Unless required by applicable law or agreed to in writing, software
13 * distributed under the License is distributed on an "AS IS" BASIS,
14 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
15 * See the License for the specific language governing permissions and
16 * limitations under the License.
18 package org
.apache
.hadoop
.hbase
.security
;
20 import static org
.apache
.hadoop
.hbase
.security
.HBaseKerberosUtils
.getClientKeytabForTesting
;
21 import static org
.apache
.hadoop
.hbase
.security
.HBaseKerberosUtils
.getClientPrincipalForTesting
;
22 import static org
.apache
.hadoop
.hbase
.security
.HBaseKerberosUtils
.getKeytabFileForTesting
;
23 import static org
.apache
.hadoop
.hbase
.security
.HBaseKerberosUtils
.getPrincipalForTesting
;
24 import static org
.apache
.hadoop
.hbase
.security
.HBaseKerberosUtils
.getSecuredConfiguration
;
25 import static org
.junit
.Assert
.assertEquals
;
26 import static org
.junit
.Assert
.assertFalse
;
27 import static org
.junit
.Assert
.assertNotNull
;
28 import static org
.junit
.Assert
.assertTrue
;
31 import java
.io
.IOException
;
33 import org
.apache
.hadoop
.conf
.Configuration
;
34 import org
.apache
.hadoop
.hbase
.AuthUtil
;
35 import org
.apache
.hadoop
.hbase
.HBaseClassTestRule
;
36 import org
.apache
.hadoop
.hbase
.HBaseTestingUtil
;
37 import org
.apache
.hadoop
.hbase
.testclassification
.SecurityTests
;
38 import org
.apache
.hadoop
.hbase
.testclassification
.SmallTests
;
39 import org
.apache
.hadoop
.minikdc
.MiniKdc
;
40 import org
.apache
.hadoop
.security
.UserGroupInformation
;
41 import org
.junit
.AfterClass
;
42 import org
.junit
.BeforeClass
;
43 import org
.junit
.ClassRule
;
44 import org
.junit
.Test
;
45 import org
.junit
.experimental
.categories
.Category
;
47 @Category({ SecurityTests
.class, SmallTests
.class })
48 public class TestUsersOperationsWithSecureHadoop
{
// Class-level test rule obtained from HBaseClassTestRule.forClass for this test class.
// NOTE(review): the annotation line that normally precedes this field is missing from this listing.
public static final HBaseClassTestRule CLASS_RULE =
  HBaseClassTestRule.forClass(TestUsersOperationsWithSecureHadoop.class);

// Shared testing utility: setUp() uses it to start the MiniKdc, tearDown() to clean the test dir.
private static final HBaseTestingUtil TEST_UTIL = new HBaseTestingUtil();
// Keytab file located under the "keytab" test data directory returned by TEST_UTIL.
// NOTE(review): the remainder of this initializer is missing from this listing.
private static final File KEYTAB_FILE = new File(TEST_UTIL.getDataTestDir("keytab").toUri()
// KDC handle; assigned in setUp() from TEST_UTIL.setupMiniKdc(KEYTAB_FILE).
private static MiniKdc KDC;
// Host part of the service principal ("hbase/" + HOST in setUp()).
private static String HOST = "localhost";
// Service principal without realm; assigned in setUp().
private static String PRINCIPAL;
// Client principal short name; the tests compare it with the logged-in user's short name.
// NOTE(review): no assignment to CLIENT_NAME is visible in this listing — confirm where it is set.
private static String CLIENT_NAME;
/**
 * Starts a MiniKdc, creates the service and client principals in {@code KEYTAB_FILE}, and
 * publishes the principal names (qualified with the KDC realm) and keytab paths through
 * {@link HBaseKerberosUtils} so the tests can read them back.
 *
 * @throws Exception if the KDC cannot be started or the principals cannot be created
 */
public static void setUp() throws Exception {
  KDC = TEST_UTIL.setupMiniKdc(KEYTAB_FILE);
  PRINCIPAL = "hbase/" + HOST;
  // NOTE(review): a line is missing from the listing at this point. CLIENT_NAME is presumably
  // assigned on it, since it is used below and no other assignment is visible — confirm.
  KDC.createPrincipal(KEYTAB_FILE, PRINCIPAL, CLIENT_NAME);
  HBaseKerberosUtils.setPrincipalForTesting(PRINCIPAL + "@" + KDC.getRealm());
  HBaseKerberosUtils.setKeytabFileForTesting(KEYTAB_FILE.getAbsolutePath());
  HBaseKerberosUtils.setClientPrincipalForTesting(CLIENT_NAME + "@" + KDC.getRealm());
  // The client keytab path is the same file as the server keytab above, so one keytab holds the
  // keys of both principals. That keeps a throwaway MiniKdc fixture simple; outside of tests a
  // client keytab should not contain the service principal's key.
  HBaseKerberosUtils.setClientKeytabForTesting(KEYTAB_FILE.getAbsolutePath());
  // (the method's closing brace is not present in this listing)
/**
 * Class-level cleanup: removes the test data directory through {@code TEST_UTIL}.
 *
 * @throws IOException declared by the method; presumably raised by the cleanup call — confirm
 */
public static void tearDown() throws IOException {
  // NOTE(review): several lines are missing from the listing between the signature and the call
  // below. Confirm that the MiniKdc started in setUp() is stopped there; otherwise the KDC would
  // outlive this test class.
  TEST_UTIL.cleanupTestDir();
  // (the method's closing brace is not present in this listing)
/**
 * Tests login with a security-enabled configuration. Per the original comment, to run this test
 * the following must be specified:
 * <b> hbase.regionserver.kerberos.principal </b>
 * <b> hbase.regionserver.keytab.file </b>
 * (Parts of the original comment are missing from this listing.)
 *
 * @throws Exception if obtaining the current user or the keytab login fails
 */
public void testUserLoginInSecureHadoop() throws Exception {
  // Default login is system user. It is captured before the keytab login so that the final
  // assertion can tell whether the login user changed.
  UserGroupInformation defaultLogin = UserGroupInformation.getCurrentUser();

  String nnKeyTab = getKeytabFileForTesting();
  String dnPrincipal = getPrincipalForTesting();

  // Fail early with a readable message when the fixture did not publish the keytab or principal.
  assertNotNull("KerberosKeytab was not specified", nnKeyTab);
  assertNotNull("KerberosPrincipal was not specified", dnPrincipal);

  // Install the secured configuration into UserGroupInformation before logging in.
  Configuration conf = getSecuredConfiguration();
  UserGroupInformation.setConfiguration(conf);

  User.login(conf, HBaseKerberosUtils.KRB_KEYTAB_FILE, HBaseKerberosUtils.KRB_PRINCIPAL,
  // NOTE(review): the rest of this call (remaining argument and closing parenthesis) is missing
  // from this listing.
  UserGroupInformation successLogin = UserGroupInformation.getLoginUser();
  // NOTE(review): this only shows that the login user differs from the pre-login user; it does
  // not check that the login user is the expected principal.
  assertFalse("ugi should be different in in case success login",
    defaultLogin.equals(successLogin));
  // (the method's closing brace is not present in this listing)
/**
 * Logs in through {@code UserProvider} using the client keytab and client principal placed in
 * the configuration, then checks that the current user is the expected client.
 *
 * @throws Exception if the provider cannot be created or the login fails
 */
public void testLoginWithUserKeytabAndPrincipal() throws Exception {
  String clientKeytab = getClientKeytabForTesting();
  String clientPrincipal = getClientPrincipalForTesting();
  // Fail early with a readable message when the fixture did not publish the client settings.
  assertNotNull("Path for client keytab is not specified.", clientKeytab);
  assertNotNull("Client principal is not specified.", clientPrincipal);

  // Put the client keytab and principal under the AuthUtil client keys, then install the
  // configuration into UserGroupInformation before any login is attempted.
  Configuration conf = getSecuredConfiguration();
  conf.set(AuthUtil.HBASE_CLIENT_KEYTAB_FILE, clientKeytab);
  conf.set(AuthUtil.HBASE_CLIENT_KERBEROS_PRINCIPAL, clientPrincipal);
  UserGroupInformation.setConfiguration(conf);

  UserProvider provider = UserProvider.instantiate(conf);
  // With both keys set above, the provider is expected to report that it should log in from
  // the keytab.
  assertTrue("Client principal or keytab is empty", provider.shouldLoginFromKeytab());

  // login() is given the configuration keys, not the keytab path and principal themselves.
  provider.login(AuthUtil.HBASE_CLIENT_KEYTAB_FILE, AuthUtil.HBASE_CLIENT_KERBEROS_PRINCIPAL);
  User loginUser = provider.getCurrent();
  // Check the identity, not just that a login happened: the short name must be CLIENT_NAME and
  // the full name must be the client principal published by the fixture.
  assertEquals(CLIENT_NAME, loginUser.getShortName());
  assertEquals(getClientPrincipalForTesting(), loginUser.getName());
  // (the method's closing brace is not present in this listing)
/**
 * Logs in through {@code AuthUtil.loginClient} using the client keytab and client principal
 * placed in the configuration, then checks that the returned user came from a keytab login and
 * is the expected client.
 *
 * @throws Exception if the login fails
 */
public void testAuthUtilLogin() throws Exception {
  // Unlike testLoginWithUserKeytabAndPrincipal, there are no assertNotNull checks on these two
  // values before they are written into the configuration.
  String clientKeytab = getClientKeytabForTesting();
  String clientPrincipal = getClientPrincipalForTesting();
  Configuration conf = getSecuredConfiguration();
  conf.set(AuthUtil.HBASE_CLIENT_KEYTAB_FILE, clientKeytab);
  conf.set(AuthUtil.HBASE_CLIENT_KERBEROS_PRINCIPAL, clientPrincipal);
  // Install the configuration into UserGroupInformation before the login call.
  UserGroupInformation.setConfiguration(conf);

  User user = AuthUtil.loginClient(conf);
  // Check both the login path (keytab) and the resulting identity (short name and full name).
  assertTrue(user.isLoginFromKeytab());
  assertEquals(CLIENT_NAME, user.getShortName());
  assertEquals(getClientPrincipalForTesting(), user.getName());
  // (the method's closing brace is not present in this listing)