Posted to common-commits@hadoop.apache.org by tu...@apache.org on 2014/07/18 21:43:39 UTC
svn commit: r1611781 - in
/hadoop/common/branches/branch-2/hadoop-common-project/hadoop-common: ./
src/main/java/org/apache/hadoop/security/authorize/
src/test/java/org/apache/hadoop/ipc/
src/test/java/org/apache/hadoop/security/ src/test/java/org/apac...
Author: tucu
Date: Fri Jul 18 19:43:38 2014
New Revision: 1611781
URL: http://svn.apache.org/r1611781
Log:
HADOOP-10817. ProxyUsers configuration should support configurable prefixes. (tucu)
Modified:
hadoop/common/branches/branch-2/hadoop-common-project/hadoop-common/CHANGES.txt
hadoop/common/branches/branch-2/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/authorize/DefaultImpersonationProvider.java
hadoop/common/branches/branch-2/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/authorize/ImpersonationProvider.java
hadoop/common/branches/branch-2/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/authorize/ProxyUsers.java
hadoop/common/branches/branch-2/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/ipc/MiniRPCBenchmark.java
hadoop/common/branches/branch-2/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/TestDoAsEffectiveUser.java
hadoop/common/branches/branch-2/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/authorize/TestProxyUsers.java
Modified: hadoop/common/branches/branch-2/hadoop-common-project/hadoop-common/CHANGES.txt
URL: http://svn.apache.org/viewvc/hadoop/common/branches/branch-2/hadoop-common-project/hadoop-common/CHANGES.txt?rev=1611781&r1=1611780&r2=1611781&view=diff
==============================================================================
--- hadoop/common/branches/branch-2/hadoop-common-project/hadoop-common/CHANGES.txt (original)
+++ hadoop/common/branches/branch-2/hadoop-common-project/hadoop-common/CHANGES.txt Fri Jul 18 19:43:38 2014
@@ -36,6 +36,9 @@ Release 2.6.0 - UNRELEASED
HADOOP-10610. Upgrade S3n s3.fs.buffer.dir to support multi directories.
(Ted Malaska via atm)
+ HADOOP-10817. ProxyUsers configuration should support configurable
+ prefixes. (tucu)
+
OPTIMIZATIONS
BUG FIXES
Modified: hadoop/common/branches/branch-2/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/authorize/DefaultImpersonationProvider.java
URL: http://svn.apache.org/viewvc/hadoop/common/branches/branch-2/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/authorize/DefaultImpersonationProvider.java?rev=1611781&r1=1611780&r2=1611781&view=diff
==============================================================================
--- hadoop/common/branches/branch-2/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/authorize/DefaultImpersonationProvider.java (original)
+++ hadoop/common/branches/branch-2/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/authorize/DefaultImpersonationProvider.java Fri Jul 18 19:43:38 2014
@@ -24,37 +24,64 @@ import java.util.Map;
import java.util.Map.Entry;
import java.util.regex.Pattern;
+import org.apache.hadoop.classification.InterfaceAudience;
+import org.apache.hadoop.classification.InterfaceStability;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.util.MachineList;
import com.google.common.annotations.VisibleForTesting;
+@InterfaceStability.Unstable
+@InterfaceAudience.Public
public class DefaultImpersonationProvider implements ImpersonationProvider {
private static final String CONF_HOSTS = ".hosts";
private static final String CONF_USERS = ".users";
private static final String CONF_GROUPS = ".groups";
- private static final String CONF_HADOOP_PROXYUSER = "hadoop.proxyuser.";
- private static final String CONF_HADOOP_PROXYUSER_RE = "hadoop\\.proxyuser\\.";
- private static final String CONF_HADOOP_PROXYUSER_RE_USERS_GROUPS =
- CONF_HADOOP_PROXYUSER_RE+"[^.]*(" + Pattern.quote(CONF_USERS) +
- "|" + Pattern.quote(CONF_GROUPS) + ")";
- private static final String CONF_HADOOP_PROXYUSER_RE_HOSTS =
- CONF_HADOOP_PROXYUSER_RE+"[^.]*"+ Pattern.quote(CONF_HOSTS);
// acl and list of hosts per proxyuser
private Map<String, AccessControlList> proxyUserAcl =
new HashMap<String, AccessControlList>();
- private static Map<String, MachineList> proxyHosts =
+ private Map<String, MachineList> proxyHosts =
new HashMap<String, MachineList>();
private Configuration conf;
+
+ private static DefaultImpersonationProvider testProvider;
+
+ public static synchronized DefaultImpersonationProvider getTestProvider() {
+ if (testProvider == null) {
+ testProvider = new DefaultImpersonationProvider();
+ testProvider.setConf(new Configuration());
+ testProvider.init(ProxyUsers.CONF_HADOOP_PROXYUSER);
+ }
+ return testProvider;
+ }
+
@Override
public void setConf(Configuration conf) {
this.conf = conf;
+ }
+
+ private String configPrefix;
+
+ @Override
+ public void init(String configurationPrefix) {
+ configPrefix = configurationPrefix +
+ (configurationPrefix.endsWith(".") ? "" : ".");
+
+ // constructing regex to match the following patterns:
+ // $configPrefix.[ANY].users
+ // $configPrefix.[ANY].groups
+ // $configPrefix.[ANY].hosts
+ //
+ String prefixRegEx = configPrefix.replace(".", "\\.");
+ String usersGroupsRegEx = prefixRegEx + "[^.]*(" +
+ Pattern.quote(CONF_USERS) + "|" + Pattern.quote(CONF_GROUPS) + ")";
+ String hostsRegEx = prefixRegEx + "[^.]*" + Pattern.quote(CONF_HOSTS);
- // get list of users and groups per proxyuser
+ // get list of users and groups per proxyuser
Map<String,String> allMatchKeys =
- conf.getValByRegex(CONF_HADOOP_PROXYUSER_RE_USERS_GROUPS);
+ conf.getValByRegex(usersGroupsRegEx);
for(Entry<String, String> entry : allMatchKeys.entrySet()) {
String aclKey = getAclKey(entry.getKey());
if (!proxyUserAcl.containsKey(aclKey)) {
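Review bot: In `init`, `configPrefix.replace(".", "\\.")` escapes only dots, so any other regex metacharacter in a caller-supplied prefix is treated as pattern syntax and can change which keys are loaded into the proxy-user ACL and host maps (or, presumably, make the pattern fail to compile inside `getValByRegex`). The suffixes two lines below already go through `Pattern.quote`, and the prefix should as well: `String prefixRegEx = Pattern.quote(configPrefix);`. `init` also only adds to `proxyUserAcl` and `proxyHosts`, so a second call on the same instance would keep grants loaded under the earlier prefix; clearing both maps at the top of `init` avoids that. The body of `init` continues past the end of this hunk.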
@@ -65,7 +92,7 @@ public class DefaultImpersonationProvide
}
// get hosts per proxyuser
- allMatchKeys = conf.getValByRegex(CONF_HADOOP_PROXYUSER_RE_HOSTS);
+ allMatchKeys = conf.getValByRegex(hostsRegEx);
for(Entry<String, String> entry : allMatchKeys.entrySet()) {
proxyHosts.put(entry.getKey(),
new MachineList(entry.getValue()));
@@ -86,8 +113,8 @@ public class DefaultImpersonationProvide
return;
}
- AccessControlList acl = proxyUserAcl.get(
- CONF_HADOOP_PROXYUSER+realUser.getShortUserName());
+ AccessControlList acl = proxyUserAcl.get(configPrefix +
+ realUser.getShortUserName());
if (acl == null || !acl.isUserAllowed(user)) {
throw new AuthorizationException("User: " + realUser.getUserName()
+ " is not allowed to impersonate " + user.getUserName());
@@ -116,8 +143,8 @@ public class DefaultImpersonationProvide
* @param userName name of the superuser
* @return configuration key for superuser usergroups
*/
- public static String getProxySuperuserUserConfKey(String userName) {
- return CONF_HADOOP_PROXYUSER+userName+CONF_USERS;
+ public String getProxySuperuserUserConfKey(String userName) {
+ return configPrefix + userName + CONF_USERS;
}
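Review bot: `getProxySuperuserUserConfKey` now reads `configPrefix`, which stays null until `init` has run, so a call on an uninitialised provider returns a key that starts with the text `null` instead of failing. The same applies to `getProxySuperuserGroupConfKey` and `getProxySuperuserIpConfKey` in the next two hunks. A guard such as `if (configPrefix == null) throw new IllegalStateException("init() has not been called");` in each of them makes the misuse visible. The Javadoc above each method should also say that the returned key depends on the prefix passed to `init`, and dropping `static` is a source-incompatible change for callers of a class this commit marks `@InterfaceAudience.Public`.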
/**
@@ -126,8 +153,8 @@ public class DefaultImpersonationProvide
* @param userName name of the superuser
* @return configuration key for superuser groups
*/
- public static String getProxySuperuserGroupConfKey(String userName) {
- return CONF_HADOOP_PROXYUSER+userName+CONF_GROUPS;
+ public String getProxySuperuserGroupConfKey(String userName) {
+ return configPrefix + userName + CONF_GROUPS;
}
/**
@@ -136,8 +163,8 @@ public class DefaultImpersonationProvide
* @param userName name of the superuser
* @return configuration key for superuser ip-addresses
*/
- public static String getProxySuperuserIpConfKey(String userName) {
- return CONF_HADOOP_PROXYUSER+userName+CONF_HOSTS;
+ public String getProxySuperuserIpConfKey(String userName) {
+ return configPrefix + userName + CONF_HOSTS;
}
@VisibleForTesting
Modified: hadoop/common/branches/branch-2/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/authorize/ImpersonationProvider.java
URL: http://svn.apache.org/viewvc/hadoop/common/branches/branch-2/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/authorize/ImpersonationProvider.java?rev=1611781&r1=1611780&r2=1611781&view=diff
==============================================================================
--- hadoop/common/branches/branch-2/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/authorize/ImpersonationProvider.java (original)
+++ hadoop/common/branches/branch-2/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/authorize/ImpersonationProvider.java Fri Jul 18 19:43:38 2014
@@ -18,10 +18,25 @@
package org.apache.hadoop.security.authorize;
+import org.apache.hadoop.classification.InterfaceAudience;
+import org.apache.hadoop.classification.InterfaceStability;
import org.apache.hadoop.conf.Configurable;
import org.apache.hadoop.security.UserGroupInformation;
+@InterfaceStability.Unstable
+@InterfaceAudience.Public
public interface ImpersonationProvider extends Configurable {
+
+
+ /**
+ * Specifies the configuration prefix for the proxy user properties and
+ * initializes the provider.
+ *
+ * @param configurationPrefix the configuration prefix for the proxy user
+ * properties
+ */
+ public void init(String configurationPrefix);
+
/**
* Authorize the superuser which is doing doAs
*
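Review bot: The Javadoc for `init` does not state the call order it relies on: `DefaultImpersonationProvider.init` in this commit reads the `Configuration` stored by `setConf`, so `setConf` has to come first, and the provider holds no grants until `init` returns. I would add a sentence such as `Must be called after setConf(Configuration) and before the provider is used to authorize.` and say whether the prefix may be given with or without a trailing dot. Adding an abstract method also breaks every existing implementation of this interface at compile time, which is worth calling out in the change description. The interface body continues outside this hunk.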
Modified: hadoop/common/branches/branch-2/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/authorize/ProxyUsers.java
URL: http://svn.apache.org/viewvc/hadoop/common/branches/branch-2/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/authorize/ProxyUsers.java?rev=1611781&r1=1611780&r2=1611781&view=diff
==============================================================================
--- hadoop/common/branches/branch-2/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/authorize/ProxyUsers.java (original)
+++ hadoop/common/branches/branch-2/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/authorize/ProxyUsers.java Fri Jul 18 19:43:38 2014
@@ -18,7 +18,9 @@
package org.apache.hadoop.security.authorize;
+import com.google.common.base.Preconditions;
import org.apache.hadoop.classification.InterfaceAudience;
+import org.apache.hadoop.classification.InterfaceStability;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.fs.CommonConfigurationKeysPublic;
import org.apache.hadoop.security.UserGroupInformation;
@@ -26,9 +28,12 @@ import org.apache.hadoop.util.Reflection
import com.google.common.annotations.VisibleForTesting;
+@InterfaceStability.Unstable
@InterfaceAudience.LimitedPrivate({"HDFS", "MapReduce", "HBase", "Hive"})
public class ProxyUsers {
+ public static final String CONF_HADOOP_PROXYUSER = "hadoop.proxyuser";
+
private static volatile ImpersonationProvider sip ;
/**
@@ -54,15 +59,31 @@ public class ProxyUsers {
}
/**
- * refresh configuration
- * @param conf
+ * Refreshes configuration using the specified Proxy user prefix for
+ * properties.
+ *
+ * @param conf configuration
+ * @param proxyUserPrefix proxy user configuration prefix
*/
- public static void refreshSuperUserGroupsConfiguration(Configuration conf) {
+ public static void refreshSuperUserGroupsConfiguration(Configuration conf,
+ String proxyUserPrefix) {
+ Preconditions.checkArgument(proxyUserPrefix != null &&
+ !proxyUserPrefix.isEmpty(), "prefix cannot be NULL or empty");
// sip is volatile. Any assignment to it as well as the object's state
// will be visible to all the other threads.
- sip = getInstance(conf);
+ ImpersonationProvider ip = getInstance(conf);
+ ip.init(proxyUserPrefix);
+ sip = ip;
ProxyServers.refresh(conf);
}
+
+ /**
+ * Refreshes configuration using the default Proxy user prefix for properties.
+ * @param conf configuration
+ */
+ public static void refreshSuperUserGroupsConfiguration(Configuration conf) {
+ refreshSuperUserGroupsConfiguration(conf, CONF_HADOOP_PROXYUSER);
+ }
/**
* Authorize the superuser which is doing doAs
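Review bot: The Javadoc of the two-argument `refreshSuperUserGroupsConfiguration` omits the `IllegalArgumentException` that the new `Preconditions.checkArgument` throws; add `@throws IllegalArgumentException if proxyUserPrefix is null or empty`. It would also help to document that the prefix is accepted with or without the trailing dot, since `DefaultImpersonationProvider.init` appends one when it is missing while `CONF_HADOOP_PROXYUSER` is declared without it. The existing comment about `sip` being volatile could say explicitly that the provider is fully initialised before it is published, because that ordering is what keeps a half-loaded ACL from being observed by other threads.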
Modified: hadoop/common/branches/branch-2/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/ipc/MiniRPCBenchmark.java
URL: http://svn.apache.org/viewvc/hadoop/common/branches/branch-2/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/ipc/MiniRPCBenchmark.java?rev=1611781&r1=1611780&r2=1611781&view=diff
==============================================================================
--- hadoop/common/branches/branch-2/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/ipc/MiniRPCBenchmark.java (original)
+++ hadoop/common/branches/branch-2/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/ipc/MiniRPCBenchmark.java Fri Jul 18 19:43:38 2014
@@ -327,8 +327,8 @@ public class MiniRPCBenchmark {
String shortUserName =
UserGroupInformation.createRemoteUser(user).getShortUserName();
try {
- conf.setStrings(DefaultImpersonationProvider.getProxySuperuserGroupConfKey(shortUserName),
- GROUP_NAME_1);
+ conf.setStrings(DefaultImpersonationProvider.getTestProvider().
+ getProxySuperuserGroupConfKey(shortUserName), GROUP_NAME_1);
configureSuperUserIPAddresses(conf, shortUserName);
// start the server
miniServer = new MiniServer(conf, user, keytabFile);
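Review bot: Building the key through `DefaultImpersonationProvider.getTestProvider()` makes this test depend on a lazily created singleton that lives in the production class and loads a default `Configuration` only to concatenate a string. Since the key is just prefix, user name and suffix, a static helper that takes the prefix, or a small test utility built on `ProxyUsers.CONF_HADOOP_PROXYUSER`, would do the same without shared state. If `getTestProvider` stays, it should carry `@VisibleForTesting` and a comment that it is not meant for production callers. The same call pattern is repeated in the second hunk of this file and throughout the TestDoAsEffectiveUser and TestProxyUsers hunks; the enclosing method starts and ends outside this hunk.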
@@ -411,7 +411,7 @@ public class MiniRPCBenchmark {
}
builder.append("127.0.1.1,");
builder.append(InetAddress.getLocalHost().getCanonicalHostName());
- conf.setStrings(DefaultImpersonationProvider.getProxySuperuserIpConfKey(superUserShortName),
- builder.toString());
+ conf.setStrings(DefaultImpersonationProvider.getTestProvider().
+ getProxySuperuserIpConfKey(superUserShortName), builder.toString());
}
}
Modified: hadoop/common/branches/branch-2/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/TestDoAsEffectiveUser.java
URL: http://svn.apache.org/viewvc/hadoop/common/branches/branch-2/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/TestDoAsEffectiveUser.java?rev=1611781&r1=1611780&r2=1611781&view=diff
==============================================================================
--- hadoop/common/branches/branch-2/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/TestDoAsEffectiveUser.java (original)
+++ hadoop/common/branches/branch-2/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/TestDoAsEffectiveUser.java Fri Jul 18 19:43:38 2014
@@ -101,7 +101,8 @@ public class TestDoAsEffectiveUser {
builder.append("127.0.1.1,");
builder.append(InetAddress.getLocalHost().getCanonicalHostName());
LOG.info("Local Ip addresses: "+builder.toString());
- conf.setStrings(DefaultImpersonationProvider.getProxySuperuserIpConfKey(superUserShortName),
+ conf.setStrings(DefaultImpersonationProvider.getTestProvider().
+ getProxySuperuserIpConfKey(superUserShortName),
builder.toString());
}
@@ -181,8 +182,8 @@ public class TestDoAsEffectiveUser {
@Test(timeout=4000)
public void testRealUserSetup() throws IOException {
final Configuration conf = new Configuration();
- conf.setStrings(DefaultImpersonationProvider
- .getProxySuperuserGroupConfKey(REAL_USER_SHORT_NAME), "group1");
+ conf.setStrings(DefaultImpersonationProvider.getTestProvider().
+ getProxySuperuserGroupConfKey(REAL_USER_SHORT_NAME), "group1");
configureSuperUserIPAddresses(conf, REAL_USER_SHORT_NAME);
Server server = new RPC.Builder(conf).setProtocol(TestProtocol.class)
.setInstance(new TestImpl()).setBindAddress(ADDRESS).setPort(0)
@@ -214,7 +215,8 @@ public class TestDoAsEffectiveUser {
public void testRealUserAuthorizationSuccess() throws IOException {
final Configuration conf = new Configuration();
configureSuperUserIPAddresses(conf, REAL_USER_SHORT_NAME);
- conf.setStrings(DefaultImpersonationProvider.getProxySuperuserGroupConfKey(REAL_USER_SHORT_NAME),
+ conf.setStrings(DefaultImpersonationProvider.getTestProvider().
+ getProxySuperuserGroupConfKey(REAL_USER_SHORT_NAME),
"group1");
Server server = new RPC.Builder(conf).setProtocol(TestProtocol.class)
.setInstance(new TestImpl()).setBindAddress(ADDRESS).setPort(0)
@@ -248,9 +250,11 @@ public class TestDoAsEffectiveUser {
@Test
public void testRealUserIPAuthorizationFailure() throws IOException {
final Configuration conf = new Configuration();
- conf.setStrings(DefaultImpersonationProvider.getProxySuperuserIpConfKey(REAL_USER_SHORT_NAME),
+ conf.setStrings(DefaultImpersonationProvider.getTestProvider().
+ getProxySuperuserIpConfKey(REAL_USER_SHORT_NAME),
"20.20.20.20"); //Authorized IP address
- conf.setStrings(DefaultImpersonationProvider.getProxySuperuserGroupConfKey(REAL_USER_SHORT_NAME),
+ conf.setStrings(DefaultImpersonationProvider.getTestProvider().
+ getProxySuperuserGroupConfKey(REAL_USER_SHORT_NAME),
"group1");
Server server = new RPC.Builder(conf).setProtocol(TestProtocol.class)
.setInstance(new TestImpl()).setBindAddress(ADDRESS).setPort(0)
@@ -293,8 +297,8 @@ public class TestDoAsEffectiveUser {
@Test
public void testRealUserIPNotSpecified() throws IOException {
final Configuration conf = new Configuration();
- conf.setStrings(DefaultImpersonationProvider
- .getProxySuperuserGroupConfKey(REAL_USER_SHORT_NAME), "group1");
+ conf.setStrings(DefaultImpersonationProvider.getTestProvider().
+ getProxySuperuserGroupConfKey(REAL_USER_SHORT_NAME), "group1");
Server server = new RPC.Builder(conf).setProtocol(TestProtocol.class)
.setInstance(new TestImpl()).setBindAddress(ADDRESS).setPort(0)
.setNumHandlers(2).setVerbose(false).build();
@@ -377,7 +381,8 @@ public class TestDoAsEffectiveUser {
public void testRealUserGroupAuthorizationFailure() throws IOException {
final Configuration conf = new Configuration();
configureSuperUserIPAddresses(conf, REAL_USER_SHORT_NAME);
- conf.setStrings(DefaultImpersonationProvider.getProxySuperuserGroupConfKey(REAL_USER_SHORT_NAME),
+ conf.setStrings(DefaultImpersonationProvider.getTestProvider().
+ getProxySuperuserGroupConfKey(REAL_USER_SHORT_NAME),
"group3");
Server server = new RPC.Builder(conf).setProtocol(TestProtocol.class)
.setInstance(new TestImpl()).setBindAddress(ADDRESS).setPort(0)
Modified: hadoop/common/branches/branch-2/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/authorize/TestProxyUsers.java
URL: http://svn.apache.org/viewvc/hadoop/common/branches/branch-2/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/authorize/TestProxyUsers.java?rev=1611781&r1=1611780&r2=1611781&view=diff
==============================================================================
--- hadoop/common/branches/branch-2/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/authorize/TestProxyUsers.java (original)
+++ hadoop/common/branches/branch-2/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/authorize/TestProxyUsers.java Fri Jul 18 19:43:38 2014
@@ -111,10 +111,12 @@ public class TestProxyUsers {
groupMappingClassName);
conf.set(
- DefaultImpersonationProvider.getProxySuperuserGroupConfKey(REAL_USER_NAME),
+ DefaultImpersonationProvider.getTestProvider().
+ getProxySuperuserGroupConfKey(REAL_USER_NAME),
StringUtils.join(",", Arrays.asList(NETGROUP_NAMES)));
conf.set(
- DefaultImpersonationProvider.getProxySuperuserIpConfKey(REAL_USER_NAME),
+ DefaultImpersonationProvider.getTestProvider().
+ getProxySuperuserIpConfKey(REAL_USER_NAME),
PROXY_IP);
ProxyUsers.refreshSuperUserGroupsConfiguration(conf);
@@ -135,10 +137,12 @@ public class TestProxyUsers {
public void testProxyUsers() throws Exception {
Configuration conf = new Configuration();
conf.set(
- DefaultImpersonationProvider.getProxySuperuserGroupConfKey(REAL_USER_NAME),
+ DefaultImpersonationProvider.getTestProvider().
+ getProxySuperuserGroupConfKey(REAL_USER_NAME),
StringUtils.join(",", Arrays.asList(GROUP_NAMES)));
conf.set(
- DefaultImpersonationProvider.getProxySuperuserIpConfKey(REAL_USER_NAME),
+ DefaultImpersonationProvider.getTestProvider().
+ getProxySuperuserIpConfKey(REAL_USER_NAME),
PROXY_IP);
ProxyUsers.refreshSuperUserGroupsConfiguration(conf);
@@ -168,10 +172,12 @@ public class TestProxyUsers {
public void testProxyUsersWithUserConf() throws Exception {
Configuration conf = new Configuration();
conf.set(
- DefaultImpersonationProvider.getProxySuperuserUserConfKey(REAL_USER_NAME),
+ DefaultImpersonationProvider.getTestProvider().
+ getProxySuperuserUserConfKey(REAL_USER_NAME),
StringUtils.join(",", Arrays.asList(AUTHORIZED_PROXY_USER_NAME)));
conf.set(
- DefaultImpersonationProvider.getProxySuperuserIpConfKey(REAL_USER_NAME),
+ DefaultImpersonationProvider.getTestProvider().
+ getProxySuperuserIpConfKey(REAL_USER_NAME),
PROXY_IP);
ProxyUsers.refreshSuperUserGroupsConfiguration(conf);
@@ -202,10 +208,12 @@ public class TestProxyUsers {
public void testWildcardGroup() {
Configuration conf = new Configuration();
conf.set(
- DefaultImpersonationProvider.getProxySuperuserGroupConfKey(REAL_USER_NAME),
+ DefaultImpersonationProvider.getTestProvider().
+ getProxySuperuserGroupConfKey(REAL_USER_NAME),
"*");
conf.set(
- DefaultImpersonationProvider.getProxySuperuserIpConfKey(REAL_USER_NAME),
+ DefaultImpersonationProvider.getTestProvider().
+ getProxySuperuserIpConfKey(REAL_USER_NAME),
PROXY_IP);
ProxyUsers.refreshSuperUserGroupsConfiguration(conf);
@@ -236,10 +244,12 @@ public class TestProxyUsers {
public void testWildcardUser() {
Configuration conf = new Configuration();
conf.set(
- DefaultImpersonationProvider.getProxySuperuserUserConfKey(REAL_USER_NAME),
+ DefaultImpersonationProvider.getTestProvider().
+ getProxySuperuserUserConfKey(REAL_USER_NAME),
"*");
conf.set(
- DefaultImpersonationProvider.getProxySuperuserIpConfKey(REAL_USER_NAME),
+ DefaultImpersonationProvider.getTestProvider().
+ getProxySuperuserIpConfKey(REAL_USER_NAME),
PROXY_IP);
ProxyUsers.refreshSuperUserGroupsConfiguration(conf);
@@ -270,10 +280,12 @@ public class TestProxyUsers {
public void testWildcardIP() {
Configuration conf = new Configuration();
conf.set(
- DefaultImpersonationProvider.getProxySuperuserGroupConfKey(REAL_USER_NAME),
+ DefaultImpersonationProvider.getTestProvider().
+ getProxySuperuserGroupConfKey(REAL_USER_NAME),
StringUtils.join(",", Arrays.asList(GROUP_NAMES)));
conf.set(
- DefaultImpersonationProvider.getProxySuperuserIpConfKey(REAL_USER_NAME),
+ DefaultImpersonationProvider.getTestProvider().
+ getProxySuperuserIpConfKey(REAL_USER_NAME),
"*");
ProxyUsers.refreshSuperUserGroupsConfiguration(conf);
@@ -301,10 +313,12 @@ public class TestProxyUsers {
public void testIPRange() {
Configuration conf = new Configuration();
conf.set(
- DefaultImpersonationProvider.getProxySuperuserGroupConfKey(REAL_USER_NAME),
+ DefaultImpersonationProvider.getTestProvider().
+ getProxySuperuserGroupConfKey(REAL_USER_NAME),
"*");
conf.set(
- DefaultImpersonationProvider.getProxySuperuserIpConfKey(REAL_USER_NAME),
+ DefaultImpersonationProvider.getTestProvider().
+ getProxySuperuserIpConfKey(REAL_USER_NAME),
PROXY_IP_RANGE);
ProxyUsers.refreshSuperUserGroupsConfiguration(conf);
@@ -324,16 +338,19 @@ public class TestProxyUsers {
public void testWithDuplicateProxyGroups() throws Exception {
Configuration conf = new Configuration();
conf.set(
- DefaultImpersonationProvider.getProxySuperuserGroupConfKey(REAL_USER_NAME),
+ DefaultImpersonationProvider.getTestProvider().
+ getProxySuperuserGroupConfKey(REAL_USER_NAME),
StringUtils.join(",", Arrays.asList(GROUP_NAMES,GROUP_NAMES)));
conf.set(
- DefaultImpersonationProvider.getProxySuperuserIpConfKey(REAL_USER_NAME),
+ DefaultImpersonationProvider.getTestProvider().
+ getProxySuperuserIpConfKey(REAL_USER_NAME),
PROXY_IP);
ProxyUsers.refreshSuperUserGroupsConfiguration(conf);
Collection<String> groupsToBeProxied =
ProxyUsers.getDefaultImpersonationProvider().getProxyGroups().get(
- DefaultImpersonationProvider.getProxySuperuserGroupConfKey(REAL_USER_NAME));
+ DefaultImpersonationProvider.getTestProvider().
+ getProxySuperuserGroupConfKey(REAL_USER_NAME));
assertEquals (1,groupsToBeProxied.size());
}
@@ -342,16 +359,19 @@ public class TestProxyUsers {
public void testWithDuplicateProxyHosts() throws Exception {
Configuration conf = new Configuration();
conf.set(
- DefaultImpersonationProvider.getProxySuperuserGroupConfKey(REAL_USER_NAME),
+ DefaultImpersonationProvider.getTestProvider()
+ .getProxySuperuserGroupConfKey(REAL_USER_NAME),
StringUtils.join(",", Arrays.asList(GROUP_NAMES)));
conf.set(
- DefaultImpersonationProvider.getProxySuperuserIpConfKey(REAL_USER_NAME),
+ DefaultImpersonationProvider.getTestProvider().
+ getProxySuperuserIpConfKey(REAL_USER_NAME),
StringUtils.join(",", Arrays.asList(PROXY_IP,PROXY_IP)));
ProxyUsers.refreshSuperUserGroupsConfiguration(conf);
Collection<String> hosts =
ProxyUsers.getDefaultImpersonationProvider().getProxyHosts().get(
- DefaultImpersonationProvider.getProxySuperuserIpConfKey(REAL_USER_NAME));
+ DefaultImpersonationProvider.getTestProvider().
+ getProxySuperuserIpConfKey(REAL_USER_NAME));
assertEquals (1,hosts.size());
}
@@ -391,26 +411,73 @@ public class TestProxyUsers {
public void testWithProxyGroupsAndUsersWithSpaces() throws Exception {
Configuration conf = new Configuration();
conf.set(
- DefaultImpersonationProvider.getProxySuperuserUserConfKey(REAL_USER_NAME),
+ DefaultImpersonationProvider.getTestProvider().
+ getProxySuperuserUserConfKey(REAL_USER_NAME),
StringUtils.join(",", Arrays.asList(PROXY_USER_NAME + " ",AUTHORIZED_PROXY_USER_NAME, "ONEMORE")));
conf.set(
- DefaultImpersonationProvider.getProxySuperuserGroupConfKey(REAL_USER_NAME),
+ DefaultImpersonationProvider.getTestProvider().
+ getProxySuperuserGroupConfKey(REAL_USER_NAME),
StringUtils.join(",", Arrays.asList(GROUP_NAMES)));
conf.set(
- DefaultImpersonationProvider.getProxySuperuserIpConfKey(REAL_USER_NAME),
+ DefaultImpersonationProvider.getTestProvider().
+ getProxySuperuserIpConfKey(REAL_USER_NAME),
PROXY_IP);
ProxyUsers.refreshSuperUserGroupsConfiguration(conf);
Collection<String> groupsToBeProxied =
ProxyUsers.getDefaultImpersonationProvider().getProxyGroups().get(
- DefaultImpersonationProvider.getProxySuperuserGroupConfKey(REAL_USER_NAME));
+ DefaultImpersonationProvider.getTestProvider().
+ getProxySuperuserGroupConfKey(REAL_USER_NAME));
assertEquals (GROUP_NAMES.length, groupsToBeProxied.size());
}
+ @Test(expected = IllegalArgumentException.class)
+ public void testProxyUsersWithNullPrefix() throws Exception {
+ ProxyUsers.refreshSuperUserGroupsConfiguration(new Configuration(false),
+ null);
+ }
+
+ @Test(expected = IllegalArgumentException.class)
+ public void testProxyUsersWithEmptyPrefix() throws Exception {
+ ProxyUsers.refreshSuperUserGroupsConfiguration(new Configuration(false),
+ "");
+ }
+
+ @Test
+ public void testProxyUsersWithCustomPrefix() throws Exception {
+ Configuration conf = new Configuration(false);
+ conf.set("x." + REAL_USER_NAME + ".users",
+ StringUtils.join(",", Arrays.asList(AUTHORIZED_PROXY_USER_NAME)));
+ conf.set("x." + REAL_USER_NAME+ ".hosts", PROXY_IP);
+ ProxyUsers.refreshSuperUserGroupsConfiguration(conf, "x");
+
+
+ // First try proxying a user that's allowed
+ UserGroupInformation realUserUgi = UserGroupInformation
+ .createRemoteUser(REAL_USER_NAME);
+ UserGroupInformation proxyUserUgi = UserGroupInformation.createProxyUserForTesting(
+ AUTHORIZED_PROXY_USER_NAME, realUserUgi, GROUP_NAMES);
+
+ // From good IP
+ assertAuthorized(proxyUserUgi, "1.2.3.4");
+ // From bad IP
+ assertNotAuthorized(proxyUserUgi, "1.2.3.5");
+
+ // Now try proxying a user that's not allowed
+ realUserUgi = UserGroupInformation.createRemoteUser(REAL_USER_NAME);
+ proxyUserUgi = UserGroupInformation.createProxyUserForTesting(
+ PROXY_USER_NAME, realUserUgi, GROUP_NAMES);
+
+ // From good IP
+ assertNotAuthorized(proxyUserUgi, "1.2.3.4");
+ // From bad IP
+ assertNotAuthorized(proxyUserUgi, "1.2.3.5");
+ }
+
private void assertNotAuthorized(UserGroupInformation proxyUgi, String host) {
try {
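Review bot: `testProxyUsersWithCustomPrefix` checks that grants under the custom prefix `x` are honoured, but nothing checks the reverse: that grants written under the default `hadoop.proxyuser.` prefix are ignored once a custom prefix is in effect. That isolation is the security-relevant half of the feature, so I would add a negative test next to this one, as sketched below. A case for a prefix passed with its trailing dot (`"x."`) and one using `.groups` would round out the coverage. `assertNotAuthorized` begins on the last lines of this hunk and continues outside it.

```java
// … unchanged: testProxyUsersWithCustomPrefix …

@Test
public void testCustomPrefixIgnoresDefaultPrefixKeys() throws Exception {
  Configuration conf = new Configuration(false);
  // Grants exist only under the default prefix.
  conf.set(ProxyUsers.CONF_HADOOP_PROXYUSER + "." + REAL_USER_NAME + ".users",
      AUTHORIZED_PROXY_USER_NAME);
  conf.set(ProxyUsers.CONF_HADOOP_PROXYUSER + "." + REAL_USER_NAME + ".hosts",
      PROXY_IP);
  ProxyUsers.refreshSuperUserGroupsConfiguration(conf, "x");

  UserGroupInformation realUserUgi =
      UserGroupInformation.createRemoteUser(REAL_USER_NAME);
  UserGroupInformation proxyUserUgi =
      UserGroupInformation.createProxyUserForTesting(
          AUTHORIZED_PROXY_USER_NAME, realUserUgi, GROUP_NAMES);

  // Same user and host that the default prefix would allow.
  assertNotAuthorized(proxyUserUgi, "1.2.3.4");
}
```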
@@ -430,6 +497,11 @@ public class TestProxyUsers {
}
static class TestDummyImpersonationProvider implements ImpersonationProvider {
+
+ @Override
+ public void init(String configurationPrefix) {
+ }
+
/**
* Authorize a user (superuser) to impersonate another user (user1) if the
* superuser belongs to the group "sudo_user1" .
@@ -460,11 +532,13 @@ public class TestProxyUsers {
public static void loadTest(String ipString, int testRange) {
Configuration conf = new Configuration();
conf.set(
- DefaultImpersonationProvider.getProxySuperuserGroupConfKey(REAL_USER_NAME),
+ DefaultImpersonationProvider.getTestProvider().
+ getProxySuperuserGroupConfKey(REAL_USER_NAME),
StringUtils.join(",", Arrays.asList(GROUP_NAMES)));
conf.set(
- DefaultImpersonationProvider.getProxySuperuserIpConfKey(REAL_USER_NAME),
+ DefaultImpersonationProvider.getTestProvider().
+ getProxySuperuserIpConfKey(REAL_USER_NAME),
ipString
);
ProxyUsers.refreshSuperUserGroupsConfiguration(conf);