Posted to commits@slider.apache.org by st...@apache.org on 2015/12/16 20:04:39 UTC
[3/5] incubator-slider git commit: SLIDER-1027 kdiag adds validation
that user has kerberos credentials;
doesn't fail on an insecure cluster, and adds a kdiagIT test to verify the
kerberos bindings for the IT Test run
SLIDER-1027 kdiag adds validation that user has kerberos credentials; doesn't fail on an insecure cluster, and adds a kdiagIT test to verify the kerberos bindings for the IT Test run
Project: http://git-wip-us.apache.org/repos/asf/incubator-slider/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-slider/commit/819b127e
Tree: http://git-wip-us.apache.org/repos/asf/incubator-slider/tree/819b127e
Diff: http://git-wip-us.apache.org/repos/asf/incubator-slider/diff/819b127e
Branch: refs/heads/develop
Commit: 819b127e49fdadd832f6289b05b31fd98e1cee58
Parents: a36b25d
Author: Steve Loughran <st...@apache.org>
Authored: Wed Dec 16 16:27:31 2015 +0000
Committer: Steve Loughran <st...@apache.org>
Committed: Wed Dec 16 16:30:17 2015 +0000
----------------------------------------------------------------------
.../apache/hadoop/security/KerberosDiags.java | 46 ++++++++++++++-----
.../org/apache/slider/common/Constants.java | 11 +++++
.../funtest/framework/CommandTestBase.groovy | 10 +++++
.../funtest/framework/FuntestProperties.groovy | 2 +-
.../slider/funtest/framework/SliderShell.groovy | 9 ++++
.../funtest/commands/KDiagCommandIT.groovy | 47 ++++++++++++++++++++
6 files changed, 113 insertions(+), 12 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-slider/blob/819b127e/slider-core/src/main/java/org/apache/hadoop/security/KerberosDiags.java
----------------------------------------------------------------------
diff --git a/slider-core/src/main/java/org/apache/hadoop/security/KerberosDiags.java b/slider-core/src/main/java/org/apache/hadoop/security/KerberosDiags.java
index 3d12857..93b09a7 100644
--- a/slider-core/src/main/java/org/apache/hadoop/security/KerberosDiags.java
+++ b/slider-core/src/main/java/org/apache/hadoop/security/KerberosDiags.java
@@ -54,7 +54,7 @@ import static org.apache.hadoop.fs.CommonConfigurationKeysPublic.*;
*/
public class KerberosDiags implements Closeable {
- private static final Logger LOG= LoggerFactory.getLogger(KerberosDiags.class);
+ private static final Logger LOG = LoggerFactory.getLogger(KerberosDiags.class);
public static final String KRB5_CCNAME = "KRB5CCNAME";
public static final String JAVA_SECURITY_KRB5_CONF
= "java.security.krb5.conf";
@@ -102,6 +102,7 @@ public class KerberosDiags implements Closeable {
private void title(String format, Object... args) {
println("");
+ println("");
println(format, args);
println("");
}
@@ -136,14 +137,20 @@ public class KerberosDiags implements Closeable {
* <li>A way to enable JAAS debug programatically</li>
* <li>Acess to the TGT</li>
* </ol>
- * @throws Exception
+ * @return true if security was enabled and all probes were successful
+ * @throws KerberosDiagsFailure explicitly raised failure
+ * @throws Exception other security problems
*/
- public void execute() throws Exception {
+ @SuppressWarnings("deprecation")
+ public boolean execute() throws Exception {
title("Kerberos Diagnostics scan at %s",
new Date(System.currentTimeMillis()));
boolean securityDisabled = SecurityUtil.getAuthenticationMethod(conf)
.equals(UserGroupInformation.AuthenticationMethod.SIMPLE);
- failif(securityDisabled, "security disabled");
+ if(securityDisabled) {
+ println("security disabled");
+ return false;
+ }
title("System Properties");
for (String prop : new String[]{
JAVA_SECURITY_KRB5_CONF,
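Review bot: With the `failif` replaced by a print and `return false`, a run that picks up the wrong or default configuration on a cluster meant to be kerberized now looks the same as a run on a genuinely insecure cluster. Printing what was actually read would let an operator tell the two apart, e.g. `println("security disabled: %s=%s", HADOOP_SECURITY_AUTHENTICATION, conf.get(HADOOP_SECURITY_AUTHENTICATION));`, assuming `conf` is the Hadoop Configuration and the key comes from the CommonConfigurationKeysPublic static import named in the first hunk header. The caller that consumes the new boolean is not in this diff, so it is worth confirming that `false` still shows up in the exit status or output there. execute() continues past the end of this hunk.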
@@ -179,11 +186,15 @@ public class KerberosDiags implements Closeable {
printConfOpt(prop);
}
- System.setProperty("sun.security.krb5.debug", "true");
- System.setProperty("sun.security.spnego.debug", "true");
+ System.setProperty(SUN_SECURITY_KRB5_DEBUG, "true");
+ System.setProperty(SUN_SECURITY_SPNEGO_DEBUG, "true");
title("Logging in");
- dumpUser("Log in user", getLoginUser());
+ UserGroupInformation loginUser = getLoginUser();
+ dumpUser("Log in user", loginUser);
+ println("Ticket based login: %b", isLoginTicketBased());
+ println("Keytab based login: %b", isLoginKeytabBased());
+ validateUser("Login user", loginUser);
// locate KDC and dump it
if (!Shell.WINDOWS) {
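Review bot: Both debug flags are set with `System.setProperty` just before the login and nothing in the visible lines puts them back, so JDK Kerberos and SPNEGO tracing (principal names, KDC exchanges) stays on for whatever else runs in this JVM afterwards. That is fine for a one-shot CLI but surprising if KerberosDiags is ever invoked from a longer-lived process; whether close() resets them cannot be seen from this hunk. A comment above the two calls would record the intent, e.g. `// process-wide and not reset: JDK krb5/SPNEGO tracing stays enabled for the rest of this JVM`. execute() starts before and ends after this hunk.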
@@ -225,6 +236,8 @@ public class KerberosDiags implements Closeable {
failif(StringUtils.isEmpty(principal), "No principal defined");
ugi = loginUserFromKeytabAndReturnUGI(principal, kt.getPath());
dumpUser(identity, ugi);
+ validateUser(principal, ugi);
+
title("Attempting to log in from keytab again");
// package scoped -hence the reason why this class must be in the
// hadoop.security package
@@ -234,14 +247,18 @@ public class KerberosDiags implements Closeable {
// dumpUser("Updated User", ugi);
} else {
println("No keytab: logging is as current user");
- ugi = getLoginUser();
- identity = "Login User";
}
+ return true;
}
- private void dumpUser(String message, UserGroupInformation ugi) {
+ private void dumpUser(String message, UserGroupInformation ugi)
+ throws IOException {
title(message);
println("UGI=%s", ugi);
+ println("Has kerberos credentials: %b", ugi.hasKerberosCredentials());
+ println("Authentication method: %s", ugi.getAuthenticationMethod());
+ println("Real Authentication method: %s",
+ ugi.getRealAuthenticationMethod());
title("Group names");
for (String name : ugi.getGroupNames()) {
println(name);
@@ -270,6 +287,13 @@ public class KerberosDiags implements Closeable {
}
}
+ private void validateUser(String message, UserGroupInformation user) {
+ failif(!user.hasKerberosCredentials(),
+ "%s: No kerberos credentials for %s", message, user);
+ failif(user.getAuthenticationMethod() == null,
+ "%s: Null AuthenticationMethod for %s", message, user);
+ }
+
private void fail(String message, Object... args)
throws KerberosDiagsFailure {
throw new KerberosDiagsFailure(message, args);
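Review bot: validateUser has no Javadoc and no `throws KerberosDiagsFailure`, while fail() and failif() next to it both declare it. For consistency the signature could read `private void validateUser(String message, UserGroupInformation user) throws KerberosDiagsFailure {`, with a Javadoc saying that it fails the diagnostics run when the user has no Kerberos credentials or a null authentication method. The second check only rejects null, so on its own it does not confirm that the method is Kerberos; if that is meant to be covered by `hasKerberosCredentials()`, the Javadoc should say so.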
@@ -278,7 +302,7 @@ public class KerberosDiags implements Closeable {
private void failif(boolean condition, String message, Object... args)
throws KerberosDiagsFailure {
if (condition) {
- throw new KerberosDiagsFailure(message, args);
+ fail(message, args);
}
}
http://git-wip-us.apache.org/repos/asf/incubator-slider/blob/819b127e/slider-core/src/main/java/org/apache/slider/common/Constants.java
----------------------------------------------------------------------
diff --git a/slider-core/src/main/java/org/apache/slider/common/Constants.java b/slider-core/src/main/java/org/apache/slider/common/Constants.java
index 868ea57..fdb3452 100644
--- a/slider-core/src/main/java/org/apache/slider/common/Constants.java
+++ b/slider-core/src/main/java/org/apache/slider/common/Constants.java
@@ -21,4 +21,15 @@ package org.apache.slider.common;
public class Constants {
public static final int CONNECT_TIMEOUT = 10000;
public static final int RPC_TIMEOUT = 15000;
+
+ public static final String ENV_JAAS_DEBUG = "HADOOP_JAAS_DEBUG";
+ public static final String KRB5_CCNAME = "KRB5CCNAME";
+ public static final String JAVA_SECURITY_KRB5_CONF
+ = "java.security.krb5.conf";
+ public static final String JAVA_SECURITY_KRB5_REALM
+ = "java.security.krb5.realm";
+ public static final String SUN_SECURITY_KRB5_DEBUG
+ = "sun.security.krb5.debug";
+ public static final String SUN_SECURITY_SPNEGO_DEBUG
+ = "sun.security.spnego.debug";
}
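Review bot: `KRB5_CCNAME` and `JAVA_SECURITY_KRB5_CONF` are now declared both here and in KerberosDiags (they appear as context lines in the first hunk of that file), so the two copies can drift apart; one class should reference the other. The new fields also mix environment variable names with JVM system property names and carry no comments. A short comment per group would make the difference clear, e.g. `// environment variables` above `ENV_JAAS_DEBUG` and `KRB5_CCNAME`, and `// JVM system properties` above the remaining four.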
http://git-wip-us.apache.org/repos/asf/incubator-slider/blob/819b127e/slider-funtest/src/main/groovy/org/apache/slider/funtest/framework/CommandTestBase.groovy
----------------------------------------------------------------------
diff --git a/slider-funtest/src/main/groovy/org/apache/slider/funtest/framework/CommandTestBase.groovy b/slider-funtest/src/main/groovy/org/apache/slider/funtest/framework/CommandTestBase.groovy
index 5fa4c2a..46fefff 100644
--- a/slider-funtest/src/main/groovy/org/apache/slider/funtest/framework/CommandTestBase.groovy
+++ b/slider-funtest/src/main/groovy/org/apache/slider/funtest/framework/CommandTestBase.groovy
@@ -238,6 +238,16 @@ abstract class CommandTestBase extends SliderTestUtils {
}
/**
+ * used enough in setting properties it's worth pulling out
+ * @param key sysprop/conf definition
+ * @param val value
+ * @return the concatenated string
+ */
+ static String define(String key, String val) {
+ key + "=" + val
+ }
+
+ /**
* Print to system out
* @param string
*/
http://git-wip-us.apache.org/repos/asf/incubator-slider/blob/819b127e/slider-funtest/src/main/groovy/org/apache/slider/funtest/framework/FuntestProperties.groovy
----------------------------------------------------------------------
diff --git a/slider-funtest/src/main/groovy/org/apache/slider/funtest/framework/FuntestProperties.groovy b/slider-funtest/src/main/groovy/org/apache/slider/funtest/framework/FuntestProperties.groovy
index 3bc9263..200da80 100644
--- a/slider-funtest/src/main/groovy/org/apache/slider/funtest/framework/FuntestProperties.groovy
+++ b/slider-funtest/src/main/groovy/org/apache/slider/funtest/framework/FuntestProperties.groovy
@@ -53,7 +53,7 @@ public interface FuntestProperties extends SliderXMLConfKeysForTesting {
String ENV_SLIDER_CONF_DIR = "SLIDER_CONF_DIR"
String ENV_HADOOP_CONF_DIR = "HADOOP_CONF_DIR"
String ENV_SLIDER_CLASSPATH_EXTRA = "SLIDER_CLASSPATH_EXTRA"
-
+
String SCRIPT_NAME = "slider"
String KEY_TEST_CONF_XML = "slider.test.conf.xml"
String KEY_TEST_CONF_DIR = "slider.test.conf.dir"
http://git-wip-us.apache.org/repos/asf/incubator-slider/blob/819b127e/slider-funtest/src/main/groovy/org/apache/slider/funtest/framework/SliderShell.groovy
----------------------------------------------------------------------
diff --git a/slider-funtest/src/main/groovy/org/apache/slider/funtest/framework/SliderShell.groovy b/slider-funtest/src/main/groovy/org/apache/slider/funtest/framework/SliderShell.groovy
index 9270e8c..b25264a 100644
--- a/slider-funtest/src/main/groovy/org/apache/slider/funtest/framework/SliderShell.groovy
+++ b/slider-funtest/src/main/groovy/org/apache/slider/funtest/framework/SliderShell.groovy
@@ -55,6 +55,15 @@ class SliderShell extends ShellBase {
}
/**
+ * Build the command
+ * @param commands
+ * @param map of environment variables to set
+ */
+ SliderShell(Collection<String> commands, Map<String, String> env) {
+ this(commands)
+ env.entrySet().each { setEnv(it.key, it.value)}
+ }
+ /**
* Exec any slider command
* @param conf
* @param commands
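Review bot: The Javadoc tag `@param map of environment variables to set` documents a parameter called `map`, but the constructor parameter is `env`; it should read `@param env map of environment variables to set`, and `@param commands` needs a description. `env.entrySet().each` throws on a null map, so either document that `env` must be non-null or add a null check before the loop. The Javadoc of the following method starts directly after the constructor's closing brace, where the rest of the file leaves a blank line.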
http://git-wip-us.apache.org/repos/asf/incubator-slider/blob/819b127e/slider-funtest/src/test/groovy/org/apache/slider/funtest/commands/KDiagCommandIT.groovy
----------------------------------------------------------------------
diff --git a/slider-funtest/src/test/groovy/org/apache/slider/funtest/commands/KDiagCommandIT.groovy b/slider-funtest/src/test/groovy/org/apache/slider/funtest/commands/KDiagCommandIT.groovy
new file mode 100644
index 0000000..8d05df6
--- /dev/null
+++ b/slider-funtest/src/test/groovy/org/apache/slider/funtest/commands/KDiagCommandIT.groovy
@@ -0,0 +1,47 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.slider.funtest.commands
+
+import groovy.transform.CompileStatic
+import groovy.util.logging.Slf4j
+import org.apache.slider.common.params.Arguments
+import org.apache.slider.common.params.SliderActions
+import org.apache.slider.funtest.framework.CommandTestBase
+import org.apache.slider.funtest.framework.SliderShell
+import org.junit.Test
+import static org.apache.slider.common.Constants.*
+
+@CompileStatic
+@Slf4j
+public class KDiagCommandIT extends CommandTestBase implements Arguments {
+
+ @Test
+ public void testKdiag() throws Throwable {
+ SliderShell shell = new SliderShell([
+ SliderActions.ACTION_KDIAG,
+ ARG_FAIL,
+ ARG_SYSPROP, define(SUN_SECURITY_KRB5_DEBUG, "true")
+ ],
+ [(ENV_JAAS_DEBUG): "true"]
+ )
+ shell.execute()
+ assertSuccess(shell)
+ }
+
+}
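Review bot: `assertSuccess(shell)` cannot tell a secure cluster whose probes all passed from an insecure one, because per the commit message kdiag no longer fails when security is disabled. On an insecure test cluster this test therefore passes without exercising any Kerberos binding. If the IT run is meant to verify the bindings, the test should also inspect the captured output, for example checking that `security disabled` is absent when the test configuration declares the cluster secure, or skip via an assumption otherwise. The test method has no Javadoc stating which of the two outcomes it expects. It also enables `sun.security.krb5.debug` and `HADOOP_JAAS_DEBUG`, so the test log will carry Kerberos trace output, which matters where CI logs are shared.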