You are viewing a plain text version of this content. The canonical link for it is here.
Posted to common-commits@hadoop.apache.org by iw...@apache.org on 2020/09/14 12:58:11 UTC
[hadoop] 01/02: Revert "HADOOP-13119. Add ability to secure log
servlet using proxy users. Contribute by Yuanbo Liu."
This is an automated email from the ASF dual-hosted git repository.
iwasakims pushed a commit to branch branch-2.10
in repository https://gitbox.apache.org/repos/asf/hadoop.git
commit ca65409836d2949e9a9408d40bec0177b414cd5d
Author: Owen O'Malley <om...@apache.org>
AuthorDate: Thu Mar 1 10:15:22 2018 -0800
Revert "HADOOP-13119. Add ability to secure log servlet using proxy users. Contribute by Yuanbo Liu."
This reverts commit a847903b6e64c6edb11d852b91f2c816b1253eb3.
Change-Id: I3122a2142f5bdf8507dece930e447556a43cd9ae
(cherry picked from commit 8fad3ec76070ccfcd3ed80feaba4355077bc6f5c)
(cherry picked from commit fa6a8b78d481d3b4d355e1bf078f30dd5e09850d)
Conflicts:
hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/http/TestHttpServerWithSpengo.java
hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/TestAuthenticationWithProxyUserFilter.java
---
.../security/AuthenticationFilterInitializer.java | 9 +-
.../AuthenticationWithProxyUserFilter.java | 119 -----
.../hadoop/http/TestHttpServerWithSpengo.java | 480 ---------------------
.../hadoop/security/TestAuthenticationFilter.java | 13 +-
.../TestAuthenticationWithProxyUserFilter.java | 78 ----
5 files changed, 13 insertions(+), 686 deletions(-)
diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/AuthenticationFilterInitializer.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/AuthenticationFilterInitializer.java
index 65d2211..ca221f5 100644
--- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/AuthenticationFilterInitializer.java
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/AuthenticationFilterInitializer.java
@@ -29,9 +29,8 @@ import java.util.HashMap;
import java.util.Map;
/**
- * Initializes {@link AuthenticationWithProxyUserFilter}
- * which provides support for Kerberos HTTP SPNEGO authentication
- * and proxy user authentication.
+ * Initializes hadoop-auth AuthenticationFilter which provides support for
+ * Kerberos HTTP SPNEGO authentication.
* <p/>
* It enables anonymous access, simple/speudo and Kerberos HTTP SPNEGO
* authentication for Hadoop JobTracker, NameNode, DataNodes and
@@ -59,10 +58,8 @@ public class AuthenticationFilterInitializer extends FilterInitializer {
public void initFilter(FilterContainer container, Configuration conf) {
Map<String, String> filterConfig = getFilterConfigMap(conf, PREFIX);
- // extend AuthenticationFilter's feature to
- // support proxy user operation.
container.addFilter("authentication",
- AuthenticationWithProxyUserFilter.class.getName(),
+ AuthenticationFilter.class.getName(),
filterConfig);
}
diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/AuthenticationWithProxyUserFilter.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/AuthenticationWithProxyUserFilter.java
deleted file mode 100644
index ea9b282..0000000
--- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/AuthenticationWithProxyUserFilter.java
+++ /dev/null
@@ -1,119 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- * <p>
- * http://www.apache.org/licenses/LICENSE-2.0
- * <p>
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.hadoop.security;
-
-import org.apache.hadoop.security.authentication.server.AuthenticationFilter;
-import org.apache.hadoop.security.authorize.AuthorizationException;
-import org.apache.hadoop.security.authorize.ProxyUsers;
-import org.apache.hadoop.util.HttpExceptionUtils;
-import org.apache.http.NameValuePair;
-import org.apache.http.client.utils.URLEncodedUtils;
-
-import javax.servlet.FilterChain;
-import javax.servlet.ServletException;
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletRequestWrapper;
-import javax.servlet.http.HttpServletResponse;
-import java.io.IOException;
-import java.nio.charset.Charset;
-import java.util.List;
-
-/**
- * Extend the function of {@link AuthenticationFilter} to
- * support authorizing proxy user. If the query string
- * contains doAs parameter, then check the proxy user,
- * otherwise do the next filter.
- */
-public class AuthenticationWithProxyUserFilter extends AuthenticationFilter {
-
- /**
- * Constant used in URL's query string to perform a proxy user request, the
- * value of the <code>DO_AS</code> parameter is the user the request will be
- * done on behalf of.
- */
- private static final String DO_AS = "doAs";
-
- private static final Charset UTF8_CHARSET = Charset.forName("UTF-8");
-
-
- /**
- * This method provide the ability to do pre/post tasks
- * in filter chain. Override this method to authorize
- * proxy user between AuthenticationFilter and next filter.
- * @param filterChain the filter chain object.
- * @param request the request object.
- * @param response the response object.
- *
- * @throws IOException
- * @throws ServletException
- */
- @Override
- protected void doFilter(FilterChain filterChain, HttpServletRequest request,
- HttpServletResponse response) throws IOException, ServletException {
-
- // authorize proxy user before calling next filter.
- String proxyUser = getDoAs(request);
- if (proxyUser != null) {
- UserGroupInformation realUser =
- UserGroupInformation.createRemoteUser(request.getRemoteUser());
- UserGroupInformation proxyUserInfo =
- UserGroupInformation.createProxyUser(proxyUser, realUser);
-
- try {
- ProxyUsers.authorize(proxyUserInfo, request.getRemoteAddr());
- } catch (AuthorizationException ex) {
- HttpExceptionUtils.createServletExceptionResponse(response,
- HttpServletResponse.SC_FORBIDDEN, ex);
- // stop filter chain if there is an Authorization Exception.
- return;
- }
-
- final UserGroupInformation finalProxyUser = proxyUserInfo;
- // Change the remote user after proxy user is authorized.
- request = new HttpServletRequestWrapper(request) {
- @Override
- public String getRemoteUser() {
- return finalProxyUser.getUserName();
- }
- };
-
- }
- filterChain.doFilter(request, response);
- }
-
- /**
- * Get proxy user from query string.
- * @param request the request object
- * @return proxy user
- */
- public static String getDoAs(HttpServletRequest request) {
- String queryString = request.getQueryString();
- if (queryString == null) {
- return null;
- }
- List<NameValuePair> list = URLEncodedUtils.parse(queryString, UTF8_CHARSET);
- if (list != null) {
- for (NameValuePair nv : list) {
- if (DO_AS.equalsIgnoreCase(nv.getName())) {
- return nv.getValue();
- }
- }
- }
- return null;
- }
-}
diff --git a/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/http/TestHttpServerWithSpengo.java b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/http/TestHttpServerWithSpengo.java
deleted file mode 100644
index 7ef53b6..0000000
--- a/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/http/TestHttpServerWithSpengo.java
+++ /dev/null
@@ -1,480 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- * <p>
- * http://www.apache.org/licenses/LICENSE-2.0
- * <p>
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.hadoop.http;
-
-import org.apache.hadoop.conf.Configuration;
-import org.apache.hadoop.fs.CommonConfigurationKeys;
-import org.apache.hadoop.minikdc.MiniKdc;
-import org.apache.hadoop.net.NetUtils;
-import org.apache.hadoop.security.AuthenticationFilterInitializer;
-import org.apache.hadoop.security.SecurityUtil;
-import org.apache.hadoop.security.UserGroupInformation;
-import org.apache.hadoop.security.UserGroupInformation.AuthenticationMethod;
-import org.apache.hadoop.security.authentication.KerberosTestUtils;
-import org.apache.hadoop.security.authentication.client.AuthenticatedURL;
-import org.apache.hadoop.security.authentication.client.AuthenticationException;
-import org.apache.hadoop.security.authentication.server.AuthenticationFilter;
-import org.apache.hadoop.security.authentication.server.AuthenticationToken;
-import org.apache.hadoop.security.authentication.util.Signer;
-import org.apache.hadoop.security.authentication.util.SignerSecretProvider;
-import org.apache.hadoop.security.authentication.util.StringSignerSecretProviderCreator;
-import org.apache.hadoop.security.authorize.AccessControlList;
-import org.apache.hadoop.security.authorize.ProxyUsers;
-import org.ietf.jgss.GSSException;
-import org.junit.AfterClass;
-import org.junit.BeforeClass;
-import org.junit.Test;
-import org.junit.Assert;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-
-import java.io.File;
-import java.io.FileWriter;
-import java.io.Writer;
-import java.net.HttpURLConnection;
-import java.net.URI;
-import java.net.URL;
-import java.security.AccessController;
-import java.security.PrivilegedExceptionAction;
-import java.util.HashSet;
-import java.util.Properties;
-import java.util.Set;
-import javax.security.auth.Subject;
-import javax.servlet.ServletContext;
-
-import static org.junit.Assert.assertTrue;
-
-/**
- * This class is tested for http server with SPENGO authentication.
- */
-public class TestHttpServerWithSpengo {
-
- static final Logger LOG =
- LoggerFactory.getLogger(TestHttpServerWithSpengo.class);
-
- private static final String SECRET_STR = "secret";
- private static final String HTTP_USER = "HTTP";
- private static final String PREFIX = "hadoop.http.authentication.";
- private static final long TIMEOUT = 20000;
-
- private static File httpSpnegoKeytabFile = new File(
- KerberosTestUtils.getKeytabFile());
- private static String httpSpnegoPrincipal =
- KerberosTestUtils.getServerPrincipal();
- private static String realm = KerberosTestUtils.getRealm();
-
- private static File testRootDir = new File("target",
- TestHttpServerWithSpengo.class.getName() + "-root");
- private static MiniKdc testMiniKDC;
- private static File secretFile = new File(testRootDir, SECRET_STR);
-
- private static UserGroupInformation authUgi;
-
- @BeforeClass
- public static void setUp() throws Exception {
- try {
- testMiniKDC = new MiniKdc(MiniKdc.createConf(), testRootDir);
- testMiniKDC.start();
- testMiniKDC.createPrincipal(
- httpSpnegoKeytabFile, HTTP_USER + "/localhost", "keytab-user");
- } catch (Exception e) {
- assertTrue("Couldn't setup MiniKDC", false);
- }
-
- System.setProperty("sun.security.krb5.debug", "true");
- Configuration conf = new Configuration();
- SecurityUtil.setAuthenticationMethod(AuthenticationMethod.KERBEROS, conf);
- UserGroupInformation.setConfiguration(conf);
- authUgi = UserGroupInformation.loginUserFromKeytabAndReturnUGI(
- "keytab-user", httpSpnegoKeytabFile.toString());
- Writer w = new FileWriter(secretFile);
- w.write("secret");
- w.close();
- }
-
- @AfterClass
- public static void tearDown() {
- if (testMiniKDC != null) {
- testMiniKDC.stop();
- }
- }
-
- /**
- * groupA
- * - userA
- * groupB
- * - userA, userB
- * groupC
- * - userC
- * SPNEGO filter has been enabled.
- * userA has the privilege to impersonate users in groupB.
- * userA has admin access to all default servlets, but userB
- * and userC don't have. So "/logs" can only be accessed by userA.
- * @throws Exception
- */
- @Test
- public void testAuthenticationWithProxyUser() throws Exception {
-
- Configuration spengoConf = getSpengoConf(new Configuration());
-
- //setup logs dir
- System.setProperty("hadoop.log.dir", testRootDir.getAbsolutePath());
-
- // Setup user group
- UserGroupInformation.createUserForTesting("userA",
- new String[]{"groupA", "groupB"});
- UserGroupInformation.createUserForTesting("userB",
- new String[]{"groupB"});
- UserGroupInformation.createUserForTesting("userC",
- new String[]{"groupC"});
-
- // Make userA impersonate users in groupB
- spengoConf.set("hadoop.proxyuser.userA.hosts", "*");
- spengoConf.set("hadoop.proxyuser.userA.groups", "groupB");
- ProxyUsers.refreshSuperUserGroupsConfiguration(spengoConf);
-
- HttpServer2 httpServer = null;
- try {
- // Create http server to test.
- httpServer = getCommonBuilder()
- .setConf(spengoConf)
- .setACL(new AccessControlList("userA groupA"))
- .build();
- httpServer.start();
-
- // Get signer to encrypt token
- Signer signer = getSignerToEncrypt();
-
- // setup auth token for userA
- AuthenticatedURL.Token token = getEncryptedAuthToken(signer, "userA");
-
- String serverURL = "http://" +
- NetUtils.getHostPortString(httpServer.getConnectorAddress(0)) + "/";
-
- // The default authenticator is kerberos.
- AuthenticatedURL authUrl = new AuthenticatedURL();
-
- // userA impersonates userB, it's allowed.
- for (String servlet :
- new String[]{"stacks", "jmx", "conf"}) {
- HttpURLConnection conn = authUrl
- .openConnection(new URL(serverURL + servlet + "?doAs=userB"),
- token);
- Assert.assertEquals(HttpURLConnection.HTTP_OK, conn.getResponseCode());
- }
-
- // userA cannot impersonate userC, it fails.
- for (String servlet :
- new String[]{"stacks", "jmx", "conf"}){
- HttpURLConnection conn = authUrl
- .openConnection(new URL(serverURL + servlet + "?doAs=userC"),
- token);
- Assert.assertEquals(HttpURLConnection.HTTP_FORBIDDEN,
- conn.getResponseCode());
- }
-
- // "/logs" and "/logLevel" require admin authorization,
- // only userA has the access.
- for (String servlet :
- new String[]{"logLevel", "logs"}) {
- HttpURLConnection conn = authUrl
- .openConnection(new URL(serverURL + servlet), token);
- Assert.assertEquals(HttpURLConnection.HTTP_OK, conn.getResponseCode());
- }
-
- // Setup token for userB
- token = getEncryptedAuthToken(signer, "userB");
-
- // userB cannot access these servlets.
- for (String servlet :
- new String[]{"logLevel", "logs"}) {
- HttpURLConnection conn = authUrl
- .openConnection(new URL(serverURL + servlet), token);
- Assert.assertEquals(HttpURLConnection.HTTP_FORBIDDEN,
- conn.getResponseCode());
- }
-
- } finally {
- if (httpServer != null) {
- httpServer.stop();
- }
- }
- }
-
- @Test
- public void testSessionCookie() throws Exception {
- Configuration conf = new Configuration();
- conf.set(HttpServer2.FILTER_INITIALIZER_PROPERTY,
- AuthenticationFilterInitializer.class.getName());
- conf.set(PREFIX + "type", "kerberos");
- conf.setBoolean(PREFIX + "simple.anonymous.allowed", false);
- conf.set(PREFIX + "signer.secret.provider",
- TestSignerSecretProvider.class.getName());
-
- conf.set(PREFIX + "kerberos.keytab",
- httpSpnegoKeytabFile.getAbsolutePath());
- conf.set(PREFIX + "kerberos.principal", httpSpnegoPrincipal);
- conf.set(PREFIX + "cookie.domain", realm);
- conf.setBoolean(CommonConfigurationKeys.HADOOP_SECURITY_AUTHORIZATION,
- true);
-
- //setup logs dir
- System.setProperty("hadoop.log.dir", testRootDir.getAbsolutePath());
-
- HttpServer2 httpServer = null;
- // Create http server to test.
- httpServer = getCommonBuilder()
- .setConf(conf)
- .build();
- httpServer.start();
-
- // Get signer to encrypt token
- final Signer signer = new Signer(new TestSignerSecretProvider());
- final AuthenticatedURL authUrl = new AuthenticatedURL();
-
- final URL url = new URL("http://" + NetUtils.getHostPortString(
- httpServer.getConnectorAddress(0)) + "/conf");
-
- // this illustrates an inconsistency with AuthenticatedURL. the
- // authenticator is only called when the token is not set. if the
- // authenticator fails then it must throw an AuthenticationException to
- // the caller, yet the caller may see 401 for subsequent requests
- // that require re-authentication like token expiration.
- final UserGroupInformation simpleUgi =
- UserGroupInformation.createRemoteUser("simple-user");
-
- authUgi.doAs(new PrivilegedExceptionAction<Void>() {
- @Override
- public Void run() throws Exception {
- TestSignerSecretProvider.rollSecret();
- HttpURLConnection conn = null;
- AuthenticatedURL.Token token = new AuthenticatedURL.Token();
-
- // initial request should trigger authentication and set the token.
- conn = authUrl.openConnection(url, token);
- Assert.assertEquals(HttpURLConnection.HTTP_OK, conn.getResponseCode());
- Assert.assertTrue(token.isSet());
- String cookie = token.toString();
-
- // token should not change.
- conn = authUrl.openConnection(url, token);
- Assert.assertEquals(HttpURLConnection.HTTP_OK, conn.getResponseCode());
- Assert.assertTrue(token.isSet());
- Assert.assertEquals(cookie, token.toString());
-
- // roll secret to invalidate token.
- TestSignerSecretProvider.rollSecret();
- conn = authUrl.openConnection(url, token);
- // this may or may not happen. under normal circumstances the
- // jdk will silently renegotiate and the client never sees a 401.
- // however in some cases the jdk will give up doing spnego. since
- // the token is already set, the authenticator isn't invoked (which
- // would do the spnego if the jdk doesn't), which causes the client
- // to see a 401.
- if (conn.getResponseCode() == HttpURLConnection.HTTP_UNAUTHORIZED) {
- // if this happens, the token should be cleared which means the
- // next request should succeed and receive a new token.
- Assert.assertFalse(token.isSet());
- conn = authUrl.openConnection(url, token);
- }
-
- // token should change.
- Assert.assertEquals(HttpURLConnection.HTTP_OK, conn.getResponseCode());
- Assert.assertTrue(token.isSet());
- Assert.assertNotEquals(cookie, token.toString());
- cookie = token.toString();
-
- // token should not change.
- for (int i=0; i < 3; i++) {
- conn = authUrl.openConnection(url, token);
- Assert.assertEquals("attempt"+i,
- HttpURLConnection.HTTP_OK, conn.getResponseCode());
- Assert.assertTrue(token.isSet());
- Assert.assertEquals(cookie, token.toString());
- }
-
- // blow out the kerberos creds test only auth token is used.
- Subject s = Subject.getSubject(AccessController.getContext());
- Set<Object> oldCreds = new HashSet<>(s.getPrivateCredentials());
- s.getPrivateCredentials().clear();
-
- // token should not change.
- for (int i=0; i < 3; i++) {
- try {
- conn = authUrl.openConnection(url, token);
- Assert.assertEquals("attempt"+i,
- HttpURLConnection.HTTP_OK, conn.getResponseCode());
- } catch (AuthenticationException ae) {
- Assert.fail("attempt"+i+" "+ae);
- }
- Assert.assertTrue(token.isSet());
- Assert.assertEquals(cookie, token.toString());
- }
-
- // invalidate token. connections should fail now and token should be
- // unset.
- TestSignerSecretProvider.rollSecret();
- conn = authUrl.openConnection(url, token);
- Assert.assertEquals(
- HttpURLConnection.HTTP_UNAUTHORIZED, conn.getResponseCode());
- Assert.assertFalse(token.isSet());
- Assert.assertEquals("", token.toString());
-
- // restore the kerberos creds, should work again.
- s.getPrivateCredentials().addAll(oldCreds);
- conn = authUrl.openConnection(url, token);
- Assert.assertEquals(
- HttpURLConnection.HTTP_OK, conn.getResponseCode());
- Assert.assertTrue(token.isSet());
- cookie = token.toString();
-
- // token should not change.
- for (int i=0; i < 3; i++) {
- conn = authUrl.openConnection(url, token);
- Assert.assertEquals("attempt"+i,
- HttpURLConnection.HTTP_OK, conn.getResponseCode());
- Assert.assertTrue(token.isSet());
- Assert.assertEquals(cookie, token.toString());
- }
- return null;
- }
- });
-
- simpleUgi.doAs(new PrivilegedExceptionAction<Void>() {
- @Override
- public Void run() throws Exception {
- TestSignerSecretProvider.rollSecret();
- AuthenticatedURL authUrl = new AuthenticatedURL();
- AuthenticatedURL.Token token = new AuthenticatedURL.Token();
- HttpURLConnection conn = null;
-
- // initial connect with unset token will trigger authenticator which
- // should fail since we have no creds and leave token unset.
- try {
- authUrl.openConnection(url, token);
- Assert.fail("should fail with no credentials");
- } catch (AuthenticationException ae) {
- Assert.assertNotNull(ae.getCause());
- Assert.assertEquals(GSSException.class, ae.getCause().getClass());
- GSSException gsse = (GSSException)ae.getCause();
- Assert.assertEquals(GSSException.NO_CRED, gsse.getMajor());
- } catch (Throwable t) {
- Assert.fail("Unexpected exception" + t);
- }
- Assert.assertFalse(token.isSet());
-
- // create a valid token and save its value.
- token = getEncryptedAuthToken(signer, "valid");
- String cookie = token.toString();
-
- // server should accept token. after the request the token should
- // be set to the same value (ie. server didn't reissue cookie)
- conn = authUrl.openConnection(url, token);
- Assert.assertEquals(HttpURLConnection.HTTP_OK, conn.getResponseCode());
- Assert.assertTrue(token.isSet());
- Assert.assertEquals(cookie, token.toString());
-
- conn = authUrl.openConnection(url, token);
- Assert.assertEquals(HttpURLConnection.HTTP_OK, conn.getResponseCode());
- Assert.assertTrue(token.isSet());
- Assert.assertEquals(cookie, token.toString());
-
- // change the secret to effectively invalidate the cookie. see above
- // regarding inconsistency. the authenticator has no way to know the
- // token is bad, so the client will encounter a 401 instead of
- // AuthenticationException.
- TestSignerSecretProvider.rollSecret();
- conn = authUrl.openConnection(url, token);
- Assert.assertEquals(
- HttpURLConnection.HTTP_UNAUTHORIZED, conn.getResponseCode());
- Assert.assertFalse(token.isSet());
- Assert.assertEquals("", token.toString());
- return null;
- }
- });
- }
-
- public static class TestSignerSecretProvider extends SignerSecretProvider {
- static int n = 0;
- static byte[] secret;
-
- static void rollSecret() {
- secret = ("secret[" + (n++) + "]").getBytes();
- }
-
- public TestSignerSecretProvider() {
- }
-
- @Override
- public void init(Properties config, ServletContext servletContext,
- long tokenValidity) throws Exception {
- rollSecret();
- }
-
- @Override
- public byte[] getCurrentSecret() {
- return secret;
- }
-
- @Override
- public byte[][] getAllSecrets() {
- return new byte[][]{secret};
- }
- }
-
- private AuthenticatedURL.Token getEncryptedAuthToken(Signer signer,
- String user) throws Exception {
- AuthenticationToken token =
- new AuthenticationToken(user, user, "kerberos");
- token.setExpires(System.currentTimeMillis() + TIMEOUT);
- return new AuthenticatedURL.Token(signer.sign(token.toString()));
- }
-
- private Signer getSignerToEncrypt() throws Exception {
- SignerSecretProvider secretProvider =
- StringSignerSecretProviderCreator.newStringSignerSecretProvider();
- Properties secretProviderProps = new Properties();
- secretProviderProps.setProperty(
- AuthenticationFilter.SIGNATURE_SECRET, SECRET_STR);
- secretProvider.init(secretProviderProps, null, TIMEOUT);
- return new Signer(secretProvider);
- }
-
- private Configuration getSpengoConf(Configuration conf) {
- conf = new Configuration();
- conf.set(HttpServer2.FILTER_INITIALIZER_PROPERTY,
- AuthenticationFilterInitializer.class.getName());
- conf.set(PREFIX + "type", "kerberos");
- conf.setBoolean(PREFIX + "simple.anonymous.allowed", false);
- conf.set(PREFIX + "signature.secret.file",
- secretFile.getAbsolutePath());
- conf.set(PREFIX + "kerberos.keytab",
- httpSpnegoKeytabFile.getAbsolutePath());
- conf.set(PREFIX + "kerberos.principal", httpSpnegoPrincipal);
- conf.set(PREFIX + "cookie.domain", realm);
- conf.setBoolean(CommonConfigurationKeys.HADOOP_SECURITY_AUTHORIZATION,
- true);
- return conf;
- }
-
- private HttpServer2.Builder getCommonBuilder() throws Exception {
- return new HttpServer2.Builder().setName("test")
- .addEndpoint(new URI("http://localhost:0"))
- .setFindPort(true);
- }
-}
diff --git a/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/TestAuthenticationFilter.java b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/TestAuthenticationFilter.java
index 64cd9b7..c8179e2 100644
--- a/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/TestAuthenticationFilter.java
+++ b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/TestAuthenticationFilter.java
@@ -19,12 +19,16 @@ package org.apache.hadoop.security;
import junit.framework.TestCase;
import org.apache.hadoop.http.HttpServer2;
+import org.apache.hadoop.security.authentication.server.AuthenticationFilter;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.http.FilterContainer;
import org.mockito.Mockito;
import org.mockito.invocation.InvocationOnMock;
import org.mockito.stubbing.Answer;
+import java.io.File;
+import java.io.FileWriter;
+import java.io.Writer;
import java.util.Map;
public class TestAuthenticationFilter extends TestCase {
@@ -38,7 +42,7 @@ public class TestAuthenticationFilter extends TestCase {
FilterContainer container = Mockito.mock(FilterContainer.class);
Mockito.doAnswer(
- new Answer() {
+ new Answer() {
@Override
public Object answer(InvocationOnMock invocationOnMock)
throws Throwable {
@@ -46,6 +50,8 @@ public class TestAuthenticationFilter extends TestCase {
assertEquals("authentication", args[0]);
+ assertEquals(AuthenticationFilter.class.getName(), args[1]);
+
Map<String, String> conf = (Map<String, String>) args[2];
assertEquals("/", conf.get("cookie.path"));
@@ -60,8 +66,9 @@ public class TestAuthenticationFilter extends TestCase {
assertEquals("bar", conf.get("foo"));
return null;
- }}
- ).when(container).addFilter(Mockito.<String>anyObject(),
+ }
+ }
+ ).when(container).addFilter(Mockito.<String>anyObject(),
Mockito.<String>anyObject(),
Mockito.<Map<String, String>>anyObject());
diff --git a/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/TestAuthenticationWithProxyUserFilter.java b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/TestAuthenticationWithProxyUserFilter.java
deleted file mode 100644
index 504f5a1..0000000
--- a/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/TestAuthenticationWithProxyUserFilter.java
+++ /dev/null
@@ -1,78 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements. See the NOTICE file distributed with this
- * work for additional information regarding copyright ownership. The ASF
- * licenses this file to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
- * License for the specific language governing permissions and limitations under
- * the License.
- */
-package org.apache.hadoop.security;
-
-
-import junit.framework.TestCase;
-import org.apache.hadoop.http.HttpServer2;
-import org.apache.hadoop.conf.Configuration;
-import org.apache.hadoop.http.FilterContainer;
-import org.mockito.Mockito;
-import org.mockito.invocation.InvocationOnMock;
-import org.mockito.stubbing.Answer;
-import java.util.Map;
-
-/**
- * This class is tested for {@link AuthenticationWithProxyUserFilter}
- * to verify configurations of this filter.
- */
-public class TestAuthenticationWithProxyUserFilter extends TestCase {
-
- @SuppressWarnings("unchecked")
- public void testConfiguration() throws Exception {
- Configuration conf = new Configuration();
- conf.set("hadoop.http.authentication.foo", "bar");
-
- conf.set(HttpServer2.BIND_ADDRESS, "barhost");
-
- FilterContainer container = Mockito.mock(FilterContainer.class);
- Mockito.doAnswer(
- new Answer() {
- @Override
- public Object answer(InvocationOnMock invocationOnMock)
- throws Throwable {
- Object[] args = invocationOnMock.getArguments();
-
- assertEquals("authentication", args[0]);
-
- assertEquals(
- AuthenticationWithProxyUserFilter.class.getName(), args[1]);
-
- Map<String, String> conf = (Map<String, String>) args[2];
- assertEquals("/", conf.get("cookie.path"));
-
- assertEquals("simple", conf.get("type"));
- assertEquals("36000", conf.get("token.validity"));
- assertNull(conf.get("cookie.domain"));
- assertEquals("true", conf.get("simple.anonymous.allowed"));
- assertEquals("HTTP/barhost@LOCALHOST",
- conf.get("kerberos.principal"));
- assertEquals(System.getProperty("user.home") +
- "/hadoop.keytab", conf.get("kerberos.keytab"));
- assertEquals("bar", conf.get("foo"));
-
- return null;
- }
- }
- ).when(container).addFilter(Mockito.<String>anyObject(),
- Mockito.<String>anyObject(),
- Mockito.<Map<String, String>>anyObject());
-
- new AuthenticationFilterInitializer().initFilter(container, conf);
- }
-
-}
---------------------------------------------------------------------
To unsubscribe, e-mail: common-commits-unsubscribe@hadoop.apache.org
For additional commands, e-mail: common-commits-help@hadoop.apache.org