/**
 * Checks that a proxy-user rule carrying a user list but no hosts entry authorizes nobody.
 *
 * <p>Only {@code y.<real user>.users} is written under the custom prefix {@code "y"}; no
 * {@code .hosts} key is set, and the test expects the impersonation request to be rejected.
 */
@Test
public void testNoHostsForUsers() throws Exception {
  final String allowedUsers =
      StringUtils.join(",", Arrays.asList(AUTHORIZED_PROXY_USER_NAME));

  Configuration conf = new Configuration(false);
  conf.set("y." + REAL_USER_NAME + ".users", allowedUsers);
  ProxyUsers.refreshSuperUserGroupsConfiguration(conf, "y");

  UserGroupInformation superUser = UserGroupInformation.createRemoteUser(REAL_USER_NAME);
  UserGroupInformation impersonated = UserGroupInformation.createProxyUserForTesting(
      AUTHORIZED_PROXY_USER_NAME, superUser, GROUP_NAMES);

  // No hosts are configured, so the caller address is irrelevant: the request must be denied
  // even though the impersonated user is on the users list.
  assertNotAuthorized(impersonated, "1.2.3.4");
}
/**
 * Checks that a proxy-user rule carrying a user list but no hosts entry authorizes nobody.
 *
 * <p>Only {@code y.<real user>.users} is written under the custom prefix {@code "y"}; no
 * {@code .hosts} key is set, and the test expects the impersonation request to be rejected.
 */
@Test
public void testNoHostsForUsers() throws Exception {
  final String allowedUsers =
      StringUtils.join(",", Arrays.asList(AUTHORIZED_PROXY_USER_NAME));

  Configuration conf = new Configuration(false);
  conf.set("y." + REAL_USER_NAME + ".users", allowedUsers);
  ProxyUsers.refreshSuperUserGroupsConfiguration(conf, "y");

  UserGroupInformation superUser = UserGroupInformation.createRemoteUser(REAL_USER_NAME);
  UserGroupInformation impersonated = UserGroupInformation.createProxyUserForTesting(
      AUTHORIZED_PROXY_USER_NAME, superUser, GROUP_NAMES);

  // No hosts are configured, so the caller address is irrelevant: the request must be denied
  // even though the impersonated user is on the users list.
  assertNotAuthorized(impersonated, "1.2.3.4");
}
/**
 * Exercises proxy-user authorization when the rules live under the custom prefix {@code "x"}.
 *
 * <p>The configuration lists one impersonable user and one host for the real user. The test
 * expects a grant only when both the impersonated user and the caller address match, and a
 * denial in the three other combinations.
 */
@Test
public void testProxyUsersWithCustomPrefix() throws Exception {
  final String usersKey = "x." + REAL_USER_NAME + ".users";
  final String hostsKey = "x." + REAL_USER_NAME + ".hosts";

  Configuration conf = new Configuration(false);
  conf.set(usersKey, StringUtils.join(",", Arrays.asList(AUTHORIZED_PROXY_USER_NAME)));
  conf.set(hostsKey, PROXY_IP);
  ProxyUsers.refreshSuperUserGroupsConfiguration(conf, "x");

  // Case 1: the impersonated user is on the configured users list.
  UserGroupInformation superUser = UserGroupInformation.createRemoteUser(REAL_USER_NAME);
  UserGroupInformation listedProxy = UserGroupInformation.createProxyUserForTesting(
      AUTHORIZED_PROXY_USER_NAME, superUser, GROUP_NAMES);
  // NOTE(review): the literal below is assumed to equal PROXY_IP - confirm against the constant.
  assertAuthorized(listedProxy, "1.2.3.4");
  // An address that is not the configured host must be refused.
  assertNotAuthorized(listedProxy, "1.2.3.5");

  // Case 2: the impersonated user is NOT on the users list, so the address cannot help.
  UserGroupInformation superUserAgain = UserGroupInformation.createRemoteUser(REAL_USER_NAME);
  UserGroupInformation unlistedProxy = UserGroupInformation.createProxyUserForTesting(
      PROXY_USER_NAME, superUserAgain, GROUP_NAMES);
  assertNotAuthorized(unlistedProxy, "1.2.3.4");
  assertNotAuthorized(unlistedProxy, "1.2.3.5");
}
/**
 * Exercises proxy-user authorization when the rules live under the custom prefix {@code "x"}.
 *
 * <p>The configuration lists one impersonable user and one host for the real user. The test
 * expects a grant only when both the impersonated user and the caller address match, and a
 * denial in the three other combinations.
 */
@Test
public void testProxyUsersWithCustomPrefix() throws Exception {
  final String usersKey = "x." + REAL_USER_NAME + ".users";
  final String hostsKey = "x." + REAL_USER_NAME + ".hosts";

  Configuration conf = new Configuration(false);
  conf.set(usersKey, StringUtils.join(",", Arrays.asList(AUTHORIZED_PROXY_USER_NAME)));
  conf.set(hostsKey, PROXY_IP);
  ProxyUsers.refreshSuperUserGroupsConfiguration(conf, "x");

  // Case 1: the impersonated user is on the configured users list.
  UserGroupInformation superUser = UserGroupInformation.createRemoteUser(REAL_USER_NAME);
  UserGroupInformation listedProxy = UserGroupInformation.createProxyUserForTesting(
      AUTHORIZED_PROXY_USER_NAME, superUser, GROUP_NAMES);
  // NOTE(review): the literal below is assumed to equal PROXY_IP - confirm against the constant.
  assertAuthorized(listedProxy, "1.2.3.4");
  // An address that is not the configured host must be refused.
  assertNotAuthorized(listedProxy, "1.2.3.5");

  // Case 2: the impersonated user is NOT on the users list, so the address cannot help.
  UserGroupInformation superUserAgain = UserGroupInformation.createRemoteUser(REAL_USER_NAME);
  UserGroupInformation unlistedProxy = UserGroupInformation.createProxyUserForTesting(
      PROXY_USER_NAME, superUserAgain, GROUP_NAMES);
  assertNotAuthorized(unlistedProxy, "1.2.3.4");
  assertNotAuthorized(unlistedProxy, "1.2.3.5");
}
// Excerpt only: three deny checks (addresses 1.2.3.5, 1.2.3.4, 1.2.3.5). proxyUserUgi is set up
// outside this excerpt, so which identity each call checks cannot be told from these lines.
assertNotAuthorized(proxyUserUgi, "1.2.3.5");
assertNotAuthorized(proxyUserUgi, "1.2.3.4");
assertNotAuthorized(proxyUserUgi, "1.2.3.5");
// Excerpt only: three deny checks (addresses 1.2.3.5, 1.2.3.4, 1.2.3.5). proxyUserUgi is set up
// outside this excerpt, so which identity each call checks cannot be told from these lines.
assertNotAuthorized(proxyUserUgi, "1.2.3.5");
assertNotAuthorized(proxyUserUgi, "1.2.3.4");
assertNotAuthorized(proxyUserUgi, "1.2.3.5");
// Excerpt only: three deny checks (addresses 1.2.3.5, 1.2.3.4, 1.2.3.5). proxyUserUgi is set up
// outside this excerpt, so which identity each call checks cannot be told from these lines.
assertNotAuthorized(proxyUserUgi, "1.2.3.5");
assertNotAuthorized(proxyUserUgi, "1.2.3.4");
assertNotAuthorized(proxyUserUgi, "1.2.3.5");
/**
 * Checks that a custom impersonation provider named in the configuration replaces the default
 * authorization decision.
 *
 * <p>The provider class is set to {@code TestProxyUsers$TestDummyImpersonationProvider}. The
 * test expects a real user created with {@code SUDO_GROUP_NAMES} to be allowed to impersonate
 * and one created with {@code GROUP_NAMES} to be refused.
 */
@Test
public void testProxyUsersWithProviderOverride() throws Exception {
  final String providerClass =
      "org.apache.hadoop.security.authorize.TestProxyUsers$TestDummyImpersonationProvider";

  Configuration conf = new Configuration();
  conf.set(
      CommonConfigurationKeysPublic.HADOOP_SECURITY_IMPERSONATION_PROVIDER_CLASS,
      providerClass);
  ProxyUsers.refreshSuperUserGroupsConfiguration(conf);

  // Case 1: the real user carries SUDO_GROUP_NAMES and is expected to be allowed.
  UserGroupInformation sudoer =
      UserGroupInformation.createUserForTesting(REAL_USER_NAME, SUDO_GROUP_NAMES);
  UserGroupInformation viaSudoer = UserGroupInformation.createProxyUserForTesting(
      PROXY_USER_NAME, sudoer, GROUP_NAMES);
  // NOTE(review): both addresses give the same result in each case, which suggests the dummy
  // provider decides on the real user's groups and ignores the caller address - confirm against
  // TestDummyImpersonationProvider.
  assertAuthorized(viaSudoer, "1.2.3.4");
  assertAuthorized(viaSudoer, "1.2.3.5");

  // Case 2: the real user carries GROUP_NAMES only and is expected to be refused.
  UserGroupInformation nonSudoer =
      UserGroupInformation.createUserForTesting(REAL_USER_NAME, GROUP_NAMES);
  UserGroupInformation viaNonSudoer = UserGroupInformation.createProxyUserForTesting(
      PROXY_USER_NAME, nonSudoer, GROUP_NAMES);
  assertNotAuthorized(viaNonSudoer, "1.2.3.4");
  assertNotAuthorized(viaNonSudoer, "1.2.3.5");
}
// Excerpt only: three deny checks (addresses 1.2.3.5, 1.2.3.4, 1.2.3.5). proxyUserUgi is set up
// outside this excerpt, so which identity each call checks cannot be told from these lines.
assertNotAuthorized(proxyUserUgi, "1.2.3.5");
assertNotAuthorized(proxyUserUgi, "1.2.3.4");
assertNotAuthorized(proxyUserUgi, "1.2.3.5");
/**
 * Checks that a custom impersonation provider named in the configuration replaces the default
 * authorization decision.
 *
 * <p>The provider class is set to {@code TestProxyUsers$TestDummyImpersonationProvider}. The
 * test expects a real user created with {@code SUDO_GROUP_NAMES} to be allowed to impersonate
 * and one created with {@code GROUP_NAMES} to be refused.
 */
@Test
public void testProxyUsersWithProviderOverride() throws Exception {
  final String providerClass =
      "org.apache.hadoop.security.authorize.TestProxyUsers$TestDummyImpersonationProvider";

  Configuration conf = new Configuration();
  conf.set(
      CommonConfigurationKeysPublic.HADOOP_SECURITY_IMPERSONATION_PROVIDER_CLASS,
      providerClass);
  ProxyUsers.refreshSuperUserGroupsConfiguration(conf);

  // Case 1: the real user carries SUDO_GROUP_NAMES and is expected to be allowed.
  UserGroupInformation sudoer =
      UserGroupInformation.createUserForTesting(REAL_USER_NAME, SUDO_GROUP_NAMES);
  UserGroupInformation viaSudoer = UserGroupInformation.createProxyUserForTesting(
      PROXY_USER_NAME, sudoer, GROUP_NAMES);
  // NOTE(review): both addresses give the same result in each case, which suggests the dummy
  // provider decides on the real user's groups and ignores the caller address - confirm against
  // TestDummyImpersonationProvider.
  assertAuthorized(viaSudoer, "1.2.3.4");
  assertAuthorized(viaSudoer, "1.2.3.5");

  // Case 2: the real user carries GROUP_NAMES only and is expected to be refused.
  UserGroupInformation nonSudoer =
      UserGroupInformation.createUserForTesting(REAL_USER_NAME, GROUP_NAMES);
  UserGroupInformation viaNonSudoer = UserGroupInformation.createProxyUserForTesting(
      PROXY_USER_NAME, nonSudoer, GROUP_NAMES);
  assertNotAuthorized(viaNonSudoer, "1.2.3.4");
  assertNotAuthorized(viaNonSudoer, "1.2.3.5");
}
/**
 * Checks that the hosts setting of a proxy-user rule accepts an address range.
 *
 * <p>The group setting is the wildcard {@code "*"} and the hosts setting is
 * {@code PROXY_IP_RANGE}; the test expects 10.222.0.0 to be accepted and 10.221.0.0 to be
 * refused for the same proxy user.
 */
@Test
public void testIPRange() {
  Configuration conf = new Configuration();

  final String groupKey =
      DefaultImpersonationProvider.getTestProvider().getProxySuperuserGroupConfKey(REAL_USER_NAME);
  conf.set(groupKey, "*");

  final String hostsKey =
      DefaultImpersonationProvider.getTestProvider().getProxySuperuserIpConfKey(REAL_USER_NAME);
  conf.set(hostsKey, PROXY_IP_RANGE);

  ProxyUsers.refreshSuperUserGroupsConfiguration(conf);

  // Groups are wildcarded, so the caller address is the only thing that varies below.
  UserGroupInformation superUser = UserGroupInformation.createRemoteUser(REAL_USER_NAME);
  UserGroupInformation impersonated = UserGroupInformation.createProxyUserForTesting(
      PROXY_USER_NAME, superUser, GROUP_NAMES);

  // NOTE(review): assumes 10.222.0.0 lies inside PROXY_IP_RANGE and 10.221.0.0 outside it;
  // the range value is not visible here - confirm against the constant.
  assertAuthorized(impersonated, "10.222.0.0");
  assertNotAuthorized(impersonated, "10.221.0.0");
}
/**
 * Checks proxy-user authorization when the hosts setting is the wildcard {@code "*"}.
 *
 * <p>With any caller address accepted, the group list is the only restriction this test shows
 * in effect: a proxy user created with {@code GROUP_NAMES} is allowed from both addresses, and
 * one created with {@code OTHER_GROUP_NAMES} is refused from both.
 */
@Test
public void testWildcardIP() {
  Configuration conf = new Configuration();

  final String groupKey =
      DefaultImpersonationProvider.getTestProvider().getProxySuperuserGroupConfKey(REAL_USER_NAME);
  conf.set(groupKey, StringUtils.join(",", Arrays.asList(GROUP_NAMES)));

  final String hostsKey =
      DefaultImpersonationProvider.getTestProvider().getProxySuperuserIpConfKey(REAL_USER_NAME);
  conf.set(hostsKey, "*");

  ProxyUsers.refreshSuperUserGroupsConfiguration(conf);

  // Case 1: the proxy user is created with the configured groups; either address is accepted.
  UserGroupInformation superUser = UserGroupInformation.createRemoteUser(REAL_USER_NAME);
  UserGroupInformation inAllowedGroup = UserGroupInformation.createProxyUserForTesting(
      PROXY_USER_NAME, superUser, GROUP_NAMES);
  assertAuthorized(inAllowedGroup, "1.2.3.4");
  assertAuthorized(inAllowedGroup, "1.2.3.5");

  // Case 2: the proxy user is created with other groups; the host wildcard must not let it in.
  UserGroupInformation superUserAgain = UserGroupInformation.createRemoteUser(REAL_USER_NAME);
  UserGroupInformation inOtherGroup = UserGroupInformation.createProxyUserForTesting(
      PROXY_USER_NAME, superUserAgain, OTHER_GROUP_NAMES);
  assertNotAuthorized(inOtherGroup, "1.2.3.4");
  assertNotAuthorized(inOtherGroup, "1.2.3.5");
}
/**
 * Checks proxy-user authorization when the hosts setting is the wildcard {@code "*"}.
 *
 * <p>With any caller address accepted, the group list is the only restriction this test shows
 * in effect: a proxy user created with {@code GROUP_NAMES} is allowed from both addresses, and
 * one created with {@code OTHER_GROUP_NAMES} is refused from both.
 */
@Test
public void testWildcardIP() {
  Configuration conf = new Configuration();

  final String groupKey =
      DefaultImpersonationProvider.getTestProvider().getProxySuperuserGroupConfKey(REAL_USER_NAME);
  conf.set(groupKey, StringUtils.join(",", Arrays.asList(GROUP_NAMES)));

  final String hostsKey =
      DefaultImpersonationProvider.getTestProvider().getProxySuperuserIpConfKey(REAL_USER_NAME);
  conf.set(hostsKey, "*");

  ProxyUsers.refreshSuperUserGroupsConfiguration(conf);

  // Case 1: the proxy user is created with the configured groups; either address is accepted.
  UserGroupInformation superUser = UserGroupInformation.createRemoteUser(REAL_USER_NAME);
  UserGroupInformation inAllowedGroup = UserGroupInformation.createProxyUserForTesting(
      PROXY_USER_NAME, superUser, GROUP_NAMES);
  assertAuthorized(inAllowedGroup, "1.2.3.4");
  assertAuthorized(inAllowedGroup, "1.2.3.5");

  // Case 2: the proxy user is created with other groups; the host wildcard must not let it in.
  UserGroupInformation superUserAgain = UserGroupInformation.createRemoteUser(REAL_USER_NAME);
  UserGroupInformation inOtherGroup = UserGroupInformation.createProxyUserForTesting(
      PROXY_USER_NAME, superUserAgain, OTHER_GROUP_NAMES);
  assertNotAuthorized(inOtherGroup, "1.2.3.4");
  assertNotAuthorized(inOtherGroup, "1.2.3.5");
}
/**
 * Checks that the hosts setting of a proxy-user rule accepts an address range.
 *
 * <p>The group setting is the wildcard {@code "*"} and the hosts setting is
 * {@code PROXY_IP_RANGE}; the test expects 10.222.0.0 to be accepted and 10.221.0.0 to be
 * refused for the same proxy user.
 */
@Test
public void testIPRange() {
  Configuration conf = new Configuration();

  final String groupKey =
      DefaultImpersonationProvider.getTestProvider().getProxySuperuserGroupConfKey(REAL_USER_NAME);
  conf.set(groupKey, "*");

  final String hostsKey =
      DefaultImpersonationProvider.getTestProvider().getProxySuperuserIpConfKey(REAL_USER_NAME);
  conf.set(hostsKey, PROXY_IP_RANGE);

  ProxyUsers.refreshSuperUserGroupsConfiguration(conf);

  // Groups are wildcarded, so the caller address is the only thing that varies below.
  UserGroupInformation superUser = UserGroupInformation.createRemoteUser(REAL_USER_NAME);
  UserGroupInformation impersonated = UserGroupInformation.createProxyUserForTesting(
      PROXY_USER_NAME, superUser, GROUP_NAMES);

  // NOTE(review): assumes 10.222.0.0 lies inside PROXY_IP_RANGE and 10.221.0.0 outside it;
  // the range value is not visible here - confirm against the constant.
  assertAuthorized(impersonated, "10.222.0.0");
  assertNotAuthorized(impersonated, "10.221.0.0");
}
// Excerpt only: two deny checks for address 1.2.3.5. proxyUserUgi is set up outside this
// excerpt and may have been reassigned between the two calls in the full test.
assertNotAuthorized(proxyUserUgi, "1.2.3.5");
assertNotAuthorized(proxyUserUgi, "1.2.3.5");
// Excerpt only: two deny checks for address 1.2.3.5. proxyUserUgi is set up outside this
// excerpt and may have been reassigned between the two calls in the full test.
assertNotAuthorized(proxyUserUgi, "1.2.3.5");
assertNotAuthorized(proxyUserUgi, "1.2.3.5");
// Excerpt only: two deny checks for address 1.2.3.5. proxyUserUgi is set up outside this
// excerpt and may have been reassigned between the two calls in the full test.
assertNotAuthorized(proxyUserUgi, "1.2.3.5");
assertNotAuthorized(proxyUserUgi, "1.2.3.5");
// Excerpt only: two deny checks for address 1.2.3.5. proxyUserUgi is set up outside this
// excerpt and may have been reassigned between the two calls in the full test.
assertNotAuthorized(proxyUserUgi, "1.2.3.5");
assertNotAuthorized(proxyUserUgi, "1.2.3.5");