
1   /**
2    * Licensed to the Apache Software Foundation (ASF) under one
3    * or more contributor license agreements.  See the NOTICE file
4    * distributed with this work for additional information
5    * regarding copyright ownership.  The ASF licenses this file
6    * to you under the Apache License, Version 2.0 (the
7    * "License"); you may not use this file except in compliance
8    * with the License.  You may obtain a copy of the License at
9    *
10   *     http://www.apache.org/licenses/LICENSE-2.0
11   *
12   * Unless required by applicable law or agreed to in writing, software
13   * distributed under the License is distributed on an "AS IS" BASIS,
14   * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
15   * See the License for the specific language governing permissions and
16   * limitations under the License.
17   */
18  package org.apache.hadoop.hbase.security.token;
19  
20  import static org.hamcrest.CoreMatchers.containsString;
21  import static org.hamcrest.CoreMatchers.instanceOf;
22  import static org.junit.Assert.assertEquals;
23  import static org.junit.Assert.assertThat;
24  
25  import com.google.protobuf.ServiceException;
26  
27  import java.io.IOException;
28  import java.util.Arrays;
29  import java.util.Collection;
30  
31  import org.apache.hadoop.hbase.HConstants;
32  import org.apache.hadoop.hbase.TableName;
33  import org.apache.hadoop.hbase.client.Connection;
34  import org.apache.hadoop.hbase.client.ConnectionFactory;
35  import org.apache.hadoop.hbase.client.Table;
36  import org.apache.hadoop.hbase.ipc.BlockingRpcClient;
37  import org.apache.hadoop.hbase.ipc.CoprocessorRpcChannel;
38  import org.apache.hadoop.hbase.ipc.NettyRpcClient;
39  import org.apache.hadoop.hbase.ipc.RpcClientFactory;
40  import org.apache.hadoop.hbase.protobuf.ProtobufUtil;
41  import org.apache.hadoop.hbase.protobuf.generated.AuthenticationProtos;
42  import org.apache.hadoop.hbase.protobuf.generated.AuthenticationProtos.GetAuthenticationTokenRequest;
43  import org.apache.hadoop.hbase.protobuf.generated.AuthenticationProtos.WhoAmIRequest;
44  import org.apache.hadoop.hbase.protobuf.generated.AuthenticationProtos.WhoAmIResponse;
45  import org.apache.hadoop.hbase.security.AccessDeniedException;
46  import org.apache.hadoop.hbase.testclassification.MediumTests;
47  import org.apache.hadoop.hbase.testclassification.SecurityTests;
48  import org.apache.hadoop.security.UserGroupInformation;
49  import org.apache.hadoop.security.UserGroupInformation.AuthenticationMethod;
50  import org.apache.hadoop.security.token.Token;
51  import org.apache.hadoop.security.token.TokenIdentifier;
52  import org.junit.Before;
53  import org.junit.BeforeClass;
54  import org.junit.Test;
55  import org.junit.experimental.categories.Category;
56  import org.junit.runner.RunWith;
57  import org.junit.runners.Parameterized;
58  import org.junit.runners.Parameterized.Parameter;
59  import org.junit.runners.Parameterized.Parameters;
60  
61  
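/**
 * Checks that a client which authenticated with a delegation token cannot use that session to
 * obtain a further delegation token.
 *
 * <p>The test is parameterized over the RPC client implementation, so the same check runs once
 * with {@link BlockingRpcClient} and once with {@link NettyRpcClient}.
 *
 * <p>Cluster start-up, {@code TEST_UTIL} and {@code USERNAME} come from
 * {@link SecureTestCluster}, which is not part of this file.
 */
@RunWith(Parameterized.class)
@Category({ SecurityTests.class, MediumTests.class })
public class TestGenerateDelegationToken extends SecureTestCluster {

  /**
   * Runs the parent set-up, then obtains an authentication token over a fresh connection and
   * attaches it to the current user, so that connections opened later by the test can
   * authenticate with it.
   *
   * @throws Exception if the parent set-up, the connection or the token request fails
   */
  @BeforeClass
  public static void setUp() throws Exception {
    SecureTestCluster.setUp();
    try (Connection conn = ConnectionFactory.createConnection(TEST_UTIL.getConfiguration())) {
      Token<? extends TokenIdentifier> token = TokenUtil.obtainToken(conn);
      UserGroupInformation.getCurrentUser().addToken(token);
    }
  }

  /**
   * Supplies the RPC client implementations to test against.
   *
   * @return one single-element parameter array per RPC client class name
   */
  @Parameters(name = "{index}: rpcClientImpl={0}")
  public static Collection<Object[]> parameters() {
    return Arrays.asList(new Object[] { BlockingRpcClient.class.getName() },
      new Object[] { NettyRpcClient.class.getName() });
  }

  /** Fully qualified class name of the RPC client implementation used by this run. */
  @Parameter
  public String rpcClientImpl;

  /**
   * Selects the RPC client implementation for this run by writing it into the shared test
   * configuration before each test method.
   */
  @Before
  public void setUpBeforeMethod() {
    TEST_UTIL.getConfiguration().set(RpcClientFactory.CUSTOM_RPC_CLIENT_IMPL_CONF_KEY,
      rpcClientImpl);
  }

  /**
   * Verifies that the session is token-authenticated as {@code USERNAME} and that a request for
   * a new authentication token on that session is rejected with {@link AccessDeniedException}.
   *
   * @throws Exception if the connection, the table or the {@code whoAmI} call fails
   */
  @Test
  public void test() throws Exception {
    try (Connection conn = ConnectionFactory.createConnection(TEST_UTIL.getConfiguration());
        Table table = conn.getTable(TableName.META_TABLE_NAME)) {
      CoprocessorRpcChannel rpcChannel = table.coprocessorService(HConstants.EMPTY_START_ROW);
      AuthenticationProtos.AuthenticationService.BlockingInterface service =
          AuthenticationProtos.AuthenticationService.newBlockingStub(rpcChannel);

      // Precondition: the server must see this session as TOKEN-authenticated, otherwise the
      // denial check below would not be exercising the token path at all.
      WhoAmIResponse response = service.whoAmI(null, WhoAmIRequest.getDefaultInstance());
      assertEquals(USERNAME, response.getUsername());
      assertEquals(AuthenticationMethod.TOKEN.name(), response.getAuthMethod());

      try {
        service.getAuthenticationToken(null, GetAuthenticationTokenRequest.getDefaultInstance());
        // Reaching this line means the server issued a token to a token-authenticated client.
        // Without an explicit failure here the test would pass silently in exactly the case it
        // exists to catch. AssertionError is not a ServiceException, so the catch below does
        // not swallow it.
        throw new AssertionError(
          "Expected AccessDeniedException: a token-authenticated client obtained a new token");
      } catch (ServiceException e) {
        IOException ioe = ProtobufUtil.getRemoteException(e);
        assertThat(ioe, instanceOf(AccessDeniedException.class));
        assertThat(ioe.getMessage(),
          containsString("Token generation only allowed for Kerberos authenticated clients"));
      }
    }
  }
}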