Repository: accumulo Updated Branches: refs/heads/1.7 e43e9273e -> c85e04f5e refs/heads/master cf75edb45 -> de5041695
ACCUMULO-4135 Some extra tests and deprecation suppressions. Project: http://git-wip-us.apache.org/repos/asf/accumulo/repo Commit: http://git-wip-us.apache.org/repos/asf/accumulo/commit/c85e04f5 Tree: http://git-wip-us.apache.org/repos/asf/accumulo/tree/c85e04f5 Diff: http://git-wip-us.apache.org/repos/asf/accumulo/diff/c85e04f5 Branch: refs/heads/1.7 Commit: c85e04f5eba2d0f66ce2263add117b8d6f1028f7 Parents: e43e927 Author: Josh Elser <els...@apache.org> Authored: Sun Feb 7 21:12:10 2016 -0500 Committer: Josh Elser <els...@apache.org> Committed: Sun Feb 7 21:35:23 2016 -0500 ---------------------------------------------------------------------- ...redentialsUpdatingInvocationHandlerTest.java | 79 ++++++++++++++++++++ .../test/functional/KerberosProxyIT.java | 4 +- 2 files changed, 81 insertions(+), 2 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/accumulo/blob/c85e04f5/server/base/src/test/java/org/apache/accumulo/server/rpc/TCredentialsUpdatingInvocationHandlerTest.java ----------------------------------------------------------------------
diff --git a/server/base/src/test/java/org/apache/accumulo/server/rpc/TCredentialsUpdatingInvocationHandlerTest.java b/server/base/src/test/java/org/apache/accumulo/server/rpc/TCredentialsUpdatingInvocationHandlerTest.java
index 740acd9..c4340c6 100644
--- a/server/base/src/test/java/org/apache/accumulo/server/rpc/TCredentialsUpdatingInvocationHandlerTest.java
+++ b/server/base/src/test/java/org/apache/accumulo/server/rpc/TCredentialsUpdatingInvocationHandlerTest.java
@@ -117,6 +117,7 @@ public class TCredentialsUpdatingInvocationHandlerTest {
 proxy.updateArgs(new Object[] {new Object(), tcreds});
 }
 
+ @SuppressWarnings("deprecation")
 @Test
 public void testAllowedAnyImpersonationForAnyUser() throws Exception {
 final String proxyServer = "proxy";
@@ -129,6 +130,18 @@ public class TCredentialsUpdatingInvocationHandlerTest {
 }
 
 @Test
+ public void testAllowedAnyImpersonationForAnyUserNewConfig() throws Exception {
+ final String proxyServer = "proxy";
+ cc.set(Property.INSTANCE_RPC_SASL_ALLOWED_USER_IMPERSONATION, proxyServer + ":*");
+ cc.set(Property.INSTANCE_RPC_SASL_ALLOWED_HOST_IMPERSONATION, "*");
+ proxy = new TCredentialsUpdatingInvocationHandler<Object>(new Object(), conf);
+ TCredentials tcreds = new TCredentials("client", KerberosToken.class.getName(), ByteBuffer.allocate(0), UUID.randomUUID().toString());
+ UGIAssumingProcessor.rpcPrincipal.set(proxyServer);
+ proxy.updateArgs(new Object[] {new Object(), tcreds});
+ }
+
+ @SuppressWarnings("deprecation")
+ @Test
 public void testAllowedImpersonationForSpecificUsers() throws Exception {
 final String proxyServer = "proxy";
 cc.set(Property.INSTANCE_RPC_SASL_PROXYUSERS.getKey() + proxyServer + ".users", "client1,client2");
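Review bot: `UGIAssumingProcessor.rpcPrincipal.set(proxyServer)` in testAllowedAnyImpersonationForAnyUserNewConfig is never cleared, and every other NewConfig test added by this commit does the same; the two host tests also set `TServerUtils.clientAddress`. Both look like per-thread holders, so a value left behind by one test can still be in place when the next one runs on the same thread, which makes the outcome of an authorization test depend on execution order. The class's setup and teardown are outside this diff; if nothing there resets them, a teardown such as `@After public void clearRpcState() { UGIAssumingProcessor.rpcPrincipal.remove(); TServerUtils.clientAddress.remove(); }` would isolate the cases (assuming both fields are `ThreadLocal`s).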
@@ -141,6 +154,20 @@ public class TCredentialsUpdatingInvocationHandlerTest {
 proxy.updateArgs(new Object[] {new Object(), tcreds});
 }
 
+ @Test
+ public void testAllowedImpersonationForSpecificUsersNewConfig() throws Exception {
+ final String proxyServer = "proxy";
+ cc.set(Property.INSTANCE_RPC_SASL_ALLOWED_USER_IMPERSONATION, proxyServer + ":client1,client2");
+ cc.set(Property.INSTANCE_RPC_SASL_ALLOWED_HOST_IMPERSONATION, "*");
+ proxy = new TCredentialsUpdatingInvocationHandler<Object>(new Object(), conf);
+ TCredentials tcreds = new TCredentials("client1", KerberosToken.class.getName(), ByteBuffer.allocate(0), UUID.randomUUID().toString());
+ UGIAssumingProcessor.rpcPrincipal.set(proxyServer);
+ proxy.updateArgs(new Object[] {new Object(), tcreds});
+ tcreds = new TCredentials("client2", KerberosToken.class.getName(), ByteBuffer.allocate(0), UUID.randomUUID().toString());
+ proxy.updateArgs(new Object[] {new Object(), tcreds});
+ }
+
+ @SuppressWarnings("deprecation")
 @Test(expected = ThriftSecurityException.class)
 public void testDisallowedImpersonationForUser() throws Exception {
 final String proxyServer = "proxy";
@@ -154,6 +181,19 @@ public class TCredentialsUpdatingInvocationHandlerTest {
 }
 
 @Test(expected = ThriftSecurityException.class)
+ public void testDisallowedImpersonationForUserNewConfig() throws Exception {
+ final String proxyServer = "proxy";
+ // let "otherproxy" impersonate, but not "proxy"
+ cc.set(Property.INSTANCE_RPC_SASL_ALLOWED_USER_IMPERSONATION, "otherproxy:*");
+ cc.set(Property.INSTANCE_RPC_SASL_ALLOWED_HOST_IMPERSONATION, "*");
+ proxy = new TCredentialsUpdatingInvocationHandler<Object>(new Object(), conf);
+ TCredentials tcreds = new TCredentials("client", KerberosToken.class.getName(), ByteBuffer.allocate(0), UUID.randomUUID().toString());
+ UGIAssumingProcessor.rpcPrincipal.set(proxyServer);
+ proxy.updateArgs(new Object[] {new Object(), tcreds});
+ }
+
+ @SuppressWarnings("deprecation")
+ @Test(expected = ThriftSecurityException.class)
 public void testDisallowedImpersonationForMultipleUsers() throws Exception {
 final String proxyServer = "proxy";
 // let "otherproxy" impersonate, but not "proxy"
@@ -167,6 +207,19 @@ public class TCredentialsUpdatingInvocationHandlerTest {
 proxy.updateArgs(new Object[] {new Object(), tcreds});
 }
 
+ @Test(expected = ThriftSecurityException.class)
+ public void testDisallowedImpersonationForMultipleUsersNewConfig() throws Exception {
+ final String proxyServer = "proxy";
+ // let "otherproxy" impersonate, but not "proxy"
+ cc.set(Property.INSTANCE_RPC_SASL_ALLOWED_USER_IMPERSONATION, "otherproxy1:*;otherproxy2:client1,client2");
+ cc.set(Property.INSTANCE_RPC_SASL_ALLOWED_HOST_IMPERSONATION, "*;*");
+ proxy = new TCredentialsUpdatingInvocationHandler<Object>(new Object(), conf);
+ TCredentials tcreds = new TCredentials("client1", KerberosToken.class.getName(), ByteBuffer.allocate(0), UUID.randomUUID().toString());
+ UGIAssumingProcessor.rpcPrincipal.set(proxyServer);
+ proxy.updateArgs(new Object[] {new Object(), tcreds});
+ }
+
+ @SuppressWarnings("deprecation")
 @Test
 public void testAllowedImpersonationFromSpecificHost() throws Exception {
 final String proxyServer = "proxy", client = "client", host = "host.domain.com";
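Review bot: Neither rejection test for the new property format checks the per-proxy user list: here and in testDisallowedImpersonationForUserNewConfig the call is refused because `proxy` has no entry at all in `INSTANCE_RPC_SASL_ALLOWED_USER_IMPERSONATION`. A handler that honoured the proxy name but ignored the user list after the colon would pass every NewConfig test in this commit. A case where `proxy` is configured for `client1,client2` and presents a different user closes that gap. The comment above the `cc.set` call could also name `otherproxy1` and `otherproxy2`, which are the entries actually configured.

```java
@Test(expected = ThriftSecurityException.class)
public void testDisallowedImpersonationForUnlistedUserNewConfig() throws Exception {
  final String proxyServer = "proxy";
  // "proxy" may impersonate client1 and client2 only
  cc.set(Property.INSTANCE_RPC_SASL_ALLOWED_USER_IMPERSONATION, proxyServer + ":client1,client2");
  cc.set(Property.INSTANCE_RPC_SASL_ALLOWED_HOST_IMPERSONATION, "*");
  proxy = new TCredentialsUpdatingInvocationHandler<Object>(new Object(), conf);
  // client3 is not in the allowed list, so the call must be refused
  TCredentials tcreds = new TCredentials("client3", KerberosToken.class.getName(), ByteBuffer.allocate(0), UUID.randomUUID().toString());
  UGIAssumingProcessor.rpcPrincipal.set(proxyServer);
  proxy.updateArgs(new Object[] {new Object(), tcreds});
}
```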
@@ -179,6 +232,19 @@ public class TCredentialsUpdatingInvocationHandlerTest {
 proxy.updateArgs(new Object[] {new Object(), tcreds});
 }
 
+ @Test
+ public void testAllowedImpersonationFromSpecificHostNewConfig() throws Exception {
+ final String proxyServer = "proxy", client = "client", host = "host.domain.com";
+ cc.set(Property.INSTANCE_RPC_SASL_ALLOWED_USER_IMPERSONATION, proxyServer + ":" + client);
+ cc.set(Property.INSTANCE_RPC_SASL_ALLOWED_HOST_IMPERSONATION, host);
+ proxy = new TCredentialsUpdatingInvocationHandler<Object>(new Object(), conf);
+ TCredentials tcreds = new TCredentials("client", KerberosToken.class.getName(), ByteBuffer.allocate(0), UUID.randomUUID().toString());
+ UGIAssumingProcessor.rpcPrincipal.set(proxyServer);
+ TServerUtils.clientAddress.set(host);
+ proxy.updateArgs(new Object[] {new Object(), tcreds});
+ }
+
+ @SuppressWarnings("deprecation")
 @Test(expected = ThriftSecurityException.class)
 public void testDisallowedImpersonationFromSpecificHost() throws Exception {
 final String proxyServer = "proxy", client = "client", host = "host.domain.com";
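Review bot: The `client` local is used to build the allow-list in testAllowedImpersonationFromSpecificHostNewConfig, but the credentials are created with the literal `"client"`, so the configured user and the presented user match only because the two strings happen to be spelled the same. Passing the variable, `new TCredentials(client, KerberosToken.class.getName(), ByteBuffer.allocate(0), UUID.randomUUID().toString())`, keeps the two tied together. testDisallowedImpersonationFromSpecificHostNewConfig in the next hunk has the same pattern, and it matters more there: if the names ever drifted apart, the user mismatch would also raise `ThriftSecurityException` and the test would keep passing without exercising the host check.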
@@ -191,4 +257,17 @@ public class TCredentialsUpdatingInvocationHandlerTest {
 TServerUtils.clientAddress.set("otherhost.domain.com");
 proxy.updateArgs(new Object[] {new Object(), tcreds});
 }
+
+ @Test(expected = ThriftSecurityException.class)
+ public void testDisallowedImpersonationFromSpecificHostNewConfig() throws Exception {
+ final String proxyServer = "proxy", client = "client", host = "host.domain.com";
+ cc.set(Property.INSTANCE_RPC_SASL_ALLOWED_USER_IMPERSONATION, proxyServer + ":" + client);
+ cc.set(Property.INSTANCE_RPC_SASL_ALLOWED_HOST_IMPERSONATION, host);
+ proxy = new TCredentialsUpdatingInvocationHandler<Object>(new Object(), conf);
+ TCredentials tcreds = new TCredentials("client", KerberosToken.class.getName(), ByteBuffer.allocate(0), UUID.randomUUID().toString());
+ UGIAssumingProcessor.rpcPrincipal.set(proxyServer);
+ // The RPC came from a different host than is allowed
+ TServerUtils.clientAddress.set("otherhost.domain.com");
+ proxy.updateArgs(new Object[] {new Object(), tcreds});
+ }
 }
http://git-wip-us.apache.org/repos/asf/accumulo/blob/c85e04f5/test/src/test/java/org/apache/accumulo/test/functional/KerberosProxyIT.java ----------------------------------------------------------------------
diff --git a/test/src/test/java/org/apache/accumulo/test/functional/KerberosProxyIT.java b/test/src/test/java/org/apache/accumulo/test/functional/KerberosProxyIT.java
index bbaf247..b9274e0 100644
--- a/test/src/test/java/org/apache/accumulo/test/functional/KerberosProxyIT.java
+++ b/test/src/test/java/org/apache/accumulo/test/functional/KerberosProxyIT.java
@@ -139,8 +139,8 @@ public class KerberosProxyIT extends AccumuloIT {
 cfg.setNumTservers(1);
 Map<String,String> siteCfg = cfg.getSiteConfig();
 // Allow the proxy to impersonate the client user, but no one else
- siteCfg.put(Property.INSTANCE_RPC_SASL_PROXYUSERS.getKey() + proxyPrincipal + ".users", kdc.getRootUser().getPrincipal());
- siteCfg.put(Property.INSTANCE_RPC_SASL_PROXYUSERS.getKey() + proxyPrincipal + ".hosts", "*");
+ siteCfg.put(Property.INSTANCE_RPC_SASL_ALLOWED_USER_IMPERSONATION.getKey(), proxyPrincipal + ":" + kdc.getRootUser().getPrincipal());
+ siteCfg.put(Property.INSTANCE_RPC_SASL_ALLOWED_HOST_IMPERSONATION.getKey(), "*");
 cfg.setSiteConfig(siteCfg);
 }
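Review bot: The comment above these `siteCfg.put` calls says the proxy may impersonate the client user "but no one else", yet nothing documents the `"*"` given for `INSTANCE_RPC_SASL_ALLOWED_HOST_IMPERSONATION`, which leaves the originating host unrestricted. A second comment line such as `// Hosts are not restricted in this test; only the impersonated user is` would make that choice explicit and keep a reader from carrying the wildcard into a real site configuration. The enclosing method starts outside the hunk.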