[GitHub] [lucene-solr] rmuir commented on issue #1068: SOLR-14033: Fix Hadoop tests with security manager

GitBox Mon, 09 Dec 2019 18:57:59 -0800

rmuir commented on issue #1068: SOLR-14033: Fix Hadoop tests with security 
manager
URL: https://github.com/apache/lucene-solr/pull/1068#issuecomment-563647313
 
 
   I had two failures, both involved hadoop trying to execute to get unix 
supplementary groups:
   ```
      [junit4]   - org.apache.solr.cloud.TestSolrCloudWithSecureImpersonation 
(suite)
      [junit4]   - 
org.apache.solr.security.hadoop.TestImpersonationWithHadoopAuth (suite)
   ```
   
   Stacks look like this in both cases:
   ```
      [junit4] ERROR   0.00s J0  | TestImpersonationWithHadoopAuth (suite) <<<
      [junit4]    > Throwable #1: 
com.google.common.util.concurrent.UncheckedExecutionException: 
java.security.AccessControlException: access denied ("java.io.FilePermission" 
"<<ALL FILES>>" "execute")
      [junit4]    >     at __randomizedtesting.SeedInfo.seed([C1005F0247624]:0)
      [junit4]    >     at 
com.google.common.cache.LocalCache$Segment.get(LocalCache.java:2050)
      [junit4]    >     at 
com.google.common.cache.LocalCache.get(LocalCache.java:3951)
      [junit4]    >     at 
com.google.common.cache.LocalCache.getOrLoad(LocalCache.java:3973)
      [junit4]    >     at 
com.google.common.cache.LocalCache$LocalLoadingCache.get(LocalCache.java:4957)
      [junit4]    >     at 
org.apache.hadoop.security.Groups.getGroups(Groups.java:228)
      [junit4]    >     at 
org.apache.solr.security.hadoop.ImpersonationUtil.getUsersFirstGroup(ImpersonationUtil.java:42)
      [junit4]    >     at 
org.apache.solr.security.hadoop.TestImpersonationWithHadoopAuth.setupClass(TestImpersonationWithHadoopAuth.java:74)
      [junit4]    >     at 
java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
      [junit4]    >     at 
java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
      [junit4]    >     at 
java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
      [junit4]    >     at 
java.base/java.lang.reflect.Method.invoke(Method.java:567)
      [junit4]    >     at java.base/java.lang.Thread.run(Thread.java:830)
      [junit4]    > Caused by: java.security.AccessControlException: access 
denied ("java.io.FilePermission" "<<ALL FILES>>" "execute")
      [junit4]    >     at 
java.base/java.security.AccessControlContext.checkPermission(AccessControlContext.java:472)
      [junit4]    >     at 
java.base/java.security.AccessController.checkPermission(AccessController.java:1036)
      [junit4]    >     at 
java.base/java.lang.SecurityManager.checkPermission(SecurityManager.java:408)
      [junit4]    >     at 
java.base/java.lang.SecurityManager.checkExec(SecurityManager.java:658)
      [junit4]    >     at 
java.base/java.lang.ProcessBuilder.start(ProcessBuilder.java:1096)
      [junit4]    >     at 
java.base/java.lang.ProcessBuilder.start(ProcessBuilder.java:1071)
      [junit4]    >     at 
org.apache.hadoop.util.Shell.runCommand(Shell.java:938)
      [junit4]    >     at org.apache.hadoop.util.Shell.run(Shell.java:901)
      [junit4]    >     at 
org.apache.hadoop.util.Shell$ShellCommandExecutor.execute(Shell.java:1213)
      [junit4]    >     at 
org.apache.hadoop.security.ShellBasedUnixGroupsMapping.getUnixGroups(ShellBasedUnixGroupsMapping.java:200)
      [junit4]    >     at 
org.apache.hadoop.security.ShellBasedUnixGroupsMapping.getGroups(ShellBasedUnixGroupsMapping.java:97)
      [junit4]    >     at 
org.apache.hadoop.security.JniBasedUnixGroupsMappingWithFallback.getGroups(JniBasedUnixGroupsMappingWithFallback.java:51)
      [junit4]    >     at 
org.apache.hadoop.security.Groups$GroupCacheLoader.fetchGroupList(Groups.java:387)
      [junit4]    >     at 
org.apache.hadoop.security.Groups$GroupCacheLoader.load(Groups.java:321)
      [junit4]    >     at 
org.apache.hadoop.security.Groups$GroupCacheLoader.load(Groups.java:270)
      [junit4]    >     at 
com.google.common.cache.LocalCache$LoadingValueReference.loadFuture(LocalCache.java:3527)
      [junit4]    >     at 
com.google.common.cache.LocalCache$Segment.loadSync(LocalCache.java:2276)
      [junit4]    >     at 
com.google.common.cache.LocalCache$Segment.lockedGetOrLoad(LocalCache.java:2154)
      [junit4]    >     at 
com.google.common.cache.LocalCache$Segment.get(LocalCache.java:2044)
      [junit4]    >     ... 29 more
   ```
   
   I haven't looked at what is going on here, maybe the user's supplementary 
groups could be retrieved instead via JAAS functionality, e.g. 
https://docs.oracle.com/javase/7/docs/jre/api/security/jaas/spec/com/sun/security/auth/module/UnixSystem.html
 ?


----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org


With regards,
Apache Git Services

---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscr...@lucene.apache.org
For additional commands, e-mail: issues-h...@lucene.apache.org

[GitHub] [lucene-solr] rmuir commented on issue #1068: SOLR-14033: Fix Hadoop tests with security manager

Reply via email to