diff --git hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/UserGroupInformation.java hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/UserGroupInformation.java index 80a0898..c1a6164 100644 --- hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/UserGroupInformation.java +++ hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/UserGroupInformation.java @@ -324,7 +324,7 @@ public static void setConfiguration(Configuration conf) { @InterfaceAudience.Private @VisibleForTesting - static void reset() { + public static void reset() { authenticationMethod = null; conf = null; groups = null; diff --git hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/ClientRMService.java hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/ClientRMService.java index cce0fe5..02c6a5f 100644 --- hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/ClientRMService.java +++ hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/ClientRMService.java @@ -1100,7 +1100,7 @@ private boolean isAllowedDelegationTokenOp() throws IOException { .contains(UserGroupInformation.getCurrentUser() .getRealAuthenticationMethod()); } else { - return true; + return false; } } 
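Review bot: Making `reset()` public lets any class on the classpath clear the process-wide `authenticationMethod`, `conf` and `groups`; the remaining `@InterfaceAudience.Private` and `@VisibleForTesting` annotations are advisory and are not enforced at runtime. The wider visibility is presumably needed because the tests that call it live in the YARN resourcemanager module, in a different package. I would at least add a Javadoc saying so, for example `/** Clears all static UGI state. Test-only: calling this in a running daemon discards the security configuration. */`. A test-scoped helper in the `org.apache.hadoop.security` package would allow the method to stay package-private. The body of `reset()` continues outside the hunk.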
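Review bot: The `else` branch in `isAllowedDelegationTokenOp()` that now returns `false` has no comment explaining why delegation-token operations are refused there, and this one-word change alters the result for every caller of the method. The condition is outside the hunk, but the branch is presumably the security-disabled case, so I would add `// Security is off: no Kerberos-authenticated caller exists, so refuse delegation token operations.` above the return. Failing closed is the safer default, but clusters running with simple authentication will now get an error where the call used to succeed, which deserves a line in the commit description. The start of the method and its callers are outside the hunk.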
diff --git hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/TestClientRMService.java hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/TestClientRMService.java index 6a0b99c..9de5edd 100644 --- hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/TestClientRMService.java +++ hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/TestClientRMService.java @@ -48,7 +48,9 @@ import org.apache.commons.logging.LogFactory; import org.apache.hadoop.conf.Configuration; import org.apache.hadoop.io.Text; +import org.apache.hadoop.security.SaslRpcServer.AuthMethod; import org.apache.hadoop.security.UserGroupInformation; +import org.apache.hadoop.security.UserGroupInformation.AuthenticationMethod; import org.apache.hadoop.security.authentication.util.KerberosName; import org.apache.hadoop.security.token.Token; import org.apache.hadoop.yarn.MockApps; @@ -152,6 +154,7 @@ import org.apache.hadoop.yarn.util.UTCClock; import org.apache.hadoop.yarn.util.resource.ResourceCalculator; import org.apache.hadoop.yarn.util.resource.Resources; +import org.junit.After; import org.junit.AfterClass; import org.junit.Assert; import org.junit.BeforeClass; @@ -193,7 +196,7 @@ public static void teardownSecretManager() { } } - @Test + @Test(timeout = 120000) public void testGetClusterNodes() throws Exception { MockRM rm = new MockRM() { protected ClientRMService createClientRMService() { 
@@ -627,7 +630,8 @@ public void testGetQueueInfo() throws Exception { private static final String ownerPrincipal = "owner@EXAMPLE.COM"; private static final String otherPrincipal = "other@EXAMPLE.COM"; private static final UserGroupInformation testerKerb = - UserGroupInformation.createRemoteUser(testerPrincipal); + UserGroupInformation + .createRemoteUser(testerPrincipal, AuthMethod.KERBEROS); private static final UserGroupInformation ownerKerb = UserGroupInformation.createRemoteUser(ownerPrincipal); private static final UserGroupInformation otherKerb = @@ -635,6 +639,7 @@ public void testGetQueueInfo() throws Exception { @Test public void testTokenRenewalByOwner() throws Exception { + initializeUserGroupSecureMode(owner); owner.doAs(new PrivilegedExceptionAction() { @Override public Void run() throws Exception { @@ -647,6 +652,7 @@ public Void run() throws Exception { @Test public void testTokenRenewalWrongUser() throws Exception { try { + initializeUserGroupSecureMode(owner); owner.doAs(new PrivilegedExceptionAction() { @Override public Void run() throws Exception { @@ -669,6 +675,7 @@ public Void run() throws Exception { @Test public void testTokenRenewalByLoginUser() throws Exception { + initializeUserGroupSecureMode(owner); UserGroupInformation.getLoginUser().doAs(new PrivilegedExceptionAction() { @Override public Void run() throws Exception { @@ -706,6 +713,7 @@ public void testTokenCancellationByOwner() throws Exception { RMContext rmContext = mock(RMContext.class); final ClientRMService rmService = new ClientRMService(rmContext, null, null, null, null, dtsm); + initializeUserGroupSecureMode(testerKerb); testerKerb.doAs(new PrivilegedExceptionAction() { @Override public Void run() throws Exception { @@ -713,6 +721,7 @@ public Void run() throws Exception { return null; } }); + initializeUserGroupSecureMode(owner); owner.doAs(new PrivilegedExceptionAction() { @Override public Void run() throws Exception { 
@@ -722,6 +731,20 @@ public Void run() throws Exception { }); } + @After + public void teardown() throws IOException { + UserGroupInformation.reset(); + } + + private void initializeUserGroupSecureMode(UserGroupInformation kerbUsr) + throws IOException { + Configuration conf = new Configuration(); + conf.set("hadoop.security.authentication", "kerberos"); + conf.set("hadoop.security.auth_to_local", kerberosRule); + UserGroupInformation.setConfiguration(conf); + kerbUsr.setAuthenticationMethod(AuthenticationMethod.KERBEROS); + } + @Test public void testTokenCancellationByRenewer() throws Exception { // two tests required - one with a kerberos name @@ -729,6 +752,7 @@ public void testTokenCancellationByRenewer() throws Exception { RMContext rmContext = mock(RMContext.class); final ClientRMService rmService = new ClientRMService(rmContext, null, null, null, null, dtsm); + initializeUserGroupSecureMode(testerKerb); testerKerb.doAs(new PrivilegedExceptionAction() { @Override public Void run() throws Exception { @@ -736,6 +760,7 @@ public Void run() throws Exception { return null; } }); + initializeUserGroupSecureMode(other); other.doAs(new PrivilegedExceptionAction() { @Override public Void run() throws Exception { @@ -746,6 +771,21 @@ public Void run() throws Exception { } @Test + public void testTokenNonSecureuser() throws Exception { + RMContext rmContext = mock(RMContext.class); + ClientRMService rmService = + new ClientRMService(rmContext, null, null, null, null, dtsm); + try { + rmService.getDelegationToken(null); + Assert.fail("Expecting IOException but its failing"); + } catch (Exception e) { + Assert.assertTrue(e.getMessage().contains( + "Delegation Token can be issued only with kerberos authentication")); + } + rmService.close(); + } + + @Test public void testTokenCancellationByWrongUser() { // two sets to test - // 1. try to cancel tokens of short and kerberos users as a kerberos UGI 
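Review bot: `initializeUserGroupSecureMode` is added here and again, almost verbatim, in TestRMDelegationTokens and TestRMWebServicesDelegationTokens; one shared test utility would stop the three copies from drifting (this copy also sets `hadoop.security.auth_to_local`, the other two do not). The helper calls `setAuthenticationMethod(AuthenticationMethod.KERBEROS)` on fixture objects that outlive a single test: `testerKerb` is a `static final` field, and `owner`, `other` and `tester` look like the same kind of shared fixture. `teardown()` calls only `UserGroupInformation.reset()`, so as far as this diff shows, the per-user authentication method stays changed and later tests depend on execution order. If the helper stays, give it a comment such as `// Switches UGI to Kerberos mode and marks kerbUsr as Kerberos-authenticated so delegation token operations are permitted.`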
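Review bot: `testTokenNonSecureuser` never puts UGI into simple-authentication mode itself; it relies on the ambient static state being non-secure, so it should set that configuration explicitly or state the assumption in a comment. `rmService.close()` sits after the try/catch and is skipped when the assertion fails, so it belongs in a `finally` block. The `catch (Exception e)` followed by `e.getMessage().contains(...)` turns into a NullPointerException rather than a readable failure if passing a `null` request raises an exception without a message. Only `getDelegationToken` is exercised; this change adds no test for the renew and cancel paths in non-secure mode.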
@@ -761,6 +801,7 @@ public void testTokenCancellationByWrongUser() { for (final UserGroupInformation tokOwner : kerbTestOwners) { for (final UserGroupInformation tokRenewer : kerbTestRenewers) { try { + initializeUserGroupSecureMode(testerKerb); testerKerb.doAs(new PrivilegedExceptionAction() { @Override public Void run() throws Exception { @@ -791,6 +832,7 @@ public Void run() throws Exception { for (final UserGroupInformation tokOwner : simpleTestOwners) { for (final UserGroupInformation tokRenewer : simpleTestRenewers) { try { + initializeUserGroupSecureMode(tester); tester.doAs(new PrivilegedExceptionAction() { @Override public Void run() throws Exception { @@ -828,12 +870,12 @@ private void checkTokenCancellation(ClientRMService rmService, throws IOException, YarnException { RMDelegationTokenIdentifier tokenIdentifier = new RMDelegationTokenIdentifier(new Text(owner.getUserName()), - new Text(renewer.getUserName()), null); + new Text(renewer.getUserName()), null); Token token = new Token(tokenIdentifier, dtsm); org.apache.hadoop.yarn.api.records.Token dToken = BuilderUtils.newDelegationToken(token.getIdentifier(), token.getKind() - .toString(), token.getPassword(), token.getService().toString()); + .toString(), token.getPassword(), token.getService().toString()); CancelDelegationTokenRequest request = Records.newRecord(CancelDelegationTokenRequest.class); request.setDelegationToken(dToken); 
diff --git hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/security/TestRMDelegationTokens.java hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/security/TestRMDelegationTokens.java index 2847a89..289fd60 100644 --- hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/security/TestRMDelegationTokens.java +++ hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/security/TestRMDelegationTokens.java @@ -21,6 +21,7 @@ import static org.mockito.Mockito.mock; import static org.mockito.Mockito.when; +import java.io.IOException; import java.util.HashSet; import java.util.Map; import java.util.Set; @@ -29,6 +30,7 @@ import org.apache.hadoop.conf.Configuration; import org.apache.hadoop.io.Text; import org.apache.hadoop.security.UserGroupInformation; +import org.apache.hadoop.security.UserGroupInformation.AuthenticationMethod; import org.apache.hadoop.security.token.Token; import org.apache.hadoop.security.token.delegation.DelegationKey; import org.apache.hadoop.util.ExitUtil; 
@@ -67,9 +69,18 @@ public void setup() { conf.set(YarnConfiguration.RM_SCHEDULER, FairScheduler.class.getName()); } + private void initializeUserGroupSecureMode(UserGroupInformation kerbUsr) + throws IOException { + Configuration conf = new Configuration(); + conf.set("hadoop.security.authentication", "kerberos"); + UserGroupInformation.setConfiguration(conf); + kerbUsr.setAuthenticationMethod(AuthenticationMethod.KERBEROS); + } + // Test the DT mast key in the state-store when the mast key is being rolled. @Test(timeout = 15000) public void testRMDTMasterKeyStateOnRollingMasterKey() throws Exception { + initializeUserGroupSecureMode(UserGroupInformation.getCurrentUser()); MemoryRMStateStore memStore = new MemoryRMStateStore(); memStore.init(conf); RMState rmState = memStore.getState(); @@ -78,7 +89,6 @@ public void testRMDTMasterKeyStateOnRollingMasterKey() throws Exception { rmState.getRMDTSecretManagerState().getTokenState(); Set rmDTMasterKeyState = rmState.getRMDTSecretManagerState().getMasterKeyState(); - MockRM rm1 = new MyMockRM(conf, memStore); rm1.start(); // on rm start, two master keys are created. diff --git hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/TestRMWebServicesDelegationTokens.java hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/TestRMWebServicesDelegationTokens.java index dab8343..85c0e93 100644 --- hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/TestRMWebServicesDelegationTokens.java +++ hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/TestRMWebServicesDelegationTokens.java 
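Review bot: `testRMDTMasterKeyStateOnRollingMasterKey` now switches the process-wide UGI configuration to Kerberos, but none of this file's hunks calls `UserGroupInformation.reset()` afterwards, unlike the `@After` methods touched in TestClientRMService and TestRMWebServicesDelegationTokens. Unless an existing teardown outside the hunk already does this, the Kerberos setting and the changed authentication method on the current user carry over into later tests in the same JVM. I would add `@After public void teardown() { UserGroupInformation.reset(); }` to this class.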
@@ -38,6 +38,8 @@ import org.apache.hadoop.conf.Configuration; import org.apache.hadoop.fs.CommonConfigurationKeysPublic; import org.apache.hadoop.minikdc.MiniKdc; +import org.apache.hadoop.security.UserGroupInformation; +import org.apache.hadoop.security.UserGroupInformation.AuthenticationMethod; import org.apache.hadoop.security.authentication.KerberosTestUtils; import org.apache.hadoop.security.authentication.server.AuthenticationFilter; import org.apache.hadoop.security.authentication.server.KerberosAuthenticationHandler; @@ -84,7 +86,6 @@ import com.sun.jersey.api.client.ClientResponse.Status; import com.sun.jersey.api.client.filter.LoggingFilter; import com.sun.jersey.guice.spi.container.servlet.GuiceContainer; -import com.sun.jersey.test.framework.JerseyTest; import com.sun.jersey.test.framework.WebAppDescriptor; @RunWith(Parameterized.class) @@ -246,6 +247,7 @@ public void setUp() throws Exception { super.setUp(); httpSpnegoKeytabFile.deleteOnExit(); testRootDir.deleteOnExit(); + initializeUserGroupSecureMode(UserGroupInformation.getCurrentUser()); } @AfterClass @@ -255,11 +257,20 @@ public static void shutdownKdc() { } } + private void initializeUserGroupSecureMode(UserGroupInformation kerbUsr) + throws IOException { + Configuration conf = new Configuration(); + conf.set("hadoop.security.authentication", "kerberos"); + UserGroupInformation.setConfiguration(conf); + kerbUsr.setAuthenticationMethod(AuthenticationMethod.KERBEROS); + } + @After @Override public void tearDown() throws Exception { rm.stop(); super.tearDown(); + UserGroupInformation.reset(); } // Simple test - try to create a delegation token via web services and check
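Review bot: In `tearDown()` the new `UserGroupInformation.reset()` runs last, so an exception from `rm.stop()` or `super.tearDown()` leaves the Kerberos configuration installed by `setUp()` in place for the next parameterized run. Putting the reset in a `finally` makes it unconditional: `try { rm.stop(); super.tearDown(); } finally { UserGroupInformation.reset(); }`. The literal key `"hadoop.security.authentication"` in the helper could be replaced by `CommonConfigurationKeysPublic.HADOOP_SECURITY_AUTHENTICATION`, since this file already imports that class.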