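/**
 * Licensed to the Apache Software Foundation (ASF) under one
 * or more contributor license agreements.  See the NOTICE file
 * distributed with this work for additional information
 * regarding copyright ownership.  The ASF licenses this file
 * to you under the Apache License, Version 2.0 (the
 * "License"); you may not use this file except in compliance
 * with the License.  You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
package org.apache.hadoop.mapred;

import java.io.IOException;

import javax.security.auth.login.LoginException;

import junit.framework.TestCase;

import org.apache.hadoop.security.UnixUserGroupInformation;
import org.apache.hadoop.security.UserGroupInformation;

/**
 * Unit tests for the queue ACLs reported to the current user by
 * {@link QueueManager#getQueueAcls(UserGroupInformation)}.
 *
 * <p>Every queue is configured through a pair of keys of the form
 * {@code mapred.queue.<queue>.acl-submit-job} and
 * {@code mapred.queue.<queue>.acl-administer-jobs}. An ACL value is either
 * {@code *}, a user list, or a group list introduced by a leading space
 * (the form used for qu5 and for qu2 in the no-access setup).
 *
 * <p>A misspelled key is never read as that queue's ACL, so the restriction
 * it was meant to express is not applied and the test can pass without
 * exercising it. The keys below are therefore kept strictly in the
 * {@code <queue>.<acl-name>} form.
 */
public class TestQueueAclsForCurrentUser extends TestCase {

  private QueueManager queueManager;
  private JobConf conf = null;
  UserGroupInformation currentUGI = null;
  String submitAcl = QueueManager.QueueOperation.SUBMIT_JOB.getAclName();
  String adminAcl = QueueManager.QueueOperation.ADMINISTER_JOBS.getAclName();

  /**
   * Builds a configuration in which the current user is granted nothing:
   * qu1 is restricted to user {@code u1} and qu2 to group {@code g2}.
   *
   * <p>Assumes the account running the test is neither {@code u1} nor a
   * member of {@code g2}.
   *
   * @throws IOException if the queue manager cannot be created
   * @throws LoginException if the current user cannot be resolved
   */
  private void setupConfForNoAccess() throws IOException, LoginException {
    currentUGI = UnixUserGroupInformation.login();

    conf = new JobConf();
    conf.setBoolean("mapred.acls.enabled", true);
    conf.set("mapred.queue.names", "qu1,qu2");

    // qu1: only user u1 has access.
    conf.set("mapred.queue.qu1.acl-submit-job", "u1");
    conf.set("mapred.queue.qu1.acl-administer-jobs", "u1");

    // qu2: only group g2 has access (leading space = empty user list).
    conf.set("mapred.queue.qu2.acl-submit-job", " g2");
    conf.set("mapred.queue.qu2.acl-administer-jobs", " g2");

    queueManager = new QueueManager(conf);
  }

  /**
   * Builds the seven-queue configuration used by the ACL listing tests.
   *
   * <p>Assumes the account running the test is not named {@code u2}.
   *
   * @param aclSwitch value written to {@code mapred.acls.enabled}
   * @throws IOException if the queue manager cannot be created
   * @throws LoginException if the current user cannot be resolved
   */
  private void setupConf(boolean aclSwitch) throws IOException, LoginException {
    currentUGI = UnixUserGroupInformation.login();
    String userName = currentUGI.getUserName();

    conf = new JobConf();
    conf.setBoolean("mapred.acls.enabled", aclSwitch);
    conf.set("mapred.queue.names", "qu1,qu2,qu3,qu4,qu5,qu6,qu7");

    // qu1: every user may both submit and administer.
    // The administer key previously read "qu1-acl-administer-jobs"
    // (hyphen instead of dot), so this ACL was never actually set.
    conf.set("mapred.queue.qu1.acl-submit-job", "*");
    conf.set("mapred.queue.qu1.acl-administer-jobs", "*");

    // qu2: only u2 has any access.
    conf.set("mapred.queue.qu2.acl-submit-job", "u2");
    conf.set("mapred.queue.qu2.acl-administer-jobs", "u2");

    // qu3: only u2 may submit, everyone may administer.
    conf.set("mapred.queue.qu3.acl-submit-job", "u2");
    conf.set("mapred.queue.qu3.acl-administer-jobs", "*");

    // qu4: everyone may submit, only u2 may administer.
    conf.set("mapred.queue.qu4.acl-submit-job", "*");
    conf.set("mapred.queue.qu4.acl-administer-jobs", "u2");

    // qu6: only the current user may submit; administer is restricted to u2.
    // The administer keys for qu5, qu6 and qu7 previously used the name
    // "acl-administrator-jobs", which does not match the key form used for
    // the other queues, so the restriction was silently not applied.
    conf.set("mapred.queue.qu6.acl-submit-job", userName);
    conf.set("mapred.queue.qu6.acl-administer-jobs", "u2");

    // qu7: only the current user may administer; submit is restricted to u2.
    conf.set("mapred.queue.qu7.acl-submit-job", "u2");
    conf.set("mapred.queue.qu7.acl-administer-jobs", userName);

    // qu5: only the current user's groups have access.
    StringBuilder groupNames = new StringBuilder();
    String[] ugiGroupNames = currentUGI.getGroupNames();
    for (int j = 0; j < ugiGroupNames.length; j++) {
      if (j > 0) {
        groupNames.append(",");
      }
      groupNames.append(ugiGroupNames[j]);
    }
    // Leading space marks the value as a group list with no named users.
    String groupAcl = " " + groupNames.toString();
    conf.set("mapred.queue.qu5.acl-submit-job", groupAcl);
    conf.set("mapred.queue.qu5.acl-administer-jobs", groupAcl);

    queueManager = new QueueManager(conf);
  }

  /** With ACLs enabled, the listing must reflect each queue's configured ACLs. */
  public void testQueueAclsForCurrentuser() throws IOException, LoginException {
    setupConf(true);
    QueueAclsInfo[] queueAclsInfoList = queueManager.getQueueAcls(currentUGI);
    checkQueueAclsInfo(queueAclsInfoList);
  }

  /** With ACLs disabled, every listed queue must report both operations. */
  public void testQueueAclsForCurrentUserAclsDisabled()
      throws IOException, LoginException {
    setupConf(false);
    // Fetch the ACL info for the current user.
    QueueAclsInfo[] queueAclsInfoList = queueManager.getQueueAcls(currentUGI);
    checkQueueAclsInfo(queueAclsInfoList);
  }

  /** A user matching no ACL must get an empty listing. */
  public void testQueueAclsForNoAccess() throws IOException, LoginException {
    setupConfForNoAccess();
    QueueAclsInfo[] queueAclsInfoList = queueManager.getQueueAcls(currentUGI);
    assertEquals(0, queueAclsInfoList.length);
  }

  /**
   * Verifies the listing returned for the configuration built by
   * {@link #setupConf(boolean)}.
   *
   * @param queueAclsInfoList listing returned for the current user
   * @throws IOException declared for callers; not thrown by the checks here
   */
  private void checkQueueAclsInfo(QueueAclsInfo[] queueAclsInfoList)
      throws IOException {
    if (conf.get("mapred.acls.enabled").equalsIgnoreCase("true")) {
      // qu1 grants submit to "*", so an empty listing means the per-queue
      // assertions below were never reached rather than that they passed.
      assertTrue("no queues listed for current user",
          queueAclsInfoList.length > 0);

      for (QueueAclsInfo acls : queueAclsInfoList) {
        String queueName = acls.getQueueName();
        String[] operations = acls.getOperations();

        // qu2 is restricted to u2 and must never be listed.
        assertFalse(queueName.contains("qu2"));

        if (queueName.equals("qu1")) {
          assertEquals(2, operations.length);
          assertTrue(checkAll(operations));
        } else if (queueName.equals("qu3")) {
          assertEquals(1, operations.length);
          assertTrue(operations[0].equalsIgnoreCase(adminAcl));
        } else if (queueName.equals("qu4")) {
          assertEquals(1, operations.length);
          assertTrue(operations[0].equalsIgnoreCase(submitAcl));
        } else if (queueName.equals("qu5")) {
          assertEquals(2, operations.length);
          assertTrue(checkAll(operations));
        } else if (queueName.equals("qu6")) {
          // Exactly one operation: a second one would mean the
          // administer restriction to u2 is not being enforced.
          assertEquals(1, operations.length);
          assertTrue(operations[0].equals(submitAcl));
        } else if (queueName.equals("qu7")) {
          // Exactly one operation: a second one would mean the
          // submit restriction to u2 is not being enforced.
          assertEquals(1, operations.length);
          assertTrue(operations[0].equals(adminAcl));
        }
      }
    } else {
      // NOTE(review): this loop passes vacuously on an empty listing;
      // confirm that getQueueAcls lists every queue when ACLs are disabled
      // and, if so, assert the expected count here.
      for (QueueAclsInfo acls : queueAclsInfoList) {
        String[] operations = acls.getOperations();
        assertEquals(2, operations.length);
        assertTrue(checkAll(operations));
      }
    }
  }

  /**
   * Reports whether both the submit and the administer ACL names occur in
   * {@code operations} (compared case-insensitively).
   *
   * @param operations ACL names returned for one queue
   * @return {@code true} if both ACL names are present
   */
  private boolean checkAll(String[] operations) {
    boolean submit = false;
    boolean admin = false;
    for (String val : operations) {
      if (val.equalsIgnoreCase(submitAcl)) {
        submit = true;
      } else if (val.equalsIgnoreCase(adminAcl)) {
        admin = true;
      }
    }
    return submit && admin;
  }
}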