TestTokenAuthentication.java example

Explorer
hbase-trunk-mttr-master
/*
 * Licensed to the Apache Software Foundation (ASF) under one
 * or more contributor license agreements.  See the NOTICE file
 * distributed with this work for additional information
 * regarding copyright ownership.  The ASF licenses this file
 * to you under the Apache License, Version 2.0 (the
 * "License"); you may not use this file except in compliance
 * with the License.  You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

package org.apache.hadoop.hbase.security.token;

import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertTrue;

import java.security.PrivilegedExceptionAction;
import java.util.UUID;

import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.hbase.HBaseTestingUtility;
import org.apache.hadoop.hbase.HConstants;
import org.apache.hadoop.hbase.LargeTests;
import org.apache.hadoop.hbase.client.HTable;
import org.apache.hadoop.hbase.coprocessor.BaseEndpointCoprocessor;
import org.apache.hadoop.hbase.ipc.CoprocessorProtocol;
import org.apache.hadoop.hbase.ipc.HBaseRPC;
import org.apache.hadoop.hbase.ipc.HBaseServer;
import org.apache.hadoop.hbase.ipc.RequestContext;
import org.apache.hadoop.hbase.ipc.RpcServer;
import org.apache.hadoop.hbase.regionserver.HRegionServer;
import org.apache.hadoop.hbase.security.User;
import org.apache.hadoop.hbase.util.Bytes;
import org.apache.hadoop.hbase.util.Writables;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.security.token.SecretManager;
import org.apache.hadoop.security.token.Token;
import org.junit.AfterClass;
import org.junit.BeforeClass;
import org.junit.Test;
import org.junit.experimental.categories.Category;

/**
 * Tests for authentication token creation and usage
 */
@Category(LargeTests.class)
public class TestTokenAuthentication {
  public static interface IdentityProtocol extends CoprocessorProtocol {
    public String whoami();
    public String getAuthMethod();
  }

  public static class IdentityCoprocessor extends BaseEndpointCoprocessor
      implements IdentityProtocol {
    public String whoami() {
      return RequestContext.getRequestUserName();
    }

    public String getAuthMethod() {
      UserGroupInformation ugi = null;
      User user = RequestContext.getRequestUser();
      if (user != null) {
        ugi = user.getUGI();
      }
      if (ugi != null) {
        return ugi.getAuthenticationMethod().toString();
      }
      return null;
    }
  }

  private static HBaseTestingUtility TEST_UTIL;
  private static AuthenticationTokenSecretManager secretManager;

  @BeforeClass
  public static void setupBeforeClass() throws Exception {
    TEST_UTIL = new HBaseTestingUtility();
    Configuration conf = TEST_UTIL.getConfiguration();
    conf.set("hbase.coprocessor.region.classes",
        IdentityCoprocessor.class.getName());
    TEST_UTIL.startMiniCluster();
    HRegionServer rs = TEST_UTIL.getMiniHBaseCluster().getRegionServer(0);
    secretManager = new AuthenticationTokenSecretManager(conf, rs.getZooKeeper(),
        rs.getServerName().toString(), 
        conf.getLong("hbase.auth.key.update.interval", 24*60*60*1000), 
        conf.getLong("hbase.auth.token.max.lifetime", 7*24*60*60*1000));
    secretManager.start(); 
    while(secretManager.getCurrentKey() == null) {
      Thread.sleep(1);
    }
  }

  @AfterClass
  public static void tearDownAfterClass() throws Exception {
    TEST_UTIL.shutdownMiniCluster();
  }

  @Test
  public void testTokenCreation() throws Exception {
    Token<AuthenticationTokenIdentifier> token =
        secretManager.generateToken("testuser");

    AuthenticationTokenIdentifier ident = new AuthenticationTokenIdentifier();
    Writables.getWritable(token.getIdentifier(), ident);
    assertEquals("Token username should match", "testuser",
        ident.getUsername());
    byte[] passwd = secretManager.retrievePassword(ident);
    assertTrue("Token password and password from secret manager should match",
        Bytes.equals(token.getPassword(), passwd));
  }

  // @Test - Disable due to kerberos requirement
  public void testTokenAuthentication() throws Exception {
    UserGroupInformation testuser =
        UserGroupInformation.createUserForTesting("testuser", new String[]{"testgroup"});

    testuser.setAuthenticationMethod(
        UserGroupInformation.AuthenticationMethod.TOKEN);
    final Configuration conf = TEST_UTIL.getConfiguration();
    conf.set("hadoop.security.authentication", "kerberos");
    conf.set("randomkey", UUID.randomUUID().toString());
    testuser.setConfiguration(conf);
    Token<AuthenticationTokenIdentifier> token =
        secretManager.generateToken("testuser");
    testuser.addToken(token);

    // verify the server authenticates us as this token user
    testuser.doAs(new PrivilegedExceptionAction<Object>() {
      public Object run() throws Exception {
        HTable table = new HTable(conf, ".META.");
        IdentityProtocol prot = table.coprocessorProxy(
            IdentityProtocol.class, HConstants.EMPTY_START_ROW);
        String myname = prot.whoami();
        assertEquals("testuser", myname);
        String authMethod = prot.getAuthMethod();
        assertEquals("TOKEN", authMethod);
        return null;
      }
    });
  }
}