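/**
 * Licensed to the Apache Software Foundation (ASF) under one
 * or more contributor license agreements.  See the NOTICE file
 * distributed with this work for additional information
 * regarding copyright ownership.  The ASF licenses this file
 * to you under the Apache License, Version 2.0 (the
 * "License"); you may not use this file except in compliance
 * with the License.  You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
package org.apache.hadoop.mapred;

import static org.junit.Assert.assertFalse;
import static org.junit.Assert.assertTrue;

import java.util.HashMap;
import java.util.Map;

import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.mapreduce.JobACL;
import org.apache.hadoop.mapreduce.MRConfig;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.security.authorize.AccessControlList;
import org.junit.Test;

/**
 * Tests the access decisions made by {@link JobACLsManager}.
 *
 * <p>Each test builds a {@link Configuration}, constructs the per-job ACL map
 * with {@code constructJobACLs}, and then asks {@code checkAccess} whether a
 * test caller may perform {@link JobACL#VIEW_JOB} or
 * {@link JobACL#MODIFY_JOB}. Both grants and denials are asserted, so that a
 * change which makes the check more permissive fails here.
 */
public class TestJobAclsManager {

  /**
   * A user named in {@code MRConfig.MR_ADMINS} may view and modify a job even
   * though the job ACLs list only the job owner.
   */
  @Test
  public void testClusterAdmins() {
    Configuration conf = new Configuration();
    String jobOwner = "testuser";
    conf.set(JobACL.VIEW_JOB.getAclName(), jobOwner);
    conf.set(JobACL.MODIFY_JOB.getAclName(), jobOwner);
    conf.setBoolean(MRConfig.MR_ACLS_ENABLED, true);
    String clusterAdmin = "testuser2";
    conf.set(MRConfig.MR_ADMINS, clusterAdmin);

    JobACLsManager aclsManager = new JobACLsManager(conf);
    final Map<JobACL, AccessControlList> jobACLs =
        aclsManager.constructJobACLs(conf);

    UserGroupInformation callerUGI = UserGroupInformation.createUserForTesting(
        clusterAdmin, new String[] {});

    // cluster admin should have access
    boolean val = aclsManager.checkAccess(callerUGI, JobACL.VIEW_JOB, jobOwner,
        jobACLs.get(JobACL.VIEW_JOB));
    assertTrue("cluster admin should have view access", val);
    val = aclsManager.checkAccess(callerUGI, JobACL.MODIFY_JOB, jobOwner,
        jobACLs.get(JobACL.MODIFY_JOB));
    assertTrue("cluster admin should have modify access", val);
  }

  /**
   * With ACLs enabled and no cluster admins configured, an unrelated user is
   * denied while the job owner is still granted view and modify access.
   */
  @Test
  public void testClusterNoAdmins() {
    Configuration conf = new Configuration();
    String jobOwner = "testuser";
    // VIEW_JOB is set to the empty string and MODIFY_JOB is left unset; the
    // assertions below expect both to deny everyone except the owner.
    conf.set(JobACL.VIEW_JOB.getAclName(), "");
    conf.setBoolean(MRConfig.MR_ACLS_ENABLED, true);
    String noAdminUser = "testuser2";

    JobACLsManager aclsManager = new JobACLsManager(conf);
    final Map<JobACL, AccessControlList> jobACLs =
        aclsManager.constructJobACLs(conf);

    UserGroupInformation callerUGI = UserGroupInformation.createUserForTesting(
        noAdminUser, new String[] {});

    // random user should not have access
    boolean val = aclsManager.checkAccess(callerUGI, JobACL.VIEW_JOB, jobOwner,
        jobACLs.get(JobACL.VIEW_JOB));
    assertFalse("random user should not have view access", val);
    val = aclsManager.checkAccess(callerUGI, JobACL.MODIFY_JOB, jobOwner,
        jobACLs.get(JobACL.MODIFY_JOB));
    assertFalse("random user should not have modify access", val);

    callerUGI = UserGroupInformation.createUserForTesting(jobOwner,
        new String[] {});

    // Owner should have access
    val = aclsManager.checkAccess(callerUGI, JobACL.VIEW_JOB, jobOwner,
        jobACLs.get(JobACL.VIEW_JOB));
    assertTrue("owner should have view access", val);
    val = aclsManager.checkAccess(callerUGI, JobACL.MODIFY_JOB, jobOwner,
        jobACLs.get(JobACL.MODIFY_JOB));
    assertTrue("owner should have modify access", val);
  }

  /**
   * With {@code MRConfig.MR_ACLS_ENABLED} set to false, a caller who is
   * neither the owner nor an admin is still granted access.
   *
   * <p>This pins the fail-open behaviour of the switch: the configured job
   * ACLs protect nothing unless ACL enforcement is turned on.
   */
  @Test
  public void testAclsOff() {
    Configuration conf = new Configuration();
    String jobOwner = "testuser";
    conf.set(JobACL.VIEW_JOB.getAclName(), jobOwner);
    conf.setBoolean(MRConfig.MR_ACLS_ENABLED, false);
    String noAdminUser = "testuser2";

    JobACLsManager aclsManager = new JobACLsManager(conf);
    final Map<JobACL, AccessControlList> jobACLs =
        aclsManager.constructJobACLs(conf);

    UserGroupInformation callerUGI = UserGroupInformation.createUserForTesting(
        noAdminUser, new String[] {});

    // acls off so anyone should have access
    boolean val = aclsManager.checkAccess(callerUGI, JobACL.VIEW_JOB, jobOwner,
        jobACLs.get(JobACL.VIEW_JOB));
    assertTrue("acls off so anyone should have access", val);
    // NOTE(review): the modify check is expected to behave like the view check
    // when enforcement is off -- confirm against JobACLsManager.checkAccess.
    val = aclsManager.checkAccess(callerUGI, JobACL.MODIFY_JOB, jobOwner,
        jobACLs.get(JobACL.MODIFY_JOB));
    assertTrue("acls off so anyone should have modify access", val);
  }

  /**
   * Membership in a group named in {@code MRConfig.MR_ADMINS} grants access,
   * and a caller outside that group is denied.
   */
  @Test
  public void testGroups() {
    Configuration conf = new Configuration();
    String jobOwner = "testuser";
    conf.set(JobACL.VIEW_JOB.getAclName(), jobOwner);
    conf.setBoolean(MRConfig.MR_ACLS_ENABLED, true);
    String user = "testuser2";
    String adminGroup = "adminGroup";
    // The leading space leaves the user part of the admin ACL empty, so only
    // the group is listed.
    conf.set(MRConfig.MR_ADMINS, " " + adminGroup);

    JobACLsManager aclsManager = new JobACLsManager(conf);
    final Map<JobACL, AccessControlList> jobACLs =
        aclsManager.constructJobACLs(conf);

    UserGroupInformation callerUGI = UserGroupInformation.createUserForTesting(
        user, new String[] {adminGroup});

    // user in admin group should have access
    boolean val = aclsManager.checkAccess(callerUGI, JobACL.VIEW_JOB, jobOwner,
        jobACLs.get(JobACL.VIEW_JOB));
    assertTrue("user in admin group should have access", val);

    // Negative case, so that an admin check which accepts every caller cannot
    // pass this test. "testuser3" and "otherGroup" are values constructed for
    // this test.
    // NOTE(review): the expected denial assumes checkAccess grants only to
    // admins, the job owner and ACL members -- confirm against JobACLsManager.
    UserGroupInformation outsiderUGI =
        UserGroupInformation.createUserForTesting(
            "testuser3", new String[] {"otherGroup"});
    val = aclsManager.checkAccess(outsiderUGI, JobACL.VIEW_JOB, jobOwner,
        jobACLs.get(JobACL.VIEW_JOB));
    assertFalse("user outside admin group should not have access", val);
  }
}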