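/*
 * Licensed to the Apache Software Foundation (ASF) under one
 * or more contributor license agreements. See the NOTICE file
 * distributed with this work for additional information
 * regarding copyright ownership. The ASF licenses this file
 * to you under the Apache License, Version 2.0 (the
 * "License"); you may not use this file except in compliance
 * with the License. You may obtain a copy of the License at
 *
 * http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
package org.apache.hadoop.hbase.security.token;

import static org.hamcrest.CoreMatchers.containsString;
import static org.hamcrest.CoreMatchers.instanceOf;
import static org.hamcrest.MatcherAssert.assertThat;
import static org.junit.Assert.assertEquals;
import static org.junit.Assert.fail;

import com.google.protobuf.ServiceException;
import java.io.IOException;
import java.util.Arrays;
import java.util.Collection;
import org.apache.hadoop.hbase.HBaseClassTestRule;
import org.apache.hadoop.hbase.HConstants;
import org.apache.hadoop.hbase.TableName;
import org.apache.hadoop.hbase.client.Connection;
import org.apache.hadoop.hbase.client.ConnectionFactory;
import org.apache.hadoop.hbase.client.Table;
import org.apache.hadoop.hbase.ipc.CoprocessorRpcChannel;
import org.apache.hadoop.hbase.ipc.NettyRpcClient;
import org.apache.hadoop.hbase.ipc.RpcClientFactory;
import org.apache.hadoop.hbase.protobuf.ProtobufUtil;
import org.apache.hadoop.hbase.protobuf.generated.AuthenticationProtos;
import org.apache.hadoop.hbase.protobuf.generated.AuthenticationProtos.GetAuthenticationTokenRequest;
import org.apache.hadoop.hbase.protobuf.generated.AuthenticationProtos.WhoAmIRequest;
import org.apache.hadoop.hbase.protobuf.generated.AuthenticationProtos.WhoAmIResponse;
import org.apache.hadoop.hbase.security.AccessDeniedException;
import org.apache.hadoop.hbase.testclassification.MediumTests;
import org.apache.hadoop.hbase.testclassification.SecurityTests;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.security.UserGroupInformation.AuthenticationMethod;
import org.apache.hadoop.security.token.Token;
import org.apache.hadoop.security.token.TokenIdentifier;
import org.junit.Before;
import org.junit.BeforeClass;
import org.junit.ClassRule;
import org.junit.Test;
import org.junit.experimental.categories.Category;
import org.junit.runner.RunWith;
import org.junit.runners.Parameterized;
import org.junit.runners.Parameterized.Parameter;
import org.junit.runners.Parameterized.Parameters;

/**
 * Checks how the AuthenticationService treats a client that authenticates with a previously
 * obtained token: {@code whoAmI} must report the expected user with the {@code TOKEN}
 * authentication method, and a request for a further token must be rejected with
 * {@link AccessDeniedException}.
 */
@RunWith(Parameterized.class)
@Category({ SecurityTests.class, MediumTests.class })
public class TestGenerateDelegationToken extends SecureTestCluster {

  @ClassRule
  public static final HBaseClassTestRule CLASS_RULE =
    HBaseClassTestRule.forClass(TestGenerateDelegationToken.class);

  /**
   * Runs the parent cluster set-up, then obtains an authentication token over a fresh connection
   * and attaches it to the current user. The test method relies on this token being present: it
   * asserts that its own connection is authenticated with the {@code TOKEN} method.
   * @throws Exception if the cluster set-up or the token request fails
   */
  @BeforeClass
  public static void setUp() throws Exception {
    SecureTestCluster.setUp();
    try (Connection conn = ConnectionFactory.createConnection(TEST_UTIL.getConfiguration())) {
      Token<? extends TokenIdentifier> token = ClientTokenUtil.obtainToken(conn);
      UserGroupInformation.getCurrentUser().addToken(token);
    }
  }

  /**
   * Supplies the RPC client implementations to run the test with.
   * @return a single-element collection holding the NettyRpcClient class name
   */
  @Parameters(name = "{index}: rpcClientImpl={0}")
  public static Collection<Object> parameters() {
    // Client connection supports only non-blocking RPCs (due to master registry restriction), hence
    // we only test NettyRpcClient.
    return Arrays.asList(new Object[] { NettyRpcClient.class.getName() });
  }

  /** Fully qualified class name of the RPC client implementation under test. */
  @Parameter
  public String rpcClientImpl;

  /** Points the shared test configuration at the RPC client implementation for this run. */
  @Before
  public void setUpBeforeMethod() {
    TEST_UTIL.getConfiguration().set(RpcClientFactory.CUSTOM_RPC_CLIENT_IMPL_CONF_KEY,
      rpcClientImpl);
  }

  /**
   * Connects with the token added in {@link #setUp()}, confirms the server sees a
   * token-authenticated user, and verifies that this client is refused a new token.
   * @throws Exception if the connection or the {@code whoAmI} call fails
   */
  @Test
  public void test() throws Exception {
    try (Connection conn = ConnectionFactory.createConnection(TEST_UTIL.getConfiguration());
      Table table = conn.getTable(TableName.META_TABLE_NAME)) {
      CoprocessorRpcChannel rpcChannel = table.coprocessorService(HConstants.EMPTY_START_ROW);
      AuthenticationProtos.AuthenticationService.BlockingInterface service =
        AuthenticationProtos.AuthenticationService.newBlockingStub(rpcChannel);

      // Precondition for the negative check below: the session must really be token-authenticated,
      // otherwise the denial assertion would be exercising the wrong code path.
      WhoAmIResponse response = service.whoAmI(null, WhoAmIRequest.getDefaultInstance());
      assertEquals(USERNAME, response.getUsername());
      assertEquals(AuthenticationMethod.TOKEN.name(), response.getAuthMethod());

      try {
        service.getAuthenticationToken(null, GetAuthenticationTokenRequest.getDefaultInstance());
        // Reaching this line means the server issued a token to a token-authenticated client.
        // Without an explicit failure here the test would pass vacuously and a regression in
        // this access check would go unnoticed.
        fail("Token generation must be denied for a token-authenticated client");
      } catch (ServiceException e) {
        IOException ioe = ProtobufUtil.getRemoteException(e);
        assertThat(ioe, instanceOf(AccessDeniedException.class));
        assertThat(ioe.getMessage(),
          containsString("Token generation only allowed for Kerberos authenticated clients"));
      }
    }
  }
}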