001/*
002 * Licensed to the Apache Software Foundation (ASF) under one
003 * or more contributor license agreements.  See the NOTICE file
004 * distributed with this work for additional information
005 * regarding copyright ownership.  The ASF licenses this file
006 * to you under the Apache License, Version 2.0 (the
007 * "License"); you may not use this file except in compliance
008 * with the License.  You may obtain a copy of the License at
009 *
010 *     http://www.apache.org/licenses/LICENSE-2.0
011 *
012 * Unless required by applicable law or agreed to in writing, software
013 * distributed under the License is distributed on an "AS IS" BASIS,
014 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
015 * See the License for the specific language governing permissions and
016 * limitations under the License.
017 */
018package org.apache.hadoop.hbase.security.token;
019
020import static org.hamcrest.CoreMatchers.containsString;
021import static org.hamcrest.CoreMatchers.instanceOf;
022import static org.hamcrest.MatcherAssert.assertThat;
023import static org.junit.Assert.assertEquals;
024
025import java.io.IOException;
026import java.util.Arrays;
027import java.util.Collection;
028import org.apache.hadoop.hbase.HBaseClassTestRule;
029import org.apache.hadoop.hbase.HConstants;
030import org.apache.hadoop.hbase.TableName;
031import org.apache.hadoop.hbase.client.Connection;
032import org.apache.hadoop.hbase.client.ConnectionFactory;
033import org.apache.hadoop.hbase.client.Table;
034import org.apache.hadoop.hbase.ipc.CoprocessorRpcChannel;
035import org.apache.hadoop.hbase.ipc.NettyRpcClient;
036import org.apache.hadoop.hbase.ipc.RpcClientFactory;
037import org.apache.hadoop.hbase.security.AccessDeniedException;
038import org.apache.hadoop.hbase.testclassification.MediumTests;
039import org.apache.hadoop.hbase.testclassification.SecurityTests;
040import org.apache.hadoop.security.UserGroupInformation;
041import org.apache.hadoop.security.UserGroupInformation.AuthenticationMethod;
042import org.apache.hadoop.security.token.Token;
043import org.apache.hadoop.security.token.TokenIdentifier;
044import org.junit.Before;
045import org.junit.BeforeClass;
046import org.junit.ClassRule;
047import org.junit.Test;
048import org.junit.experimental.categories.Category;
049import org.junit.runner.RunWith;
050import org.junit.runners.Parameterized;
051import org.junit.runners.Parameterized.Parameter;
052import org.junit.runners.Parameterized.Parameters;
053
054import org.apache.hbase.thirdparty.com.google.protobuf.ServiceException;
055
056import org.apache.hadoop.hbase.shaded.protobuf.ProtobufUtil;
057import org.apache.hadoop.hbase.shaded.protobuf.generated.AuthenticationProtos;
058import org.apache.hadoop.hbase.shaded.protobuf.generated.AuthenticationProtos.GetAuthenticationTokenRequest;
059import org.apache.hadoop.hbase.shaded.protobuf.generated.AuthenticationProtos.WhoAmIRequest;
060import org.apache.hadoop.hbase.shaded.protobuf.generated.AuthenticationProtos.WhoAmIResponse;
061
062@RunWith(Parameterized.class)
063@Category({ SecurityTests.class, MediumTests.class })
064public class TestGenerateDelegationToken extends SecureTestCluster {
065
066  @ClassRule
067  public static final HBaseClassTestRule CLASS_RULE =
068    HBaseClassTestRule.forClass(TestGenerateDelegationToken.class);
069
070  @BeforeClass
071  public static void setUp() throws Exception {
072    SecureTestCluster.setUp();
073    try (Connection conn = ConnectionFactory.createConnection(TEST_UTIL.getConfiguration())) {
074      Token<? extends TokenIdentifier> token = ClientTokenUtil.obtainToken(conn);
075      UserGroupInformation.getCurrentUser().addToken(token);
076    }
077  }
078
079  @Parameters(name = "{index}: rpcClientImpl={0}")
080  public static Collection<Object> parameters() {
081    // Client connection supports only non-blocking RPCs (due to master registry restriction), hence
082    // we only test NettyRpcClient.
083    return Arrays.asList(new Object[] { NettyRpcClient.class.getName() });
084  }
085
086  @Parameter
087  public String rpcClientImpl;
088
089  @Before
090  public void setUpBeforeMethod() {
091    TEST_UTIL.getConfiguration().set(RpcClientFactory.CUSTOM_RPC_CLIENT_IMPL_CONF_KEY,
092      rpcClientImpl);
093  }
094
095  @Test
096  public void test() throws Exception {
097    try (Connection conn = ConnectionFactory.createConnection(TEST_UTIL.getConfiguration());
098      Table table = conn.getTable(TableName.META_TABLE_NAME)) {
099      CoprocessorRpcChannel rpcChannel = table.coprocessorService(HConstants.EMPTY_START_ROW);
100      AuthenticationProtos.AuthenticationService.BlockingInterface service =
101        AuthenticationProtos.AuthenticationService.newBlockingStub(rpcChannel);
102      WhoAmIResponse response = service.whoAmI(null, WhoAmIRequest.getDefaultInstance());
103      assertEquals(USERNAME, response.getUsername());
104      assertEquals(AuthenticationMethod.TOKEN.name(), response.getAuthMethod());
105      try {
106        service.getAuthenticationToken(null, GetAuthenticationTokenRequest.getDefaultInstance());
107      } catch (ServiceException e) {
108        IOException ioe = ProtobufUtil.getRemoteException(e);
109        assertThat(ioe, instanceOf(AccessDeniedException.class));
110        assertThat(ioe.getMessage(),
111          containsString("Token generation only allowed for Kerberos authenticated clients"));
112      }
113    }
114  }
115}