Java tutorial
/* * Licensed to the Apache Software Foundation (ASF) under one * or more contributor license agreements. See the NOTICE file * distributed with this work for additional information * regarding copyright ownership. The ASF licenses this file * to you under the Apache License, Version 2.0 (the * "License"); you may not use this file except in compliance * with the License. You may obtain a copy of the License at * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. */ package org.apache.hadoop.registry.secure; import org.apache.commons.io.FileUtils; import org.apache.hadoop.conf.Configuration; import org.apache.hadoop.minikdc.MiniKdc; import org.apache.hadoop.security.UserGroupInformation; import org.apache.hadoop.security.authentication.util.KerberosName; import org.apache.hadoop.service.Service; import org.apache.hadoop.service.ServiceOperations; import org.apache.hadoop.registry.RegistryTestHelper; import org.apache.hadoop.registry.client.impl.zk.RegistrySecurity; import org.apache.hadoop.registry.client.impl.zk.ZookeeperConfigOptions; import org.apache.hadoop.registry.server.services.AddingCompositeService; import org.apache.hadoop.registry.server.services.MicroZookeeperService; import org.apache.hadoop.registry.server.services.MicroZookeeperServiceKeys; import org.apache.hadoop.util.Shell; import org.junit.After; import org.junit.AfterClass; import org.junit.Before; import org.junit.BeforeClass; import org.junit.Rule; import org.junit.rules.TestName; import org.junit.rules.Timeout; import org.slf4j.Logger; import org.slf4j.LoggerFactory; import javax.security.auth.Subject; import javax.security.auth.kerberos.KerberosPrincipal; import javax.security.auth.login.LoginContext; import javax.security.auth.login.LoginException; import java.io.File; import java.io.FileNotFoundException; import java.io.IOException; import java.security.Principal; import java.util.HashSet; import java.util.Properties; import java.util.Set; /** * Add kerberos tests. This is based on the (JUnit3) KerberosSecurityTestcase * and its test case, <code>TestMiniKdc</code> */ public class AbstractSecureRegistryTest extends RegistryTestHelper { public static final String REALM = "EXAMPLE.COM"; public static final String ZOOKEEPER = "zookeeper"; public static final String ZOOKEEPER_LOCALHOST = "zookeeper/localhost"; public static final String ZOOKEEPER_1270001 = "zookeeper/127.0.0.1"; public static final String ZOOKEEPER_REALM = "zookeeper@" + REALM; public static final String ZOOKEEPER_CLIENT_CONTEXT = ZOOKEEPER; public static final String ZOOKEEPER_SERVER_CONTEXT = "ZOOKEEPER_SERVER";; public static final String ZOOKEEPER_LOCALHOST_REALM = ZOOKEEPER_LOCALHOST + "@" + REALM; public static final String ALICE = "alice"; public static final String ALICE_CLIENT_CONTEXT = "alice"; public static final String ALICE_LOCALHOST = "alice/localhost"; public static final String BOB = "bob"; public static final String BOB_CLIENT_CONTEXT = "bob"; public static final String BOB_LOCALHOST = "bob/localhost"; private static final Logger LOG = LoggerFactory.getLogger(AbstractSecureRegistryTest.class); public static final Configuration CONF; static { CONF = new Configuration(); CONF.set("hadoop.security.authentication", "kerberos"); CONF.setBoolean("hadoop.security.authorization", true); } private static final AddingCompositeService classTeardown = new AddingCompositeService("classTeardown"); // static initializer guarantees it is always started // ahead of any @BeforeClass methods static { classTeardown.init(CONF); classTeardown.start(); } public static final String SUN_SECURITY_KRB5_DEBUG = "sun.security.krb5.debug"; private final AddingCompositeService teardown = new AddingCompositeService("teardown"); protected static MiniKdc kdc; protected static File keytab_zk; protected static File keytab_bob; protected static File keytab_alice; protected static File kdcWorkDir; protected static Properties kdcConf; protected static RegistrySecurity registrySecurity; @Rule public final Timeout testTimeout = new Timeout(900000); @Rule public TestName methodName = new TestName(); protected MicroZookeeperService secureZK; protected static File jaasFile; private LoginContext zookeeperLogin; private static String zkServerPrincipal; /** * All class initialization for this test class * @throws Exception */ @BeforeClass public static void beforeSecureRegistryTestClass() throws Exception { registrySecurity = new RegistrySecurity("registrySecurity"); registrySecurity.init(CONF); setupKDCAndPrincipals(); RegistrySecurity.clearJaasSystemProperties(); RegistrySecurity.bindJVMtoJAASFile(jaasFile); initHadoopSecurity(); } @AfterClass public static void afterSecureRegistryTestClass() throws Exception { describe(LOG, "teardown of class"); classTeardown.close(); teardownKDC(); } /** * give our thread a name */ @Before public void nameThread() { Thread.currentThread().setName("JUnit"); } /** * For unknown reasons, the before-class setting of the JVM properties were * not being picked up. This method addresses that by setting them * before every test case */ @Before public void beforeSecureRegistryTest() { } @After public void afterSecureRegistryTest() throws IOException { describe(LOG, "teardown of instance"); teardown.close(); stopSecureZK(); } protected static void addToClassTeardown(Service svc) { classTeardown.addService(svc); } protected void addToTeardown(Service svc) { teardown.addService(svc); } public static void teardownKDC() throws Exception { if (kdc != null) { kdc.stop(); kdc = null; } } /** * Sets up the KDC and a set of principals in the JAAS file * * @throws Exception */ public static void setupKDCAndPrincipals() throws Exception { // set up the KDC File target = new File(System.getProperty("test.dir", "target")); kdcWorkDir = new File(target, "kdc"); kdcWorkDir.mkdirs(); if (!kdcWorkDir.mkdirs()) { assertTrue(kdcWorkDir.isDirectory()); } kdcConf = MiniKdc.createConf(); kdcConf.setProperty(MiniKdc.DEBUG, "true"); kdc = new MiniKdc(kdcConf, kdcWorkDir); kdc.start(); keytab_zk = createKeytab(ZOOKEEPER, "zookeeper.keytab"); keytab_alice = createKeytab(ALICE, "alice.keytab"); keytab_bob = createKeytab(BOB, "bob.keytab"); zkServerPrincipal = Shell.WINDOWS ? ZOOKEEPER_1270001 : ZOOKEEPER_LOCALHOST; StringBuilder jaas = new StringBuilder(1024); jaas.append(registrySecurity.createJAASEntry(ZOOKEEPER_CLIENT_CONTEXT, ZOOKEEPER, keytab_zk)); jaas.append(registrySecurity.createJAASEntry(ZOOKEEPER_SERVER_CONTEXT, zkServerPrincipal, keytab_zk)); jaas.append(registrySecurity.createJAASEntry(ALICE_CLIENT_CONTEXT, ALICE_LOCALHOST, keytab_alice)); jaas.append(registrySecurity.createJAASEntry(BOB_CLIENT_CONTEXT, BOB_LOCALHOST, keytab_bob)); jaasFile = new File(kdcWorkDir, "jaas.txt"); FileUtils.write(jaasFile, jaas.toString()); LOG.info("\n" + jaas); RegistrySecurity.bindJVMtoJAASFile(jaasFile); } // protected static final String kerberosRule = "RULE:[1:$1@$0](.*@EXAMPLE.COM)s/@.*//\nDEFAULT"; /** * Init hadoop security by setting up the UGI config */ public static void initHadoopSecurity() { UserGroupInformation.setConfiguration(CONF); KerberosName.setRules(kerberosRule); } /** * Stop the secure ZK and log out the ZK account */ public synchronized void stopSecureZK() { ServiceOperations.stop(secureZK); secureZK = null; logout(zookeeperLogin); zookeeperLogin = null; } public static MiniKdc getKdc() { return kdc; } public static File getKdcWorkDir() { return kdcWorkDir; } public static Properties getKdcConf() { return kdcConf; } /** * Create a secure instance * @param name instance name * @return the instance * @throws Exception */ protected static MicroZookeeperService createSecureZKInstance(String name) throws Exception { String context = ZOOKEEPER_SERVER_CONTEXT; Configuration conf = new Configuration(); File testdir = new File(System.getProperty("test.dir", "target")); File workDir = new File(testdir, name); if (!workDir.mkdirs()) { assertTrue(workDir.isDirectory()); } System.setProperty(ZookeeperConfigOptions.PROP_ZK_SERVER_MAINTAIN_CONNECTION_DESPITE_SASL_FAILURE, "false"); RegistrySecurity.validateContext(context); conf.set(MicroZookeeperServiceKeys.KEY_REGISTRY_ZKSERVICE_JAAS_CONTEXT, context); MicroZookeeperService secureZK = new MicroZookeeperService(name); secureZK.init(conf); LOG.info(secureZK.getDiagnostics()); return secureZK; } /** * Create the keytabl for the given principal, includes * raw principal and $principal/localhost * @param principal principal short name * @param filename filename of keytab * @return file of keytab * @throws Exception */ public static File createKeytab(String principal, String filename) throws Exception { assertNotEmpty("empty principal", principal); assertNotEmpty("empty host", filename); assertNotNull("Null KDC", kdc); File keytab = new File(kdcWorkDir, filename); kdc.createPrincipal(keytab, principal, principal + "/localhost", principal + "/127.0.0.1"); return keytab; } public static String getPrincipalAndRealm(String principal) { return principal + "@" + getRealm(); } protected static String getRealm() { return kdc.getRealm(); } /** * Log in, defaulting to the client context * @param principal principal * @param context context * @param keytab keytab * @return the logged in context * @throws LoginException failure to log in * @throws FileNotFoundException no keytab */ protected LoginContext login(String principal, String context, File keytab) throws LoginException, FileNotFoundException { LOG.info("Logging in as {} in context {} with keytab {}", principal, context, keytab); if (!keytab.exists()) { throw new FileNotFoundException(keytab.getAbsolutePath()); } Set<Principal> principals = new HashSet<Principal>(); principals.add(new KerberosPrincipal(principal)); Subject subject = new Subject(false, principals, new HashSet<Object>(), new HashSet<Object>()); LoginContext login; login = new LoginContext(context, subject, null, KerberosConfiguration.createClientConfig(principal, keytab)); login.login(); return login; } /** * Start the secure ZK instance using the test method name as the path. * As the entry is saved to the {@link #secureZK} field, it * is automatically stopped after the test case. * @throws Exception on any failure */ protected synchronized void startSecureZK() throws Exception { assertNull("Zookeeper is already running", secureZK); zookeeperLogin = login(zkServerPrincipal, ZOOKEEPER_SERVER_CONTEXT, keytab_zk); secureZK = createSecureZKInstance("test-" + methodName.getMethodName()); secureZK.start(); } }