Return-Path: X-Original-To: archive-asf-public-internal@cust-asf2.ponee.io Delivered-To: archive-asf-public-internal@cust-asf2.ponee.io Received: from cust-asf.ponee.io (cust-asf.ponee.io [163.172.22.183]) by cust-asf2.ponee.io (Postfix) with ESMTP id 4CE58200CB3 for ; Mon, 26 Jun 2017 23:09:46 +0200 (CEST) Received: by cust-asf.ponee.io (Postfix) id 4B9F7160BDE; Mon, 26 Jun 2017 21:09:46 +0000 (UTC) Delivered-To: archive-asf-public@cust-asf.ponee.io Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by cust-asf.ponee.io (Postfix) with SMTP id 925B4160BDA for ; Mon, 26 Jun 2017 23:09:45 +0200 (CEST) Received: (qmail 9599 invoked by uid 500); 26 Jun 2017 21:09:44 -0000 Mailing-List: contact dev-help@accumulo.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: dev@accumulo.apache.org Delivered-To: mailing list dev@accumulo.apache.org Received: (qmail 9588 invoked by uid 99); 26 Jun 2017 21:09:44 -0000 Received: from git1-us-west.apache.org (HELO git1-us-west.apache.org) (140.211.11.23) by apache.org (qpsmtpd/0.29) with ESMTP; Mon, 26 Jun 2017 21:09:44 +0000 Received: by git1-us-west.apache.org (ASF Mail Server at git1-us-west.apache.org, from userid 33) id 5417ADFE07; Mon, 26 Jun 2017 21:09:44 +0000 (UTC) From: keith-turner To: dev@accumulo.apache.org Reply-To: dev@accumulo.apache.org References: In-Reply-To: Subject: [GitHub] accumulo pull request #273: ACCUMULO-4665 Use UGI with real Kerberos credent... Content-Type: text/plain Message-Id: <20170626210944.5417ADFE07@git1-us-west.apache.org> Date: Mon, 26 Jun 2017 21:09:44 +0000 (UTC) archived-at: Mon, 26 Jun 2017 21:09:46 -0000 Github user keith-turner commented on a diff in the pull request: https://github.com/apache/accumulo/pull/273#discussion_r124122964 --- Diff: test/src/test/java/org/apache/accumulo/test/functional/KerberosProxyIT.java --- 
@@ -463,6 +477,56 @@ public void testMismatchPrincipals() throws Exception { } } + @Test + public void proxiedUserAccessWithoutAccumuloProxy() throws Exception { + final String tableName = getUniqueNames(1)[0]; + ClusterUser rootUser = kdc.getRootUser(); + final UserGroupInformation rootUgi = UserGroupInformation.loginUserFromKeytabAndReturnUGI(rootUser.getPrincipal(), rootUser.getKeytab().getAbsolutePath()); + final UserGroupInformation realUgi = UserGroupInformation.loginUserFromKeytabAndReturnUGI(proxyPrincipal, proxyKeytab.getAbsolutePath()); + final String userWithoutCredentials = kdc.qualifyUser(PROXIED_USER); + final UserGroupInformation proxyUser = UserGroupInformation.createProxyUser(userWithoutCredentials, realUgi); + + // Create a table and user, grant permission to our user to read that table. + rootUgi.doAs(new PrivilegedExceptionAction() { + @Override + public Void run() throws Exception { + ZooKeeperInstance inst = new ZooKeeperInstance(mac.getClientConfig()); + Connector conn = inst.getConnector(rootUgi.getUserName(), new KerberosToken()); + conn.tableOperations().create(tableName); + conn.securityOperations().createLocalUser(userWithoutCredentials, new PasswordToken("ignored")); + conn.securityOperations().grantTablePermission(userWithoutCredentials, tableName, TablePermission.READ); + return null; + } + }); + realUgi.doAs(new PrivilegedExceptionAction() { + @Override + public Void run() throws Exception { + ZooKeeperInstance inst = new ZooKeeperInstance(mac.getClientConfig()); + Connector conn = inst.getConnector(proxyPrincipal, new KerberosToken()); + try { + Scanner s = conn.createScanner(tableName, Authorizations.EMPTY); + s.iterator().hasNext(); + Assert.fail("Expected to see an exception"); + } catch (RuntimeException e) { + int numSecurityExceptionsSeen = Iterables.size(Iterables.filter(Throwables.getCausalChain(e), + org.apache.accumulo.core.client.AccumuloSecurityException.class)); + assertTrue("Expected to see at least one 
AccumuloSecurityException, but saw: " + Throwables.getStackTraceAsString(e), numSecurityExceptionsSeen > 0); + } + return null; + } + }); + proxyUser.doAs(new PrivilegedExceptionAction() { + @Override + public Void run() throws Exception { + ZooKeeperInstance inst = new ZooKeeperInstance(mac.getClientConfig()); + Connector conn = inst.getConnector(userWithoutCredentials, new KerberosToken(userWithoutCredentials)); + Scanner s = conn.createScanner(tableName, Authorizations.EMPTY); + assertFalse(s.iterator().hasNext()); + return null; --- End diff -- oh right. I assumed this was a Runnable w/o looking closely at the types. But returning null in that case would probably be a compile error. Sorry for the noise. --- If your project is set up for it, you can reply to this email and have your reply appear on GitHub as well. If your project does not have this feature enabled and wishes so, or if the feature is enabled but not working, please contact infrastructure at infrastructure@apache.org or file a JIRA ticket with INFRA. ---
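Review bot: The negative check in the realUgi block accepts any AccumuloSecurityException anywhere in the causal chain, so an authentication failure (a bad keytab or principal mapping) would pass the test just as readily as the authorization denial it is meant to demonstrate; pinning the error code on the filtered exception, e.g. `assertEquals(SecurityErrorCode.PERMISSION_DENIED, ase.getSecurityErrorCode())`, would make the assertion actual evidence that the proxy principal's own credentials do not confer the proxied user's table access — confirm which code this setup produces before pinning it. The discarded `s.iterator().hasNext();` is what forces the scan RPC and deserves a one-line comment such as `// force the scan RPC; the security failure surfaces here, not at createScanner`. The new test method has no Javadoc; a summary stating that it exercises Hadoop UGI proxy-user impersonation directly against Accumulo (root grants READ to a user with no Kerberos credentials, the proxy principal alone is denied, and the proxy user impersonating that user can scan) would explain the three doAs blocks. proxiedUserAccessWithoutAccumuloProxy continues past the end of the quoted hunk, so the close of the final proxyUser block is not visible here.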