Return-Path: Delivered-To: apmail-hadoop-common-commits-archive@www.apache.org Received: (qmail 84128 invoked from network); 4 Mar 2011 04:22:44 -0000 Received: from hermes.apache.org (HELO mail.apache.org) (140.211.11.3) by minotaur.apache.org with SMTP; 4 Mar 2011 04:22:44 -0000 Received: (qmail 85279 invoked by uid 500); 4 Mar 2011 04:22:44 -0000 Delivered-To: apmail-hadoop-common-commits-archive@hadoop.apache.org Received: (qmail 85228 invoked by uid 500); 4 Mar 2011 04:22:43 -0000 Mailing-List: contact common-commits-help@hadoop.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: common-dev@hadoop.apache.org Delivered-To: mailing list common-commits@hadoop.apache.org Received: (qmail 85206 invoked by uid 99); 4 Mar 2011 04:22:43 -0000 Received: from athena.apache.org (HELO athena.apache.org) (140.211.11.136) by apache.org (qpsmtpd/0.29) with ESMTP; Fri, 04 Mar 2011 04:22:43 +0000 X-ASF-Spam-Status: No, hits=-2000.0 required=5.0 tests=ALL_TRUSTED X-Spam-Check-By: apache.org Received: from [140.211.11.4] (HELO eris.apache.org) (140.211.11.4) by apache.org (qpsmtpd/0.29) with ESMTP; Fri, 04 Mar 2011 04:22:41 +0000 Received: by eris.apache.org (Postfix, from userid 65534) id 1B5EA2388C18; Fri, 4 Mar 2011 04:22:21 +0000 (UTC) Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Subject: svn commit: r1077511 - in /hadoop/common/branches/branch-0.20-security-patches/src: core/org/apache/hadoop/security/ core/org/apache/hadoop/security/authorize/ hdfs/org/apache/hadoop/hdfs/server/namenode/ hdfs/org/apache/hadoop/hdfs/tools/ mapred/org/a... Date: Fri, 04 Mar 2011 04:22:20 -0000 To: common-commits@hadoop.apache.org 
From: omalley@apache.org X-Mailer: svnmailer-1.0.8 Message-Id: <20110304042221.1B5EA2388C18@eris.apache.org> Author: omalley Date: Fri Mar 4 04:22:20 2011 New Revision: 1077511 URL: http://svn.apache.org/viewvc?rev=1077511&view=rev Log: commit d3042af8bdc76770c30715c16d4408960714a884 Author: Boris Shkolnik Date: Wed Jun 23 11:23:09 2010 -0700 HADOOP:6815 from https://issues.apache.org/jira/secure/attachment/12447718/HADOOP-6815-YH20-1.patch 
+++ b/YAHOO-CHANGES.txt + HADOOP-6815. refreshSuperUserGroupsConfiguration should use + server side configuration for the refresh( boryas) Modified: hadoop/common/branches/branch-0.20-security-patches/src/core/org/apache/hadoop/security/Groups.java hadoop/common/branches/branch-0.20-security-patches/src/core/org/apache/hadoop/security/RefreshUserMappingsProtocol.java hadoop/common/branches/branch-0.20-security-patches/src/core/org/apache/hadoop/security/authorize/ProxyUsers.java hadoop/common/branches/branch-0.20-security-patches/src/hdfs/org/apache/hadoop/hdfs/server/namenode/NameNode.java hadoop/common/branches/branch-0.20-security-patches/src/hdfs/org/apache/hadoop/hdfs/tools/DFSAdmin.java hadoop/common/branches/branch-0.20-security-patches/src/mapred/org/apache/hadoop/mapred/JobTracker.java hadoop/common/branches/branch-0.20-security-patches/src/mapred/org/apache/hadoop/mapred/tools/MRAdmin.java hadoop/common/branches/branch-0.20-security-patches/src/test/org/apache/hadoop/hdfs/security/TestDelegationTokenForProxyUser.java hadoop/common/branches/branch-0.20-security-patches/src/test/org/apache/hadoop/hdfs/server/namenode/NNThroughputBenchmark.java hadoop/common/branches/branch-0.20-security-patches/src/test/org/apache/hadoop/security/TestDoAsEffectiveUser.java hadoop/common/branches/branch-0.20-security-patches/src/test/org/apache/hadoop/security/TestMapredGroupMappingServiceRefresh.java hadoop/common/branches/branch-0.20-security-patches/src/test/org/apache/hadoop/security/TestRefreshUserMappings.java Modified: hadoop/common/branches/branch-0.20-security-patches/src/core/org/apache/hadoop/security/Groups.java URL: http://svn.apache.org/viewvc/hadoop/common/branches/branch-0.20-security-patches/src/core/org/apache/hadoop/security/Groups.java?rev=1077511&r1=1077510&r2=1077511&view=diff ============================================================================== --- 
hadoop/common/branches/branch-0.20-security-patches/src/core/org/apache/hadoop/security/Groups.java (original) +++ hadoop/common/branches/branch-0.20-security-patches/src/core/org/apache/hadoop/security/Groups.java Fri Mar 4 04:22:20 2011 @@ -114,6 +114,10 @@ public class Groups { * Get the groups being used to map user-to-groups. * @return the groups being used to map user-to-groups. */ + public static Groups getUserToGroupsMappingService() { + return getUserToGroupsMappingService(new Configuration()); + } + public static Groups getUserToGroupsMappingService(Configuration conf) { if(GROUPS == null) { LOG.debug(" Creating new Groups object"); Modified: hadoop/common/branches/branch-0.20-security-patches/src/core/org/apache/hadoop/security/RefreshUserMappingsProtocol.java URL: http://svn.apache.org/viewvc/hadoop/common/branches/branch-0.20-security-patches/src/core/org/apache/hadoop/security/RefreshUserMappingsProtocol.java?rev=1077511&r1=1077510&r2=1077511&view=diff ============================================================================== --- hadoop/common/branches/branch-0.20-security-patches/src/core/org/apache/hadoop/security/RefreshUserMappingsProtocol.java (original) +++ hadoop/common/branches/branch-0.20-security-patches/src/core/org/apache/hadoop/security/RefreshUserMappingsProtocol.java Fri Mar 4 04:22:20 2011 
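Review bot: The new no-argument `getUserToGroupsMappingService()` builds a fresh `new Configuration()` on every call, but the overload it delegates to appears to read its argument only inside `if(GROUPS == null)`, so once the singleton exists the configuration is discarded. The existing Javadoc block now attaches to the new overload and leaves the `Configuration` overload undocumented. I would give each overload its own Javadoc and state the caching explicitly, e.g. `// conf is consulted only when the singleton is first created; later calls return the cached Groups`. The body of the `Configuration` overload continues outside this hunk, so the caching behaviour should be confirmed there.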
@@ -41,13 +41,12 @@ public interface RefreshUserMappingsProt * @param conf * @throws IOException */ - public void refreshUserToGroupsMappings(Configuration conf) throws IOException; + public void refreshUserToGroupsMappings() throws IOException; /** * Refresh superuser proxy group list - * @param conf * @throws IOException */ - public void refreshSuperUserGroupsConfiguration(Configuration conf) + public void refreshSuperUserGroupsConfiguration() throws IOException; } Modified: hadoop/common/branches/branch-0.20-security-patches/src/core/org/apache/hadoop/security/authorize/ProxyUsers.java URL: http://svn.apache.org/viewvc/hadoop/common/branches/branch-0.20-security-patches/src/core/org/apache/hadoop/security/authorize/ProxyUsers.java?rev=1077511&r1=1077510&r2=1077511&view=diff ============================================================================== --- hadoop/common/branches/branch-0.20-security-patches/src/core/org/apache/hadoop/security/authorize/ProxyUsers.java (original) +++ hadoop/common/branches/branch-0.20-security-patches/src/core/org/apache/hadoop/security/authorize/ProxyUsers.java Fri Mar 4 04:22:20 2011 @@ -34,7 +34,7 @@ public class ProxyUsers { public static final String CONF_GROUPS = ".groups"; public static final String CONF_HADOOP_PROXYUSER = "hadoop.proxyuser."; public static final String CONF_HADOOP_PROXYUSER_RE = "hadoop\\.proxyuser\\."; - private static Configuration conf=null; + private static boolean init = false; // list of groups and hosts per proxyuser private static Map> proxyGroups = new HashMap>(); 
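Review bot: The Javadoc above `refreshUserToGroupsMappings()` still carries `@param conf` (the context line just before the changed signature) although the parameter is gone; the tag was dropped for `refreshSuperUserGroupsConfiguration()` but missed here. The comment is also the place to record the security-relevant contract, e.g. `* Refresh user-to-groups mappings using the server's own configuration; nothing is accepted from the caller.` Removing the argument changes both RPC method signatures, so if the interface declares a protocol version constant outside this hunk, bumping it in the same change would make a mismatch with older admin clients explicit instead of a failed method lookup.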
@@ -44,13 +44,20 @@ public class ProxyUsers { /** * reread the conf and get new values for "hadoop.proxyuser.*.groups/hosts" */ - public static synchronized void refreshSuperUserGroupsConfiguration(Configuration cn) { - conf = cn; - + public static void refreshSuperUserGroupsConfiguration() { + //load server side configuration; + refreshSuperUserGroupsConfiguration(new Configuration()); + } + + /** + * refresh configuration + * @param conf + */ + public static synchronized void refreshSuperUserGroupsConfiguration(Configuration conf) { // remove alle existing stuff proxyGroups.clear(); proxyHosts.clear(); - + // get all the new keys for groups String regex = CONF_HADOOP_PROXYUSER_RE+"[^.]*\\"+CONF_GROUPS; Map allMatchKeys = conf.getValByRegex(regex); @@ -66,6 +73,8 @@ public class ProxyUsers { proxyHosts.put(entry.getKey(), StringUtils.getStringCollection(entry.getValue())); } + + init = true; } /** @@ -99,8 +108,8 @@ public class ProxyUsers { public static synchronized void authorize(UserGroupInformation user, String remoteAddress, Configuration newConf) throws AuthorizationException { - if(conf == null) { - refreshSuperUserGroupsConfiguration(newConf); + if(!init) { + refreshSuperUserGroupsConfiguration(); } if (user.getRealUser() == null) { @@ -113,7 +122,7 @@ public class ProxyUsers { Collection allowedUserGroups = proxyGroups.get( getProxySuperuserGroupConfKey(superUser.getShortUserName())); - if (!allowedUserGroups.isEmpty()) { + if (allowedUserGroups != null && !allowedUserGroups.isEmpty()) { for (String group : user.getGroupNames()) { if (allowedUserGroups.contains(group)) { groupAuthorized = true; 
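Review bot: The `Configuration`-taking overload of `refreshSuperUserGroupsConfiguration` stays `public static`, so any in-process caller can still replace the whole proxy-user table with settings of its choosing, and its new Javadoc (`refresh configuration` / `@param conf`) does not say when that is acceptable. I would document it as the start-up and test entry point, for example `@param conf trusted, server-side configuration; never a Configuration received from a client`, and say in the no-argument overload's comment that `new Configuration()` reads only the default resources visible to the server process. While touching the comment, `remove alle existing stuff` has a typo.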
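Review bot: `authorize` still accepts `Configuration newConf`, but nothing in the visible lines of the @@ -99,8 +108,8 hunk reads it any more: the lazy path now calls the no-argument refresh. A caller that passes its own configuration is silently authorised against the server defaults, which is the intended hardening but cannot be seen from the signature. I would add `@param newConf ignored; proxy-user settings always come from the server-side configuration` to the Javadoc, or deprecate the parameter. Because the first authorization decision otherwise depends on whichever default resources are loadable at that moment, servers are better off calling the refresh explicitly at start-up than relying on the `if(!init)` path; the rest of `authorize` lies outside this hunk.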
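Review bot: With the added `allowedUserGroups != null` guard in the @@ -113,7 +122,7 hunk, a superuser with no entry in `proxyGroups` now skips the loop instead of raising a NullPointerException, so the decision rests entirely on how `groupAuthorized` is tested after the loop, which is outside this hunk. That path should be confirmed to deny, and the intent recorded next to the guard, e.g. `// no groups configured for this superuser: groupAuthorized stays false and the request is refused`. A test that calls `authorize` for a superuser with no configured keys and expects `AuthorizationException` would pin this down. The same applies to the `ipList != null` guard in the @@ -130,7 +139,7 hunk.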
@@ -130,7 +139,7 @@ public class ProxyUsers { Collection ipList = proxyHosts.get( getProxySuperuserIpConfKey(superUser.getShortUserName())); - if (!ipList.isEmpty()) { + if (ipList != null && !ipList.isEmpty()) { for (String allowedHost : ipList) { InetAddress hostAddr; try { Modified: hadoop/common/branches/branch-0.20-security-patches/src/hdfs/org/apache/hadoop/hdfs/server/namenode/NameNode.java URL: http://svn.apache.org/viewvc/hadoop/common/branches/branch-0.20-security-patches/src/hdfs/org/apache/hadoop/hdfs/server/namenode/NameNode.java?rev=1077511&r1=1077510&r2=1077511&view=diff ============================================================================== --- hadoop/common/branches/branch-0.20-security-patches/src/hdfs/org/apache/hadoop/hdfs/server/namenode/NameNode.java (original) +++ hadoop/common/branches/branch-0.20-security-patches/src/hdfs/org/apache/hadoop/hdfs/server/namenode/NameNode.java Fri Mar 4 04:22:20 2011 
@@ -1017,17 +1017,17 @@ public class NameNode implements ClientP } @Override - public void refreshUserToGroupsMappings(Configuration conf) throws IOException { + public void refreshUserToGroupsMappings() throws IOException { LOG.info("Refreshing all user-to-groups mappings. Requested by user: " + UserGroupInformation.getCurrentUser().getShortUserName()); - Groups.getUserToGroupsMappingService(conf).refresh(); + Groups.getUserToGroupsMappingService().refresh(); } @Override - public void refreshSuperUserGroupsConfiguration(Configuration conf) { + public void refreshSuperUserGroupsConfiguration() { LOG.info("Refreshing SuperUser proxy group mapping list "); - ProxyUsers.refreshSuperUserGroupsConfiguration(conf); + ProxyUsers.refreshSuperUserGroupsConfiguration(); } private static void printUsage() { Modified: hadoop/common/branches/branch-0.20-security-patches/src/hdfs/org/apache/hadoop/hdfs/tools/DFSAdmin.java URL: http://svn.apache.org/viewvc/hadoop/common/branches/branch-0.20-security-patches/src/hdfs/org/apache/hadoop/hdfs/tools/DFSAdmin.java?rev=1077511&r1=1077510&r2=1077511&view=diff ============================================================================== --- hadoop/common/branches/branch-0.20-security-patches/src/hdfs/org/apache/hadoop/hdfs/tools/DFSAdmin.java (original) +++ hadoop/common/branches/branch-0.20-security-patches/src/hdfs/org/apache/hadoop/hdfs/tools/DFSAdmin.java Fri Mar 4 04:22:20 2011 @@ -681,7 +681,7 @@ public class DFSAdmin extends FsShell { RefreshUserMappingsProtocol.class)); // Refresh the user-to-groups mappings - refreshProtocol.refreshUserToGroupsMappings(conf); + refreshProtocol.refreshUserToGroupsMappings(); return 0; } 
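Review bot: `refreshSuperUserGroupsConfiguration()` logs only `Refreshing SuperUser proxy group mapping list ` with no requester, while `refreshUserToGroupsMappings()` in the same hunk records `Requested by user:`; a reload of who may impersonate whom deserves at least the same audit trail. The line could read `LOG.info("Refreshing SuperUser proxy group mapping list. Requested by user: " + UserGroupInformation.getCurrentUser().getShortUserName());`, which means the override needs `throws IOException`, as the interface method already declares. Neither handler shows a caller check in the visible lines, so it is worth confirming that access to this protocol is restricted to administrators elsewhere. The JobTracker overrides in the @@ -4802,18 +4802,18 hunk have the same logging gap.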
@@ -711,7 +711,7 @@ public class DFSAdmin extends FsShell { RefreshUserMappingsProtocol.class)); // Refresh the user-to-groups mappings - refreshProtocol.refreshSuperUserGroupsConfiguration(conf); + refreshProtocol.refreshSuperUserGroupsConfiguration(); return 0; } Modified: hadoop/common/branches/branch-0.20-security-patches/src/mapred/org/apache/hadoop/mapred/JobTracker.java URL: http://svn.apache.org/viewvc/hadoop/common/branches/branch-0.20-security-patches/src/mapred/org/apache/hadoop/mapred/JobTracker.java?rev=1077511&r1=1077510&r2=1077511&view=diff ============================================================================== --- hadoop/common/branches/branch-0.20-security-patches/src/mapred/org/apache/hadoop/mapred/JobTracker.java (original) +++ hadoop/common/branches/branch-0.20-security-patches/src/mapred/org/apache/hadoop/mapred/JobTracker.java Fri Mar 4 04:22:20 2011 
@@ -4802,18 +4802,18 @@ public class JobTracker implements MRCon } @Override - public void refreshSuperUserGroupsConfiguration(Configuration conf) { + public void refreshSuperUserGroupsConfiguration() { LOG.info("Refreshing superuser proxy groups mapping "); - ProxyUsers.refreshSuperUserGroupsConfiguration(conf); + ProxyUsers.refreshSuperUserGroupsConfiguration(); } @Override - public void refreshUserToGroupsMappings(Configuration conf) throws IOException { + public void refreshUserToGroupsMappings() throws IOException { LOG.info("Refreshing all user-to-groups mappings. Requested by user: " + UserGroupInformation.getCurrentUser().getShortUserName()); - Groups.getUserToGroupsMappingService(conf).refresh(); + Groups.getUserToGroupsMappingService().refresh(); } private boolean perTaskMemoryConfigurationSetOnJT() { Modified: hadoop/common/branches/branch-0.20-security-patches/src/mapred/org/apache/hadoop/mapred/tools/MRAdmin.java URL: http://svn.apache.org/viewvc/hadoop/common/branches/branch-0.20-security-patches/src/mapred/org/apache/hadoop/mapred/tools/MRAdmin.java?rev=1077511&r1=1077510&r2=1077511&view=diff ============================================================================== --- hadoop/common/branches/branch-0.20-security-patches/src/mapred/org/apache/hadoop/mapred/tools/MRAdmin.java (original) +++ hadoop/common/branches/branch-0.20-security-patches/src/mapred/org/apache/hadoop/mapred/tools/MRAdmin.java Fri Mar 4 04:22:20 2011 @@ -236,7 +236,7 @@ public class MRAdmin extends Configured RefreshUserMappingsProtocol.class)); // Refresh the user-to-groups mappings - refreshProtocol.refreshSuperUserGroupsConfiguration(conf); + refreshProtocol.refreshSuperUserGroupsConfiguration(); return 0; } 
@@ -269,7 +269,7 @@ public class MRAdmin extends Configured RefreshUserMappingsProtocol.class)); // Refresh the user-to-groups mappings - refreshProtocol.refreshUserToGroupsMappings(conf); + refreshProtocol.refreshUserToGroupsMappings(); return 0; } Modified: hadoop/common/branches/branch-0.20-security-patches/src/test/org/apache/hadoop/hdfs/security/TestDelegationTokenForProxyUser.java URL: http://svn.apache.org/viewvc/hadoop/common/branches/branch-0.20-security-patches/src/test/org/apache/hadoop/hdfs/security/TestDelegationTokenForProxyUser.java?rev=1077511&r1=1077510&r2=1077511&view=diff ============================================================================== --- hadoop/common/branches/branch-0.20-security-patches/src/test/org/apache/hadoop/hdfs/security/TestDelegationTokenForProxyUser.java (original) +++ hadoop/common/branches/branch-0.20-security-patches/src/test/org/apache/hadoop/hdfs/security/TestDelegationTokenForProxyUser.java Fri Mar 4 04:22:20 2011 @@ -99,6 +99,7 @@ public class TestDelegationTokenForProxy null, null); cluster.waitActive(); cluster.getNameNode().getNamesystem().getDelegationTokenSecretManager().startThreads(); + ProxyUsers.refreshSuperUserGroupsConfiguration(config); } @After Modified: hadoop/common/branches/branch-0.20-security-patches/src/test/org/apache/hadoop/hdfs/server/namenode/NNThroughputBenchmark.java URL: http://svn.apache.org/viewvc/hadoop/common/branches/branch-0.20-security-patches/src/test/org/apache/hadoop/hdfs/server/namenode/NNThroughputBenchmark.java?rev=1077511&r1=1077510&r2=1077511&view=diff ============================================================================== --- hadoop/common/branches/branch-0.20-security-patches/src/test/org/apache/hadoop/hdfs/server/namenode/NNThroughputBenchmark.java (original) +++ hadoop/common/branches/branch-0.20-security-patches/src/test/org/apache/hadoop/hdfs/server/namenode/NNThroughputBenchmark.java Fri Mar 4 04:22:20 2011 
@@ -388,7 +388,7 @@ public class NNThroughputBenchmark { void benchmarkOne() throws IOException { for(int idx = 0; idx < opsPerThread; idx++) { if((localNumOpsExecuted+1) % statsOp.ugcRefreshCount == 0) - nameNode.refreshUserToGroupsMappings(config); + nameNode.refreshUserToGroupsMappings(); long stat = statsOp.executeOp(daemonId, idx, arg1); localNumOpsExecuted++; localCumulativeTime += stat; Modified: hadoop/common/branches/branch-0.20-security-patches/src/test/org/apache/hadoop/security/TestDoAsEffectiveUser.java URL: http://svn.apache.org/viewvc/hadoop/common/branches/branch-0.20-security-patches/src/test/org/apache/hadoop/security/TestDoAsEffectiveUser.java?rev=1077511&r1=1077510&r2=1077511&view=diff ============================================================================== --- hadoop/common/branches/branch-0.20-security-patches/src/test/org/apache/hadoop/security/TestDoAsEffectiveUser.java (original) +++ hadoop/common/branches/branch-0.20-security-patches/src/test/org/apache/hadoop/security/TestDoAsEffectiveUser.java Fri Mar 4 04:22:20 2011 @@ -148,6 +148,8 @@ public class TestDoAsEffectiveUser { Server server = RPC.getServer(new TestImpl(), ADDRESS, 0, 5, true, conf, null); + refreshConf(conf); + try { server.start(); @@ -188,6 +190,8 @@ public class TestDoAsEffectiveUser { Server server = RPC.getServer(new TestImpl(), ADDRESS, 0, 2, false, conf, null); + refreshConf(conf); + try { server.start(); @@ -274,6 +278,8 @@ public class TestDoAsEffectiveUser { Server server = RPC.getServer(new TestImpl(), ADDRESS, 0, 2, false, conf, null); + refreshConf(conf); + try { server.start(); @@ -312,6 +318,8 @@ public class TestDoAsEffectiveUser { Server server = RPC.getServer(new TestImpl(), ADDRESS, 0, 2, false, conf, null); + refreshConf(conf); + try { server.start(); 
@@ -352,6 +360,8 @@ public class TestDoAsEffectiveUser { Server server = RPC.getServer(new TestImpl(), ADDRESS, 0, 2, false, conf, null); + refreshConf(conf); + try { server.start(); Modified: hadoop/common/branches/branch-0.20-security-patches/src/test/org/apache/hadoop/security/TestMapredGroupMappingServiceRefresh.java URL: http://svn.apache.org/viewvc/hadoop/common/branches/branch-0.20-security-patches/src/test/org/apache/hadoop/security/TestMapredGroupMappingServiceRefresh.java?rev=1077511&r1=1077510&r2=1077511&view=diff ============================================================================== --- hadoop/common/branches/branch-0.20-security-patches/src/test/org/apache/hadoop/security/TestMapredGroupMappingServiceRefresh.java (original) +++ hadoop/common/branches/branch-0.20-security-patches/src/test/org/apache/hadoop/security/TestMapredGroupMappingServiceRefresh.java Fri Mar 4 04:22:20 2011 @@ -20,9 +20,17 @@ package org.apache.hadoop.security; import static org.junit.Assert.assertEquals; import static org.junit.Assert.assertFalse; +import static org.junit.Assert.fail; +import static org.mockito.Mockito.mock; +import static org.mockito.Mockito.when; +import java.io.File; +import java.io.FileNotFoundException; +import java.io.FileOutputStream; import java.io.IOException; +import java.io.PrintWriter; import java.net.URI; +import java.net.URL; import java.util.ArrayList; import java.util.Arrays; import java.util.List; 
@@ -31,10 +39,13 @@ import org.apache.commons.logging.Log; import org.apache.commons.logging.LogFactory; import org.apache.hadoop.conf.Configuration; import org.apache.hadoop.fs.FileSystem; +import org.apache.hadoop.fs.Path; import org.apache.hadoop.hdfs.MiniDFSCluster; import org.apache.hadoop.mapred.JobConf; import org.apache.hadoop.mapred.MiniMRCluster; import org.apache.hadoop.mapred.tools.MRAdmin; +import org.apache.hadoop.security.authorize.AuthorizationException; +import org.apache.hadoop.security.authorize.ProxyUsers; import org.junit.After; import org.junit.Before; import org.junit.Test; @@ -43,6 +54,7 @@ public class TestMapredGroupMappingServi private MiniDFSCluster cluster; JobConf config; private static long groupRefreshTimeoutSec = 2; + private String tempResource = null; private static final Log LOG = LogFactory .getLog(TestMapredGroupMappingServiceRefresh.class); @@ -89,6 +101,7 @@ public class TestMapredGroupMappingServi 3, null, null, config); config.set("mapred.job.tracker", "localhost:"+miniMRCluster.getJobTrackerPort()); + ProxyUsers.refreshSuperUserGroupsConfiguration(config); } @After @@ -96,6 +109,10 @@ public class TestMapredGroupMappingServi if(cluster!=null) { cluster.shutdown(); } + if(tempResource!=null) { + File f = new File(tempResource); + f.delete(); + } } @Test 
@@ -140,4 +157,103 @@ public class TestMapredGroupMappingServi assertFalse("Should be different group ", g3.get(i).equals(g4.get(i))); } } + + @Test + public void testRefreshSuperUserGroupsConfiguration() throws Exception { + final String SUPER_USER = "super_user"; + final String [] GROUP_NAMES1 = new String [] {"gr1" , "gr2"}; + final String [] GROUP_NAMES2 = new String [] {"gr3" , "gr4"}; + + //keys in conf + String userKeyGroups = ProxyUsers.getProxySuperuserGroupConfKey(SUPER_USER); + String userKeyHosts = ProxyUsers.getProxySuperuserIpConfKey (SUPER_USER); + + config.set(userKeyGroups, "gr3,gr4,gr5"); // superuser can proxy for this group + config.set(userKeyHosts,"127.0.0.1"); + ProxyUsers.refreshSuperUserGroupsConfiguration(config); + + UserGroupInformation ugi1 = mock(UserGroupInformation.class); + UserGroupInformation ugi2 = mock(UserGroupInformation.class); + UserGroupInformation suUgi = mock(UserGroupInformation.class); + when(ugi1.getRealUser()).thenReturn(suUgi); + when(ugi2.getRealUser()).thenReturn(suUgi); + + when(suUgi.getShortUserName()).thenReturn(SUPER_USER); // super user + when(suUgi.getUserName()).thenReturn(SUPER_USER+"L"); // super user + + when(ugi1.getShortUserName()).thenReturn("user1"); + when(ugi2.getShortUserName()).thenReturn("user2"); + + when(ugi1.getUserName()).thenReturn("userL1"); + when(ugi2.getUserName()).thenReturn("userL2"); + + // set groups for users + when(ugi1.getGroupNames()).thenReturn(GROUP_NAMES1); + when(ugi2.getGroupNames()).thenReturn(GROUP_NAMES2); + + + // check before + try { + ProxyUsers.authorize(ugi1, "127.0.0.1", config); + fail("first auth for " + ugi1.getShortUserName() + " should've failed "); + } catch (AuthorizationException e) { + // expected + System.err.println("auth for " + ugi1.getUserName() + " failed"); + } + try { + ProxyUsers.authorize(ugi2, "127.0.0.1", config); + System.err.println("auth for " + ugi2.getUserName() + " succeeded"); + // expected + } catch (AuthorizationException e) { + 
fail("first auth for " + ugi2.getShortUserName() + " should've succeeded: " + e.getLocalizedMessage()); + } + + // refresh will look at configuration on the server side + // add additional resource with the new value + // so the server side will pick it up + String rsrc = "testRefreshSuperUserGroupsConfiguration_rsrc.xml"; + addNewConfigResource(rsrc, userKeyGroups, "gr2", userKeyHosts, "127.0.0.1"); + + MRAdmin admin = new MRAdmin(config); + String [] args = new String[]{"-refreshSuperUserGroupsConfiguration"}; + admin.run(args); + + try { + ProxyUsers.authorize(ugi2, "127.0.0.1", config); + fail("second auth for " + ugi2.getShortUserName() + " should've failed "); + } catch (AuthorizationException e) { + // expected + System.err.println("auth for " + ugi2.getUserName() + " failed"); + } + try { + ProxyUsers.authorize(ugi1, "127.0.0.1", config); + System.err.println("auth for " + ugi1.getUserName() + " succeeded"); + // expected + } catch (AuthorizationException e) { + fail("second auth for " + ugi1.getShortUserName() + " should've succeeded: " + e.getLocalizedMessage()); + } + } + + private void addNewConfigResource(String rsrcName, String keyGroup, + String groups, String keyHosts, String hosts) throws FileNotFoundException { + // location for temp resource should be in CLASSPATH + URL url = config.getResource("mapred-default.xml"); + Path p = new Path(url.getPath()); + Path dir = p.getParent(); + tempResource = dir.toString() + "/" + rsrcName; + + + String newResource = + ""+ + "" + keyGroup + ""+groups+"" + + "" + keyHosts + ""+hosts+"" + + ""; + PrintWriter writer = new PrintWriter(new FileOutputStream(tempResource)); + writer.println(newResource); + writer.close(); + + Configuration.addDefaultResource(rsrcName); + } + + } Modified: hadoop/common/branches/branch-0.20-security-patches/src/test/org/apache/hadoop/security/TestRefreshUserMappings.java URL: 
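Review bot: `addNewConfigResource` registers the temporary file through `Configuration.addDefaultResource(rsrcName)`, which is a static, process-wide registration, while `tearDown` only deletes the file and ignores the result of `f.delete()`. Until the file is removed, every `Configuration` created in the same JVM presumably picks up the test's proxy-user values, so a test running afterwards in the same process could be authorising against leftover settings if deletion fails. I would check the delete result and close the writer on all paths, e.g. `try { writer.println(newResource); } finally { writer.close(); }`, and add a comment that the resource name stays registered after the test. The identical helper added to TestRefreshUserMappings in the @@ -197,5 +213,27 hunk needs the same treatment.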
http://svn.apache.org/viewvc/hadoop/common/branches/branch-0.20-security-patches/src/test/org/apache/hadoop/security/TestRefreshUserMappings.java?rev=1077511&r1=1077510&r2=1077511&view=diff ============================================================================== --- hadoop/common/branches/branch-0.20-security-patches/src/test/org/apache/hadoop/security/TestRefreshUserMappings.java (original) +++ hadoop/common/branches/branch-0.20-security-patches/src/test/org/apache/hadoop/security/TestRefreshUserMappings.java Fri Mar 4 04:22:20 2011 @@ -25,15 +25,20 @@ import static org.junit.Assert.fail; import static org.mockito.Mockito.mock; import static org.mockito.Mockito.when; +import java.io.File; +import java.io.FileNotFoundException; +import java.io.FileOutputStream; import java.io.IOException; +import java.io.PrintWriter; +import java.net.URL; import java.util.ArrayList; import java.util.Arrays; import java.util.List; import org.apache.hadoop.conf.Configuration; import org.apache.hadoop.fs.FileSystem; +import org.apache.hadoop.fs.Path; import org.apache.hadoop.hdfs.MiniDFSCluster; -import org.apache.hadoop.hdfs.server.namenode.NameNode; import org.apache.hadoop.hdfs.tools.DFSAdmin; import org.apache.hadoop.security.authorize.AuthorizationException; import org.apache.hadoop.security.authorize.ProxyUsers; @@ -45,6 +50,7 @@ public class TestRefreshUserMappings { private MiniDFSCluster cluster; Configuration config; private static long groupRefreshTimeoutSec = 1; + private String tempResource = null; public static class MockUnixGroupsMapping implements GroupMappingServiceProvider { private int i=0; @@ -81,6 +87,10 @@ public class TestRefreshUserMappings { if(cluster!=null) { cluster.shutdown(); } + if(tempResource!=null) { + File f = new File(tempResource); + f.delete(); + } } @Test 
@@ -135,6 +145,7 @@ public class TestRefreshUserMappings { config.set(userKeyGroups, "gr3,gr4,gr5"); // superuser can proxy for this group config.set(userKeyHosts,"127.0.0.1"); + ProxyUsers.refreshSuperUserGroupsConfiguration(config); UserGroupInformation ugi1 = mock(UserGroupInformation.class); UserGroupInformation ugi2 = mock(UserGroupInformation.class); @@ -172,16 +183,21 @@ public class TestRefreshUserMappings { fail("first auth for " + ugi2.getShortUserName() + " should've succeeded: " + e.getLocalizedMessage()); } + // refresh will look at configuration on the server side + // add additional resource with the new value + // so the server side will pick it up + String rsrc = "testGroupMappingRefresh_rsrc.xml"; + addNewConfigResource(rsrc, userKeyGroups, "gr2", userKeyHosts, "127.0.0.1"); + + DFSAdmin admin = new DFSAdmin(config); String [] args = new String[]{"-refreshSuperUserGroupsConfiguration"}; - NameNode nn = cluster.getNameNode(); - Configuration conf = new Configuration(config); - conf.set(userKeyGroups, "gr2"); // superuser can proxy for this group - admin.setConf(conf); + //NameNode nn = cluster.getNameNode(); + //Configuration conf = new Configuration(config); + //conf.set(userKeyGroups, "gr2"); // superuser can proxy for this group + //admin.setConf(conf); admin.run(args); - //check after... - try { ProxyUsers.authorize(ugi2, "127.0.0.1", config); fail("second auth for " + ugi2.getShortUserName() + " should've failed "); 
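Review bot: The four lines starting at `//NameNode nn = cluster.getNameNode();` in the @@ -172,16 +183,21 hunk are left behind as commented-out code; since the client-side `Configuration` is deliberately no longer sent, they should be deleted rather than kept. A short comment would preserve the reason, e.g. `// the admin command carries no Configuration; the NameNode re-reads its own resources`. The result of `admin.run(args)` is also discarded, so a failed refresh only shows up indirectly through the later `authorize` assertions; asserting that it returns 0 would make the failure point clear.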
@@ -197,5 +213,27 @@ public class TestRefreshUserMappings { fail("second auth for " + ugi1.getShortUserName() + " should've succeeded: " + e.getLocalizedMessage()); } } + + // create a resource file with the new settings + private void addNewConfigResource(String rsrcName, String keyGroup, + String groups, String keyHosts, String hosts) throws FileNotFoundException { + // location for temp resource should be in CLASSPATH + Configuration conf = new Configuration(); + URL url = conf.getResource("hdfs-default.xml"); + Path p = new Path(url.getPath()); + Path dir = p.getParent(); + tempResource = dir.toString() + "/" + rsrcName; + + + String newResource = + ""+ + "" + keyGroup + ""+groups+"" + + "" + keyHosts + ""+hosts+"" + + ""; + PrintWriter writer = new PrintWriter(new FileOutputStream(tempResource)); + writer.println(newResource); + writer.close(); + Configuration.addDefaultResource(rsrcName); + } }