in qa/kerberos/src/main/java/org/elasticsearch/hadoop/qa/kerberos/setup/SetupKerberosUsers.java [35:128]
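/**
 * Provisions the security objects used by the Kerberos QA run by posting to the
 * cluster's {@code _security} endpoints: one native user per entry in the users
 * property, one {@code superuser} role mapping per principal, a {@code proxier}
 * role, and one {@code proxier} role mapping per proxying principal.
 *
 * <p>Everything created here is maximally privileged ({@code superuser}, a role with
 * {@code run_as: *} and {@code allow_restricted_indices}) and every user gets the
 * literal password {@code "password"}. NOTE(review): this file lives under
 * {@code qa/kerberos}, so it is presumably only ever pointed at a disposable test
 * cluster; confirm that it cannot be run against a shared or long-lived cluster.
 *
 * @param args not read by this method
 * @throws Exception if cluster discovery or any REST call fails
 */
public void run(String[] args) throws Exception {
    String rawUsers = getProperty(USERS);
    String rawPrincipals = getProperty(PRINCIPALS);
    String rawProxiers = getProperty(PROXIERS);

    Settings settings = new PropertiesSettings();
    settings.asProperties().putAll(System.getProperties());

    System.out.println(settings.getNodes());
    System.out.println(settings.getNetworkHttpAuthUser());
    // Do not echo the HTTP auth password: build and test output is commonly archived
    // in CI logs, where the credential would outlive the run. Report presence only.
    System.out.println(settings.getNetworkHttpAuthPass() == null
            ? "[no http auth password configured]"
            : "[http auth password configured]");

    InitializationUtils.discoverClusterInfo(settings, LogFactory.getLog(SetupKerberosUsers.class));

    // Shared counter: it keeps growing across all three loops, so every role mapping
    // gets a distinct "kerberos_client_mapping_<n>" name.
    int idx = 0;
    // NOTE(review): the client is never closed here; if ExtendedClient is Closeable,
    // wrap it in try-with-resources.
    ExtendedClient client = new ExtendedClient(settings);

    for (String user : StringUtils.tokenize(rawUsers)) {
        // NOTE(review): the user name is placed in the request path as-is; names with
        // '/', '?' or '#' would change the target resource. Confirm the property only
        // ever carries plain identifiers.
        client.post("_security/user/" + user, (
                "{\n" +
                " \"enabled\" : true,\n" +
                " \"password\" : \"password\",\n" +
                " \"roles\" : [ \"superuser\" ],\n" +
                " \"full_name\" : \"Client " + escapeJsonString(user) + "\"\n" +
                "}").getBytes(java.nio.charset.StandardCharsets.UTF_8));
        System.out.println("Added user for [" + user + "]");
        idx++;
    }

    for (String principal : StringUtils.tokenize(rawPrincipals)) {
        client.post("_security/role_mapping/kerberos_client_mapping_" + idx,
                roleMappingJson("superuser", principal).getBytes(java.nio.charset.StandardCharsets.UTF_8));
        System.out.println("Added role mapping for principal [" + principal + "]");
        idx++;
    }

    System.out.println("Creating proxy role");
    // The proxier role may impersonate any user (run_as "*") and holds every cluster,
    // index and application privilege, including access to restricted indices.
    client.post("_security/role/proxier", (
            "{\n" +
            " \"cluster\": [\n" +
            " \"all\"\n" +
            " ],\n" +
            " \"indices\": [\n" +
            " {\n" +
            " \"names\": [\n" +
            " \"*\"\n" +
            " ],\n" +
            " \"privileges\": [\n" +
            " \"all\"\n" +
            " ],\n" +
            " \"allow_restricted_indices\": true\n" +
            " }\n" +
            " ],\n" +
            " \"applications\": [\n" +
            " {\n" +
            " \"application\": \"*\",\n" +
            " \"privileges\": [\n" +
            " \"*\"\n" +
            " ],\n" +
            " \"resources\": [\n" +
            " \"*\"\n" +
            " ]\n" +
            " }\n" +
            " ],\n" +
            " \"run_as\": [\n" +
            " \"*\"\n" +
            " ],\n" +
            " \"transient_metadata\": {}\n" +
            "}").getBytes(java.nio.charset.StandardCharsets.UTF_8));

    for (String proxier : StringUtils.tokenize(rawProxiers)) {
        client.post("_security/role_mapping/kerberos_client_mapping_" + idx,
                roleMappingJson("proxier", proxier).getBytes(java.nio.charset.StandardCharsets.UTF_8));
        System.out.println("Added role mapping for principal [" + proxier + "] to perform impersonation");
        idx++;
    }
}

/** Builds the role-mapping request body that grants {@code role} to the exact {@code username}. */
private static String roleMappingJson(String role, String username) {
    return "{" +
            "\"roles\":[\"" + role + "\"]," +
            "\"enabled\":true," +
            "\"rules\":{" +
            "\"field\":{" +
            "\"username\":\"" + escapeJsonString(username) + "\"" +
            "}" +
            "}" +
            "}";
}

/**
 * Escapes a value for use inside a JSON string literal, so that a quote, backslash or
 * control character in a configured name cannot terminate the literal and alter the
 * roles or rules of the security request being built.
 */
private static String escapeJsonString(String value) {
    StringBuilder escaped = new StringBuilder(value.length() + 8);
    for (int i = 0; i < value.length(); i++) {
        char c = value.charAt(i);
        if (c == '"' || c == '\\') {
            escaped.append('\\').append(c);
        } else if (c < 0x20) {
            escaped.append(String.format("\\u%04x", (int) c));
        } else {
            escaped.append(c);
        }
    }
    return escaped.toString();
}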