in qa/kerberos/src/itest/java/org/elasticsearch/hadoop/qa/kerberos/AbstractKerberosClientTest.java [189:317]
public void testProxyKerberosAuth() throws Exception {
String hivePrincipal = System.getProperty("tests.hive.principal");
Assert.hasText(hivePrincipal, "Needs tests.hive.principal system property");
String hiveKeytab = System.getProperty("tests.hive.keytab");
Assert.hasText(hiveKeytab, "Needs tests.hive.keytab system property");
String realUserName = hivePrincipal;
String proxyUserName = "client";
// Create a user that the real user will proxy as
LOG.info("Creating proxied user");
RestUtils.postData("_security/user/" + proxyUserName, (
"{\n" +
" \"enabled\" : true,\n" +
" \"password\" : \"password\",\n" +
" \"roles\" : [ \"superuser\" ],\n" +
" \"full_name\" : \"Client McClientFace\"\n" +
"}").getBytes());
// This just mirrors the superuser role as they can impersonate all users
LOG.info("Creating proxy role");
RestUtils.postData("_security/role/proxier", (
"{\n" +
" \"cluster\": [\n" +
" \"all\"\n" +
" ],\n" +
" \"indices\": [\n" +
" {\n" +
" \"names\": [\n" +
" \"*\"\n" +
" ],\n" +
" \"privileges\": [\n" +
" \"all\"\n" +
" ],\n" +
" \"allow_restricted_indices\": true\n" +
" }\n" +
" ],\n" +
" \"applications\": [\n" +
" {\n" +
" \"application\": \"*\",\n" +
" \"privileges\": [\n" +
" \"*\"\n" +
" ],\n" +
" \"resources\": [\n" +
" \"*\"\n" +
" ]\n" +
" }\n" +
" ],\n" +
" \"run_as\": [\n" +
" \"*\"\n" +
" ],\n" +
" \"transient_metadata\": {}\n" +
"}").getBytes());
LOG.info("Creating mapping for hive principal to proxier role");
RestUtils.postData("_security/role_mapping/kerberos_proxy_client_mapping",
("{\"roles\":[\"proxier\"],\"enabled\":true,\"rules\":{\"field\":{\"username\":\""+realUserName+"\"}}}").getBytes());
org.apache.hadoop.conf.Configuration configuration = new org.apache.hadoop.conf.Configuration();
SecurityUtil.setAuthenticationMethod(UserGroupInformation.AuthenticationMethod.KERBEROS, configuration);
UserGroupInformation.setConfiguration(configuration);
UserGroupInformation realUser = UserGroupInformation.loginUserFromKeytabAndReturnUGI(hivePrincipal, hiveKeytab);
UserGroupInformation proxyUser = UserGroupInformation.createProxyUser(proxyUserName, realUser);
proxyUser.doAs(new PrivilegedExceptionAction<Void>() {
@Override
public Void run() throws Exception {
UserGroupInformation currentUser = UserGroupInformation.getCurrentUser();
assertEquals("client", currentUser.getUserName());
assertEquals("hive/build.elastic.co@BUILD.ELASTIC.CO", currentUser.getRealUser().getUserName());
assertFalse(currentUser.hasKerberosCredentials());
assertEquals(UserGroupInformation.AuthenticationMethod.PROXY, currentUser.getAuthenticationMethod());
assertEquals(UserGroupInformation.AuthenticationMethod.KERBEROS, currentUser.getRealAuthenticationMethod());
Settings testSettings = new TestSettings();
testSettings.asProperties().remove(ConfigurationOptions.ES_NET_HTTP_AUTH_USER);
testSettings.asProperties().remove(ConfigurationOptions.ES_NET_HTTP_AUTH_PASS);
InitializationUtils.setUserProviderIfNotSet(testSettings, HadoopUserProvider.class, new NoOpLog());
testSettings.setProperty(ConfigurationOptions.ES_SECURITY_AUTHENTICATION, "kerberos");
testSettings.setProperty(ConfigurationOptions.ES_NET_SPNEGO_AUTH_ELASTICSEARCH_PRINCIPAL, "HTTP/build.elastic.co@BUILD.ELASTIC.CO");
UserProvider userProvider = UserProvider.create(testSettings);
assertTrue(userProvider.isEsKerberosEnabled());
LOG.info("Getting cluster info");
InitializationUtils.discoverClusterInfo(testSettings, LOG);
LOG.info("Checking authenticate with Proxied User");
NetworkClient network = new NetworkClient(testSettings);
try {
network.execute(new SimpleRequest(Request.Method.GET, "", "/_security/_authenticate", ""));
} finally {
network.close();
}
LOG.info("Getting an API Token");
RestClient client = new RestClient(testSettings);
EsToken proxyToken;
try {
proxyToken = client.createNewApiToken("proxyToken");
} finally {
client.close();
}
LOG.info("Making another client without the token available yet");
network = new NetworkClient(testSettings);
try {
LOG.info("Checking authenticate to make sure it's still SPNEGO");
network.execute(new SimpleRequest(Request.Method.GET, "", "/_security/_authenticate", ""));
LOG.info("Adding token to user now");
userProvider.getUser().addEsToken(proxyToken);
LOG.info("Checking authenticate with same client again to make sure it's still SPNEGO");
network.execute(new SimpleRequest(Request.Method.GET, "", "/_security/_authenticate", ""));
} finally {
network.close();
}
LOG.info("Making new client to pick up newly added token");
network = new NetworkClient(testSettings);
try {
network.execute(new SimpleRequest(Request.Method.GET, "", "/_security/_authenticate", ""));
} finally {
network.close();
}
return null;
}
});
RestUtils.delete("_security/role_mapping/kerberos_proxy_client_mapping");
}