Repository: knox Updated Branches: refs/heads/master 5169480b3 -> 1a67f33db
KNOX-349: Knox API for Topology Management. Adds default admin topology to install and negative tests.
Project: http://git-wip-us.apache.org/repos/asf/knox/repo
Commit: http://git-wip-us.apache.org/repos/asf/knox/commit/1a67f33d
Tree: http://git-wip-us.apache.org/repos/asf/knox/tree/1a67f33d
Diff: http://git-wip-us.apache.org/repos/asf/knox/diff/1a67f33d
Branch: refs/heads/master
Commit: 1a67f33dbe3ce5ae609307c6808fd4ef769be0be
Parents: 5169480
Author: Kevin Minder <[email protected]>
Authored: Wed Jul 23 19:01:12 2014 -0400
Committer: Kevin Minder <[email protected]>
Committed: Wed Jul 23 19:01:12 2014 -0400
----------------------------------------------------------------------
gateway-release/home/conf/topologies/admin.xml | 102 +++++++++++++++++++
gateway-release/home/conf/users.ldif | 12 ++-
.../gateway/GatewayAdminTopologyFuncTest.java | 70 +++++++++++--
.../GatewayAdminTopologyFuncTest/users.ldif | 12 ++-
4 files changed, 184 insertions(+), 12 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/knox/blob/1a67f33d/gateway-release/home/conf/topologies/admin.xml
----------------------------------------------------------------------
diff --git a/gateway-release/home/conf/topologies/admin.xml b/gateway-release/home/conf/topologies/admin.xml
new file mode 100644
index 0000000..b024c42
--- /dev/null
+++ b/gateway-release/home/conf/topologies/admin.xml
@@ -0,0 +1,102 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one or more
+ contributor license agreements. See the NOTICE file distributed with
+ this work for additional information regarding copyright ownership.
+ The ASF licenses this file to You under the Apache License, Version 2.0
+ (the "License"); you may not use this file except in compliance with
+ the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+-->
+<topology>
+
+ <gateway>
+
+ <provider>
+ <role>authentication</role>
+ <name>ShiroProvider</name>
+ <enabled>true</enabled>
+ <param>
+ <!--
+ session timeout in minutes, this is really idle timeout,
+ defaults to 30mins, if the property value is not defined,,
+ current client authentication would expire if client idles contiuosly for more than this value
+ -->
+ <name>sessionTimeout</name>
+ <value>30</value>
+ </param>
+ <param>
+ <name>main.ldapRealm</name>
+ <value>org.apache.hadoop.gateway.shirorealm.KnoxLdapRealm</value>
+ </param>
+ <param>
+ <name>main.ldapRealm.userDnTemplate</name>
+ <value>uid={0},ou=people,dc=hadoop,dc=apache,dc=org</value>
+ </param>
+ <param>
+ <name>main.ldapRealm.contextFactory.url</name>
+ <value>ldap://localhost:33389</value>
+ </param>
+ <param>
+ <name>main.ldapRealm.contextFactory.authenticationMechanism</name>
+ <value>simple</value>
+ </param>
+ <param>
+ <name>urls./**</name>
+ <value>authcBasic</value>
+ </param>
+ </provider>
+
+ <provider>
+ <role>authorization</role>
+ <name>AclsAuthz</name>
+ <enabled>true</enabled>
+ <param>
+ <name>knox.acl</name>
+ <value>admin;*;*</value>
+ </param>
+ </provider>
+
+ <provider>
+ <role>identity-assertion</role>
+ <name>Pseudo</name>
+ <enabled>true</enabled>
+ </provider>
+
+ <!--
+ Defines rules for mapping host names internal to a Hadoop cluster to externally accessible host names.
+ For example, a hadoop service running in AWS may return a response that includes URLs containing the
+ some AWS internal host name. If the client needs to make a subsequent request to the host identified
+ in those URLs they need to be mapped to external host names that the client Knox can use to connect.
+
+ If the external hostname and internal host names are same turn of this provider by setting the value of
+ enabled parameter as false.
+
+ The name parameter specifies the external host names in a comma separated list.
+ The value parameter specifies corresponding internal host names in a comma separated list.
+
+ Note that when you are using Sandbox, the external hostname needs to be localhost, as seen in out
+ of box sandbox.xml. This is because Sandbox uses port mapping to allow clients to connect to the
+ Hadoop services using localhost. In real clusters, external host names would almost never be localhost.
+ -->
+ <provider>
+ <role>hostmap</role>
+ <name>static</name>
+ <enabled>true</enabled>
+ <param><name>localhost</name><value>sandbox,sandbox.hortonworks.com</value></param>
+ </provider>
+
+ </gateway>
+
+ <service>
+ <role>KNOX</role>
+ </service>
+
+</topology>
http://git-wip-us.apache.org/repos/asf/knox/blob/1a67f33d/gateway-release/home/conf/users.ldif
----------------------------------------------------------------------
diff --git a/gateway-release/home/conf/users.ldif b/gateway-release/home/conf/users.ldif
index e23503a..f5afe6d 100644
--- a/gateway-release/home/conf/users.ldif
+++ b/gateway-release/home/conf/users.ldif
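Review bot: The authentication provider in this new admin topology points `main.ldapRealm.contextFactory.url` at `ldap://localhost:33389` with `main.ldapRealm.contextFactory.authenticationMechanism` set to `simple`, so the admin password is sent in the clear on the gateway-to-directory hop, and because the file lives under gateway-release/home/conf/topologies it becomes the installed default. A comment beside that param saying the value targets the bundled demo LDAP and should be changed to the deployment's directory (over `ldaps://` where the directory supports it) before the topology is exposed would make the intent explicit. The `hostmap` provider and its `sandbox,sandbox.hortonworks.com` mapping look carried over from the sandbox topology; with only the `KNOX` service in this topology it is presumably unneeded and the long copied comment could go with it. The `sessionTimeout` comment also carries the `defined,,` and `contiuosly` typos.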
@@ -40,4 +40,14 @@ objectclass:inetOrgPerson
 cn: Guest
 sn: User
 uid: guest
-userPassword:guest-password
\ No newline at end of file
+userPassword:guest-password
+
+dn: uid=admin,ou=people,dc=hadoop,dc=apache,dc=org
+objectclass:top
+objectclass:person
+objectclass:organizationalPerson
+objectclass:inetOrgPerson
+cn: Admin
+sn: Admin
+uid: admin
+userPassword:admin-password
\ No newline at end of file
http://git-wip-us.apache.org/repos/asf/knox/blob/1a67f33d/gateway-test/src/test/java/org/apache/hadoop/gateway/GatewayAdminTopologyFuncTest.java
----------------------------------------------------------------------
diff --git a/gateway-test/src/test/java/org/apache/hadoop/gateway/GatewayAdminTopologyFuncTest.java b/gateway-test/src/test/java/org/apache/hadoop/gateway/GatewayAdminTopologyFuncTest.java
index 7d1b723..613700e 100644
--- a/gateway-test/src/test/java/org/apache/hadoop/gateway/GatewayAdminTopologyFuncTest.java
+++ b/gateway-test/src/test/java/org/apache/hadoop/gateway/GatewayAdminTopologyFuncTest.java
@@ -17,6 +17,7 @@
 */
 package org.apache.hadoop.gateway;
+import com.jayway.restassured.http.ContentType;
 import com.jayway.restassured.response.ResponseBody;
 import com.mycila.xmltool.XMLDoc;
 import com.mycila.xmltool.XMLTag;
@@ -27,8 +28,6 @@ import org.apache.hadoop.gateway.services.DefaultGatewayServices;
 import org.apache.hadoop.gateway.services.ServiceLifecycleException;
 import org.apache.http.HttpStatus;
 import org.apache.log4j.Appender;
-import org.eclipse.jetty.util.ajax.JSON;
-import org.glassfish.jersey.server.JSONP;
 import org.hamcrest.MatcherAssert;
 import org.hamcrest.Matchers;
 import org.junit.AfterClass;
@@ -51,8 +50,6 @@ import java.util.UUID;
 import static com.jayway.restassured.RestAssured.*;
 import static org.hamcrest.CoreMatchers.*;
-import static org.junit.Assert.assertEquals;
-import static org.junit.Assert.assertSame;
 import static org.junit.Assert.assertThat;
 public class GatewayAdminTopologyFuncTest {
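Review bot: The `uid=admin` entry added to gateway-release/home/conf/users.ldif carries a fixed `userPassword:admin-password`, and since the `knox.acl` in the new admin.xml names `admin`, the installed default now ships a known administrative credential for the demo LDAP. A comment above the entry such as `# demo-only credential: replace before exposing the gateway` would flag it for installers; the identical entry added to the test-resource copy under GatewayAdminTopologyFuncTest/users.ldif (the last hunk of this commit) is fine with a fixed password. Both hunks also leave the file without a trailing newline (`\ No newline at end of file`), which this edit could have fixed in passing.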
@@ -209,7 +206,14 @@ public class GatewayAdminTopologyFuncTest {
 .addTag( "param" )
 .addTag( "name" ).addText( "urls./**" )
 .addTag( "value" ).addText( "authcBasic" ).gotoParent().gotoParent()
- .addTag( "provider" )
+ .addTag("provider")
+ .addTag( "role" ).addText( "authorization" )
+ .addTag( "name" ).addText( "AclsAuthz" )
+ .addTag( "enabled" ).addText( "true" )
+ .addTag("param")
+ .addTag("name").addText("knox.acl")
+ .addTag("value").addText("admin;*;*").gotoParent().gotoParent()
+ .addTag("provider")
+ .addTag( "role" ).addText( "identity-assertion" )
+ .addTag( "enabled" ).addText( "true" )
+ .addTag( "name" ).addText( "Pseudo" ).gotoParent()
@@ -256,11 +260,11 @@ public class GatewayAdminTopologyFuncTest {
 @Test
 public void testTopologyCollection() throws ClassNotFoundException {
- String username = "guest";
- String password = "guest-password";
+ String username = "admin";
+ String password = "admin-password";
 String serviceUrl = clusterUrl + "/api/v1/topologies";
 String href = given()
- .log().all()
+ //.log().all()
 .auth().preemptive().basic(username, password)
 .expect()
 //.log().all()
@@ -289,8 +293,8 @@ public class GatewayAdminTopologyFuncTest {
 @Test
 public void testTopologyObject() throws ClassNotFoundException {
- String username = "guest";
- String password = "guest-password";
+ String username = "admin";
+ String password = "admin-password";
 String serviceUrl = clusterUrl + "/api/v1/topologies";
 String href = given()
 //.log().all()
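Review bot: The builder lines added in the `@@ -209` hunk mix two spacing styles: `.addTag("provider")`, `.addTag("param")`, `.addTag("name").addText("knox.acl")` and `.addTag("value").addText("admin;*;*")` drop the padded-paren form the rest of the chain uses (`.addTag( "role" ).addText( "authorization" )`), and the replaced `.addTag( "provider" )` line lost its padding for no functional reason. Matching the existing form, e.g. `.addTag( "provider" )` and `.addTag( "name" ).addText( "knox.acl" )`, keeps the chain readable as one unit; the method that builds this topology starts before the hunk. In testTopologyCollection the `.log().all()` call becomes commented-out code (`//.log().all()`), which the nearby context shows is already a habit in this file; deleting such lines instead avoids accumulating dead code.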
@@ -326,4 +330,50 @@ public class GatewayAdminTopologyFuncTest {
 }
+ @Test
+ public void testPositiveAuthorization() throws ClassNotFoundException{
+
+
+ String adminUser = "admin";
+ String adminPass = "admin-password";
+ String url = clusterUrl + "/api/v1/topologies";
+
+ given()
+ //.log().all()
+ .auth().preemptive().basic(adminUser, adminPass)
+ .expect()
+ //.log().all()
+ .statusCode(HttpStatus.SC_OK)
+ .contentType(ContentType.JSON)
+ .body("name[0]", not(nullValue()))
+ .body("name[1]", not(nullValue()))
+ .body("uri[0]", not(nullValue()))
+ .body("uri[1]", not(nullValue()))
+ .body("href[0]", not(nullValue()))
+ .body("href[1]", not(nullValue()))
+ .body("timestamp[0]", not(nullValue()))
+ .body("timestamp[1]", not(nullValue()))
+ .get(url);
+
+ }
+
+ @Test
+ public void testNegativeAuthorization() throws ClassNotFoundException{
+
+ String guestUser = "guest";
+ String guestPass = "guest-password";
+ String url = clusterUrl + "/api/v1/topologies";
+
+ given()
+ //.log().all()
+ .auth().basic(guestUser, guestPass)
+ .expect()
+ //.log().all()
+ .statusCode(HttpStatus.SC_FORBIDDEN)
+ .get(url);
+
+
+
+ }
+ }
http://git-wip-us.apache.org/repos/asf/knox/blob/1a67f33d/gateway-test/src/test/resources/org/apache/hadoop/gateway/GatewayAdminTopologyFuncTest/users.ldif
----------------------------------------------------------------------
diff --git a/gateway-test/src/test/resources/org/apache/hadoop/gateway/GatewayAdminTopologyFuncTest/users.ldif b/gateway-test/src/test/resources/org/apache/hadoop/gateway/GatewayAdminTopologyFuncTest/users.ldif
index b982cb3..c7bff35 100644
--- a/gateway-test/src/test/resources/org/apache/hadoop/gateway/GatewayAdminTopologyFuncTest/users.ldif
+++ b/gateway-test/src/test/resources/org/apache/hadoop/gateway/GatewayAdminTopologyFuncTest/users.ldif
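Review bot: testNegativeAuthorization authenticates with `.auth().basic(guestUser, guestPass)` while every other request in this file, including testPositiveAuthorization directly above it, uses `.auth().preemptive().basic(...)`; as far as I can tell REST Assured's non-preemptive basic auth only sends the credentials after a challenge, so if the gateway's first reply is anything other than the expected challenge the test would see a 401 instead of exercising the `SC_FORBIDDEN` path it is meant to cover. Using `.auth().preemptive().basic(guestUser, guestPass)` makes the assertion depend only on the AclsAuthz decision for an authenticated guest. testPositiveAuthorization asserts `name[1]`, `uri[1]`, `href[1]` and `timestamp[1]`, i.e. it presumes at least two deployed topologies; a one-line comment naming the two the fixture deploys would tell a reader why index 1 is safe. The runs of blank lines after the `given()` chains and the missing space in `throws ClassNotFoundException{` are minor formatting nits.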
@@ -39,4 +39,14 @@ objectclass:inetOrgPerson
 cn: Guest
 sn: User
 uid: guest
-userPassword:guest-password
\ No newline at end of file
+userPassword:guest-password
+
+dn: uid=admin,ou=people,dc=hadoop,dc=apache,dc=org
+objectclass:top
+objectclass:person
+objectclass:organizationalPerson
+objectclass:inetOrgPerson
+cn: Admin
+sn: Admin
+uid: admin
+userPassword:admin-password
\ No newline at end of file
