http://git-wip-us.apache.org/repos/asf/knox/blob/af9b0c3d/gateway-provider-identity-assertion-hadoop-groups/src/main/java/org/apache/hadoop/gateway/identityasserter/hadoop/groups/filter/HadoopGroupProviderMessages.java ---------------------------------------------------------------------- diff --git a/gateway-provider-identity-assertion-hadoop-groups/src/main/java/org/apache/hadoop/gateway/identityasserter/hadoop/groups/filter/HadoopGroupProviderMessages.java b/gateway-provider-identity-assertion-hadoop-groups/src/main/java/org/apache/hadoop/gateway/identityasserter/hadoop/groups/filter/HadoopGroupProviderMessages.java deleted file mode 100644 index d67b811..0000000 --- a/gateway-provider-identity-assertion-hadoop-groups/src/main/java/org/apache/hadoop/gateway/identityasserter/hadoop/groups/filter/HadoopGroupProviderMessages.java +++ /dev/null 
@@ -1,43 +0,0 @@ -/** - * Licensed to the Apache Software Foundation (ASF) under one - * or more contributor license agreements. See the NOTICE file - * distributed with this work for additional information - * regarding copyright ownership. The ASF licenses this file - * to you under the Apache License, Version 2.0 (the - * "License"); you may not use this file except in compliance - * with the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ -package org.apache.hadoop.gateway.identityasserter.hadoop.groups.filter; - -import org.apache.hadoop.gateway.i18n.messages.Message; -import org.apache.hadoop.gateway.i18n.messages.MessageLevel; -import org.apache.hadoop.gateway.i18n.messages.Messages; -import org.apache.hadoop.gateway.i18n.messages.StackTrace; - -/** - * Messages for provider - HadoopGroupProvider - * - * @since 0.11 - */ - -@Messages(logger="org.apache.hadoop.gateway") -public interface HadoopGroupProviderMessages { - - @Message( level = MessageLevel.ERROR, text = "Error getting groups for principal {0}" ) - void errorGettingUserGroups(final String principal , @StackTrace( level = MessageLevel.DEBUG ) Exception e ); - - @Message( level = MessageLevel.INFO, text = "No groups for principal {0} found" ) - void noGroupsFound(final String principal); - - @Message( level = MessageLevel.DEBUG, text = "Found groups for principal {0} : {1}" ) - void groupsFound(final String principal, final String groups ); - -}
http://git-wip-us.apache.org/repos/asf/knox/blob/af9b0c3d/gateway-provider-identity-assertion-hadoop-groups/src/main/java/org/apache/knox/gateway/identityasserter/hadoop/groups/filter/HadoopGroupProviderDeploymentContributor.java
----------------------------------------------------------------------
diff --git a/gateway-provider-identity-assertion-hadoop-groups/src/main/java/org/apache/knox/gateway/identityasserter/hadoop/groups/filter/HadoopGroupProviderDeploymentContributor.java b/gateway-provider-identity-assertion-hadoop-groups/src/main/java/org/apache/knox/gateway/identityasserter/hadoop/groups/filter/HadoopGroupProviderDeploymentContributor.java
new file mode 100644
index 0000000..d04713d
--- /dev/null
+++ b/gateway-provider-identity-assertion-hadoop-groups/src/main/java/org/apache/knox/gateway/identityasserter/hadoop/groups/filter/HadoopGroupProviderDeploymentContributor.java
@@ -0,0 +1,64 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.knox.gateway.identityasserter.hadoop.groups.filter;
+
+import org.apache.knox.gateway.identityasserter.common.filter.AbstractIdentityAsserterDeploymentContributor;
+
+/**
+ * A provider deployment contributor for looking up authenticated user groups as
+ * seen by Hadoop implementation.
+ *
+ * @since 0.11.0
+ */
+
+public class HadoopGroupProviderDeploymentContributor
+ extends AbstractIdentityAsserterDeploymentContributor {
+
+ /**
+ * Name of our <b>identity-assertion</b> provider.
+ */
+ public static final String HADOOP_GROUP_PROVIDER = "HadoopGroupProvider";
+
+ /* create an instance */
+ public HadoopGroupProviderDeploymentContributor() {
+ super();
+ }
+
+ /*
+ * (non-Javadoc)
+ *
+ * @see
+ * ProviderDeploymentContributor#getName()
+ */
+ @Override
+ public String getName() {
+ return HADOOP_GROUP_PROVIDER;
+ }
+
+ /*
+ * (non-Javadoc)
+ *
+ * @see org.apache.hadoop.gateway.identityasserter.common.filter.
+ * AbstractIdentityAsserterDeploymentContributor#getFilterClassname()
+ */
+ @Override
+ protected String getFilterClassname() {
+ return HadoopGroupProviderFilter.class.getName();
+ }
+
+}
http://git-wip-us.apache.org/repos/asf/knox/blob/af9b0c3d/gateway-provider-identity-assertion-hadoop-groups/src/main/java/org/apache/knox/gateway/identityasserter/hadoop/groups/filter/HadoopGroupProviderFilter.java
----------------------------------------------------------------------
diff --git a/gateway-provider-identity-assertion-hadoop-groups/src/main/java/org/apache/knox/gateway/identityasserter/hadoop/groups/filter/HadoopGroupProviderFilter.java b/gateway-provider-identity-assertion-hadoop-groups/src/main/java/org/apache/knox/gateway/identityasserter/hadoop/groups/filter/HadoopGroupProviderFilter.java
new file mode 100644
index 0000000..7709f68
--- /dev/null
+++ b/gateway-provider-identity-assertion-hadoop-groups/src/main/java/org/apache/knox/gateway/identityasserter/hadoop/groups/filter/HadoopGroupProviderFilter.java
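Review bot: The `@see` comment above `getFilterClassname()` still names `org.apache.hadoop.gateway.identityasserter.common.filter.AbstractIdentityAsserterDeploymentContributor`, although this file now imports that class from `org.apache.knox.gateway.identityasserter.common.filter`; it should read `@see org.apache.knox.gateway.identityasserter.common.filter.AbstractIdentityAsserterDeploymentContributor#getFilterClassname()`. The same leftover appears in the new HadoopGroupProviderMessages.java hunk, where `@Messages(logger="org.apache.hadoop.gateway")` keeps the old logger name. That one may be deliberate so that existing log configuration keeps matching, but nothing in the hunk says so; a one-line comment stating the intent would tell operators which logger name carries this provider's group-lookup errors.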
@@ -0,0 +1,121 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.knox.gateway.identityasserter.hadoop.groups.filter;
+
+import java.io.IOException;
+import java.util.Enumeration;
+import java.util.List;
+
+import javax.security.auth.Subject;
+import javax.servlet.FilterConfig;
+import javax.servlet.ServletException;
+
+import org.apache.hadoop.conf.Configuration;
+import org.apache.knox.gateway.i18n.messages.MessagesFactory;
+import org.apache.knox.gateway.identityasserter.common.filter.CommonIdentityAssertionFilter;
+import org.apache.hadoop.security.GroupMappingServiceProvider;
+import org.apache.hadoop.security.Groups;
+
+/**
+ * A filter that integrates the Hadoop {@link GroupMappingServiceProvider} for
+ * looking up group membership of the authenticated (asserted) identity.
+ *
+ * @since 0.11.0
+ */
+public class HadoopGroupProviderFilter extends CommonIdentityAssertionFilter {
+
+ /**
+ * Logging
+ */
+ public static HadoopGroupProviderMessages LOG = MessagesFactory
+ .get(HadoopGroupProviderMessages.class);
+
+ /**
+ * Configuration object needed by for hadoop classes
+ */
+ private Configuration hadoopConfig;
+
+ /**
+ * Hadoop Groups implementation.
+ */
+ private Groups hadoopGroups;
+
+ /* create an instance */
+ public HadoopGroupProviderFilter() {
+ super();
+ }
+
+ @Override
+ public void init(final FilterConfig filterConfig) throws ServletException {
+ super.init(filterConfig);
+
+ try {
+ hadoopConfig = new Configuration(false);
+
+ if (filterConfig.getInitParameterNames() != null) {
+
+ for (final Enumeration<String> keys = filterConfig
+ .getInitParameterNames(); keys.hasMoreElements();) {
+
+ final String key = keys.nextElement();
+ hadoopConfig.set(key, filterConfig.getInitParameter(key));
+
+ }
+
+ }
+ hadoopGroups = new Groups(hadoopConfig);
+
+ } catch (final Exception e) {
+ throw new ServletException(e);
+ }
+
+ }
+
+ /**
+ * Query the Hadoop implementation of {@link Groups} to retrieve groups for
+ * provided user.
+ */
+ public String[] mapGroupPrincipals(final String mappedPrincipalName,
+ final Subject subject) {
+ /* return the groups as seen by Hadoop */
+ String[] groups = null;
+ try {
+ final List<String> groupList = hadoopGroups
+ .getGroups(mappedPrincipalName);
+ LOG.groupsFound(mappedPrincipalName, groupList.toString());
+ groups = groupList.toArray(new String[0]);
+
+ } catch (final IOException e) {
+ if (e.toString().contains("No groups found for user")) {
+ /* no groups found move on */
+ LOG.noGroupsFound(mappedPrincipalName);
+ } else {
+ /* Log the error and return empty group */
+ LOG.errorGettingUserGroups(mappedPrincipalName, e);
+ }
+ groups = new String[0];
+ }
+ return groups;
+ }
+
+ public String mapUserPrincipal(final String principalName) {
+ /* return the passed principal */
+ return principalName;
+ }
+
+}
http://git-wip-us.apache.org/repos/asf/knox/blob/af9b0c3d/gateway-provider-identity-assertion-hadoop-groups/src/main/java/org/apache/knox/gateway/identityasserter/hadoop/groups/filter/HadoopGroupProviderMessages.java
----------------------------------------------------------------------
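Review bot: In `mapGroupPrincipals` every `IOException` from `hadoopGroups.getGroups(...)` ends in `groups = new String[0]`, so a failed lookup is indistinguishable downstream from a principal that really has no groups. The two cases are told apart only for logging, by `e.toString().contains("No groups found for user")`, which depends on the wording of an exception message. Any authorization rule that relies on group membership will see an empty set when the lookup fails, so the method's Javadoc should state the contract, e.g. `Returns an empty array when the lookup fails; callers cannot tell a failed lookup from a principal without groups.` Separately, `public static HadoopGroupProviderMessages LOG` is a public, reassignable field; unless something outside this class reassigns it, `private static final` would be the safer declaration.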
diff --git a/gateway-provider-identity-assertion-hadoop-groups/src/main/java/org/apache/knox/gateway/identityasserter/hadoop/groups/filter/HadoopGroupProviderMessages.java b/gateway-provider-identity-assertion-hadoop-groups/src/main/java/org/apache/knox/gateway/identityasserter/hadoop/groups/filter/HadoopGroupProviderMessages.java
new file mode 100644
index 0000000..311b00a
--- /dev/null
+++ b/gateway-provider-identity-assertion-hadoop-groups/src/main/java/org/apache/knox/gateway/identityasserter/hadoop/groups/filter/HadoopGroupProviderMessages.java
@@ -0,0 +1,43 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.knox.gateway.identityasserter.hadoop.groups.filter;
+
+import org.apache.knox.gateway.i18n.messages.Message;
+import org.apache.knox.gateway.i18n.messages.MessageLevel;
+import org.apache.knox.gateway.i18n.messages.Messages;
+import org.apache.knox.gateway.i18n.messages.StackTrace;
+
+/**
+ * Messages for provider - HadoopGroupProvider
+ *
+ * @since 0.11
+ */
+
+@Messages(logger="org.apache.hadoop.gateway")
+public interface HadoopGroupProviderMessages {
+
+ @Message( level = MessageLevel.ERROR, text = "Error getting groups for principal {0}" )
+ void errorGettingUserGroups(final String principal , @StackTrace( level = MessageLevel.DEBUG ) Exception e );
+
+ @Message( level = MessageLevel.INFO, text = "No groups for principal {0} found" )
+ void noGroupsFound(final String principal);
+
+ @Message( level = MessageLevel.DEBUG, text = "Found groups for principal {0} : {1}" )
+ void groupsFound(final String principal, final String groups );
+
+}
http://git-wip-us.apache.org/repos/asf/knox/blob/af9b0c3d/gateway-provider-identity-assertion-hadoop-groups/src/main/resources/META-INF/services/org.apache.hadoop.gateway.deploy.ProviderDeploymentContributor ---------------------------------------------------------------------- diff --git a/gateway-provider-identity-assertion-hadoop-groups/src/main/resources/META-INF/services/org.apache.hadoop.gateway.deploy.ProviderDeploymentContributor b/gateway-provider-identity-assertion-hadoop-groups/src/main/resources/META-INF/services/org.apache.hadoop.gateway.deploy.ProviderDeploymentContributor deleted file mode 100644 index 5445ddc..0000000 --- a/gateway-provider-identity-assertion-hadoop-groups/src/main/resources/META-INF/services/org.apache.hadoop.gateway.deploy.ProviderDeploymentContributor +++ /dev/null 
@@ -1,19 +0,0 @@ -########################################################################## -# Licensed to the Apache Software Foundation (ASF) under one -# or more contributor license agreements. See the NOTICE file -# distributed with this work for additional information -# regarding copyright ownership. The ASF licenses this file -# to you under the Apache License, Version 2.0 (the -# "License"); you may not use this file except in compliance -# with the License. You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -########################################################################## - -org.apache.hadoop.gateway.identityasserter.hadoop.groups.filter.HadoopGroupProviderDeploymentContributor \ No newline at end of file http://git-wip-us.apache.org/repos/asf/knox/blob/af9b0c3d/gateway-provider-identity-assertion-hadoop-groups/src/main/resources/META-INF/services/org.apache.knox.gateway.deploy.ProviderDeploymentContributor ---------------------------------------------------------------------- diff --git a/gateway-provider-identity-assertion-hadoop-groups/src/main/resources/META-INF/services/org.apache.knox.gateway.deploy.ProviderDeploymentContributor b/gateway-provider-identity-assertion-hadoop-groups/src/main/resources/META-INF/services/org.apache.knox.gateway.deploy.ProviderDeploymentContributor new file mode 100644 index 0000000..2191300 --- /dev/null +++ b/gateway-provider-identity-assertion-hadoop-groups/src/main/resources/META-INF/services/org.apache.knox.gateway.deploy.ProviderDeploymentContributor 
@@ -0,0 +1,19 @@ +########################################################################## +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +########################################################################## + +org.apache.knox.gateway.identityasserter.hadoop.groups.filter.HadoopGroupProviderDeploymentContributor \ No newline at end of file http://git-wip-us.apache.org/repos/asf/knox/blob/af9b0c3d/gateway-provider-identity-assertion-hadoop-groups/src/test/java/org/apache/hadoop/gateway/identityasserter/hadoop/groups/filter/HadoopGroupProviderDeploymentContributorTest.java ---------------------------------------------------------------------- diff --git a/gateway-provider-identity-assertion-hadoop-groups/src/test/java/org/apache/hadoop/gateway/identityasserter/hadoop/groups/filter/HadoopGroupProviderDeploymentContributorTest.java b/gateway-provider-identity-assertion-hadoop-groups/src/test/java/org/apache/hadoop/gateway/identityasserter/hadoop/groups/filter/HadoopGroupProviderDeploymentContributorTest.java deleted file mode 100644 index b146b7c..0000000 
--- a/gateway-provider-identity-assertion-hadoop-groups/src/test/java/org/apache/hadoop/gateway/identityasserter/hadoop/groups/filter/HadoopGroupProviderDeploymentContributorTest.java +++ /dev/null 
@@ -1,54 +0,0 @@ -/** - * Licensed to the Apache Software Foundation (ASF) under one - * or more contributor license agreements. See the NOTICE file - * distributed with this work for additional information - * regarding copyright ownership. The ASF licenses this file - * to you under the Apache License, Version 2.0 (the - * "License"); you may not use this file except in compliance - * with the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ -package org.apache.hadoop.gateway.identityasserter.hadoop.groups.filter; - -import static org.hamcrest.MatcherAssert.assertThat; -import static org.junit.Assert.fail; - -import java.util.Iterator; -import java.util.ServiceLoader; - -import org.apache.hadoop.gateway.deploy.ProviderDeploymentContributor; -import org.junit.Test; - -/** - * Test for {@link HadoopGroupProviderDeploymentContributor} - * @since 0.11 - */ -public class HadoopGroupProviderDeploymentContributorTest { - - @Test - public void testServiceLoader() throws Exception { - - ServiceLoader<ProviderDeploymentContributor> loader = ServiceLoader - .load(ProviderDeploymentContributor.class); - - Iterator<ProviderDeploymentContributor> iterator = loader.iterator(); - assertThat("Service iterator empty.", iterator.hasNext()); - while (iterator.hasNext()) { - Object object = iterator.next(); - if (object instanceof HadoopGroupProviderDeploymentContributor) { - return; - } - } - fail("Failed to find " - + HadoopGroupProviderDeploymentContributor.class.getName() - + " via service loader."); - } - -} 
http://git-wip-us.apache.org/repos/asf/knox/blob/af9b0c3d/gateway-provider-identity-assertion-hadoop-groups/src/test/java/org/apache/hadoop/gateway/identityasserter/hadoop/groups/filter/HadoopGroupProviderFilterTest.java ---------------------------------------------------------------------- diff --git a/gateway-provider-identity-assertion-hadoop-groups/src/test/java/org/apache/hadoop/gateway/identityasserter/hadoop/groups/filter/HadoopGroupProviderFilterTest.java b/gateway-provider-identity-assertion-hadoop-groups/src/test/java/org/apache/hadoop/gateway/identityasserter/hadoop/groups/filter/HadoopGroupProviderFilterTest.java deleted file mode 100644 index c8305fa..0000000 --- a/gateway-provider-identity-assertion-hadoop-groups/src/test/java/org/apache/hadoop/gateway/identityasserter/hadoop/groups/filter/HadoopGroupProviderFilterTest.java +++ /dev/null 
@@ -1,218 +0,0 @@ -/** - * Licensed to the Apache Software Foundation (ASF) under one - * or more contributor license agreements. See the NOTICE file - * distributed with this work for additional information - * regarding copyright ownership. The ASF licenses this file - * to you under the Apache License, Version 2.0 (the - * "License"); you may not use this file except in compliance - * with the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ -package org.apache.hadoop.gateway.identityasserter.hadoop.groups.filter; - -import static org.hamcrest.CoreMatchers.is; -import static org.hamcrest.MatcherAssert.assertThat; - -import java.security.Principal; -import java.util.Arrays; -import java.util.List; -import java.util.Vector; - -import javax.security.auth.Subject; -import javax.servlet.FilterConfig; -import javax.servlet.ServletContext; -import javax.servlet.ServletException; - -import org.apache.hadoop.gateway.security.PrimaryPrincipal; -import org.apache.hadoop.security.LdapGroupsMapping; -import org.apache.hadoop.security.ShellBasedUnixGroupsMapping; -import org.easymock.EasyMock; -import org.junit.Test; - -/** - * Test for {@link HadoopGroupProviderFilter} - * - * @since 0.11.0 - */ -public class HadoopGroupProviderFilterTest { - - /** - * System username - */ - private static final String failUsername = "highly_unlikely_username_to_have"; - - /** - * System username - */ - private static final String username = System.getProperty("user.name"); - - /** - * Configuration object needed by for hadoop classes - */ - - /** - * Hadoop Groups implementation. 
- */ - - /* create an instance */ - public HadoopGroupProviderFilterTest() { - super(); - } - - /** - * Test that valid groups are retrieved for a legitimate user. - * - * @throws ServletException - */ - @Test - public void testGroups() throws ServletException { - - final FilterConfig config = EasyMock.createNiceMock(FilterConfig.class); - EasyMock.expect(config.getInitParameter("principal.mapping") ).andReturn( "" ).anyTimes(); - ServletContext context = EasyMock.createNiceMock(ServletContext.class); - EasyMock.expect(config.getServletContext() ).andReturn( context ).anyTimes(); - EasyMock.expect(context.getInitParameter("principal.mapping") ).andReturn( "" ).anyTimes(); - EasyMock.replay( config ); - EasyMock.replay( context ); - - final HadoopGroupProviderFilter filter = new HadoopGroupProviderFilter(); - - final Subject subject = new Subject(); - subject.getPrincipals().add(new PrimaryPrincipal(username)); - - filter.init(config); - final String principal = filter.mapUserPrincipal( - ((Principal) subject.getPrincipals(PrimaryPrincipal.class).toArray()[0]) - .getName()); - final String[] groups = filter.mapGroupPrincipals(principal, subject); - - assertThat(principal, is(username)); - assertThat( - "No groups assosciated with the user, most likely this is a failure, it is only OK when 'bash -c groups' command returns 0 groups. ", - groups.length > 0); - - } - - /** - * Test that no groups are retrieved for a dummy user. 
- * - * @throws ServletException - */ - @Test - public void testUnknownUser() throws ServletException { - - final FilterConfig config = EasyMock.createNiceMock(FilterConfig.class); - EasyMock.expect(config.getInitParameter("principal.mapping") ).andReturn( "" ).anyTimes(); - ServletContext context = EasyMock.createNiceMock(ServletContext.class); - EasyMock.expect(config.getServletContext() ).andReturn( context ).anyTimes(); - EasyMock.expect(context.getInitParameter("principal.mapping") ).andReturn( "" ).anyTimes(); - EasyMock.replay( config ); - EasyMock.replay( context ); - - final HadoopGroupProviderFilter filter = new HadoopGroupProviderFilter(); - - final Subject subject = new Subject(); - subject.getPrincipals().add(new PrimaryPrincipal(failUsername)); - - filter.init(config); - final String principal = filter.mapUserPrincipal( - ((Principal) subject.getPrincipals(PrimaryPrincipal.class).toArray()[0]) - .getName()); - final String[] groups = filter.mapGroupPrincipals(principal, subject); - - assertThat(principal, is(failUsername)); - assertThat( - "Somehow groups were found for this user, how is it possible ! check 'bash -c groups' command ", - groups.length == 0); - - } - - /** - * Test for a bad config (nonexistent). This test proves, we are not falling - * back on {@link ShellBasedUnixGroupsMapping} because we explicitly use - * {@link LdapGroupsMapping} and in case of bad config we get empty groups - * (Hadoop way). 
- * - * @throws ServletException - */ - @SuppressWarnings({ "unchecked", "rawtypes" }) - @Test - public void badConfigTest() throws ServletException { - - final List<String> keysList = Arrays.asList("hadoop.security.group.mapping", - "hadoop.security.group.mapping.ldap.bind.user", - "hadoop.security.group.mapping.ldap.bind.password", - "hadoop.security.group.mapping.ldap.url", - "hadoop.security.group.mapping.ldap.search.filter.group", - "hadoop.security.group.mapping.ldap.search.attr.member", - "hadoop.security.group.mapping.ldap.search.filter.user"); - - final FilterConfig config = EasyMock.createNiceMock(FilterConfig.class); - EasyMock.expect(config.getInitParameter("principal.mapping") ).andReturn( "" ).anyTimes(); - ServletContext context = EasyMock.createNiceMock(ServletContext.class); - EasyMock.expect(config.getServletContext() ).andReturn( context ).anyTimes(); - EasyMock.expect(context.getInitParameter("principal.mapping") ).andReturn( "" ).anyTimes(); - - EasyMock.expect(config.getInitParameter("hadoop.security.group.mapping")) - .andReturn("org.apache.hadoop.security.LdapGroupsMapping").anyTimes(); - EasyMock - .expect(config - .getInitParameter("hadoop.security.group.mapping.ldap.bind.user")) - .andReturn("uid=dummy,ou=people,dc=hadoop,dc=apache,dc=org").anyTimes(); - EasyMock - .expect(config.getInitParameter( - "hadoop.security.group.mapping.ldap.bind.password")) - .andReturn("unbind-me-please").anyTimes(); - EasyMock - .expect( - config.getInitParameter("hadoop.security.group.mapping.ldap.url")) - .andReturn("ldap://nomansland:33389").anyTimes(); - EasyMock - .expect(config.getInitParameter( - "hadoop.security.group.mapping.ldap.search.filter.group")) - .andReturn("(objectclass=groupOfNames)").anyTimes(); - EasyMock - .expect(config.getInitParameter( - "hadoop.security.group.mapping.ldap.search.attr.member")) - .andReturn("member").anyTimes(); - EasyMock - .expect(config.getInitParameter( - "hadoop.security.group.mapping.ldap.search.filter.user")) - 
.andReturn( - "(&(|(objectclass=person)(objectclass=applicationProcess))(cn={0}))") - .anyTimes(); - EasyMock.expect(config.getInitParameterNames()) - .andReturn(new Vector(keysList).elements()).anyTimes(); - - EasyMock.replay( config ); - EasyMock.replay( context ); - - final HadoopGroupProviderFilter filter = new HadoopGroupProviderFilter(); - - final Subject subject = new Subject(); - subject.getPrincipals().add(new PrimaryPrincipal(username)); - - filter.init(config); - final String principal = filter.mapUserPrincipal( - ((Principal) subject.getPrincipals(PrimaryPrincipal.class).toArray()[0]) - .getName()); - final String[] groups = filter.mapGroupPrincipals(principal, subject); - - assertThat(principal, is(username)); - - /* - * Unfortunately, Hadoop does not let us know what went wrong all we get is - * empty groups - */ - assertThat(groups.length, is(0)); - - } - -} http://git-wip-us.apache.org/repos/asf/knox/blob/af9b0c3d/gateway-provider-identity-assertion-hadoop-groups/src/test/java/org/apache/hadoop/gateway/identityasserter/hadoop/groups/filter/HadoopGroupsTest.java ---------------------------------------------------------------------- diff --git a/gateway-provider-identity-assertion-hadoop-groups/src/test/java/org/apache/hadoop/gateway/identityasserter/hadoop/groups/filter/HadoopGroupsTest.java b/gateway-provider-identity-assertion-hadoop-groups/src/test/java/org/apache/hadoop/gateway/identityasserter/hadoop/groups/filter/HadoopGroupsTest.java deleted file mode 100644 index fee2438..0000000 --- a/gateway-provider-identity-assertion-hadoop-groups/src/test/java/org/apache/hadoop/gateway/identityasserter/hadoop/groups/filter/HadoopGroupsTest.java +++ /dev/null 
@@ -1,85 +0,0 @@ -/** - * Licensed to the Apache Software Foundation (ASF) under one - * or more contributor license agreements. See the NOTICE file - * distributed with this work for additional information - * regarding copyright ownership. The ASF licenses this file - * to you under the Apache License, Version 2.0 (the - * "License"); you may not use this file except in compliance - * with the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ -package org.apache.hadoop.gateway.identityasserter.hadoop.groups.filter; - -import static org.hamcrest.MatcherAssert.assertThat; - -import java.util.List; - -import org.apache.hadoop.conf.Configuration; -import org.apache.hadoop.security.Groups; -import org.junit.Before; -import org.junit.Test; - -/** - * Test Hadoop {@link Groups} class. Basically to make sure that the - * interface we depend on does not change. - * - * @since 0.11.0 - */ -public class HadoopGroupsTest { - - /** - * Use the default group mapping - */ - public static final String GROUP_MAPPING = "org.apache.hadoop.security.JniBasedUnixGroupsMappingWithFallback"; - - /** - * Username - */ - private String username; - - /** - * Configuration object needed by for hadoop classes - */ - private Configuration hadoopConfig; - - /** - * Hadoop Groups implementation. 
- */ - private Groups hadoopGroups; - - /* create instance */ - public HadoopGroupsTest() { - super(); - } - - @Before - public void init() { - username = System.getProperty("user.name"); - - hadoopConfig = new Configuration(false); - - hadoopConfig.set("hadoop.security.group.mapping", GROUP_MAPPING); - - hadoopGroups = new Groups(hadoopConfig); - - } - - /** - * Test Groups on the machine running the unit test. - */ - @Test - public void testLocalGroups() throws Exception { - - final List<String> groupList = hadoopGroups.getGroups(username); - - assertThat("No groups found for user " + username, !groupList.isEmpty()); - - } -} http://git-wip-us.apache.org/repos/asf/knox/blob/af9b0c3d/gateway-provider-identity-assertion-hadoop-groups/src/test/java/org/apache/knox/gateway/identityasserter/hadoop/groups/filter/HadoopGroupProviderDeploymentContributorTest.java ---------------------------------------------------------------------- diff --git a/gateway-provider-identity-assertion-hadoop-groups/src/test/java/org/apache/knox/gateway/identityasserter/hadoop/groups/filter/HadoopGroupProviderDeploymentContributorTest.java b/gateway-provider-identity-assertion-hadoop-groups/src/test/java/org/apache/knox/gateway/identityasserter/hadoop/groups/filter/HadoopGroupProviderDeploymentContributorTest.java new file mode 100644 index 0000000..ce86f02 --- /dev/null +++ b/gateway-provider-identity-assertion-hadoop-groups/src/test/java/org/apache/knox/gateway/identityasserter/hadoop/groups/filter/HadoopGroupProviderDeploymentContributorTest.java 
@@ -0,0 +1,54 @@ +/** + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.knox.gateway.identityasserter.hadoop.groups.filter; + +import static org.hamcrest.MatcherAssert.assertThat; +import static org.junit.Assert.fail; + +import java.util.Iterator; +import java.util.ServiceLoader; + +import org.apache.knox.gateway.deploy.ProviderDeploymentContributor; +import org.junit.Test; + +/** + * Test for {@link HadoopGroupProviderDeploymentContributor} + * @since 0.11 + */ +public class HadoopGroupProviderDeploymentContributorTest { + + @Test + public void testServiceLoader() throws Exception { + + ServiceLoader<ProviderDeploymentContributor> loader = ServiceLoader + .load(ProviderDeploymentContributor.class); + + Iterator<ProviderDeploymentContributor> iterator = loader.iterator(); + assertThat("Service iterator empty.", iterator.hasNext()); + while (iterator.hasNext()) { + Object object = iterator.next(); + if (object instanceof HadoopGroupProviderDeploymentContributor) { + return; + } + } + fail("Failed to find " + + HadoopGroupProviderDeploymentContributor.class.getName() + + " via service loader."); + } + +} 
http://git-wip-us.apache.org/repos/asf/knox/blob/af9b0c3d/gateway-provider-identity-assertion-hadoop-groups/src/test/java/org/apache/knox/gateway/identityasserter/hadoop/groups/filter/HadoopGroupProviderFilterTest.java ---------------------------------------------------------------------- diff --git a/gateway-provider-identity-assertion-hadoop-groups/src/test/java/org/apache/knox/gateway/identityasserter/hadoop/groups/filter/HadoopGroupProviderFilterTest.java b/gateway-provider-identity-assertion-hadoop-groups/src/test/java/org/apache/knox/gateway/identityasserter/hadoop/groups/filter/HadoopGroupProviderFilterTest.java new file mode 100644 index 0000000..d5f5501 --- /dev/null +++ b/gateway-provider-identity-assertion-hadoop-groups/src/test/java/org/apache/knox/gateway/identityasserter/hadoop/groups/filter/HadoopGroupProviderFilterTest.java 
@@ -0,0 +1,218 @@ +/** + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.knox.gateway.identityasserter.hadoop.groups.filter; + +import static org.hamcrest.CoreMatchers.is; +import static org.hamcrest.MatcherAssert.assertThat; + +import java.security.Principal; +import java.util.Arrays; +import java.util.List; +import java.util.Vector; + +import javax.security.auth.Subject; +import javax.servlet.FilterConfig; +import javax.servlet.ServletContext; +import javax.servlet.ServletException; + +import org.apache.knox.gateway.security.PrimaryPrincipal; +import org.apache.hadoop.security.LdapGroupsMapping; +import org.apache.hadoop.security.ShellBasedUnixGroupsMapping; +import org.easymock.EasyMock; +import org.junit.Test; + +/** + * Test for {@link HadoopGroupProviderFilter} + * + * @since 0.11.0 + */ +public class HadoopGroupProviderFilterTest { + + /** + * System username + */ + private static final String failUsername = "highly_unlikely_username_to_have"; + + /** + * System username + */ + private static final String username = System.getProperty("user.name"); + + /** + * Configuration object needed by for hadoop classes + */ + + /** + * Hadoop Groups implementation. 
+ */ + + /* create an instance */ + public HadoopGroupProviderFilterTest() { + super(); + } + + /** + * Test that valid groups are retrieved for a legitimate user. + * + * @throws ServletException + */ + @Test + public void testGroups() throws ServletException { + + final FilterConfig config = EasyMock.createNiceMock(FilterConfig.class); + EasyMock.expect(config.getInitParameter("principal.mapping") ).andReturn( "" ).anyTimes(); + ServletContext context = EasyMock.createNiceMock(ServletContext.class); + EasyMock.expect(config.getServletContext() ).andReturn( context ).anyTimes(); + EasyMock.expect(context.getInitParameter("principal.mapping") ).andReturn( "" ).anyTimes(); + EasyMock.replay( config ); + EasyMock.replay( context ); + + final HadoopGroupProviderFilter filter = new HadoopGroupProviderFilter(); + + final Subject subject = new Subject(); + subject.getPrincipals().add(new PrimaryPrincipal(username)); + + filter.init(config); + final String principal = filter.mapUserPrincipal( + ((Principal) subject.getPrincipals(PrimaryPrincipal.class).toArray()[0]) + .getName()); + final String[] groups = filter.mapGroupPrincipals(principal, subject); + + assertThat(principal, is(username)); + assertThat( + "No groups assosciated with the user, most likely this is a failure, it is only OK when 'bash -c groups' command returns 0 groups. ", + groups.length > 0); + + } + + /** + * Test that no groups are retrieved for a dummy user. 
+ * + * @throws ServletException + */ + @Test + public void testUnknownUser() throws ServletException { + + final FilterConfig config = EasyMock.createNiceMock(FilterConfig.class); + EasyMock.expect(config.getInitParameter("principal.mapping") ).andReturn( "" ).anyTimes(); + ServletContext context = EasyMock.createNiceMock(ServletContext.class); + EasyMock.expect(config.getServletContext() ).andReturn( context ).anyTimes(); + EasyMock.expect(context.getInitParameter("principal.mapping") ).andReturn( "" ).anyTimes(); + EasyMock.replay( config ); + EasyMock.replay( context ); + + final HadoopGroupProviderFilter filter = new HadoopGroupProviderFilter(); + + final Subject subject = new Subject(); + subject.getPrincipals().add(new PrimaryPrincipal(failUsername)); + + filter.init(config); + final String principal = filter.mapUserPrincipal( + ((Principal) subject.getPrincipals(PrimaryPrincipal.class).toArray()[0]) + .getName()); + final String[] groups = filter.mapGroupPrincipals(principal, subject); + + assertThat(principal, is(failUsername)); + assertThat( + "Somehow groups were found for this user, how is it possible ! check 'bash -c groups' command ", + groups.length == 0); + + } + + /** + * Test for a bad config (nonexistent). This test proves, we are not falling + * back on {@link ShellBasedUnixGroupsMapping} because we explicitly use + * {@link LdapGroupsMapping} and in case of bad config we get empty groups + * (Hadoop way). 
+ * + * @throws ServletException + */ + @SuppressWarnings({ "unchecked", "rawtypes" }) + @Test + public void badConfigTest() throws ServletException { + + final List<String> keysList = Arrays.asList("hadoop.security.group.mapping", + "hadoop.security.group.mapping.ldap.bind.user", + "hadoop.security.group.mapping.ldap.bind.password", + "hadoop.security.group.mapping.ldap.url", + "hadoop.security.group.mapping.ldap.search.filter.group", + "hadoop.security.group.mapping.ldap.search.attr.member", + "hadoop.security.group.mapping.ldap.search.filter.user"); + + final FilterConfig config = EasyMock.createNiceMock(FilterConfig.class); + EasyMock.expect(config.getInitParameter("principal.mapping") ).andReturn( "" ).anyTimes(); + ServletContext context = EasyMock.createNiceMock(ServletContext.class); + EasyMock.expect(config.getServletContext() ).andReturn( context ).anyTimes(); + EasyMock.expect(context.getInitParameter("principal.mapping") ).andReturn( "" ).anyTimes(); + + EasyMock.expect(config.getInitParameter("hadoop.security.group.mapping")) + .andReturn("org.apache.hadoop.security.LdapGroupsMapping").anyTimes(); + EasyMock + .expect(config + .getInitParameter("hadoop.security.group.mapping.ldap.bind.user")) + .andReturn("uid=dummy,ou=people,dc=hadoop,dc=apache,dc=org").anyTimes(); + EasyMock + .expect(config.getInitParameter( + "hadoop.security.group.mapping.ldap.bind.password")) + .andReturn("unbind-me-please").anyTimes(); + EasyMock + .expect( + config.getInitParameter("hadoop.security.group.mapping.ldap.url")) + .andReturn("ldap://nomansland:33389").anyTimes(); + EasyMock + .expect(config.getInitParameter( + "hadoop.security.group.mapping.ldap.search.filter.group")) + .andReturn("(objectclass=groupOfNames)").anyTimes(); + EasyMock + .expect(config.getInitParameter( + "hadoop.security.group.mapping.ldap.search.attr.member")) + .andReturn("member").anyTimes(); + EasyMock + .expect(config.getInitParameter( + "hadoop.security.group.mapping.ldap.search.filter.user")) + 
.andReturn( + "(&(|(objectclass=person)(objectclass=applicationProcess))(cn={0}))") + .anyTimes(); + EasyMock.expect(config.getInitParameterNames()) + .andReturn(new Vector(keysList).elements()).anyTimes(); + + EasyMock.replay( config ); + EasyMock.replay( context ); + + final HadoopGroupProviderFilter filter = new HadoopGroupProviderFilter(); + + final Subject subject = new Subject(); + subject.getPrincipals().add(new PrimaryPrincipal(username)); + + filter.init(config); + final String principal = filter.mapUserPrincipal( + ((Principal) subject.getPrincipals(PrimaryPrincipal.class).toArray()[0]) + .getName()); + final String[] groups = filter.mapGroupPrincipals(principal, subject); + + assertThat(principal, is(username)); + + /* + * Unfortunately, Hadoop does not let us know what went wrong all we get is + * empty groups + */ + assertThat(groups.length, is(0)); + + } + +} http://git-wip-us.apache.org/repos/asf/knox/blob/af9b0c3d/gateway-provider-identity-assertion-hadoop-groups/src/test/java/org/apache/knox/gateway/identityasserter/hadoop/groups/filter/HadoopGroupsTest.java ---------------------------------------------------------------------- diff --git a/gateway-provider-identity-assertion-hadoop-groups/src/test/java/org/apache/knox/gateway/identityasserter/hadoop/groups/filter/HadoopGroupsTest.java b/gateway-provider-identity-assertion-hadoop-groups/src/test/java/org/apache/knox/gateway/identityasserter/hadoop/groups/filter/HadoopGroupsTest.java new file mode 100644 index 0000000..fa5e48c --- /dev/null +++ b/gateway-provider-identity-assertion-hadoop-groups/src/test/java/org/apache/knox/gateway/identityasserter/hadoop/groups/filter/HadoopGroupsTest.java 
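Review bot: `badConfigTest` points `hadoop.security.group.mapping.ldap.url` at `ldap://nomansland:33389`, a bare single-label host name that a resolver with search domains or wildcard DNS can actually resolve. If the filter hands these init parameters to `LdapGroupsMapping` as the test's Javadoc implies, the build host would then attempt a cleartext LDAP bind with the DN and password from the mock config. The values are dummies, but the result of the test then depends on the network it runs on. A name under the reserved `.invalid` TLD keeps the failure deterministic: `.andReturn("ldap://nomansland.invalid:33389").anyTimes();`.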
@@ -0,0 +1,85 @@ +/** + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.knox.gateway.identityasserter.hadoop.groups.filter; + +import static org.hamcrest.MatcherAssert.assertThat; + +import java.util.List; + +import org.apache.hadoop.conf.Configuration; +import org.apache.hadoop.security.Groups; +import org.junit.Before; +import org.junit.Test; + +/** + * Test Hadoop {@link Groups} class. Basically to make sure that the + * interface we depend on does not change. + * + * @since 0.11.0 + */ +public class HadoopGroupsTest { + + /** + * Use the default group mapping + */ + public static final String GROUP_MAPPING = "org.apache.hadoop.security.JniBasedUnixGroupsMappingWithFallback"; + + /** + * Username + */ + private String username; + + /** + * Configuration object needed by for hadoop classes + */ + private Configuration hadoopConfig; + + /** + * Hadoop Groups implementation. 
+ */ + private Groups hadoopGroups; + + /* create instance */ + public HadoopGroupsTest() { + super(); + } + + @Before + public void init() { + username = System.getProperty("user.name"); + + hadoopConfig = new Configuration(false); + + hadoopConfig.set("hadoop.security.group.mapping", GROUP_MAPPING); + + hadoopGroups = new Groups(hadoopConfig); + + } + + /** + * Test Groups on the machine running the unit test. + */ + @Test + public void testLocalGroups() throws Exception { + + final List<String> groupList = hadoopGroups.getGroups(username); + + assertThat("No groups found for user " + username, !groupList.isEmpty()); + + } +} http://git-wip-us.apache.org/repos/asf/knox/blob/af9b0c3d/gateway-provider-identity-assertion-pseudo/src/main/java/org/apache/hadoop/gateway/IdentityAsserterMessages.java ---------------------------------------------------------------------- diff --git a/gateway-provider-identity-assertion-pseudo/src/main/java/org/apache/hadoop/gateway/IdentityAsserterMessages.java b/gateway-provider-identity-assertion-pseudo/src/main/java/org/apache/hadoop/gateway/IdentityAsserterMessages.java deleted file mode 100644 index c4ada6b..0000000 --- a/gateway-provider-identity-assertion-pseudo/src/main/java/org/apache/hadoop/gateway/IdentityAsserterMessages.java +++ /dev/null 
@@ -1,31 +0,0 @@ -/** - * Licensed to the Apache Software Foundation (ASF) under one - * or more contributor license agreements. See the NOTICE file - * distributed with this work for additional information - * regarding copyright ownership. The ASF licenses this file - * to you under the Apache License, Version 2.0 (the - * "License"); you may not use this file except in compliance - * with the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ -package org.apache.hadoop.gateway; - -import org.apache.hadoop.gateway.i18n.messages.Message; -import org.apache.hadoop.gateway.i18n.messages.MessageLevel; -import org.apache.hadoop.gateway.i18n.messages.Messages; -import org.apache.hadoop.gateway.i18n.messages.StackTrace; - -@Messages(logger="org.apache.hadoop.gateway") -public interface IdentityAsserterMessages { - - @Message( level = MessageLevel.WARN, text = "Skipping unencodable parameter {0}={1}, {2}: {3}" ) - void skippingUnencodableParameter( String name, String value, String encoding, @StackTrace( level = MessageLevel.DEBUG ) Exception e ); - -} http://git-wip-us.apache.org/repos/asf/knox/blob/af9b0c3d/gateway-provider-identity-assertion-pseudo/src/main/java/org/apache/hadoop/gateway/identityasserter/filter/DefaultIdentityAsserterDeploymentContributor.java ---------------------------------------------------------------------- 
diff --git a/gateway-provider-identity-assertion-pseudo/src/main/java/org/apache/hadoop/gateway/identityasserter/filter/DefaultIdentityAsserterDeploymentContributor.java b/gateway-provider-identity-assertion-pseudo/src/main/java/org/apache/hadoop/gateway/identityasserter/filter/DefaultIdentityAsserterDeploymentContributor.java
deleted file mode 100644
index bd4343e..0000000
--- a/gateway-provider-identity-assertion-pseudo/src/main/java/org/apache/hadoop/gateway/identityasserter/filter/DefaultIdentityAsserterDeploymentContributor.java
+++ /dev/null
@@ -1,32 +0,0 @@ -/** - * Licensed to the Apache Software Foundation (ASF) under one - * or more contributor license agreements. See the NOTICE file - * distributed with this work for additional information - * regarding copyright ownership. The ASF licenses this file - * to you under the Apache License, Version 2.0 (the - * "License"); you may not use this file except in compliance - * with the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ -package org.apache.hadoop.gateway.identityasserter.filter; - -/** - * This class renames the Pseudo identity asserter to Default - * while still providing backward compatibility. - */ -public class DefaultIdentityAsserterDeploymentContributor extends - IdentityAsserterDeploymentContributor { - - @Override - public String getName() { - return "Default"; - } - -} http://git-wip-us.apache.org/repos/asf/knox/blob/af9b0c3d/gateway-provider-identity-assertion-pseudo/src/main/java/org/apache/hadoop/gateway/identityasserter/filter/IdentityAsserterDeploymentContributor.java ---------------------------------------------------------------------- diff --git a/gateway-provider-identity-assertion-pseudo/src/main/java/org/apache/hadoop/gateway/identityasserter/filter/IdentityAsserterDeploymentContributor.java b/gateway-provider-identity-assertion-pseudo/src/main/java/org/apache/hadoop/gateway/identityasserter/filter/IdentityAsserterDeploymentContributor.java deleted file mode 100644 index b261138..0000000 
--- a/gateway-provider-identity-assertion-pseudo/src/main/java/org/apache/hadoop/gateway/identityasserter/filter/IdentityAsserterDeploymentContributor.java
+++ /dev/null
@@ -1,58 +0,0 @@ -/** - * Licensed to the Apache Software Foundation (ASF) under one - * or more contributor license agreements. See the NOTICE file - * distributed with this work for additional information - * regarding copyright ownership. The ASF licenses this file - * to you under the Apache License, Version 2.0 (the - * "License"); you may not use this file except in compliance - * with the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ -package org.apache.hadoop.gateway.identityasserter.filter; - -import org.apache.hadoop.gateway.deploy.DeploymentContext; -import org.apache.hadoop.gateway.deploy.ProviderDeploymentContributorBase; -import org.apache.hadoop.gateway.descriptor.FilterParamDescriptor; -import org.apache.hadoop.gateway.descriptor.ResourceDescriptor; -import org.apache.hadoop.gateway.identityasserter.common.filter.AbstractIdentityAsserterDeploymentContributor; -import org.apache.hadoop.gateway.topology.Provider; -import org.apache.hadoop.gateway.topology.Service; - -import java.util.List; - -public class IdentityAsserterDeploymentContributor extends AbstractIdentityAsserterDeploymentContributor { - - private static final String FILTER_CLASSNAME = IdentityAsserterFilter.class.getName(); - private static final String PRINCIPAL_MAPPING_PARAM_NAME = "principal.mapping"; - private static final String GROUP_PRINCIPAL_MAPPING_PARAM_NAME = "group.principal.mapping"; - - @Override - public String getName() { - return "Pseudo"; - } - - @Override - public void contributeProvider( DeploymentContext context, Provider provider ) { - super.contributeProvider(context, provider); - 
String mappings = provider.getParams().get(PRINCIPAL_MAPPING_PARAM_NAME); - String groupMappings = provider.getParams().get(GROUP_PRINCIPAL_MAPPING_PARAM_NAME); - - context.getWebAppDescriptor().createContextParam().paramName(PRINCIPAL_MAPPING_PARAM_NAME).paramValue(mappings); - context.getWebAppDescriptor().createContextParam().paramName(GROUP_PRINCIPAL_MAPPING_PARAM_NAME).paramValue(groupMappings); - } - - /* (non-Javadoc) - * @see org.apache.hadoop.gateway.identityasserter.common.filter.AbstractIdentityAsserterDeploymentContributor#getFilterClassname() - */ - @Override - protected String getFilterClassname() { - return FILTER_CLASSNAME; - } -} http://git-wip-us.apache.org/repos/asf/knox/blob/af9b0c3d/gateway-provider-identity-assertion-pseudo/src/main/java/org/apache/hadoop/gateway/identityasserter/filter/IdentityAsserterFilter.java ---------------------------------------------------------------------- diff --git a/gateway-provider-identity-assertion-pseudo/src/main/java/org/apache/hadoop/gateway/identityasserter/filter/IdentityAsserterFilter.java b/gateway-provider-identity-assertion-pseudo/src/main/java/org/apache/hadoop/gateway/identityasserter/filter/IdentityAsserterFilter.java deleted file mode 100644 index 8f82481..0000000 --- a/gateway-provider-identity-assertion-pseudo/src/main/java/org/apache/hadoop/gateway/identityasserter/filter/IdentityAsserterFilter.java +++ /dev/null 
@@ -1,42 +0,0 @@ -/** - * Licensed to the Apache Software Foundation (ASF) under one - * or more contributor license agreements. See the NOTICE file - * distributed with this work for additional information - * regarding copyright ownership. The ASF licenses this file - * to you under the Apache License, Version 2.0 (the - * "License"); you may not use this file except in compliance - * with the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ -package org.apache.hadoop.gateway.identityasserter.filter; - - -import javax.security.auth.Subject; -import javax.servlet.FilterConfig; -import javax.servlet.ServletException; -import org.apache.hadoop.gateway.identityasserter.common.filter.CommonIdentityAssertionFilter; - -public class IdentityAsserterFilter extends CommonIdentityAssertionFilter { - - @Override - public void init(FilterConfig filterConfig) throws ServletException { - super.init(filterConfig); - } - - @Override - public String[] mapGroupPrincipals(String mappedPrincipalName, Subject subject) { - return mapGroupPrincipalsBase(mappedPrincipalName, subject); - } - - @Override - public String mapUserPrincipal(String principalName) { - return mapUserPrincipalBase(principalName); - } -} http://git-wip-us.apache.org/repos/asf/knox/blob/af9b0c3d/gateway-provider-identity-assertion-pseudo/src/main/java/org/apache/knox/gateway/IdentityAsserterMessages.java ---------------------------------------------------------------------- 
diff --git a/gateway-provider-identity-assertion-pseudo/src/main/java/org/apache/knox/gateway/IdentityAsserterMessages.java b/gateway-provider-identity-assertion-pseudo/src/main/java/org/apache/knox/gateway/IdentityAsserterMessages.java
new file mode 100644
index 0000000..e614c25
--- /dev/null
+++ b/gateway-provider-identity-assertion-pseudo/src/main/java/org/apache/knox/gateway/IdentityAsserterMessages.java
@@ -0,0 +1,31 @@ +/** + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.knox.gateway; + +import org.apache.knox.gateway.i18n.messages.Message; +import org.apache.knox.gateway.i18n.messages.MessageLevel; +import org.apache.knox.gateway.i18n.messages.Messages; +import org.apache.knox.gateway.i18n.messages.StackTrace; + +@Messages(logger="org.apache.hadoop.gateway") +public interface IdentityAsserterMessages { + + @Message( level = MessageLevel.WARN, text = "Skipping unencodable parameter {0}={1}, {2}: {3}" ) + void skippingUnencodableParameter( String name, String value, String encoding, @StackTrace( level = MessageLevel.DEBUG ) Exception e ); + +} http://git-wip-us.apache.org/repos/asf/knox/blob/af9b0c3d/gateway-provider-identity-assertion-pseudo/src/main/java/org/apache/knox/gateway/identityasserter/filter/DefaultIdentityAsserterDeploymentContributor.java ---------------------------------------------------------------------- 
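Review bot: `skippingUnencodableParameter` puts the parameter value into a WARN message (`text = "Skipping unencodable parameter {0}={1}, {2}: {3}"`), so whatever value failed to encode is written to the gateway log verbatim. The caller is not in this hunk, but if these are request parameters the value can carry tokens or other secrets, and a value that cannot be encoded is also a likely carrier of control characters that break log lines. Consider logging the name only, e.g. `text = "Skipping unencodable parameter {0}, {2}: {3}"`, or sanitising the value before it is passed in. Separately, `@Messages(logger="org.apache.hadoop.gateway")` keeps the old package name while the interface moves to `org.apache.knox.gateway`; if that is deliberate for existing log configurations, a one-line comment saying so would help.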
diff --git a/gateway-provider-identity-assertion-pseudo/src/main/java/org/apache/knox/gateway/identityasserter/filter/DefaultIdentityAsserterDeploymentContributor.java b/gateway-provider-identity-assertion-pseudo/src/main/java/org/apache/knox/gateway/identityasserter/filter/DefaultIdentityAsserterDeploymentContributor.java
new file mode 100644
index 0000000..44299a4
--- /dev/null
+++ b/gateway-provider-identity-assertion-pseudo/src/main/java/org/apache/knox/gateway/identityasserter/filter/DefaultIdentityAsserterDeploymentContributor.java
@@ -0,0 +1,32 @@ +/** + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.knox.gateway.identityasserter.filter; + +/** + * This class renames the Pseudo identity asserter to Default + * while still providing backward compatibility. + */ +public class DefaultIdentityAsserterDeploymentContributor extends + IdentityAsserterDeploymentContributor { + + @Override + public String getName() { + return "Default"; + } + +} http://git-wip-us.apache.org/repos/asf/knox/blob/af9b0c3d/gateway-provider-identity-assertion-pseudo/src/main/java/org/apache/knox/gateway/identityasserter/filter/IdentityAsserterDeploymentContributor.java ---------------------------------------------------------------------- diff --git a/gateway-provider-identity-assertion-pseudo/src/main/java/org/apache/knox/gateway/identityasserter/filter/IdentityAsserterDeploymentContributor.java b/gateway-provider-identity-assertion-pseudo/src/main/java/org/apache/knox/gateway/identityasserter/filter/IdentityAsserterDeploymentContributor.java new file mode 100644 index 0000000..49993b4 --- /dev/null +++ b/gateway-provider-identity-assertion-pseudo/src/main/java/org/apache/knox/gateway/identityasserter/filter/IdentityAsserterDeploymentContributor.java 
@@ -0,0 +1,52 @@ +/** + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.knox.gateway.identityasserter.filter; + +import org.apache.knox.gateway.deploy.DeploymentContext; +import org.apache.knox.gateway.identityasserter.common.filter.AbstractIdentityAsserterDeploymentContributor; +import org.apache.knox.gateway.topology.Provider; + +public class IdentityAsserterDeploymentContributor extends AbstractIdentityAsserterDeploymentContributor { + + private static final String FILTER_CLASSNAME = IdentityAsserterFilter.class.getName(); + private static final String PRINCIPAL_MAPPING_PARAM_NAME = "principal.mapping"; + private static final String GROUP_PRINCIPAL_MAPPING_PARAM_NAME = "group.principal.mapping"; + + @Override + public String getName() { + return "Pseudo"; + } + + @Override + public void contributeProvider( DeploymentContext context, Provider provider ) { + super.contributeProvider(context, provider); + String mappings = provider.getParams().get(PRINCIPAL_MAPPING_PARAM_NAME); + String groupMappings = provider.getParams().get(GROUP_PRINCIPAL_MAPPING_PARAM_NAME); + + context.getWebAppDescriptor().createContextParam().paramName(PRINCIPAL_MAPPING_PARAM_NAME).paramValue(mappings); + 
context.getWebAppDescriptor().createContextParam().paramName(GROUP_PRINCIPAL_MAPPING_PARAM_NAME).paramValue(groupMappings); + } + + /* (non-Javadoc) + * @see AbstractIdentityAsserterDeploymentContributor#getFilterClassname() + */ + @Override + protected String getFilterClassname() { + return FILTER_CLASSNAME; + } +} http://git-wip-us.apache.org/repos/asf/knox/blob/af9b0c3d/gateway-provider-identity-assertion-pseudo/src/main/java/org/apache/knox/gateway/identityasserter/filter/IdentityAsserterFilter.java ---------------------------------------------------------------------- diff --git a/gateway-provider-identity-assertion-pseudo/src/main/java/org/apache/knox/gateway/identityasserter/filter/IdentityAsserterFilter.java b/gateway-provider-identity-assertion-pseudo/src/main/java/org/apache/knox/gateway/identityasserter/filter/IdentityAsserterFilter.java new file mode 100644 index 0000000..18cec8f --- /dev/null +++ b/gateway-provider-identity-assertion-pseudo/src/main/java/org/apache/knox/gateway/identityasserter/filter/IdentityAsserterFilter.java 
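Review bot: In `contributeProvider`, the results of `provider.getParams().get(PRINCIPAL_MAPPING_PARAM_NAME)` and of the group lookup are passed straight to `paramValue(...)` with no null check, so a topology that omits either param presumably still produces a context-param, with a null value. How the web-app descriptor serialises a null value is not visible in this hunk, so this may be harmless. Guarding each call would emit only the mappings that were actually configured, e.g. `if (mappings != null) { context.getWebAppDescriptor().createContextParam().paramName(PRINCIPAL_MAPPING_PARAM_NAME).paramValue(mappings); }`, and likewise for `groupMappings`.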
@@ -0,0 +1,42 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.knox.gateway.identityasserter.filter;
+
+
+import javax.security.auth.Subject;
+import javax.servlet.FilterConfig;
+import javax.servlet.ServletException;
+import org.apache.knox.gateway.identityasserter.common.filter.CommonIdentityAssertionFilter;
+
+public class IdentityAsserterFilter extends CommonIdentityAssertionFilter {
+
+ @Override
+ public void init(FilterConfig filterConfig) throws ServletException {
+ super.init(filterConfig);
+ }
+
+ @Override
+ public String[] mapGroupPrincipals(String mappedPrincipalName, Subject subject) {
+ return mapGroupPrincipalsBase(mappedPrincipalName, subject);
+ }
+
+ @Override
+ public String mapUserPrincipal(String principalName) {
+ return mapUserPrincipalBase(principalName);
+ }
+}
http://git-wip-us.apache.org/repos/asf/knox/blob/af9b0c3d/gateway-provider-identity-assertion-pseudo/src/main/resources/META-INF/services/org.apache.hadoop.gateway.deploy.ProviderDeploymentContributor
----------------------------------------------------------------------
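Review bot: IdentityAsserterFilter.mapGroupPrincipals has no Javadoc stating what a null return means, while the test removed at the old path later in this commit asserts `assertNull(groups); // means for the caller to use the existing subject groups`. That contract matters for authorization, because a caller that reads null as "no groups" would lose the subject's existing group memberships. I would add `/** Returns the mapped groups for the principal, or null when no group mapping applies and the caller should keep the subject's existing groups. */` above the method, after confirming it against mapGroupPrincipalsBase, which is outside this hunk. The `init` override only calls `super.init(filterConfig)` and could be dropped.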
diff --git a/gateway-provider-identity-assertion-pseudo/src/main/resources/META-INF/services/org.apache.hadoop.gateway.deploy.ProviderDeploymentContributor b/gateway-provider-identity-assertion-pseudo/src/main/resources/META-INF/services/org.apache.hadoop.gateway.deploy.ProviderDeploymentContributor
deleted file mode 100644
index d5b3601..0000000
--- a/gateway-provider-identity-assertion-pseudo/src/main/resources/META-INF/services/org.apache.hadoop.gateway.deploy.ProviderDeploymentContributor
+++ /dev/null
@@ -1,20 +0,0 @@
-##########################################################################
-# Licensed to the Apache Software Foundation (ASF) under one
-# or more contributor license agreements. See the NOTICE file
-# distributed with this work for additional information
-# regarding copyright ownership. The ASF licenses this file
-# to you under the Apache License, Version 2.0 (the
-# "License"); you may not use this file except in compliance
-# with the License. You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-##########################################################################
-
-org.apache.hadoop.gateway.identityasserter.filter.IdentityAsserterDeploymentContributor
-org.apache.hadoop.gateway.identityasserter.filter.DefaultIdentityAsserterDeploymentContributor
\ No newline at end of file
http://git-wip-us.apache.org/repos/asf/knox/blob/af9b0c3d/gateway-provider-identity-assertion-pseudo/src/main/resources/META-INF/services/org.apache.knox.gateway.deploy.ProviderDeploymentContributor
----------------------------------------------------------------------
diff --git a/gateway-provider-identity-assertion-pseudo/src/main/resources/META-INF/services/org.apache.knox.gateway.deploy.ProviderDeploymentContributor b/gateway-provider-identity-assertion-pseudo/src/main/resources/META-INF/services/org.apache.knox.gateway.deploy.ProviderDeploymentContributor
new file mode 100644
index 0000000..e825a77
--- /dev/null
+++ b/gateway-provider-identity-assertion-pseudo/src/main/resources/META-INF/services/org.apache.knox.gateway.deploy.ProviderDeploymentContributor
@@ -0,0 +1,20 @@
+##########################################################################
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+##########################################################################
+
+org.apache.knox.gateway.identityasserter.filter.IdentityAsserterDeploymentContributor
+org.apache.knox.gateway.identityasserter.filter.DefaultIdentityAsserterDeploymentContributor
\ No newline at end of file
http://git-wip-us.apache.org/repos/asf/knox/blob/af9b0c3d/gateway-provider-identity-assertion-pseudo/src/test/java/org/apache/hadoop/gateway/identityasserter/filter/DefaultIdentityAssertionFilterTest.java
----------------------------------------------------------------------
diff --git a/gateway-provider-identity-assertion-pseudo/src/test/java/org/apache/hadoop/gateway/identityasserter/filter/DefaultIdentityAssertionFilterTest.java b/gateway-provider-identity-assertion-pseudo/src/test/java/org/apache/hadoop/gateway/identityasserter/filter/DefaultIdentityAssertionFilterTest.java
deleted file mode 100644
index 9795a99..0000000
--- a/gateway-provider-identity-assertion-pseudo/src/test/java/org/apache/hadoop/gateway/identityasserter/filter/DefaultIdentityAssertionFilterTest.java
+++ /dev/null
@@ -1,173 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.hadoop.gateway.identityasserter.filter;
-
-import static org.junit.Assert.assertEquals;
-import static org.junit.Assert.assertFalse;
-import static org.junit.Assert.assertNull;
-import static org.junit.Assert.assertTrue;
-
-import java.security.Principal;
-
-import javax.security.auth.Subject;
-import javax.servlet.FilterConfig;
-import javax.servlet.ServletContext;
-
-import org.apache.hadoop.gateway.security.GroupPrincipal;
-import org.apache.hadoop.gateway.security.PrimaryPrincipal;
-import org.easymock.EasyMock;
-import org.junit.Test;
-
-/**
- *
- */
-public class DefaultIdentityAssertionFilterTest {
-
- @Test
- public void testInitParameters() throws Exception {
- FilterConfig config = EasyMock.createNiceMock( FilterConfig.class );
- EasyMock.expect(config.getInitParameter("principal.mapping") ).andReturn( "" ).anyTimes();
- ServletContext context = EasyMock.createNiceMock(ServletContext.class);
- EasyMock.expect(config.getServletContext() ).andReturn( context ).anyTimes();
- EasyMock.expect(context.getInitParameter("principal.mapping") ).andReturn( "" ).anyTimes();
- EasyMock.replay( config );
- EasyMock.replay( context );
-
- IdentityAsserterFilter filter = new IdentityAsserterFilter();
- Subject subject = new Subject();
-
- subject.getPrincipals().add(new PrimaryPrincipal("lmccay"));
- subject.getPrincipals().add(new GroupPrincipal("users"));
- subject.getPrincipals().add(new GroupPrincipal("admin"));
-
- filter.init(config);
- String username = filter.mapUserPrincipal(((Principal) subject.getPrincipals(PrimaryPrincipal.class).toArray()[0]).getName());
- String[] groups = filter.mapGroupPrincipals(username, subject);
- assertEquals("lmccay", username);
- assertNull(groups); // means for the caller to use the existing subject groups
-
- config = EasyMock.createNiceMock( FilterConfig.class );
- EasyMock.expect(config.getInitParameter("principal.mapping") ).andReturn( "lmccay,kminder=hdfs;newuser=mapred" ).anyTimes();
- EasyMock.expect(config.getInitParameter("group.principal.mapping") ).andReturn( "kminder=group1;lmccay=mrgroup,mrducks" ).anyTimes();
- context = EasyMock.createNiceMock(ServletContext.class);
- EasyMock.expect(config.getServletContext() ).andReturn( context ).anyTimes();
- EasyMock.replay( config );
- filter.init(config);
- username = filter.mapUserPrincipal(((Principal) subject.getPrincipals(PrimaryPrincipal.class).toArray()[0]).getName());
- String[] mappedGroups = filter.mapGroupPrincipals(((Principal) subject.getPrincipals(PrimaryPrincipal.class).toArray()[0]).getName(), subject);
- assertEquals("hdfs", username);
- assertTrue("mrgroup not found in groups: " + mappedGroups, groupFoundIn("mrgroup", mappedGroups));
- assertTrue("mrducks not found in groups: " + mappedGroups, groupFoundIn("mrducks", mappedGroups));
- assertFalse("group1 WAS found in groups: " + mappedGroups, groupFoundIn("group1", mappedGroups));
-
- subject = new Subject();
-
- subject.getPrincipals().add(new PrimaryPrincipal("kminder"));
- subject.getPrincipals().add(new GroupPrincipal("users"));
- subject.getPrincipals().add(new GroupPrincipal("admin"));
-
- config = EasyMock.createNiceMock( FilterConfig.class );
- EasyMock.expect(config.getInitParameter("principal.mapping") ).andReturn( "lmccay,kminder=hdfs;newuser=mapred" ).anyTimes();
- EasyMock.expect(config.getInitParameter("group.principal.mapping") ).andReturn( "kminder=group1;lmccay=mrgroup,mrducks" ).anyTimes();
- context = EasyMock.createNiceMock(ServletContext.class);
- EasyMock.expect(config.getServletContext() ).andReturn( context ).anyTimes();
- EasyMock.replay( config );
- filter.init(config);
- username = filter.mapUserPrincipal(((Principal) subject.getPrincipals(PrimaryPrincipal.class).toArray()[0]).getName());
- mappedGroups = filter.mapGroupPrincipals(((Principal) subject.getPrincipals(PrimaryPrincipal.class).toArray()[0]).getName(), subject);
- assertEquals("hdfs", username);
- assertTrue("group1 not found in groups: " + mappedGroups, groupFoundIn("group1", mappedGroups));
- }
-
- /**
- * @param string
- * @return
- */
- private boolean groupFoundIn(String expected, String[] mappedGroups) {
- if (mappedGroups == null) return false;
- for(int i = 0; i < mappedGroups.length; i++) {
- if (mappedGroups[i].equals(expected)) {
- return true;
- }
- }
- return false;
- }
-
- @Test
- public void testContextParameters() throws Exception {
- // for backward compatibility of old deployment contributor's method
- // of adding init params to the servlet context instead of to the filter.
- // There is the possibility that previously deployed topologies will have
- // init params in web.xml at the context level instead of the filter level.
- FilterConfig config = EasyMock.createNiceMock( FilterConfig.class );
- EasyMock.expect(config.getInitParameter("principal.mapping") ).andReturn( "" ).anyTimes();
- ServletContext context = EasyMock.createNiceMock(ServletContext.class);
- EasyMock.expect(config.getServletContext() ).andReturn( context ).anyTimes();
- EasyMock.replay( config );
- EasyMock.replay( context );
-
- IdentityAsserterFilter filter = new IdentityAsserterFilter();
- Subject subject = new Subject();
-
- subject.getPrincipals().add(new PrimaryPrincipal("lmccay"));
- subject.getPrincipals().add(new GroupPrincipal("users"));
- subject.getPrincipals().add(new GroupPrincipal("admin"));
-
- filter.init(config);
- String username = filter.mapUserPrincipal(((Principal) subject.getPrincipals(PrimaryPrincipal.class).toArray()[0]).getName());
- String[] groups = filter.mapGroupPrincipals(((Principal) subject.getPrincipals(PrimaryPrincipal.class).toArray()[0]).getName(), subject);
-// String[] groups = filter.mapGroupPrincipals(username, subject);
- assertEquals("lmccay", username);
- assertNull(groups); // means for the caller to use the existing subject groups
-
- config = EasyMock.createNiceMock( FilterConfig.class );
- EasyMock.expect(config.getInitParameter("principal.mapping") ).andReturn( "" ).anyTimes();
- context = EasyMock.createNiceMock(ServletContext.class);
- EasyMock.expect(config.getServletContext() ).andReturn( context ).anyTimes();
- EasyMock.expect(context.getInitParameter("principal.mapping") ).andReturn( "lmccay,kminder=hdfs;newuser=mapred" ).anyTimes();
- EasyMock.expect(context.getInitParameter("group.principal.mapping") ).andReturn( "kminder=group1;lmccay=mrgroup,mrducks" ).anyTimes();
- EasyMock.replay( config );
- EasyMock.replay( context );
- filter.init(config);
- username = filter.mapUserPrincipal(((Principal) subject.getPrincipals(PrimaryPrincipal.class).toArray()[0]).getName());
- groups = filter.mapGroupPrincipals(((Principal) subject.getPrincipals(PrimaryPrincipal.class).toArray()[0]).getName(), subject);
- assertEquals("hdfs", username);
- assertTrue("mrgroup not found in groups: " + groups, groupFoundIn("mrgroup", groups));
- assertTrue("mrducks not found in groups: " + groups, groupFoundIn("mrducks", groups));
- assertFalse("group1 WAS found in groups: " + groups, groupFoundIn("group1", groups));
-
- subject = new Subject();
-
- subject.getPrincipals().add(new PrimaryPrincipal("kminder"));
- subject.getPrincipals().add(new GroupPrincipal("users"));
- subject.getPrincipals().add(new GroupPrincipal("admin"));
-
- config = EasyMock.createNiceMock( FilterConfig.class );
- EasyMock.expect(config.getInitParameter("principal.mapping") ).andReturn( "" ).anyTimes();
- context = EasyMock.createNiceMock(ServletContext.class);
- EasyMock.expect(config.getServletContext() ).andReturn( context ).anyTimes();
- EasyMock.expect(context.getInitParameter("principal.mapping") ).andReturn( "lmccay,kminder=hdfs;newuser=mapred" ).anyTimes();
- EasyMock.expect(context.getInitParameter("group.principal.mapping") ).andReturn( "kminder=group1;lmccay=mrgroup,mrducks" ).anyTimes();
- EasyMock.replay( config );
- EasyMock.replay( context );
- filter.init(config);
- username = filter.mapUserPrincipal(((Principal) subject.getPrincipals(PrimaryPrincipal.class).toArray()[0]).getName());
- assertEquals("hdfs", username);
- }
-
-}