def test_user_can_write_and_read(kerberos):
try:
client_app_def = config.get_kerberized_hdfs_client_app()
client_app_def["secrets"]["hdfs_keytab"][
"source"] = kerberos.get_keytab_path()
client_app_def["env"]["REALM"] = kerberos.get_realm()
client_app_def["env"]["KDC_ADDRESS"] = kerberos.get_kdc_address()
sdk_marathon.install_app(client_app_def)
client_task_id = client_app_def["id"]
sdk_auth.kinit(client_task_id,
keytab=config.KEYTAB,
principal=config.GENERIC_HDFS_USER_PRINCIPAL)
write_cmd = "/bin/bash -c '{}'".format(
config.hdfs_write_command(config.TEST_FILE_1_NAME,
config.TEST_CONTENT_SMALL))
sdk_tasks.task_exec(client_task_id, write_cmd)
read_cmd = "/bin/bash -c '{}'".format(
config.hdfs_read_command(config.TEST_FILE_1_NAME))
_, stdout, _ = sdk_tasks.task_exec(client_task_id, read_cmd)
assert stdout == config.TEST_CONTENT_SMALL
finally:
sdk_marathon.destroy_app(client_task_id)
def verify_shared_executor(pod_name, expected_files=['essential', 'nonessential'], delete_files=True):
'''verify that both tasks share the same executor:
- matching ExecutorInfo
- both 'essential' and 'nonessential' present in shared-volume/ across both tasks
'''
tasks = sdk_cmd.svc_cli(config.PACKAGE_NAME, config.SERVICE_NAME, 'pod info {}'.format(pod_name), json=True)
assert len(tasks) == 2
# check that the task executors all match
executor = tasks[0]['info']['executor']
for task in tasks[1:]:
assert executor == task['info']['executor']
# for each task, check shared volume content matches what's expected
task_names = [task['info']['name'] for task in tasks]
for task_name in task_names:
# 1.9 just uses the host filesystem in 'task exec', so use 'task ls' across the board instead
filenames = sdk_cmd.run_cli('task ls {} shared-volume/'.format(task_name)).strip().split()
assert set(expected_files) == set(filenames)
# delete files from volume in preparation for a following task relaunch
if delete_files:
if sdk_utils.dcos_version_less_than("1.10"):
# 1.9 just uses the host filesystem in 'task exec', so figure out the absolute volume path manually
expected_file_path = sdk_tasks.task_exec(
task_names[0],
'find /var/lib/mesos/slave/volumes -iname ' + filenames[0])[1].strip()
# volume dir is parent of the expected file path.
volume_dir = os.path.dirname(expected_file_path)
else:
# 1.10+ works correctly: path is relative to sandbox
volume_dir = 'shared-volume/'
sdk_tasks.task_exec(task_names[0], 'rm ' + ' '.join([os.path.join(volume_dir, name) for name in filenames]))
def create_keystore_truststore(cn: str, task: str):
pub_path = "{}_pub.crt".format(cn)
priv_path = "{}_priv.key".format(cn)
keystore_path = "{}_keystore.jks".format(cn)
truststore_path = "{}_truststore.jks".format(cn)
log.info("Generating keystore and truststore, task:{}".format(task))
output = sdk_tasks.task_exec(
task, "curl -k -v leader.mesos/ca/dcos-ca.crt -o dcos-ca.crt")
# Convert to a PKCS12 key
output = sdk_tasks.task_exec(
task, 'bash -c "export RANDFILE=/mnt/mesos/sandbox/.rnd && \
openssl pkcs12 -export -in {} -inkey {} \
-out keypair.p12 -name keypair -passout pass:export \
-CAfile dcos-ca.crt -caname root"'.format(pub_path, priv_path))
log.info(output)
assert output[0] is 0
log.info("Generating certificate: importing into keystore and truststore")
# Import into the keystore and truststore
output = sdk_tasks.task_exec(
task, "keytool -importkeystore \
-deststorepass changeit -destkeypass changeit -destkeystore {} \
-srckeystore keypair.p12 -srcstoretype PKCS12 -srcstorepass export \
-alias keypair".format(keystore_path))
log.info(output)
assert output[0] is 0
output = sdk_tasks.task_exec(
task, "keytool -import -trustcacerts -noprompt \
-file dcos-ca.crt -storepass changeit \
-keystore {}".format(truststore_path))
log.info(output)
assert output[0] is 0
def setup_history_server(hdfs_with_kerberos, setup_hdfs_client,
configure_universe):
try:
sdk_tasks.task_exec(HDFS_CLIENT_ID, "bin/hdfs dfs -mkdir /history")
shakedown.install_package(
package_name=utils.HISTORY_PACKAGE_NAME,
options_json={
"service": {
"hdfs-config-url":
"http://api.{}.marathon.l4lb.thisdcos.directory/v1/endpoints"
.format(HDFS_SERVICE_NAME)
},
"security": {
"kerberos": {
"krb5conf": utils.HDFS_KRB5_CONF,
"principal": GENERIC_HDFS_USER_PRINCIPAL,
"keytab": KEYTAB_SECRET_PATH
}
}
},
wait_for_completion=True # wait for it to become healthy
)
yield
finally:
sdk_marathon.destroy_app(utils.HISTORY_SERVICE_NAME)
def kinit(task_id: str, keytab: str, principal: str):
"""
Performs a kinit command to authenticate the specified principal.
:param task_id: The task in whose environment the kinit will run.
:param keytab: The keytab used by kinit to authenticate.
:param principal: The name of the principal the user wants to authenticate as.
"""
kinit_cmd = "kinit -kt {keytab} {principal}".format(keytab=keytab,
principal=principal)
sdk_tasks.task_exec(task_id, kinit_cmd)
def write_client_properties(cn: str, task: str) -> str:
sdk_tasks.task_exec(
task, """bash -c \"cat >{cn}-client.properties << EOL
security.protocol = SSL
ssl.truststore.location = {cn}_truststore.jks
ssl.truststore.password = changeit
ssl.keystore.location = {cn}_keystore.jks
ssl.keystore.password = changeit
EOL\"""".format(cn=cn))
return "{}-client.properties".format(cn)
def test_changing_discovery_replaces_certificate_sans(hello_world_service):
"""
Update service configuration to change discovery prefix of a task.
Scheduler should update task and new SANs should be generated.
"""
original_tasks = sdk_tasks.get_task_ids(config.PACKAGE_NAME, 'discovery')
assert len(original_tasks) == 1, 'Expecting exactly one task ID'
task_id = original_tasks[0]
assert task_id
# Load end-entity certificate from PEM encoded file
_, stdout, _ = sdk_tasks.task_exec(task_id, 'cat server.crt')
end_entity_cert = x509.load_pem_x509_certificate(stdout.encode('ascii'),
DEFAULT_BACKEND)
san_extension = end_entity_cert.extensions.get_extension_for_oid(
ExtensionOID.SUBJECT_ALTERNATIVE_NAME)
sans = [
san.value for san in san_extension.value._general_names._general_names
]
expected_san = (
'{name}-0.{service_name}.autoip.dcos.thisdcos.directory'.format(
name=DISCOVERY_TASK_PREFIX, service_name=config.SERVICE_NAME))
assert expected_san in sans
# Run task update with new discovery prefix
marathon_config = sdk_marathon.get_config(config.SERVICE_NAME)
marathon_config['env'][
'DISCOVERY_TASK_PREFIX'] = DISCOVERY_TASK_PREFIX + '-new'
sdk_marathon.update_app(config.SERVICE_NAME, marathon_config)
sdk_tasks.check_tasks_updated(config.SERVICE_NAME, 'discovery',
original_tasks)
sdk_tasks.check_running(config.SERVICE_NAME, 4)
new_task_id = sdk_tasks.get_task_ids(config.SERVICE_NAME, "discovery")[0]
assert task_id != new_task_id
_, stdout, _ = sdk_tasks.task_exec(new_task_id, 'cat server.crt')
new_cert = x509.load_pem_x509_certificate(stdout.encode('ascii'),
DEFAULT_BACKEND)
san_extension = new_cert.extensions.get_extension_for_oid(
ExtensionOID.SUBJECT_ALTERNATIVE_NAME)
sans = [
san.value for san in san_extension.value._general_names._general_names
]
expected_san = (
'{name}-0.{service_name}.autoip.dcos.thisdcos.directory'.format(
name=DISCOVERY_TASK_PREFIX + '-new',
service_name=config.SERVICE_NAME))
assert expected_san in sans
def test_user_can_auth_and_write_and_read(kerberized_hdfs_client):
sdk_auth.kinit(kerberized_hdfs_client,
keytab=config.KEYTAB,
principal=config.CLIENT_PRINCIPALS["hdfs"])
write_cmd = "/bin/bash -c '{}'".format(
config.hdfs_write_command(config.TEST_CONTENT_SMALL,
config.TEST_FILE_1_NAME))
sdk_tasks.task_exec(kerberized_hdfs_client, write_cmd)
read_cmd = "/bin/bash -c '{}'".format(
config.hdfs_read_command(config.TEST_FILE_1_NAME))
_, stdout, _ = sdk_tasks.task_exec(kerberized_hdfs_client, read_cmd)
assert stdout == config.TEST_CONTENT_SMALL
def test_java_keystore(hello_world_service):
"""
Java `keystore-app` presents itself with provided TLS certificate
from keystore.
"""
task_id = sdk_tasks.get_task_ids(config.SERVICE_NAME, 'artifacts')[0]
assert task_id
# Make a curl request from artifacts container to `keystore-app`
# and make sure that mesos curl can verify certificate served by app
curl = ('curl -v -i '
'--cacert secure-tls-pod.ca '
'https://' + sdk_hosts.vip_host(config.SERVICE_NAME,
KEYSTORE_TASK_HTTPS_PORT_NAME) +
'/hello-world')
_, output = sdk_tasks.task_exec(task_id,
curl,
return_stderr_in_stdout=True)
# Check that HTTP request was successful with response 200 and make sure
# that curl with pre-configured cert was used and that task was matched
# by SAN in certificate.
assert 'HTTP/1.1 200 OK' in output
assert 'CAfile: secure-tls-pod.ca' in output
tls_verification_msg = (
'host "keystore-https.hello-world.l4lb.thisdcos.directory" matched '
'cert\'s "keystore-https.hello-world.l4lb.thisdcos.directory"')
assert tls_verification_msg in output
def test_tls_basic_artifacts(hello_world_service):
task_id = sdk_tasks.get_task_ids(config.SERVICE_NAME, 'artifacts')[0]
assert task_id
# Load end-entity certificate from keystore and root CA cert from truststore
stdout = sdk_tasks.task_exec(task_id,
'cat secure-tls-pod.crt')[1].encode('ascii')
end_entity_cert = x509.load_pem_x509_certificate(stdout, DEFAULT_BACKEND)
root_ca_cert_in_truststore = _export_cert_from_task_keystore(
task_id, 'keystore.truststore', 'dcos-root')
# Check that certificate subject maches the service name
common_name = end_entity_cert.subject.get_attributes_for_oid(
NameOID.COMMON_NAME)[0].value
assert common_name in sdk_hosts.autoip_host(config.SERVICE_NAME,
'artifacts-0-node')
san_extension = end_entity_cert.extensions.get_extension_for_oid(
ExtensionOID.SUBJECT_ALTERNATIVE_NAME)
sans = san_extension.value._general_names._general_names
assert len(sans) == 1
cluster_root_ca_cert = x509.load_pem_x509_certificate(
sdk_cmd.request('get',
shakedown.dcos_url_path('/ca/dcos-ca.crt')).content,
DEFAULT_BACKEND)
assert root_ca_cert_in_truststore.signature == cluster_root_ca_cert.signature
def resolve_hosts(task_id: str, hosts: list) -> bool:
"""
Use bootstrap to resolve the specified list of hosts
"""
bootstrap_cmd = [
'bootstrap', '-print-env=false', '-myfw=false', '-install-certs=false',
'-resolve-hosts', ','.join(hosts)
]
LOG.info("Running bootstrap to wait for DNS resolution of %s\n\t%s", hosts,
bootstrap_cmd)
return_code, bootstrap_stdout, bootstrap_stderr = sdk_tasks.task_exec(
task_id, ' '.join(bootstrap_cmd))
LOG.info("bootstrap return code: %s", return_code)
LOG.info("bootstrap STDOUT: %s", bootstrap_stdout)
LOG.info("bootstrap STDERR: %s", bootstrap_stderr)
# Note that bootstrap returns its output in STDERR
resolved = 'SDK Bootstrap successful.' in bootstrap_stderr
if not resolved:
for host in hosts:
resolved_host_string = "Resolved '{host}' =>".format(host=host)
host_resolved = resolved_host_string in bootstrap_stdout
if not host_resolved:
LOG.error("Could not resolve: %s", host)
return resolved
def _export_cert_from_task_keystore(task,
keystore_path,
alias,
password=KEYSTORE_PASS):
"""
Retrieves certificate from the keystore with given alias by executing
a keytool in context of running container and loads the certificate to
memory.
Args:
task (str): Task id of container that contains the keystore
keystore_path (str): Path inside container to keystore containing
the certificate
alias (str): Alias of the certificate in the keystore
Returns:
x509.Certificate object
"""
args = ['-rfc']
if password:
args.append('-storepass "{password}"'.format(password=password))
args_str = ' '.join(args)
cert_bytes = sdk_tasks.task_exec(
task, _keystore_export_command(keystore_path, alias,
args_str))[1].encode('ascii')
return x509.load_pem_x509_certificate(cert_bytes, DEFAULT_BACKEND)
def __run_kadmin(self, options: list, cmd: str, args: list):
"""
Invokes Kerberos' kadmin binary inside the container to run some command.
:param options (list): A list of options given to kadmin.
:param cmd (str): The name of the sub command to run.
:param args (list): A list of arguments passed to the sub command. This should also include any flags
needed to be set for the sub command.
:raises a generic Exception if the invocation fails.
"""
kadmin_cmd = "/usr/sbin/kadmin {options} {cmd} {args}".format(
options=' '.join(options), cmd=cmd, args=' '.join(args))
log.info("Running kadmin: {}".format(kadmin_cmd))
try:
sdk_tasks.task_exec(self.task_id, kadmin_cmd)
except Exception as e:
log.error("Failed to run kadmin: {}".format(repr(e)))
raise e
def create_tls_artifacts(cn: str, task: str) -> str:
pub_path = "{}_pub.crt".format(cn)
priv_path = "{}_priv.key".format(cn)
log.info("Generating certificate. cn={}, task={}".format(cn, task))
output = sdk_tasks.task_exec(
task,
'openssl req -nodes -newkey rsa:2048 -keyout {} -out request.csr \
-subj "/C=US/ST=CA/L=SF/O=Mesosphere/OU=Mesosphere/CN={}"'.format(
priv_path, cn))
log.info(output)
assert output[0] is 0
raw_csr = sdk_tasks.task_exec(task, 'cat request.csr')
assert raw_csr[0] is 0
request = {
"certificate_request":
raw_csr[1] # The actual content is second in the array
}
token = sdk_cmd.run_cli("config show core.dcos_acs_token")
cmd = "curl -X POST \
-H 'Authorization: token={}' \
leader.mesos/ca/api/v2/sign \
-d '{}'".format(token, json.dumps(request))
output = sdk_tasks.task_exec(
task, "curl -X POST \
-H 'Authorization: token={}' \
leader.mesos/ca/api/v2/sign \
-d '{}'".format(token, json.dumps(request)))
log.info(output)
assert output[0] is 0
# Write the public cert to the client
certificate = json.loads(output[1])["result"]["certificate"]
output = sdk_tasks.task_exec(
task, "bash -c \"echo '{}' > {}\"".format(certificate, pub_path))
log.info(output)
assert output[0] is 0
create_keystore_truststore(cn, task)
return "CN={},OU=Mesosphere,O=Mesosphere,L=SF,ST=CA,C=US".format(cn)
def test_client_can_read_and_write(kafka_client):
topics = sdk_cmd.svc_cli(config.PACKAGE_NAME,
config.SERVICE_NAME,
"topic create securetest",
json=True)
log.info("Created topic: %s", topics)
brokers = sdk_cmd.svc_cli(config.PACKAGE_NAME,
config.SERVICE_NAME,
"endpoint broker",
json=True)
broker_dns = list(map(lambda x: x.split(':')[0], brokers["dns"]))
log.info("Running bootstrap to wait for DNS resolution")
bootstrap_cmd = [
'/opt/bootstrap', '-resolve-hosts', ','.join(broker_dns), '-verbose'
]
bootstrap_output = sdk_tasks.task_exec(kafka_client,
' '.join(bootstrap_cmd))
log.info(bootstrap_output)
message = uuid.uuid4()
producer_cmd = ['/tmp/kafkaconfig/start.sh', 'producer', str(message)]
for i in range(2):
log.info("Running(%s) %s", i, producer_cmd)
producer_output = sdk_tasks.task_exec(kafka_client,
' '.join(producer_cmd))
log.info("Producer output(%s): %s", i, producer_output)
assert "Sent message: '{message}'".format(
message=str(message)) in ' '.join(str(p) for p in producer_output)
consumer_cmd = ['/tmp/kafkaconfig/start.sh', 'consumer', 'single']
log.info("Running %s", consumer_cmd)
consumer_output = sdk_tasks.task_exec(kafka_client, ' '.join(consumer_cmd))
log.info("Consumer output: %s", consumer_output)
assert str(message) in ' '.join(str(c) for c in consumer_output)
def wait_for_brokers(client: str, brokers: list):
"""
Run bootstrap on the specified client to resolve the list of brokers
"""
LOG.info("Running bootstrap to wait for DNS resolution")
bootstrap_cmd = [
'/opt/bootstrap', '-print-env=false', '-template=false',
'-install-certs=false', '-resolve-hosts', ','.join(brokers)
]
bootstrap_output = sdk_tasks.task_exec(client, ' '.join(bootstrap_cmd))
LOG.info(bootstrap_output)
assert "SDK Bootstrap successful" in ' '.join(
str(bo) for bo in bootstrap_output)
def write_client_properties(primary: str, task: str) -> str:
output_file = "{primary}-client.properties".format(primary=primary)
LOG.info("Generating %s", output_file)
output_cmd = """bash -c \"cat >{output_file} << EOL
security.protocol=SASL_PLAINTEXT
sasl.mechanism=GSSAPI
sasl.kerberos.service.name=kafka
EOL\"""".format(output_file=output_file, primary=primary)
LOG.info("Running: %s", output_cmd)
output = sdk_tasks.task_exec(task, output_cmd)
LOG.info(output)
return output_file
def _add_role_acls(role: str,
user: str,
task: str,
topic: str,
zookeeper_endpoint: str,
env_str=None):
cmd = "bash -c \"{setup_env}kafka-acls \
--topic {topic_name} \
--authorizer-properties zookeeper.connect={zookeeper_endpoint} \
--add \
--allow-principal User:{user} \
--{role}\"".format(
setup_env="{} && ".format(env_str) if env_str else "",
topic_name=topic,
zookeeper_endpoint=zookeeper_endpoint,
user=user,
role=role)
LOG.info("Running: %s", cmd)
output = sdk_tasks.task_exec(task, cmd)
LOG.info(output)
def write_krb5_config_file(task: str) -> str:
output_file = "krb5.config"
LOG.info("Generating %s", output_file)
# TODO: Set realm and kdc properties
output_cmd = """bash -c \"cat >{output_file} << EOL
[libdefaults]
default_realm = LOCAL
[realms]
LOCAL = {{
kdc = kdc.marathon.autoip.dcos.thisdcos.directory:2500
}}
EOL\"""".format(output_file=output_file)
LOG.info("Running: %s", output_cmd)
output = sdk_tasks.task_exec(task, output_cmd)
LOG.info(output)
return output_file
def test_java_truststore(hello_world_service):
"""
Make an HTTP request from CLI to nginx exposed service.
Test that CLI reads and uses truststore to verify HTTPS connection.
"""
task_id = sdk_tasks.get_task_ids(config.SERVICE_NAME, "keystore")[0]
assert task_id
# Make an http request from a CLI app using configured keystore to the
# service itself exposed via VIP.
# This will test whether the service is serving correct end-entity
# certificate from keystore and if CLI client can verify certificate
# with custom truststore configuration.
command = _java_command(
'java -jar ' + KEYSTORE_APP_JAR_NAME + ' truststoretest '
'integration-test.yml '
'https://' +
sdk_hosts.vip_host(config.SERVICE_NAME, NGINX_TASK_HTTPS_PORT_NAME))
_, output, _ = sdk_tasks.task_exec(task_id, command)
# Unfortunately the `dcos task exec` doesn't respect the return code
# from executed command in container so we need to manually assert for
# expected output.
assert 'status=200' in output
def write_jaas_config_file(primary: str, task: str) -> str:
output_file = "{primary}-client-jaas.config".format(primary=primary)
LOG.info("Generating %s", output_file)
# TODO: use kafka_client keytab path
output_cmd = """bash -c \"cat >{output_file} << EOL
KafkaClient {{
com.sun.security.auth.module.Krb5LoginModule required
doNotPrompt=true
useTicketCache=true
principal=\\"{primary}@LOCAL\\"
useKeyTab=true
serviceName=\\"kafka\\"
keyTab=\\"/tmp/kafkaconfig/kafka-client.keytab\\"
client=true;
}};
EOL\"""".format(output_file=output_file, primary=primary)
LOG.info("Running: %s", output_cmd)
output = sdk_tasks.task_exec(task, output_cmd)
LOG.info(output)
return output_file
def test_tls_nginx(hello_world_service):
"""
Checks that NGINX exposes TLS service with correct PEM encoded end-entity
certificate.
"""
# Use keystore-app `truststoretest` CLI command to run request against
# the NGINX container to verify that nginx presents itself with end-entity
# certificate that can be verified by with truststore.
task_id = sdk_tasks.get_task_ids(config.SERVICE_NAME, 'keystore')[0]
assert task_id
command = _java_command(
'java -jar ' + KEYSTORE_APP_JAR_NAME + ' truststoretest '
'integration-test.yml '
'https://' +
sdk_hosts.vip_host(config.SERVICE_NAME, NGINX_TASK_HTTPS_PORT_NAME) +
'/')
_, output, _ = sdk_tasks.task_exec(task_id, command)
# Unfortunately the `dcos task exec` doesn't respect the return code
# from executed command in container so we need to manually assert for
# expected output.
assert 'status=200' in output
def test_soak_secrets_update():
secret_content_alternative = "hello-world-secret-data-alternative"
test_soak_secrets_framework_alive()
sdk_cmd.run_cli("package install --cli dcos-enterprise-cli --yes")
sdk_cmd.run_cli("package install --cli hello-world --yes")
sdk_cmd.run_cli(
"security secrets update --value={} secrets/secret1".format(
secret_content_alternative))
sdk_cmd.run_cli(
"security secrets update --value={} secrets/secret2".format(
secret_content_alternative))
sdk_cmd.run_cli(
"security secrets update --value={} secrets/secret3".format(
secret_content_alternative))
test_soak_secrets_restart_hello0()
# get new task ids - only first pod
hello_tasks = sdk_tasks.get_task_ids(FRAMEWORK_NAME, "hello-0")
world_tasks = sdk_tasks.get_task_ids(FRAMEWORK_NAME, "world-0")
# make sure content is changed
assert secret_content_alternative == sdk_tasks.task_exec(
world_tasks[0], "bash -c 'echo $WORLD_SECRET1_ENV'")[1]
assert secret_content_alternative == sdk_tasks.task_exec(
world_tasks[0], "cat WORLD_SECRET2_FILE")[1]
assert secret_content_alternative == sdk_tasks.task_exec(
world_tasks[0], "cat secrets/secret3")[1]
# make sure content is changed
assert secret_content_alternative == sdk_tasks.task_exec(
hello_tasks[0], "bash -c 'echo $HELLO_SECRET1_ENV'")[1]
assert secret_content_alternative == sdk_tasks.task_exec(
hello_tasks[0], "cat HELLO_SECRET1_FILE")[1]
assert secret_content_alternative == sdk_tasks.task_exec(
hello_tasks[0], "cat HELLO_SECRET2_FILE")[1]
# revert back to some other value
sdk_cmd.run_cli("security secrets update --value=SECRET1 secrets/secret1")
sdk_cmd.run_cli("security secrets update --value=SECRET2 secrets/secret2")
sdk_cmd.run_cli("security secrets update --value=SECRET3 secrets/secret3")
test_soak_secrets_restart_hello0()
def kdestroy(task_id: str):
"""
Performs a kdestroy command to erase an auth session for a principal.
:param task_id: The task in whose environment the kinit will run.
"""
sdk_tasks.task_exec(task_id, "kdestroy")
def test_users_have_appropriate_permissions(kerberized_hdfs_client):
# "hdfs" is a superuser
sdk_auth.kinit(kerberized_hdfs_client,
keytab=config.KEYTAB,
principal=config.CLIENT_PRINCIPALS["hdfs"])
log.info("Creating directory for alice")
make_user_directory_cmd = config.hdfs_command("mkdir -p /users/alice")
sdk_tasks.task_exec(kerberized_hdfs_client, make_user_directory_cmd)
change_ownership_cmd = config.hdfs_command(
"chown alice:users /users/alice")
sdk_tasks.task_exec(kerberized_hdfs_client, change_ownership_cmd)
change_permissions_cmd = config.hdfs_command("chmod 700 /users/alice")
sdk_tasks.task_exec(kerberized_hdfs_client, change_permissions_cmd)
# alice has read/write access to her directory
sdk_auth.kdestroy(kerberized_hdfs_client)
sdk_auth.kinit(kerberized_hdfs_client,
keytab=config.KEYTAB,
principal=config.CLIENT_PRINCIPALS["alice"])
write_access_cmd = "/bin/bash -c \"{}\"".format(
config.hdfs_write_command(
config.TEST_CONTENT_SMALL,
"/users/alice/{}".format(config.TEST_FILE_1_NAME)))
log.info("Alice can write: {}".format(write_access_cmd))
rc, stdout, _ = sdk_tasks.task_exec(kerberized_hdfs_client,
write_access_cmd)
assert stdout == '' and rc == 0
read_access_cmd = config.hdfs_read_command("/users/alice/{}".format(
config.TEST_FILE_1_NAME))
log.info("Alice can read: {}".format(read_access_cmd))
_, stdout, _ = sdk_tasks.task_exec(kerberized_hdfs_client, read_access_cmd)
assert stdout == config.TEST_CONTENT_SMALL
ls_cmd = config.hdfs_command("ls /users/alice")
_, stdout, _ = sdk_tasks.task_exec(kerberized_hdfs_client, ls_cmd)
assert "/users/alice/{}".format(config.TEST_FILE_1_NAME) in stdout
# bob doesn't have read/write access to alice's directory
sdk_auth.kdestroy(kerberized_hdfs_client)
sdk_auth.kinit(kerberized_hdfs_client,
keytab=config.KEYTAB,
principal=config.CLIENT_PRINCIPALS["bob"])
log.info(
"Bob tries to wrtie to alice's directory: {}".format(write_access_cmd))
_, _, stderr = sdk_tasks.task_exec(kerberized_hdfs_client,
write_access_cmd)
log.info(
"Bob can't write to alice's directory: {}".format(write_access_cmd))
assert "put: Permission denied: user=bob" in stderr
log.info(
"Bob tries to read from alice's directory: {}".format(read_access_cmd))
_, _, stderr = sdk_tasks.task_exec(kerberized_hdfs_client, read_access_cmd)
log.info(
"Bob can't read from alice's directory: {}".format(read_access_cmd))
assert "cat: Permission denied: user=bob" in stderr
def hdfs_cmd(cmd):
sdk_tasks.task_exec(HDFS_CLIENT_ID, "bin/hdfs dfs -{}".format(cmd))
def cmd(pod_name, command):
return sdk_tasks.task_exec(
'{}-server'.format(pod_name),
"bash -c 'JAVA_HOME=$(ls -d jre*/) apache-cassandra-*/bin/nodetool {}'".format(command))
def read_wrapper():
LOG.info("Running: %s", read_cmd)
rc, stdout, stderr = sdk_tasks.task_exec(task, read_cmd)
LOG.info("rc=%s\nstdout=%s\nstderr=%s\n", rc, stdout, stderr)
return rc, stdout, stderr
