Ejemplo n.º 1
0
def test_users_have_appropriate_permissions(kerberized_hdfs_client):
    # "hdfs" is a superuser
    sdk_auth.kinit(kerberized_hdfs_client,
                   keytab=config.KEYTAB,
                   principal=config.CLIENT_PRINCIPALS["hdfs"])

    log.info("Creating directory for alice")
    make_user_directory_cmd = config.hdfs_command("mkdir -p /users/alice")
    sdk_cmd.task_exec(kerberized_hdfs_client, make_user_directory_cmd)

    change_ownership_cmd = config.hdfs_command(
        "chown alice:users /users/alice")
    sdk_cmd.task_exec(kerberized_hdfs_client, change_ownership_cmd)

    change_permissions_cmd = config.hdfs_command("chmod 700 /users/alice")
    sdk_cmd.task_exec(kerberized_hdfs_client, change_permissions_cmd)

    test_filename = "test_user_permissions"  # must be unique among tests in this suite

    # alice has read/write access to her directory
    sdk_auth.kdestroy(kerberized_hdfs_client)
    sdk_auth.kinit(kerberized_hdfs_client,
                   keytab=config.KEYTAB,
                   principal=config.CLIENT_PRINCIPALS["alice"])
    write_access_cmd = "/bin/bash -c \"{}\"".format(
        config.hdfs_write_command(config.TEST_CONTENT_SMALL,
                                  "/users/alice/{}".format(test_filename)))
    log.info("Alice can write: {}".format(write_access_cmd))
    rc, stdout, _ = sdk_cmd.task_exec(kerberized_hdfs_client, write_access_cmd)
    assert stdout == '' and rc == 0

    read_access_cmd = config.hdfs_read_command(
        "/users/alice/{}".format(test_filename))
    log.info("Alice can read: {}".format(read_access_cmd))
    _, stdout, _ = sdk_cmd.task_exec(kerberized_hdfs_client, read_access_cmd)
    assert stdout == config.TEST_CONTENT_SMALL

    ls_cmd = config.hdfs_command("ls /users/alice")
    _, stdout, _ = sdk_cmd.task_exec(kerberized_hdfs_client, ls_cmd)
    assert "/users/alice/{}".format(test_filename) in stdout

    # bob doesn't have read/write access to alice's directory
    sdk_auth.kdestroy(kerberized_hdfs_client)
    sdk_auth.kinit(kerberized_hdfs_client,
                   keytab=config.KEYTAB,
                   principal=config.CLIENT_PRINCIPALS["bob"])

    log.info(
        "Bob tries to wrtie to alice's directory: {}".format(write_access_cmd))
    _, _, stderr = sdk_cmd.task_exec(kerberized_hdfs_client, write_access_cmd)
    log.info(
        "Bob can't write to alice's directory: {}".format(write_access_cmd))
    assert "put: Permission denied: user=bob" in stderr

    log.info(
        "Bob tries to read from alice's directory: {}".format(read_access_cmd))
    _, _, stderr = sdk_cmd.task_exec(kerberized_hdfs_client, read_access_cmd)
    log.info(
        "Bob can't read from alice's directory: {}".format(read_access_cmd))
    assert "cat: Permission denied: user=bob" in stderr
Ejemplo n.º 2
0
def test_users_have_appropriate_permissions(hdfs_client, kerberos):
    # "hdfs" is a superuser

    sdk_auth.kinit(hdfs_client["id"],
                   keytab=config.KEYTAB,
                   principal=kerberos.get_principal("hdfs"))

    log.info("Creating directory for alice")
    make_user_directory_cmd = config.hdfs_command("mkdir -p /users/alice")
    sdk_cmd.task_exec(hdfs_client["id"], make_user_directory_cmd)

    change_ownership_cmd = config.hdfs_command(
        "chown alice:users /users/alice")
    sdk_cmd.task_exec(hdfs_client["id"], change_ownership_cmd)

    change_permissions_cmd = config.hdfs_command("chmod 700 /users/alice")
    sdk_cmd.task_exec(hdfs_client["id"], change_permissions_cmd)

    test_filename = "test_user_permissions-{}".format(str(uuid.uuid4()))

    # alice has read/write access to her directory
    sdk_auth.kdestroy(hdfs_client["id"])
    sdk_auth.kinit(hdfs_client["id"],
                   keytab=config.KEYTAB,
                   principal=kerberos.get_principal("alice"))
    write_access_cmd = "/bin/bash -c \"{}\"".format(
        config.hdfs_write_command(config.TEST_CONTENT_SMALL,
                                  "/users/alice/{}".format(test_filename)))
    log.info("Alice can write: %s", write_access_cmd)
    rc, stdout, _ = sdk_cmd.task_exec(hdfs_client["id"], write_access_cmd)
    assert stdout == '' and rc == 0

    read_access_cmd = config.hdfs_read_command(
        "/users/alice/{}".format(test_filename))
    log.info("Alice can read: %s", read_access_cmd)
    _, stdout, _ = sdk_cmd.task_exec(hdfs_client["id"], read_access_cmd)
    assert stdout == config.TEST_CONTENT_SMALL

    ls_cmd = config.hdfs_command("ls /users/alice")
    _, stdout, _ = sdk_cmd.task_exec(hdfs_client["id"], ls_cmd)
    assert "/users/alice/{}".format(test_filename) in stdout

    # bob doesn't have read/write access to alice's directory
    sdk_auth.kdestroy(hdfs_client["id"])
    sdk_auth.kinit(hdfs_client["id"],
                   keytab=config.KEYTAB,
                   principal=kerberos.get_principal("bob"))

    log.info("Bob tries to wrtie to alice's directory: %s", write_access_cmd)
    _, _, stderr = sdk_cmd.task_exec(hdfs_client["id"], write_access_cmd)
    log.info("Bob can't write to alice's directory: %s", write_access_cmd)
    assert "put: Permission denied: user=bob" in stderr

    log.info("Bob tries to read from alice's directory: %s", read_access_cmd)
    _, _, stderr = sdk_cmd.task_exec(hdfs_client["id"], read_access_cmd)
    log.info("Bob can't read from alice's directory: %s", read_access_cmd)
    assert "cat: Permission denied: user=bob" in stderr
def test_users_have_appropriate_permissions(hdfs_client, kerberos):
    # "hdfs" is a superuser

    sdk_auth.kinit(hdfs_client["id"], keytab=config.KEYTAB, principal=kerberos.get_principal("hdfs"))

    log.info("Creating directory for alice")
    make_user_directory_cmd = config.hdfs_command("mkdir -p /users/alice")
    sdk_cmd.marathon_task_exec(hdfs_client["id"], make_user_directory_cmd)

    change_ownership_cmd = config.hdfs_command("chown alice:users /users/alice")
    sdk_cmd.marathon_task_exec(hdfs_client["id"], change_ownership_cmd)

    change_permissions_cmd = config.hdfs_command("chmod 700 /users/alice")
    sdk_cmd.marathon_task_exec(hdfs_client["id"], change_permissions_cmd)

    test_filename = "test_user_permissions-{}".format(str(uuid.uuid4()))

    # alice has read/write access to her directory
    sdk_auth.kdestroy(hdfs_client["id"])
    sdk_auth.kinit(hdfs_client["id"], keytab=config.KEYTAB, principal=kerberos.get_principal("alice"))
    write_access_cmd = "/bin/bash -c \"{}\"".format(config.hdfs_write_command(
        config.TEST_CONTENT_SMALL,
        "/users/alice/{}".format(test_filename)))
    log.info("Alice can write: %s", write_access_cmd)
    rc, stdout, _ = sdk_cmd.marathon_task_exec(hdfs_client["id"], write_access_cmd)
    assert stdout == '' and rc == 0

    read_access_cmd = config.hdfs_read_command("/users/alice/{}".format(test_filename))
    log.info("Alice can read: %s", read_access_cmd)
    _, stdout, _ = sdk_cmd.marathon_task_exec(hdfs_client["id"], read_access_cmd)
    assert stdout == config.TEST_CONTENT_SMALL

    ls_cmd = config.hdfs_command("ls /users/alice")
    _, stdout, _ = sdk_cmd.marathon_task_exec(hdfs_client["id"], ls_cmd)
    assert "/users/alice/{}".format(test_filename) in stdout

    # bob doesn't have read/write access to alice's directory
    sdk_auth.kdestroy(hdfs_client["id"])
    sdk_auth.kinit(hdfs_client["id"], keytab=config.KEYTAB, principal=kerberos.get_principal("bob"))

    log.info("Bob tries to wrtie to alice's directory: %s", write_access_cmd)
    _, _, stderr = sdk_cmd.marathon_task_exec(hdfs_client["id"], write_access_cmd)
    log.info("Bob can't write to alice's directory: %s", write_access_cmd)
    assert "put: Permission denied: user=bob" in stderr

    log.info("Bob tries to read from alice's directory: %s", read_access_cmd)
    _, _, stderr = sdk_cmd.marathon_task_exec(hdfs_client["id"], read_access_cmd)
    log.info("Bob can't read from alice's directory: %s", read_access_cmd)
    assert "cat: Permission denied: user=bob" in stderr
Ejemplo n.º 4
0
def test_users_have_appropriate_permissions(hdfs_client, kerberos):
    # "hdfs" is a superuser
    sdk_auth.kinit(
        hdfs_client["id"], keytab=config.KEYTAB, principal=kerberos.get_principal("hdfs")
    )

    alice_dir = "/users/alice"
    config.run_client_command(" && ".join([
        config.hdfs_command(c) for c in [
            "mkdir -p {}".format(alice_dir),
            "chown alice:users {}".format(alice_dir),
            "chmod 700 {}".format(alice_dir),
        ]
    ]))

    test_filename = "{}/{}".format(alice_dir, config.get_unique_filename("test_kerberos_auth_user_permissions"))

    # alice has read/write access to her directory
    sdk_auth.kdestroy(hdfs_client["id"])
    sdk_auth.kinit(
        hdfs_client["id"], keytab=config.KEYTAB, principal=kerberos.get_principal("alice")
    )

    config.hdfs_client_write_data(test_filename)
    config.hdfs_client_read_data(test_filename)
    _, stdout, _ = config.hdfs_client_list_files(alice_dir)
    assert test_filename in stdout

    # bob doesn't have read/write access to alice's directory
    sdk_auth.kdestroy(hdfs_client["id"])
    sdk_auth.kinit(hdfs_client["id"], keytab=config.KEYTAB, principal=kerberos.get_principal("bob"))

    config.hdfs_client_write_data(test_filename, expect_failure_message="put: Permission denied: user=bob")
    config.hdfs_client_read_data(test_filename, expect_failure_message="cat: Permission denied: user=bob")
def test_users_have_appropriate_permissions(hdfs_client, kerberos):
    # "hdfs" is a superuser
    sdk_auth.kinit(
        hdfs_client["id"], keytab=config.KEYTAB, principal=kerberos.get_principal("hdfs")
    )

    alice_dir = "/users/alice"
    config.run_client_command(" && ".join([
        config.hdfs_command(c) for c in [
            "mkdir -p {}".format(alice_dir),
            "chown alice:users {}".format(alice_dir),
            "chmod 700 {}".format(alice_dir),
        ]
    ]))

    test_filename = "{}/{}".format(alice_dir, config.get_unique_filename("test_ssl_kerberos_auth_user_permissions"))

    # alice has read/write access to her directory
    sdk_auth.kdestroy(hdfs_client["id"])
    sdk_auth.kinit(
        hdfs_client["id"], keytab=config.KEYTAB, principal=kerberos.get_principal("alice")
    )

    config.hdfs_client_write_data(test_filename)
    config.hdfs_client_read_data(test_filename)
    _, stdout, _ = config.hdfs_client_list_files(alice_dir)
    assert test_filename in stdout

    # bob doesn't have read/write access to alice's directory
    sdk_auth.kdestroy(hdfs_client["id"])
    sdk_auth.kinit(hdfs_client["id"], keytab=config.KEYTAB, principal=kerberos.get_principal("bob"))

    config.hdfs_client_write_data(test_filename, expect_failure_message="put: Permission denied: user=bob")
    config.hdfs_client_read_data(test_filename, expect_failure_message="cat: Permission denied: user=bob")
Ejemplo n.º 6
0
def test_users_have_appropriate_permissions(hdfs_client, kerberos):
    # "hdfs" is a superuser
    sdk_auth.kinit(hdfs_client["id"],
                   keytab=config.KEYTAB,
                   principal=kerberos.get_principal("hdfs"))

    alice_dir = "/users/alice"
    success = True
    cmd_lists = [
        ["mkdir", "-p", alice_dir],
        ["chown", "alice:users", alice_dir],
        ["chmod", "700", alice_dir],
    ]
    for cmd_list in cmd_lists:
        cmd = config.hdfs_command(" ".join(cmd_list))
        cmd_success = config.run_client_command(cmd)
        if not cmd_success:
            log.error("Error executing: %s", cmd)
        success = success and cmd_success

    if not success:
        log.error("Error creating %s", alice_dir)
        raise Exception("Error creating user directory")

    # alice has read/write access to her directory
    sdk_auth.kdestroy(hdfs_client["id"])
    sdk_auth.kinit(hdfs_client["id"],
                   keytab=config.KEYTAB,
                   principal=kerberos.get_principal("alice"))

    test_filename = "{}/{}".format(
        alice_dir,
        config.get_unique_filename("test_kerberos_auth_user_permissions"))
    config.hdfs_client_write_data(test_filename)
    config.hdfs_client_read_data(test_filename)
    _, stdout, _ = config.hdfs_client_list_files(alice_dir)
    assert test_filename in stdout

    # bob doesn't have read/write access to alice's directory
    sdk_auth.kdestroy(hdfs_client["id"])
    sdk_auth.kinit(hdfs_client["id"],
                   keytab=config.KEYTAB,
                   principal=kerberos.get_principal("bob"))

    config.hdfs_client_write_data(
        test_filename,
        expect_failure_message="put: Permission denied: user=bob")
    config.hdfs_client_read_data(
        test_filename,
        expect_failure_message="cat: Permission denied: user=bob")
Ejemplo n.º 7
0
def test_users_have_appropriate_permissions(hdfs_client, kerberos):
    # "hdfs" is a superuser
    sdk_auth.kinit(
        hdfs_client["id"], keytab=config.KEYTAB, principal=kerberos.get_principal("hdfs")
    )

    alice_dir = "/users/alice"
    success = True
    cmd_lists = [
        ["mkdir", "-p", alice_dir],
        ["chown", "alice:users", alice_dir],
        ["chmod", "700", alice_dir],
    ]
    for cmd_list in cmd_lists:
        cmd = config.hdfs_command(" ".join(cmd_list))
        cmd_success = config.run_client_command(cmd)
        if not cmd_success:
            log.error("Error executing: %s", cmd)
        success = success and cmd_success

    if not success:
        log.error("Error creating %s", alice_dir)
        raise Exception("Error creating user directory")

    # alice has read/write access to her directory
    sdk_auth.kdestroy(hdfs_client["id"])
    sdk_auth.kinit(
        hdfs_client["id"], keytab=config.KEYTAB, principal=kerberos.get_principal("alice")
    )

    test_filename = "{}/{}".format(alice_dir, config.get_unique_filename("test_kerberos_auth_user_permissions"))
    config.hdfs_client_write_data(test_filename)
    config.hdfs_client_read_data(test_filename)
    _, stdout, _ = config.hdfs_client_list_files(alice_dir)
    assert test_filename in stdout

    # bob doesn't have read/write access to alice's directory
    sdk_auth.kdestroy(hdfs_client["id"])
    sdk_auth.kinit(hdfs_client["id"], keytab=config.KEYTAB, principal=kerberos.get_principal("bob"))

    config.hdfs_client_write_data(test_filename, expect_failure_message="put: Permission denied: user=bob")
    config.hdfs_client_read_data(test_filename, expect_failure_message="cat: Permission denied: user=bob")