def test_user_can_write_and_read(kerberos):
try:
client_app_def = config.get_kerberized_hdfs_client_app()
client_app_def["secrets"]["hdfs_keytab"][
"source"] = kerberos.get_keytab_path()
client_app_def["env"]["REALM"] = kerberos.get_realm()
client_app_def["env"]["KDC_ADDRESS"] = kerberos.get_kdc_address()
sdk_marathon.install_app(client_app_def)
client_task_id = client_app_def["id"]
sdk_auth.kinit(client_task_id,
keytab=config.KEYTAB,
principal=config.GENERIC_HDFS_USER_PRINCIPAL)
write_cmd = "/bin/bash -c '{}'".format(
config.hdfs_write_command(config.TEST_FILE_1_NAME,
config.TEST_CONTENT_SMALL))
sdk_tasks.task_exec(client_task_id, write_cmd)
read_cmd = "/bin/bash -c '{}'".format(
config.hdfs_read_command(config.TEST_FILE_1_NAME))
_, stdout, _ = sdk_tasks.task_exec(client_task_id, read_cmd)
assert stdout == config.TEST_CONTENT_SMALL
finally:
sdk_marathon.destroy_app(client_task_id)
def setup_history_server(hdfs_with_kerberos, setup_hdfs_client,
configure_universe):
try:
sdk_auth.kinit(HDFS_CLIENT_ID,
keytab="hdfs.keytab",
principal=GENERIC_HDFS_USER_PRINCIPAL)
hdfs_cmd("mkdir /history")
hdfs_cmd("chmod 1777 /history")
shakedown.install_package(
package_name=utils.HISTORY_PACKAGE_NAME,
options_json={
"service": {
"user":
SPARK_HISTORY_USER,
"hdfs-config-url":
"http://api.{}.marathon.l4lb.thisdcos.directory/v1/endpoints"
.format(HDFS_SERVICE_NAME)
},
"security": {
"kerberos": {
"enabled": True,
"krb5conf": utils.HDFS_KRB5_CONF,
"principal": GENERIC_HDFS_USER_PRINCIPAL,
"keytab": KEYTAB_SECRET_PATH
}
}
},
wait_for_completion=True # wait for it to become healthy
)
yield
finally:
sdk_marathon.destroy_app(utils.HISTORY_SERVICE_NAME)
def test_user_can_auth_and_write_and_read(hdfs_client, kerberos):
sdk_auth.kinit(
hdfs_client["id"], keytab=config.KEYTAB, principal=kerberos.get_principal("hdfs")
)
test_filename = config.get_unique_filename("test_ssl_kerberos_auth_write_read")
config.hdfs_client_write_data(test_filename)
config.hdfs_client_read_data(test_filename)
def test_user_can_auth_and_write_and_read(hdfs_client, kerberos):
sdk_auth.kinit(hdfs_client["id"],
keytab=config.KEYTAB,
principal=kerberos.get_principal("hdfs"))
test_filename = config.get_unique_filename("test_kerberos_auth_write_read")
config.hdfs_client_write_data(test_filename)
config.hdfs_client_read_data(test_filename)
def test_user_can_auth_and_write_and_read(hdfs_client, kerberos):
sdk_auth.kinit(hdfs_client["id"], keytab=config.KEYTAB, principal=kerberos.get_principal("hdfs"))
test_filename = "test_auth_write_read-{}".format(str(uuid.uuid4()))
write_cmd = "/bin/bash -c '{}'".format(config.hdfs_write_command(config.TEST_CONTENT_SMALL, test_filename))
sdk_cmd.task_exec(hdfs_client["id"], write_cmd)
read_cmd = "/bin/bash -c '{}'".format(config.hdfs_read_command(test_filename))
_, stdout, _ = sdk_cmd.task_exec(hdfs_client["id"], read_cmd)
assert stdout == config.TEST_CONTENT_SMALL
def test_user_can_auth_and_write_and_read(hdfs_client, kerberos):
sdk_auth.kinit(hdfs_client["id"], keytab=config.KEYTAB, principal=kerberos.get_principal("hdfs"))
test_filename = "test_auth_write_read-{}".format(str(uuid.uuid4()))
write_cmd = "/bin/bash -c \"{}\"".format(config.hdfs_write_command(config.TEST_CONTENT_SMALL, test_filename))
sdk_cmd.marathon_task_exec(hdfs_client["id"], write_cmd)
read_cmd = "/bin/bash -c \"{}\"".format(config.hdfs_read_command(test_filename))
_, stdout, _ = sdk_cmd.marathon_task_exec(hdfs_client["id"], read_cmd)
assert stdout == config.TEST_CONTENT_SMALL
def test_user_can_auth_and_write_and_read(hdfs_client, kerberos):
sdk_auth.kinit(hdfs_client["id"], keytab=config.KEYTAB, principal=kerberos.get_principal("hdfs"))
test_filename = "test_auth_write_read" # must be unique among tests in this suite
write_cmd = "/bin/bash -c '{}'".format(config.hdfs_write_command(config.TEST_CONTENT_SMALL, test_filename))
sdk_cmd.marathon_task_exec(hdfs_client["id"], write_cmd)
read_cmd = "/bin/bash -c '{}'".format(config.hdfs_read_command(test_filename))
_, stdout, _ = sdk_cmd.marathon_task_exec(hdfs_client["id"], read_cmd)
assert stdout == config.TEST_CONTENT_SMALL
def setup_hdfs_paths():
sdk_auth.kinit(HDFS_CLIENT_ID,
keytab="hdfs.keytab",
principal=GENERIC_HDFS_USER_PRINCIPAL)
hdfs_cmd("rm -r -f -skipTrash {}".format(HDFS_CHECKPOINT_DIR))
hdfs_cmd("mkdir {}".format(HDFS_CHECKPOINT_DIR))
hdfs_cmd("chmod 1777 {}".format(HDFS_CHECKPOINT_DIR))
hdfs_cmd("rm -r -f -skipTrash {}".format(HDFS_TMP_DIR))
hdfs_cmd("mkdir {}".format(HDFS_TMP_DIR))
hdfs_cmd("chmod 1777 {}".format(HDFS_TMP_DIR))
def test_user_can_auth_and_write_and_read(kerberized_hdfs_client):
sdk_auth.kinit(kerberized_hdfs_client,
keytab=config.KEYTAB,
principal=config.CLIENT_PRINCIPALS["hdfs"])
write_cmd = "/bin/bash -c '{}'".format(
config.hdfs_write_command(config.TEST_CONTENT_SMALL,
config.TEST_FILE_1_NAME))
sdk_tasks.task_exec(kerberized_hdfs_client, write_cmd)
read_cmd = "/bin/bash -c '{}'".format(
config.hdfs_read_command(config.TEST_FILE_1_NAME))
_, stdout, _ = sdk_tasks.task_exec(kerberized_hdfs_client, read_cmd)
assert stdout == config.TEST_CONTENT_SMALL
def test_user_can_auth_and_write_and_read(kerberized_hdfs_client):
sdk_auth.kinit(kerberized_hdfs_client,
keytab=config.KEYTAB,
principal=config.CLIENT_PRINCIPALS["hdfs"])
test_filename = "test_auth_write_read" # must be unique among tests in this suite
write_cmd = "/bin/bash -c '{}'".format(
config.hdfs_write_command(config.TEST_CONTENT_SMALL, test_filename))
sdk_cmd.task_exec(kerberized_hdfs_client, write_cmd)
read_cmd = "/bin/bash -c '{}'".format(
config.hdfs_read_command(test_filename))
_, stdout, _ = sdk_cmd.task_exec(kerberized_hdfs_client, read_cmd)
assert stdout == config.TEST_CONTENT_SMALL
def test_user_can_auth_and_write_and_read(hdfs_client, kerberos):
sdk_auth.kinit(hdfs_client["id"],
keytab=config.KEYTAB,
principal=kerberos.get_principal("hdfs"))
test_filename = "test_auth_write_read" # must be unique among tests in this suite
write_cmd = "/bin/bash -c '{}'".format(
config.hdfs_write_command(config.TEST_CONTENT_SMALL, test_filename))
sdk_cmd.marathon_task_exec(hdfs_client["id"], write_cmd)
read_cmd = "/bin/bash -c '{}'".format(
config.hdfs_read_command(test_filename))
_, stdout, _ = sdk_cmd.marathon_task_exec(hdfs_client["id"], read_cmd)
assert stdout == config.TEST_CONTENT_SMALL
def setup_history_server(hdfs_with_kerberos, setup_hdfs_client,
configure_universe):
try:
LOGGER.info('Preparing to install History Server')
sdk_auth.kinit(HDFS_CLIENT_ID,
keytab="hdfs.keytab",
principal=GENERIC_HDFS_USER_PRINCIPAL)
LOGGER.info('Creating History Server HDFS directory')
hdfs_cmd("rm -r -f -skipTrash {}".format(HDFS_HISTORY_DIR))
hdfs_cmd("mkdir {}".format(HDFS_HISTORY_DIR))
hdfs_cmd("chmod 1777 {}".format(HDFS_HISTORY_DIR))
sdk_install.uninstall(HISTORY_PACKAGE_NAME, HISTORY_SERVICE_NAME)
sdk_install.install(
HISTORY_PACKAGE_NAME,
HISTORY_SERVICE_NAME,
0,
additional_options={
"service": {
"name":
HISTORY_SERVICE_NAME,
"user":
SPARK_HISTORY_USER,
"log-dir":
"hdfs://hdfs{}".format(HDFS_HISTORY_DIR),
"hdfs-config-url":
"http://api.{}.marathon.l4lb.thisdcos.directory/v1/endpoints"
.format(HDFS_SERVICE_NAME)
},
"security": {
"kerberos": {
"enabled": True,
"krb5conf": HDFS_KRB5_CONF,
"principal": GENERIC_HDFS_USER_PRINCIPAL,
"keytab": KEYTAB_SECRET_PATH
}
}
},
wait_for_deployment=False, # no deploy plan
insert_strict_options=False
) # no standard service_account/etc options
yield
finally:
sdk_install.uninstall(HISTORY_PACKAGE_NAME, HISTORY_SERVICE_NAME)
def setup_hdfs_client(hdfs_with_kerberos):
try:
curr_dir = os.path.dirname(os.path.realpath(__file__))
app_def_path = "{}/resources/hdfsclient.json".format(curr_dir)
with open(app_def_path) as f:
hdfsclient_app_def = json.load(f)
hdfsclient_app_def["id"] = HDFS_CLIENT_ID
hdfsclient_app_def["secrets"]["hdfs_keytab"][
"source"] = KEYTAB_SECRET_PATH
sdk_marathon.install_app(hdfsclient_app_def)
sdk_auth.kinit(HDFS_CLIENT_ID,
keytab="hdfs.keytab",
principal=GENERIC_HDFS_USER_PRINCIPAL)
yield
finally:
sdk_marathon.destroy_app(HDFS_CLIENT_ID)
def test_users_have_appropriate_permissions(hdfs_client, kerberos):
# "hdfs" is a superuser
sdk_auth.kinit(
hdfs_client["id"], keytab=config.KEYTAB, principal=kerberos.get_principal("hdfs")
)
alice_dir = "/users/alice"
config.run_client_command(" && ".join([
config.hdfs_command(c) for c in [
"mkdir -p {}".format(alice_dir),
"chown alice:users {}".format(alice_dir),
"chmod 700 {}".format(alice_dir),
]
]))
test_filename = "{}/{}".format(alice_dir, config.get_unique_filename("test_kerberos_auth_user_permissions"))
# alice has read/write access to her directory
sdk_auth.kdestroy(hdfs_client["id"])
sdk_auth.kinit(
hdfs_client["id"], keytab=config.KEYTAB, principal=kerberos.get_principal("alice")
)
config.hdfs_client_write_data(test_filename)
config.hdfs_client_read_data(test_filename)
_, stdout, _ = config.hdfs_client_list_files(alice_dir)
assert test_filename in stdout
# bob doesn't have read/write access to alice's directory
sdk_auth.kdestroy(hdfs_client["id"])
sdk_auth.kinit(hdfs_client["id"], keytab=config.KEYTAB, principal=kerberos.get_principal("bob"))
config.hdfs_client_write_data(test_filename, expect_failure_message="put: Permission denied: user=bob")
config.hdfs_client_read_data(test_filename, expect_failure_message="cat: Permission denied: user=bob")
def test_users_have_appropriate_permissions(hdfs_client, kerberos):
# "hdfs" is a superuser
sdk_auth.kinit(
hdfs_client["id"], keytab=config.KEYTAB, principal=kerberos.get_principal("hdfs")
)
alice_dir = "/users/alice"
config.run_client_command(" && ".join([
config.hdfs_command(c) for c in [
"mkdir -p {}".format(alice_dir),
"chown alice:users {}".format(alice_dir),
"chmod 700 {}".format(alice_dir),
]
]))
test_filename = "{}/{}".format(alice_dir, config.get_unique_filename("test_ssl_kerberos_auth_user_permissions"))
# alice has read/write access to her directory
sdk_auth.kdestroy(hdfs_client["id"])
sdk_auth.kinit(
hdfs_client["id"], keytab=config.KEYTAB, principal=kerberos.get_principal("alice")
)
config.hdfs_client_write_data(test_filename)
config.hdfs_client_read_data(test_filename)
_, stdout, _ = config.hdfs_client_list_files(alice_dir)
assert test_filename in stdout
# bob doesn't have read/write access to alice's directory
sdk_auth.kdestroy(hdfs_client["id"])
sdk_auth.kinit(hdfs_client["id"], keytab=config.KEYTAB, principal=kerberos.get_principal("bob"))
config.hdfs_client_write_data(test_filename, expect_failure_message="put: Permission denied: user=bob")
config.hdfs_client_read_data(test_filename, expect_failure_message="cat: Permission denied: user=bob")
def test_users_have_appropriate_permissions(hdfs_client, kerberos):
# "hdfs" is a superuser
sdk_auth.kinit(
hdfs_client["id"], keytab=config.KEYTAB, principal=kerberos.get_principal("hdfs")
)
alice_dir = "/users/alice"
test_filename = config.check_test_users_have_appropriate_permissions(alice_dir)
# alice has read/write access to her directory
sdk_auth.kdestroy(hdfs_client["id"])
sdk_auth.kinit(
hdfs_client["id"], keytab=config.KEYTAB, principal=kerberos.get_principal("alice")
)
config.hdfs_client_write_data(test_filename)
config.hdfs_client_read_data(test_filename)
_, stdout, _ = config.hdfs_client_list_files(alice_dir)
assert test_filename in stdout
# bob doesn't have read/write access to alice's directory
sdk_auth.kdestroy(hdfs_client["id"])
sdk_auth.kinit(hdfs_client["id"], keytab=config.KEYTAB, principal=kerberos.get_principal("bob"))
config.hdfs_client_write_data(
test_filename, expect_failure_message="put: Permission denied: user=bob"
)
config.hdfs_client_read_data(
test_filename, expect_failure_message="cat: Permission denied: user=bob"
)
def test_users_have_appropriate_permissions(kerberized_hdfs_client):
# "hdfs" is a superuser
sdk_auth.kinit(kerberized_hdfs_client,
keytab=config.KEYTAB,
principal=config.CLIENT_PRINCIPALS["hdfs"])
log.info("Creating directory for alice")
make_user_directory_cmd = config.hdfs_command("mkdir -p /users/alice")
sdk_cmd.task_exec(kerberized_hdfs_client, make_user_directory_cmd)
change_ownership_cmd = config.hdfs_command(
"chown alice:users /users/alice")
sdk_cmd.task_exec(kerberized_hdfs_client, change_ownership_cmd)
change_permissions_cmd = config.hdfs_command("chmod 700 /users/alice")
sdk_cmd.task_exec(kerberized_hdfs_client, change_permissions_cmd)
test_filename = "test_user_permissions" # must be unique among tests in this suite
# alice has read/write access to her directory
sdk_auth.kdestroy(kerberized_hdfs_client)
sdk_auth.kinit(kerberized_hdfs_client,
keytab=config.KEYTAB,
principal=config.CLIENT_PRINCIPALS["alice"])
write_access_cmd = "/bin/bash -c \"{}\"".format(
config.hdfs_write_command(config.TEST_CONTENT_SMALL,
"/users/alice/{}".format(test_filename)))
log.info("Alice can write: {}".format(write_access_cmd))
rc, stdout, _ = sdk_cmd.task_exec(kerberized_hdfs_client, write_access_cmd)
assert stdout == '' and rc == 0
read_access_cmd = config.hdfs_read_command(
"/users/alice/{}".format(test_filename))
log.info("Alice can read: {}".format(read_access_cmd))
_, stdout, _ = sdk_cmd.task_exec(kerberized_hdfs_client, read_access_cmd)
assert stdout == config.TEST_CONTENT_SMALL
ls_cmd = config.hdfs_command("ls /users/alice")
_, stdout, _ = sdk_cmd.task_exec(kerberized_hdfs_client, ls_cmd)
assert "/users/alice/{}".format(test_filename) in stdout
# bob doesn't have read/write access to alice's directory
sdk_auth.kdestroy(kerberized_hdfs_client)
sdk_auth.kinit(kerberized_hdfs_client,
keytab=config.KEYTAB,
principal=config.CLIENT_PRINCIPALS["bob"])
log.info(
"Bob tries to wrtie to alice's directory: {}".format(write_access_cmd))
_, _, stderr = sdk_cmd.task_exec(kerberized_hdfs_client, write_access_cmd)
log.info(
"Bob can't write to alice's directory: {}".format(write_access_cmd))
assert "put: Permission denied: user=bob" in stderr
log.info(
"Bob tries to read from alice's directory: {}".format(read_access_cmd))
_, _, stderr = sdk_cmd.task_exec(kerberized_hdfs_client, read_access_cmd)
log.info(
"Bob can't read from alice's directory: {}".format(read_access_cmd))
assert "cat: Permission denied: user=bob" in stderr
def test_users_have_appropriate_permissions(hdfs_client, kerberos):
# "hdfs" is a superuser
sdk_auth.kinit(hdfs_client["id"],
keytab=config.KEYTAB,
principal=kerberos.get_principal("hdfs"))
log.info("Creating directory for alice")
make_user_directory_cmd = config.hdfs_command("mkdir -p /users/alice")
sdk_cmd.task_exec(hdfs_client["id"], make_user_directory_cmd)
change_ownership_cmd = config.hdfs_command(
"chown alice:users /users/alice")
sdk_cmd.task_exec(hdfs_client["id"], change_ownership_cmd)
change_permissions_cmd = config.hdfs_command("chmod 700 /users/alice")
sdk_cmd.task_exec(hdfs_client["id"], change_permissions_cmd)
test_filename = "test_user_permissions-{}".format(str(uuid.uuid4()))
# alice has read/write access to her directory
sdk_auth.kdestroy(hdfs_client["id"])
sdk_auth.kinit(hdfs_client["id"],
keytab=config.KEYTAB,
principal=kerberos.get_principal("alice"))
write_access_cmd = "/bin/bash -c \"{}\"".format(
config.hdfs_write_command(config.TEST_CONTENT_SMALL,
"/users/alice/{}".format(test_filename)))
log.info("Alice can write: %s", write_access_cmd)
rc, stdout, _ = sdk_cmd.task_exec(hdfs_client["id"], write_access_cmd)
assert stdout == '' and rc == 0
read_access_cmd = config.hdfs_read_command(
"/users/alice/{}".format(test_filename))
log.info("Alice can read: %s", read_access_cmd)
_, stdout, _ = sdk_cmd.task_exec(hdfs_client["id"], read_access_cmd)
assert stdout == config.TEST_CONTENT_SMALL
ls_cmd = config.hdfs_command("ls /users/alice")
_, stdout, _ = sdk_cmd.task_exec(hdfs_client["id"], ls_cmd)
assert "/users/alice/{}".format(test_filename) in stdout
# bob doesn't have read/write access to alice's directory
sdk_auth.kdestroy(hdfs_client["id"])
sdk_auth.kinit(hdfs_client["id"],
keytab=config.KEYTAB,
principal=kerberos.get_principal("bob"))
log.info("Bob tries to wrtie to alice's directory: %s", write_access_cmd)
_, _, stderr = sdk_cmd.task_exec(hdfs_client["id"], write_access_cmd)
log.info("Bob can't write to alice's directory: %s", write_access_cmd)
assert "put: Permission denied: user=bob" in stderr
log.info("Bob tries to read from alice's directory: %s", read_access_cmd)
_, _, stderr = sdk_cmd.task_exec(hdfs_client["id"], read_access_cmd)
log.info("Bob can't read from alice's directory: %s", read_access_cmd)
assert "cat: Permission denied: user=bob" in stderr
def test_users_have_appropriate_permissions(hdfs_client, kerberos):
# "hdfs" is a superuser
sdk_auth.kinit(hdfs_client["id"],
keytab=config.KEYTAB,
principal=kerberos.get_principal("hdfs"))
alice_dir = "/users/alice"
success = True
cmd_lists = [
["mkdir", "-p", alice_dir],
["chown", "alice:users", alice_dir],
["chmod", "700", alice_dir],
]
for cmd_list in cmd_lists:
cmd = config.hdfs_command(" ".join(cmd_list))
cmd_success = config.run_client_command(cmd)
if not cmd_success:
log.error("Error executing: %s", cmd)
success = success and cmd_success
if not success:
log.error("Error creating %s", alice_dir)
raise Exception("Error creating user directory")
# alice has read/write access to her directory
sdk_auth.kdestroy(hdfs_client["id"])
sdk_auth.kinit(hdfs_client["id"],
keytab=config.KEYTAB,
principal=kerberos.get_principal("alice"))
test_filename = "{}/{}".format(
alice_dir,
config.get_unique_filename("test_kerberos_auth_user_permissions"))
config.hdfs_client_write_data(test_filename)
config.hdfs_client_read_data(test_filename)
_, stdout, _ = config.hdfs_client_list_files(alice_dir)
assert test_filename in stdout
# bob doesn't have read/write access to alice's directory
sdk_auth.kdestroy(hdfs_client["id"])
sdk_auth.kinit(hdfs_client["id"],
keytab=config.KEYTAB,
principal=kerberos.get_principal("bob"))
config.hdfs_client_write_data(
test_filename,
expect_failure_message="put: Permission denied: user=bob")
config.hdfs_client_read_data(
test_filename,
expect_failure_message="cat: Permission denied: user=bob")
def test_users_have_appropriate_permissions(hdfs_client, kerberos):
# "hdfs" is a superuser
sdk_auth.kinit(hdfs_client["id"], keytab=config.KEYTAB, principal=kerberos.get_principal("hdfs"))
log.info("Creating directory for alice")
make_user_directory_cmd = config.hdfs_command("mkdir -p /users/alice")
sdk_cmd.marathon_task_exec(hdfs_client["id"], make_user_directory_cmd)
change_ownership_cmd = config.hdfs_command("chown alice:users /users/alice")
sdk_cmd.marathon_task_exec(hdfs_client["id"], change_ownership_cmd)
change_permissions_cmd = config.hdfs_command("chmod 700 /users/alice")
sdk_cmd.marathon_task_exec(hdfs_client["id"], change_permissions_cmd)
test_filename = "test_user_permissions-{}".format(str(uuid.uuid4()))
# alice has read/write access to her directory
sdk_auth.kdestroy(hdfs_client["id"])
sdk_auth.kinit(hdfs_client["id"], keytab=config.KEYTAB, principal=kerberos.get_principal("alice"))
write_access_cmd = "/bin/bash -c \"{}\"".format(config.hdfs_write_command(
config.TEST_CONTENT_SMALL,
"/users/alice/{}".format(test_filename)))
log.info("Alice can write: %s", write_access_cmd)
rc, stdout, _ = sdk_cmd.marathon_task_exec(hdfs_client["id"], write_access_cmd)
assert stdout == '' and rc == 0
read_access_cmd = config.hdfs_read_command("/users/alice/{}".format(test_filename))
log.info("Alice can read: %s", read_access_cmd)
_, stdout, _ = sdk_cmd.marathon_task_exec(hdfs_client["id"], read_access_cmd)
assert stdout == config.TEST_CONTENT_SMALL
ls_cmd = config.hdfs_command("ls /users/alice")
_, stdout, _ = sdk_cmd.marathon_task_exec(hdfs_client["id"], ls_cmd)
assert "/users/alice/{}".format(test_filename) in stdout
# bob doesn't have read/write access to alice's directory
sdk_auth.kdestroy(hdfs_client["id"])
sdk_auth.kinit(hdfs_client["id"], keytab=config.KEYTAB, principal=kerberos.get_principal("bob"))
log.info("Bob tries to wrtie to alice's directory: %s", write_access_cmd)
_, _, stderr = sdk_cmd.marathon_task_exec(hdfs_client["id"], write_access_cmd)
log.info("Bob can't write to alice's directory: %s", write_access_cmd)
assert "put: Permission denied: user=bob" in stderr
log.info("Bob tries to read from alice's directory: %s", read_access_cmd)
_, _, stderr = sdk_cmd.marathon_task_exec(hdfs_client["id"], read_access_cmd)
log.info("Bob can't read from alice's directory: %s", read_access_cmd)
assert "cat: Permission denied: user=bob" in stderr
def test_users_have_appropriate_permissions(hdfs_client, kerberos):
# "hdfs" is a superuser
sdk_auth.kinit(
hdfs_client["id"], keytab=config.KEYTAB, principal=kerberos.get_principal("hdfs")
)
alice_dir = "/users/alice"
success = True
cmd_lists = [
["mkdir", "-p", alice_dir],
["chown", "alice:users", alice_dir],
["chmod", "700", alice_dir],
]
for cmd_list in cmd_lists:
cmd = config.hdfs_command(" ".join(cmd_list))
cmd_success = config.run_client_command(cmd)
if not cmd_success:
log.error("Error executing: %s", cmd)
success = success and cmd_success
if not success:
log.error("Error creating %s", alice_dir)
raise Exception("Error creating user directory")
# alice has read/write access to her directory
sdk_auth.kdestroy(hdfs_client["id"])
sdk_auth.kinit(
hdfs_client["id"], keytab=config.KEYTAB, principal=kerberos.get_principal("alice")
)
test_filename = "{}/{}".format(alice_dir, config.get_unique_filename("test_kerberos_auth_user_permissions"))
config.hdfs_client_write_data(test_filename)
config.hdfs_client_read_data(test_filename)
_, stdout, _ = config.hdfs_client_list_files(alice_dir)
assert test_filename in stdout
# bob doesn't have read/write access to alice's directory
sdk_auth.kdestroy(hdfs_client["id"])
sdk_auth.kinit(hdfs_client["id"], keytab=config.KEYTAB, principal=kerberos.get_principal("bob"))
config.hdfs_client_write_data(test_filename, expect_failure_message="put: Permission denied: user=bob")
config.hdfs_client_read_data(test_filename, expect_failure_message="cat: Permission denied: user=bob")
def test_user_can_auth_and_write_and_read(hdfs_client, kerberos):
sdk_auth.kinit(
hdfs_client["id"], keytab=config.KEYTAB, principal=kerberos.get_principal("hdfs")
)
config.check_user_can_auth_and_write_and_read()
