def test_user_can_write_and_read(kerberos): try: client_app_def = config.get_kerberized_hdfs_client_app() client_app_def["secrets"]["hdfs_keytab"][ "source"] = kerberos.get_keytab_path() client_app_def["env"]["REALM"] = kerberos.get_realm() client_app_def["env"]["KDC_ADDRESS"] = kerberos.get_kdc_address() sdk_marathon.install_app(client_app_def) client_task_id = client_app_def["id"] sdk_auth.kinit(client_task_id, keytab=config.KEYTAB, principal=config.GENERIC_HDFS_USER_PRINCIPAL) write_cmd = "/bin/bash -c '{}'".format( config.hdfs_write_command(config.TEST_FILE_1_NAME, config.TEST_CONTENT_SMALL)) sdk_tasks.task_exec(client_task_id, write_cmd) read_cmd = "/bin/bash -c '{}'".format( config.hdfs_read_command(config.TEST_FILE_1_NAME)) _, stdout, _ = sdk_tasks.task_exec(client_task_id, read_cmd) assert stdout == config.TEST_CONTENT_SMALL finally: sdk_marathon.destroy_app(client_task_id)
def verify_shared_executor(pod_name, expected_files=['essential', 'nonessential'], delete_files=True): '''verify that both tasks share the same executor: - matching ExecutorInfo - both 'essential' and 'nonessential' present in shared-volume/ across both tasks ''' tasks = sdk_cmd.svc_cli(config.PACKAGE_NAME, config.SERVICE_NAME, 'pod info {}'.format(pod_name), json=True) assert len(tasks) == 2 # check that the task executors all match executor = tasks[0]['info']['executor'] for task in tasks[1:]: assert executor == task['info']['executor'] # for each task, check shared volume content matches what's expected task_names = [task['info']['name'] for task in tasks] for task_name in task_names: # 1.9 just uses the host filesystem in 'task exec', so use 'task ls' across the board instead filenames = sdk_cmd.run_cli('task ls {} shared-volume/'.format(task_name)).strip().split() assert set(expected_files) == set(filenames) # delete files from volume in preparation for a following task relaunch if delete_files: if sdk_utils.dcos_version_less_than("1.10"): # 1.9 just uses the host filesystem in 'task exec', so figure out the absolute volume path manually expected_file_path = sdk_tasks.task_exec( task_names[0], 'find /var/lib/mesos/slave/volumes -iname ' + filenames[0])[1].strip() # volume dir is parent of the expected file path. volume_dir = os.path.dirname(expected_file_path) else: # 1.10+ works correctly: path is relative to sandbox volume_dir = 'shared-volume/' sdk_tasks.task_exec(task_names[0], 'rm ' + ' '.join([os.path.join(volume_dir, name) for name in filenames]))
def create_keystore_truststore(cn: str, task: str): pub_path = "{}_pub.crt".format(cn) priv_path = "{}_priv.key".format(cn) keystore_path = "{}_keystore.jks".format(cn) truststore_path = "{}_truststore.jks".format(cn) log.info("Generating keystore and truststore, task:{}".format(task)) output = sdk_tasks.task_exec( task, "curl -k -v leader.mesos/ca/dcos-ca.crt -o dcos-ca.crt") # Convert to a PKCS12 key output = sdk_tasks.task_exec( task, 'bash -c "export RANDFILE=/mnt/mesos/sandbox/.rnd && \ openssl pkcs12 -export -in {} -inkey {} \ -out keypair.p12 -name keypair -passout pass:export \ -CAfile dcos-ca.crt -caname root"'.format(pub_path, priv_path)) log.info(output) assert output[0] is 0 log.info("Generating certificate: importing into keystore and truststore") # Import into the keystore and truststore output = sdk_tasks.task_exec( task, "keytool -importkeystore \ -deststorepass changeit -destkeypass changeit -destkeystore {} \ -srckeystore keypair.p12 -srcstoretype PKCS12 -srcstorepass export \ -alias keypair".format(keystore_path)) log.info(output) assert output[0] is 0 output = sdk_tasks.task_exec( task, "keytool -import -trustcacerts -noprompt \ -file dcos-ca.crt -storepass changeit \ -keystore {}".format(truststore_path)) log.info(output) assert output[0] is 0
def setup_history_server(hdfs_with_kerberos, setup_hdfs_client, configure_universe): try: sdk_tasks.task_exec(HDFS_CLIENT_ID, "bin/hdfs dfs -mkdir /history") shakedown.install_package( package_name=utils.HISTORY_PACKAGE_NAME, options_json={ "service": { "hdfs-config-url": "http://api.{}.marathon.l4lb.thisdcos.directory/v1/endpoints" .format(HDFS_SERVICE_NAME) }, "security": { "kerberos": { "krb5conf": utils.HDFS_KRB5_CONF, "principal": GENERIC_HDFS_USER_PRINCIPAL, "keytab": KEYTAB_SECRET_PATH } } }, wait_for_completion=True # wait for it to become healthy ) yield finally: sdk_marathon.destroy_app(utils.HISTORY_SERVICE_NAME)
def kinit(task_id: str, keytab: str, principal: str): """ Performs a kinit command to authenticate the specified principal. :param task_id: The task in whose environment the kinit will run. :param keytab: The keytab used by kinit to authenticate. :param principal: The name of the principal the user wants to authenticate as. """ kinit_cmd = "kinit -kt {keytab} {principal}".format(keytab=keytab, principal=principal) sdk_tasks.task_exec(task_id, kinit_cmd)
def write_client_properties(cn: str, task: str) -> str: sdk_tasks.task_exec( task, """bash -c \"cat >{cn}-client.properties << EOL security.protocol = SSL ssl.truststore.location = {cn}_truststore.jks ssl.truststore.password = changeit ssl.keystore.location = {cn}_keystore.jks ssl.keystore.password = changeit EOL\"""".format(cn=cn)) return "{}-client.properties".format(cn)
def test_changing_discovery_replaces_certificate_sans(hello_world_service): """ Update service configuration to change discovery prefix of a task. Scheduler should update task and new SANs should be generated. """ original_tasks = sdk_tasks.get_task_ids(config.PACKAGE_NAME, 'discovery') assert len(original_tasks) == 1, 'Expecting exactly one task ID' task_id = original_tasks[0] assert task_id # Load end-entity certificate from PEM encoded file _, stdout, _ = sdk_tasks.task_exec(task_id, 'cat server.crt') end_entity_cert = x509.load_pem_x509_certificate(stdout.encode('ascii'), DEFAULT_BACKEND) san_extension = end_entity_cert.extensions.get_extension_for_oid( ExtensionOID.SUBJECT_ALTERNATIVE_NAME) sans = [ san.value for san in san_extension.value._general_names._general_names ] expected_san = ( '{name}-0.{service_name}.autoip.dcos.thisdcos.directory'.format( name=DISCOVERY_TASK_PREFIX, service_name=config.SERVICE_NAME)) assert expected_san in sans # Run task update with new discovery prefix marathon_config = sdk_marathon.get_config(config.SERVICE_NAME) marathon_config['env'][ 'DISCOVERY_TASK_PREFIX'] = DISCOVERY_TASK_PREFIX + '-new' sdk_marathon.update_app(config.SERVICE_NAME, marathon_config) sdk_tasks.check_tasks_updated(config.SERVICE_NAME, 'discovery', original_tasks) sdk_tasks.check_running(config.SERVICE_NAME, 4) new_task_id = sdk_tasks.get_task_ids(config.SERVICE_NAME, "discovery")[0] assert task_id != new_task_id _, stdout, _ = sdk_tasks.task_exec(new_task_id, 'cat server.crt') new_cert = x509.load_pem_x509_certificate(stdout.encode('ascii'), DEFAULT_BACKEND) san_extension = new_cert.extensions.get_extension_for_oid( ExtensionOID.SUBJECT_ALTERNATIVE_NAME) sans = [ san.value for san in san_extension.value._general_names._general_names ] expected_san = ( '{name}-0.{service_name}.autoip.dcos.thisdcos.directory'.format( name=DISCOVERY_TASK_PREFIX + '-new', service_name=config.SERVICE_NAME)) assert expected_san in sans
def test_user_can_auth_and_write_and_read(kerberized_hdfs_client): sdk_auth.kinit(kerberized_hdfs_client, keytab=config.KEYTAB, principal=config.CLIENT_PRINCIPALS["hdfs"]) write_cmd = "/bin/bash -c '{}'".format( config.hdfs_write_command(config.TEST_CONTENT_SMALL, config.TEST_FILE_1_NAME)) sdk_tasks.task_exec(kerberized_hdfs_client, write_cmd) read_cmd = "/bin/bash -c '{}'".format( config.hdfs_read_command(config.TEST_FILE_1_NAME)) _, stdout, _ = sdk_tasks.task_exec(kerberized_hdfs_client, read_cmd) assert stdout == config.TEST_CONTENT_SMALL
def test_java_keystore(hello_world_service): """ Java `keystore-app` presents itself with provided TLS certificate from keystore. """ task_id = sdk_tasks.get_task_ids(config.SERVICE_NAME, 'artifacts')[0] assert task_id # Make a curl request from artifacts container to `keystore-app` # and make sure that mesos curl can verify certificate served by app curl = ('curl -v -i ' '--cacert secure-tls-pod.ca ' 'https://' + sdk_hosts.vip_host(config.SERVICE_NAME, KEYSTORE_TASK_HTTPS_PORT_NAME) + '/hello-world') _, output = sdk_tasks.task_exec(task_id, curl, return_stderr_in_stdout=True) # Check that HTTP request was successful with response 200 and make sure # that curl with pre-configured cert was used and that task was matched # by SAN in certificate. assert 'HTTP/1.1 200 OK' in output assert 'CAfile: secure-tls-pod.ca' in output tls_verification_msg = ( 'host "keystore-https.hello-world.l4lb.thisdcos.directory" matched ' 'cert\'s "keystore-https.hello-world.l4lb.thisdcos.directory"') assert tls_verification_msg in output
def test_tls_basic_artifacts(hello_world_service): task_id = sdk_tasks.get_task_ids(config.SERVICE_NAME, 'artifacts')[0] assert task_id # Load end-entity certificate from keystore and root CA cert from truststore stdout = sdk_tasks.task_exec(task_id, 'cat secure-tls-pod.crt')[1].encode('ascii') end_entity_cert = x509.load_pem_x509_certificate(stdout, DEFAULT_BACKEND) root_ca_cert_in_truststore = _export_cert_from_task_keystore( task_id, 'keystore.truststore', 'dcos-root') # Check that certificate subject maches the service name common_name = end_entity_cert.subject.get_attributes_for_oid( NameOID.COMMON_NAME)[0].value assert common_name in sdk_hosts.autoip_host(config.SERVICE_NAME, 'artifacts-0-node') san_extension = end_entity_cert.extensions.get_extension_for_oid( ExtensionOID.SUBJECT_ALTERNATIVE_NAME) sans = san_extension.value._general_names._general_names assert len(sans) == 1 cluster_root_ca_cert = x509.load_pem_x509_certificate( sdk_cmd.request('get', shakedown.dcos_url_path('/ca/dcos-ca.crt')).content, DEFAULT_BACKEND) assert root_ca_cert_in_truststore.signature == cluster_root_ca_cert.signature
def resolve_hosts(task_id: str, hosts: list) -> bool: """ Use bootstrap to resolve the specified list of hosts """ bootstrap_cmd = [ 'bootstrap', '-print-env=false', '-myfw=false', '-install-certs=false', '-resolve-hosts', ','.join(hosts) ] LOG.info("Running bootstrap to wait for DNS resolution of %s\n\t%s", hosts, bootstrap_cmd) return_code, bootstrap_stdout, bootstrap_stderr = sdk_tasks.task_exec( task_id, ' '.join(bootstrap_cmd)) LOG.info("bootstrap return code: %s", return_code) LOG.info("bootstrap STDOUT: %s", bootstrap_stdout) LOG.info("bootstrap STDERR: %s", bootstrap_stderr) # Note that bootstrap returns its output in STDERR resolved = 'SDK Bootstrap successful.' in bootstrap_stderr if not resolved: for host in hosts: resolved_host_string = "Resolved '{host}' =>".format(host=host) host_resolved = resolved_host_string in bootstrap_stdout if not host_resolved: LOG.error("Could not resolve: %s", host) return resolved
def _export_cert_from_task_keystore(task, keystore_path, alias, password=KEYSTORE_PASS): """ Retrieves certificate from the keystore with given alias by executing a keytool in context of running container and loads the certificate to memory. Args: task (str): Task id of container that contains the keystore keystore_path (str): Path inside container to keystore containing the certificate alias (str): Alias of the certificate in the keystore Returns: x509.Certificate object """ args = ['-rfc'] if password: args.append('-storepass "{password}"'.format(password=password)) args_str = ' '.join(args) cert_bytes = sdk_tasks.task_exec( task, _keystore_export_command(keystore_path, alias, args_str))[1].encode('ascii') return x509.load_pem_x509_certificate(cert_bytes, DEFAULT_BACKEND)
def __run_kadmin(self, options: list, cmd: str, args: list): """ Invokes Kerberos' kadmin binary inside the container to run some command. :param options (list): A list of options given to kadmin. :param cmd (str): The name of the sub command to run. :param args (list): A list of arguments passed to the sub command. This should also include any flags needed to be set for the sub command. :raises a generic Exception if the invocation fails. """ kadmin_cmd = "/usr/sbin/kadmin {options} {cmd} {args}".format( options=' '.join(options), cmd=cmd, args=' '.join(args)) log.info("Running kadmin: {}".format(kadmin_cmd)) try: sdk_tasks.task_exec(self.task_id, kadmin_cmd) except Exception as e: log.error("Failed to run kadmin: {}".format(repr(e))) raise e
def create_tls_artifacts(cn: str, task: str) -> str: pub_path = "{}_pub.crt".format(cn) priv_path = "{}_priv.key".format(cn) log.info("Generating certificate. cn={}, task={}".format(cn, task)) output = sdk_tasks.task_exec( task, 'openssl req -nodes -newkey rsa:2048 -keyout {} -out request.csr \ -subj "/C=US/ST=CA/L=SF/O=Mesosphere/OU=Mesosphere/CN={}"'.format( priv_path, cn)) log.info(output) assert output[0] is 0 raw_csr = sdk_tasks.task_exec(task, 'cat request.csr') assert raw_csr[0] is 0 request = { "certificate_request": raw_csr[1] # The actual content is second in the array } token = sdk_cmd.run_cli("config show core.dcos_acs_token") cmd = "curl -X POST \ -H 'Authorization: token={}' \ leader.mesos/ca/api/v2/sign \ -d '{}'".format(token, json.dumps(request)) output = sdk_tasks.task_exec( task, "curl -X POST \ -H 'Authorization: token={}' \ leader.mesos/ca/api/v2/sign \ -d '{}'".format(token, json.dumps(request))) log.info(output) assert output[0] is 0 # Write the public cert to the client certificate = json.loads(output[1])["result"]["certificate"] output = sdk_tasks.task_exec( task, "bash -c \"echo '{}' > {}\"".format(certificate, pub_path)) log.info(output) assert output[0] is 0 create_keystore_truststore(cn, task) return "CN={},OU=Mesosphere,O=Mesosphere,L=SF,ST=CA,C=US".format(cn)
def test_client_can_read_and_write(kafka_client): topics = sdk_cmd.svc_cli(config.PACKAGE_NAME, config.SERVICE_NAME, "topic create securetest", json=True) log.info("Created topic: %s", topics) brokers = sdk_cmd.svc_cli(config.PACKAGE_NAME, config.SERVICE_NAME, "endpoint broker", json=True) broker_dns = list(map(lambda x: x.split(':')[0], brokers["dns"])) log.info("Running bootstrap to wait for DNS resolution") bootstrap_cmd = [ '/opt/bootstrap', '-resolve-hosts', ','.join(broker_dns), '-verbose' ] bootstrap_output = sdk_tasks.task_exec(kafka_client, ' '.join(bootstrap_cmd)) log.info(bootstrap_output) message = uuid.uuid4() producer_cmd = ['/tmp/kafkaconfig/start.sh', 'producer', str(message)] for i in range(2): log.info("Running(%s) %s", i, producer_cmd) producer_output = sdk_tasks.task_exec(kafka_client, ' '.join(producer_cmd)) log.info("Producer output(%s): %s", i, producer_output) assert "Sent message: '{message}'".format( message=str(message)) in ' '.join(str(p) for p in producer_output) consumer_cmd = ['/tmp/kafkaconfig/start.sh', 'consumer', 'single'] log.info("Running %s", consumer_cmd) consumer_output = sdk_tasks.task_exec(kafka_client, ' '.join(consumer_cmd)) log.info("Consumer output: %s", consumer_output) assert str(message) in ' '.join(str(c) for c in consumer_output)
def wait_for_brokers(client: str, brokers: list): """ Run bootstrap on the specified client to resolve the list of brokers """ LOG.info("Running bootstrap to wait for DNS resolution") bootstrap_cmd = [ '/opt/bootstrap', '-print-env=false', '-template=false', '-install-certs=false', '-resolve-hosts', ','.join(brokers) ] bootstrap_output = sdk_tasks.task_exec(client, ' '.join(bootstrap_cmd)) LOG.info(bootstrap_output) assert "SDK Bootstrap successful" in ' '.join( str(bo) for bo in bootstrap_output)
def write_client_properties(primary: str, task: str) -> str: output_file = "{primary}-client.properties".format(primary=primary) LOG.info("Generating %s", output_file) output_cmd = """bash -c \"cat >{output_file} << EOL security.protocol=SASL_PLAINTEXT sasl.mechanism=GSSAPI sasl.kerberos.service.name=kafka EOL\"""".format(output_file=output_file, primary=primary) LOG.info("Running: %s", output_cmd) output = sdk_tasks.task_exec(task, output_cmd) LOG.info(output) return output_file
def _add_role_acls(role: str, user: str, task: str, topic: str, zookeeper_endpoint: str, env_str=None): cmd = "bash -c \"{setup_env}kafka-acls \ --topic {topic_name} \ --authorizer-properties zookeeper.connect={zookeeper_endpoint} \ --add \ --allow-principal User:{user} \ --{role}\"".format( setup_env="{} && ".format(env_str) if env_str else "", topic_name=topic, zookeeper_endpoint=zookeeper_endpoint, user=user, role=role) LOG.info("Running: %s", cmd) output = sdk_tasks.task_exec(task, cmd) LOG.info(output)
def write_krb5_config_file(task: str) -> str: output_file = "krb5.config" LOG.info("Generating %s", output_file) # TODO: Set realm and kdc properties output_cmd = """bash -c \"cat >{output_file} << EOL [libdefaults] default_realm = LOCAL [realms] LOCAL = {{ kdc = kdc.marathon.autoip.dcos.thisdcos.directory:2500 }} EOL\"""".format(output_file=output_file) LOG.info("Running: %s", output_cmd) output = sdk_tasks.task_exec(task, output_cmd) LOG.info(output) return output_file
def test_java_truststore(hello_world_service): """ Make an HTTP request from CLI to nginx exposed service. Test that CLI reads and uses truststore to verify HTTPS connection. """ task_id = sdk_tasks.get_task_ids(config.SERVICE_NAME, "keystore")[0] assert task_id # Make an http request from a CLI app using configured keystore to the # service itself exposed via VIP. # This will test whether the service is serving correct end-entity # certificate from keystore and if CLI client can verify certificate # with custom truststore configuration. command = _java_command( 'java -jar ' + KEYSTORE_APP_JAR_NAME + ' truststoretest ' 'integration-test.yml ' 'https://' + sdk_hosts.vip_host(config.SERVICE_NAME, NGINX_TASK_HTTPS_PORT_NAME)) _, output, _ = sdk_tasks.task_exec(task_id, command) # Unfortunately the `dcos task exec` doesn't respect the return code # from executed command in container so we need to manually assert for # expected output. assert 'status=200' in output
def write_jaas_config_file(primary: str, task: str) -> str: output_file = "{primary}-client-jaas.config".format(primary=primary) LOG.info("Generating %s", output_file) # TODO: use kafka_client keytab path output_cmd = """bash -c \"cat >{output_file} << EOL KafkaClient {{ com.sun.security.auth.module.Krb5LoginModule required doNotPrompt=true useTicketCache=true principal=\\"{primary}@LOCAL\\" useKeyTab=true serviceName=\\"kafka\\" keyTab=\\"/tmp/kafkaconfig/kafka-client.keytab\\" client=true; }}; EOL\"""".format(output_file=output_file, primary=primary) LOG.info("Running: %s", output_cmd) output = sdk_tasks.task_exec(task, output_cmd) LOG.info(output) return output_file
def test_tls_nginx(hello_world_service): """ Checks that NGINX exposes TLS service with correct PEM encoded end-entity certificate. """ # Use keystore-app `truststoretest` CLI command to run request against # the NGINX container to verify that nginx presents itself with end-entity # certificate that can be verified by with truststore. task_id = sdk_tasks.get_task_ids(config.SERVICE_NAME, 'keystore')[0] assert task_id command = _java_command( 'java -jar ' + KEYSTORE_APP_JAR_NAME + ' truststoretest ' 'integration-test.yml ' 'https://' + sdk_hosts.vip_host(config.SERVICE_NAME, NGINX_TASK_HTTPS_PORT_NAME) + '/') _, output, _ = sdk_tasks.task_exec(task_id, command) # Unfortunately the `dcos task exec` doesn't respect the return code # from executed command in container so we need to manually assert for # expected output. assert 'status=200' in output
def test_soak_secrets_update(): secret_content_alternative = "hello-world-secret-data-alternative" test_soak_secrets_framework_alive() sdk_cmd.run_cli("package install --cli dcos-enterprise-cli --yes") sdk_cmd.run_cli("package install --cli hello-world --yes") sdk_cmd.run_cli( "security secrets update --value={} secrets/secret1".format( secret_content_alternative)) sdk_cmd.run_cli( "security secrets update --value={} secrets/secret2".format( secret_content_alternative)) sdk_cmd.run_cli( "security secrets update --value={} secrets/secret3".format( secret_content_alternative)) test_soak_secrets_restart_hello0() # get new task ids - only first pod hello_tasks = sdk_tasks.get_task_ids(FRAMEWORK_NAME, "hello-0") world_tasks = sdk_tasks.get_task_ids(FRAMEWORK_NAME, "world-0") # make sure content is changed assert secret_content_alternative == sdk_tasks.task_exec( world_tasks[0], "bash -c 'echo $WORLD_SECRET1_ENV'")[1] assert secret_content_alternative == sdk_tasks.task_exec( world_tasks[0], "cat WORLD_SECRET2_FILE")[1] assert secret_content_alternative == sdk_tasks.task_exec( world_tasks[0], "cat secrets/secret3")[1] # make sure content is changed assert secret_content_alternative == sdk_tasks.task_exec( hello_tasks[0], "bash -c 'echo $HELLO_SECRET1_ENV'")[1] assert secret_content_alternative == sdk_tasks.task_exec( hello_tasks[0], "cat HELLO_SECRET1_FILE")[1] assert secret_content_alternative == sdk_tasks.task_exec( hello_tasks[0], "cat HELLO_SECRET2_FILE")[1] # revert back to some other value sdk_cmd.run_cli("security secrets update --value=SECRET1 secrets/secret1") sdk_cmd.run_cli("security secrets update --value=SECRET2 secrets/secret2") sdk_cmd.run_cli("security secrets update --value=SECRET3 secrets/secret3") test_soak_secrets_restart_hello0()
def kdestroy(task_id: str): """ Performs a kdestroy command to erase an auth session for a principal. :param task_id: The task in whose environment the kinit will run. """ sdk_tasks.task_exec(task_id, "kdestroy")
def test_users_have_appropriate_permissions(kerberized_hdfs_client): # "hdfs" is a superuser sdk_auth.kinit(kerberized_hdfs_client, keytab=config.KEYTAB, principal=config.CLIENT_PRINCIPALS["hdfs"]) log.info("Creating directory for alice") make_user_directory_cmd = config.hdfs_command("mkdir -p /users/alice") sdk_tasks.task_exec(kerberized_hdfs_client, make_user_directory_cmd) change_ownership_cmd = config.hdfs_command( "chown alice:users /users/alice") sdk_tasks.task_exec(kerberized_hdfs_client, change_ownership_cmd) change_permissions_cmd = config.hdfs_command("chmod 700 /users/alice") sdk_tasks.task_exec(kerberized_hdfs_client, change_permissions_cmd) # alice has read/write access to her directory sdk_auth.kdestroy(kerberized_hdfs_client) sdk_auth.kinit(kerberized_hdfs_client, keytab=config.KEYTAB, principal=config.CLIENT_PRINCIPALS["alice"]) write_access_cmd = "/bin/bash -c \"{}\"".format( config.hdfs_write_command( config.TEST_CONTENT_SMALL, "/users/alice/{}".format(config.TEST_FILE_1_NAME))) log.info("Alice can write: {}".format(write_access_cmd)) rc, stdout, _ = sdk_tasks.task_exec(kerberized_hdfs_client, write_access_cmd) assert stdout == '' and rc == 0 read_access_cmd = config.hdfs_read_command("/users/alice/{}".format( config.TEST_FILE_1_NAME)) log.info("Alice can read: {}".format(read_access_cmd)) _, stdout, _ = sdk_tasks.task_exec(kerberized_hdfs_client, read_access_cmd) assert stdout == config.TEST_CONTENT_SMALL ls_cmd = config.hdfs_command("ls /users/alice") _, stdout, _ = sdk_tasks.task_exec(kerberized_hdfs_client, ls_cmd) assert "/users/alice/{}".format(config.TEST_FILE_1_NAME) in stdout # bob doesn't have read/write access to alice's directory sdk_auth.kdestroy(kerberized_hdfs_client) sdk_auth.kinit(kerberized_hdfs_client, keytab=config.KEYTAB, principal=config.CLIENT_PRINCIPALS["bob"]) log.info( "Bob tries to wrtie to alice's directory: {}".format(write_access_cmd)) _, _, stderr = sdk_tasks.task_exec(kerberized_hdfs_client, write_access_cmd) log.info( "Bob can't write to alice's directory: {}".format(write_access_cmd)) assert "put: Permission denied: user=bob" in stderr log.info( "Bob tries to read from alice's directory: {}".format(read_access_cmd)) _, _, stderr = sdk_tasks.task_exec(kerberized_hdfs_client, read_access_cmd) log.info( "Bob can't read from alice's directory: {}".format(read_access_cmd)) assert "cat: Permission denied: user=bob" in stderr
def hdfs_cmd(cmd): sdk_tasks.task_exec(HDFS_CLIENT_ID, "bin/hdfs dfs -{}".format(cmd))
def cmd(pod_name, command): return sdk_tasks.task_exec( '{}-server'.format(pod_name), "bash -c 'JAVA_HOME=$(ls -d jre*/) apache-cassandra-*/bin/nodetool {}'".format(command))
def read_wrapper(): LOG.info("Running: %s", read_cmd) rc, stdout, stderr = sdk_tasks.task_exec(task, read_cmd) LOG.info("rc=%s\nstdout=%s\nstderr=%s\n", rc, stdout, stderr) return rc, stdout, stderr