def test_user_can_write_and_read(kerberos): try: client_app_def = config.get_kerberized_hdfs_client_app() client_app_def["secrets"]["hdfs_keytab"][ "source"] = kerberos.get_keytab_path() client_app_def["env"]["REALM"] = kerberos.get_realm() client_app_def["env"]["KDC_ADDRESS"] = kerberos.get_kdc_address() sdk_marathon.install_app(client_app_def) client_task_id = client_app_def["id"] sdk_auth.kinit(client_task_id, keytab=config.KEYTAB, principal=config.GENERIC_HDFS_USER_PRINCIPAL) write_cmd = "/bin/bash -c '{}'".format( config.hdfs_write_command(config.TEST_FILE_1_NAME, config.TEST_CONTENT_SMALL)) sdk_tasks.task_exec(client_task_id, write_cmd) read_cmd = "/bin/bash -c '{}'".format( config.hdfs_read_command(config.TEST_FILE_1_NAME)) _, stdout, _ = sdk_tasks.task_exec(client_task_id, read_cmd) assert stdout == config.TEST_CONTENT_SMALL finally: sdk_marathon.destroy_app(client_task_id)
def setup_history_server(hdfs_with_kerberos, setup_hdfs_client, configure_universe): try: sdk_auth.kinit(HDFS_CLIENT_ID, keytab="hdfs.keytab", principal=GENERIC_HDFS_USER_PRINCIPAL) hdfs_cmd("mkdir /history") hdfs_cmd("chmod 1777 /history") shakedown.install_package( package_name=utils.HISTORY_PACKAGE_NAME, options_json={ "service": { "user": SPARK_HISTORY_USER, "hdfs-config-url": "http://api.{}.marathon.l4lb.thisdcos.directory/v1/endpoints" .format(HDFS_SERVICE_NAME) }, "security": { "kerberos": { "enabled": True, "krb5conf": utils.HDFS_KRB5_CONF, "principal": GENERIC_HDFS_USER_PRINCIPAL, "keytab": KEYTAB_SECRET_PATH } } }, wait_for_completion=True # wait for it to become healthy ) yield finally: sdk_marathon.destroy_app(utils.HISTORY_SERVICE_NAME)
def test_user_can_auth_and_write_and_read(hdfs_client, kerberos): sdk_auth.kinit( hdfs_client["id"], keytab=config.KEYTAB, principal=kerberos.get_principal("hdfs") ) test_filename = config.get_unique_filename("test_ssl_kerberos_auth_write_read") config.hdfs_client_write_data(test_filename) config.hdfs_client_read_data(test_filename)
def test_user_can_auth_and_write_and_read(hdfs_client, kerberos): sdk_auth.kinit(hdfs_client["id"], keytab=config.KEYTAB, principal=kerberos.get_principal("hdfs")) test_filename = config.get_unique_filename("test_kerberos_auth_write_read") config.hdfs_client_write_data(test_filename) config.hdfs_client_read_data(test_filename)
def test_user_can_auth_and_write_and_read(hdfs_client, kerberos): sdk_auth.kinit(hdfs_client["id"], keytab=config.KEYTAB, principal=kerberos.get_principal("hdfs")) test_filename = "test_auth_write_read-{}".format(str(uuid.uuid4())) write_cmd = "/bin/bash -c '{}'".format(config.hdfs_write_command(config.TEST_CONTENT_SMALL, test_filename)) sdk_cmd.task_exec(hdfs_client["id"], write_cmd) read_cmd = "/bin/bash -c '{}'".format(config.hdfs_read_command(test_filename)) _, stdout, _ = sdk_cmd.task_exec(hdfs_client["id"], read_cmd) assert stdout == config.TEST_CONTENT_SMALL
def test_user_can_auth_and_write_and_read(hdfs_client, kerberos): sdk_auth.kinit(hdfs_client["id"], keytab=config.KEYTAB, principal=kerberos.get_principal("hdfs")) test_filename = "test_auth_write_read-{}".format(str(uuid.uuid4())) write_cmd = "/bin/bash -c \"{}\"".format(config.hdfs_write_command(config.TEST_CONTENT_SMALL, test_filename)) sdk_cmd.marathon_task_exec(hdfs_client["id"], write_cmd) read_cmd = "/bin/bash -c \"{}\"".format(config.hdfs_read_command(test_filename)) _, stdout, _ = sdk_cmd.marathon_task_exec(hdfs_client["id"], read_cmd) assert stdout == config.TEST_CONTENT_SMALL
def test_user_can_auth_and_write_and_read(hdfs_client, kerberos): sdk_auth.kinit(hdfs_client["id"], keytab=config.KEYTAB, principal=kerberos.get_principal("hdfs")) test_filename = "test_auth_write_read" # must be unique among tests in this suite write_cmd = "/bin/bash -c '{}'".format(config.hdfs_write_command(config.TEST_CONTENT_SMALL, test_filename)) sdk_cmd.marathon_task_exec(hdfs_client["id"], write_cmd) read_cmd = "/bin/bash -c '{}'".format(config.hdfs_read_command(test_filename)) _, stdout, _ = sdk_cmd.marathon_task_exec(hdfs_client["id"], read_cmd) assert stdout == config.TEST_CONTENT_SMALL
def setup_hdfs_paths(): sdk_auth.kinit(HDFS_CLIENT_ID, keytab="hdfs.keytab", principal=GENERIC_HDFS_USER_PRINCIPAL) hdfs_cmd("rm -r -f -skipTrash {}".format(HDFS_CHECKPOINT_DIR)) hdfs_cmd("mkdir {}".format(HDFS_CHECKPOINT_DIR)) hdfs_cmd("chmod 1777 {}".format(HDFS_CHECKPOINT_DIR)) hdfs_cmd("rm -r -f -skipTrash {}".format(HDFS_TMP_DIR)) hdfs_cmd("mkdir {}".format(HDFS_TMP_DIR)) hdfs_cmd("chmod 1777 {}".format(HDFS_TMP_DIR))
def test_user_can_auth_and_write_and_read(kerberized_hdfs_client): sdk_auth.kinit(kerberized_hdfs_client, keytab=config.KEYTAB, principal=config.CLIENT_PRINCIPALS["hdfs"]) write_cmd = "/bin/bash -c '{}'".format( config.hdfs_write_command(config.TEST_CONTENT_SMALL, config.TEST_FILE_1_NAME)) sdk_tasks.task_exec(kerberized_hdfs_client, write_cmd) read_cmd = "/bin/bash -c '{}'".format( config.hdfs_read_command(config.TEST_FILE_1_NAME)) _, stdout, _ = sdk_tasks.task_exec(kerberized_hdfs_client, read_cmd) assert stdout == config.TEST_CONTENT_SMALL
def test_user_can_auth_and_write_and_read(kerberized_hdfs_client): sdk_auth.kinit(kerberized_hdfs_client, keytab=config.KEYTAB, principal=config.CLIENT_PRINCIPALS["hdfs"]) test_filename = "test_auth_write_read" # must be unique among tests in this suite write_cmd = "/bin/bash -c '{}'".format( config.hdfs_write_command(config.TEST_CONTENT_SMALL, test_filename)) sdk_cmd.task_exec(kerberized_hdfs_client, write_cmd) read_cmd = "/bin/bash -c '{}'".format( config.hdfs_read_command(test_filename)) _, stdout, _ = sdk_cmd.task_exec(kerberized_hdfs_client, read_cmd) assert stdout == config.TEST_CONTENT_SMALL
def test_user_can_auth_and_write_and_read(hdfs_client, kerberos): sdk_auth.kinit(hdfs_client["id"], keytab=config.KEYTAB, principal=kerberos.get_principal("hdfs")) test_filename = "test_auth_write_read" # must be unique among tests in this suite write_cmd = "/bin/bash -c '{}'".format( config.hdfs_write_command(config.TEST_CONTENT_SMALL, test_filename)) sdk_cmd.marathon_task_exec(hdfs_client["id"], write_cmd) read_cmd = "/bin/bash -c '{}'".format( config.hdfs_read_command(test_filename)) _, stdout, _ = sdk_cmd.marathon_task_exec(hdfs_client["id"], read_cmd) assert stdout == config.TEST_CONTENT_SMALL
def setup_history_server(hdfs_with_kerberos, setup_hdfs_client, configure_universe): try: LOGGER.info('Preparing to install History Server') sdk_auth.kinit(HDFS_CLIENT_ID, keytab="hdfs.keytab", principal=GENERIC_HDFS_USER_PRINCIPAL) LOGGER.info('Creating History Server HDFS directory') hdfs_cmd("rm -r -f -skipTrash {}".format(HDFS_HISTORY_DIR)) hdfs_cmd("mkdir {}".format(HDFS_HISTORY_DIR)) hdfs_cmd("chmod 1777 {}".format(HDFS_HISTORY_DIR)) sdk_install.uninstall(HISTORY_PACKAGE_NAME, HISTORY_SERVICE_NAME) sdk_install.install( HISTORY_PACKAGE_NAME, HISTORY_SERVICE_NAME, 0, additional_options={ "service": { "name": HISTORY_SERVICE_NAME, "user": SPARK_HISTORY_USER, "log-dir": "hdfs://hdfs{}".format(HDFS_HISTORY_DIR), "hdfs-config-url": "http://api.{}.marathon.l4lb.thisdcos.directory/v1/endpoints" .format(HDFS_SERVICE_NAME) }, "security": { "kerberos": { "enabled": True, "krb5conf": HDFS_KRB5_CONF, "principal": GENERIC_HDFS_USER_PRINCIPAL, "keytab": KEYTAB_SECRET_PATH } } }, wait_for_deployment=False, # no deploy plan insert_strict_options=False ) # no standard service_account/etc options yield finally: sdk_install.uninstall(HISTORY_PACKAGE_NAME, HISTORY_SERVICE_NAME)
def setup_hdfs_client(hdfs_with_kerberos): try: curr_dir = os.path.dirname(os.path.realpath(__file__)) app_def_path = "{}/resources/hdfsclient.json".format(curr_dir) with open(app_def_path) as f: hdfsclient_app_def = json.load(f) hdfsclient_app_def["id"] = HDFS_CLIENT_ID hdfsclient_app_def["secrets"]["hdfs_keytab"][ "source"] = KEYTAB_SECRET_PATH sdk_marathon.install_app(hdfsclient_app_def) sdk_auth.kinit(HDFS_CLIENT_ID, keytab="hdfs.keytab", principal=GENERIC_HDFS_USER_PRINCIPAL) yield finally: sdk_marathon.destroy_app(HDFS_CLIENT_ID)
def test_users_have_appropriate_permissions(hdfs_client, kerberos): # "hdfs" is a superuser sdk_auth.kinit( hdfs_client["id"], keytab=config.KEYTAB, principal=kerberos.get_principal("hdfs") ) alice_dir = "/users/alice" config.run_client_command(" && ".join([ config.hdfs_command(c) for c in [ "mkdir -p {}".format(alice_dir), "chown alice:users {}".format(alice_dir), "chmod 700 {}".format(alice_dir), ] ])) test_filename = "{}/{}".format(alice_dir, config.get_unique_filename("test_kerberos_auth_user_permissions")) # alice has read/write access to her directory sdk_auth.kdestroy(hdfs_client["id"]) sdk_auth.kinit( hdfs_client["id"], keytab=config.KEYTAB, principal=kerberos.get_principal("alice") ) config.hdfs_client_write_data(test_filename) config.hdfs_client_read_data(test_filename) _, stdout, _ = config.hdfs_client_list_files(alice_dir) assert test_filename in stdout # bob doesn't have read/write access to alice's directory sdk_auth.kdestroy(hdfs_client["id"]) sdk_auth.kinit(hdfs_client["id"], keytab=config.KEYTAB, principal=kerberos.get_principal("bob")) config.hdfs_client_write_data(test_filename, expect_failure_message="put: Permission denied: user=bob") config.hdfs_client_read_data(test_filename, expect_failure_message="cat: Permission denied: user=bob")
def test_users_have_appropriate_permissions(hdfs_client, kerberos): # "hdfs" is a superuser sdk_auth.kinit( hdfs_client["id"], keytab=config.KEYTAB, principal=kerberos.get_principal("hdfs") ) alice_dir = "/users/alice" config.run_client_command(" && ".join([ config.hdfs_command(c) for c in [ "mkdir -p {}".format(alice_dir), "chown alice:users {}".format(alice_dir), "chmod 700 {}".format(alice_dir), ] ])) test_filename = "{}/{}".format(alice_dir, config.get_unique_filename("test_ssl_kerberos_auth_user_permissions")) # alice has read/write access to her directory sdk_auth.kdestroy(hdfs_client["id"]) sdk_auth.kinit( hdfs_client["id"], keytab=config.KEYTAB, principal=kerberos.get_principal("alice") ) config.hdfs_client_write_data(test_filename) config.hdfs_client_read_data(test_filename) _, stdout, _ = config.hdfs_client_list_files(alice_dir) assert test_filename in stdout # bob doesn't have read/write access to alice's directory sdk_auth.kdestroy(hdfs_client["id"]) sdk_auth.kinit(hdfs_client["id"], keytab=config.KEYTAB, principal=kerberos.get_principal("bob")) config.hdfs_client_write_data(test_filename, expect_failure_message="put: Permission denied: user=bob") config.hdfs_client_read_data(test_filename, expect_failure_message="cat: Permission denied: user=bob")
def test_users_have_appropriate_permissions(hdfs_client, kerberos): # "hdfs" is a superuser sdk_auth.kinit( hdfs_client["id"], keytab=config.KEYTAB, principal=kerberos.get_principal("hdfs") ) alice_dir = "/users/alice" test_filename = config.check_test_users_have_appropriate_permissions(alice_dir) # alice has read/write access to her directory sdk_auth.kdestroy(hdfs_client["id"]) sdk_auth.kinit( hdfs_client["id"], keytab=config.KEYTAB, principal=kerberos.get_principal("alice") ) config.hdfs_client_write_data(test_filename) config.hdfs_client_read_data(test_filename) _, stdout, _ = config.hdfs_client_list_files(alice_dir) assert test_filename in stdout # bob doesn't have read/write access to alice's directory sdk_auth.kdestroy(hdfs_client["id"]) sdk_auth.kinit(hdfs_client["id"], keytab=config.KEYTAB, principal=kerberos.get_principal("bob")) config.hdfs_client_write_data( test_filename, expect_failure_message="put: Permission denied: user=bob" ) config.hdfs_client_read_data( test_filename, expect_failure_message="cat: Permission denied: user=bob" )
def test_users_have_appropriate_permissions(kerberized_hdfs_client): # "hdfs" is a superuser sdk_auth.kinit(kerberized_hdfs_client, keytab=config.KEYTAB, principal=config.CLIENT_PRINCIPALS["hdfs"]) log.info("Creating directory for alice") make_user_directory_cmd = config.hdfs_command("mkdir -p /users/alice") sdk_cmd.task_exec(kerberized_hdfs_client, make_user_directory_cmd) change_ownership_cmd = config.hdfs_command( "chown alice:users /users/alice") sdk_cmd.task_exec(kerberized_hdfs_client, change_ownership_cmd) change_permissions_cmd = config.hdfs_command("chmod 700 /users/alice") sdk_cmd.task_exec(kerberized_hdfs_client, change_permissions_cmd) test_filename = "test_user_permissions" # must be unique among tests in this suite # alice has read/write access to her directory sdk_auth.kdestroy(kerberized_hdfs_client) sdk_auth.kinit(kerberized_hdfs_client, keytab=config.KEYTAB, principal=config.CLIENT_PRINCIPALS["alice"]) write_access_cmd = "/bin/bash -c \"{}\"".format( config.hdfs_write_command(config.TEST_CONTENT_SMALL, "/users/alice/{}".format(test_filename))) log.info("Alice can write: {}".format(write_access_cmd)) rc, stdout, _ = sdk_cmd.task_exec(kerberized_hdfs_client, write_access_cmd) assert stdout == '' and rc == 0 read_access_cmd = config.hdfs_read_command( "/users/alice/{}".format(test_filename)) log.info("Alice can read: {}".format(read_access_cmd)) _, stdout, _ = sdk_cmd.task_exec(kerberized_hdfs_client, read_access_cmd) assert stdout == config.TEST_CONTENT_SMALL ls_cmd = config.hdfs_command("ls /users/alice") _, stdout, _ = sdk_cmd.task_exec(kerberized_hdfs_client, ls_cmd) assert "/users/alice/{}".format(test_filename) in stdout # bob doesn't have read/write access to alice's directory sdk_auth.kdestroy(kerberized_hdfs_client) sdk_auth.kinit(kerberized_hdfs_client, keytab=config.KEYTAB, principal=config.CLIENT_PRINCIPALS["bob"]) log.info( "Bob tries to wrtie to alice's directory: {}".format(write_access_cmd)) _, _, stderr = sdk_cmd.task_exec(kerberized_hdfs_client, write_access_cmd) log.info( "Bob can't write to alice's directory: {}".format(write_access_cmd)) assert "put: Permission denied: user=bob" in stderr log.info( "Bob tries to read from alice's directory: {}".format(read_access_cmd)) _, _, stderr = sdk_cmd.task_exec(kerberized_hdfs_client, read_access_cmd) log.info( "Bob can't read from alice's directory: {}".format(read_access_cmd)) assert "cat: Permission denied: user=bob" in stderr
def test_users_have_appropriate_permissions(hdfs_client, kerberos): # "hdfs" is a superuser sdk_auth.kinit(hdfs_client["id"], keytab=config.KEYTAB, principal=kerberos.get_principal("hdfs")) log.info("Creating directory for alice") make_user_directory_cmd = config.hdfs_command("mkdir -p /users/alice") sdk_cmd.task_exec(hdfs_client["id"], make_user_directory_cmd) change_ownership_cmd = config.hdfs_command( "chown alice:users /users/alice") sdk_cmd.task_exec(hdfs_client["id"], change_ownership_cmd) change_permissions_cmd = config.hdfs_command("chmod 700 /users/alice") sdk_cmd.task_exec(hdfs_client["id"], change_permissions_cmd) test_filename = "test_user_permissions-{}".format(str(uuid.uuid4())) # alice has read/write access to her directory sdk_auth.kdestroy(hdfs_client["id"]) sdk_auth.kinit(hdfs_client["id"], keytab=config.KEYTAB, principal=kerberos.get_principal("alice")) write_access_cmd = "/bin/bash -c \"{}\"".format( config.hdfs_write_command(config.TEST_CONTENT_SMALL, "/users/alice/{}".format(test_filename))) log.info("Alice can write: %s", write_access_cmd) rc, stdout, _ = sdk_cmd.task_exec(hdfs_client["id"], write_access_cmd) assert stdout == '' and rc == 0 read_access_cmd = config.hdfs_read_command( "/users/alice/{}".format(test_filename)) log.info("Alice can read: %s", read_access_cmd) _, stdout, _ = sdk_cmd.task_exec(hdfs_client["id"], read_access_cmd) assert stdout == config.TEST_CONTENT_SMALL ls_cmd = config.hdfs_command("ls /users/alice") _, stdout, _ = sdk_cmd.task_exec(hdfs_client["id"], ls_cmd) assert "/users/alice/{}".format(test_filename) in stdout # bob doesn't have read/write access to alice's directory sdk_auth.kdestroy(hdfs_client["id"]) sdk_auth.kinit(hdfs_client["id"], keytab=config.KEYTAB, principal=kerberos.get_principal("bob")) log.info("Bob tries to wrtie to alice's directory: %s", write_access_cmd) _, _, stderr = sdk_cmd.task_exec(hdfs_client["id"], write_access_cmd) log.info("Bob can't write to alice's directory: %s", write_access_cmd) assert "put: Permission denied: user=bob" in stderr log.info("Bob tries to read from alice's directory: %s", read_access_cmd) _, _, stderr = sdk_cmd.task_exec(hdfs_client["id"], read_access_cmd) log.info("Bob can't read from alice's directory: %s", read_access_cmd) assert "cat: Permission denied: user=bob" in stderr
def test_users_have_appropriate_permissions(hdfs_client, kerberos): # "hdfs" is a superuser sdk_auth.kinit(hdfs_client["id"], keytab=config.KEYTAB, principal=kerberos.get_principal("hdfs")) alice_dir = "/users/alice" success = True cmd_lists = [ ["mkdir", "-p", alice_dir], ["chown", "alice:users", alice_dir], ["chmod", "700", alice_dir], ] for cmd_list in cmd_lists: cmd = config.hdfs_command(" ".join(cmd_list)) cmd_success = config.run_client_command(cmd) if not cmd_success: log.error("Error executing: %s", cmd) success = success and cmd_success if not success: log.error("Error creating %s", alice_dir) raise Exception("Error creating user directory") # alice has read/write access to her directory sdk_auth.kdestroy(hdfs_client["id"]) sdk_auth.kinit(hdfs_client["id"], keytab=config.KEYTAB, principal=kerberos.get_principal("alice")) test_filename = "{}/{}".format( alice_dir, config.get_unique_filename("test_kerberos_auth_user_permissions")) config.hdfs_client_write_data(test_filename) config.hdfs_client_read_data(test_filename) _, stdout, _ = config.hdfs_client_list_files(alice_dir) assert test_filename in stdout # bob doesn't have read/write access to alice's directory sdk_auth.kdestroy(hdfs_client["id"]) sdk_auth.kinit(hdfs_client["id"], keytab=config.KEYTAB, principal=kerberos.get_principal("bob")) config.hdfs_client_write_data( test_filename, expect_failure_message="put: Permission denied: user=bob") config.hdfs_client_read_data( test_filename, expect_failure_message="cat: Permission denied: user=bob")
def test_users_have_appropriate_permissions(hdfs_client, kerberos): # "hdfs" is a superuser sdk_auth.kinit(hdfs_client["id"], keytab=config.KEYTAB, principal=kerberos.get_principal("hdfs")) log.info("Creating directory for alice") make_user_directory_cmd = config.hdfs_command("mkdir -p /users/alice") sdk_cmd.marathon_task_exec(hdfs_client["id"], make_user_directory_cmd) change_ownership_cmd = config.hdfs_command("chown alice:users /users/alice") sdk_cmd.marathon_task_exec(hdfs_client["id"], change_ownership_cmd) change_permissions_cmd = config.hdfs_command("chmod 700 /users/alice") sdk_cmd.marathon_task_exec(hdfs_client["id"], change_permissions_cmd) test_filename = "test_user_permissions-{}".format(str(uuid.uuid4())) # alice has read/write access to her directory sdk_auth.kdestroy(hdfs_client["id"]) sdk_auth.kinit(hdfs_client["id"], keytab=config.KEYTAB, principal=kerberos.get_principal("alice")) write_access_cmd = "/bin/bash -c \"{}\"".format(config.hdfs_write_command( config.TEST_CONTENT_SMALL, "/users/alice/{}".format(test_filename))) log.info("Alice can write: %s", write_access_cmd) rc, stdout, _ = sdk_cmd.marathon_task_exec(hdfs_client["id"], write_access_cmd) assert stdout == '' and rc == 0 read_access_cmd = config.hdfs_read_command("/users/alice/{}".format(test_filename)) log.info("Alice can read: %s", read_access_cmd) _, stdout, _ = sdk_cmd.marathon_task_exec(hdfs_client["id"], read_access_cmd) assert stdout == config.TEST_CONTENT_SMALL ls_cmd = config.hdfs_command("ls /users/alice") _, stdout, _ = sdk_cmd.marathon_task_exec(hdfs_client["id"], ls_cmd) assert "/users/alice/{}".format(test_filename) in stdout # bob doesn't have read/write access to alice's directory sdk_auth.kdestroy(hdfs_client["id"]) sdk_auth.kinit(hdfs_client["id"], keytab=config.KEYTAB, principal=kerberos.get_principal("bob")) log.info("Bob tries to wrtie to alice's directory: %s", write_access_cmd) _, _, stderr = sdk_cmd.marathon_task_exec(hdfs_client["id"], write_access_cmd) log.info("Bob can't write to alice's directory: %s", write_access_cmd) assert "put: Permission denied: user=bob" in stderr log.info("Bob tries to read from alice's directory: %s", read_access_cmd) _, _, stderr = sdk_cmd.marathon_task_exec(hdfs_client["id"], read_access_cmd) log.info("Bob can't read from alice's directory: %s", read_access_cmd) assert "cat: Permission denied: user=bob" in stderr
def test_users_have_appropriate_permissions(hdfs_client, kerberos): # "hdfs" is a superuser sdk_auth.kinit( hdfs_client["id"], keytab=config.KEYTAB, principal=kerberos.get_principal("hdfs") ) alice_dir = "/users/alice" success = True cmd_lists = [ ["mkdir", "-p", alice_dir], ["chown", "alice:users", alice_dir], ["chmod", "700", alice_dir], ] for cmd_list in cmd_lists: cmd = config.hdfs_command(" ".join(cmd_list)) cmd_success = config.run_client_command(cmd) if not cmd_success: log.error("Error executing: %s", cmd) success = success and cmd_success if not success: log.error("Error creating %s", alice_dir) raise Exception("Error creating user directory") # alice has read/write access to her directory sdk_auth.kdestroy(hdfs_client["id"]) sdk_auth.kinit( hdfs_client["id"], keytab=config.KEYTAB, principal=kerberos.get_principal("alice") ) test_filename = "{}/{}".format(alice_dir, config.get_unique_filename("test_kerberos_auth_user_permissions")) config.hdfs_client_write_data(test_filename) config.hdfs_client_read_data(test_filename) _, stdout, _ = config.hdfs_client_list_files(alice_dir) assert test_filename in stdout # bob doesn't have read/write access to alice's directory sdk_auth.kdestroy(hdfs_client["id"]) sdk_auth.kinit(hdfs_client["id"], keytab=config.KEYTAB, principal=kerberos.get_principal("bob")) config.hdfs_client_write_data(test_filename, expect_failure_message="put: Permission denied: user=bob") config.hdfs_client_read_data(test_filename, expect_failure_message="cat: Permission denied: user=bob")
def test_user_can_auth_and_write_and_read(hdfs_client, kerberos): sdk_auth.kinit( hdfs_client["id"], keytab=config.KEYTAB, principal=kerberos.get_principal("hdfs") ) config.check_user_can_auth_and_write_and_read()