knox-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From zbla...@apache.org
Subject knox git commit: KNOX-590 - add more ShiroProvider configuration support to KnoxCLI sys-user-auth-test and user-auth-test
Date Wed, 26 Aug 2015 14:03:29 GMT
Repository: knox
Updated Branches:
  refs/heads/master 928b4a27a -> 55f9405c4


KNOX-590 - add more ShiroProvider configuration support to KnoxCLI sys-user-auth-test and
user-auth-test


Project: http://git-wip-us.apache.org/repos/asf/knox/repo
Commit: http://git-wip-us.apache.org/repos/asf/knox/commit/55f9405c
Tree: http://git-wip-us.apache.org/repos/asf/knox/tree/55f9405c
Diff: http://git-wip-us.apache.org/repos/asf/knox/diff/55f9405c

Branch: refs/heads/master
Commit: 55f9405c415225b3fe2d3cb5c1753bcf95b760c5
Parents: 928b4a2
Author: Zac Blanco <zblanco@apache.org>
Authored: Wed Aug 26 09:31:02 2015 -0400
Committer: Zac Blanco <zblanco@apache.org>
Committed: Wed Aug 26 09:31:02 2015 -0400

----------------------------------------------------------------------
 CHANGES                                         |   1 +
 .../org/apache/hadoop/gateway/util/KnoxCLI.java | 406 ++++++++++++-------
 .../gateway/KnoxCliLdapFuncTestNegative.java    |  17 +-
 .../gateway/KnoxCliLdapFuncTestPositive.java    |   3 +-
 .../hadoop/gateway/KnoxCliSysBindTest.java      |  10 +-
 5 files changed, 283 insertions(+), 154 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/knox/blob/55f9405c/CHANGES
----------------------------------------------------------------------
diff --git a/CHANGES b/CHANGES
index 0028ecb..8054f90 100644
--- a/CHANGES
+++ b/CHANGES
@@ -13,6 +13,7 @@ Release Notes - Apache Knox - Version 0.7.0
     * [KNOX-561] - Allow Knox pid directory to be configured via the knox-env.sh file
     * [KNOX-575] - Adds more logging for ShiroProvider LDAP Authentication.
     * [KNOX-564] - Topology deployment fails for no configured providers
+    * [KNOX-590] - CLI sys-user-auth-test and user-auth-test have improved messages and work
for more Shiro configs
 
 ** Bug
     * [KNOX-554] - Fixed support for gateway.path change + added support for X-Forward-*
headers in admin topology API.

http://git-wip-us.apache.org/repos/asf/knox/blob/55f9405c/gateway-server/src/main/java/org/apache/hadoop/gateway/util/KnoxCLI.java
----------------------------------------------------------------------
diff --git a/gateway-server/src/main/java/org/apache/hadoop/gateway/util/KnoxCLI.java b/gateway-server/src/main/java/org/apache/hadoop/gateway/util/KnoxCLI.java
index b083fb3..246c123 100644
--- a/gateway-server/src/main/java/org/apache/hadoop/gateway/util/KnoxCLI.java
+++ b/gateway-server/src/main/java/org/apache/hadoop/gateway/util/KnoxCLI.java
@@ -50,9 +50,12 @@ import org.apache.log4j.PropertyConfigurator;
 import org.apache.shiro.SecurityUtils;
 import org.apache.shiro.authc.AuthenticationException;
 import org.apache.shiro.authc.UsernamePasswordToken;
+import org.apache.shiro.config.ConfigurationException;
+import org.apache.shiro.config.Ini;
 import org.apache.shiro.config.IniSecurityManagerFactory;
 import org.apache.shiro.subject.Subject;
 import org.apache.shiro.util.Factory;
+import org.apache.shiro.util.ThreadContext;
 import org.eclipse.persistence.oxm.MediaType;
 import org.jboss.shrinkwrap.api.exporter.ExplodedExporter;
 import org.jboss.shrinkwrap.api.spec.WebArchive;
@@ -902,46 +905,176 @@ public class KnoxCLI extends Configured implements Tool {
       out.println("This command does not have any functionality.");
     }
 
+
+//    First define a few Exceptions
+    protected class NoSuchTopologyException extends Exception {
+      public NoSuchTopologyException() {}
+      public NoSuchTopologyException(String message) { super(message); }
+    }
+    protected class MissingPasswordException extends Exception {
+      public MissingPasswordException() {}
+      public MissingPasswordException(String message) { super(message); }
+    }
+
+    protected class MissingUsernameException extends Exception {
+      public MissingUsernameException() {};
+      public MissingUsernameException(String message) { super(message); }
+    }
+
+    protected class BadSubjectException extends Exception {
+      public BadSubjectException() {}
+      public BadSubjectException(String message) { super(message); }
+    }
+
+    protected class NoSuchProviderException extends Exception {
+      public NoSuchProviderException() {}
+      public NoSuchProviderException(String name, String role, String topology) {
+        super("Could not find provider with role: " + role + ", name: " + name + " inside
of topology: " + topology);
+      }
+    }
+
+    //    returns false if any errors are printed
+    protected boolean hasShiroProviderErrors(Topology topology, boolean groupLookup) {
+//      First let's define the variables that represent the ShiroProvider params
+      String mainLdapRealm = "main.ldapRealm";
+      String contextFactory = mainLdapRealm + ".contextFactory";
+      String groupContextFactory = "main.ldapGroupContextFactory";
+      String authorizationEnabled = mainLdapRealm + ".authorizationEnabled";
+      String userSearchAttributeName = mainLdapRealm + ".userSearchAttributeName";
+      String userObjectClass = mainLdapRealm + ".userObjectClass";
+      String authenticationMechanism = mainLdapRealm + ".authenticationMechanism"; // Should
not be used up to v0.6.0)
+      String searchBase = mainLdapRealm + ".searchBase";
+      String groupSearchBase = mainLdapRealm + ".groupSearchBase";
+      String userSearchBase = mainLdapRealm + ".userSearchBase";
+      String groupObjectClass = mainLdapRealm + ".groupObjectClass";
+      String memberAttribute = mainLdapRealm + ".memberAttribute";
+      String memberAttributeValueTemplate = mainLdapRealm + ".memberAttributeValueTemplate";
+      String systemUsername = contextFactory + ".systemUsername";
+      String systemPassword = contextFactory + ".systemPassword";
+      String url = contextFactory + ".url";
+      String userDnTemplate = mainLdapRealm + ".userDnTemplate";
+
+
+      Provider shiro = topology.getProvider("authentication", "ShiroProvider");
+      if(shiro != null) {
+        Map<String, String> params = shiro.getParams();
+        int errs = 0;
+        if(groupLookup) {
+          int errors = 0;
+          errors += hasParam(params, groupContextFactory, true) ? 0 : 1;
+          errors += hasParam(params, groupObjectClass, true) ? 0 : 1;
+          errors += hasParam(params, memberAttributeValueTemplate, true) ? 0 : 1;
+          errors += hasParam(params, memberAttribute, true) ? 0 : 1;
+          errors += hasParam(params, authorizationEnabled, true) ? 0 : 1;
+          errors += hasParam(params, systemUsername, true) ? 0 : 1;
+          errors += hasParam(params, systemPassword, true) ? 0 : 1;
+          errors += hasParam(params, userSearchBase, true) ? 0 : 1;
+          errors += hasParam(params, groupSearchBase, true) ? 0 : 1;
+          errs += errors;
+
+        } else {
+
+//        Realm + Url is always required.
+          errs += hasParam(params, mainLdapRealm, true) ? 0 : 1;
+          errs += hasParam(params, url, true) ? 0 : 1;
+
+          if(hasParam(params, authorizationEnabled, false)) {
+            int errors = 0;
+            errors += hasParam(params, systemUsername, true) ? 0 : 1;
+            errors += hasParam(params, systemPassword, true) ? 0 : 1;
+            errors += hasParam(params, searchBase, true) ? 0 : 1;
+            errs += errors;
+          }
+
+//        If any one of these is present they must all be present
+          if( hasParam(params, userSearchAttributeName, false) ||
+              hasParam(params, userObjectClass, false) ||
+              hasParam(params, searchBase, false)) {
+
+            int errors = 0;
+            errors += hasParam(params, userSearchAttributeName, true) ? 0 : 1;
+            errors += hasParam(params, userObjectClass, true) ? 0 : 1;
+            errors += hasParam(params, searchBase, true) ? 0 : 1;
+            errors += hasParam(params, systemUsername, true) ? 0 : 1;
+            errors += hasParam(params, systemPassword, true) ? 0 : 1;
+
+            if(errors > 0) {
+              out.println(userSearchAttributeName + " or " + userObjectClass + " or " + searchBase
+ " was found in the topology");
+              out.println("If any one of the above params is present, all must be present.");
+            }
+            errs += errors;
+          } else {
+            errs += hasParam(params, userDnTemplate, true) ?  0 : 1;
+
+          }
+        }
+        return (errs > 0);
+      } else {
+        out.println("Could not obtain ShiroProvider");
+        return true;
+      }
+    }
+
+    // Checks to see if the param name is present. If not, notify the user
+    protected boolean hasParam(Map<String, String> params, String key, boolean notifyUser){
+      if(params.get(key) == null){
+        if(notifyUser) { out.println("Warn: " + key + " is not present in topology"); }
+        return false;
+      } else { return true; }
+    }
+
     /**
      *
-     * @param config - the path to the shiro.ini file within a topology deployment.
+     * @param ini - the path to the shiro.ini file within a topology deployment.
      * @param token - token for username and password
      * @return - true/false whether a user was successfully able to authenticate or not.
      */
-    protected boolean authenticateUser(String config, UsernamePasswordToken token){
+    protected boolean authenticateUser(Ini ini, UsernamePasswordToken token){
       boolean result = false;
       try {
-        Subject subject = getSubject(config);
+        Subject subject = getSubject(ini);
         try{
           subject.login(token);
           if(subject.isAuthenticated()){
             result = true;
           }
         } catch (AuthenticationException e){
-          out.println(e.getMessage());
+          out.println(e.toString());
           out.println(e.getCause().getMessage());
           if (debug) {
             e.printStackTrace(out);
           } else {
             out.println(debugMessage);
           }
-        } catch (NullPointerException e) {
-          out.println("Unable to obtain ShiroSubject");
-          if (debug){
-            e.printStackTrace();
-          } else {
-            out.println(debugMessage);
-          }
         } finally {
           subject.logout();
         }
+      } catch (BadSubjectException e) {
+        out.println(e.toString());
+        if (debug){
+          e.printStackTrace();
+        } else {
+          out.println(debugMessage);
+        }
+      } catch (ConfigurationException e) {
+        out.println(e.toString());
       } catch ( Exception e ) {
         out.println(e.getCause());
-        out.println(e.getMessage());
+        out.println(e.toString());
       }
       return result;
     }
 
+    protected boolean authenticateUser(String config, UsernamePasswordToken token) throws
ConfigurationException {
+      Ini ini = new Ini();
+      try {
+        ini.loadFromPath(config);
+        return authenticateUser(ini, token);
+      } catch (ConfigurationException e) {
+        throw e;
+      }
+    }
+
     /**
      *
      * @param userDn - fully qualified userDn used for LDAP authentication
@@ -949,15 +1082,28 @@ public class KnoxCLI extends Configured implements Tool {
      */
     protected String getPrincipal(String userDn){
       String result = "";
+
+//      Need to determine whether we are using AD or LDAP?
+//      LDAP userDn usually starts with "uid="
+//      AD userDn usually starts with cn/CN
+//      Find the userDN template
+
       try {
-        int uidStart = userDn.indexOf("uid=") + 4;
-        int uidEnd = userDn.indexOf(",", uidStart);
-        if(uidEnd > uidStart) {
-          result = userDn.substring(uidStart, uidEnd);
+        Topology t = getTopology(cluster);
+        Provider shiro = t.getProvider("authentication", "ShiroProvider");
+
+        String p1 = shiro.getParams().get("main.ldapRealm.userDnTemplate");
+
+//        We know everything between first "=" and "," will be part of the principal.
+        int eq = userDn.indexOf("=");
+        int com = userDn.indexOf(",");
+        if(eq != -1 && com > eq && com != -1) {
+          result = userDn.substring(eq + 1, com);
+        } else {
+          result = "";
         }
-      } catch (NullPointerException e){
-        out.println("Could not fetch principal from userDn: " + userDn);
-        out.println("The systemUsername should be in the same format as the main.ldapRealm.userDnTemplate");
+      } catch (NoSuchTopologyException e) {
+        out.println(e.toString());
         result = userDn;
       } finally {
         return result;
@@ -972,21 +1118,29 @@ public class KnoxCLI extends Configured implements Tool {
      */
     protected boolean testSysBind(Topology t, String config) {
       boolean result = false;
-      String username = getSystemUsername(t);
-      char[] password = getSystemPassword(t);
+      String username;
+      char[] password;
 
-      if(username == null) {
-        out.println("You are missing a parameter in your topology file.");
-        out.println("Verify that the param of name \"main.ldapRealm.contextFactory.systemUsername\"
is present.");
-      }
-
-      if(password == null) {
-        out.println("You are missing a parameter in your topology file.");
-        out.println("Verify that the param of name \"main.ldapRealm.contextFactory.systemPassword\"
is present.");
-      }
-
-      if(username != null && password != null){
-        result = authenticateUser(config, new UsernamePasswordToken(username, password));
+      try {
+//        Pull out contextFactory.url param for light shiro config
+        Provider shiro = t.getProvider("authentication", "ShiroProvider");
+        Map<String, String> params = shiro.getParams();
+        String url = params.get("main.ldapRealm.contextFactory.url");
+
+//        Build the Ini with minimum requirements
+        Ini ini = new Ini();
+        ini.addSection("main");
+        ini.setSectionProperty("main", "ldapRealm", "org.apache.hadoop.gateway.shirorealm.KnoxLdapRealm");
+        ini.setSectionProperty("main", "ldapContextFactory", "org.apache.hadoop.gateway.shirorealm.KnoxLdapContextFactory");
+        ini.setSectionProperty("main", "ldapRealm.contextFactory.url", url);
+
+        username = getSystemUsername(t);
+        password = getSystemPassword(t);
+        result = authenticateUser(ini, new UsernamePasswordToken(username, password));
+      } catch (MissingUsernameException | NoSuchProviderException | MissingPasswordException
e) {
+        out.println(e.toString());
+      } catch (NullPointerException e) {
+        out.println(e.toString());
       }
       return result;
     }
@@ -996,16 +1150,16 @@ public class KnoxCLI extends Configured implements Tool {
      * @param t - topology configuration to use
      * @return - the principal of the systemUsername specified in topology. null if non-existent
      */
-    private String getSystemUsername(Topology t) {
+    private String getSystemUsername(Topology t) throws MissingUsernameException, NoSuchProviderException
{
       final String SYSTEM_USERNAME = "main.ldapRealm.contextFactory.systemUsername";
       String user = null;
-      Provider shiro = t.getProvider("authentication", "ShiroProvider");
-      if(shiro != null){
-        Map<String, String> params = shiro.getParams();
+      Provider shiroProvider = t.getProvider("authentication", "ShiroProvider");
+      if(shiroProvider != null){
+        Map<String, String> params = shiroProvider.getParams();
         String userDn = params.get(SYSTEM_USERNAME);
-        if(userDn != null) {
-          user = getPrincipal(userDn);
-        }
+        user = userDn;
+      } else {
+        throw new NoSuchProviderException("ShiroProvider", "authentication", t.getName());
       }
       return user;
     }
@@ -1015,30 +1169,32 @@ public class KnoxCLI extends Configured implements Tool {
      * @param t - topology configuration to use
      * @return - the systemPassword specified in topology. null if non-existent
      */
-    private char[] getSystemPassword(Topology t){
+    private char[] getSystemPassword(Topology t) throws NoSuchProviderException, MissingPasswordException{
       final String SYSTEM_PASSWORD = "main.ldapRealm.contextFactory.systemPassword";
       String pass = null;
       Provider shiro = t.getProvider("authentication", "ShiroProvider");
       if(shiro != null){
         Map<String, String> params = shiro.getParams();
         pass = params.get(SYSTEM_PASSWORD);
+      } else {
+        throw new NoSuchProviderException("ShiroProvider", "authentication", t.getName());
       }
 
       if(pass != null) {
         return pass.toCharArray();
       } else {
-        return null;
+        throw new MissingPasswordException("ShiroProvider did not contain param: " + SYSTEM_PASSWORD);
       }
     }
 
-
     /**
      *
      * @param config - the shiro.ini config file created in topology deployment.
      * @return returns the Subject given by the shiro config's settings.
      */
-    protected Subject getSubject(String config) {
+    protected Subject getSubject(Ini config) throws BadSubjectException {
       try {
+        ThreadContext.unbindSubject();
         Factory factory = new IniSecurityManagerFactory(config);
         org.apache.shiro.mgt.SecurityManager securityManager = (org.apache.shiro.mgt.SecurityManager)
factory.getInstance();
         SecurityUtils.setSecurityManager(securityManager);
@@ -1049,9 +1205,19 @@ public class KnoxCLI extends Configured implements Tool {
           out.println("Error Creating Subject from config at: " + config);
         }
       } catch (Exception e){
-        out.println(e.getMessage());
+        out.println(e.toString());
+      }
+      throw new BadSubjectException("Subject could not be created with Shiro Config at "
+ config);
+    }
+
+    protected Subject getSubject(String config) throws ConfigurationException {
+      Ini ini = new Ini();
+      ini.loadFromPath(config);
+      try {
+        return getSubject(ini);
+      } catch (BadSubjectException e) {
+        throw new ConfigurationException("Could not get Subject with Ini at " + config);
       }
-      return null;
     }
 
     /**
@@ -1070,7 +1236,7 @@ public class KnoxCLI extends Configured implements Tool {
             this.username = reader.readLine();
             reader.close();
           } catch (IOException e){
-            out.println(e.getMessage());
+            out.println(e.toString());
             this.username = "";
           }
         }
@@ -1092,7 +1258,7 @@ public class KnoxCLI extends Configured implements Tool {
             }
             reader.close();
           } catch (IOException e){
-            out.println(e.getMessage());
+            out.println(e.toString());
             this.password = new char[0];
           }
         }
@@ -1104,7 +1270,7 @@ public class KnoxCLI extends Configured implements Tool {
      * @param topologyName - the name of the topology to retrieve
      * @return - Topology object with specified name. null if topology doesn't exist in TopologyService
      */
-    protected Topology getTopology(String topologyName) {
+    protected Topology getTopology(String topologyName) throws NoSuchTopologyException {
       TopologyService ts = getTopologyService();
       ts.reloadTopologies();
       for (Topology t : ts.getTopologies()) {
@@ -1112,7 +1278,8 @@ public class KnoxCLI extends Configured implements Tool {
           return t;
         }
       }
-      return null;
+      throw new  NoSuchTopologyException("Topology " + topologyName + " does not" +
+          " exist in the topologies directory.");
     }
 
     /**
@@ -1130,7 +1297,7 @@ public class KnoxCLI extends Configured implements Tool {
       try{
         FileUtils.forceDeleteOnExit(war);
       } catch (IOException e) {
-        out.println(e.getMessage());
+        out.println(e.toString());
         war.deleteOnExit();
       }
       return config;
@@ -1155,15 +1322,14 @@ public class KnoxCLI extends Configured implements Tool {
      * field.
      */
     protected boolean acquireTopology(){
-      topology = getTopology(cluster);
-      if(topology == null) {
-        out.println("ERR: Topology " + cluster + " does not exist");
+      try {
+        topology = getTopology(cluster);
+      } catch (NoSuchTopologyException e) {
+        out.println(e.toString());
         return false;
-      } else {
-        return true;
       }
+      return true;
     }
-
   }
 
   private class LDAPAuthCommand extends LDAPCommand {
@@ -1176,7 +1342,7 @@ public class KnoxCLI extends Configured implements Tool {
         "If a username and password argument are not supplied, the terminal will prompt you
for one.";
 
     private static final String  SUBJECT_USER_GROUPS = "subject.userGroups";
-    private HashSet<String> groupSet = new HashSet<String>();
+    private HashSet<String> groupSet = new HashSet<>();
 
     @Override
     public String getUsage() {
@@ -1196,107 +1362,61 @@ public class KnoxCLI extends Configured implements Tool {
         return;
       }
 
-      if(username == null || password == null){
-        return;
-      }
-
       String config = getConfig(topology);
 
       if(new File(config).exists()) {
-        if(testSysBind(topology, config)) {
           if(authenticateUser(config, new UsernamePasswordToken(username, password))) {
             out.println("LDAP authentication successful!");
             if(groups) {
-              groupSet = getGroups(topology, new UsernamePasswordToken(username, password));
-              if(groupSet == null || groupSet.isEmpty()) {
-                out.println(username + " does not belong to any groups");
-                if(groups) {
-                  out.println("You were looking for this user's groups but this user does
not belong to any.");
-                  out.println("Your topology file may be incorrectly configured for group
lookup.");
-                  if(!hasGroupLookupErrors(topology)) {
-                    out.println("Some of your topology's param values may be incorrect.");
-                    out.println("Please refer to the Knox user guide to find out how to correctly
configure a" +
-                        "topology for group lookup;");
+              if(testSysBind(topology, config)) {
+                groupSet = getGroups(topology, new UsernamePasswordToken(username, password));
+                if(groupSet == null || groupSet.isEmpty()) {
+                  out.println(username + " does not belong to any groups");
+                  if(groups) {
+                    hasShiroProviderErrors(topology, true);
+                    out.println("You were looking for this user's groups but this user does
not belong to any.");
+                    out.println("Your topology file may be incorrectly configured for group
lookup.");
+                  }
+                } else {
+                  for (Object o : groupSet.toArray()) {
+                    out.println(username + " is a member of: " + o.toString());
                   }
-                }
-              } else if(!groupSet.isEmpty()) {
-                for (Object o : groupSet.toArray()) {
-                  out.println(username + " is a member of: " + o.toString());
                 }
               }
             }
           } else {
             out.println("ERR: Unable to authenticate user: " + username);
           }
-        } else {
-          out.println("Your topology was unable to bind to the LDAP server with system credentials.");
-          out.println("Please consider updating topology parameters");
-        }
       } else {
         out.println("ERR: No shiro config file found.");
       }
     }
 
-//    returns false if any errors are printed
-    private boolean hasGroupLookupErrors(Topology topology) {
-      Provider shiro = topology.getProvider("authentication", "ShiroProvider");
-      if(shiro != null) {
-        Map<String, String> params = shiro.getParams();
-        int errs = 0;
-        errs += hasParam(params, "main.ldapRealm") ? 0 : 1;
-        errs += hasParam(params, "main.ldapGroupContextFactory") ? 0 : 1;
-        errs += hasParam(params, "main.ldapRealm.searchBase") ? 0 : 1;
-        errs += hasParam(params, "main.ldapRealm.groupObjectClass") ? 0 : 1;
-        errs += hasParam(params, "main.ldapRealm.memberAttributeValueTemplate") ? 0 : 1;
-        errs += hasParam(params, "main.ldapRealm.memberAttribute") ? 0 : 1;
-        errs += hasParam(params, "main.ldapRealm.authorizationEnabled") ? 0 : 1;
-        errs += hasParam(params, "main.ldapRealm.contextFactory.systemUsername") ? 0 : 1;
-        errs += hasParam(params, "main.ldapRealm.contextFactory.systemPassword") ? 0 : 1;
-        errs += hasParam(params, "main.ldapRealm.userDnTemplate") ? 0 : 1;
-        errs += hasParam(params, "main.ldapRealm.contextFactory.url") ? 0 : 1;
-        errs += hasParam(params, "main.ldapRealm.contextFactory.authenticationMechanism")
? 0 : 1;
-        return errs > 0 ? true : false;
-      } else {
-        out.println("Could not obtain ShiroProvider");
-        return true;
-      }
-    }
-
-    // Checks to see if the param name is present. If not, notify the user
-    private boolean hasParam(Map<String, String> params, String key){
-      if(params.get(key) == null){
-        out.println("Error: " + key + " is not present in topology");
-        return false;
-      } else { return true; }
-    }
-
     private HashSet<String> getGroups(Topology t, UsernamePasswordToken token){
       HashSet<String> groups = null;
-      Subject subject  = getSubject(getConfig(t));
       try {
+        Subject subject  = getSubject(getConfig(t));
         if(!subject.isAuthenticated()) {
           subject.login(token);
         }
         subject.hasRole(""); //Populate subject groups
         groups = (HashSet) subject.getSession().getAttribute(SUBJECT_USER_GROUPS);
+        subject.logout();
       } catch (AuthenticationException e) {
-        out.println(e.getMessage());
-        if(debug){
+        out.println("Error retrieving groups");
+        out.println(e.toString());
+        if(debug) {
           e.printStackTrace();
         } else {
           out.println(debugMessage);
         }
-      } catch (NullPointerException n) {
-        out.println(n.getMessage());
-        if(debug) {
-          n.printStackTrace();
-        } else {
-          out.println(debugMessage);
+      } catch (ConfigurationException e) {
+        out.println(e.toString());
+        if(debug){
+          e.printStackTrace();
         }
-      } finally {
-        subject.logout();
-        return groups;
       }
+      return groups;
     }
 
   }
@@ -1315,16 +1435,31 @@ public class KnoxCLI extends Configured implements Tool {
     @Override
     public void execute() {
 
-      if(!acquireTopology()){
+      if(!acquireTopology()) {
         return;
       }
-      if ( testSysBind(topology, getConfig(topology)) ) {
+
+      if(hasShiroProviderErrors(topology, false)) {
+        out.println("Topology warnings present. SystemUser may not bind.");
+      }
+
+      if(testSysBind(topology, getConfig(topology))) {
         out.println("System LDAP Bind successful.");
-       } else {
-        out.println("Unable to successfully bind to LDAP server with topology credentials");
+      } else {
+        out.println("Unable to successfully bind to LDAP server with topology credentials.
Are your parameters correct?");
       }
     }
+  }
 
+  private GatewayConfig getGatewayConfig() {
+    GatewayConfig result;
+    Configuration conf = getConf();
+    if(conf != null && conf instanceof GatewayConfig) {
+      result = (GatewayConfig) conf;
+    } else {
+      result = new GatewayConfigImpl();
+    }
+    return result;
   }
 
   public class ServiceTestCommand extends Command {
@@ -1482,17 +1617,6 @@ public class KnoxCLI extends Configured implements Tool {
 
   }
 
-  private GatewayConfig getGatewayConfig() {
-    GatewayConfig result;
-    Configuration conf = getConf();
-    if(conf != null && conf instanceof GatewayConfig) {
-      result = (GatewayConfig) conf;
-    } else {
-      result = new GatewayConfigImpl();
-    }
-    return result;
-  }
-
   private static Properties loadBuildProperties() {
     Properties properties = new Properties();
     InputStream inputStream = KnoxCLI.class.getClassLoader().getResourceAsStream( "build.properties"
);

http://git-wip-us.apache.org/repos/asf/knox/blob/55f9405c/gateway-test/src/test/java/org/apache/hadoop/gateway/KnoxCliLdapFuncTestNegative.java
----------------------------------------------------------------------
diff --git a/gateway-test/src/test/java/org/apache/hadoop/gateway/KnoxCliLdapFuncTestNegative.java
b/gateway-test/src/test/java/org/apache/hadoop/gateway/KnoxCliLdapFuncTestNegative.java
index 60d1651..709d3d3 100644
--- a/gateway-test/src/test/java/org/apache/hadoop/gateway/KnoxCliLdapFuncTestNegative.java
+++ b/gateway-test/src/test/java/org/apache/hadoop/gateway/KnoxCliLdapFuncTestNegative.java
@@ -182,6 +182,12 @@ public class KnoxCliLdapFuncTestNegative {
         .addTag( "name" ).addText("main.ldapRealm.contextFactory.url")
         .addTag("value").addText("ldap://localhost:" + ldapTransport.getPort()).gotoParent()
         .addTag("param")
+        .addTag("name").addText("main.ldapRealm.contextFactory.systemUsername")
+        .addTag("value").addText("uid=guest,ou=people,dc=hadoop,dc=apache,dc=org").gotoParent()
+        .addTag("param")
+        .addTag("name").addText("main.ldapRealm.contextFactory.systemPassword")
+        .addTag( "value" ).addText("guest-password").gotoParent()
+        .addTag("param")
         .addTag( "name" ).addText("main.ldapRealm.contextFactory.authenticationMechanism")
         .addTag("value").addText("simple").gotoParent()
         .addTag("param")
@@ -274,16 +280,17 @@ public class KnoxCliLdapFuncTestNegative {
     String username = "tom";
     String password = "tom-password";
     KnoxCLI cli = new KnoxCLI();
-    cli.setConf( config );
+    cli.setConf(config);
 
     String args1[] = {"user-auth-test", "--master", "knox", "--cluster", "bad-cluster",
         "--u", username, "--p", password, "--g" };
     cli.run( args1 );
 
     assertThat(outContent.toString(), containsString("LDAP authentication successful"));
-    assertFalse(outContent.toString().contains("analyst"));
     assertThat(outContent.toString(), containsString("Your topology file may be incorrectly
configured for group lookup"));
-    assertThat(outContent.toString(), containsString("Error:"));
+    assertThat(outContent.toString(), containsString("Warn: "));
+    assertFalse(outContent.toString().contains("analyst"));
+
 
     outContent.reset();
     username = "bad-name";
@@ -304,13 +311,13 @@ public class KnoxCliLdapFuncTestNegative {
     cli = new KnoxCLI();
     cli.setConf( config );
 
-    String args3[] = {"user-user-auth-test", "--master", "knox", "--cluster", "bad-cluster",
+    String args3[] = {"user-auth-test", "--master", "knox", "--cluster", "bad-cluster",
         "--u", username, "--p", password, "--g" };
     cli.run( args3 );
 
     assertThat(outContent.toString(), containsString("LDAP authentication successful"));
     assertThat(outContent.toString(), containsString("Your topology file may be incorrectly
configured for group lookup"));
-    assertThat(outContent.toString(), containsString("Error:"));
+    assertThat(outContent.toString(), containsString("Warn:"));
     assertFalse(outContent.toString().contains("analyst"));
     assertFalse(outContent.toString().contains("scientist"));
 

http://git-wip-us.apache.org/repos/asf/knox/blob/55f9405c/gateway-test/src/test/java/org/apache/hadoop/gateway/KnoxCliLdapFuncTestPositive.java
----------------------------------------------------------------------
diff --git a/gateway-test/src/test/java/org/apache/hadoop/gateway/KnoxCliLdapFuncTestPositive.java
b/gateway-test/src/test/java/org/apache/hadoop/gateway/KnoxCliLdapFuncTestPositive.java
index afd2e8e..6ca727c 100644
--- a/gateway-test/src/test/java/org/apache/hadoop/gateway/KnoxCliLdapFuncTestPositive.java
+++ b/gateway-test/src/test/java/org/apache/hadoop/gateway/KnoxCliLdapFuncTestPositive.java
@@ -309,8 +309,7 @@ public class KnoxCliLdapFuncTestPositive {
     String args4[] = {"user-auth-test", "--master", "knox", "--cluster", "cluster-dne",
         "--u", username, "--p", password };
     cli.run(args4);
-    assertThat(outContent.toString(), containsString("ERR: Topology"));
-    assertThat(outContent.toString(), containsString("does not exist"));
+    assertThat(outContent.toString(), containsString("Topology cluster-dne does not exist"));
 
 
     //    Test 5: Authenticate a user who belongs to no groups, but specify groups with --g

http://git-wip-us.apache.org/repos/asf/knox/blob/55f9405c/gateway-test/src/test/java/org/apache/hadoop/gateway/KnoxCliSysBindTest.java
----------------------------------------------------------------------
diff --git a/gateway-test/src/test/java/org/apache/hadoop/gateway/KnoxCliSysBindTest.java
b/gateway-test/src/test/java/org/apache/hadoop/gateway/KnoxCliSysBindTest.java
index 1739c32..80ccd34 100644
--- a/gateway-test/src/test/java/org/apache/hadoop/gateway/KnoxCliSysBindTest.java
+++ b/gateway-test/src/test/java/org/apache/hadoop/gateway/KnoxCliSysBindTest.java
@@ -304,10 +304,9 @@ public class KnoxCliSysBindTest {
     cli = new KnoxCLI();
     cli.setConf(config);
     cli.run(args4);
-    assertThat(outContent.toString(),
-        containsString("Verify that the param of name \"main.ldapRealm.contextFactory.systemUsername\"
is present."));
-    assertThat(outContent.toString(),
-        containsString("Verify that the param of name \"main.ldapRealm.contextFactory.systemPassword\"
is present."));
+    assertThat(outContent.toString(), containsString("Warn: main.ldapRealm.contextFactory.systemUsername
is not present"));
+    assertThat(outContent.toString(), containsString("Warn: main.ldapRealm.contextFactory.systemPassword
is not present"));
+
 
     //    Test 5: Assert that we get a username/password not present error is printed
     outContent.reset();
@@ -315,8 +314,7 @@ public class KnoxCliSysBindTest {
     cli = new KnoxCLI();
     cli.setConf(config);
     cli.run(args5);
-    assertThat(outContent.toString(),
-        containsString("Topology not-a-cluster does not exist"));
+    assertThat(outContent.toString(), containsString("Topology not-a-cluster does not exist"));
 
 
   }


Mime
View raw message