From lmc...@apache.org
Subject knox git commit: KNOX-237 - Hadoop Group Mapping as a Knox Provider
Date Mon, 12 Dec 2016 18:11:39 GMT
Repository: knox
Updated Branches:
  refs/heads/master 99519d445 -> 33307d575


KNOX-237 - Hadoop Group Mapping as a Knox Provider

Project: http://git-wip-us.apache.org/repos/asf/knox/repo
Commit: http://git-wip-us.apache.org/repos/asf/knox/commit/33307d57
Tree: http://git-wip-us.apache.org/repos/asf/knox/tree/33307d57
Diff: http://git-wip-us.apache.org/repos/asf/knox/diff/33307d57

Branch: refs/heads/master
Commit: 33307d5753b946952b5ef2cd5fc09f0a636f33a0
Parents: 99519d4
Author: Larry McCay <lmccay@hortonworks.com>
Authored: Mon Dec 12 13:11:31 2016 -0500
Committer: Larry McCay <lmccay@hortonworks.com>
Committed: Mon Dec 12 13:11:31 2016 -0500

----------------------------------------------------------------------
 .../pom.xml                                     | 104 ++++++++++
 ...adoopGroupProviderDeploymentContributor.java |  64 ++++++
 .../filter/HadoopGroupProviderFilter.java       | 120 +++++++++++
 .../filter/HadoopGroupProviderMessages.java     |  43 ++++
 ...gateway.deploy.ProviderDeploymentContributor |  19 ++
 ...pGroupProviderDeploymentContributorTest.java |  54 +++++
 .../filter/HadoopGroupProviderFilterTest.java   | 202 +++++++++++++++++++
 .../hadoop/groups/filter/HadoopGroupsTest.java  |  85 ++++++++
 gateway-release/pom.xml                         |   4 +
 pom.xml                                         |   6 +
 10 files changed, 701 insertions(+)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/knox/blob/33307d57/gateway-provider-identity-assertion-hadoop-groups/pom.xml
----------------------------------------------------------------------
diff --git a/gateway-provider-identity-assertion-hadoop-groups/pom.xml b/gateway-provider-identity-assertion-hadoop-groups/pom.xml
new file mode 100644
index 0000000..a05c3db
--- /dev/null
+++ b/gateway-provider-identity-assertion-hadoop-groups/pom.xml
@@ -0,0 +1,104 @@
+<?xml version="1.0" encoding="UTF-8"?>
+
+<!--
+   Licensed to the Apache Software Foundation (ASF) under one or more
+   contributor license agreements.  See the NOTICE file distributed with
+   this work for additional information regarding copyright ownership.
+   The ASF licenses this file to You under the Apache License, Version 2.0
+   (the "License"); you may not use this file except in compliance with
+   the License.  You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+-->
+
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+    <modelVersion>4.0.0</modelVersion>
+    <parent>
+        <groupId>org.apache.knox</groupId>
+        <artifactId>gateway</artifactId>
+        <version>0.11.0-SNAPSHOT</version>
+    </parent>
+    <artifactId>gateway-provider-identity-assertion-hadoop-groups</artifactId>
+
+    <name>gateway-provider-identity-assertion-hadoop-groups</name>
+    <description>An extension to the gateway that provides group membership lookups
similar to Hadoop for the authenticated (asserted) identity.</description>
+
+    <licenses>
+        <license>
+            <name>The Apache Software License, Version 2.0</name>
+            <url>http://www.apache.org/licenses/LICENSE-2.0.txt</url>
+            <distribution>repo</distribution>
+        </license>
+    </licenses>
+
+    <dependencies>
+
+        <dependency>
+            <groupId>${gateway-group}</groupId>
+            <artifactId>gateway-provider-identity-assertion-common</artifactId>
+        </dependency>
+
+        <dependency>
+            <groupId>commons-io</groupId>
+            <artifactId>commons-io</artifactId>
+        </dependency>
+
+        <dependency>
+            <groupId>${gateway-group}</groupId>
+            <artifactId>gateway-spi</artifactId>
+        </dependency>
+
+        <dependency>
+            <groupId>org.apache.hadoop</groupId>
+            <artifactId>hadoop-common</artifactId>
+        </dependency>     
+
+        <dependency>
+            <groupId>${gateway-group}</groupId>
+            <artifactId>gateway-test-utils</artifactId>
+            <scope>test</scope>
+        </dependency>
+
+        <dependency>
+            <groupId>org.eclipse.jetty</groupId>
+            <artifactId>jetty-servlet</artifactId>
+            <scope>test</scope>
+        </dependency>
+
+        <dependency>
+            <groupId>junit</groupId>
+            <artifactId>junit</artifactId>
+            <scope>test</scope>
+        </dependency>
+
+        <dependency>
+            <groupId>org.hamcrest</groupId>
+            <artifactId>hamcrest-core</artifactId>
+            <scope>test</scope>
+        </dependency>
+        <dependency>
+            <groupId>org.hamcrest</groupId>
+            <artifactId>hamcrest-library</artifactId>
+            <scope>test</scope>
+        </dependency>
+        <dependency>
+            <groupId>org.xmlmatchers</groupId>
+            <artifactId>xml-matchers</artifactId>
+            <scope>test</scope>
+        </dependency>
+
+        <dependency>
+            <groupId>org.easymock</groupId>
+            <artifactId>easymock</artifactId>
+            <scope>test</scope>
+        </dependency>
+
+    </dependencies>
+</project>
\ No newline at end of file
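Review bot: Several declared dependencies do not appear to be used by the sources added in this commit: `commons-io` is compile-scoped but none of the three main classes imports it, and `jetty-servlet`, `xml-matchers`, `hamcrest-library` and `gateway-test-utils` are not imported by the tests shown here. Each unused entry, especially a compile-scoped one, widens the set of artifacts that has to be tracked for advisories, so I would drop what is not needed and add a short comment above `hadoop-common` such as `<!-- Groups / GroupMappingServiceProvider used by HadoopGroupProviderFilter -->`. Versions are presumably managed in the parent POM's dependencyManagement, which this hunk does not show.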

http://git-wip-us.apache.org/repos/asf/knox/blob/33307d57/gateway-provider-identity-assertion-hadoop-groups/src/main/java/org/apache/hadoop/gateway/identityasserter/hadoop/groups/filter/HadoopGroupProviderDeploymentContributor.java
----------------------------------------------------------------------
diff --git a/gateway-provider-identity-assertion-hadoop-groups/src/main/java/org/apache/hadoop/gateway/identityasserter/hadoop/groups/filter/HadoopGroupProviderDeploymentContributor.java
b/gateway-provider-identity-assertion-hadoop-groups/src/main/java/org/apache/hadoop/gateway/identityasserter/hadoop/groups/filter/HadoopGroupProviderDeploymentContributor.java
new file mode 100644
index 0000000..e20f17a
--- /dev/null
+++ b/gateway-provider-identity-assertion-hadoop-groups/src/main/java/org/apache/hadoop/gateway/identityasserter/hadoop/groups/filter/HadoopGroupProviderDeploymentContributor.java
@@ -0,0 +1,64 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.gateway.identityasserter.hadoop.groups.filter;
+
+import org.apache.hadoop.gateway.identityasserter.common.filter.AbstractIdentityAsserterDeploymentContributor;
+
+/**
+ * A provider deployment contributor for looking up authenticated user groups as
+ * seen by Hadoop implementation.
+ * 
+ * @since 0.11.0
+ */
+
+public class HadoopGroupProviderDeploymentContributor
+    extends AbstractIdentityAsserterDeploymentContributor {
+
+  /**
+   * Name of our <b>identity-assertion</b> provider.
+   */
+  public static final String HADOOP_GROUP_PROVIDER = "HadoopGroupProvider";
+
+  /* create an instance */
+  public HadoopGroupProviderDeploymentContributor() {
+    super();
+  }
+
+  /*
+   * (non-Javadoc)
+   * 
+   * @see
+   * org.apache.hadoop.gateway.deploy.ProviderDeploymentContributor#getName()
+   */
+  @Override
+  public String getName() {
+    return HADOOP_GROUP_PROVIDER;
+  }
+
+  /*
+   * (non-Javadoc)
+   * 
+   * @see org.apache.hadoop.gateway.identityasserter.common.filter.
+   * AbstractIdentityAsserterDeploymentContributor#getFilterClassname()
+   */
+  @Override
+  protected String getFilterClassname() {
+    return HadoopGroupProviderFilter.class.getName();
+  }
+
+}

http://git-wip-us.apache.org/repos/asf/knox/blob/33307d57/gateway-provider-identity-assertion-hadoop-groups/src/main/java/org/apache/hadoop/gateway/identityasserter/hadoop/groups/filter/HadoopGroupProviderFilter.java
----------------------------------------------------------------------
diff --git a/gateway-provider-identity-assertion-hadoop-groups/src/main/java/org/apache/hadoop/gateway/identityasserter/hadoop/groups/filter/HadoopGroupProviderFilter.java
b/gateway-provider-identity-assertion-hadoop-groups/src/main/java/org/apache/hadoop/gateway/identityasserter/hadoop/groups/filter/HadoopGroupProviderFilter.java
new file mode 100644
index 0000000..9eccecd
--- /dev/null
+++ b/gateway-provider-identity-assertion-hadoop-groups/src/main/java/org/apache/hadoop/gateway/identityasserter/hadoop/groups/filter/HadoopGroupProviderFilter.java
@@ -0,0 +1,120 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.gateway.identityasserter.hadoop.groups.filter;
+
+import java.io.IOException;
+import java.util.Enumeration;
+import java.util.List;
+
+import javax.security.auth.Subject;
+import javax.servlet.FilterConfig;
+import javax.servlet.ServletException;
+
+import org.apache.hadoop.conf.Configuration;
+import org.apache.hadoop.gateway.i18n.messages.MessagesFactory;
+import org.apache.hadoop.gateway.identityasserter.common.filter.CommonIdentityAssertionFilter;
+import org.apache.hadoop.security.GroupMappingServiceProvider;
+import org.apache.hadoop.security.Groups;
+
+/**
+ * A filter that integrates the Hadoop {@link GroupMappingServiceProvider} for
+ * looking up group membership of the authenticated (asserted) identity.
+ * 
+ * @since 0.11.0
+ */
+public class HadoopGroupProviderFilter extends CommonIdentityAssertionFilter {
+
+  /**
+   * Logging
+   */
+  public static HadoopGroupProviderMessages LOG = MessagesFactory
+      .get(HadoopGroupProviderMessages.class);
+
+  /**
+   * Configuration object needed by for hadoop classes
+   */
+  private Configuration hadoopConfig;
+
+  /**
+   * Hadoop Groups implementation.
+   */
+  private Groups hadoopGroups;
+
+  /* create an instance */
+  public HadoopGroupProviderFilter() {
+    super();
+  }
+
+  @Override
+  public void init(final FilterConfig filterConfig) throws ServletException {
+
+    try {
+      hadoopConfig = new Configuration(false);
+
+      if (filterConfig.getInitParameterNames() != null) {
+
+        for (final Enumeration<String> keys = filterConfig
+            .getInitParameterNames(); keys.hasMoreElements();) {
+
+          final String key = keys.nextElement();
+          hadoopConfig.set(key, filterConfig.getInitParameter(key));
+
+        }
+
+      }
+      hadoopGroups = new Groups(hadoopConfig);
+
+    } catch (final Exception e) {
+      throw new ServletException(e);
+    }
+
+  }
+
+  /**
+   * Query the Hadoop implementation of {@link Groups} to retrieve groups for
+   * provided user.
+   */
+  public String[] mapGroupPrincipals(final String mappedPrincipalName,
+      final Subject subject) {
+    /* return the groups as seen by Hadoop */
+    String[] groups = null;
+    try {
+      final List<String> groupList = hadoopGroups
+          .getGroups(mappedPrincipalName);
+      LOG.groupsFound(mappedPrincipalName, groupList.toString());
+      groups = groupList.toArray(new String[0]);
+
+    } catch (final IOException e) {
+      if (e.toString().contains("No groups found for user")) {
+        /* no groups found move on */
+        LOG.noGroupsFound(mappedPrincipalName);
+      } else {
+        /* Log the error and return empty group */
+        LOG.errorGettingUserGroups(mappedPrincipalName, e);
+      }
+      groups = new String[0];
+    }
+    return groups;
+  }
+
+  public String mapUserPrincipal(final String principalName) {
+    /* return the passed principal */
+    return principalName;
+  }
+
+}
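Review bot: In `init`, every filter init parameter is copied into the Hadoop `Configuration` without filtering, so the mapping class named by `hadoop.security.group.mapping` and the LDAP bind password (see the keys exercised in HadoopGroupProviderFilterTest) are taken verbatim from the provider configuration. Consider copying only the expected keys, e.g. `if (key.startsWith("hadoop.security.group.mapping")) { hadoopConfig.set(key, filterConfig.getInitParameter(key)); }`, and documenting that the bind password should come from a protected source rather than a clear-text parameter. In `mapGroupPrincipals`, the `e.toString().contains("No groups found for user")` test depends on Hadoop's message wording, and both branches return an empty array, so a directory outage is indistinguishable from a user without groups for whatever authorization runs later; a comment stating that this is the intended behaviour would help. `init` also does not call `super.init(filterConfig)`; whether the parent class needs it is not visible in this commit.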

http://git-wip-us.apache.org/repos/asf/knox/blob/33307d57/gateway-provider-identity-assertion-hadoop-groups/src/main/java/org/apache/hadoop/gateway/identityasserter/hadoop/groups/filter/HadoopGroupProviderMessages.java
----------------------------------------------------------------------
diff --git a/gateway-provider-identity-assertion-hadoop-groups/src/main/java/org/apache/hadoop/gateway/identityasserter/hadoop/groups/filter/HadoopGroupProviderMessages.java
b/gateway-provider-identity-assertion-hadoop-groups/src/main/java/org/apache/hadoop/gateway/identityasserter/hadoop/groups/filter/HadoopGroupProviderMessages.java
new file mode 100644
index 0000000..d67b811
--- /dev/null
+++ b/gateway-provider-identity-assertion-hadoop-groups/src/main/java/org/apache/hadoop/gateway/identityasserter/hadoop/groups/filter/HadoopGroupProviderMessages.java
@@ -0,0 +1,43 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.gateway.identityasserter.hadoop.groups.filter;
+
+import org.apache.hadoop.gateway.i18n.messages.Message;
+import org.apache.hadoop.gateway.i18n.messages.MessageLevel;
+import org.apache.hadoop.gateway.i18n.messages.Messages;
+import org.apache.hadoop.gateway.i18n.messages.StackTrace;
+
+/**
+ * Messages for provider - HadoopGroupProvider
+ * 
+ * @since 0.11
+ */
+
+@Messages(logger="org.apache.hadoop.gateway")
+public interface HadoopGroupProviderMessages {
+
+  @Message( level = MessageLevel.ERROR, text = "Error getting groups for principal {0}" )
+  void errorGettingUserGroups(final String principal , @StackTrace( level = MessageLevel.DEBUG
) Exception e );
+  
+  @Message( level = MessageLevel.INFO, text = "No groups for principal {0} found" )
+  void noGroupsFound(final String principal);
+  
+  @Message( level = MessageLevel.DEBUG, text = "Found groups for principal {0} : {1}" )
+  void groupsFound(final String principal, final String groups );
+  
+}
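Review bot: `errorGettingUserGroups` logs only the principal at ERROR and attaches the exception as a stack trace at DEBUG, so at default log levels a failed lookup gives no hint whether the directory was unreachable, the bind failed or the configuration was wrong. Since the filter returns an empty group list in that case, I would put the cause in the message, e.g. `text = "Error getting groups for principal {0}: {1}"`, assuming the messages framework passes the annotated exception as a format argument. The `@since 0.11` tag is also inconsistent with the `@since 0.11.0` used in HadoopGroupProviderFilter.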

http://git-wip-us.apache.org/repos/asf/knox/blob/33307d57/gateway-provider-identity-assertion-hadoop-groups/src/main/resources/META-INF/services/org.apache.hadoop.gateway.deploy.ProviderDeploymentContributor
----------------------------------------------------------------------
diff --git a/gateway-provider-identity-assertion-hadoop-groups/src/main/resources/META-INF/services/org.apache.hadoop.gateway.deploy.ProviderDeploymentContributor
b/gateway-provider-identity-assertion-hadoop-groups/src/main/resources/META-INF/services/org.apache.hadoop.gateway.deploy.ProviderDeploymentContributor
new file mode 100644
index 0000000..5445ddc
--- /dev/null
+++ b/gateway-provider-identity-assertion-hadoop-groups/src/main/resources/META-INF/services/org.apache.hadoop.gateway.deploy.ProviderDeploymentContributor
@@ -0,0 +1,19 @@
+##########################################################################
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+##########################################################################
+
+org.apache.hadoop.gateway.identityasserter.hadoop.groups.filter.HadoopGroupProviderDeploymentContributor
\ No newline at end of file

http://git-wip-us.apache.org/repos/asf/knox/blob/33307d57/gateway-provider-identity-assertion-hadoop-groups/src/test/java/org/apache/hadoop/gateway/identityasserter/hadoop/groups/filter/HadoopGroupProviderDeploymentContributorTest.java
----------------------------------------------------------------------
diff --git a/gateway-provider-identity-assertion-hadoop-groups/src/test/java/org/apache/hadoop/gateway/identityasserter/hadoop/groups/filter/HadoopGroupProviderDeploymentContributorTest.java
b/gateway-provider-identity-assertion-hadoop-groups/src/test/java/org/apache/hadoop/gateway/identityasserter/hadoop/groups/filter/HadoopGroupProviderDeploymentContributorTest.java
new file mode 100644
index 0000000..b146b7c
--- /dev/null
+++ b/gateway-provider-identity-assertion-hadoop-groups/src/test/java/org/apache/hadoop/gateway/identityasserter/hadoop/groups/filter/HadoopGroupProviderDeploymentContributorTest.java
@@ -0,0 +1,54 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.gateway.identityasserter.hadoop.groups.filter;
+
+import static org.hamcrest.MatcherAssert.assertThat;
+import static org.junit.Assert.fail;
+
+import java.util.Iterator;
+import java.util.ServiceLoader;
+
+import org.apache.hadoop.gateway.deploy.ProviderDeploymentContributor;
+import org.junit.Test;
+
+/**
+ * Test for {@link HadoopGroupProviderDeploymentContributor}
+ * @since 0.11
+ */
+public class HadoopGroupProviderDeploymentContributorTest {
+
+  @Test
+  public void testServiceLoader() throws Exception {
+    
+    ServiceLoader<ProviderDeploymentContributor> loader = ServiceLoader
+        .load(ProviderDeploymentContributor.class);
+    
+    Iterator<ProviderDeploymentContributor> iterator = loader.iterator();
+    assertThat("Service iterator empty.", iterator.hasNext());
+    while (iterator.hasNext()) {
+      Object object = iterator.next();
+      if (object instanceof HadoopGroupProviderDeploymentContributor) {
+        return;
+      }
+    }
+    fail("Failed to find "
+        + HadoopGroupProviderDeploymentContributor.class.getName()
+        + " via service loader.");
+  }
+
+}

http://git-wip-us.apache.org/repos/asf/knox/blob/33307d57/gateway-provider-identity-assertion-hadoop-groups/src/test/java/org/apache/hadoop/gateway/identityasserter/hadoop/groups/filter/HadoopGroupProviderFilterTest.java
----------------------------------------------------------------------
diff --git a/gateway-provider-identity-assertion-hadoop-groups/src/test/java/org/apache/hadoop/gateway/identityasserter/hadoop/groups/filter/HadoopGroupProviderFilterTest.java
b/gateway-provider-identity-assertion-hadoop-groups/src/test/java/org/apache/hadoop/gateway/identityasserter/hadoop/groups/filter/HadoopGroupProviderFilterTest.java
new file mode 100644
index 0000000..f4cf77b
--- /dev/null
+++ b/gateway-provider-identity-assertion-hadoop-groups/src/test/java/org/apache/hadoop/gateway/identityasserter/hadoop/groups/filter/HadoopGroupProviderFilterTest.java
@@ -0,0 +1,202 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.gateway.identityasserter.hadoop.groups.filter;
+
+import static org.hamcrest.CoreMatchers.is;
+import static org.hamcrest.MatcherAssert.assertThat;
+
+import java.security.Principal;
+import java.util.Arrays;
+import java.util.List;
+import java.util.Vector;
+
+import javax.security.auth.Subject;
+import javax.servlet.FilterConfig;
+import javax.servlet.ServletException;
+
+import org.apache.hadoop.gateway.security.PrimaryPrincipal;
+import org.apache.hadoop.security.LdapGroupsMapping;
+import org.apache.hadoop.security.ShellBasedUnixGroupsMapping;
+import org.easymock.EasyMock;
+import org.junit.Test;
+
+/**
+ * Test for {@link HadoopGroupProviderFilter}
+ * 
+ * @since 0.11.0
+ */
+public class HadoopGroupProviderFilterTest {
+
+  /**
+   * System username
+   */
+  private static final String failUsername = "highly_unlikely_username_to_have";
+
+  /**
+   * System username
+   */
+  private static final String username = System.getProperty("user.name");
+
+  /**
+   * Configuration object needed by for hadoop classes
+   */
+
+  /**
+   * Hadoop Groups implementation.
+   */
+
+  /* create an instance */
+  public HadoopGroupProviderFilterTest() {
+    super();
+  }
+
+  /**
+   * Test that valid groups are retrieved for a legitimate user.
+   * 
+   * @throws ServletException
+   */
+  @Test
+  public void testGroups() throws ServletException {
+
+    final FilterConfig config = EasyMock.createNiceMock(FilterConfig.class);
+    EasyMock.replay(config);
+
+    final HadoopGroupProviderFilter filter = new HadoopGroupProviderFilter();
+
+    final Subject subject = new Subject();
+    subject.getPrincipals().add(new PrimaryPrincipal(username));
+
+    filter.init(config);
+    final String principal = filter.mapUserPrincipal(
+        ((Principal) subject.getPrincipals(PrimaryPrincipal.class).toArray()[0])
+            .getName());
+    final String[] groups = filter.mapGroupPrincipals(principal, subject);
+
+    assertThat(principal, is(username));
+    assertThat(
+        "No groups assosciated with the user, most likely this is a failure, it is only OK
when 'bash -c groups' command returns 0 groups. ",
+        groups.length > 0);
+
+  }
+
+  /**
+   * Test that no groups are retrieved for a dummy user.
+   * 
+   * @throws ServletException
+   */
+  @Test
+  public void testUnknownUser() throws ServletException {
+
+    final FilterConfig config = EasyMock.createNiceMock(FilterConfig.class);
+    EasyMock.replay(config);
+
+    final HadoopGroupProviderFilter filter = new HadoopGroupProviderFilter();
+
+    final Subject subject = new Subject();
+    subject.getPrincipals().add(new PrimaryPrincipal(failUsername));
+
+    filter.init(config);
+    final String principal = filter.mapUserPrincipal(
+        ((Principal) subject.getPrincipals(PrimaryPrincipal.class).toArray()[0])
+            .getName());
+    final String[] groups = filter.mapGroupPrincipals(principal, subject);
+
+    assertThat(principal, is(failUsername));
+    assertThat(
+        "Somehow groups were found for this user, how is it possible ! check 'bash -c groups'
command ",
+        groups.length == 0);
+
+  }
+
+  /**
+   * Test for a bad config (nonexistent). This test proves, we are not falling
+   * back on {@link ShellBasedUnixGroupsMapping} because we explicitly use
+   * {@link LdapGroupsMapping} and in case of bad config we get empty groups
+   * (Hadoop way).
+   * 
+   * @throws ServletException
+   */
+  @SuppressWarnings({ "unchecked", "rawtypes" })
+  @Test
+  public void badConfigTest() throws ServletException {
+
+    final List<String> keysList = Arrays.asList("hadoop.security.group.mapping",
+        "hadoop.security.group.mapping.ldap.bind.user",
+        "hadoop.security.group.mapping.ldap.bind.password",
+        "hadoop.security.group.mapping.ldap.url",
+        "hadoop.security.group.mapping.ldap.search.filter.group",
+        "hadoop.security.group.mapping.ldap.search.attr.member",
+        "hadoop.security.group.mapping.ldap.search.filter.user");
+
+    final FilterConfig config = EasyMock.createNiceMock(FilterConfig.class);
+
+    EasyMock.expect(config.getInitParameter("hadoop.security.group.mapping"))
+        .andReturn("org.apache.hadoop.security.LdapGroupsMapping").anyTimes();
+    EasyMock
+        .expect(config
+            .getInitParameter("hadoop.security.group.mapping.ldap.bind.user"))
+        .andReturn("uid=dummy,ou=people,dc=hadoop,dc=apache,dc=org").anyTimes();
+    EasyMock
+        .expect(config.getInitParameter(
+            "hadoop.security.group.mapping.ldap.bind.password"))
+        .andReturn("unbind-me-please").anyTimes();
+    EasyMock
+        .expect(
+            config.getInitParameter("hadoop.security.group.mapping.ldap.url"))
+        .andReturn("ldap://nomansland:33389").anyTimes();
+    EasyMock
+        .expect(config.getInitParameter(
+            "hadoop.security.group.mapping.ldap.search.filter.group"))
+        .andReturn("(objectclass=groupOfNames)").anyTimes();
+    EasyMock
+        .expect(config.getInitParameter(
+            "hadoop.security.group.mapping.ldap.search.attr.member"))
+        .andReturn("member").anyTimes();
+    EasyMock
+        .expect(config.getInitParameter(
+            "hadoop.security.group.mapping.ldap.search.filter.user"))
+        .andReturn(
+            "(&amp;(|(objectclass=person)(objectclass=applicationProcess))(cn={0}))")
+        .anyTimes();
+    EasyMock.expect(config.getInitParameterNames())
+        .andReturn(new Vector(keysList).elements()).anyTimes();
+
+    EasyMock.replay(config);
+
+    final HadoopGroupProviderFilter filter = new HadoopGroupProviderFilter();
+
+    final Subject subject = new Subject();
+    subject.getPrincipals().add(new PrimaryPrincipal(username));
+
+    filter.init(config);
+    final String principal = filter.mapUserPrincipal(
+        ((Principal) subject.getPrincipals(PrimaryPrincipal.class).toArray()[0])
+            .getName());
+    final String[] groups = filter.mapGroupPrincipals(principal, subject);
+
+    assertThat(principal, is(username));
+
+    /*
+     * Unfortunately, Hadoop does not let us know what went wrong all we get is
+     * empty groups
+     */
+    assertThat(groups.length, is(0));
+
+  }
+
+}
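Review bot: In `badConfigTest` the user search filter is written as `"(&amp;(|(objectclass=person)(objectclass=applicationProcess))(cn={0}))"`; inside a Java string literal `&amp;` is not unescaped, so the value is not the LDAP filter it was presumably copied from, and it should read `"(&(|(objectclass=person)(objectclass=applicationProcess))(cn={0}))"`. The test still passes because it only expects an empty result, and it presumably tries to reach `ldap://nomansland:33389`, so its outcome and duration depend on name resolution in the build environment. `testGroups` (and `testLocalGroups` in HadoopGroupsTest) assert that the OS account running the build has at least one group, which may not hold in minimal containers or on non-Unix hosts; a comment stating that assumption, or an `Assume` guard, would make failures easier to read. The two empty Javadoc blocks left after the `username` field can be removed.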

http://git-wip-us.apache.org/repos/asf/knox/blob/33307d57/gateway-provider-identity-assertion-hadoop-groups/src/test/java/org/apache/hadoop/gateway/identityasserter/hadoop/groups/filter/HadoopGroupsTest.java
----------------------------------------------------------------------
diff --git a/gateway-provider-identity-assertion-hadoop-groups/src/test/java/org/apache/hadoop/gateway/identityasserter/hadoop/groups/filter/HadoopGroupsTest.java
b/gateway-provider-identity-assertion-hadoop-groups/src/test/java/org/apache/hadoop/gateway/identityasserter/hadoop/groups/filter/HadoopGroupsTest.java
new file mode 100644
index 0000000..fee2438
--- /dev/null
+++ b/gateway-provider-identity-assertion-hadoop-groups/src/test/java/org/apache/hadoop/gateway/identityasserter/hadoop/groups/filter/HadoopGroupsTest.java
@@ -0,0 +1,85 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.gateway.identityasserter.hadoop.groups.filter;
+
+import static org.hamcrest.MatcherAssert.assertThat;
+
+import java.util.List;
+
+import org.apache.hadoop.conf.Configuration;
+import org.apache.hadoop.security.Groups;
+import org.junit.Before;
+import org.junit.Test;
+
+/**
+ * Test Hadoop {@link Groups} class. Basically to make sure that the
+ * interface we depend on does not change.
+ * 
+ * @since 0.11.0
+ */
+public class HadoopGroupsTest {
+
+  /**
+   * Use the default group mapping
+   */
+  public static final String GROUP_MAPPING = "org.apache.hadoop.security.JniBasedUnixGroupsMappingWithFallback";
+
+  /**
+   * Username
+   */
+  private String username;
+
+  /**
+   * Configuration object needed by for hadoop classes
+   */
+  private Configuration hadoopConfig;
+
+  /**
+   * Hadoop Groups implementation.
+   */
+  private Groups hadoopGroups;
+
+  /* create instance */
+  public HadoopGroupsTest() {
+    super();
+  }
+
+  @Before
+  public void init() {
+    username = System.getProperty("user.name");
+
+    hadoopConfig = new Configuration(false);
+
+    hadoopConfig.set("hadoop.security.group.mapping", GROUP_MAPPING);
+
+    hadoopGroups = new Groups(hadoopConfig);
+
+  }
+
+  /**
+   * Test Groups on the machine running the unit test.
+   */
+  @Test
+  public void testLocalGroups() throws Exception {
+
+    final List<String> groupList = hadoopGroups.getGroups(username);
+
+    assertThat("No groups found for user " + username, !groupList.isEmpty());
+
+  }
+}

http://git-wip-us.apache.org/repos/asf/knox/blob/33307d57/gateway-release/pom.xml
----------------------------------------------------------------------
diff --git a/gateway-release/pom.xml b/gateway-release/pom.xml
index e51c1fe..0012e9b 100644
--- a/gateway-release/pom.xml
+++ b/gateway-release/pom.xml
@@ -264,6 +264,10 @@
         </dependency>
         <dependency>
             <groupId>${gateway-group}</groupId>
+            <artifactId>gateway-provider-identity-assertion-hadoop-groups</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>${gateway-group}</groupId>
             <artifactId>gateway-provider-identity-assertion-regex</artifactId>
         </dependency>
         <dependency>

http://git-wip-us.apache.org/repos/asf/knox/blob/33307d57/pom.xml
----------------------------------------------------------------------
diff --git a/pom.xml b/pom.xml
index 47b79c0..b27858f 100644
--- a/pom.xml
+++ b/pom.xml
@@ -63,6 +63,7 @@
         <module>gateway-provider-security-authc-anon</module>
         <module>gateway-provider-identity-assertion-common</module>
         <module>gateway-provider-identity-assertion-concat</module>
+        <module>gateway-provider-identity-assertion-hadoop-groups</module>
         <module>gateway-provider-identity-assertion-regex</module>
         <module>gateway-provider-identity-assertion-switchcase</module>
         <module>gateway-provider-security-picketlink</module>
@@ -506,6 +507,11 @@
             </dependency>
             <dependency>
                 <groupId>${gateway-group}</groupId>
+                <artifactId>gateway-provider-identity-assertion-hadoop-groups</artifactId>
+                <version>${gateway-version}</version>
+            </dependency>
+            <dependency>
+                <groupId>${gateway-group}</groupId>
                 <artifactId>gateway-provider-identity-assertion-regex</artifactId>
                 <version>${gateway-version}</version>
             </dependency>

