TestKMSWithZK.java

/**
 * Licensed to the Apache Software Foundation (ASF) under one
 * or more contributor license agreements.  See the NOTICE file
 * distributed with this work for additional information
 * regarding copyright ownership.  The ASF licenses this file
 * to you under the Apache License, Version 2.0 (the
 * "License"); you may not use this file except in compliance
 * with the License.  You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
package org.apache.hadoop.crypto.key.kms.server;

import static org.junit.jupiter.api.Assertions.assertEquals;

import org.apache.curator.test.TestingServer;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.crypto.key.kms.KMSRESTConstants;
import org.apache.hadoop.fs.Path;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.security.authentication.server.AuthenticationFilter;
import org.apache.hadoop.security.authentication.util.ZKSignerSecretProvider;
import org.apache.hadoop.security.token.delegation.web.DelegationTokenAuthenticatedURL;
import org.junit.jupiter.api.Test;

import java.io.File;
import java.net.HttpURLConnection;
import java.net.URL;
import java.security.PrivilegedExceptionAction;

public class TestKMSWithZK {

  protected Configuration createBaseKMSConf(File keyStoreDir) throws Exception {
    Configuration conf = new Configuration(false);
    conf.set(KMSConfiguration.KEY_PROVIDER_URI,
        "jceks://file@" + new Path(keyStoreDir.getAbsolutePath(),
            "kms.keystore").toUri());
    conf.set("hadoop.kms.authentication.type", "simple");
    conf.setBoolean(KMSConfiguration.KEY_AUTHORIZATION_ENABLE, false);

    conf.set(KMSACLs.Type.GET_KEYS.getAclConfigKey(), "foo");
    return conf;
  }

  @Test
  public void testMultipleKMSInstancesWithZKSigner() throws Exception {
    final File testDir = TestKMS.getTestDir();
    Configuration conf = createBaseKMSConf(testDir);

    TestingServer zkServer = new TestingServer();
    zkServer.start();

    MiniKMS kms1 = null;
    MiniKMS kms2 = null;

    conf.set(KMSAuthenticationFilter.CONFIG_PREFIX +
        AuthenticationFilter.SIGNER_SECRET_PROVIDER, "zookeeper");
    conf.set(KMSAuthenticationFilter.CONFIG_PREFIX +
            ZKSignerSecretProvider.ZOOKEEPER_CONNECTION_STRING,
        zkServer.getConnectString());
    conf.set(KMSAuthenticationFilter.CONFIG_PREFIX +
            ZKSignerSecretProvider.ZOOKEEPER_PATH, "/secret");
    TestKMS.writeConf(testDir, conf);

    try {
      kms1 = new MiniKMS.Builder()
          .setKmsConfDir(testDir).setLog4jConfFile("log4j.properties").build();
      kms1.start();

      kms2 = new MiniKMS.Builder()
          .setKmsConfDir(testDir).setLog4jConfFile("log4j.properties").build();
      kms2.start();

      final URL url1 = new URL(kms1.getKMSUrl().toExternalForm() +
          KMSRESTConstants.SERVICE_VERSION +  "/" +
          KMSRESTConstants.KEYS_NAMES_RESOURCE);
      final URL url2 = new URL(kms2.getKMSUrl().toExternalForm() +
          KMSRESTConstants.SERVICE_VERSION + "/" +
          KMSRESTConstants.KEYS_NAMES_RESOURCE);

      final DelegationTokenAuthenticatedURL.Token token =
          new DelegationTokenAuthenticatedURL.Token();
      final DelegationTokenAuthenticatedURL aUrl =
          new DelegationTokenAuthenticatedURL();

      UserGroupInformation ugiFoo = UserGroupInformation.createUserForTesting(
          "foo", new String[]{"gfoo"});
      UserGroupInformation ugiBar = UserGroupInformation.createUserForTesting(
          "bar", new String[]{"gBar"});

      ugiFoo.doAs(new PrivilegedExceptionAction<Object>() {
        @Override
        public Object run() throws Exception {
          HttpURLConnection conn = aUrl.openConnection(url1, token);
          assertEquals(HttpURLConnection.HTTP_OK,
              conn.getResponseCode());
          return null;
        }
      });

      ugiBar.doAs(new PrivilegedExceptionAction<Object>() {
        @Override
        public Object run() throws Exception {
          HttpURLConnection conn = aUrl.openConnection(url2, token);
          assertEquals(HttpURLConnection.HTTP_OK,
              conn.getResponseCode());
          return null;
        }
      });

      ugiBar.doAs(new PrivilegedExceptionAction<Object>() {
        @Override
        public Object run() throws Exception {
          final DelegationTokenAuthenticatedURL.Token emptyToken =
              new DelegationTokenAuthenticatedURL.Token();
          HttpURLConnection conn = aUrl.openConnection(url2, emptyToken);
          assertEquals(HttpURLConnection.HTTP_FORBIDDEN,
              conn.getResponseCode());
          return null;
        }
      });

    } finally {
      if (kms2 != null) {
        kms2.stop();
      }
      if (kms1 != null) {
        kms1.stop();
      }
      zkServer.stop();
    }

  }

}