HDFS-6509 addendum, extra file
git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/branches/fs-encryption@1614491 13f79535-47bb-0310-9956-ffa450edef68
This commit is contained in:
parent
407bb3d3e4
commit
3a90228c30
@ -0,0 +1,348 @@
|
||||
/**
|
||||
* Licensed to the Apache Software Foundation (ASF) under one
|
||||
* or more contributor license agreements. See the NOTICE file
|
||||
* distributed with this work for additional information
|
||||
* regarding copyright ownership. The ASF licenses this file
|
||||
* to you under the Apache License, Version 2.0 (the
|
||||
* "License"); you may not use this file except in compliance
|
||||
* with the License. You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
package org.apache.hadoop.hdfs;
|
||||
|
||||
import java.io.File;
|
||||
import java.io.FileNotFoundException;
|
||||
import java.io.IOException;
|
||||
import java.security.PrivilegedExceptionAction;
|
||||
|
||||
import org.apache.hadoop.conf.Configuration;
|
||||
import org.apache.hadoop.crypto.key.JavaKeyStoreProvider;
|
||||
import org.apache.hadoop.crypto.key.KeyProviderFactory;
|
||||
import org.apache.hadoop.fs.FileContext;
|
||||
import org.apache.hadoop.fs.FileContextTestWrapper;
|
||||
import org.apache.hadoop.fs.FileStatus;
|
||||
import org.apache.hadoop.fs.FileSystemTestHelper;
|
||||
import org.apache.hadoop.fs.FileSystemTestWrapper;
|
||||
import org.apache.hadoop.fs.Path;
|
||||
import org.apache.hadoop.fs.permission.FsPermission;
|
||||
import org.apache.hadoop.hdfs.client.HdfsAdmin;
|
||||
import org.apache.hadoop.hdfs.server.namenode.EncryptionZoneManager;
|
||||
import org.apache.hadoop.security.AccessControlException;
|
||||
import org.apache.hadoop.security.UserGroupInformation;
|
||||
import org.apache.log4j.Level;
|
||||
import org.apache.log4j.Logger;
|
||||
import org.junit.After;
|
||||
import org.junit.Before;
|
||||
import org.junit.Test;
|
||||
|
||||
import static org.apache.hadoop.hdfs.DFSTestUtil.verifyFilesEqual;
|
||||
import static org.apache.hadoop.hdfs.DFSTestUtil.verifyFilesNotEqual;
|
||||
import static org.apache.hadoop.test.GenericTestUtils.assertExceptionContains;
|
||||
import static org.apache.hadoop.test.GenericTestUtils.assertMatches;
|
||||
import static org.junit.Assert.assertEquals;
|
||||
import static org.junit.Assert.fail;
|
||||
|
||||
public class TestReservedRawPaths {
|
||||
|
||||
private Configuration conf;
|
||||
private FileSystemTestHelper fsHelper;
|
||||
|
||||
private MiniDFSCluster cluster;
|
||||
private HdfsAdmin dfsAdmin;
|
||||
private DistributedFileSystem fs;
|
||||
|
||||
protected FileSystemTestWrapper fsWrapper;
|
||||
protected FileContextTestWrapper fcWrapper;
|
||||
|
||||
@Before
|
||||
public void setup() throws IOException {
|
||||
conf = new HdfsConfiguration();
|
||||
fsHelper = new FileSystemTestHelper();
|
||||
// Set up java key store
|
||||
String testRoot = fsHelper.getTestRootDir();
|
||||
File testRootDir = new File(testRoot).getAbsoluteFile();
|
||||
conf.set(KeyProviderFactory.KEY_PROVIDER_PATH,
|
||||
JavaKeyStoreProvider.SCHEME_NAME + "://file" + testRootDir + "/test.jks"
|
||||
);
|
||||
cluster = new MiniDFSCluster.Builder(conf).numDataNodes(1).build();
|
||||
Logger.getLogger(EncryptionZoneManager.class).setLevel(Level.TRACE);
|
||||
fs = cluster.getFileSystem();
|
||||
fsWrapper = new FileSystemTestWrapper(cluster.getFileSystem());
|
||||
fcWrapper = new FileContextTestWrapper(
|
||||
FileContext.getFileContext(cluster.getURI(), conf));
|
||||
dfsAdmin = new HdfsAdmin(cluster.getURI(), conf);
|
||||
// Need to set the client's KeyProvider to the NN's for JKS,
|
||||
// else the updates do not get flushed properly
|
||||
fs.getClient().provider = cluster.getNameNode().getNamesystem()
|
||||
.getProvider();
|
||||
}
|
||||
|
||||
@After
|
||||
public void teardown() {
|
||||
if (cluster != null) {
|
||||
cluster.shutdown();
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Basic read/write tests of raw files.
|
||||
* Create a non-encrypted file
|
||||
* Create an encryption zone
|
||||
* Verify that non-encrypted file contents and decrypted file in EZ are equal
|
||||
* Compare the raw encrypted bytes of the file with the decrypted version to
|
||||
* ensure they're different
|
||||
* Compare the raw and non-raw versions of the non-encrypted file to ensure
|
||||
* they're the same.
|
||||
*/
|
||||
@Test(timeout = 120000)
|
||||
public void testReadWriteRaw() throws Exception {
|
||||
// Create a base file for comparison
|
||||
final Path baseFile = new Path("/base");
|
||||
final int len = 8192;
|
||||
DFSTestUtil.createFile(fs, baseFile, len, (short) 1, 0xFEED);
|
||||
// Create the first enc file
|
||||
final Path zone = new Path("/zone");
|
||||
fs.mkdirs(zone);
|
||||
dfsAdmin.createEncryptionZone(zone, null);
|
||||
final Path encFile1 = new Path(zone, "myfile");
|
||||
DFSTestUtil.createFile(fs, encFile1, len, (short) 1, 0xFEED);
|
||||
// Read them back in and compare byte-by-byte
|
||||
verifyFilesEqual(fs, baseFile, encFile1, len);
|
||||
// Raw file should be different from encrypted file
|
||||
final Path encFile1Raw = new Path(zone, "/.reserved/raw/zone/myfile");
|
||||
verifyFilesNotEqual(fs, encFile1Raw, encFile1, len);
|
||||
// Raw file should be same as /base which is not in an EZ
|
||||
final Path baseFileRaw = new Path(zone, "/.reserved/raw/base");
|
||||
verifyFilesEqual(fs, baseFile, baseFileRaw, len);
|
||||
}
|
||||
|
||||
private void assertPathEquals(Path p1, Path p2) throws IOException {
|
||||
final FileStatus p1Stat = fs.getFileStatus(p1);
|
||||
final FileStatus p2Stat = fs.getFileStatus(p2);
|
||||
|
||||
/*
|
||||
* Use accessTime and modificationTime as substitutes for INode to check
|
||||
* for resolution to the same underlying file.
|
||||
*/
|
||||
assertEquals("Access times not equal", p1Stat.getAccessTime(),
|
||||
p2Stat.getAccessTime());
|
||||
assertEquals("Modification times not equal", p1Stat.getModificationTime(),
|
||||
p2Stat.getModificationTime());
|
||||
assertEquals("pathname1 not equal", p1,
|
||||
Path.getPathWithoutSchemeAndAuthority(p1Stat.getPath()));
|
||||
assertEquals("pathname1 not equal", p2,
|
||||
Path.getPathWithoutSchemeAndAuthority(p2Stat.getPath()));
|
||||
}
|
||||
|
||||
/**
|
||||
* Tests that getFileStatus on raw and non raw resolve to the same
|
||||
* file.
|
||||
*/
|
||||
@Test(timeout = 120000)
|
||||
public void testGetFileStatus() throws Exception {
|
||||
final Path zone = new Path("zone");
|
||||
final Path slashZone = new Path("/", zone);
|
||||
fs.mkdirs(slashZone);
|
||||
dfsAdmin.createEncryptionZone(slashZone, null);
|
||||
|
||||
final Path base = new Path("base");
|
||||
final Path reservedRaw = new Path("/.reserved/raw");
|
||||
final Path baseRaw = new Path(reservedRaw, base);
|
||||
final int len = 8192;
|
||||
DFSTestUtil.createFile(fs, baseRaw, len, (short) 1, 0xFEED);
|
||||
assertPathEquals(new Path("/", base), baseRaw);
|
||||
|
||||
/* Repeat the test for a file in an ez. */
|
||||
final Path ezEncFile = new Path(slashZone, base);
|
||||
final Path ezRawEncFile =
|
||||
new Path(new Path(reservedRaw, zone), base);
|
||||
DFSTestUtil.createFile(fs, ezEncFile, len, (short) 1, 0xFEED);
|
||||
assertPathEquals(ezEncFile, ezRawEncFile);
|
||||
}
|
||||
|
||||
@Test(timeout = 120000)
|
||||
public void testReservedRoot() throws Exception {
|
||||
final Path root = new Path("/");
|
||||
final Path rawRoot = new Path("/.reserved/raw");
|
||||
final Path rawRootSlash = new Path("/.reserved/raw/");
|
||||
assertPathEquals(root, rawRoot);
|
||||
assertPathEquals(root, rawRootSlash);
|
||||
}
|
||||
|
||||
/* Verify mkdir works ok in .reserved/raw directory. */
|
||||
@Test(timeout = 120000)
|
||||
public void testReservedRawMkdir() throws Exception {
|
||||
final Path zone = new Path("zone");
|
||||
final Path slashZone = new Path("/", zone);
|
||||
fs.mkdirs(slashZone);
|
||||
dfsAdmin.createEncryptionZone(slashZone, null);
|
||||
final Path rawRoot = new Path("/.reserved/raw");
|
||||
final Path dir1 = new Path("dir1");
|
||||
final Path rawDir1 = new Path(rawRoot, dir1);
|
||||
fs.mkdirs(rawDir1);
|
||||
assertPathEquals(rawDir1, new Path("/", dir1));
|
||||
fs.delete(rawDir1, true);
|
||||
final Path rawZone = new Path(rawRoot, zone);
|
||||
final Path rawDir1EZ = new Path(rawZone, dir1);
|
||||
fs.mkdirs(rawDir1EZ);
|
||||
assertPathEquals(rawDir1EZ, new Path(slashZone, dir1));
|
||||
fs.delete(rawDir1EZ, true);
|
||||
}
|
||||
|
||||
@Test(timeout = 120000)
|
||||
public void testRelativePathnames() throws Exception {
|
||||
final Path baseFileRaw = new Path("/.reserved/raw/base");
|
||||
final int len = 8192;
|
||||
DFSTestUtil.createFile(fs, baseFileRaw, len, (short) 1, 0xFEED);
|
||||
|
||||
final Path root = new Path("/");
|
||||
final Path rawRoot = new Path("/.reserved/raw");
|
||||
assertPathEquals(root, new Path(rawRoot, "../raw"));
|
||||
assertPathEquals(root, new Path(rawRoot, "../../.reserved/raw"));
|
||||
assertPathEquals(baseFileRaw, new Path(rawRoot, "../raw/base"));
|
||||
assertPathEquals(baseFileRaw, new Path(rawRoot,
|
||||
"../../.reserved/raw/base"));
|
||||
assertPathEquals(baseFileRaw, new Path(rawRoot,
|
||||
"../../.reserved/raw/base/../base"));
|
||||
assertPathEquals(baseFileRaw, new Path(
|
||||
"/.reserved/../.reserved/raw/../raw/base"));
|
||||
}
|
||||
|
||||
@Test(timeout = 120000)
|
||||
public void testAdminAccessOnly() throws Exception {
|
||||
final Path zone = new Path("zone");
|
||||
final Path slashZone = new Path("/", zone);
|
||||
fs.mkdirs(slashZone);
|
||||
dfsAdmin.createEncryptionZone(slashZone, null);
|
||||
final Path base = new Path("base");
|
||||
final Path reservedRaw = new Path("/.reserved/raw");
|
||||
final int len = 8192;
|
||||
|
||||
/* Test failure of create file in reserved/raw as non admin */
|
||||
final UserGroupInformation user = UserGroupInformation.
|
||||
createUserForTesting("user", new String[] { "mygroup" });
|
||||
user.doAs(new PrivilegedExceptionAction<Object>() {
|
||||
@Override
|
||||
public Object run() throws Exception {
|
||||
final DistributedFileSystem fs = cluster.getFileSystem();
|
||||
try {
|
||||
final Path ezRawEncFile =
|
||||
new Path(new Path(reservedRaw, zone), base);
|
||||
DFSTestUtil.createFile(fs, ezRawEncFile, len, (short) 1, 0xFEED);
|
||||
fail("access to /.reserved/raw is superuser-only operation");
|
||||
} catch (AccessControlException e) {
|
||||
assertExceptionContains("Superuser privilege is required", e);
|
||||
}
|
||||
return null;
|
||||
}
|
||||
});
|
||||
|
||||
/* Test failure of getFileStatus in reserved/raw as non admin */
|
||||
final Path ezRawEncFile = new Path(new Path(reservedRaw, zone), base);
|
||||
DFSTestUtil.createFile(fs, ezRawEncFile, len, (short) 1, 0xFEED);
|
||||
user.doAs(new PrivilegedExceptionAction<Object>() {
|
||||
@Override
|
||||
public Object run() throws Exception {
|
||||
final DistributedFileSystem fs = cluster.getFileSystem();
|
||||
try {
|
||||
fs.getFileStatus(ezRawEncFile);
|
||||
fail("access to /.reserved/raw is superuser-only operation");
|
||||
} catch (AccessControlException e) {
|
||||
assertExceptionContains("Superuser privilege is required", e);
|
||||
}
|
||||
return null;
|
||||
}
|
||||
});
|
||||
|
||||
/* Test failure of listStatus in reserved/raw as non admin */
|
||||
user.doAs(new PrivilegedExceptionAction<Object>() {
|
||||
@Override
|
||||
public Object run() throws Exception {
|
||||
final DistributedFileSystem fs = cluster.getFileSystem();
|
||||
try {
|
||||
fs.listStatus(ezRawEncFile);
|
||||
fail("access to /.reserved/raw is superuser-only operation");
|
||||
} catch (AccessControlException e) {
|
||||
assertExceptionContains("Superuser privilege is required", e);
|
||||
}
|
||||
return null;
|
||||
}
|
||||
});
|
||||
|
||||
fs.setPermission(new Path("/"), new FsPermission((short) 0777));
|
||||
/* Test failure of mkdir in reserved/raw as non admin */
|
||||
user.doAs(new PrivilegedExceptionAction<Object>() {
|
||||
@Override
|
||||
public Object run() throws Exception {
|
||||
final DistributedFileSystem fs = cluster.getFileSystem();
|
||||
final Path d1 = new Path(reservedRaw, "dir1");
|
||||
try {
|
||||
fs.mkdirs(d1);
|
||||
fail("access to /.reserved/raw is superuser-only operation");
|
||||
} catch (AccessControlException e) {
|
||||
assertExceptionContains("Superuser privilege is required", e);
|
||||
}
|
||||
return null;
|
||||
}
|
||||
});
|
||||
}
|
||||
|
||||
@Test(timeout = 120000)
|
||||
public void testListDotReserved() throws Exception {
|
||||
// Create a base file for comparison
|
||||
final Path baseFileRaw = new Path("/.reserved/raw/base");
|
||||
final int len = 8192;
|
||||
DFSTestUtil.createFile(fs, baseFileRaw, len, (short) 1, 0xFEED);
|
||||
|
||||
/*
|
||||
* Ensure that you can't list /.reserved. Ever.
|
||||
*/
|
||||
try {
|
||||
fs.listStatus(new Path("/.reserved"));
|
||||
fail("expected FNFE");
|
||||
} catch (FileNotFoundException e) {
|
||||
assertExceptionContains("/.reserved does not exist", e);
|
||||
}
|
||||
|
||||
try {
|
||||
fs.listStatus(new Path("/.reserved/.inodes"));
|
||||
fail("expected FNFE");
|
||||
} catch (FileNotFoundException e) {
|
||||
assertExceptionContains(
|
||||
"/.reserved/.inodes does not exist", e);
|
||||
}
|
||||
|
||||
final FileStatus[] fileStatuses = fs.listStatus(new Path("/.reserved/raw"));
|
||||
assertEquals("expected 1 entry", fileStatuses.length, 1);
|
||||
assertMatches(fileStatuses[0].getPath().toString(), "/.reserved/raw/base");
|
||||
}
|
||||
|
||||
@Test(timeout = 120000)
|
||||
public void testListRecursive() throws Exception {
|
||||
Path rootPath = new Path("/");
|
||||
Path p = rootPath;
|
||||
for (int i = 0; i < 3; i++) {
|
||||
p = new Path(p, "dir" + i);
|
||||
fs.mkdirs(p);
|
||||
}
|
||||
|
||||
Path curPath = new Path("/.reserved/raw");
|
||||
int cnt = 0;
|
||||
FileStatus[] fileStatuses = fs.listStatus(curPath);
|
||||
while (fileStatuses != null && fileStatuses.length > 0) {
|
||||
FileStatus f = fileStatuses[0];
|
||||
assertMatches(f.getPath().toString(), "/.reserved/raw");
|
||||
curPath = Path.getPathWithoutSchemeAndAuthority(f.getPath());
|
||||
cnt++;
|
||||
fileStatuses = fs.listStatus(curPath);
|
||||
}
|
||||
assertEquals(3, cnt);
|
||||
}
|
||||
}
|
Loading…
Reference in New Issue
Block a user