diff --git a/hadoop-common-project/hadoop-common/CHANGES.txt b/hadoop-common-project/hadoop-common/CHANGES.txt
index 9d73cfd4bc..5ed558f9f9 100644
--- a/hadoop-common-project/hadoop-common/CHANGES.txt
+++ b/hadoop-common-project/hadoop-common/CHANGES.txt
@@ -49,6 +49,9 @@ Trunk (unreleased changes)
HADOOP-8108. Move method getHostPortString() from NameNode to NetUtils.
(Brandon Li via jitendra)
+ HADOOP-8078. Add capability to turn on security in unit tests. (Jaimin Jetly
+ via jitendra)
+
BUG FIXES
HADOOP-8018. Hudson auto test for HDFS has started throwing javadoc
diff --git a/hadoop-common-project/hadoop-common/pom.xml b/hadoop-common-project/hadoop-common/pom.xml
index bfd9da8938..12d98c6e90 100644
--- a/hadoop-common-project/hadoop-common/pom.xml
+++ b/hadoop-common-project/hadoop-common/pom.xml
@@ -31,11 +31,12 @@
/usr/local
${snappy.prefix}/lib
false
-
+ src/test/resources/kdc
common
true
+
org.apache.hadoop
@@ -92,7 +93,6 @@
jetty-util
compile
-
asm
asm
@@ -113,7 +113,6 @@
jersey-server
compile
-
tomcat
jasper-compiler
@@ -268,6 +267,16 @@
+
+ org.apache.maven.plugins
+ maven-surefire-plugin
+
+
+ ${startKdc}
+ ${kdc.resource.dir}
+
+
+
org.apache.avro
avro-maven-plugin
@@ -617,5 +626,87 @@
+
+
+
+ startKdc
+
+
+ startKdc
+ true
+
+
+
+
+
+ org.apache.maven.plugins
+ maven-enforcer-plugin
+
+
+ enforce-os
+
+ enforce
+
+
+
+
+
+ mac
+ unix
+
+
+ true
+
+
+
+
+
+ org.apache.maven.plugins
+ maven-antrun-plugin
+
+
+ compile
+ compile
+
+ run
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ killKdc
+ test
+
+ run
+
+
+
+
+
+
+
+
+
+
+
+
+
+
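Review bot: The `killKdc` execution is bound to the `test` phase, so it appears to run only after surefire has finished in that phase. If a test fails, the build stops before it, and whatever the execution bound to `compile` launched (presumably the KDC) would be left running on the build host. The XML markup of this hunk is not readable here, so this is inferred from the execution ids and phases alone. Consider having the start step stop any stale instance before launching a new one, or moving start and stop into test fixtures so that the stop runs regardless of the test outcome.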
diff --git a/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/TestUGIWithSecurityOn.java b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/TestUGIWithSecurityOn.java
new file mode 100644
index 0000000000..3dc69783df
--- /dev/null
+++ b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/TestUGIWithSecurityOn.java
@@ -0,0 +1,77 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with this
+ * work for additional information regarding copyright ownership. The ASF
+ * licenses this file to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+ * License for the specific language governing permissions and limitations under
+ * the License.
+ */
+package org.apache.hadoop.security;
+
+import java.io.IOException;
+
+import junit.framework.Assert;
+
+import org.apache.hadoop.conf.Configuration;
+import org.apache.hadoop.fs.CommonConfigurationKeys;
+import org.apache.hadoop.security.UserGroupInformation.AuthenticationMethod;
+import org.junit.Assume;
+import org.junit.Before;
+import org.junit.Test;
+
+public class TestUGIWithSecurityOn {
+
+ public static boolean isKdcRunning() {
+ String startKdc = System.getProperty("startKdc");
+ if(startKdc == null || !startKdc.equals("true")) {
+ return false;
+ }
+ return true;
+ }
+
+ @Before
+ public void testKdcRunning() {
+ //Tests are skipped if KDC is not running
+ Assume.assumeTrue(isKdcRunning());
+ }
+ @Test
+ public void testLogin() throws IOException {
+ String nn1keyTabFilepath = System.getProperty("kdc.resource.dir")
+ + "/keytabs/nn1.keytab";
+ String user1keyTabFilepath = System.getProperty("kdc.resource.dir")
+ + "/keytabs/user1.keytab";
+ Configuration conf = new Configuration();
+ conf.set(CommonConfigurationKeys.HADOOP_SECURITY_AUTHENTICATION,
+ "kerberos");
+ UserGroupInformation.setConfiguration(conf);
+
+ UserGroupInformation ugiNn = UserGroupInformation
+ .loginUserFromKeytabAndReturnUGI("nn1/localhost@EXAMPLE.COM",
+ nn1keyTabFilepath);
+ UserGroupInformation ugiDn = UserGroupInformation
+ .loginUserFromKeytabAndReturnUGI("user1@EXAMPLE.COM",
+ user1keyTabFilepath);
+
+ Assert.assertEquals(AuthenticationMethod.KERBEROS,
+ ugiNn.getAuthenticationMethod());
+ Assert.assertEquals(AuthenticationMethod.KERBEROS,
+ ugiDn.getAuthenticationMethod());
+
+ try {
+ UserGroupInformation
+ .loginUserFromKeytabAndReturnUGI("bogus@EXAMPLE.COM",
+ nn1keyTabFilepath);
+ Assert.fail("Login should have failed");
+ } catch (Exception ex) {
+ ex.printStackTrace();
+ }
+ }
+}
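Review bot: The negative case at the end of `testLogin` catches any `Exception`, so an unrelated runtime error inside the login path (a `NullPointerException`, say) would be counted as the expected rejection of the bogus principal. The method already declares `throws IOException`, so the handler can be narrowed to `catch (IOException ex)`, with `ex.printStackTrace()` replaced by a short comment that the failure is expected. Separately, `UserGroupInformation.setConfiguration(conf)` switches the static UGI configuration to `kerberos` and nothing restores it, which may affect other tests if they share the JVM. An `@After` method that calls `UserGroupInformation.setConfiguration(new Configuration())` would contain that.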
diff --git a/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/authorize/TestAccessControlList.java b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/authorize/TestAccessControlList.java
index 036395ea7f..39ff6808fe 100644
--- a/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/authorize/TestAccessControlList.java
+++ b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/authorize/TestAccessControlList.java
@@ -384,10 +384,10 @@ public class TestAccessControlList {
assertTrue(acl.isAllAllowed());
UserGroupInformation drwho =
- UserGroupInformation.createUserForTesting("drwho@APACHE.ORG",
+ UserGroupInformation.createUserForTesting("drwho@EXAMPLE.COM",
new String[] { "aliens" });
UserGroupInformation drwho2 =
- UserGroupInformation.createUserForTesting("drwho2@APACHE.ORG",
+ UserGroupInformation.createUserForTesting("drwho2@EXAMPLE.COM",
new String[] { "tardis" });
acl.addUser("drwho");
@@ -413,16 +413,16 @@ public class TestAccessControlList {
AccessControlList acl;
UserGroupInformation drwho =
- UserGroupInformation.createUserForTesting("drwho@APACHE.ORG",
+ UserGroupInformation.createUserForTesting("drwho@EXAMPLE.COM",
new String[] { "aliens", "humanoids", "timelord" });
UserGroupInformation susan =
- UserGroupInformation.createUserForTesting("susan@APACHE.ORG",
+ UserGroupInformation.createUserForTesting("susan@EXAMPLE.COM",
new String[] { "aliens", "humanoids", "timelord" });
UserGroupInformation barbara =
- UserGroupInformation.createUserForTesting("barbara@APACHE.ORG",
+ UserGroupInformation.createUserForTesting("barbara@EXAMPLE.COM",
new String[] { "humans", "teachers" });
UserGroupInformation ian =
- UserGroupInformation.createUserForTesting("ian@APACHE.ORG",
+ UserGroupInformation.createUserForTesting("ian@EXAMPLE.COM",
new String[] { "humans", "teachers" });
acl = new AccessControlList("drwho humanoids");
diff --git a/hadoop-common-project/hadoop-common/src/test/resources/kdc/keytabs/dn1.keytab b/hadoop-common-project/hadoop-common/src/test/resources/kdc/keytabs/dn1.keytab
new file mode 100644
index 0000000000..d503bb299e
Binary files /dev/null and b/hadoop-common-project/hadoop-common/src/test/resources/kdc/keytabs/dn1.keytab differ
diff --git a/hadoop-common-project/hadoop-common/src/test/resources/kdc/keytabs/nn1.keytab b/hadoop-common-project/hadoop-common/src/test/resources/kdc/keytabs/nn1.keytab
new file mode 100644
index 0000000000..40f418f1b6
Binary files /dev/null and b/hadoop-common-project/hadoop-common/src/test/resources/kdc/keytabs/nn1.keytab differ
diff --git a/hadoop-common-project/hadoop-common/src/test/resources/kdc/keytabs/user1.keytab b/hadoop-common-project/hadoop-common/src/test/resources/kdc/keytabs/user1.keytab
new file mode 100644
index 0000000000..b8994eca21
Binary files /dev/null and b/hadoop-common-project/hadoop-common/src/test/resources/kdc/keytabs/user1.keytab differ
diff --git a/hadoop-common-project/hadoop-common/src/test/resources/kdc/killKdc.sh b/hadoop-common-project/hadoop-common/src/test/resources/kdc/killKdc.sh
new file mode 100644
index 0000000000..f5561d4b78
--- /dev/null
+++ b/hadoop-common-project/hadoop-common/src/test/resources/kdc/killKdc.sh
@@ -0,0 +1,3 @@
+#!/bin/sh
+ps -ef | grep apacheds | grep -v grep | cut -f4 -d ' ' |xargs kill -9
+
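Review bot: The pipeline picks the PID with `cut -f4 -d ' '`, which depends on how many padding spaces `ps -ef` prints before the PID column, so it can yield an empty field or the wrong column on some platforms. It also matches every process whose command line contains `apacheds`, not only the KDC this build started. Selecting the column by whitespace-separated field is sturdier, e.g. `ps -ef | grep '[a]pacheds' | awk '{print $2}' | xargs kill`, and recording the PID when the KDC is launched would avoid touching unrelated ApacheDS instances on a shared build host. `kill -9` gives the server no chance to shut down cleanly, so a plain `kill` first is preferable. When nothing matches, `xargs` may still invoke `kill` with no arguments and return an error.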
diff --git a/hadoop-common-project/hadoop-common/src/test/resources/kdc/ldif/users.ldif b/hadoop-common-project/hadoop-common/src/test/resources/kdc/ldif/users.ldif
new file mode 100644
index 0000000000..a3d2704949
--- /dev/null
+++ b/hadoop-common-project/hadoop-common/src/test/resources/kdc/ldif/users.ldif
@@ -0,0 +1,78 @@
+dn: dc=example,dc=com
+objectClass: dcObject
+objectClass: organization
+objectClass: top
+dc: example
+o: example.com
+
+dn: ou=Users,dc=example,dc=com
+objectClass: organizationalUnit
+objectClass: top
+ou: Users
+
+dn: uid=user1,ou=Users,dc=example,dc=com
+objectClass: top
+objectClass: person
+objectClass: inetOrgPerson
+objectClass: krb5principal
+objectClass: krb5kdcentry
+cn: user1 Service
+sn: Service
+uid: user1
+userPassword: secret
+krb5PrincipalName: user1@EXAMPLE.COM
+krb5KeyVersionNumber: 0
+
+dn: uid=krbtgt,ou=Users,dc=example,dc=com
+objectClass: top
+objectClass: person
+objectClass: inetOrgPerson
+objectClass: krb5principal
+objectClass: krb5kdcentry
+cn: KDC Service
+sn: Service
+uid: krbtgt
+userPassword: secret
+krb5PrincipalName: krbtgt/EXAMPLE.COM@EXAMPLE.COM
+krb5KeyVersionNumber: 0
+
+dn: uid=ldap,ou=Users,dc=example,dc=com
+objectClass: top
+objectClass: person
+objectClass: inetOrgPerson
+objectClass: krb5principal
+objectClass: krb5kdcentry
+cn: LDAP
+sn: Service
+uid: ldap
+userPassword: randall
+krb5PrincipalName: ldap/localhost@EXAMPLE.COM
+krb5KeyVersionNumber: 0
+
+dn: uid=nn1,ou=Users,dc=example,dc=com
+objectClass: top
+objectClass: person
+objectClass: inetOrgPerson
+objectClass: krb5principal
+objectClass: krb5kdcentry
+cn: NameNode Service
+sn: Service
+uid: nn1
+userPassword: secret
+krb5PrincipalName: nn1/localhost@EXAMPLE.COM
+krb5KeyVersionNumber: 0
+
+dn: uid=dn1,ou=Users,dc=example,dc=com
+objectClass: top
+objectClass: person
+objectClass: inetOrgPerson
+objectClass: krb5principal
+objectClass: krb5kdcentry
+cn: DataNode Service
+sn: Service
+uid: dn1
+userPassword: secret
+krb5PrincipalName: dn1/localhost@EXAMPLE.COM
+krb5KeyVersionNumber: 0
+
+
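Review bot: users.ldif has no header saying that these entries, with their clear-text `userPassword` values and the keytabs added alongside under `kdc/keytabs/`, are throwaway fixtures for the test KDC in the `EXAMPLE.COM` realm. A leading comment such as `# Test-only principals for the unit-test KDC; these passwords and keytabs are public and must never be reused outside the test suite.` would make that explicit for anyone who copies the file as a template. The `ldap` entry uses a different password from the other principals; if that is not deliberate, making it consistent would be less surprising.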
diff --git a/hadoop-common-project/hadoop-common/src/test/resources/kdc/server.xml b/hadoop-common-project/hadoop-common/src/test/resources/kdc/server.xml
new file mode 100644
index 0000000000..bb8c52a997
--- /dev/null
+++ b/hadoop-common-project/hadoop-common/src/test/resources/kdc/server.xml
@@ -0,0 +1,258 @@
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ #directoryService
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ #directoryService
+
+
+
+
+
+
+
+
+
+
+
+
+
+ example.com
+ apache.org
+
+
+
+
+
+
+
+
+
+
+
+
+
+ #ldapServer
+
+
+
+
+
diff --git a/hadoop-common-project/hadoop-common/src/test/resources/krb5.conf b/hadoop-common-project/hadoop-common/src/test/resources/krb5.conf
index 121ac6d9b9..3182436d48 100644
--- a/hadoop-common-project/hadoop-common/src/test/resources/krb5.conf
+++ b/hadoop-common-project/hadoop-common/src/test/resources/krb5.conf
@@ -14,15 +14,23 @@
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
-#
+#
+
[libdefaults]
- default_realm = APACHE.ORG
- udp_preference_limit = 1
- extra_addresses = 127.0.0.1
+ default_realm = EXAMPLE.COM
+ allow_weak_crypto = true
+ default_tkt_enctypes = des-cbc-md5 des-cbc-crc des3-cbc-sha1
+ default_tgs_enctypes = des-cbc-md5 des-cbc-crc des3-cbc-sha1
+
[realms]
- APACHE.ORG = {
- admin_server = localhost:88
- kdc = localhost:88
- }
+ EXAMPLE.COM = {
+ kdc = localhost:60088
+ }
+
[domain_realm]
- localhost = APACHE.ORG
+ .example.com = EXAMPLE.COM
+ example.com = EXAMPLE.COM
+[login]
+ krb4_convert = true
+ krb4_get_tickets = false
+
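Review bot: The new `[libdefaults]` section sets `allow_weak_crypto = true` and restricts the ticket enctypes to single-DES and 3DES, with nothing explaining why. Because this is the shared `src/test/resources/krb5.conf`, the setting presumably applies to every test that reads the file, not only the KDC-backed ones. A comment above those lines, e.g. `# Weak enctypes are enabled only for the local test KDC; do not copy these settings into a deployment krb5.conf.`, would record the reason. If the test KDC supports an AES enctype, listing it first would keep the tests closer to what a secured cluster negotiates; that depends on the server configuration, which is not readable on this page.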