/core/src/test/scala/org/apache/spark/SecurityManagerSuite.scala

https://github.com/lukovnikov/spark · Scala · 178 lines · 131 code · 29 blank · 18 comment · 0 complexity · b82164e2096d32947e0cc92a4fd489bb MD5 · raw file 

    

  1. /*
    2. 

  2.  * Licensed to the Apache Software Foundation (ASF) under one or more
    3. 

  3.  * contributor license agreements.  See the NOTICE file distributed with
    4. 

  4.  * this work for additional information regarding copyright ownership.
    5. 

  5.  * The ASF licenses this file to You under the Apache License, Version 2.0
    6. 

  6.  * (the "License"); you may not use this file except in compliance with
    7. 

  7.  * the License.  You may obtain a copy of the License at
    8. 

  8.  *
    9. 

  9.  *    http://www.apache.org/licenses/LICENSE-2.0
    10. 

  10.  *
    11. 

  11.  * Unless required by applicable law or agreed to in writing, software
    12. 

  12.  * distributed under the License is distributed on an "AS IS" BASIS,
    13. 

  13.  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    14. 

  14.  * See the License for the specific language governing permissions and
    15. 

  15.  * limitations under the License.
    16. 

  16.  */
    17. 

  17. 

  18. package org.apache.spark
    19. 

  19. 

  20. import java.io.File
    21. 

  21. 

  22. import org.scalatest.FunSuite
    23. 

  23. 

  24. class SecurityManagerSuite extends FunSuite {
    25. 

  25. 

  26.   test("set security with conf") {
    27. 

  27.     val conf = new SparkConf
    28. 

  28.     conf.set("spark.authenticate", "true")
    29. 

  29.     conf.set("spark.authenticate.secret", "good")
    30. 

  30.     conf.set("spark.ui.acls.enable", "true")
    31. 

  31.     conf.set("spark.ui.view.acls", "user1,user2")
    32. 

  32.     val securityManager = new SecurityManager(conf);
    33. 

  33.     assert(securityManager.isAuthenticationEnabled() === true)
    34. 

  34.     assert(securityManager.aclsEnabled() === true)
    35. 

  35.     assert(securityManager.checkUIViewPermissions("user1") === true)
    36. 

  36.     assert(securityManager.checkUIViewPermissions("user2") === true)
    37. 

  37.     assert(securityManager.checkUIViewPermissions("user3") === false)
    38. 

  38.   }
    39. 

  39. 

  40.   test("set security with api") {
    41. 

  41.     val conf = new SparkConf
    42. 

  42.     conf.set("spark.ui.view.acls", "user1,user2")
    43. 

  43.     val securityManager = new SecurityManager(conf);
    44. 

  44.     securityManager.setAcls(true)
    45. 

  45.     assert(securityManager.aclsEnabled() === true)
    46. 

  46.     securityManager.setAcls(false)
    47. 

  47.     assert(securityManager.aclsEnabled() === false)
    48. 

  48. 

  49.     // acls are off so doesn't matter what view acls set to
    50. 

  50.     assert(securityManager.checkUIViewPermissions("user4") === true)
    51. 

  51. 

  52.     securityManager.setAcls(true)
    53. 

  53.     assert(securityManager.aclsEnabled() === true)
    54. 

  54.     securityManager.setViewAcls(Set[String]("user5"), "user6,user7")
    55. 

  55.     assert(securityManager.checkUIViewPermissions("user1") === false)
    56. 

  56.     assert(securityManager.checkUIViewPermissions("user5") === true)
    57. 

  57.     assert(securityManager.checkUIViewPermissions("user6") === true)
    58. 

  58.     assert(securityManager.checkUIViewPermissions("user7") === true)
    59. 

  59.     assert(securityManager.checkUIViewPermissions("user8") === false)
    60. 

  60.     assert(securityManager.checkUIViewPermissions(null) === true)
    61. 

  61.   }
    62. 

  62. 

  63.   test("set security modify acls") {
    64. 

  64.     val conf = new SparkConf
    65. 

  65.     conf.set("spark.modify.acls", "user1,user2")
    66. 

  66. 

  67.     val securityManager = new SecurityManager(conf);
    68. 

  68.     securityManager.setAcls(true)
    69. 

  69.     assert(securityManager.aclsEnabled() === true)
    70. 

  70.     securityManager.setAcls(false)
    71. 

  71.     assert(securityManager.aclsEnabled() === false)
    72. 

  72. 

  73.     // acls are off so doesn't matter what view acls set to
    74. 

  74.     assert(securityManager.checkModifyPermissions("user4") === true)
    75. 

  75. 

  76.     securityManager.setAcls(true)
    77. 

  77.     assert(securityManager.aclsEnabled() === true)
    78. 

  78.     securityManager.setModifyAcls(Set("user5"), "user6,user7")
    79. 

  79.     assert(securityManager.checkModifyPermissions("user1") === false)
    80. 

  80.     assert(securityManager.checkModifyPermissions("user5") === true)
    81. 

  81.     assert(securityManager.checkModifyPermissions("user6") === true)
    82. 

  82.     assert(securityManager.checkModifyPermissions("user7") === true)
    83. 

  83.     assert(securityManager.checkModifyPermissions("user8") === false)
    84. 

  84.     assert(securityManager.checkModifyPermissions(null) === true)
    85. 

  85.   }
    86. 

  86. 

  87.   test("set security admin acls") {
    88. 

  88.     val conf = new SparkConf
    89. 

  89.     conf.set("spark.admin.acls", "user1,user2")
    90. 

  90.     conf.set("spark.ui.view.acls", "user3")
    91. 

  91.     conf.set("spark.modify.acls", "user4")
    92. 

  92. 

  93.     val securityManager = new SecurityManager(conf);
    94. 

  94.     securityManager.setAcls(true)
    95. 

  95.     assert(securityManager.aclsEnabled() === true)
    96. 

  96. 

  97.     assert(securityManager.checkModifyPermissions("user1") === true)
    98. 

  98.     assert(securityManager.checkModifyPermissions("user2") === true)
    99. 

  99.     assert(securityManager.checkModifyPermissions("user4") === true)
    100. 

  100.     assert(securityManager.checkModifyPermissions("user3") === false)
    101. 

  101.     assert(securityManager.checkModifyPermissions("user5") === false)
    102. 

  102.     assert(securityManager.checkModifyPermissions(null) === true)
    103. 

  103.     assert(securityManager.checkUIViewPermissions("user1") === true)
    104. 

  104.     assert(securityManager.checkUIViewPermissions("user2") === true)
    105. 

  105.     assert(securityManager.checkUIViewPermissions("user3") === true)
    106. 

  106.     assert(securityManager.checkUIViewPermissions("user4") === false)
    107. 

  107.     assert(securityManager.checkUIViewPermissions("user5") === false)
    108. 

  108.     assert(securityManager.checkUIViewPermissions(null) === true)
    109. 

  109. 

  110.     securityManager.setAdminAcls("user6")
    111. 

  111.     securityManager.setViewAcls(Set[String]("user8"), "user9")
    112. 

  112.     securityManager.setModifyAcls(Set("user11"), "user9")
    113. 

  113.     assert(securityManager.checkModifyPermissions("user6") === true)
    114. 

  114.     assert(securityManager.checkModifyPermissions("user11") === true)
    115. 

  115.     assert(securityManager.checkModifyPermissions("user9") === true)
    116. 

  116.     assert(securityManager.checkModifyPermissions("user1") === false)
    117. 

  117.     assert(securityManager.checkModifyPermissions("user4") === false)
    118. 

  118.     assert(securityManager.checkModifyPermissions(null) === true)
    119. 

  119.     assert(securityManager.checkUIViewPermissions("user6") === true)
    120. 

  120.     assert(securityManager.checkUIViewPermissions("user8") === true)
    121. 

  121.     assert(securityManager.checkUIViewPermissions("user9") === true)
    122. 

  122.     assert(securityManager.checkUIViewPermissions("user1") === false)
    123. 

  123.     assert(securityManager.checkUIViewPermissions("user3") === false)
    124. 

  124.     assert(securityManager.checkUIViewPermissions(null) === true)
    125. 

  125. 

  126.   }
    127. 

  127. 

  128.   test("ssl on setup") {
    129. 

  129.     val conf = SSLSampleConfigs.sparkSSLConfig()
    130. 

  130. 

  131.     val securityManager = new SecurityManager(conf)
    132. 

  132. 

  133.     assert(securityManager.fileServerSSLOptions.enabled === true)
    134. 

  134.     assert(securityManager.akkaSSLOptions.enabled === true)
    135. 

  135. 

  136.     assert(securityManager.sslSocketFactory.isDefined === true)
    137. 

  137.     assert(securityManager.hostnameVerifier.isDefined === true)
    138. 

  138. 

  139.     assert(securityManager.fileServerSSLOptions.trustStore.isDefined === true)
    140. 

  140.     assert(securityManager.fileServerSSLOptions.trustStore.get.getName === "truststore")
    141. 

  141.     assert(securityManager.fileServerSSLOptions.keyStore.isDefined === true)
    142. 

  142.     assert(securityManager.fileServerSSLOptions.keyStore.get.getName === "keystore")
    143. 

  143.     assert(securityManager.fileServerSSLOptions.trustStorePassword === Some("password"))
    144. 

  144.     assert(securityManager.fileServerSSLOptions.keyStorePassword === Some("password"))
    145. 

  145.     assert(securityManager.fileServerSSLOptions.keyPassword === Some("password"))
    146. 

  146.     assert(securityManager.fileServerSSLOptions.protocol === Some("TLSv1"))
    147. 

  147.     assert(securityManager.fileServerSSLOptions.enabledAlgorithms ===
    148. 

  148.         Set("TLS_RSA_WITH_AES_128_CBC_SHA", "SSL_RSA_WITH_DES_CBC_SHA"))
    149. 

  149. 

  150.     assert(securityManager.akkaSSLOptions.trustStore.isDefined === true)
    151. 

  151.     assert(securityManager.akkaSSLOptions.trustStore.get.getName === "truststore")
    152. 

  152.     assert(securityManager.akkaSSLOptions.keyStore.isDefined === true)
    153. 

  153.     assert(securityManager.akkaSSLOptions.keyStore.get.getName === "keystore")
    154. 

  154.     assert(securityManager.akkaSSLOptions.trustStorePassword === Some("password"))
    155. 

  155.     assert(securityManager.akkaSSLOptions.keyStorePassword === Some("password"))
    156. 

  156.     assert(securityManager.akkaSSLOptions.keyPassword === Some("password"))
    157. 

  157.     assert(securityManager.akkaSSLOptions.protocol === Some("TLSv1"))
    158. 

  158.     assert(securityManager.akkaSSLOptions.enabledAlgorithms ===
    159. 

  159.         Set("TLS_RSA_WITH_AES_128_CBC_SHA", "SSL_RSA_WITH_DES_CBC_SHA"))
    160. 

  160.   }
    161. 

  161. 

  162.   test("ssl off setup") {
    163. 

  163.     val file = File.createTempFile("SSLOptionsSuite", "conf")
    164. 

  164.     file.deleteOnExit()
    165. 

  165. 

  166.     System.setProperty("spark.ssl.configFile", file.getAbsolutePath)
    167. 

  167.     val conf = new SparkConf()
    168. 

  168. 

  169.     val securityManager = new SecurityManager(conf)
    170. 

  170. 

  171.     assert(securityManager.fileServerSSLOptions.enabled === false)
    172. 

  172.     assert(securityManager.akkaSSLOptions.enabled === false)
    173. 

  173.     assert(securityManager.sslSocketFactory.isDefined === false)
    174. 

  174.     assert(securityManager.hostnameVerifier.isDefined === false)
    175. 

  175.   }
    176. 

  176. 

  177. }
    178.