Diffstat (limited to 'core/src/test/scala/org/apache/spark/SecurityManagerSuite.scala')
-rw-r--r--core/src/test/scala/org/apache/spark/SecurityManagerSuite.scala198
1 files changed, 198 insertions, 0 deletions
diff --git a/core/src/test/scala/org/apache/spark/SecurityManagerSuite.scala b/core/src/test/scala/org/apache/spark/SecurityManagerSuite.scala
index 8bdb237c28..9801b2638c 100644
--- a/core/src/test/scala/org/apache/spark/SecurityManagerSuite.scala
+++ b/core/src/test/scala/org/apache/spark/SecurityManagerSuite.scala
@@ -19,8 +19,18 @@ package org.apache.spark
import java.io.File
+import org.apache.spark.security.GroupMappingServiceProvider
import org.apache.spark.util.{ResetSystemProperties, SparkConfWithEnv, Utils}
+class DummyGroupMappingServiceProvider extends GroupMappingServiceProvider {
+
+ val userGroups: Set[String] = Set[String]("group1", "group2", "group3")
+
+ override def getGroups(username: String): Set[String] = {
+ userGroups
+ }
+}
+
class SecurityManagerSuite extends SparkFunSuite with ResetSystemProperties {
test("set security with conf") {
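Review bot: `DummyGroupMappingServiceProvider.getGroups` ignores `username` and returns the same three groups for every caller, so the `user1`/`user2` assertion pairs in the later hunks exercise one path twice. No test in this suite can then catch an ACL check that hands the wrong user to the provider, or one that grants access to a user outside the configured groups. Either state the limitation on the class, e.g. `/** Test-only provider: every user is a member of group1, group2 and group3. */`, or map distinct users to distinct groups so at least one case has one user allowed and another denied under the same ACL.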
@@ -37,6 +47,45 @@ class SecurityManagerSuite extends SparkFunSuite with ResetSystemProperties {
assert(securityManager.checkUIViewPermissions("user3") === false)
}
+ test("set security with conf for groups") {
+ val conf = new SparkConf
+ conf.set("spark.authenticate", "true")
+ conf.set("spark.authenticate.secret", "good")
+ conf.set("spark.ui.acls.enable", "true")
+ conf.set("spark.ui.view.acls.groups", "group1,group2")
+ // default ShellBasedGroupsMappingProvider is used to resolve user groups
+ val securityManager = new SecurityManager(conf);
+ // assuming executing user does not belong to group1,group2
+ assert(securityManager.checkUIViewPermissions("user1") === false)
+ assert(securityManager.checkUIViewPermissions("user2") === false)
+
+ val conf2 = new SparkConf
+ conf2.set("spark.authenticate", "true")
+ conf2.set("spark.authenticate.secret", "good")
+ conf2.set("spark.ui.acls.enable", "true")
+ conf2.set("spark.ui.view.acls.groups", "group1,group2")
+ // explicitly specify a custom GroupsMappingServiceProvider
+ conf2.set("spark.user.groups.mapping", "org.apache.spark.DummyGroupMappingServiceProvider")
+
+ val securityManager2 = new SecurityManager(conf2);
+ // group4,group5 do not match
+ assert(securityManager2.checkUIViewPermissions("user1") === true)
+ assert(securityManager2.checkUIViewPermissions("user2") === true)
+
+ val conf3 = new SparkConf
+ conf3.set("spark.authenticate", "true")
+ conf3.set("spark.authenticate.secret", "good")
+ conf3.set("spark.ui.acls.enable", "true")
+ conf3.set("spark.ui.view.acls.groups", "group4,group5")
+ // explicitly specify a bogus GroupsMappingServiceProvider
+ conf3.set("spark.user.groups.mapping", "BogusServiceProvider")
+
+ val securityManager3 = new SecurityManager(conf3);
+ // BogusServiceProvider cannot be loaded and an error is logged returning an empty group set
+ assert(securityManager3.checkUIViewPermissions("user1") === false)
+ assert(securityManager3.checkUIViewPermissions("user2") === false)
+ }
+
test("set security with api") {
val conf = new SparkConf
conf.set("spark.ui.view.acls", "user1,user2")
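Review bot: The first block of `set security with conf for groups` relies on the default provider, so its `=== false` results depend on the build host's group database. The comment also speaks of the "executing user" while the lookup is for `user1`/`user2`. The same applies to `set security with * in acls for groups` and `security for groups default behavior` in the last hunk, neither of which sets `spark.user.groups.mapping`. Where the default provider is not the thing under test, pinning the mapping with `conf.set("spark.user.groups.mapping", "org.apache.spark.DummyGroupMappingServiceProvider")` would make the outcome deterministic. Separately, the comment `// group4,group5 do not match` above the `securityManager2` assertions contradicts them (they expect `true` for `group1,group2`), and should read `// group1,group2 match`. `conf3` would also isolate the failed-provider path better with `group1,group2`, since `group4,group5` would be denied even by a working provider.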
@@ -60,6 +109,40 @@ class SecurityManagerSuite extends SparkFunSuite with ResetSystemProperties {
assert(securityManager.checkUIViewPermissions(null) === true)
}
+ test("set security with api for groups") {
+ val conf = new SparkConf
+ conf.set("spark.user.groups.mapping", "org.apache.spark.DummyGroupMappingServiceProvider")
+
+ val securityManager = new SecurityManager(conf);
+ securityManager.setAcls(true)
+ securityManager.setViewAclsGroups("group1,group2")
+
+ // group1,group2 match
+ assert(securityManager.checkUIViewPermissions("user1") === true)
+ assert(securityManager.checkUIViewPermissions("user2") === true)
+
+ // change groups so they do not match
+ securityManager.setViewAclsGroups("group4,group5")
+ assert(securityManager.checkUIViewPermissions("user1") === false)
+ assert(securityManager.checkUIViewPermissions("user2") === false)
+
+ val conf2 = new SparkConf
+ conf.set("spark.user.groups.mapping", "BogusServiceProvider")
+
+ val securityManager2 = new SecurityManager(conf2)
+ securityManager2.setAcls(true)
+ securityManager2.setViewAclsGroups("group1,group2")
+
+ // group1,group2 do not match because of BogusServiceProvider
+ assert(securityManager.checkUIViewPermissions("user1") === false)
+ assert(securityManager.checkUIViewPermissions("user2") === false)
+
+ // setting viewAclsGroups to empty should still not match because of BogusServiceProvider
+ securityManager2.setViewAclsGroups("")
+ assert(securityManager.checkUIViewPermissions("user1") === false)
+ assert(securityManager.checkUIViewPermissions("user2") === false)
+ }
+
test("set security modify acls") {
val conf = new SparkConf
conf.set("spark.modify.acls", "user1,user2")
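Review bot: The bogus-provider half of `set security with api for groups` never tests the bogus provider. The second `set` call is made on `conf` instead of `conf2`, so `securityManager2` is built from an empty configuration, and all four trailing assertions call `securityManager` rather than `securityManager2`. They pass only because `securityManager` was left with `group4,group5` a few lines earlier, so the test gives false assurance that a provider which fails to load results in denial. The fix is to set the mapping on `conf2` and assert on `securityManager2`, as below. The expected values should be re-checked once the assertions reach the intended object.

```scala
val conf2 = new SparkConf
conf2.set("spark.user.groups.mapping", "BogusServiceProvider")
// … unchanged: securityManager2 construction, setAcls(true), setViewAclsGroups("group1,group2") …
assert(securityManager2.checkUIViewPermissions("user1") === false)
assert(securityManager2.checkUIViewPermissions("user2") === false)
// … unchanged: securityManager2.setViewAclsGroups("") …
assert(securityManager2.checkUIViewPermissions("user1") === false)
assert(securityManager2.checkUIViewPermissions("user2") === false)
```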
@@ -84,6 +167,29 @@ class SecurityManagerSuite extends SparkFunSuite with ResetSystemProperties {
assert(securityManager.checkModifyPermissions(null) === true)
}
+ test("set security modify acls for groups") {
+ val conf = new SparkConf
+ conf.set("spark.user.groups.mapping", "org.apache.spark.DummyGroupMappingServiceProvider")
+
+ val securityManager = new SecurityManager(conf);
+ securityManager.setAcls(true)
+ securityManager.setModifyAclsGroups("group1,group2")
+
+ // group1,group2 match
+ assert(securityManager.checkModifyPermissions("user1") === true)
+ assert(securityManager.checkModifyPermissions("user2") === true)
+
+ // change groups so they do not match
+ securityManager.setModifyAclsGroups("group4,group5")
+ assert(securityManager.checkModifyPermissions("user1") === false)
+ assert(securityManager.checkModifyPermissions("user2") === false)
+
+ // change so they match again
+ securityManager.setModifyAclsGroups("group2,group3")
+ assert(securityManager.checkModifyPermissions("user1") === true)
+ assert(securityManager.checkModifyPermissions("user2") === true)
+ }
+
test("set security admin acls") {
val conf = new SparkConf
conf.set("spark.admin.acls", "user1,user2")
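Review bot: `set security modify acls for groups` drops the null-user case that the user-ACL test directly above ends with (`checkModifyPermissions(null) === true`). Nothing therefore pins whether a null user is short-circuited or passed to `getGroups` once modify groups are configured. Adding `assert(securityManager.checkModifyPermissions(null) === true)` after the last `setModifyAclsGroups` call would cover it, assuming the null shortcut is meant to hold for group ACLs as well. The same gap exists in the view-permission group tests in the earlier hunks.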
@@ -122,7 +228,48 @@ class SecurityManagerSuite extends SparkFunSuite with ResetSystemProperties {
assert(securityManager.checkUIViewPermissions("user1") === false)
assert(securityManager.checkUIViewPermissions("user3") === false)
assert(securityManager.checkUIViewPermissions(null) === true)
+ }
+
+ test("set security admin acls for groups") {
+ val conf = new SparkConf
+ conf.set("spark.admin.acls.groups", "group1")
+ conf.set("spark.ui.view.acls.groups", "group2")
+ conf.set("spark.modify.acls.groups", "group3")
+ conf.set("spark.user.groups.mapping", "org.apache.spark.DummyGroupMappingServiceProvider")
+
+ val securityManager = new SecurityManager(conf);
+ securityManager.setAcls(true)
+ assert(securityManager.aclsEnabled() === true)
+
+ // group1,group2,group3 match
+ assert(securityManager.checkModifyPermissions("user1") === true)
+ assert(securityManager.checkUIViewPermissions("user1") === true)
+ // change admin groups so they do not match. view and modify groups are set to admin groups
+ securityManager.setAdminAclsGroups("group4,group5")
+ // invoke the set ui and modify to propagate the changes
+ securityManager.setViewAclsGroups("")
+ securityManager.setModifyAclsGroups("")
+
+ assert(securityManager.checkModifyPermissions("user1") === false)
+ assert(securityManager.checkUIViewPermissions("user1") === false)
+
+ // change modify groups so they match
+ securityManager.setModifyAclsGroups("group3")
+ assert(securityManager.checkModifyPermissions("user1") === true)
+ assert(securityManager.checkUIViewPermissions("user1") === false)
+
+ // change view groups so they match
+ securityManager.setViewAclsGroups("group2")
+ securityManager.setModifyAclsGroups("group4")
+ assert(securityManager.checkModifyPermissions("user1") === false)
+ assert(securityManager.checkUIViewPermissions("user1") === true)
+
+ // change modify and view groups so they do not match
+ securityManager.setViewAclsGroups("group7")
+ securityManager.setModifyAclsGroups("group8")
+ assert(securityManager.checkModifyPermissions("user1") === false)
+ assert(securityManager.checkUIViewPermissions("user1") === false)
}
test("set security with * in acls") {
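Review bot: In `set security admin acls for groups`, the comments after `setAdminAclsGroups("group4,group5")` indicate that a change to the admin groups only takes effect once `setViewAclsGroups` and `setModifyAclsGroups` are called again. The test works around this instead of asserting it. If that reading is right, a removed admin group stays effective until the other setters run, which is easy for a caller to miss. A case that starts with non-matching view and modify groups, changes only the admin groups from `group1` to `group4`, and asserts the result without re-invoking the other setters would document the behaviour or expose the stale grant. `SecurityManager` itself is outside this diff, so the propagation logic is inferred from the test comments only.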
@@ -166,6 +313,57 @@ class SecurityManagerSuite extends SparkFunSuite with ResetSystemProperties {
assert(securityManager.checkModifyPermissions("user8") === true)
}
+ test("set security with * in acls for groups") {
+ val conf = new SparkConf
+ conf.set("spark.ui.acls.enable", "true")
+ conf.set("spark.admin.acls.groups", "group4,group5")
+ conf.set("spark.ui.view.acls.groups", "*")
+ conf.set("spark.modify.acls.groups", "group6")
+
+ val securityManager = new SecurityManager(conf)
+ assert(securityManager.aclsEnabled() === true)
+
+ // check for viewAclsGroups with *
+ assert(securityManager.checkUIViewPermissions("user1") === true)
+ assert(securityManager.checkUIViewPermissions("user2") === true)
+ assert(securityManager.checkModifyPermissions("user1") === false)
+ assert(securityManager.checkModifyPermissions("user2") === false)
+
+ // check for modifyAcls with *
+ securityManager.setModifyAclsGroups("*")
+ securityManager.setViewAclsGroups("group6")
+ assert(securityManager.checkUIViewPermissions("user1") === false)
+ assert(securityManager.checkUIViewPermissions("user2") === false)
+ assert(securityManager.checkModifyPermissions("user1") === true)
+ assert(securityManager.checkModifyPermissions("user2") === true)
+
+ // check for adminAcls with *
+ securityManager.setAdminAclsGroups("group9,*")
+ securityManager.setModifyAclsGroups("group4,group5")
+ securityManager.setViewAclsGroups("group6,group7")
+ assert(securityManager.checkUIViewPermissions("user5") === true)
+ assert(securityManager.checkUIViewPermissions("user6") === true)
+ assert(securityManager.checkModifyPermissions("user7") === true)
+ assert(securityManager.checkModifyPermissions("user8") === true)
+ }
+
+ test("security for groups default behavior") {
+ // no groups or userToGroupsMapper provided
+ // this will default to the ShellBasedGroupsMappingProvider
+ val conf = new SparkConf
+
+ val securityManager = new SecurityManager(conf)
+ securityManager.setAcls(true)
+
+ assert(securityManager.checkUIViewPermissions("user1") === false)
+ assert(securityManager.checkModifyPermissions("user1") === false)
+
+ // set groups only
+ securityManager.setAdminAclsGroups("group1,group2")
+ assert(securityManager.checkUIViewPermissions("user1") === false)
+ assert(securityManager.checkModifyPermissions("user1") === false)
+ }
+
test("ssl on setup") {
val conf = SSLSampleConfigs.sparkSSLConfig()
val expectedAlgorithms = Set(
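Review bot: `set security with * in acls for groups` never combines the wildcard with a provider that fails to load, so it is not pinned whether `*` still grants access in that state. The earlier hunks assert that `BogusServiceProvider` leads to denial for named groups, but say nothing about the wildcard. A case with `conf.set("spark.user.groups.mapping", "BogusServiceProvider")` and `conf.set("spark.ui.view.acls.groups", "*")`, asserting the intended outcome, would make that decision explicit. The comment `// check for modifyAcls with *` would also be more accurate as `// check for modifyAclsGroups with *`, matching the wording used for the view case.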