Posted to commits@sentry.apache.org by ja...@apache.org on 2014/06/11 06:38:15 UTC
git commit: SENTRY-289: Kerberos based connection from HS2 and
Metastore to Sentry service fails
Repository: incubator-sentry
Updated Branches:
refs/heads/master 066b1c404 -> d37830c9a
SENTRY-289: Kerberos based connection from HS2 and Metastore to Sentry service fails
(Prasad Mujumdar via Jarek Jarcec Cecho)
Project: http://git-wip-us.apache.org/repos/asf/incubator-sentry/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-sentry/commit/d37830c9
Tree: http://git-wip-us.apache.org/repos/asf/incubator-sentry/tree/d37830c9
Diff: http://git-wip-us.apache.org/repos/asf/incubator-sentry/diff/d37830c9
Branch: refs/heads/master
Commit: d37830c9a9b5c8bd571b87e676eb38627b38a139
Parents: 066b1c4
Author: Jarek Jarcec Cecho <ja...@apache.org>
Authored: Tue Jun 10 21:37:25 2014 -0700
Committer: Jarek Jarcec Cecho <ja...@apache.org>
Committed: Tue Jun 10 21:37:25 2014 -0700
----------------------------------------------------------------------
.../binding/hive/HiveAuthzBindingHook.java | 2 +
.../thrift/SentryPolicyServiceClient.java | 64 ++++++++++++++++++--
.../service/thrift/KerberosConfiguration.java | 4 --
.../sentry/service/thrift/ServiceConstants.java | 1 +
.../thrift/SentryServiceIntegrationBase.java | 6 +-
5 files changed, 65 insertions(+), 12 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/d37830c9/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingHook.java
----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingHook.java b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingHook.java
index 6c507b8..042fb00 100644
--- a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingHook.java
+++ b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingHook.java
@@ -65,6 +65,7 @@ import org.apache.sentry.core.model.db.DBModelAuthorizable;
import org.apache.sentry.core.model.db.DBModelAuthorizable.AuthorizableType;
import org.apache.sentry.core.model.db.Database;
import org.apache.sentry.core.model.db.Table;
+import org.apache.sentry.service.thrift.ServiceConstants.ServerConfig;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
@@ -120,6 +121,7 @@ implements HiveDriverFilterHook {
+ " specifies a malformed URL '" + hiveAuthzConf + "'", e);
}
}
+ newAuthzConf.set(ServerConfig.SECURITY_USE_UGI_TRANSPORT, "true");
return newAuthzConf;
}
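Review bot: The property key written on the added `newAuthzConf.set(...)` line is the literal string "true", because the ServiceConstants hunk declares `public static final String SECURITY_USE_UGI_TRANSPORT = "true";`, so this line stores a property named `true` with value `true`, and the SentryPolicyServiceClient hunk reads the same literal back via `conf.get(ServerConfig.SECURITY_USE_UGI_TRANSPORT)`. It only works because both sides go through one constant; an operator has no sensible key to put in a site file, and any unrelated property that happens to be named `true` would silently toggle the transport. Give the constant a real key following the neighbouring naming, e.g. `public static final String SECURITY_USE_UGI_TRANSPORT = "sentry.service.security.use.ugi.transport";` (constructed name), and read it in the client as `boolean wrapUgi = conf.getBoolean(ServerConfig.SECURITY_USE_UGI_TRANSPORT, false);` instead of the `"true".equalsIgnoreCase(...)` comparison. The set here is also unconditional, so the hook always forces the UGI transport whatever the site configuration says; a comment such as `// HS2/Metastore already run under a logged-in UGI; hand that login context to the Sentry client transport` would record that intent. The enclosing method starts outside the hunk.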
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/d37830c9/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyServiceClient.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyServiceClient.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyServiceClient.java
index c41f8b9..afbedb3 100644
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyServiceClient.java
+++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyServiceClient.java
@@ -18,18 +18,22 @@
package org.apache.sentry.provider.db.service.thrift;
-import com.google.common.base.Preconditions;
-import com.google.common.collect.Sets;
import java.io.IOException;
import java.net.InetSocketAddress;
+import java.security.PrivilegedExceptionAction;
import java.util.HashSet;
+import java.util.List;
+import java.util.Map;
import java.util.Set;
+import javax.security.auth.callback.CallbackHandler;
+
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.net.NetUtils;
import org.apache.hadoop.security.SaslRpcServer;
import org.apache.hadoop.security.SaslRpcServer.AuthMethod;
import org.apache.hadoop.security.SecurityUtil;
+import org.apache.hadoop.security.UserGroupInformation;
import org.apache.sentry.SentryUserException;
import org.apache.sentry.core.common.ActiveRoleSet;
import org.apache.sentry.core.common.Authorizable;
@@ -50,7 +54,8 @@ import org.apache.thrift.transport.TTransportException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
-import java.util.List;
+import com.google.common.base.Preconditions;
+import com.google.common.collect.Sets;
public class SentryPolicyServiceClient {
@@ -65,6 +70,51 @@ public class SentryPolicyServiceClient {
.getLogger(SentryPolicyServiceClient.class);
private static final String THRIFT_EXCEPTION_MESSAGE = "Thrift exception occured ";
+ /**
+ * This transport wraps the Sasl transports to set up the right UGI context for open().
+ */
+ public static class UgiSaslClientTransport extends TSaslClientTransport {
+ protected UserGroupInformation ugi = null;
+
+ public UgiSaslClientTransport(String mechanism, String authorizationId,
+ String protocol, String serverName, Map<String, String> props,
+ CallbackHandler cbh, TTransport transport, boolean wrapUgi)
+ throws IOException {
+ super(mechanism, authorizationId, protocol, serverName, props, cbh,
+ transport);
+ if (wrapUgi) {
+ ugi = UserGroupInformation.getCurrentUser();
+ }
+ }
+
+ // open the SASL transport with using the current UserGroupInformation
+ // This is needed to get the current login context stored
+ @Override
+ public void open() throws TTransportException {
+ if (ugi == null) {
+ baseOpen();
+ } else {
+ try {
+ ugi.doAs(new PrivilegedExceptionAction<Void>() {
+ public Void run() throws TTransportException {
+ baseOpen();
+ return null;
+ }
+ });
+ } catch (IOException e) {
+ throw new TTransportException("Failed to open SASL transport", e);
+ } catch (InterruptedException e) {
+ throw new TTransportException(
+ "Interrupted while opening underlying transport", e);
+ }
+ }
+ }
+
+ private void baseOpen() throws TTransportException {
+ super.open();
+ }
+ }
+
public SentryPolicyServiceClient(Configuration conf) throws IOException {
this.conf = conf;
Preconditions.checkNotNull(this.conf, "Configuration object cannot be null");
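Review bot: A TTransportException thrown by `baseOpen()` inside the `ugi.doAs(...)` action will not reach the `catch (IOException e)` or `catch (InterruptedException e)` clauses of the new `open()`: in the Hadoop versions I know, `UserGroupInformation.doAs` rethrows only IOException, InterruptedException, RuntimeException and Error causes and wraps any other checked cause in an unchecked `java.lang.reflect.UndeclaredThrowableException`, so a caller catching TTransportException around `open()` would miss the SASL/GSS failure and see an undeclared-throwable instead (treat this as inferred from Hadoop, not from the hunk). Catching that wrapper and restoring the original exception type, as below, keeps the declared contract; the InterruptedException branch should also re-set the interrupt flag, which the added code drops, and the new import of `UndeclaredThrowableException` is needed. Smaller points: `ugi` can be `private final` and assigned from the constructor with a conditional rather than a mutable `protected` field, and the anonymous `run()` lacks `@Override`. The constructor also deserves a Javadoc stating that `wrapUgi` snapshots `UserGroupInformation.getCurrentUser()` at construction time, so the transport authenticates as whoever was logged in when the client was built, not when `open()` is called; the enclosing class continues outside the hunk.
```java
    // … unchanged: constructor …
    @Override
    public void open() throws TTransportException {
      if (ugi == null) {
        baseOpen();
        return;
      }
      try {
        ugi.doAs(new PrivilegedExceptionAction<Void>() {
          @Override
          public Void run() throws TTransportException {
            baseOpen();
            return null;
          }
        });
      } catch (UndeclaredThrowableException e) {
        // UGI.doAs passes through only IOException/InterruptedException/RuntimeException/Error;
        // any other checked cause (our TTransportException) arrives wrapped here
        if (e.getCause() instanceof TTransportException) {
          throw (TTransportException) e.getCause();
        }
        throw new TTransportException("Failed to open SASL transport", e);
      } catch (IOException e) {
        throw new TTransportException("Failed to open SASL transport", e);
      } catch (InterruptedException e) {
        Thread.currentThread().interrupt(); // preserve the interrupt for the caller
        throw new TTransportException(
            "Interrupted while opening underlying transport", e);
      }
    }
    // … unchanged: baseOpen() …
```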
@@ -88,9 +138,11 @@ public class SentryPolicyServiceClient {
serverPrincipalParts = SaslRpcServer.splitKerberosName(serverPrincipal);
Preconditions.checkArgument(serverPrincipalParts.length == 3,
"Kerberos principal should have 3 parts: " + serverPrincipal);
- transport = new TSaslClientTransport(
- AuthMethod.KERBEROS.getMechanismName(), null, serverPrincipalParts[0],
- serverPrincipalParts[1], ClientConfig.SASL_PROPERTIES, null, transport);
+ boolean wrapUgi = "true".equalsIgnoreCase(conf
+ .get(ServerConfig.SECURITY_USE_UGI_TRANSPORT));
+ transport = new UgiSaslClientTransport(AuthMethod.KERBEROS.getMechanismName(),
+ null, serverPrincipalParts[0], serverPrincipalParts[1],
+ ClientConfig.SASL_PROPERTIES, null, transport, wrapUgi);
} else {
serverPrincipalParts = null;
}
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/d37830c9/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/KerberosConfiguration.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/KerberosConfiguration.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/KerberosConfiguration.java
index 203858e..41e4fe4 100644
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/KerberosConfiguration.java
+++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/KerberosConfiguration.java
@@ -24,10 +24,6 @@ import java.util.Map;
import javax.security.auth.login.AppConfigurationEntry;
public class KerberosConfiguration extends javax.security.auth.login.Configuration {
- static {
- System.setProperty("javax.security.auth.useSubjectCredsOnly", "false");
- }
-
private String principal;
private String keytab;
private boolean isInitiator;
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/d37830c9/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/ServiceConstants.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/ServiceConstants.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/ServiceConstants.java
index 4a2b900..ba6a712 100644
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/ServiceConstants.java
+++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/ServiceConstants.java
@@ -53,6 +53,7 @@ public class ServiceConstants {
public static final String SECURITY_MODE = "sentry.service.security.mode";
public static final String SECURITY_MODE_KERBEROS = "kerberos";
public static final String SECURITY_MODE_NONE = "none";
+ public static final String SECURITY_USE_UGI_TRANSPORT = "true";
public static final String ADMIN_GROUPS = "sentry.service.admin.group";
public static final String PRINCIPAL = "sentry.service.server.principal";
public static final String KEY_TAB = "sentry.service.server.keytab";
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/d37830c9/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/service/thrift/SentryServiceIntegrationBase.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/service/thrift/SentryServiceIntegrationBase.java b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/service/thrift/SentryServiceIntegrationBase.java
index 61bdfed..20265a4 100644
--- a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/service/thrift/SentryServiceIntegrationBase.java
+++ b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/service/thrift/SentryServiceIntegrationBase.java
@@ -60,7 +60,9 @@ public abstract class SentryServiceIntegrationBase extends KerberosSecurityTestc
protected static final String SERVER_PRINCIPAL = "sentry/" + SERVER_HOST;
protected static final String SERVER_KERBEROS_NAME = "sentry/" + SERVER_HOST + "@" + REALM;
protected static final String CLIENT_PRINCIPAL = "hive/" + SERVER_HOST;
- protected static final String CLIENT_KERBEROS_NAME = "hive/" + SERVER_HOST + "@" + REALM;
+ protected static final String CLIENT_KERBEROS_SHORT_NAME = "hive";
+ protected static final String CLIENT_KERBEROS_NAME = CLIENT_KERBEROS_SHORT_NAME
+ + "/" + SERVER_HOST + "@" + REALM;
protected static final String ADMIN_USER = "admin_user";
protected static final String ADMIN_GROUP = "admin_group";
@@ -109,7 +111,7 @@ public abstract class SentryServiceIntegrationBase extends KerberosSecurityTestc
kdc.createPrincipal(clientKeytab, CLIENT_PRINCIPAL);
conf.set(ServerConfig.PRINCIPAL, getServerKerberosName());
conf.set(ServerConfig.KEY_TAB, serverKeytab.getPath());
- conf.set(ServerConfig.ALLOW_CONNECT, CLIENT_KERBEROS_NAME);
+ conf.set(ServerConfig.ALLOW_CONNECT, CLIENT_KERBEROS_SHORT_NAME);
} else {
LOGGER.info("Stopped KDC");
conf.set(ServerConfig.SECURITY_MODE, ServerConfig.SECURITY_MODE_NONE);
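Review bot: The change from `CLIENT_KERBEROS_NAME` to `CLIENT_KERBEROS_SHORT_NAME` in `conf.set(ServerConfig.ALLOW_CONNECT, ...)` switches the allow-list from the full principal to the bare primary "hive" without saying why; presumably the UGI-backed transport now presents the client's short user name to the server's ALLOW_CONNECT check, but that is an inference, nothing in the hunk shows it. A one-line comment would stop the next reader from "fixing" it back, e.g. `// ALLOW_CONNECT is matched against the client's short (UGI) user name, not the full principal`. If the server really does match on the short name, the allow-list is coarser than before — any principal whose primary is `hive`, regardless of host or realm, would pass — and that deserves a sentence in the Javadoc of the ALLOW_CONNECT constant so deployers size their allow-list accordingly. The enclosing setup method starts and ends outside the hunk.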