You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@sentry.apache.org by Gregory Chanan <gc...@cloudera.com> on 2016/02/05 01:43:44 UTC

Review Request 43233: SENTRY-1052: Sentry shell should use kerberos requestor and give better error messages for kerberos failures

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/43233/
-----------------------------------------------------------

Review request for sentry, Colin Ma and Sravya Tirukkovalur.


Repository: sentry


Description
-------

Currently, the sentry shell uses the java "user.name" which gives some unexpected behavior if the user is logged in via kerberos (i.e. you get error messages about your OS user when connecting to a secure sentry service).  From my testing, just using the UserGroupInformation.getLoginUser() does the right thing -- if using kerberos, it gives you the kerberos user, otherwise the OS user.

In addition, the error messages around kerberos are sometimes missing. For example, for a GSS initiate failure, which happens if there is kerberos ticket, you get no error message returned because the top-level exception has no error message (it's an UndeclaredThrowableException or somethign). We should follow the exception causes until we find something reasonable to print.


Diffs
-----

  sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/SentryShellSolr.java b0d97cd361730a4eef234b1339b2303a9dc8af18 
  sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/SentryShellHive.java 80c8442f0f2da38ced0795ecf1e06406f8571a93 

Diff: https://reviews.apache.org/r/43233/diff/


Testing
-------

Ran the shell unit tests.


Thanks,

Gregory Chanan

Re: Review Request 43233: SENTRY-1052: Sentry shell should use kerberos requestor and give better error messages for kerberos failures

Posted by Hao Hao <ha...@cloudera.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/43233/#review118105
-----------------------------------------------------------


Ship it!




Ship It!

- Hao Hao


On Feb. 5, 2016, 8:37 a.m., Gregory Chanan wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/43233/
> -----------------------------------------------------------
> 
> (Updated Feb. 5, 2016, 8:37 a.m.)
> 
> 
> Review request for sentry, Colin Ma and Sravya Tirukkovalur.
> 
> 
> Repository: sentry
> 
> 
> Description
> -------
> 
> Currently, the sentry shell uses the java "user.name" which gives some unexpected behavior if the user is logged in via kerberos (i.e. you get error messages about your OS user when connecting to a secure sentry service).  From my testing, just using the UserGroupInformation.getLoginUser() does the right thing -- if using kerberos, it gives you the kerberos user, otherwise the OS user.
> 
> In addition, the error messages around kerberos are sometimes missing. For example, for a GSS initiate failure, which happens if there is kerberos ticket, you get no error message returned because the top-level exception has no error message (it's an UndeclaredThrowableException or somethign). We should follow the exception causes until we find something reasonable to print.
> 
> 
> Diffs
> -----
> 
>   sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/SentryShellSolr.java b0d97cd361730a4eef234b1339b2303a9dc8af18 
>   sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/SentryShellHive.java 80c8442f0f2da38ced0795ecf1e06406f8571a93 
> 
> Diff: https://reviews.apache.org/r/43233/diff/
> 
> 
> Testing
> -------
> 
> Ran the shell unit tests.
> 
> 
> Thanks,
> 
> Gregory Chanan
> 
>

Re: Review Request 43233: SENTRY-1052: Sentry shell should use kerberos requestor and give better error messages for kerberos failures

Posted by Sravya Tirukkovalur <sr...@cloudera.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/43233/#review118109
-----------------------------------------------------------


Ship it!




Ship It!

- Sravya Tirukkovalur


On Feb. 5, 2016, 8:37 a.m., Gregory Chanan wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/43233/
> -----------------------------------------------------------
> 
> (Updated Feb. 5, 2016, 8:37 a.m.)
> 
> 
> Review request for sentry, Colin Ma and Sravya Tirukkovalur.
> 
> 
> Repository: sentry
> 
> 
> Description
> -------
> 
> Currently, the sentry shell uses the java "user.name" which gives some unexpected behavior if the user is logged in via kerberos (i.e. you get error messages about your OS user when connecting to a secure sentry service).  From my testing, just using the UserGroupInformation.getLoginUser() does the right thing -- if using kerberos, it gives you the kerberos user, otherwise the OS user.
> 
> In addition, the error messages around kerberos are sometimes missing. For example, for a GSS initiate failure, which happens if there is kerberos ticket, you get no error message returned because the top-level exception has no error message (it's an UndeclaredThrowableException or somethign). We should follow the exception causes until we find something reasonable to print.
> 
> 
> Diffs
> -----
> 
>   sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/SentryShellSolr.java b0d97cd361730a4eef234b1339b2303a9dc8af18 
>   sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/SentryShellHive.java 80c8442f0f2da38ced0795ecf1e06406f8571a93 
> 
> Diff: https://reviews.apache.org/r/43233/diff/
> 
> 
> Testing
> -------
> 
> Ran the shell unit tests.
> 
> 
> Thanks,
> 
> Gregory Chanan
> 
>

Re: Review Request 43233: SENTRY-1052: Sentry shell should use kerberos requestor and give better error messages for kerberos failures

Posted by Gregory Chanan <gc...@cloudera.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/43233/
-----------------------------------------------------------

(Updated Feb. 5, 2016, 8:37 a.m.)


Review request for sentry, Colin Ma and Sravya Tirukkovalur.


Changes
-------

Also removes success message given normal shell semantics of no messages on success.


Repository: sentry


Description
-------

Currently, the sentry shell uses the java "user.name" which gives some unexpected behavior if the user is logged in via kerberos (i.e. you get error messages about your OS user when connecting to a secure sentry service).  From my testing, just using the UserGroupInformation.getLoginUser() does the right thing -- if using kerberos, it gives you the kerberos user, otherwise the OS user.

In addition, the error messages around kerberos are sometimes missing. For example, for a GSS initiate failure, which happens if there is kerberos ticket, you get no error message returned because the top-level exception has no error message (it's an UndeclaredThrowableException or somethign). We should follow the exception causes until we find something reasonable to print.


Diffs (updated)
-----

  sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/SentryShellSolr.java b0d97cd361730a4eef234b1339b2303a9dc8af18 
  sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/SentryShellHive.java 80c8442f0f2da38ced0795ecf1e06406f8571a93 

Diff: https://reviews.apache.org/r/43233/diff/


Testing
-------

Ran the shell unit tests.


Thanks,

Gregory Chanan