You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@sentry.apache.org by Gregory Chanan <gc...@cloudera.com> on 2016/02/05 01:43:44 UTC
Review Request 43233: SENTRY-1052: Sentry shell should use kerberos
requestor and give better error messages for kerberos failures
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/43233/
-----------------------------------------------------------
Review request for sentry, Colin Ma and Sravya Tirukkovalur.
Repository: sentry
Description
-------
Currently, the sentry shell uses the java "user.name" which gives some unexpected behavior if the user is logged in via kerberos (i.e. you get error messages about your OS user when connecting to a secure sentry service). From my testing, just using the UserGroupInformation.getLoginUser() does the right thing -- if using kerberos, it gives you the kerberos user, otherwise the OS user.
In addition, the error messages around kerberos are sometimes missing. For example, for a GSS initiate failure, which happens if there is kerberos ticket, you get no error message returned because the top-level exception has no error message (it's an UndeclaredThrowableException or somethign). We should follow the exception causes until we find something reasonable to print.
Diffs
-----
sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/SentryShellSolr.java b0d97cd361730a4eef234b1339b2303a9dc8af18
sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/SentryShellHive.java 80c8442f0f2da38ced0795ecf1e06406f8571a93
Diff: https://reviews.apache.org/r/43233/diff/
Testing
-------
Ran the shell unit tests.
Thanks,
Gregory Chanan
Re: Review Request 43233: SENTRY-1052: Sentry shell should use
kerberos
requestor and give better error messages for kerberos failures
Posted by Hao Hao <ha...@cloudera.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/43233/#review118105
-----------------------------------------------------------
Ship it!
Ship It!
- Hao Hao
On Feb. 5, 2016, 8:37 a.m., Gregory Chanan wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/43233/
> -----------------------------------------------------------
>
> (Updated Feb. 5, 2016, 8:37 a.m.)
>
>
> Review request for sentry, Colin Ma and Sravya Tirukkovalur.
>
>
> Repository: sentry
>
>
> Description
> -------
>
> Currently, the sentry shell uses the java "user.name" which gives some unexpected behavior if the user is logged in via kerberos (i.e. you get error messages about your OS user when connecting to a secure sentry service). From my testing, just using the UserGroupInformation.getLoginUser() does the right thing -- if using kerberos, it gives you the kerberos user, otherwise the OS user.
>
> In addition, the error messages around kerberos are sometimes missing. For example, for a GSS initiate failure, which happens if there is kerberos ticket, you get no error message returned because the top-level exception has no error message (it's an UndeclaredThrowableException or somethign). We should follow the exception causes until we find something reasonable to print.
>
>
> Diffs
> -----
>
> sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/SentryShellSolr.java b0d97cd361730a4eef234b1339b2303a9dc8af18
> sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/SentryShellHive.java 80c8442f0f2da38ced0795ecf1e06406f8571a93
>
> Diff: https://reviews.apache.org/r/43233/diff/
>
>
> Testing
> -------
>
> Ran the shell unit tests.
>
>
> Thanks,
>
> Gregory Chanan
>
>
Re: Review Request 43233: SENTRY-1052: Sentry shell should use
kerberos
requestor and give better error messages for kerberos failures
Posted by Sravya Tirukkovalur <sr...@cloudera.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/43233/#review118109
-----------------------------------------------------------
Ship it!
Ship It!
- Sravya Tirukkovalur
On Feb. 5, 2016, 8:37 a.m., Gregory Chanan wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/43233/
> -----------------------------------------------------------
>
> (Updated Feb. 5, 2016, 8:37 a.m.)
>
>
> Review request for sentry, Colin Ma and Sravya Tirukkovalur.
>
>
> Repository: sentry
>
>
> Description
> -------
>
> Currently, the sentry shell uses the java "user.name" which gives some unexpected behavior if the user is logged in via kerberos (i.e. you get error messages about your OS user when connecting to a secure sentry service). From my testing, just using the UserGroupInformation.getLoginUser() does the right thing -- if using kerberos, it gives you the kerberos user, otherwise the OS user.
>
> In addition, the error messages around kerberos are sometimes missing. For example, for a GSS initiate failure, which happens if there is kerberos ticket, you get no error message returned because the top-level exception has no error message (it's an UndeclaredThrowableException or somethign). We should follow the exception causes until we find something reasonable to print.
>
>
> Diffs
> -----
>
> sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/SentryShellSolr.java b0d97cd361730a4eef234b1339b2303a9dc8af18
> sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/SentryShellHive.java 80c8442f0f2da38ced0795ecf1e06406f8571a93
>
> Diff: https://reviews.apache.org/r/43233/diff/
>
>
> Testing
> -------
>
> Ran the shell unit tests.
>
>
> Thanks,
>
> Gregory Chanan
>
>
Re: Review Request 43233: SENTRY-1052: Sentry shell should use
kerberos
requestor and give better error messages for kerberos failures
Posted by Gregory Chanan <gc...@cloudera.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/43233/
-----------------------------------------------------------
(Updated Feb. 5, 2016, 8:37 a.m.)
Review request for sentry, Colin Ma and Sravya Tirukkovalur.
Changes
-------
Also removes success message given normal shell semantics of no messages on success.
Repository: sentry
Description
-------
Currently, the sentry shell uses the java "user.name" which gives some unexpected behavior if the user is logged in via kerberos (i.e. you get error messages about your OS user when connecting to a secure sentry service). From my testing, just using the UserGroupInformation.getLoginUser() does the right thing -- if using kerberos, it gives you the kerberos user, otherwise the OS user.
In addition, the error messages around kerberos are sometimes missing. For example, for a GSS initiate failure, which happens if there is kerberos ticket, you get no error message returned because the top-level exception has no error message (it's an UndeclaredThrowableException or somethign). We should follow the exception causes until we find something reasonable to print.
Diffs (updated)
-----
sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/SentryShellSolr.java b0d97cd361730a4eef234b1339b2303a9dc8af18
sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/SentryShellHive.java 80c8442f0f2da38ced0795ecf1e06406f8571a93
Diff: https://reviews.apache.org/r/43233/diff/
Testing
-------
Ran the shell unit tests.
Thanks,
Gregory Chanan