Posted to issues@sentry.apache.org by "Vamsee Yarlagadda (JIRA)" <ji...@apache.org> on 2017/02/01 22:17:51 UTC

[jira] [Updated] (SENTRY-1619) Fix the secure HMS connection code in HMSFollower

     [ https://issues.apache.org/jira/browse/SENTRY-1619?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Vamsee Yarlagadda updated SENTRY-1619:
--------------------------------------
    Description: 
[This code in HMSFollower|https://github.com/apache/sentry/blob/sentry-ha-redesign/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/HMSFollower.java#L120-L183] has bugs in its implementation logic that prevent a secure HMS connection from taking place.
{code}
    String principal, keytab;

    //TODO: Is this the right(standard) way to create a HMS client? HiveMetastoreClientFactoryImpl?
    //TODO: Check if HMS is using kerberos instead of relying on Sentry conf
    //TODO: Handle TGT renewals
    kerberos = ServiceConstants.ServerConfig.SECURITY_MODE_KERBEROS.equalsIgnoreCase(
        conf.get(ServiceConstants.ServerConfig.SECURITY_MODE, ServiceConstants.ServerConfig.SECURITY_MODE_KERBEROS).trim());
    if (kerberos) {
      LOGGER.info("Making a kerberos connection to HMS");
      //TODO: Is this needed? Use Hadoop libraries to translate the _HOST placeholder with actual hostname
      //Validate principal
      principal = Preconditions.checkNotNull(ServiceConstants.ServerConfig.PRINCIPAL,
          ServiceConstants.ServerConfig.PRINCIPAL + " is required");
      LOGGER.info("Using kerberos principal: " + principal);
      final String[] principalParts = SaslRpcServer.splitKerberosName(principal);
      Preconditions.checkArgument(principalParts.length == 3,
          "Kerberos principal should have 3 parts: " + principal);

      keytab = Preconditions.checkNotNull(conf.get(ServiceConstants.ServerConfig.KEY_TAB),
          ServiceConstants.ServerConfig.KEY_TAB + " is required");
      File keytabFile = new File(keytab);
      Preconditions.checkState(keytabFile.isFile() && keytabFile.canRead(),
          "Keytab " + keytab + " does not exist or is not readable.");
      boolean establishedKerberosContext = false;
      int attempt = 1;
      while(establishedKerberosContext) {
        try {
          kerberosContext = new SentryKerberosContext(principal, keytab, true);
          establishedKerberosContext = true;
          LOGGER.info("Established kerberos context, will now connect to HMS");
        } catch (LoginException e) {
          //Kerberos login failed
          if( attempt > maxRetriesForLogin ) {
            throw e;
          }
          attempt++;
        }
      }
      boolean establishedConnection = false;
      attempt = 1;
      while(establishedConnection) {
        try {
          client = Subject.doAs(kerberosContext.getSubject(), new PrivilegedExceptionAction<HiveMetaStoreClient>() {
            @Override
            public HiveMetaStoreClient run() throws Exception {
              return new HiveMetaStoreClient(hiveConf);
            }
          });
          LOGGER.info("Secure connection established with HMS");
        } catch (PrivilegedActionException e) {
          if( attempt > maxRetriesForConnection ) {
            //We should just retry as it is possible that HMS is not ready yet to receive requests
            //TODO: How do we differentiate between kerberos problem versus HMS not being up?
            LOGGER.error("Cannot connect to HMS", e);
          }
          attempt++;
        }
      }
    } else {
      //This is only for testing purposes. Sentry strongly recommends strong authentication
      client = new HiveMetaStoreClient(hiveConf);
      LOGGER.info("Non secure connection established with HMS");
    }
    return client;
  }
{code}
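As an added illustration (not Sentry's code), the following stand-alone Java program shows a bounded retry helper that avoids the loop defects visible in the snippet above: both `while` conditions are inverted so the loops never run, `establishedConnection` is never set to true, and reaching `maxRetriesForConnection` only logs instead of stopping. The `flaky` stand-ins for `SentryKerberosContext` and `HiveMetaStoreClient` are constructed for the example; the principal lookup (which passes the config key `PRINCIPAL` itself to `checkNotNull` rather than `conf.get(PRINCIPAL)`) is a separate defect not covered here.

```java
import java.util.concurrent.Callable;

// Added example, not Sentry's code: bounded retry for the two phases of a secure HMS
// connection (Kerberos login, then client creation) that fails loudly when the cap is hit.
public class BoundedRetry {

    /** Runs action until it succeeds or maxAttempts is exhausted; rethrows the last failure. */
    public static <T> T retry(String what, int maxAttempts, Callable<T> action) throws Exception {
        Exception last = null;
        for (int attempt = 1; attempt <= maxAttempts; attempt++) {
            try {
                T result = action.call();          // success: leave the loop with a value
                System.out.println(what + " succeeded on attempt " + attempt);
                return result;
            } catch (Exception e) {
                last = e;                          // failure: remember it and retry
                System.out.println(what + " failed on attempt " + attempt + ": " + e.getMessage());
            }
        }
        // Cap reached: surface the error instead of looping forever or returning a null client.
        throw new IllegalStateException(what + " failed after " + maxAttempts + " attempts", last);
    }

    /** Constructed stand-in for SentryKerberosContext / HiveMetaStoreClient: fails the first n calls. */
    static Callable<String> flaky(final String name, final int failuresBeforeSuccess) {
        return new Callable<String>() {
            int calls = 0;
            @Override public String call() throws Exception {
                if (++calls <= failuresBeforeSuccess) {
                    throw new Exception(name + " not ready");
                }
                return name + "-handle";
            }
        };
    }

    public static void main(String[] args) throws Exception {
        // Phase 1: Kerberos login (stand-in for new SentryKerberosContext(...)): 2 failures, then success.
        String ctx = retry("kerberos login", 3, flaky("kerberos-context", 2));
        // Phase 2: HMS client under that context (stand-in for Subject.doAs(... new HiveMetaStoreClient)).
        String client = retry("HMS connection for " + ctx, 5, flaky("hms-client", 4));
        System.out.println("connected: " + client);
        // A phase that never succeeds must raise its error rather than spin or log silently.
        try {
            retry("HMS connection", 2, flaky("hms-client", 10));
        } catch (IllegalStateException e) {
            System.out.println("gave up: " + e.getMessage() + " (cause: " + e.getCause().getMessage() + ")");
        }
    }
}
```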

> Fix the secure HMS connection code in HMSFollower
> -------------------------------------------------
>
>                 Key: SENTRY-1619
>                 URL: https://issues.apache.org/jira/browse/SENTRY-1619
>             Project: Sentry
>          Issue Type: Sub-task
>          Components: Hdfs Plugin
>            Reporter: Vamsee Yarlagadda
>             Fix For: sentry-ha-redesign
>
>



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)