Posted to commits@sentry.apache.org by gc...@apache.org on 2016/01/30 01:41:07 UTC

incubator-sentry git commit: SENTRY-1037: Set "hadoop.security.authentication" to "kerberos" in the Generic Client (Gregory Chanan, reviewed by Sravya Tirukkovalur)

Repository: incubator-sentry
Updated Branches:
  refs/heads/master 20f3960ce -> a01a75011


SENTRY-1037: Set "hadoop.security.authentication" to "kerberos" in the Generic Client (Gregory Chanan, reviewed by Sravya Tirukkovalur)


Project: http://git-wip-us.apache.org/repos/asf/incubator-sentry/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-sentry/commit/a01a7501
Tree: http://git-wip-us.apache.org/repos/asf/incubator-sentry/tree/a01a7501
Diff: http://git-wip-us.apache.org/repos/asf/incubator-sentry/diff/a01a7501

Branch: refs/heads/master
Commit: a01a7501114ca0934255a0fb5e2635214f8ce887
Parents: 20f3960
Author: Gregory Chanan <gc...@cloudera.com>
Authored: Thu Jan 28 16:35:05 2016 -0800
Committer: Gregory Chanan <gc...@cloudera.com>
Committed: Fri Jan 29 16:40:05 2016 -0800

----------------------------------------------------------------------
 .../thrift/SentryGenericServiceClientDefaultImpl.java | 14 +++++++++++---
 .../provider/db/generic/tools/SentryShellSolr.java    |  4 +++-
 2 files changed, 14 insertions(+), 4 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/a01a7501/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/service/thrift/SentryGenericServiceClientDefaultImpl.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/service/thrift/SentryGenericServiceClientDefaultImpl.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/service/thrift/SentryGenericServiceClientDefaultImpl.java
index 761b0a4..ce57513 100644
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/service/thrift/SentryGenericServiceClientDefaultImpl.java
+++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/service/thrift/SentryGenericServiceClientDefaultImpl.java
@@ -28,6 +28,7 @@ import java.util.Set;
 import javax.security.auth.callback.CallbackHandler;
 
 import org.apache.hadoop.conf.Configuration;
+import static org.apache.hadoop.fs.CommonConfigurationKeysPublic.HADOOP_SECURITY_AUTHENTICATION;
 import org.apache.hadoop.net.NetUtils;
 import org.apache.hadoop.security.SaslRpcServer;
 import org.apache.hadoop.security.SaslRpcServer.AuthMethod;
@@ -75,11 +76,14 @@ public class SentryGenericServiceClientDefaultImpl implements SentryGenericServi
 
     public UgiSaslClientTransport(String mechanism, String authorizationId,
         String protocol, String serverName, Map<String, String> props,
-        CallbackHandler cbh, TTransport transport, boolean wrapUgi)
+        CallbackHandler cbh, TTransport transport, boolean wrapUgi, Configuration conf)
         throws IOException {
       super(mechanism, authorizationId, protocol, serverName, props, cbh,
           transport);
       if (wrapUgi) {
+       // If we don't set the configuration, the UGI will be created based on
+       // what's on the classpath, which may lack the kerberos changes we require
+        UserGroupInformation.setConfiguration(conf);
         ugi = UserGroupInformation.getLoginUser();
       }
     }
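Review bot: The added `UserGroupInformation.setConfiguration(conf)` call inside the `wrapUgi` branch is a static call, so it replaces the security configuration for every UGI consumer in the JVM, not only for this transport. When the client is embedded in a host process that runs other Hadoop clients, constructing one Sentry client would switch them all to the configuration passed here, and a later `setConfiguration` elsewhere would silently undo it. At minimum the comment should say so, e.g. `// NOTE: setConfiguration is static and JVM-wide; it affects every UGI user in this process`. A null `conf` is also not rejected before the call. The three added lines are indented inconsistently (7 spaces for the comment, 8 for the call).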
@@ -116,7 +120,8 @@ public class SentryGenericServiceClientDefaultImpl implements SentryGenericServi
   }
 
   public SentryGenericServiceClientDefaultImpl(Configuration conf) throws IOException {
-    this.conf = conf;
+    // copy the configuration because we may make modifications to it.
+    this.conf = new Configuration(conf);
     Preconditions.checkNotNull(this.conf, "Configuration object cannot be null");
     this.serverAddress = NetUtils.createSocketAddr(Preconditions.checkNotNull(
                            conf.get(ClientConfig.SERVER_RPC_ADDRESS), "Config key "
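Review bot: The `Preconditions.checkNotNull(this.conf, ...)` line that follows the new copy can no longer fire, because `this.conf` has just been assigned the result of `new` and is never null. A null argument would presumably fail earlier, inside the `Configuration` copy constructor, with a bare NullPointerException instead of the intended message. Validate the parameter before copying: `this.conf = new Configuration(Preconditions.checkNotNull(conf, "Configuration object cannot be null"));`. The constructor body continues past the end of this hunk.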
@@ -130,6 +135,9 @@ public class SentryGenericServiceClientDefaultImpl implements SentryGenericServi
         serverAddress.getPort(), connectionTimeout);
     if (kerberos) {
       String serverPrincipal = Preconditions.checkNotNull(conf.get(ServerConfig.PRINCIPAL), ServerConfig.PRINCIPAL + " is required");
+      // since the client uses hadoop-auth, we need to set kerberos in
+      // hadoop-auth if we plan to use kerberos
+      conf.set(HADOOP_SECURITY_AUTHENTICATION, ServerConfig.SECURITY_MODE_KERBEROS);
 
       // Resolve server host in the same way as we are doing on server side
       serverPrincipal = SecurityUtil.getServerPrincipal(serverPrincipal, serverAddress.getAddress());
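Review bot: The added `conf.set(HADOOP_SECURITY_AUTHENTICATION, ...)` uses the unqualified name `conf`, which inside this constructor is the parameter and not the copy stored in `this.conf` by the previous hunk. Unless `conf` is reassigned in lines not shown, the caller's Configuration is still mutated, which is what the copy was meant to prevent, and the copy kept in the field never receives the kerberos setting. The next hunk has the same problem where it passes `conf` to `UgiSaslClientTransport`. Use the field in both places: `this.conf.set(HADOOP_SECURITY_AUTHENTICATION, ServerConfig.SECURITY_MODE_KERBEROS);` and `ClientConfig.SASL_PROPERTIES, null, transport, wrapUgi, this.conf);`. The constructor starts and ends outside this hunk.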
@@ -142,7 +150,7 @@ public class SentryGenericServiceClientDefaultImpl implements SentryGenericServi
           .get(ServerConfig.SECURITY_USE_UGI_TRANSPORT, "true"));
       transport = new UgiSaslClientTransport(AuthMethod.KERBEROS.getMechanismName(),
           null, serverPrincipalParts[0], serverPrincipalParts[1],
-          ClientConfig.SASL_PROPERTIES, null, transport, wrapUgi);
+          ClientConfig.SASL_PROPERTIES, null, transport, wrapUgi, conf);
     } else {
       serverPrincipalParts = null;
     }

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/a01a7501/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/SentryShellSolr.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/SentryShellSolr.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/SentryShellSolr.java
index ec786a5..15f4a26 100644
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/SentryShellSolr.java
+++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/SentryShellSolr.java
@@ -45,6 +45,7 @@ public class SentryShellSolr extends SentryShellCommon {
     String requestorName = System.getProperty("user.name", "");
     String component = "SOLR";
     Configuration conf = getSentryConf();
+
     String service = conf.get(SOLR_SERVICE_NAME, "service1");
     SentryGenericServiceClient client = SentryGenericServiceClientFactory.create(conf);
 
@@ -94,7 +95,8 @@ public class SentryShellSolr extends SentryShellCommon {
       }
     } catch (Exception e) {
       LOGGER.error(e.getMessage(), e);
-      System.out.println("The operation failed, please refer to log file for the root cause.");
+      System.out.println("The operation failed." +
+          e.getMessage() == null ? "" : "Message: " + e.getMessage());
     }
   }
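Review bot: The new `println` argument has an operator-precedence bug: `+` binds tighter than `==`, so it parses as `("The operation failed." + e.getMessage()) == null ? "" : "Message: " + e.getMessage()`. The comparison is always false, so the text "The operation failed." is never printed and a null message comes out as `Message: null`. Parenthesise the conditional and add the missing separator: `String msg = e.getMessage();` then `System.out.println("The operation failed." + (msg == null ? "" : " Message: " + msg));`. The raw exception message now goes to the console, so it is worth confirming that the exceptions reaching this catch do not carry details that should stay in the log file.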