Posted to dev@sentry.apache.org by Prasad Mujumdar <pr...@cloudera.com> on 2014/09/11 22:52:41 UTC

Review Request 25555: SENTRY-431: Sentry db provider client should attempt to refresh kerberos ticket before connection

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/25555/
-----------------------------------------------------------

Review request for sentry and Brock Noland.


Bugs: SENTRY-431
    https://issues.apache.org/jira/browse/SENTRY-431


Repository: sentry


Description
-------

Hive currently has logic to renew the Kerberos ticket inline during metastore connection. The Sentry DB store client is loaded via a semantic hook, which happens before the metastore connection. That means if there's a long inactive period in HS2, the ticket will be expired and the Sentry connection will fail.
This patch ensures that the ticket is renewed before every new Sentry service connection. The Hadoop UGI API used here will relogin only if less than 20% of the time is left before the ticket expires.


Diffs
-----

  sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyServiceClient.java 6895927 

Diff: https://reviews.apache.org/r/25555/diff/


Testing
-------

Manually tested on a secure cluster


Thanks,

Prasad Mujumdar
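
The renew-before-connect pattern described in the request above, as an added Java example that is neither the patch under review nor Sentry code. `KerberosAwareConnector` is a hypothetical helper, and the choice of Hadoop's `UserGroupInformation.checkTGTAndReloginFromKeytab()` as the relogin call is an assumption, since the description does not name the method.

```java
import java.io.IOException;
import java.lang.reflect.UndeclaredThrowableException;
import java.security.PrivilegedExceptionAction;

import org.apache.hadoop.security.UserGroupInformation;
import org.apache.thrift.transport.TTransport;
import org.apache.thrift.transport.TTransportException;

/** Hypothetical helper (not part of Sentry): refresh the TGT, then connect. */
public final class KerberosAwareConnector {

  private KerberosAwareConnector() {}

  public static void open(final TTransport transport) throws TTransportException {
    try {
      if (!UserGroupInformation.isSecurityEnabled()) {
        transport.open();            // non-Kerberos cluster: nothing to renew
        return;
      }
      UserGroupInformation loginUser = UserGroupInformation.getLoginUser();
      // Returns immediately unless the login came from a keytab and the TGT
      // is past its refresh point, so it is cheap to call on every connect.
      loginUser.checkTGTAndReloginFromKeytab();
      // Open as the login user so the SASL/GSSAPI handshake uses the
      // (possibly just renewed) ticket held in that user's Subject.
      loginUser.doAs(new PrivilegedExceptionAction<Void>() {
        @Override
        public Void run() throws TTransportException {
          transport.open();
          return null;
        }
      });
    } catch (UndeclaredThrowableException e) {
      // doAs() wraps checked exceptions it does not declare; unwrap ours.
      if (e.getCause() instanceof TTransportException) {
        throw (TTransportException) e.getCause();
      }
      throw e;
    } catch (IOException e) {
      // Relogin failed (unreadable keytab, KDC unreachable): fail the
      // connection explicitly instead of continuing with a stale ticket.
      throw new TTransportException("Kerberos relogin failed before connect", e);
    } catch (InterruptedException e) {
      Thread.currentThread().interrupt();
      throw new TTransportException("Interrupted while opening transport", e);
    }
  }
}
```

The example needs the Hadoop common and Thrift libraries on the classpath and a process that has already logged in from a keytab.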


Re: Review Request 25555: SENTRY-431: Sentry db provider client should attempt to refresh kerberos ticket before connection

Posted by Brock Noland <br...@cloudera.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/25555/#review53114
-----------------------------------------------------------

Ship it!


Ship It!

- Brock Noland


On Sept. 11, 2014, 8:52 p.m., Prasad Mujumdar wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/25555/
> -----------------------------------------------------------
> 
> (Updated Sept. 11, 2014, 8:52 p.m.)
> 
> 
> Review request for sentry and Brock Noland.
> 
> 
> Bugs: SENTRY-431
>     https://issues.apache.org/jira/browse/SENTRY-431
> 
> 
> Repository: sentry
> 
> 
> Description
> -------
> 
> Hive currently has logic to renew the Kerberos ticket inline during metastore connection. The Sentry DB store client is loaded via a semantic hook, which happens before the metastore connection. That means if there's a long inactive period in HS2, the ticket will be expired and the Sentry connection will fail.
> This patch ensures that the ticket is renewed before every new Sentry service connection. The Hadoop UGI API used here will relogin only if less than 20% of the time is left before the ticket expires.
> 
> 
> Diffs
> -----
> 
>   sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyServiceClient.java 6895927 
> 
> Diff: https://reviews.apache.org/r/25555/diff/
> 
> 
> Testing
> -------
> 
> Manually tested on a secure cluster
> 
> 
> Thanks,
> 
> Prasad Mujumdar
> 
>