Posted to commits@sentry.apache.org by sd...@apache.org on 2015/08/14 09:28:38 UTC
[04/50] [abbrv] incubator-sentry git commit: SENTRY-776: Sentry client should support cache based kerberos ticket for secure zookeeper connection (Prasad Mujumdar via Sravya Tirukkovalur)
SENTRY-776: Sentry client should support cache based kerberos ticket for secure zookeeper connection (Prasad Mujumdar via Sravya Tirukkovalur)
Project: http://git-wip-us.apache.org/repos/asf/incubator-sentry/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-sentry/commit/9943a33f
Tree: http://git-wip-us.apache.org/repos/asf/incubator-sentry/tree/9943a33f
Diff: http://git-wip-us.apache.org/repos/asf/incubator-sentry/diff/9943a33f
Branch: refs/heads/hive_plugin_v2
Commit: 9943a33f71f1257f95bb4ee956f94e2d3c85cb84
Parents: c56f1d2
Author: Sravya Tirukkovalur <sr...@clouera.com>
Authored: Mon Jun 29 11:22:04 2015 -0700
Committer: Sravya Tirukkovalur <sr...@clouera.com>
Committed: Mon Jun 29 11:22:04 2015 -0700
----------------------------------------------------------------------
.../db/service/persistent/HAContext.java | 22 ++++++++++++++++----
.../service/thrift/JaasConfiguration.java | 18 +++++++++++++++-
.../sentry/service/thrift/ServiceConstants.java | 2 ++
.../thrift/SentryServiceIntegrationBase.java | 6 ++++--
4 files changed, 41 insertions(+), 7 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/9943a33f/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/persistent/HAContext.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/persistent/HAContext.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/persistent/HAContext.java
index 71935b1..ada6308 100644
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/persistent/HAContext.java
+++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/persistent/HAContext.java
@@ -21,7 +21,11 @@ package org.apache.sentry.provider.db.service.persistent;
import java.io.IOException;
import java.util.Arrays;
import java.util.Collections;
+import java.util.HashMap;
import java.util.List;
+import java.util.Map;
+
+import javax.security.auth.login.AppConfigurationEntry;
import org.apache.curator.RetryPolicy;
import org.apache.curator.framework.CuratorFramework;
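Review bot: The three imports added here (`java.util.HashMap`, `java.util.Map`, `javax.security.auth.login.AppConfigurationEntry`) are not used by any of the visible HAContext hunks; the map building and AppConfigurationEntry construction live in JaasConfiguration.addEntryForTicketCache in this same commit. If nothing else in HAContext references them, they look like leftovers from moving that code and should be dropped so the file does not carry unused imports. I cannot see the rest of the file, so please confirm before removing.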
@@ -57,6 +61,7 @@ public class HAContext {
private static boolean aclChecked = false;
public final static String SENTRY_SERVICE_REGISTER_NAMESPACE = "sentry-service";
+ public static final String SENTRY_ZK_JAAS_NAME = "SentryClient";
private final String zookeeperQuorum;
private final int retriesMaxCount;
private final int sleepMsBetweenRetries;
@@ -84,7 +89,8 @@ public class HAContext {
if (zkSecure) {
LOGGER.info("Connecting to ZooKeeper with SASL/Kerberos and using 'sasl' ACLs");
setJaasConfiguration(conf);
- System.setProperty(ZooKeeperSaslClient.LOGIN_CONTEXT_NAME_KEY, "Client");
+ System.setProperty(ZooKeeperSaslClient.LOGIN_CONTEXT_NAME_KEY,
+ SENTRY_ZK_JAAS_NAME);
saslACL = Lists.newArrayList();
saslACL.add(new ACL(Perms.ALL, new Id("sasl", getServicePrincipal(conf,
ServerConfig.PRINCIPAL))));
@@ -227,16 +233,24 @@ public class HAContext {
// This gets ignored during most tests, see ZKXTestCaseWithSecurity#setupZKServer()
private void setJaasConfiguration(Configuration conf) throws IOException {
+ if ("false".equalsIgnoreCase(conf.get(
+ ServerConfig.SERVER_HA_ZOOKEEPER_CLIENT_TICKET_CACHE,
+ ServerConfig.SERVER_HA_ZOOKEEPER_CLIENT_TICKET_CACHE_DEFAULT))) {
String keytabFile = conf.get(ServerConfig.SERVER_HA_ZOOKEEPER_CLIENT_KEYTAB);
Preconditions.checkArgument(keytabFile.length() != 0, "Keytab File is not right.");
String principal = conf.get(ServerConfig.SERVER_HA_ZOOKEEPER_CLIENT_PRINCIPAL);
- principal = SecurityUtil.getServerPrincipal(principal, conf.get(ServerConfig.RPC_ADDRESS));
+ principal = SecurityUtil.getServerPrincipal(principal,
+ conf.get(ServerConfig.RPC_ADDRESS, ServerConfig.RPC_ADDRESS_DEFAULT));
Preconditions.checkArgument(principal.length() != 0, "Kerberos principal is not right.");
// This is equivalent to writing a jaas.conf file and setting the system property, "java.security.auth.login.config", to
// point to it (but this way we don't have to write a file, and it works better for the tests)
- JaasConfiguration.addEntry("Client", principal, keytabFile);
- javax.security.auth.login.Configuration.setConfiguration(JaasConfiguration.getInstance());
+ JaasConfiguration.addEntryForKeytab(SENTRY_ZK_JAAS_NAME, principal, keytabFile);
+ } else {
+ // Create jaas conf for ticket cache
+ JaasConfiguration.addEntryForTicketCache(SENTRY_ZK_JAAS_NAME);
+ }
+ javax.security.auth.login.Configuration.setConfiguration(JaasConfiguration.getInstance());
}
public class SASLOwnerACLProvider implements ACLProvider {
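Review bot: The new branch selector `"false".equalsIgnoreCase(conf.get(...))` treats every value other than the literal "false" (a typo, "no", "0", an empty string) as a request to use the ticket cache, so a deployment that meant to use the configured keytab silently authenticates with whatever credentials happen to be in the process's credential cache instead of failing on the misconfiguration. If `conf` is the Hadoop Configuration it appears to be, `if (!conf.getBoolean(ServerConfig.SERVER_HA_ZOOKEEPER_CLIENT_TICKET_CACHE, Boolean.parseBoolean(ServerConfig.SERVER_HA_ZOOKEEPER_CLIENT_TICKET_CACHE_DEFAULT)))` keeps the keytab path as the default for anything that is not an explicit "true". Separately, and predating this commit, `keytabFile.length()` throws a NullPointerException rather than the intended "Keytab File is not right." message when the keytab key is unset; `Preconditions.checkArgument(!Strings.isNullOrEmpty(keytabFile), "Keytab File is not right.")` (Guava, which the file already uses) would report it properly, and the same applies to `principal` on the next check. It would also help operators to log which mode was selected, since in ticket-cache mode the effective principal is not visible in the configuration.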
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/9943a33f/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/JaasConfiguration.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/JaasConfiguration.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/JaasConfiguration.java
index d5f55fe..64ecae2 100644
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/JaasConfiguration.java
+++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/JaasConfiguration.java
@@ -72,7 +72,7 @@ public class JaasConfiguration extends Configuration {
* @param principal The principal of the user
* @param keytab The location of the keytab
*/
- public static void addEntry(String name, String principal, String keytab) {
+ public static void addEntryForKeytab(String name, String principal, String keytab) {
Map<String, String> options = new HashMap<String, String>();
options.put("keyTab", keytab);
options.put("principal", principal);
@@ -85,6 +85,22 @@ public class JaasConfiguration extends Configuration {
}
/**
+ * Add an entry to the jaas configuration with the passed in name. The other
+ * necessary options will be set for you.
+ *
+ * @param name The name of the entry (e.g. "Client")
+ */
+ public static void addEntryForTicketCache(String sectionName) {
+ Map<String, String> options = new HashMap<String, String>();
+ options.put("useKeyTab", "false");
+ options.put("storeKey", "false");
+ options.put("useTicketCache", "true");
+ AppConfigurationEntry entry = new AppConfigurationEntry(krb5LoginModuleName,
+ AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, options);
+ entries.put(sectionName, entry);
+ }
+
+ /**
* Removes the specified entry.
*
* @param name The name of the entry to remove
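Review bot: The Javadoc for the new addEntryForTicketCache documents `@param name` but the parameter is named `sectionName`, and the description is copied from the keytab variant without saying what distinguishes this entry; either rename the parameter to `name` to match the sibling method or fix the tag, and replace the first sentence with something like `Add an entry that authenticates from the process's Kerberos ticket cache (no keytab); the other Krb5LoginModule options are set for you.` A ticket-cache login with no usable ticket will otherwise let Krb5LoginModule fall back to prompting for credentials, which is a hang in a service; adding `options.put("doNotPrompt", "true");` next to `useTicketCache` makes a missing or expired ticket fail fast instead. As with addEntryForKeytab, `entries.put(sectionName, entry)` silently replaces an existing section of the same name; worth a short comment if that is intended.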
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/9943a33f/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/ServiceConstants.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/ServiceConstants.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/ServiceConstants.java
index 54dbac5..0d775f1 100644
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/ServiceConstants.java
+++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/ServiceConstants.java
@@ -126,6 +126,8 @@ public class ServiceConstants {
// principal and keytab for client to be able to connect to secure ZK. Needed for Sentry HA with secure ZK
public static final String SERVER_HA_ZOOKEEPER_CLIENT_PRINCIPAL = "sentry.zookeeper.client.principal";
public static final String SERVER_HA_ZOOKEEPER_CLIENT_KEYTAB = "sentry.zookeeper.client.keytab";
+ public static final String SERVER_HA_ZOOKEEPER_CLIENT_TICKET_CACHE = "sentry.zookeeper.client.ticketcache";
+ public static final String SERVER_HA_ZOOKEEPER_CLIENT_TICKET_CACHE_DEFAULT = "false";
public static final ImmutableMap<String, String> SENTRY_STORE_DEFAULTS =
ImmutableMap.<String, String>builder()
.put("datanucleus.connectionPoolingType", "BoneCP")
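Review bot: The new SERVER_HA_ZOOKEEPER_CLIENT_TICKET_CACHE key has no comment, while the preceding comment only describes the principal/keytab pair, so a reader cannot tell from this file that the key switches the secure-ZK client to the process's Kerberos credential cache and makes the two keys above unnecessary. Suggest a line above it such as `// when "true", authenticate to secure ZK from the process's Kerberos ticket cache instead of the principal/keytab above`. The default is held as the String "false" rather than a boolean; if the neighbouring *_DEFAULT constants are Strings too that is consistent, otherwise a `boolean` would let callers use Configuration.getBoolean directly.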
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/9943a33f/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/service/thrift/SentryServiceIntegrationBase.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/service/thrift/SentryServiceIntegrationBase.java b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/service/thrift/SentryServiceIntegrationBase.java
index 1b9691e..c132e13 100644
--- a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/service/thrift/SentryServiceIntegrationBase.java
+++ b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/service/thrift/SentryServiceIntegrationBase.java
@@ -34,6 +34,7 @@ import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.minikdc.MiniKdc;
import org.apache.hadoop.net.NetUtils;
import org.apache.sentry.SentryUserException;
+import org.apache.sentry.provider.db.service.persistent.HAContext;
import org.apache.sentry.provider.db.service.thrift.SentryMiniKdcTestcase;
import org.apache.sentry.provider.db.service.thrift.SentryPolicyServiceClient;
import org.apache.sentry.provider.db.service.thrift.TSentryRole;
@@ -323,9 +324,10 @@ public abstract class SentryServiceIntegrationBase extends SentryMiniKdcTestcase
System.setProperty("zookeeper.kerberos.removeHostFromPrincipal", "true");
System.setProperty("zookeeper.kerberos.removeRealmFromPrincipal", "true");
- JaasConfiguration.addEntry("Server", ZK_SERVER_PRINCIPAL, ZKKeytabFile.getAbsolutePath());
+ JaasConfiguration.addEntryForKeytab("Server", ZK_SERVER_PRINCIPAL, ZKKeytabFile.getAbsolutePath());
// Here's where we add the "Client" to the jaas configuration, even though we'd like not to
- JaasConfiguration.addEntry("Client", SERVER_KERBEROS_NAME, serverKeytab.getAbsolutePath());
+ JaasConfiguration.addEntryForKeytab(HAContext.SENTRY_ZK_JAAS_NAME,
+ SERVER_KERBEROS_NAME, serverKeytab.getAbsolutePath());
javax.security.auth.login.Configuration.setConfiguration(JaasConfiguration.getInstance());
System.setProperty(ZooKeeperSaslServer.LOGIN_CONTEXT_NAME_KEY, "Server");