Posted to issues@sentry.apache.org by "Vamsee Yarlagadda (JIRA)" <ji...@apache.org> on 2017/02/03 04:22:51 UTC
[jira] [Updated] (SENTRY-1621) HMSFollower to retry connecting to HMS upon connection loss
[ https://issues.apache.org/jira/browse/SENTRY-1621?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Vamsee Yarlagadda updated SENTRY-1621:
--------------------------------------
Component/s: Hive Binding (was: Hdfs Plugin)
> HMSFollower to retry connecting to HMS upon connection loss
> -----------------------------------------------------------
>
> Key: SENTRY-1621
> URL: https://issues.apache.org/jira/browse/SENTRY-1621
> Project: Sentry
> Issue Type: Sub-task
> Components: Hive Binding
> Reporter: Vamsee Yarlagadda
> Assignee: Vamsee Yarlagadda
> Fix For: sentry-ha-redesign
>
>
> [This code in HMSFollower|https://github.com/apache/sentry/blob/sentry-ha-redesign/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/HMSFollower.java#L120-L183] has bugs in implementing logic that are preventing a secure HMS connection from taking place.
> {code}
>     String principal, keytab;
>     //TODO: Is this the right(standard) way to create a HMS client? HiveMetastoreClientFactoryImpl?
>     //TODO: Check if HMS is using kerberos instead of relying on Sentry conf
>     //TODO: Handle TGT renewals
>     kerberos = ServiceConstants.ServerConfig.SECURITY_MODE_KERBEROS.equalsIgnoreCase(
>         conf.get(ServiceConstants.ServerConfig.SECURITY_MODE, ServiceConstants.ServerConfig.SECURITY_MODE_KERBEROS).trim());
>     if (kerberos) {
>       LOGGER.info("Making a kerberos connection to HMS");
>       //TODO: Is this needed? Use Hadoop libraries to translate the _HOST placeholder with actual hostname
>       //Validate principal
>       principal = Preconditions.checkNotNull(ServiceConstants.ServerConfig.PRINCIPAL,
>           ServiceConstants.ServerConfig.PRINCIPAL + " is required");
>       LOGGER.info("Using kerberos principal: " + principal);
>       final String[] principalParts = SaslRpcServer.splitKerberosName(principal);
>       Preconditions.checkArgument(principalParts.length == 3,
>           "Kerberos principal should have 3 parts: " + principal);
>       keytab = Preconditions.checkNotNull(conf.get(ServiceConstants.ServerConfig.KEY_TAB),
>           ServiceConstants.ServerConfig.KEY_TAB + " is required");
>       File keytabFile = new File(keytab);
>       Preconditions.checkState(keytabFile.isFile() && keytabFile.canRead(),
>           "Keytab " + keytab + " does not exist or is not readable.");
>       boolean establishedKerberosContext = false;
>       int attempt = 1;
>       while(establishedKerberosContext) {
>         try {
>           kerberosContext = new SentryKerberosContext(principal, keytab, true);
>           establishedKerberosContext = true;
>           LOGGER.info("Established kerberos context, will now connect to HMS");
>         } catch (LoginException e) {
>           //Kerberos login failed
>           if( attempt > maxRetriesForLogin ) {
>             throw e;
>           }
>           attempt++;
>         }
>       }
>       boolean establishedConnection = false;
>       attempt = 1;
>       while(establishedConnection) {
>         try {
>           client = Subject.doAs(kerberosContext.getSubject(), new PrivilegedExceptionAction<HiveMetaStoreClient>() {
>             @Override
>             public HiveMetaStoreClient run() throws Exception {
>               return new HiveMetaStoreClient(hiveConf);
>             }
>           });
>           LOGGER.info("Secure connection established with HMS");
>         } catch (PrivilegedActionException e) {
>           if( attempt > maxRetriesForConnection ) {
>             //We should just retry as it is possible that HMS is not ready yet to receive requests
>             //TODO: How do we differentiate between kerberos problem versus HMS not being up?
>             LOGGER.error("Cannot connect to HMS", e);
>           }
>           attempt++;
>         }
>       }
>     } else {
>       //This is only for testing purposes. Sentry strongly recommends strong authentication
>       client = new HiveMetaStoreClient(hiveConf);
>       LOGGER.info("Non secure connection established with HMS");
>     }
>     return client;
>   }
> {code}
--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
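As an added illustration of the retry logic the issue describes (this is example code, not Sentry's own HMSFollower or any patch attached to SENTRY-1621), the block below writes the two retry loops so that they run until success or until their attempt budget is exhausted, and then fail loudly rather than looping on a never-entered `while` or swallowing the final error. The class name `HmsConnectRetry`, the generic `retry` helper, the `waitMillis` backoff parameter, the slf4j logger, and the package `org.apache.sentry.service.thrift` for `SentryKerberosContext` are assumptions made for this example; `SentryKerberosContext(principal, keytab, true)`, `getSubject()`, `HiveMetaStoreClient(hiveConf)` and the `Subject.doAs` wrapping are the calls that appear in the quoted code.

```java
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.util.concurrent.Callable;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginException;
import org.apache.hadoop.hive.conf.HiveConf;
import org.apache.hadoop.hive.metastore.HiveMetaStoreClient;
import org.apache.hadoop.hive.metastore.api.MetaException;
import org.apache.sentry.service.thrift.SentryKerberosContext; // assumed package
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/** Hypothetical helper (example code, not Sentry's) showing retry loops that actually execute. */
public final class HmsConnectRetry {
  private static final Logger LOGGER = LoggerFactory.getLogger(HmsConnectRetry.class);

  /** Run {@code action} until it succeeds or {@code maxAttempts} is used up, waiting between tries. */
  static <T> T retry(String what, int maxAttempts, long waitMillis, Callable<T> action) throws Exception {
    // The loop condition is "not yet established"; the quoted code used while(established),
    // which starts false and so never enters the loop at all.
    for (int attempt = 1; ; attempt++) {
      try {
        T result = action.call();
        LOGGER.info("{} succeeded on attempt {}", what, attempt);
        return result;
      } catch (Exception e) {
        // On the last attempt propagate the failure; the quoted connection loop only logged
        // it and kept looping, so a dead HMS was never surfaced to the caller.
        if (attempt >= maxAttempts) {
          LOGGER.error("{} failed after {} attempts", what, attempt, e);
          throw e;
        }
        LOGGER.warn("{} failed on attempt {}/{}, retrying in {} ms", what, attempt, maxAttempts, waitMillis, e);
        Thread.sleep(waitMillis); // assumed fixed backoff between attempts
      }
    }
  }

  /** Kerberos login first, then the HMS client as the logged-in subject, each with its own retry budget. */
  static HiveMetaStoreClient connectSecurely(final HiveConf hiveConf, final String principal, final String keytab,
      int maxRetriesForLogin, int maxRetriesForConnection, long waitMillis) throws Exception {
    // Step 1: keytab login. A LoginException here is a credential or keytab problem and is
    // reported under that label, separately from HMS availability.
    final SentryKerberosContext kerberosContext = retry("Kerberos login", maxRetriesForLogin, waitMillis,
        new Callable<SentryKerberosContext>() {
          @Override
          public SentryKerberosContext call() throws LoginException {
            return new SentryKerberosContext(principal, keytab, true);
          }
        });

    // Step 2: open the client inside doAs. The PrivilegedActionException wrapper is unwrapped so the
    // real cause (for example a MetaException because HMS is not up yet) is what gets logged and thrown.
    return retry("HMS connection", maxRetriesForConnection, waitMillis, new Callable<HiveMetaStoreClient>() {
      @Override
      public HiveMetaStoreClient call() throws Exception {
        try {
          return Subject.doAs(kerberosContext.getSubject(), new PrivilegedExceptionAction<HiveMetaStoreClient>() {
            @Override
            public HiveMetaStoreClient run() throws MetaException {
              return new HiveMetaStoreClient(hiveConf);
            }
          });
        } catch (PrivilegedActionException e) {
          throw e.getException();
        }
      }
    });
  }
}
```

Keeping the login and connection phases in separate `retry` calls is what answers the TODO in the quoted code about telling a Kerberos problem from HMS not being up: a `LoginException` can only escape the first phase, while a `MetaException` can only escape the second, so the log line and the exception type already say which one failed.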