Posted to commits@sentry.apache.org by va...@apache.org on 2017/06/14 00:57:08 UTC
[30/52] [abbrv] sentry git commit: SENTRY-1766 Generic model clients
using kerberos can no longer connect to Sentry server
SENTRY-1766 Generic model clients using kerberos can no longer connect to Sentry server
CDH-53688
Change-Id: I71f033cb86edeae375835d8dbbd48a514f2622ca
Reviewed-on: http://gerrit.sjc.cloudera.com:8080/22705
Reviewed-by: Vamsee Yarlagadda <va...@cloudera.com>
Reviewed-by: Na Li <li...@cloudera.com>
Tested-by: Jenkins User
Project: http://git-wip-us.apache.org/repos/asf/sentry/repo
Commit: http://git-wip-us.apache.org/repos/asf/sentry/commit/106e736c
Tree: http://git-wip-us.apache.org/repos/asf/sentry/tree/106e736c
Diff: http://git-wip-us.apache.org/repos/asf/sentry/diff/106e736c
Branch: refs/for/cdh5-1.5.1_ha
Commit: 106e736c9837111b51a652a58624fa14782f0064
Parents: 2038160
Author: Kalyan Kumar Kalvagadda <kk...@cloudera.com>
Authored: Thu May 18 22:35:26 2017 -0500
Committer: Kalyan Kumar Kalvagadda <kk...@cloudera.com>
Committed: Thu May 18 22:00:47 2017 -0700
----------------------------------------------------------------------
.../transport/SentryTransportFactory.java | 5 +-
.../UserGroupInformationInitializer.java | 52 ++++++++++++++++++++
.../SentryGenericServiceClientDefaultImpl.java | 8 +--
3 files changed, 55 insertions(+), 10 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/sentry/blob/106e736c/sentry-core/sentry-core-common/src/main/java/org/apache/sentry/core/common/transport/SentryTransportFactory.java
----------------------------------------------------------------------
diff --git a/sentry-core/sentry-core-common/src/main/java/org/apache/sentry/core/common/transport/SentryTransportFactory.java b/sentry-core/sentry-core-common/src/main/java/org/apache/sentry/core/common/transport/SentryTransportFactory.java
index 9b9f9e8..f609d33 100644
--- a/sentry-core/sentry-core-common/src/main/java/org/apache/sentry/core/common/transport/SentryTransportFactory.java
+++ b/sentry-core/sentry-core-common/src/main/java/org/apache/sentry/core/common/transport/SentryTransportFactory.java
@@ -74,9 +74,8 @@ public class SentryTransportFactory {
super(mechanism, null, protocol, serverName, SASL_PROPERTIES, null,
transport);
if (wrapUgi) {
- // If we don't set the configuration, the UGI will be created based on
- // what's on the classpath, which may lack the kerberos changes we require
- UserGroupInformation.setConfiguration(conf);
+ //Re-initializing UserGroupInformation, if needed
+ UserGroupInformationInitializer.initialize(conf);
ugi = UserGroupInformation.getLoginUser();
}
}
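Review bot: The new comment `//Re-initializing UserGroupInformation, if needed` on the `wrapUgi` branch drops the reason the removed comment gave and does not describe what the call now does. Going by the helper added in this commit, it sets HADOOP_SECURITY_AUTHENTICATION to kerberos on a copy of `conf` and applies that only on the first call in the JVM, so "re-initializing" is misleading. I would write `// Ensure UGI is configured for kerberos (applied once per JVM) before reading the login user`. The old code re-applied `conf` on every transport construction; if the host application later resets the UGI configuration, `getLoginUser()` here may no longer reflect kerberos settings, which is worth confirming with a test. The constructor this branch belongs to starts above the hunk.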
http://git-wip-us.apache.org/repos/asf/sentry/blob/106e736c/sentry-core/sentry-core-common/src/main/java/org/apache/sentry/core/common/transport/UserGroupInformationInitializer.java
----------------------------------------------------------------------
diff --git a/sentry-core/sentry-core-common/src/main/java/org/apache/sentry/core/common/transport/UserGroupInformationInitializer.java b/sentry-core/sentry-core-common/src/main/java/org/apache/sentry/core/common/transport/UserGroupInformationInitializer.java
new file mode 100644
index 0000000..19ba12c
--- /dev/null
+++ b/sentry-core/sentry-core-common/src/main/java/org/apache/sentry/core/common/transport/UserGroupInformationInitializer.java
@@ -0,0 +1,52 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ * <p>
+ * http://www.apache.org/licenses/LICENSE-2.0
+ * <p>
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.sentry.core.common.transport;
+
+import org.apache.hadoop.conf.Configuration;
+import org.apache.hadoop.security.UserGroupInformation;
+
+import static org.apache.hadoop.fs.CommonConfigurationKeysPublic.HADOOP_SECURITY_AUTHENTICATION;
+
+/**
+ * Wrapper to initialize UserGroupInformation
+ */
+
+public class UserGroupInformationInitializer {
+
+ // initialize() method could be called my multiple threads.
+ // to attain visibility guarantee on isInitialized, it is declared volatile.
+ private static volatile boolean isInitialized = false;
+
+ // initialization block may be executed multiple times. This is fine as setConfiguration is
+ // thread-safe
+ public static void initialize(Configuration conf) {
+ if(!isInitialized) {
+ Configuration newConf = new Configuration(conf);
+ // When kerberos is enabled, UserGroupInformation should have been initialized with
+ // HADOOP_SECURITY_AUTHENTICATION property. There are instances where this is not done.
+ // Example: Solr and Kafka while using sentry generic clients were not updating this
+ // property. Instead of depending on the callers to update this configuration and to be
+ // sure that UserGroupInformation is properly initialized, sentry client is explicitly
+ // doing it,
+ newConf.set(HADOOP_SECURITY_AUTHENTICATION, SentryClientTransportConstants.KERBEROS_MODE);
+ UserGroupInformation.setConfiguration(newConf);
+ isInitialized = true;
+ }
+ }
+}
\ No newline at end of file
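Review bot: `initialize` latches on the first call, so a later client that passes a different `Configuration` is silently ignored. The `UserGroupInformation.setConfiguration(newConf)` it performs is also process-wide, so it switches the authentication mode for every UGI user in the host JVM (Solr and Kafka, per the comment), not only for the Sentry client. The class Javadoc says only "Wrapper to initialize UserGroupInformation"; I would document both effects on the method, for example `/** Sets the JVM-wide UGI configuration to kerberos from the first conf passed; later calls are no-ops. */`. The comment already accepts that the block may run more than once, so declaring it `public static synchronized void initialize(Configuration conf)` would make it run exactly once at negligible cost and close the window in which two threads install different configurations. The comment typo "my multiple threads" should read "by multiple threads".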
http://git-wip-us.apache.org/repos/asf/sentry/blob/106e736c/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/service/thrift/SentryGenericServiceClientDefaultImpl.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/service/thrift/SentryGenericServiceClientDefaultImpl.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/service/thrift/SentryGenericServiceClientDefaultImpl.java
index 7bef81f..f430064 100644
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/service/thrift/SentryGenericServiceClientDefaultImpl.java
+++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/service/thrift/SentryGenericServiceClientDefaultImpl.java
@@ -60,14 +60,8 @@ public class SentryGenericServiceClientDefaultImpl implements SentryGenericServi
private static final String THRIFT_EXCEPTION_MESSAGE = "Thrift exception occured ";
public SentryGenericServiceClientDefaultImpl(Configuration conf, SentryPolicyClientTransportConfig transportConfig) throws IOException {
- //TODO(kalyan) need to find appropriate place to add it
- // if (kerberos) {
- // // since the client uses hadoop-auth, we need to set kerberos in
- // // hadoop-auth if we plan to use kerberos
- // conf.set(HADOOP_SECURITY_AUTHENTICATION, SentryConstants.KERBEROS_MoODE);
- // }
- this.conf = conf;
transportFactory = new SentryTransportFactory(conf, transportConfig);
+ this.conf = conf;
}
/**