Posted to commits@sentry.apache.org by va...@apache.org on 2017/06/14 00:57:12 UTC

[34/52] [abbrv] sentry git commit: SENTRY-1777: Generic service client should support Kerberos(Continuation Fix) (Kalyan Kalvagadda, Reviewed by: Vamsee Yarlagadda)

SENTRY-1777: Generic service client should support Kerberos(Continuation Fix) (Kalyan Kalvagadda, Reviewed by: Vamsee Yarlagadda)

CDH-54182

Change-Id: I585a68c4835527982ffd4b597922f9acfc1ad8bd
Reviewed-on: http://gerrit.sjc.cloudera.com:8080/22940
Reviewed-by: Na Li <li...@cloudera.com>
Reviewed-by: Vamsee Yarlagadda <va...@cloudera.com>
Tested-by: Jenkins User


Project: http://git-wip-us.apache.org/repos/asf/sentry/repo
Commit: http://git-wip-us.apache.org/repos/asf/sentry/commit/77b43f11
Tree: http://git-wip-us.apache.org/repos/asf/sentry/tree/77b43f11
Diff: http://git-wip-us.apache.org/repos/asf/sentry/diff/77b43f11

Branch: refs/for/cdh5-1.5.1_ha
Commit: 77b43f110d20f04d24b2bef8530adc5fa7e9f27a
Parents: afe476b
Author: Vamsee Yarlagadda <va...@cloudera.com>
Authored: Mon May 22 11:29:47 2017 -0700
Committer: Vamsee Yarlagadda <va...@cloudera.com>
Committed: Mon May 22 12:51:48 2017 -0700

----------------------------------------------------------------------
 .../transport/SentryTransportFactory.java       |  8 ++-
 .../hdfs/TestSentryHDFSServiceClientForUgi.java | 70 +++++++++++++++++++
 .../TestSentryGenericServiceClientForUgi.java   | 68 +++++++++++++++++++
 .../TestSentryPolicyServiceClientForUgi.java    | 71 ++++++++++++++++++++
 4 files changed, 214 insertions(+), 3 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/sentry/blob/77b43f11/sentry-core/sentry-core-common/src/main/java/org/apache/sentry/core/common/transport/SentryTransportFactory.java
----------------------------------------------------------------------
diff --git a/sentry-core/sentry-core-common/src/main/java/org/apache/sentry/core/common/transport/SentryTransportFactory.java b/sentry-core/sentry-core-common/src/main/java/org/apache/sentry/core/common/transport/SentryTransportFactory.java
index f609d33..74aced2 100644
--- a/sentry-core/sentry-core-common/src/main/java/org/apache/sentry/core/common/transport/SentryTransportFactory.java
+++ b/sentry-core/sentry-core-common/src/main/java/org/apache/sentry/core/common/transport/SentryTransportFactory.java
@@ -74,8 +74,6 @@ public class SentryTransportFactory {
       super(mechanism, null, protocol, serverName, SASL_PROPERTIES, null,
         transport);
       if (wrapUgi) {
-        //Re-initializing UserGroupInformation, if needed
-        UserGroupInformationInitializer.initialize(conf);
         ugi = UserGroupInformation.getLoginUser();
       }
     }
@@ -130,7 +128,11 @@ public class SentryTransportFactory {
     try {
       this.connectionTimeout = transportConfig.getServerRpcConnTimeoutInMs(conf);
       this.connectionFullRetryTotal = transportConfig.getSentryFullRetryTotal(conf);
-
+      if(transportConfig.isKerberosEnabled(conf) &&
+        transportConfig.useUserGroupInformation(conf)) {
+          // Re-initializing UserGroupInformation, if needed
+          UserGroupInformationInitializer.initialize(conf);
+      }
       String hostsAndPortsStr = transportConfig.getSentryServerRpcAddress(conf);
 
       int serverPort = transportConfig.getServerRpcPort(conf);
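Review bot: The added `UserGroupInformationInitializer.initialize(conf)` call changes static `UserGroupInformation` state as a side effect of building the factory, and the comment `// Re-initializing UserGroupInformation, if needed` does not say what is re-initialized or when it is needed. The tests in this commit set `HADOOP_SECURITY_AUTHENTICATION` to "simple" and then expect `UserGroupInformation.isSecurityEnabled()` to be true, so the initializer appears to override the caller's Hadoop authentication setting for the whole JVM. That is worth stating in the comment, e.g. `// UGI state is static: this switches the whole process to Kerberos authentication when conf says otherwise`. The initializer's body and the catch for this `try` are outside the hunk, so confirm that a failure here is reported rather than swallowed. Minor: `if(` lacks the space used elsewhere and the body is indented one level too deep.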

http://git-wip-us.apache.org/repos/asf/sentry/blob/77b43f11/sentry-hdfs/sentry-hdfs-service/src/test/java/org/apache/sentry/hdfs/TestSentryHDFSServiceClientForUgi.java
----------------------------------------------------------------------
diff --git a/sentry-hdfs/sentry-hdfs-service/src/test/java/org/apache/sentry/hdfs/TestSentryHDFSServiceClientForUgi.java b/sentry-hdfs/sentry-hdfs-service/src/test/java/org/apache/sentry/hdfs/TestSentryHDFSServiceClientForUgi.java
new file mode 100644
index 0000000..09d417e
--- /dev/null
+++ b/sentry-hdfs/sentry-hdfs-service/src/test/java/org/apache/sentry/hdfs/TestSentryHDFSServiceClientForUgi.java
@@ -0,0 +1,70 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ * <p>
+ * http://www.apache.org/licenses/LICENSE-2.0
+ * <p>
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.sentry.hdfs;
+
+import org.apache.hadoop.security.UserGroupInformation;
+import org.apache.sentry.provider.db.generic.service.thrift.SentryGenericServiceIntegrationBase;
+import org.apache.sentry.service.thrift.ServiceConstants.ServerConfig;
+import org.junit.BeforeClass;
+import org.junit.Test;
+
+import static org.apache.hadoop.fs.CommonConfigurationKeysPublic.HADOOP_SECURITY_AUTHENTICATION;
+
+public class TestSentryHDFSServiceClientForUgi extends SentryHdfsServiceIntegrationBase {
+
+  @BeforeClass
+  public static void setup() throws Exception {
+    kerberos = true;
+    beforeSetup();
+    setupConf();
+    startSentryService();
+    afterSetup();
+  }
+
+  public static void setupConf() throws Exception {
+    // If kerberos is enabled, SentryTransportFactory should make sure that
+    // HADOOP_SECURITY_AUTHENTICATION is appropriately configured.
+    SentryGenericServiceIntegrationBase.setupConf();
+    conf.set(ServerConfig.SECURITY_MODE, ServerConfig.SECURITY_MODE_KERBEROS);
+    conf.set(ServerConfig.SECURITY_USE_UGI_TRANSPORT, "true");
+    conf.set(HADOOP_SECURITY_AUTHENTICATION, "simple");
+    UserGroupInformation.setConfiguration(conf);
+  }
+
+  /**
+   * Test UserGroupInformationInitializer
+   * <p>
+   * Ensures that SentryTransportFactory is making sure that HADOOP_SECURITY_AUTHENTICATION
+   * is appropriately configured and UserGroupInformation is initialized accordingly
+   * by validating the static information in UserGroupInformation Class
+   *
+   * @throws Exception
+   */
+
+  @Test
+  public void testUserGroupInformationInitializer() throws Exception {
+    kerberos = false;
+    runTestAsSubject(new TestOperation() {
+      @Override
+      public void runTestAsSubject() throws Exception {
+        assert UserGroupInformation.isSecurityEnabled();
+      }
+    });
+  }
+}
\ No newline at end of file
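Review bot: `assert UserGroupInformation.isSecurityEnabled();` in `testUserGroupInformationInitializer` is the Java `assert` statement, which is skipped when the JVM runs without `-ea`, so the test can pass without checking anything. It is the only check in this class that the client ends up with security enabled, so use a JUnit assertion instead: `Assert.assertTrue(UserGroupInformation.isSecurityEnabled());` with `import org.junit.Assert;`. The same line appears in TestSentryGenericServiceClientForUgi and TestSentryPolicyServiceClientForUgi.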

http://git-wip-us.apache.org/repos/asf/sentry/blob/77b43f11/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/generic/service/thrift/TestSentryGenericServiceClientForUgi.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/generic/service/thrift/TestSentryGenericServiceClientForUgi.java b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/generic/service/thrift/TestSentryGenericServiceClientForUgi.java
new file mode 100644
index 0000000..3f84ae4
--- /dev/null
+++ b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/generic/service/thrift/TestSentryGenericServiceClientForUgi.java
@@ -0,0 +1,68 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ * <p>
+ * http://www.apache.org/licenses/LICENSE-2.0
+ * <p>
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.sentry.provider.db.generic.service.thrift;
+
+import org.apache.hadoop.security.UserGroupInformation;
+import org.apache.sentry.service.thrift.ServiceConstants.ServerConfig;
+import org.junit.BeforeClass;
+import org.junit.Test;
+
+import static org.apache.hadoop.fs.CommonConfigurationKeysPublic.HADOOP_SECURITY_AUTHENTICATION;
+
+public class TestSentryGenericServiceClientForUgi extends SentryGenericServiceIntegrationBase {
+
+  @BeforeClass
+  public static void setup() throws Exception {
+    kerberos = true;
+    beforeSetup();
+    setupConf();
+    startSentryService();
+    afterSetup();
+  }
+
+  public static void setupConf() throws Exception {
+    // If kerberos is enabled, SentryTransportFactory should make sure that
+    // HADOOP_SECURITY_AUTHENTICATION is appropriately configured.
+    SentryGenericServiceIntegrationBase.setupConf();
+    conf.set(ServerConfig.SECURITY_MODE, ServerConfig.SECURITY_MODE_KERBEROS);
+    conf.set(ServerConfig.SECURITY_USE_UGI_TRANSPORT, "true");
+    conf.set(HADOOP_SECURITY_AUTHENTICATION, "simple");
+    UserGroupInformation.setConfiguration(conf);
+  }
+
+  /**
+   * Test UserGroupInformationInitializer
+   * <p>
+   * Ensures that SentryTransportFactory is making sure that HADOOP_SECURITY_AUTHENTICATION
+   * is appropriately configured and UserGroupInformation is initialized accordingly
+   * by validating the static information in UserGroupInformation Class
+   *
+   * @throws Exception
+   */
+  @Test
+  public void testUserGroupInformationInitializer() throws Exception {
+    kerberos = false;
+    runTestAsSubject(new TestOperation() {
+      @Override
+      public void runTestAsSubject() throws Exception {
+        assert UserGroupInformation.isSecurityEnabled();
+      }
+    });
+  }
+}
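Review bot: `setupConf()` calls `UserGroupInformation.setConfiguration(conf)` and the test method sets the static `kerberos = false`, and nothing in this class restores either afterwards. Both are static, so test classes that run later in the same JVM may inherit this class's security configuration and flag value, unless the base class resets them (not visible in this diff). Consider an `@AfterClass` method that puts `kerberos` back and re-applies a default configuration through `UserGroupInformation.setConfiguration`. Also add a comment on `kerberos = false;` saying why the flag is flipped after a Kerberos setup. The HDFS and policy test classes in this commit have the same pattern.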

http://git-wip-us.apache.org/repos/asf/sentry/blob/77b43f11/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryPolicyServiceClientForUgi.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryPolicyServiceClientForUgi.java b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryPolicyServiceClientForUgi.java
new file mode 100644
index 0000000..ef94598
--- /dev/null
+++ b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryPolicyServiceClientForUgi.java
@@ -0,0 +1,71 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ * <p>
+ * http://www.apache.org/licenses/LICENSE-2.0
+ * <p>
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.sentry.provider.db.service.thrift;
+
+import org.apache.hadoop.security.UserGroupInformation;
+import org.apache.sentry.provider.db.generic.service.thrift.SentryGenericServiceIntegrationBase;
+import org.apache.sentry.service.thrift.SentryServiceIntegrationBase;
+import org.apache.sentry.service.thrift.ServiceConstants.ServerConfig;
+import org.junit.BeforeClass;
+import org.junit.Test;
+
+import static org.apache.hadoop.fs.CommonConfigurationKeysPublic.HADOOP_SECURITY_AUTHENTICATION;
+
+public class TestSentryPolicyServiceClientForUgi extends SentryServiceIntegrationBase {
+
+  @BeforeClass
+  public static void setup() throws Exception {
+    kerberos = true;
+    beforeSetup();
+    setupConf();
+    startSentryService();
+    afterSetup();
+  }
+
+  public static void setupConf() throws Exception {
+    // If kerberos is enabled, SentryTransportFactory should make sure that
+    // HADOOP_SECURITY_AUTHENTICATION is appropriately configured.
+    SentryGenericServiceIntegrationBase.setupConf();
+    conf.set(ServerConfig.SECURITY_MODE, ServerConfig.SECURITY_MODE_KERBEROS);
+    conf.set(ServerConfig.SECURITY_USE_UGI_TRANSPORT, "true");
+    conf.set(HADOOP_SECURITY_AUTHENTICATION, "simple");
+    UserGroupInformation.setConfiguration(conf);
+  }
+
+  /**
+   * Test UserGroupInformationInitializer
+   * <p>
+   * Ensures that SentryTransportFactory is making sure that HADOOP_SECURITY_AUTHENTICATION
+   * is appropriately configured and UserGroupInformation is initialized accordingly
+   * by validating the static information in UserGroupInformation Class
+   *
+   * @throws Exception
+   */
+
+  @Test
+  public void testUserGroupInformationInitializer() throws Exception {
+    kerberos = false;
+    runTestAsSubject(new TestOperation() {
+      @Override
+      public void runTestAsSubject() throws Exception {
+        assert UserGroupInformation.isSecurityEnabled();
+      }
+    });
+  }
+}
\ No newline at end of file
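Review bot: `setupConf()` calls `SentryGenericServiceIntegrationBase.setupConf()` although this class extends `SentryServiceIntegrationBase`, so the policy-service test depends on the generic-service test base only for that one static call. It looks like a leftover from copying the generic test. `SentryServiceIntegrationBase.setupConf();` would presumably do the same and let the extra import go, assuming the method is declared on that base class (not visible in this diff). TestSentryHDFSServiceClientForUgi makes the same call while extending `SentryHdfsServiceIntegrationBase`.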