Posted to dev@sentry.apache.org by Prasad Mujumdar <pr...@cloudera.com> on 2014/09/11 00:55:35 UTC

Review Request 25520: SENTRY-428: Sentry service should periodically renew the server kerberos ticket

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/25520/
-----------------------------------------------------------

Review request for sentry and Brock Noland.


Bugs: SENTRY-428
    https://issues.apache.org/jira/browse/SENTRY-428


Repository: sentry


Description
-------

Sentry service should periodically renew the server kerberos ticket. The patch introduces a new thread to renew the ticket when less than 20% of the time is left before the ticket expires.


Diffs
-----

  sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/SentryKerberosContext.java PRE-CREATION 
  sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/SentryService.java 33e51de 
  sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/SentryMiniKdcTestcase.java PRE-CREATION 
  sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestConnectionWithTicketTimeout.java PRE-CREATION 
  sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryServiceWithKerberos.java 3209ccf 
  sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/service/thrift/SentryServiceIntegrationBase.java 838e8d3 

Diff: https://reviews.apache.org/r/25520/diff/


Testing
-------

Added a minikdc unit test to verify the timeout. The test is disabled by default as it needs to block for a few mins to simulate the timeout (miniKDC doesn't allow setting default ticket life too low).
Manually verified in a secure cluster.


Thanks,

Prasad Mujumdar


Re: Review Request 25520: SENTRY-428: Sentry service should periodically renew the server kerberos ticket

Posted by Brock Noland <br...@cloudera.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/25520/#review52981
-----------------------------------------------------------


LGTM! Nice work!! One comment and a few ws issues. Feel free to fix up on commit.


sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/SentryKerberosContext.java
<https://reviews.apache.org/r/25520/#comment92278>

    this should be volatile



sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/SentryKerberosContext.java
<https://reviews.apache.org/r/25520/#comment92279>

    ws



sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/SentryKerberosContext.java
<https://reviews.apache.org/r/25520/#comment92280>

    ws



sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/SentryKerberosContext.java
<https://reviews.apache.org/r/25520/#comment92281>

    ws


- Brock Noland


On Sept. 10, 2014, 10:55 p.m., Prasad Mujumdar wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/25520/
> -----------------------------------------------------------
> 
> (Updated Sept. 10, 2014, 10:55 p.m.)
> 
> 
> Review request for sentry and Brock Noland.
> 
> 
> Bugs: SENTRY-428
>     https://issues.apache.org/jira/browse/SENTRY-428
> 
> 
> Repository: sentry
> 
> 
> Description
> -------
> 
> Sentry service should periodically renew the server kerberos ticket. The patch introduces a new thread to renew the ticket when less than 20% of the time is left before the ticket expires.
> 
> 
> Diffs
> -----
> 
>   sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/SentryKerberosContext.java PRE-CREATION 
>   sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/SentryService.java 33e51de 
>   sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/SentryMiniKdcTestcase.java PRE-CREATION 
>   sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestConnectionWithTicketTimeout.java PRE-CREATION 
>   sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryServiceWithKerberos.java 3209ccf 
>   sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/service/thrift/SentryServiceIntegrationBase.java 838e8d3 
> 
> Diff: https://reviews.apache.org/r/25520/diff/
> 
> 
> Testing
> -------
> 
> Added a minikdc unit test to verify the timeout. The test is disabled by default as it needs to block for a few mins to simulate the timeout (miniKDC doesn't allow setting default ticket life too low).
> Manually verified in a secure cluster.
> 
> 
> Thanks,
> 
> Prasad Mujumdar
> 
>
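
The renewal rule from the description (renew once less than 20% of the ticket lifetime is left) together with the review comment about `volatile`, as an added Java example that is not code from the SENTRY-428 patch. All names are hypothetical: the `Ticket` record and the `login` supplier stand in for a real Kerberos ticket and keytab login, and the example assumes the field the reviewer means is the state shared between the renewal thread and other threads (Java 16+ for `record`).

```java
import java.time.Duration;
import java.time.Instant;
import java.util.concurrent.*;
import java.util.function.Supplier;

// Added illustration: all names are hypothetical, not taken from the SENTRY-428 patch.
public class TicketRenewalExample {
    record Ticket(Instant start, Instant end) {}   // constructed stand-in for a Kerberos ticket

    static final double RENEW_AT = 0.80;   // renew when less than 20% of the lifetime is left
    static final long RETRY_MS = 500;      // assumed back-off after a failed renewal
    // Written by the renewal thread, read by other threads; volatile makes each
    // new ticket visible to readers without further locking.
    private volatile Ticket current;
    private final Supplier<Ticket> login;  // assumption: wraps a keytab login in a real service
    private final ScheduledExecutorService timer = Executors.newSingleThreadScheduledExecutor();

    TicketRenewalExample(Supplier<Ticket> login) {
        this.login = login;
        this.current = login.get();
        timer.schedule(this::renew, delayUntilRefresh(current), TimeUnit.MILLISECONDS);
    }

    Ticket ticket() { return current; }

    // Milliseconds from now until 80% of the ticket lifetime has elapsed (never negative).
    static long delayUntilRefresh(Ticket t) {
        long lifetime = Duration.between(t.start(), t.end()).toMillis();
        Instant refreshAt = t.start().plusMillis((long) (lifetime * RENEW_AT));
        return Math.max(0, Duration.between(Instant.now(), refreshAt).toMillis());
    }

    private void renew() {
        long next = RETRY_MS;              // on failure keep the old ticket and retry soon
        try {
            current = login.get();
            next = delayUntilRefresh(current);
        } catch (RuntimeException e) {
            System.err.println("ticket renewal failed, retrying: " + e);
        }
        timer.schedule(this::renew, next, TimeUnit.MILLISECONDS);
    }

    public static void main(String[] args) throws InterruptedException {
        // Constructed sample: every "login" returns a ticket that lives for 2 seconds.
        Supplier<Ticket> fakeLogin = () -> new Ticket(Instant.now(), Instant.now().plusSeconds(2));
        TicketRenewalExample ctx = new TicketRenewalExample(fakeLogin);
        for (int i = 0; i < 5; i++) {
            Thread.sleep(1000);
            System.out.println("ms until expiry: " + Duration.between(Instant.now(), ctx.ticket().end()).toMillis());
        }
        ctx.timer.shutdownNow();           // stop the renewal thread so the JVM can exit
    }
}
```

Run over five seconds, the printed time until expiry stays positive because each ticket is replaced at 1.6 seconds of its 2-second life; a failed renewal keeps the old ticket and retries instead of ending the renewal thread.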