You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@sentry.apache.org by Prasad Mujumdar <pr...@cloudera.com> on 2014/09/11 00:55:35 UTC
Review Request 25520: SENTRY-428: Sentry service should periodically
renew the server kerberos ticket
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/25520/
-----------------------------------------------------------
Review request for sentry and Brock Noland.
Bugs: SENTRY-428
https://issues.apache.org/jira/browse/SENTRY-428
Repository: sentry
Description
-------
Sentry service should periodically renew the server kerberos ticket. The patch introduces a new thread to renew the ticket when less than 20% time left for the ticket to expire.
Diffs
-----
sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/SentryKerberosContext.java PRE-CREATION
sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/SentryService.java 33e51de
sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/SentryMiniKdcTestcase.java PRE-CREATION
sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestConnectionWithTicketTimeout.java PRE-CREATION
sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryServiceWithKerberos.java 3209ccf
sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/service/thrift/SentryServiceIntegrationBase.java 838e8d3
Diff: https://reviews.apache.org/r/25520/diff/
Testing
-------
Added a minikdc unit test to verify the timeout. The test is diabled by default as it needs to block for few mins to simulate the timeout (miniKDC doesn't allow setting default ticket life too low).
Manually verified in a secure cluster.
Thanks,
Prasad Mujumdar
Re: Review Request 25520: SENTRY-428: Sentry service should
periodically renew the server kerberos ticket
Posted by Brock Noland <br...@cloudera.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/25520/#review52981
-----------------------------------------------------------
LGTM! Nice work!! one command a few ws issues. Feel free to fix up on commit.
sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/SentryKerberosContext.java
<https://reviews.apache.org/r/25520/#comment92278>
this should be volatile
sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/SentryKerberosContext.java
<https://reviews.apache.org/r/25520/#comment92279>
ws
sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/SentryKerberosContext.java
<https://reviews.apache.org/r/25520/#comment92280>
ws
sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/SentryKerberosContext.java
<https://reviews.apache.org/r/25520/#comment92281>
ws
- Brock Noland
On Sept. 10, 2014, 10:55 p.m., Prasad Mujumdar wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/25520/
> -----------------------------------------------------------
>
> (Updated Sept. 10, 2014, 10:55 p.m.)
>
>
> Review request for sentry and Brock Noland.
>
>
> Bugs: SENTRY-428
> https://issues.apache.org/jira/browse/SENTRY-428
>
>
> Repository: sentry
>
>
> Description
> -------
>
> Sentry service should periodically renew the server kerberos ticket. The patch introduces a new thread to renew the ticket when less than 20% time left for the ticket to expire.
>
>
> Diffs
> -----
>
> sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/SentryKerberosContext.java PRE-CREATION
> sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/SentryService.java 33e51de
> sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/SentryMiniKdcTestcase.java PRE-CREATION
> sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestConnectionWithTicketTimeout.java PRE-CREATION
> sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryServiceWithKerberos.java 3209ccf
> sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/service/thrift/SentryServiceIntegrationBase.java 838e8d3
>
> Diff: https://reviews.apache.org/r/25520/diff/
>
>
> Testing
> -------
>
> Added a minikdc unit test to verify the timeout. The test is diabled by default as it needs to block for few mins to simulate the timeout (miniKDC doesn't allow setting default ticket life too low).
> Manually verified in a secure cluster.
>
>
> Thanks,
>
> Prasad Mujumdar
>
>