You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@sentry.apache.org by Prasad Mujumdar <pr...@cloudera.com> on 2014/06/10 23:27:10 UTC
Review Request 22443: SENTRY-289 Kerberos based connection from HS2 and
Metastore to Sentry service fails
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/22443/
-----------------------------------------------------------
Review request for sentry.
Bugs: SENTRY-289
https://issues.apache.org/jira/browse/SENTRY-289
Repository: sentry
Description
-------
The Sentry client started by HS2 or metastore needs to wrapp the transport open as privileged action of the current UGI. This allows the SASL negotiation to access the kerberos ticket for authentication.
Diffs
-----
sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingHook.java 812f310
sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyServiceClient.java c41f8b9
sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/KerberosConfiguration.java 203858e
sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/ServiceConstants.java 4a2b900
Diff: https://reviews.apache.org/r/22443/diff/
Testing
-------
Manually tested the secure connection from HS2.
Thanks,
Prasad Mujumdar
Re: Review Request 22443: SENTRY-289 Kerberos based connection from HS2 and
Metastore to Sentry service fails
Posted by Sravya Tirukkovalur <sr...@cloudera.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/22443/#review45325
-----------------------------------------------------------
Prasad, I actually tested it on a real deployment and I hit this:
'org/apache/sentry/provider/db/service/thrift/SentryPolicyServiceClient$UgiTransport' (current frame, stack[1]) is not assignable to 'sentry/org/apache/thrift/transport/TTransport'
- Sravya Tirukkovalur
On June 10, 2014, 10:17 p.m., Prasad Mujumdar wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/22443/
> -----------------------------------------------------------
>
> (Updated June 10, 2014, 10:17 p.m.)
>
>
> Review request for sentry.
>
>
> Bugs: SENTRY-289
> https://issues.apache.org/jira/browse/SENTRY-289
>
>
> Repository: sentry
>
>
> Description
> -------
>
> The Sentry client started by HS2 or metastore needs to wrapp the transport open as privileged action of the current UGI. This allows the SASL negotiation to access the kerberos ticket for authentication.
>
>
> Diffs
> -----
>
> sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingHook.java 812f310
> sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyServiceClient.java c41f8b9
> sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/KerberosConfiguration.java 203858e
> sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/ServiceConstants.java 4a2b900
> sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/service/thrift/SentryServiceIntegrationBase.java 61bdfed
>
> Diff: https://reviews.apache.org/r/22443/diff/
>
>
> Testing
> -------
>
> Manually tested the secure connection from HS2.
>
>
> Thanks,
>
> Prasad Mujumdar
>
>
Re: Review Request 22443: SENTRY-289 Kerberos based connection from HS2 and
Metastore to Sentry service fails
Posted by Sravya Tirukkovalur <sr...@cloudera.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/22443/#review45335
-----------------------------------------------------------
Ship it!
Ship It!
- Sravya Tirukkovalur
On June 11, 2014, 4:18 a.m., Prasad Mujumdar wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/22443/
> -----------------------------------------------------------
>
> (Updated June 11, 2014, 4:18 a.m.)
>
>
> Review request for sentry.
>
>
> Bugs: SENTRY-289
> https://issues.apache.org/jira/browse/SENTRY-289
>
>
> Repository: sentry
>
>
> Description
> -------
>
> The Sentry client started by HS2 or metastore needs to wrapp the transport open as privileged action of the current UGI. This allows the SASL negotiation to access the kerberos ticket for authentication.
>
>
> Diffs
> -----
>
> sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingHook.java 812f310
> sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyServiceClient.java c41f8b9
> sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/KerberosConfiguration.java 203858e
> sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/ServiceConstants.java 4a2b900
> sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/service/thrift/SentryServiceIntegrationBase.java 61bdfed
>
> Diff: https://reviews.apache.org/r/22443/diff/
>
>
> Testing
> -------
>
> Manually tested the secure connection from HS2.
>
>
> Thanks,
>
> Prasad Mujumdar
>
>
Re: Review Request 22443: SENTRY-289 Kerberos based connection from HS2 and
Metastore to Sentry service fails
Posted by Jarek Cecho <ja...@apache.org>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/22443/#review45333
-----------------------------------------------------------
Ship it!
Ship It!
- Jarek Cecho
On June 11, 2014, 4:18 a.m., Prasad Mujumdar wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/22443/
> -----------------------------------------------------------
>
> (Updated June 11, 2014, 4:18 a.m.)
>
>
> Review request for sentry.
>
>
> Bugs: SENTRY-289
> https://issues.apache.org/jira/browse/SENTRY-289
>
>
> Repository: sentry
>
>
> Description
> -------
>
> The Sentry client started by HS2 or metastore needs to wrapp the transport open as privileged action of the current UGI. This allows the SASL negotiation to access the kerberos ticket for authentication.
>
>
> Diffs
> -----
>
> sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingHook.java 812f310
> sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyServiceClient.java c41f8b9
> sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/KerberosConfiguration.java 203858e
> sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/ServiceConstants.java 4a2b900
> sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/service/thrift/SentryServiceIntegrationBase.java 61bdfed
>
> Diff: https://reviews.apache.org/r/22443/diff/
>
>
> Testing
> -------
>
> Manually tested the secure connection from HS2.
>
>
> Thanks,
>
> Prasad Mujumdar
>
>
Re: Review Request 22443: SENTRY-289 Kerberos based connection from HS2 and
Metastore to Sentry service fails
Posted by Prasad Mujumdar <pr...@cloudera.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/22443/
-----------------------------------------------------------
(Updated June 11, 2014, 4:18 a.m.)
Review request for sentry.
Changes
-------
refactored the patch to get rid of the FilterTransport from Hive. Tested on secure cluster.
Bugs: SENTRY-289
https://issues.apache.org/jira/browse/SENTRY-289
Repository: sentry
Description
-------
The Sentry client started by HS2 or metastore needs to wrapp the transport open as privileged action of the current UGI. This allows the SASL negotiation to access the kerberos ticket for authentication.
Diffs (updated)
-----
sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingHook.java 812f310
sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyServiceClient.java c41f8b9
sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/KerberosConfiguration.java 203858e
sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/ServiceConstants.java 4a2b900
sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/service/thrift/SentryServiceIntegrationBase.java 61bdfed
Diff: https://reviews.apache.org/r/22443/diff/
Testing
-------
Manually tested the secure connection from HS2.
Thanks,
Prasad Mujumdar
Re: Review Request 22443: SENTRY-289 Kerberos based connection from HS2 and
Metastore to Sentry service fails
Posted by Sravya Tirukkovalur <sr...@cloudera.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/22443/#review45319
-----------------------------------------------------------
Ship it!
Looks good to me.
- Sravya Tirukkovalur
On June 10, 2014, 10:17 p.m., Prasad Mujumdar wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/22443/
> -----------------------------------------------------------
>
> (Updated June 10, 2014, 10:17 p.m.)
>
>
> Review request for sentry.
>
>
> Bugs: SENTRY-289
> https://issues.apache.org/jira/browse/SENTRY-289
>
>
> Repository: sentry
>
>
> Description
> -------
>
> The Sentry client started by HS2 or metastore needs to wrapp the transport open as privileged action of the current UGI. This allows the SASL negotiation to access the kerberos ticket for authentication.
>
>
> Diffs
> -----
>
> sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingHook.java 812f310
> sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyServiceClient.java c41f8b9
> sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/KerberosConfiguration.java 203858e
> sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/ServiceConstants.java 4a2b900
> sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/service/thrift/SentryServiceIntegrationBase.java 61bdfed
>
> Diff: https://reviews.apache.org/r/22443/diff/
>
>
> Testing
> -------
>
> Manually tested the secure connection from HS2.
>
>
> Thanks,
>
> Prasad Mujumdar
>
>
Re: Review Request 22443: SENTRY-289 Kerberos based connection from HS2 and
Metastore to Sentry service fails
Posted by Prasad Mujumdar <pr...@cloudera.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/22443/
-----------------------------------------------------------
(Updated June 10, 2014, 10:17 p.m.)
Review request for sentry.
Changes
-------
Updated TestSentryServiceIntegration test
Bugs: SENTRY-289
https://issues.apache.org/jira/browse/SENTRY-289
Repository: sentry
Description
-------
The Sentry client started by HS2 or metastore needs to wrapp the transport open as privileged action of the current UGI. This allows the SASL negotiation to access the kerberos ticket for authentication.
Diffs (updated)
-----
sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingHook.java 812f310
sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyServiceClient.java c41f8b9
sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/KerberosConfiguration.java 203858e
sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/ServiceConstants.java 4a2b900
sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/service/thrift/SentryServiceIntegrationBase.java 61bdfed
Diff: https://reviews.apache.org/r/22443/diff/
Testing
-------
Manually tested the secure connection from HS2.
Thanks,
Prasad Mujumdar