Posted to dev@sentry.apache.org by Prasad Mujumdar <pr...@cloudera.com> on 2014/06/10 23:27:10 UTC

Review Request 22443: SENTRY-289 Kerberos based connection from HS2 and Metastore to Sentry service fails

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/22443/
-----------------------------------------------------------

Review request for sentry.


Bugs: SENTRY-289
    https://issues.apache.org/jira/browse/SENTRY-289


Repository: sentry


Description
-------

The Sentry client started by HS2 or metastore needs to wrap the transport open as a privileged action of the current UGI. This allows the SASL negotiation to access the Kerberos ticket for authentication.


Diffs
-----

  sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingHook.java 812f310 
  sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyServiceClient.java c41f8b9 
  sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/KerberosConfiguration.java 203858e 
  sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/ServiceConstants.java 4a2b900 

Diff: https://reviews.apache.org/r/22443/diff/


Testing
-------

Manually tested the secure connection from HS2.


Thanks,

Prasad Mujumdar
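
The pattern the description refers to, as an added example that is not the patch under review or Sentry's own code: a SASL client transport whose open() runs inside doAs() of the login UGI, so the GSSAPI handshake can find the Kerberos credentials in that subject. The class name UgiWrappedSaslTransport and its constructor parameters are hypothetical; it assumes hadoop-common and libthrift on the classpath and a service that has already logged in from its keytab.

```java
import java.io.IOException;
import java.lang.reflect.UndeclaredThrowableException;
import java.security.PrivilegedExceptionAction;
import java.util.Map;
import javax.security.auth.callback.CallbackHandler;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.thrift.transport.TSaslClientTransport;
import org.apache.thrift.transport.TTransport;
import org.apache.thrift.transport.TTransportException;

// Hypothetical class: illustrates wrapping the transport open in a privileged action.
public class UgiWrappedSaslTransport extends TSaslClientTransport {
  private final UserGroupInformation ugi;

  public UgiWrappedSaslTransport(String protocol, String serverHost,
      Map<String, String> saslProps, CallbackHandler cbh, TTransport underlying)
      throws IOException, TTransportException {
    // "GSSAPI" selects Kerberos; a null authorization id means "the authenticated principal".
    super("GSSAPI", null, protocol, serverHost, saslProps, cbh, underlying);
    // Assumption: the hosting process (HS2 or metastore) logged in earlier, so this UGI holds the TGT.
    this.ugi = UserGroupInformation.getLoginUser();
  }

  @Override
  public void open() throws TTransportException {
    try {
      // Without doAs, the SASL negotiation runs with no Kerberos subject and cannot authenticate.
      ugi.doAs(new PrivilegedExceptionAction<Void>() {
        @Override
        public Void run() throws TTransportException {
          UgiWrappedSaslTransport.super.open();
          return null;
        }
      });
    } catch (UndeclaredThrowableException e) {
      // doAs wraps checked exceptions other than IOException/InterruptedException; unwrap ours.
      if (e.getCause() instanceof TTransportException) { throw (TTransportException) e.getCause(); }
      throw e;
    } catch (IOException e) {
      throw new TTransportException("SASL open failed for " + ugi.getUserName(), e);
    } catch (InterruptedException e) {
      Thread.currentThread().interrupt();
      throw new TTransportException("Interrupted during SASL open", e);
    }
  }
}
```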


Re: Review Request 22443: SENTRY-289 Kerberos based connection from HS2 and Metastore to Sentry service fails

Posted by Sravya Tirukkovalur <sr...@cloudera.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/22443/#review45325
-----------------------------------------------------------


Prasad, I actually tested it on a real deployment and I hit this:

'org/apache/sentry/provider/db/service/thrift/SentryPolicyServiceClient$UgiTransport' (current frame, stack[1]) is not assignable to 'sentry/org/apache/thrift/transport/TTransport'

- Sravya Tirukkovalur


On June 10, 2014, 10:17 p.m., Prasad Mujumdar wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/22443/
> -----------------------------------------------------------
> 
> (Updated June 10, 2014, 10:17 p.m.)
> 
> 
> Review request for sentry.
> 
> 
> Bugs: SENTRY-289
>     https://issues.apache.org/jira/browse/SENTRY-289
> 
> 
> Repository: sentry
> 
> 
> Description
> -------
> 
> The Sentry client started by HS2 or metastore needs to wrap the transport open as a privileged action of the current UGI. This allows the SASL negotiation to access the Kerberos ticket for authentication.
> 
> 
> Diffs
> -----
> 
>   sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingHook.java 812f310 
>   sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyServiceClient.java c41f8b9 
>   sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/KerberosConfiguration.java 203858e 
>   sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/ServiceConstants.java 4a2b900 
>   sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/service/thrift/SentryServiceIntegrationBase.java 61bdfed 
> 
> Diff: https://reviews.apache.org/r/22443/diff/
> 
> 
> Testing
> -------
> 
> Manually tested the secure connection from HS2.
> 
> 
> Thanks,
> 
> Prasad Mujumdar
> 
>


Re: Review Request 22443: SENTRY-289 Kerberos based connection from HS2 and Metastore to Sentry service fails

Posted by Sravya Tirukkovalur <sr...@cloudera.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/22443/#review45335
-----------------------------------------------------------

Ship it!


Ship It!

- Sravya Tirukkovalur


On June 11, 2014, 4:18 a.m., Prasad Mujumdar wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/22443/
> -----------------------------------------------------------
> 
> (Updated June 11, 2014, 4:18 a.m.)
> 
> 
> Review request for sentry.
> 
> 
> Bugs: SENTRY-289
>     https://issues.apache.org/jira/browse/SENTRY-289
> 
> 
> Repository: sentry
> 
> 
> Description
> -------
> 
> The Sentry client started by HS2 or metastore needs to wrap the transport open as a privileged action of the current UGI. This allows the SASL negotiation to access the Kerberos ticket for authentication.
> 
> 
> Diffs
> -----
> 
>   sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingHook.java 812f310 
>   sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyServiceClient.java c41f8b9 
>   sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/KerberosConfiguration.java 203858e 
>   sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/ServiceConstants.java 4a2b900 
>   sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/service/thrift/SentryServiceIntegrationBase.java 61bdfed 
> 
> Diff: https://reviews.apache.org/r/22443/diff/
> 
> 
> Testing
> -------
> 
> Manually tested the secure connection from HS2.
> 
> 
> Thanks,
> 
> Prasad Mujumdar
> 
>


Re: Review Request 22443: SENTRY-289 Kerberos based connection from HS2 and Metastore to Sentry service fails

Posted by Jarek Cecho <ja...@apache.org>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/22443/#review45333
-----------------------------------------------------------

Ship it!


Ship It!

- Jarek Cecho


On June 11, 2014, 4:18 a.m., Prasad Mujumdar wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/22443/
> -----------------------------------------------------------
> 
> (Updated June 11, 2014, 4:18 a.m.)
> 
> 
> Review request for sentry.
> 
> 
> Bugs: SENTRY-289
>     https://issues.apache.org/jira/browse/SENTRY-289
> 
> 
> Repository: sentry
> 
> 
> Description
> -------
> 
> The Sentry client started by HS2 or metastore needs to wrap the transport open as a privileged action of the current UGI. This allows the SASL negotiation to access the Kerberos ticket for authentication.
> 
> 
> Diffs
> -----
> 
>   sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingHook.java 812f310 
>   sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyServiceClient.java c41f8b9 
>   sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/KerberosConfiguration.java 203858e 
>   sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/ServiceConstants.java 4a2b900 
>   sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/service/thrift/SentryServiceIntegrationBase.java 61bdfed 
> 
> Diff: https://reviews.apache.org/r/22443/diff/
> 
> 
> Testing
> -------
> 
> Manually tested the secure connection from HS2.
> 
> 
> Thanks,
> 
> Prasad Mujumdar
> 
>


Re: Review Request 22443: SENTRY-289 Kerberos based connection from HS2 and Metastore to Sentry service fails

Posted by Prasad Mujumdar <pr...@cloudera.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/22443/
-----------------------------------------------------------

(Updated June 11, 2014, 4:18 a.m.)


Review request for sentry.


Changes
-------

Refactored the patch to get rid of the FilterTransport from Hive. Tested on a secure cluster.


Bugs: SENTRY-289
    https://issues.apache.org/jira/browse/SENTRY-289


Repository: sentry


Description
-------

The Sentry client started by HS2 or metastore needs to wrap the transport open as a privileged action of the current UGI. This allows the SASL negotiation to access the Kerberos ticket for authentication.


Diffs (updated)
-----

  sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingHook.java 812f310 
  sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyServiceClient.java c41f8b9 
  sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/KerberosConfiguration.java 203858e 
  sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/ServiceConstants.java 4a2b900 
  sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/service/thrift/SentryServiceIntegrationBase.java 61bdfed 

Diff: https://reviews.apache.org/r/22443/diff/


Testing
-------

Manually tested the secure connection from HS2.


Thanks,

Prasad Mujumdar


Re: Review Request 22443: SENTRY-289 Kerberos based connection from HS2 and Metastore to Sentry service fails

Posted by Sravya Tirukkovalur <sr...@cloudera.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/22443/#review45319
-----------------------------------------------------------

Ship it!


Looks good to me.

- Sravya Tirukkovalur


On June 10, 2014, 10:17 p.m., Prasad Mujumdar wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/22443/
> -----------------------------------------------------------
> 
> (Updated June 10, 2014, 10:17 p.m.)
> 
> 
> Review request for sentry.
> 
> 
> Bugs: SENTRY-289
>     https://issues.apache.org/jira/browse/SENTRY-289
> 
> 
> Repository: sentry
> 
> 
> Description
> -------
> 
> The Sentry client started by HS2 or metastore needs to wrap the transport open as a privileged action of the current UGI. This allows the SASL negotiation to access the Kerberos ticket for authentication.
> 
> 
> Diffs
> -----
> 
>   sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingHook.java 812f310 
>   sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyServiceClient.java c41f8b9 
>   sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/KerberosConfiguration.java 203858e 
>   sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/ServiceConstants.java 4a2b900 
>   sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/service/thrift/SentryServiceIntegrationBase.java 61bdfed 
> 
> Diff: https://reviews.apache.org/r/22443/diff/
> 
> 
> Testing
> -------
> 
> Manually tested the secure connection from HS2.
> 
> 
> Thanks,
> 
> Prasad Mujumdar
> 
>


Re: Review Request 22443: SENTRY-289 Kerberos based connection from HS2 and Metastore to Sentry service fails

Posted by Prasad Mujumdar <pr...@cloudera.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/22443/
-----------------------------------------------------------

(Updated June 10, 2014, 10:17 p.m.)


Review request for sentry.


Changes
-------

Updated TestSentryServiceIntegration test


Bugs: SENTRY-289
    https://issues.apache.org/jira/browse/SENTRY-289


Repository: sentry


Description
-------

The Sentry client started by HS2 or metastore needs to wrap the transport open as a privileged action of the current UGI. This allows the SASL negotiation to access the Kerberos ticket for authentication.


Diffs (updated)
-----

  sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingHook.java 812f310 
  sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyServiceClient.java c41f8b9 
  sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/KerberosConfiguration.java 203858e 
  sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/ServiceConstants.java 4a2b900 
  sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/service/thrift/SentryServiceIntegrationBase.java 61bdfed 

Diff: https://reviews.apache.org/r/22443/diff/


Testing
-------

Manually tested the secure connection from HS2.


Thanks,

Prasad Mujumdar