Posted to commits@sentry.apache.org by pr...@apache.org on 2014/06/08 21:14:15 UTC

git commit: SENTRY-266: Implement _HOST substitution in principal (Jarek Jarcec Cecho via Prasad Mujumdar)

Repository: incubator-sentry
Updated Branches:
  refs/heads/master 546617be3 -> 23134c631


SENTRY-266: Implement _HOST substitution in principal (Jarek Jarcec Cecho via Prasad Mujumdar)


Project: http://git-wip-us.apache.org/repos/asf/incubator-sentry/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-sentry/commit/23134c63
Tree: http://git-wip-us.apache.org/repos/asf/incubator-sentry/tree/23134c63
Diff: http://git-wip-us.apache.org/repos/asf/incubator-sentry/diff/23134c63

Branch: refs/heads/master
Commit: 23134c6312035e6a7073d8e58d0332c1da60d913
Parents: 546617b
Author: Prasad Mujumdar <pr...@cloudera.com>
Authored: Sun Jun 8 12:13:51 2014 -0700
Committer: Prasad Mujumdar <pr...@cloudera.com>
Committed: Sun Jun 8 12:13:51 2014 -0700

----------------------------------------------------------------------
 .../thrift/SentryPolicyServiceClient.java       | 10 +++--
 .../sentry/service/thrift/SentryService.java    | 12 ++++-
 .../thrift/TestSentryServiceWithKerberos.java   | 47 ++++++++++++++++++++
 .../thrift/SentryServiceIntegrationBase.java    | 20 +++------
 4 files changed, 71 insertions(+), 18 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/23134c63/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyServiceClient.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyServiceClient.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyServiceClient.java
index aec490c..c41f8b9 100644
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyServiceClient.java
+++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyServiceClient.java
@@ -29,6 +29,7 @@ import org.apache.hadoop.conf.Configuration;
 import org.apache.hadoop.net.NetUtils;
 import org.apache.hadoop.security.SaslRpcServer;
 import org.apache.hadoop.security.SaslRpcServer.AuthMethod;
+import org.apache.hadoop.security.SecurityUtil;
 import org.apache.sentry.SentryUserException;
 import org.apache.sentry.core.common.ActiveRoleSet;
 import org.apache.sentry.core.common.Authorizable;
@@ -78,9 +79,12 @@ public class SentryPolicyServiceClient {
     transport = new TSocket(serverAddress.getHostName(),
         serverAddress.getPort(), connectionTimeout);
     if (kerberos) {
-      String serverPrincipal = Preconditions.checkNotNull(
-          conf.get(ServerConfig.PRINCIPAL), ServerConfig.PRINCIPAL
-          + " is required");
+      String serverPrincipal = Preconditions.checkNotNull(conf.get(ServerConfig.PRINCIPAL), ServerConfig.PRINCIPAL + " is required");
+
+      // Resolve server host in the same way as we are doing on server side
+      serverPrincipal = SecurityUtil.getServerPrincipal(serverPrincipal, serverAddress.getAddress());
+      LOGGER.info("Using server kerberos principal: " + serverPrincipal);
+
       serverPrincipalParts = SaslRpcServer.splitKerberosName(serverPrincipal);
       Preconditions.checkArgument(serverPrincipalParts.length == 3,
            "Kerberos principal should have 3 parts: " + serverPrincipal);
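Review bot: The call to `SecurityUtil.getServerPrincipal(...)` on the new line 60 is unguarded, while the server-side change in this same commit wraps the identical call in a try/catch for IOException; unless the enclosing constructor (which starts outside this hunk) already declares `throws IOException`, this will not compile, and if it does declare it, the client now fails with an IOException when `serverAddress.getAddress()` is null (an unresolvable server host), which deserves a clearer message than Hadoop's. Worth stating in the comment on line 59 what the substitution actually depends on: as far as I know `getServerPrincipal` replaces `_HOST` with the canonical (reverse-DNS) name of the resolved server address, so the principal the client requests a ticket for is determined by the PTR record of the server IP, and a name that does not match the server keytab surfaces as an authentication failure rather than a configuration error. Suggested comment: `// _HOST is replaced with the canonical host name of the resolved server address (reverse DNS), so it must match the host in the server keytab`. Line 57 also collapses the previous three-line statement into one line well past the file's column limit; the original wrapping was fine.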

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/23134c63/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/SentryService.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/SentryService.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/SentryService.java
index 9e5c334..e4111fb 100644
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/SentryService.java
+++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/SentryService.java
@@ -46,6 +46,7 @@ import org.apache.hadoop.conf.Configuration;
 import org.apache.hadoop.net.NetUtils;
 import org.apache.hadoop.security.SaslRpcServer;
 import org.apache.hadoop.security.SaslRpcServer.AuthMethod;
+import org.apache.hadoop.security.SecurityUtil;
 import org.apache.sentry.Command;
 import org.apache.sentry.service.thrift.ServiceConstants.ConfUtilties;
 import org.apache.sentry.service.thrift.ServiceConstants.ServerConfig;
@@ -103,8 +104,15 @@ public class SentryService implements Callable {
     minThreads = conf.getInt(ServerConfig.RPC_MIN_THREADS,
         ServerConfig.RPC_MIN_THREADS_DEFAULT);
     if (kerberos) {
-      principal = Preconditions.checkNotNull(conf.get(ServerConfig.PRINCIPAL),
-          ServerConfig.PRINCIPAL + " is required");
+      // Use Hadoop libraries to translate the _HOST placeholder with actual hostname
+      try {
+        String rawPrincipal = Preconditions.checkNotNull(conf.get(ServerConfig.PRINCIPAL), ServerConfig.PRINCIPAL + " is required");
+        principal = SecurityUtil.getServerPrincipal(rawPrincipal, address.getAddress());
+      } catch(IOException io) {
+        throw new RuntimeException("Can't translate kerberos principal'", io);
+      }
+      LOGGER.info("Using kerberos principal: " + principal);
+
       principalParts = SaslRpcServer.splitKerberosName(principal);
       Preconditions.checkArgument(principalParts.length == 3,
           "Kerberos principal should have 3 parts: " + principal);
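Review bot: The error message on line 92 has a stray trailing apostrophe (`principal'`) and omits the configured principal, which is the one value an operator needs to see when `_HOST` substitution fails. Declaring `rawPrincipal` before the try block makes it available to the message: `throw new IllegalStateException("Can't translate kerberos principal " + rawPrincipal, io);` — an IllegalStateException also describes a bad configuration better than a bare RuntimeException. The substituted host comes from `address.getAddress()`, i.e. the bind address; if that is a wildcard or unresolved address the resulting name is presumably not the one operators put in the keytab, so the INFO log on line 94 is valuable and the comment on line 87 could say `// _HOST becomes the canonical host name of the bind address; it must match the principal in the keytab`. Minor: `catch(IOException io)` should be `catch (IOException io)` to match the surrounding style.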

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/23134c63/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryServiceWithKerberos.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryServiceWithKerberos.java b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryServiceWithKerberos.java
new file mode 100644
index 0000000..3209ccf
--- /dev/null
+++ b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryServiceWithKerberos.java
@@ -0,0 +1,47 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.sentry.provider.db.service.thrift;
+
+import org.apache.sentry.service.thrift.SentryServiceIntegrationBase;
+
+import org.junit.Test;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+/**
+ * Test various kerberos related stuff on the SentryService side
+ */
+public class TestSentryServiceWithKerberos extends SentryServiceIntegrationBase {
+
+  private static final Logger LOGGER = LoggerFactory.getLogger(TestSentryServiceFailureCase.class);
+
+  public String getServerKerberosName() {
+    return "sentry/_HOST@" + REALM;
+  }
+
+  /**
+   * Test that we are correctly substituting "_HOST" if/when needed.
+   *
+   * @throws Exception
+   */
+  @Test
+  public void testHostSubstitution() throws Exception {
+    // We just need to ensure that we are able to correct connect to the server
+    connectToSentryService();
+  }
+}
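Review bot: The logger on line 138 is created for `TestSentryServiceFailureCase.class` instead of `TestSentryServiceWithKerberos.class`, so any output from this test would be attributed to the wrong class; it also appears unused in this file, so it can either be corrected or dropped. `getServerKerberosName()` on line 140 overrides the hook added to `SentryServiceIntegrationBase` in this commit and should carry `@Override` so a future rename in the base class is caught by the compiler. The comment on line 151 reads "able to correct connect"; `// A successful connection proves the client and server substituted _HOST to the same principal` says why a bare connect is the assertion. A companion check that the substituted principal equals `SERVER_KERBEROS_NAME` would pin the behaviour more directly than connection success alone.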

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/23134c63/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/service/thrift/SentryServiceIntegrationBase.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/service/thrift/SentryServiceIntegrationBase.java b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/service/thrift/SentryServiceIntegrationBase.java
index b3bd1ef..66d6eef 100644
--- a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/service/thrift/SentryServiceIntegrationBase.java
+++ b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/service/thrift/SentryServiceIntegrationBase.java
@@ -32,6 +32,7 @@ import org.apache.commons.io.FileUtils;
 import org.apache.hadoop.conf.Configuration;
 import org.apache.hadoop.minikdc.KerberosSecurityTestcase;
 import org.apache.hadoop.minikdc.MiniKdc;
+import org.apache.hadoop.net.NetUtils;
 import org.apache.sentry.provider.db.service.thrift.SentryPolicyServiceClient;
 import org.apache.sentry.provider.file.PolicyFile;
 import org.apache.sentry.service.thrift.ServiceConstants.ClientConfig;
@@ -55,18 +56,7 @@ public abstract class SentryServiceIntegrationBase extends KerberosSecurityTestc
     }
   }
 
-  protected static final String SERVER_HOST;
-  static {
-    String serverHost;
-    try {
-      // Dynamically find name of local interface
-      serverHost = java.net.InetAddress.getLocalHost().getHostName().toLowerCase();
-    } catch (UnknownHostException e) {
-      LOGGER.error("Can't get localhost proper hostname, missing /etc/hosts configuration? Using 'localhost'.", e);
-      serverHost = "localhost"; // default value is simply localhost
-    }
-    SERVER_HOST = serverHost;
-  }
+  protected static final String SERVER_HOST = NetUtils.createSocketAddr("localhost:80").getAddress().getCanonicalHostName();
   protected static final String REALM = "EXAMPLE.COM";
   protected static final String SERVER_PRINCIPAL = "sentry/" + SERVER_HOST;
   protected static final String SERVER_KERBEROS_NAME = "sentry/" + SERVER_HOST + "@" + REALM;
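Review bot: The one-liner on line 186 loses the fallback and the diagnostic the removed block provided: if `localhost` does not resolve, `NetUtils.createSocketAddr` returns (as far as I recall) an unresolved address whose `getAddress()` is null, and the NPE in a static initializer surfaces as an opaque ExceptionInInitializerError instead of the previous "missing /etc/hosts configuration?" log line. The choice of port 80 is also unexplained; a comment such as `// Port is irrelevant: we only need the canonical host name of the local address, resolved the same way SecurityUtil does for _HOST` would tell the reader both facts. Note for anyone debugging a failure here: the keytab principal is built from this `SERVER_HOST` while the server substitutes `_HOST` from its own bind address, so the test implicitly relies on both paths producing the same canonical name.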
@@ -118,7 +108,7 @@ public abstract class SentryServiceIntegrationBase extends KerberosSecurityTestc
       clientKeytab = new File(kdcWorkDir, "client.keytab");
       kdc.createPrincipal(serverKeytab, SERVER_PRINCIPAL);
       kdc.createPrincipal(clientKeytab, CLIENT_PRINCIPAL);
-      conf.set(ServerConfig.PRINCIPAL, SERVER_KERBEROS_NAME);
+      conf.set(ServerConfig.PRINCIPAL, getServerKerberosName());
       conf.set(ServerConfig.KEY_TAB, serverKeytab.getPath());
       conf.set(ServerConfig.ALLOW_CONNECT, CLIENT_KERBEROS_NAME);
     } else {
@@ -188,6 +178,10 @@ public abstract class SentryServiceIntegrationBase extends KerberosSecurityTestc
     afterTeardown();
   }
 
+  public String getServerKerberosName() {
+    return SERVER_KERBEROS_NAME;
+  }
+
   public void beforeSetup() throws Exception {
 
   }
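Review bot: `getServerKerberosName()` on lines 203–205 is a public extension point that subclasses override to change the principal written into the server configuration (the `TestSentryServiceWithKerberos` class in this commit does exactly that), but it carries no Javadoc. Suggested: `/** Kerberos service principal written to {@code ServerConfig.PRINCIPAL}; override to exercise {@code _HOST} substitution. Called from setup before the server starts. */`. Since it is invoked from the setup code changed on line 195, the contract that overriding implementations must not depend on per-test instance state initialised later is worth stating there too.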