Posted to commits@sentry.apache.org by pr...@apache.org on 2014/06/08 21:14:15 UTC
git commit: SENTRY-266: Implement _HOST substitution in principal
(Jarek Jarcec Cecho via Prasad Mujumdar)
Repository: incubator-sentry
Updated Branches:
refs/heads/master 546617be3 -> 23134c631
SENTRY-266: Implement _HOST substitution in principal (Jarek Jarcec Cecho via Prasad Mujumdar)
Project: http://git-wip-us.apache.org/repos/asf/incubator-sentry/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-sentry/commit/23134c63
Tree: http://git-wip-us.apache.org/repos/asf/incubator-sentry/tree/23134c63
Diff: http://git-wip-us.apache.org/repos/asf/incubator-sentry/diff/23134c63
Branch: refs/heads/master
Commit: 23134c6312035e6a7073d8e58d0332c1da60d913
Parents: 546617b
Author: Prasad Mujumdar <pr...@cloudera.com>
Authored: Sun Jun 8 12:13:51 2014 -0700
Committer: Prasad Mujumdar <pr...@cloudera.com>
Committed: Sun Jun 8 12:13:51 2014 -0700
----------------------------------------------------------------------
.../thrift/SentryPolicyServiceClient.java | 10 +++--
.../sentry/service/thrift/SentryService.java | 12 ++++-
.../thrift/TestSentryServiceWithKerberos.java | 47 ++++++++++++++++++++
.../thrift/SentryServiceIntegrationBase.java | 20 +++------
4 files changed, 71 insertions(+), 18 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/23134c63/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyServiceClient.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyServiceClient.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyServiceClient.java
index aec490c..c41f8b9 100644
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyServiceClient.java
+++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyServiceClient.java
@@ -29,6 +29,7 @@ import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.net.NetUtils;
import org.apache.hadoop.security.SaslRpcServer;
import org.apache.hadoop.security.SaslRpcServer.AuthMethod;
+import org.apache.hadoop.security.SecurityUtil;
import org.apache.sentry.SentryUserException;
import org.apache.sentry.core.common.ActiveRoleSet;
import org.apache.sentry.core.common.Authorizable;
@@ -78,9 +79,12 @@ public class SentryPolicyServiceClient {
transport = new TSocket(serverAddress.getHostName(),
serverAddress.getPort(), connectionTimeout);
if (kerberos) {
- String serverPrincipal = Preconditions.checkNotNull(
- conf.get(ServerConfig.PRINCIPAL), ServerConfig.PRINCIPAL
- + " is required");
+ String serverPrincipal = Preconditions.checkNotNull(conf.get(ServerConfig.PRINCIPAL), ServerConfig.PRINCIPAL + " is required");
+
+ // Resolve server host in the same way as we are doing on server side
+ serverPrincipal = SecurityUtil.getServerPrincipal(serverPrincipal, serverAddress.getAddress());
+ LOGGER.info("Using server kerberos principal: " + serverPrincipal);
+
serverPrincipalParts = SaslRpcServer.splitKerberosName(serverPrincipal);
Preconditions.checkArgument(serverPrincipalParts.length == 3,
"Kerberos principal should have 3 parts: " + serverPrincipal);
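Review bot: The new `SecurityUtil.getServerPrincipal(serverPrincipal, serverAddress.getAddress())` call on the client side passes the result of `getAddress()` without checking it, and for an `InetSocketAddress` that could not be resolved that value is null; the Hadoop helper is expected to reject a null address with an IOException when `_HOST` is present, but nothing in this hunk handles or declares that, and the enclosing constructor starts outside the hunk so I cannot see whether it already throws IOException the way the server side explicitly catches it. The security-relevant property worth a comment is that the substituted host is whatever reverse DNS returns for the resolved address, so the service principal the client requests from the KDC is driven by DNS rather than by configuration; a mismatch between forward and reverse records yields a principal the server holds no key for and authentication fails closed. I would add above the call: `// _HOST is replaced with the reverse-DNS canonical name of the resolved server address; this must match what the server substitutes or SASL negotiation fails`.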
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/23134c63/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/SentryService.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/SentryService.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/SentryService.java
index 9e5c334..e4111fb 100644
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/SentryService.java
+++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/SentryService.java
@@ -46,6 +46,7 @@ import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.net.NetUtils;
import org.apache.hadoop.security.SaslRpcServer;
import org.apache.hadoop.security.SaslRpcServer.AuthMethod;
+import org.apache.hadoop.security.SecurityUtil;
import org.apache.sentry.Command;
import org.apache.sentry.service.thrift.ServiceConstants.ConfUtilties;
import org.apache.sentry.service.thrift.ServiceConstants.ServerConfig;
@@ -103,8 +104,15 @@ public class SentryService implements Callable {
minThreads = conf.getInt(ServerConfig.RPC_MIN_THREADS,
ServerConfig.RPC_MIN_THREADS_DEFAULT);
if (kerberos) {
- principal = Preconditions.checkNotNull(conf.get(ServerConfig.PRINCIPAL),
- ServerConfig.PRINCIPAL + " is required");
+ // Use Hadoop libraries to translate the _HOST placeholder with actual hostname
+ try {
+ String rawPrincipal = Preconditions.checkNotNull(conf.get(ServerConfig.PRINCIPAL), ServerConfig.PRINCIPAL + " is required");
+ principal = SecurityUtil.getServerPrincipal(rawPrincipal, address.getAddress());
+ } catch(IOException io) {
+ throw new RuntimeException("Can't translate kerberos principal'", io);
+ }
+ LOGGER.info("Using kerberos principal: " + principal);
+
principalParts = SaslRpcServer.splitKerberosName(principal);
Preconditions.checkArgument(principalParts.length == 3,
"Kerberos principal should have 3 parts: " + principal);
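Review bot: The exception message in the new catch block has a stray trailing apostrophe, `"Can't translate kerberos principal'"`; it should read `throw new RuntimeException("Can't translate kerberos principal", io);`. The substitution uses `address.getAddress()`, which for a server is the bind address; if that is configured as a wildcard address the substituted host depends on how the Hadoop helper treats it rather than on the host's real name, so a comment such as `// _HOST resolves to the canonical hostname of the bind address; the keytab must contain that exact principal` would spare the next operator a confusing login failure. The constructor this block lives in begins outside the hunk, so I cannot confirm `address` is already initialized at this point.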
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/23134c63/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryServiceWithKerberos.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryServiceWithKerberos.java b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryServiceWithKerberos.java
new file mode 100644
index 0000000..3209ccf
--- /dev/null
+++ b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryServiceWithKerberos.java
@@ -0,0 +1,47 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.sentry.provider.db.service.thrift;
+
+import org.apache.sentry.service.thrift.SentryServiceIntegrationBase;
+
+import org.junit.Test;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+/**
+ * Test various kerberos related stuff on the SentryService side
+ */
+public class TestSentryServiceWithKerberos extends SentryServiceIntegrationBase {
+
+ private static final Logger LOGGER = LoggerFactory.getLogger(TestSentryServiceFailureCase.class);
+
+ public String getServerKerberosName() {
+ return "sentry/_HOST@" + REALM;
+ }
+
+ /**
+ * Test that we are correctly substituting "_HOST" if/when needed.
+ *
+ * @throws Exception
+ */
+ @Test
+ public void testHostSubstitution() throws Exception {
+ // We just need to ensure that we are able to correct connect to the server
+ connectToSentryService();
+ }
+}
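Review bot: The logger in the new test class is created for the wrong class, `LoggerFactory.getLogger(TestSentryServiceFailureCase.class)`, and `LOGGER` is never used in this file; either change it to `LoggerFactory.getLogger(TestSentryServiceWithKerberos.class)` or drop the field. `getServerKerberosName()` overrides the base-class hook and should carry `@Override` so a signature drift in the base class is caught by the compiler. The test only asserts that `connectToSentryService()` does not throw, which is a reasonable end-to-end check since the SASL handshake can only succeed if the `_HOST` substitution on both sides produced the principal in the keytab; a one-line comment saying exactly that would make the intent of the otherwise empty-looking test clear.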
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/23134c63/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/service/thrift/SentryServiceIntegrationBase.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/service/thrift/SentryServiceIntegrationBase.java b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/service/thrift/SentryServiceIntegrationBase.java
index b3bd1ef..66d6eef 100644
--- a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/service/thrift/SentryServiceIntegrationBase.java
+++ b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/service/thrift/SentryServiceIntegrationBase.java
@@ -32,6 +32,7 @@ import org.apache.commons.io.FileUtils;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.minikdc.KerberosSecurityTestcase;
import org.apache.hadoop.minikdc.MiniKdc;
+import org.apache.hadoop.net.NetUtils;
import org.apache.sentry.provider.db.service.thrift.SentryPolicyServiceClient;
import org.apache.sentry.provider.file.PolicyFile;
import org.apache.sentry.service.thrift.ServiceConstants.ClientConfig;
@@ -55,18 +56,7 @@ public abstract class SentryServiceIntegrationBase extends KerberosSecurityTestc
}
}
- protected static final String SERVER_HOST;
- static {
- String serverHost;
- try {
- // Dynamically find name of local interface
- serverHost = java.net.InetAddress.getLocalHost().getHostName().toLowerCase();
- } catch (UnknownHostException e) {
- LOGGER.error("Can't get localhost proper hostname, missing /etc/hosts configuration? Using 'localhost'.", e);
- serverHost = "localhost"; // default value is simply localhost
- }
- SERVER_HOST = serverHost;
- }
+ protected static final String SERVER_HOST = NetUtils.createSocketAddr("localhost:80").getAddress().getCanonicalHostName();
protected static final String REALM = "EXAMPLE.COM";
protected static final String SERVER_PRINCIPAL = "sentry/" + SERVER_HOST;
protected static final String SERVER_KERBEROS_NAME = "sentry/" + SERVER_HOST + "@" + REALM;
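Review bot: The new one-line `SERVER_HOST` initializer has no failure path: if `createSocketAddr("localhost:80").getAddress()` returns null or the canonical-name lookup fails, the static initializer throws and every subclass fails with an ExceptionInInitializerError, whereas the removed code logged an error and fell back to `"localhost"`. That may be the intended behaviour, since a silently wrong host would just make the Kerberos tests fail later with a less useful message, but it deserves a comment stating why this particular expression is used: `// Must match the value SecurityUtil substitutes for _HOST on the server, i.e. the canonical reverse-DNS name of the loopback address`. The class continues past the end of the hunk.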
@@ -118,7 +108,7 @@ public abstract class SentryServiceIntegrationBase extends KerberosSecurityTestc
clientKeytab = new File(kdcWorkDir, "client.keytab");
kdc.createPrincipal(serverKeytab, SERVER_PRINCIPAL);
kdc.createPrincipal(clientKeytab, CLIENT_PRINCIPAL);
- conf.set(ServerConfig.PRINCIPAL, SERVER_KERBEROS_NAME);
+ conf.set(ServerConfig.PRINCIPAL, getServerKerberosName());
conf.set(ServerConfig.KEY_TAB, serverKeytab.getPath());
conf.set(ServerConfig.ALLOW_CONNECT, CLIENT_KERBEROS_NAME);
} else {
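Review bot: `conf.set(ServerConfig.PRINCIPAL, getServerKerberosName())` now calls an overridable method during setup, which is fine for an abstract test base but means the contract of that hook is the only thing keeping the keytab principal and the configured principal in agreement. The hook should be documented where it is declared, along the lines of `/** Principal written to ServerConfig.PRINCIPAL; may contain _HOST, which the server resolves to SERVER_HOST. Override to test substitution. */`, and the subclass override should be annotated `@Override`. Note that `kdc.createPrincipal(serverKeytab, SERVER_PRINCIPAL)` two lines above still uses the concrete host, so an override returning a host other than `SERVER_HOST` would produce a principal with no key in the keytab.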
@@ -188,6 +178,10 @@ public abstract class SentryServiceIntegrationBase extends KerberosSecurityTestc
afterTeardown();
}
+ public String getServerKerberosName() {
+ return SERVER_KERBEROS_NAME;
+ }
+
public void beforeSetup() throws Exception {
}