You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@sentry.apache.org by br...@apache.org on 2013/12/05 17:25:38 UTC

git commit: SENTRY-68 - Give sentry-solr-binding the ability to authenticate via kerberos (Gregory Chanan via Brock Noland)

Updated Branches:
  refs/heads/master b00ccf587 -> f9adb0b26


SENTRY-68 - Give sentry-solr-binding the ability to authenticate via kerberos (Gregory Chanan via Brock Noland)


Project: http://git-wip-us.apache.org/repos/asf/incubator-sentry/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-sentry/commit/f9adb0b2
Tree: http://git-wip-us.apache.org/repos/asf/incubator-sentry/tree/f9adb0b2
Diff: http://git-wip-us.apache.org/repos/asf/incubator-sentry/diff/f9adb0b2

Branch: refs/heads/master
Commit: f9adb0b26b497de3eb16264ec3b22950c1308d5c
Parents: b00ccf5
Author: Brock Noland <br...@apache.org>
Authored: Thu Dec 5 10:25:06 2013 -0600
Committer: Brock Noland <br...@apache.org>
Committed: Thu Dec 5 10:25:06 2013 -0600

----------------------------------------------------------------------
 .../binding/solr/authz/SolrAuthzBinding.java    | 44 ++++++++++++++++++++
 1 file changed, 44 insertions(+)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/f9adb0b2/sentry-binding/sentry-binding-solr/src/main/java/org/apache/sentry/binding/solr/authz/SolrAuthzBinding.java
----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-solr/src/main/java/org/apache/sentry/binding/solr/authz/SolrAuthzBinding.java b/sentry-binding/sentry-binding-solr/src/main/java/org/apache/sentry/binding/solr/authz/SolrAuthzBinding.java
index 5c2d7bc..995f376 100644
--- a/sentry-binding/sentry-binding-solr/src/main/java/org/apache/sentry/binding/solr/authz/SolrAuthzBinding.java
+++ b/sentry-binding/sentry-binding-solr/src/main/java/org/apache/sentry/binding/solr/authz/SolrAuthzBinding.java
@@ -24,6 +24,7 @@ import java.util.Set;
 
 import org.apache.hadoop.conf.Configuration;
 import org.apache.hadoop.fs.Path;
+import org.apache.hadoop.security.UserGroupInformation;
 import org.apache.sentry.core.common.Subject;
 import org.apache.sentry.core.model.search.Collection;
 import org.apache.sentry.core.model.search.SearchModelAction;
@@ -36,11 +37,20 @@ import org.apache.sentry.provider.common.ProviderBackend;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
+import com.google.common.base.Strings;
+
 public class SolrAuthzBinding {
   private static final Logger LOG = LoggerFactory
       .getLogger(SolrAuthzBinding.class);
   private static final String[] HADOOP_CONF_FILES = {"core-site.xml",
     "hdfs-site.xml", "mapred-site.xml", "yarn-site.xml", "hadoop-site.xml"};
+  public static final String KERBEROS_ENABLED = "solr.hdfs.security.kerberos.enabled";
+  public static final String KERBEROS_KEYTAB = "solr.hdfs.security.kerberos.keytabfile";
+  public static final String KERBEROS_PRINCIPAL = "solr.hdfs.security.kerberos.principal";
+  private static final String kerberosEnabledProp = Strings.nullToEmpty(System.getProperty(KERBEROS_ENABLED)).trim();
+  private static final String keytabProp = Strings.nullToEmpty(System.getProperty(KERBEROS_KEYTAB)).trim();
+  private static final String principalProp = Strings.nullToEmpty(System.getProperty(KERBEROS_PRINCIPAL)).trim();
+  private static Boolean kerberosInit;
 
   private final SolrAuthzConf authzConf;
   private final AuthorizationProvider authProvider;
@@ -68,6 +78,10 @@ public class SolrAuthzBinding {
     Constructor<?> providerBackendConstructor =
       Class.forName(providerBackendName).getDeclaredConstructor(Configuration.class, String.class);
     providerBackendConstructor.setAccessible(true);
+
+    if (kerberosEnabledProp.equalsIgnoreCase("true")) {
+      initKerberos(keytabProp, principalProp);
+    }
     Configuration conf = getConf();
     ProviderBackend providerBackend =
       (ProviderBackend) providerBackendConstructor.newInstance(new Object[] {conf, resourceName});
@@ -130,4 +144,34 @@ public class SolrAuthzBinding {
     }
     return conf;
   }
+
+  /**
+   * Initialize kerberos via UserGroupInformation.  Will only attempt to login
+   * during the first request, subsequent calls will have no effect.
+   */
+  public static void initKerberos(String keytabFile, String principal) {
+    if (keytabFile == null || keytabFile.length() == 0) {
+      throw new IllegalArgumentException("keytabFile required because kerberos is enabled");
+    }
+    if (principal == null || principal.length() == 0) {
+      throw new IllegalArgumentException("principal required because kerberos is enabled");
+    }
+    synchronized (SolrAuthzBinding.class) {
+      if (kerberosInit == null) {
+        kerberosInit = new Boolean(true);
+        Configuration conf = new Configuration();
+        conf.set("hadoop.security.authentication", "kerberos");
+        UserGroupInformation.setConfiguration(conf);
+        LOG.info(
+            "Attempting to acquire kerberos ticket with keytab: {}, principal: {} ",
+            keytabFile, principal);
+        try {
+          UserGroupInformation.loginUserFromKeytab(principal, keytabFile);
+        } catch (IOException ioe) {
+          throw new RuntimeException(ioe);
+        }
+        LOG.info("Got Kerberos ticket");
+      }
+    }
+  }
 }