impala-commits mailing list archives

From tarmstr...@apache.org
Subject [06/23] incubator-impala git commit: IMPALA-3554: Use kerberos principal in SentryProxy class
Date Wed, 01 Jun 2016 06:32:25 GMT
IMPALA-3554: Use kerberos principal in SentryProxy class

For kerberized clusters, users expect the Catalog service to use
the Kerberos principal instead of the operating system user that runs
the Catalog process. This patch fixes that.

Change-Id: I842e558e59023c7d937796a4cac51a013d948e02
Reviewed-on: http://gerrit.cloudera.org:8080/3165
Reviewed-by: Bharath Vissapragada <bharathv@cloudera.com>
Tested-by: Internal Jenkins


Project: http://git-wip-us.apache.org/repos/asf/incubator-impala/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-impala/commit/e26dc856
Tree: http://git-wip-us.apache.org/repos/asf/incubator-impala/tree/e26dc856
Diff: http://git-wip-us.apache.org/repos/asf/incubator-impala/diff/e26dc856

Branch: refs/heads/master
Commit: e26dc856847ec01fde9fc4bc77fbc0f7937a2a61
Parents: 0b7ae6e
Author: Bharath Vissapragada <bharathv@cloudera.com>
Authored: Fri May 20 22:44:12 2016 -0700
Committer: Tim Armstrong <tarmstrong@cloudera.com>
Committed: Tue May 31 23:32:10 2016 -0700

----------------------------------------------------------------------
 be/src/catalog/catalog.cc                             |  5 +++--
 .../impala/catalog/CatalogServiceCatalog.java         |  4 ++--
 .../java/com/cloudera/impala/service/JniCatalog.java  |  4 ++--
 .../java/com/cloudera/impala/util/SentryProxy.java    | 14 +++++++++++---
 .../impala/testutil/CatalogServiceTestCatalog.java    |  2 +-
 5 files changed, 19 insertions(+), 10 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/incubator-impala/blob/e26dc856/be/src/catalog/catalog.cc
----------------------------------------------------------------------
diff --git a/be/src/catalog/catalog.cc b/be/src/catalog/catalog.cc
index 26810f1..113cda4 100644
--- a/be/src/catalog/catalog.cc
+++ b/be/src/catalog/catalog.cc
@@ -41,7 +41,7 @@ DECLARE_int32(non_impala_java_vlog);
 
 Catalog::Catalog() {
   JniMethodDescriptor methods[] = {
-    {"<init>", "(ZILjava/lang/String;IIZ)V", &catalog_ctor_},
+    {"<init>", "(ZILjava/lang/String;IIZLjava/lang/String;)V", &catalog_ctor_},
     {"updateCatalog", "([B)[B", &update_metastore_id_},
     {"execDdl", "([B)[B", &exec_ddl_id_},
     {"resetMetadata", "([B)[B", &reset_metadata_id_},
@@ -70,10 +70,11 @@ Catalog::Catalog() {
   // auth_to_local rules are read if --load_auth_to_local_rules is set to true
   // and impala is kerberized.
   jboolean auth_to_local = FLAGS_load_auth_to_local_rules && !FLAGS_principal.empty();
+  jstring principal = jni_env->NewStringUTF(FLAGS_principal.c_str());
   jobject catalog = jni_env->NewObject(catalog_class_, catalog_ctor_,
       load_in_background, num_metadata_loading_threads, sentry_config,
       FlagToTLogLevel(FLAGS_v), FlagToTLogLevel(FLAGS_non_impala_java_vlog),
-      auth_to_local);
+      auth_to_local, principal);
   EXIT_IF_EXC(jni_env);
   ABORT_IF_ERROR(JniUtil::LocalToGlobalRef(jni_env, catalog, &catalog_));
 }
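Review bot: The `jstring` returned by `NewStringUTF` on the added line is handed to `NewObject` without a check, and the only `EXIT_IF_EXC(jni_env)` runs after the constructor call. If the string allocation fails, `NewStringUTF` returns NULL with an exception pending, and the constructor call is then made in that state; adding `EXIT_IF_EXC(jni_env);` directly after `jstring principal = jni_env->NewStringUTF(FLAGS_principal.c_str());` would report the failure at its source. When the flag is unset this passes an empty string rather than null, which the Java side appears to cover with its null-or-empty check in SentryProxy. The body of `Catalog::Catalog()` begins outside this hunk, so whether the new local reference is released by an enclosing local frame cannot be seen from here.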

http://git-wip-us.apache.org/repos/asf/incubator-impala/blob/e26dc856/fe/src/main/java/com/cloudera/impala/catalog/CatalogServiceCatalog.java
----------------------------------------------------------------------
diff --git a/fe/src/main/java/com/cloudera/impala/catalog/CatalogServiceCatalog.java b/fe/src/main/java/com/cloudera/impala/catalog/CatalogServiceCatalog.java
index 4ac7b81..a55b0d3 100644
--- a/fe/src/main/java/com/cloudera/impala/catalog/CatalogServiceCatalog.java
+++ b/fe/src/main/java/com/cloudera/impala/catalog/CatalogServiceCatalog.java
@@ -155,14 +155,14 @@ public class CatalogServiceCatalog extends Catalog {
    * will be loaded in the background
    */
   public CatalogServiceCatalog(boolean loadInBackground, int numLoadingThreads,
-      SentryConfig sentryConfig, TUniqueId catalogServiceId) {
+      SentryConfig sentryConfig, TUniqueId catalogServiceId, String kerberosPrincipal) {
     super(true);
     catalogServiceId_ = catalogServiceId;
     tableLoadingMgr_ = new TableLoadingMgr(this, numLoadingThreads);
     loadInBackground_ = loadInBackground;
     cachePoolReader_.scheduleAtFixedRate(new CachePoolReader(), 0, 1, TimeUnit.MINUTES);
     if (sentryConfig != null) {
-      sentryProxy_ = new SentryProxy(sentryConfig, this);
+      sentryProxy_ = new SentryProxy(sentryConfig, this, kerberosPrincipal);
     } else {
       sentryProxy_ = null;
     }
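Review bot: The constructor's Javadoc, whose last lines are visible at the top of this hunk, is not updated for the new `kerberosPrincipal` parameter. The value decides which identity the catalog presents to Sentry, so the contract belongs in that comment, for example `kerberosPrincipal is the Kerberos principal of the Catalog service; if null or empty, the OS user running the process is used for Sentry requests.` The fallback itself is implemented in `SentryProxy`, and `CatalogServiceTestCatalog` relies on it by passing `null`. The constructor body continues past the end of the hunk.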

http://git-wip-us.apache.org/repos/asf/incubator-impala/blob/e26dc856/fe/src/main/java/com/cloudera/impala/service/JniCatalog.java
----------------------------------------------------------------------
diff --git a/fe/src/main/java/com/cloudera/impala/service/JniCatalog.java b/fe/src/main/java/com/cloudera/impala/service/JniCatalog.java
index eb3ac92..4a4d529 100644
--- a/fe/src/main/java/com/cloudera/impala/service/JniCatalog.java
+++ b/fe/src/main/java/com/cloudera/impala/service/JniCatalog.java
@@ -77,7 +77,7 @@ public class JniCatalog {
 
   public JniCatalog(boolean loadInBackground, int numMetadataLoadingThreads,
       String sentryServiceConfig, int impalaLogLevel, int otherLogLevel,
-      boolean allowAuthToLocal) throws InternalException {
+      boolean allowAuthToLocal, String kerberosPrincipal) throws InternalException {
     BackendConfig.setAuthToLocal(allowAuthToLocal);
     Preconditions.checkArgument(numMetadataLoadingThreads > 0);
     // This trick saves having to pass a TLogLevel enum, which is an object and more
@@ -94,7 +94,7 @@ public class JniCatalog {
     LOG.info(JniUtil.getJavaVersion());
 
     catalog_ = new CatalogServiceCatalog(loadInBackground,
-        numMetadataLoadingThreads, sentryConfig, getServiceId());
+        numMetadataLoadingThreads, sentryConfig, getServiceId(), kerberosPrincipal);
     try {
       catalog_.reset();
     } catch (CatalogException e) {

http://git-wip-us.apache.org/repos/asf/incubator-impala/blob/e26dc856/fe/src/main/java/com/cloudera/impala/util/SentryProxy.java
----------------------------------------------------------------------
diff --git a/fe/src/main/java/com/cloudera/impala/util/SentryProxy.java b/fe/src/main/java/com/cloudera/impala/util/SentryProxy.java
index 9b0fdce..c7c7480 100644
--- a/fe/src/main/java/com/cloudera/impala/util/SentryProxy.java
+++ b/fe/src/main/java/com/cloudera/impala/util/SentryProxy.java
@@ -36,6 +36,7 @@ import com.cloudera.impala.common.ImpalaException;
 import com.cloudera.impala.common.ImpalaRuntimeException;
 import com.cloudera.impala.thrift.TPrivilege;
 import com.google.common.base.Preconditions;
+import com.google.common.base.Strings;
 import com.google.common.collect.Lists;
 import com.google.common.collect.Sets;
 
@@ -65,14 +66,21 @@ public class SentryProxy {
   // The interface to access the Sentry Policy Service to read policy metadata.
   private final SentryPolicyService sentryPolicyService_;
 
-  // This is user that the Catalog Service is running as. This user should always be a
+  // This is the user that the Catalog Service is running as. For kerberized clusters,
+  // this is set to the Kerberos principal of Catalog. This user should always be a
   // Sentry Service admin => have full rights to read/update the Sentry Service.
-  private final User processUser_ = new User(System.getProperty("user.name"));
+  private final User processUser_;
 
-  public SentryProxy(SentryConfig sentryConfig, CatalogServiceCatalog catalog) {
+  public SentryProxy(SentryConfig sentryConfig, CatalogServiceCatalog catalog,
+      String kerberosPrincipal) {
     Preconditions.checkNotNull(catalog);
     Preconditions.checkNotNull(sentryConfig);
     catalog_ = catalog;
+    if (Strings.isNullOrEmpty(kerberosPrincipal)) {
+      processUser_ = new User(System.getProperty("user.name"));
+    } else {
+      processUser_ = new User(kerberosPrincipal);
+    }
     sentryPolicyService_ = new SentryPolicyService(sentryConfig);
     // Sentry Service is enabled.
     // TODO: Make this configurable
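Review bot: The principal string becomes the Sentry admin identity verbatim in `processUser_ = new User(kerberosPrincipal);`, and `Strings.isNullOrEmpty` is the only check, so a whitespace-only flag value would be used as the user name instead of falling back to `user.name`. Whether Sentry receives the full principal or a mapped short name depends on how `processUser_` is consumed outside this hunk; that should be confirmed against the Sentry admin configuration, since the comment states this user must have full rights to read and update the Sentry Service. Nothing records which identity was selected, which makes a misconfigured principal hard to spot; I would log it once after the assignment, for example `LOG.info("Sentry requests are issued as user: " + processUser_.getName());`, assuming the class has a logger in scope. The constructor continues beyond the end of the hunk.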

http://git-wip-us.apache.org/repos/asf/incubator-impala/blob/e26dc856/fe/src/test/java/com/cloudera/impala/testutil/CatalogServiceTestCatalog.java
----------------------------------------------------------------------
diff --git a/fe/src/test/java/com/cloudera/impala/testutil/CatalogServiceTestCatalog.java
b/fe/src/test/java/com/cloudera/impala/testutil/CatalogServiceTestCatalog.java
index 35cb4bd..c115369 100644
--- a/fe/src/test/java/com/cloudera/impala/testutil/CatalogServiceTestCatalog.java
+++ b/fe/src/test/java/com/cloudera/impala/testutil/CatalogServiceTestCatalog.java
@@ -28,7 +28,7 @@ public class CatalogServiceTestCatalog extends CatalogServiceCatalog {
 
   public CatalogServiceTestCatalog(boolean loadInBackground, int numLoadingThreads,
       SentryConfig sentryConfig, TUniqueId catalogServiceId) {
-    super(loadInBackground, numLoadingThreads, sentryConfig, catalogServiceId);
+    super(loadInBackground, numLoadingThreads, sentryConfig, catalogServiceId, null);
 
     // Cache pools are typically loaded asynchronously, but as there is no fixed execution
     // order for tests, the cache pools are loaded synchronously before the tests are

