impala-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Bharath Vissapragada (Code Review)" <ger...@cloudera.org>
Subject [Impala-CR](cdh5-trunk) IMPALA-2660: Respect auth_to_local configs from hdfs configs
Date Tue, 10 May 2016 15:59:32 GMT
Hello Henry Robinson, Alex Behm,

I'd like you to reexamine a change.  Please visit

    http://gerrit.cloudera.org:8080/2800

to look at the new patch set (#12).

Change subject: IMPALA-2660: Respect auth_to_local configs from hdfs configs
......................................................................

IMPALA-2660: Respect auth_to_local configs from hdfs configs

This patch implements a new feature to read the auth_to_local
configs from hdfs configuration files, using the parameter
hadoop.security.auth_to_local. This is done by modifying the
User#getShortName() method to use its hdfs equivalent.

This patch includes an end to end authorization test using
sentry where we add specific auth_to_local setting for a certain
user and test if the sentry authorization passes for this user
after applying these rules. Given we don't have tests that run
on a kerberized min-cluster, this patch adds a hack to load this
configuration during even on non-kerberized 'test runs'.

However this feature is disabled by default to preserve the
existing behavior. To enable it,

1. Use kerberos as authentication mechanism (by setting --principal) and
2. Add "--load_auth_to_local_rules=true" to the cluster startup args

Change-Id: I76485b83c14ba26f6fce66e5f83e8014667829e0
---
M be/src/catalog/catalog.cc
M be/src/common/global-flags.cc
M be/src/service/frontend.cc
M fe/src/main/java/com/cloudera/impala/analysis/AnalysisContext.java
M fe/src/main/java/com/cloudera/impala/analysis/ShowGrantRoleStmt.java
M fe/src/main/java/com/cloudera/impala/analysis/ShowRolesStmt.java
M fe/src/main/java/com/cloudera/impala/authorization/AuthorizationChecker.java
M fe/src/main/java/com/cloudera/impala/authorization/User.java
M fe/src/main/java/com/cloudera/impala/service/BackendConfig.java
M fe/src/main/java/com/cloudera/impala/service/Frontend.java
M fe/src/main/java/com/cloudera/impala/service/JniCatalog.java
M fe/src/main/java/com/cloudera/impala/service/JniFrontend.java
M fe/src/main/java/com/cloudera/impala/util/RequestPoolService.java
M fe/src/test/java/com/cloudera/impala/analysis/AuditingTest.java
M fe/src/test/java/com/cloudera/impala/analysis/AuthorizationTest.java
M fe/src/test/java/com/cloudera/impala/util/TestRequestPoolService.java
M fe/src/test/resources/authz-policy.ini.template
M testdata/cluster/node_templates/common/etc/hadoop/conf/core-site.xml.tmpl
18 files changed, 278 insertions(+), 81 deletions(-)


  git pull ssh://gerrit.cloudera.org:29418/Impala refs/changes/00/2800/12
-- 
To view, visit http://gerrit.cloudera.org:8080/2800
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings

Gerrit-MessageType: newpatchset
Gerrit-Change-Id: I76485b83c14ba26f6fce66e5f83e8014667829e0
Gerrit-PatchSet: 12
Gerrit-Project: Impala
Gerrit-Branch: cdh5-trunk
Gerrit-Owner: Bharath Vissapragada <bharathv@cloudera.com>
Gerrit-Reviewer: Alex Behm <alex.behm@cloudera.com>
Gerrit-Reviewer: Bharath Vissapragada <bharathv@cloudera.com>
Gerrit-Reviewer: Henry Robinson <henry@cloudera.com>
Gerrit-Reviewer: Juan Yu <jyu@cloudera.com>
Gerrit-Reviewer: Sailesh Mukil <sailesh@cloudera.com>

Mime
View raw message