From: sravya@apache.org To: commits@sentry.apache.org Message-Id: <87b7df6482264c73847ca26f1442114c@git.apache.org> X-Mailer: ASF-Git Admin Mailer Subject: sentry git commit: SENTRY-1265: Sentry service should not require a TGT as it is not talking to other kerberos services as a client ( Sravya Tirukkovalur, Reviewed by: Lenni Kuff, Hao Hao) Date: Fri, 20 May 2016 21:25:10 +0000 (UTC) archived-at: Fri, 20 May 2016 21:25:13 -0000 Repository: sentry Updated Branches: refs/heads/master 6888f4a13 -> c29f19bda SENTRY-1265: Sentry service should not require a TGT as it is not talking to other kerberos services as a client ( Sravya Tirukkovalur, Reviewed by: Lenni Kuff, Hao Hao) Change-Id: Ia3e3bda0f7131da89d93a7729dc814aec0b8852d Project: http://git-wip-us.apache.org/repos/asf/sentry/repo Commit: http://git-wip-us.apache.org/repos/asf/sentry/commit/c29f19bd Tree: http://git-wip-us.apache.org/repos/asf/sentry/tree/c29f19bd Diff: http://git-wip-us.apache.org/repos/asf/sentry/diff/c29f19bd Branch: refs/heads/master Commit: c29f19bda26dfdffc5cc37862c12caddcc1c68ad Parents: 6888f4a Author: Sravya Tirukkovalur Authored: Fri May 20 14:24:14 2016 -0700 Committer: Sravya Tirukkovalur Committed: Fri May 20 14:24:14 2016 -0700 ---------------------------------------------------------------------- .../service/thrift/SentryKerberosContext.java | 15 ++++++-- .../sentry/service/thrift/SentryService.java | 3 +- .../sentry/service/thrift/ServiceConstants.java | 6 +++ .../SentryGenericServiceIntegrationBase.java | 4 +- .../TestAuditLogForSentryGenericService.java | 5 +-- .../generic/tools/TestSentryConfigToolSolr.java | 2 +- .../db/generic/tools/TestSentryShellKafka.java | 2 +- .../db/generic/tools/TestSentryShellSolr.java | 2 +- .../thrift/TestConnectionWithTicketTimeout.java | 8 +++- .../thrift/TestSentryServiceClientPool.java | 4 +- .../thrift/TestSentryServiceFailureCase.java | 6 +-- .../thrift/TestSentryWebServerWithKerberos.java | 5 ++- 
.../provider/db/tools/TestSentryShellHive.java | 2 +- .../thrift/SentryServiceIntegrationBase.java | 39 ++++++-------------- 14 files changed, 50 insertions(+), 53 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/sentry/blob/c29f19bd/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/SentryKerberosContext.java ---------------------------------------------------------------------- diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/SentryKerberosContext.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/SentryKerberosContext.java index 93481cb..f54f161 100644 --- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/SentryKerberosContext.java +++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/SentryKerberosContext.java @@ -40,7 +40,9 @@ public class SentryKerberosContext implements Runnable { private LoginContext loginContext; private Subject subject; private final javax.security.auth.login.Configuration kerberosConfig; + @Deprecated private Thread renewerThread; + @Deprecated private boolean shutDownRenewer = false; public SentryKerberosContext(String principal, String keyTab, boolean autoRenewTicket) @@ -54,7 +56,8 @@ public class SentryKerberosContext implements Runnable { } } - public void loginWithNewContext() throws LoginException { + private void loginWithNewContext() throws LoginException { + LOGGER.info("Logging in with new Context"); logoutSubject(); loginContext = new LoginContext("", subject, null, kerberosConfig); loginContext.login(); 
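Review bot: `@Deprecated` on the private fields `renewerThread` and `shutDownRenewer` has no effect, because deprecation warnings are only raised for uses outside the declaring class and nothing outside can reference a private member; the same applies to the private `getTGT()` and `getRefreshTime()` in the later hunks of this file. The annotation carries meaning only on the public `run()` and `startRenewerThread()`, and there it should come with a Javadoc line saying why, for example `@deprecated TGT renewal is not needed because the service only accepts Kerberos contexts; see SENTRY-1265`. For the private members a plain comment marking them as part of the legacy renewer is enough. The class body continues outside these hunks.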
@@ -80,6 +83,7 @@ public class SentryKerberosContext implements Runnable { * Get the Kerberos TGT * @return the user's TGT or null if none was found */ + @Deprecated private KerberosTicket getTGT() { Set tickets = subject.getPrivateCredentials(KerberosTicket.class); for(KerberosTicket ticket: tickets) { @@ -91,17 +95,21 @@ public class SentryKerberosContext implements Runnable { } return null; } - + + @Deprecated private long getRefreshTime(KerberosTicket tgt) { long start = tgt.getStartTime().getTime(); long end = tgt.getEndTime().getTime(); + LOGGER.debug("Ticket start time: " + start); + LOGGER.debug("Ticket End time: " + end); return start + (long) ((end - start) * TICKET_RENEW_WINDOW); } - + /*** * Ticket renewer thread * wait till 80% time interval left on the ticket and then renew it */ + @Deprecated @Override public void run() { try { @@ -133,6 +141,7 @@ public class SentryKerberosContext implements Runnable { } } + @Deprecated public void startRenewerThread() { renewerThread = new Thread(this); renewerThread.start(); http://git-wip-us.apache.org/repos/asf/sentry/blob/c29f19bd/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/SentryService.java ---------------------------------------------------------------------- diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/SentryService.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/SentryService.java index d8edf93..5783649 100644 --- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/SentryService.java +++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/SentryService.java 
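Review bot: The two added `LOGGER.debug` calls in `getRefreshTime` build their messages by string concatenation and print raw epoch milliseconds, which are hard to match against KDC logs when debugging ticket expiry. If `LOGGER` is an SLF4J logger (its declaration is outside the hunk), one parameterized call that logs the `Date` values reads better and skips the formatting when debug is off: `LOGGER.debug("Ticket start time: {}, end time: {}", tgt.getStartTime(), tgt.getEndTime());`.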
@@ -155,7 +155,8 @@ public class SentryService implements Callable { try { status = Status.STARTED; if (kerberos) { - kerberosContext = new SentryKerberosContext(principal, keytab, true); + Boolean autoRenewTicket = conf.getBoolean(ServerConfig.SENTRY_KERBEROS_TGT_AUTORENEW, ServerConfig.SENTRY_KERBEROS_TGT_AUTORENEW_DEFAULT); + kerberosContext = new SentryKerberosContext(principal, keytab, autoRenewTicket); Subject.doAs(kerberosContext.getSubject(), new PrivilegedExceptionAction() { @Override public Void run() throws Exception { http://git-wip-us.apache.org/repos/asf/sentry/blob/c29f19bd/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/ServiceConstants.java ---------------------------------------------------------------------- diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/ServiceConstants.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/ServiceConstants.java index 42eb1bb..32a4044 100644 --- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/ServiceConstants.java +++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/ServiceConstants.java 
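Review bot: `autoRenewTicket` is declared as a boxed `Boolean`, although `conf.getBoolean` returns a primitive and the `SentryKerberosContext` constructor takes `boolean`, so the value is boxed and unboxed for nothing; `boolean autoRenewTicket = conf.getBoolean(...)` is enough. The effective behaviour also changes from always-on renewal to a default of `false` for existing deployments, and nothing in this hunk records which value was picked. A startup line such as `LOGGER.info("Kerberos TGT auto-renew enabled: {}", autoRenewTicket);` would make the setting visible when diagnosing authentication failures on long-running servers (assuming an SLF4J logger is in scope here). The enclosing method starts and ends outside the hunk.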
@@ -183,6 +183,12 @@ public class ServiceConstants { // action factories for external components public static final String SENTRY_COMPONENT_ACTION_FACTORY_FORMAT = "sentry.%s.action.factory"; + + // Sentry is never a client to other Kerberos Services, it should not be required to renew the TGT + @Deprecated + public static final String SENTRY_KERBEROS_TGT_AUTORENEW = "sentry.service.kerberos.tgt.autorenew"; + @Deprecated + public static final Boolean SENTRY_KERBEROS_TGT_AUTORENEW_DEFAULT = false; } public static class ClientConfig { http://git-wip-us.apache.org/repos/asf/sentry/blob/c29f19bd/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/generic/service/thrift/SentryGenericServiceIntegrationBase.java ---------------------------------------------------------------------- diff --git a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/generic/service/thrift/SentryGenericServiceIntegrationBase.java b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/generic/service/thrift/SentryGenericServiceIntegrationBase.java index cec925b..94cade1 100644 --- a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/generic/service/thrift/SentryGenericServiceIntegrationBase.java +++ b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/generic/service/thrift/SentryGenericServiceIntegrationBase.java @@ -20,8 +20,6 @@ package org.apache.sentry.provider.db.generic.service.thrift; import java.security.PrivilegedExceptionAction; import java.util.Set; -import javax.security.auth.Subject; - import org.apache.sentry.service.thrift.SentryServiceIntegrationBase; import org.junit.After; import org.slf4j.Logger; 
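Review bot: The new key `sentry.service.kerberos.tgt.autorenew` is introduced already `@Deprecated` with only a one-line comment, so an operator reading this file cannot tell what setting it to true does or when it will go away. I would replace the comment with Javadoc on the constant stating that a true value makes `SentryService` pass `autoRenewTicket=true` to `SentryKerberosContext`, that the default is false, and that the key is kept only as a fallback, plus a `@deprecated` tag naming the removal plan. `SENTRY_KERBEROS_TGT_AUTORENEW_DEFAULT` should be a primitive: `public static final boolean SENTRY_KERBEROS_TGT_AUTORENEW_DEFAULT = false;`. The comment's claim that Sentry is never a Kerberos client is worth checking against the HA ZooKeeper client keytab setting (`SERVER_HA_ZOOKEEPER_CLIENT_KEYTAB`) that appears in this commit's test setup; whether that path uses this login context is not visible here.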
@@ -40,7 +38,7 @@ public class SentryGenericServiceIntegrationBase extends SentryServiceIntegratio // The client should already be logged in when running in solr // therefore we must manually login in the integration tests if (kerberos) { - this.client = Subject.doAs(clientSubject, new PrivilegedExceptionAction() { + this.client = clientUgi.doAs( new PrivilegedExceptionAction() { @Override public SentryGenericServiceClient run() throws Exception { return SentryGenericServiceClientFactory.create(conf); http://git-wip-us.apache.org/repos/asf/sentry/blob/c29f19bd/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/generic/service/thrift/TestAuditLogForSentryGenericService.java ---------------------------------------------------------------------- diff --git a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/generic/service/thrift/TestAuditLogForSentryGenericService.java b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/generic/service/thrift/TestAuditLogForSentryGenericService.java index c3adacf..6c7d22d 100644 --- a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/generic/service/thrift/TestAuditLogForSentryGenericService.java +++ b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/generic/service/thrift/TestAuditLogForSentryGenericService.java @@ -28,8 +28,6 @@ import java.util.HashMap; import java.util.Map; import java.util.Set; -import javax.security.auth.Subject; - import org.apache.log4j.Level; import org.apache.log4j.Logger; import org.apache.sentry.provider.db.log.appender.AuditLoggerTestAppender; 
@@ -91,8 +89,7 @@ public class TestAuditLogForSentryGenericService extends SentryServiceIntegratio @Override public void connectToSentryService() throws Exception { if (kerberos) { - this.client = Subject.doAs(clientSubject, - new PrivilegedExceptionAction() { + this.client = clientUgi.doAs(new PrivilegedExceptionAction() { @Override public SentryGenericServiceClient run() throws Exception { return SentryGenericServiceClientFactory.create(conf); http://git-wip-us.apache.org/repos/asf/sentry/blob/c29f19bd/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/generic/tools/TestSentryConfigToolSolr.java ---------------------------------------------------------------------- diff --git a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/generic/tools/TestSentryConfigToolSolr.java b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/generic/tools/TestSentryConfigToolSolr.java index df5e2e6..84543fb 100644 --- a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/generic/tools/TestSentryConfigToolSolr.java +++ b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/generic/tools/TestSentryConfigToolSolr.java @@ -61,7 +61,7 @@ public class TestSentryConfigToolSolr extends SentryGenericServiceIntegrationBas conf.writeXml(to); to.close(); } - requestorName = System.getProperty("user.name", ""); + requestorName = clientUgi.getShortUserName();//System.getProperty("user.name", ""); Set requestorUserGroupNames = Sets.newHashSet(ADMIN_GROUP); setLocalGroupMapping(requestorName, requestorUserGroupNames); // add ADMIN_USER for the after() in SentryServiceIntegrationBase http://git-wip-us.apache.org/repos/asf/sentry/blob/c29f19bd/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/generic/tools/TestSentryShellKafka.java ---------------------------------------------------------------------- 
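Review bot: `clientUgi.getShortUserName()` will throw a NullPointerException when the suite runs without Kerberos, because `clientUgi` is assigned only inside the `if (kerberos)` branch of the `SentryServiceIntegrationBase` setup in this commit and is otherwise left at its static default; the same line is added in `TestSentryShellKafka`, `TestSentryShellSolr` and `TestSentryShellHive`. Whether these classes ever run with `kerberos` false is not visible in the hunks, so either guard the call, `requestorName = kerberos ? clientUgi.getShortUserName() : System.getProperty("user.name", "");`, or document the Kerberos-only assumption next to it. The trailing `//System.getProperty("user.name", "");` is commented-out code and should be dropped (the Kafka copy is already truncated to `//.getProperty(...)`).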
diff --git a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/generic/tools/TestSentryShellKafka.java b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/generic/tools/TestSentryShellKafka.java index a38d58b..f35cdb1 100644 --- a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/generic/tools/TestSentryShellKafka.java +++ b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/generic/tools/TestSentryShellKafka.java @@ -61,7 +61,7 @@ public class TestSentryShellKafka extends SentryGenericServiceIntegrationBase { conf.writeXml(to); to.close(); } - requestorName = System.getProperty("user.name", ""); + requestorName = clientUgi.getShortUserName();//.getProperty("user.name", ""); Set requestorUserGroupNames = Sets.newHashSet(ADMIN_GROUP); setLocalGroupMapping(requestorName, requestorUserGroupNames); // add ADMIN_USER for the after() in SentryServiceIntegrationBase http://git-wip-us.apache.org/repos/asf/sentry/blob/c29f19bd/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/generic/tools/TestSentryShellSolr.java ---------------------------------------------------------------------- diff --git a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/generic/tools/TestSentryShellSolr.java b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/generic/tools/TestSentryShellSolr.java index 8eab028..0c5c711 100644 --- a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/generic/tools/TestSentryShellSolr.java +++ b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/generic/tools/TestSentryShellSolr.java 
@@ -61,7 +61,7 @@ public class TestSentryShellSolr extends SentryGenericServiceIntegrationBase { conf.writeXml(to); to.close(); } - requestorName = System.getProperty("user.name", ""); + requestorName = clientUgi.getShortUserName();//System.getProperty("user.name", ""); Set requestorUserGroupNames = Sets.newHashSet(ADMIN_GROUP); setLocalGroupMapping(requestorName, requestorUserGroupNames); // add ADMIN_USER for the after() in SentryServiceIntegrationBase http://git-wip-us.apache.org/repos/asf/sentry/blob/c29f19bd/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestConnectionWithTicketTimeout.java ---------------------------------------------------------------------- diff --git a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestConnectionWithTicketTimeout.java b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestConnectionWithTicketTimeout.java index e204099..36fa4b5 100644 --- a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestConnectionWithTicketTimeout.java +++ b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestConnectionWithTicketTimeout.java @@ -19,11 +19,12 @@ package org.apache.sentry.provider.db.service.thrift; import org.apache.hadoop.minikdc.MiniKdc; +import org.apache.sentry.service.thrift.ServiceConstants; import org.junit.BeforeClass; import org.junit.Ignore; import org.junit.Test; -@Ignore("SENTRY-515: Not part of automated unit testing, as it takes too long") +@Ignore("SENTRY-515: Not part of automated unit testing, as it takes too long. Fails until we move to a hadoop 2.6.1. See HADOOP-10786") public class TestConnectionWithTicketTimeout extends org.apache.sentry.service.thrift.SentryServiceIntegrationBase { 
@@ -37,7 +38,10 @@ public class TestConnectionWithTicketTimeout extends } public static void beforeSetup() throws Exception { - kdcConfOverlay.setProperty(MiniKdc.MAX_TICKET_LIFETIME, "300001"); + kdcConfOverlay.setProperty(MiniKdc.MAX_TICKET_LIFETIME, "360001"); + //Only UGI based client connections renew their TGT, this is not a problem in the real world + // as this is not configurable and always true + conf.set(ServiceConstants.ServerConfig.SECURITY_USE_UGI_TRANSPORT, "true"); } /*** http://git-wip-us.apache.org/repos/asf/sentry/blob/c29f19bd/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryServiceClientPool.java ---------------------------------------------------------------------- diff --git a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryServiceClientPool.java b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryServiceClientPool.java index e5285bd..8dc5e34 100644 --- a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryServiceClientPool.java +++ b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryServiceClientPool.java @@ -30,8 +30,6 @@ import java.util.concurrent.Executors; import java.util.concurrent.Future; import java.util.concurrent.FutureTask; -import javax.security.auth.Subject; - import org.apache.sentry.SentryUserException; import org.apache.sentry.service.thrift.SentryServiceFactory; import org.apache.sentry.service.thrift.SentryServiceIntegrationBase; 
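Review bot: The ticket lifetime literal `"360001"` in `beforeSetup()` is changed without saying what unit it is in or why this value replaces `"300001"`, and the added comment is hard to parse. I would reword it along the lines of `// Only UGI-based client connections renew their TGT. Production clients always use the UGI transport (not configurable there), so force it on for this test.` and add a second comment stating the unit and the reason for the new lifetime. The `conf.set(... SECURITY_USE_UGI_TRANSPORT, "true")` line also looks redundant now that the base class setup in this commit sets the same key to `"true"` in its Kerberos branch; if the ordering of `beforeSetup()` relative to that code makes it necessary, the comment should say so.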
@@ -83,7 +81,7 @@ public class TestSentryServiceClientPool extends SentryServiceIntegrationBase { Callable func = new Callable() { public Boolean call() throws Exception { - return Subject.doAs(clientSubject, new PrivilegedExceptionAction() { + return clientUgi.doAs(new PrivilegedExceptionAction() { @Override public Boolean run() throws Exception { try { http://git-wip-us.apache.org/repos/asf/sentry/blob/c29f19bd/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryServiceFailureCase.java ---------------------------------------------------------------------- diff --git a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryServiceFailureCase.java b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryServiceFailureCase.java index a453ff3..51bba31 100644 --- a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryServiceFailureCase.java +++ b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryServiceFailureCase.java @@ -18,8 +18,6 @@ package org.apache.sentry.provider.db.service.thrift; -import java.security.PrivilegedActionException; - import org.apache.sentry.service.thrift.SentryServiceIntegrationBase; import org.apache.sentry.service.thrift.ServiceConstants.ServerConfig; import org.junit.After; 
@@ -61,9 +59,9 @@ public class TestSentryServiceFailureCase extends SentryServiceIntegrationBase { try { connectToSentryService(); Assert.fail("Failed to receive Exception"); - } catch(PrivilegedActionException e) { + } catch(Exception e) { LOGGER.info("Excepted exception", e); - Exception cause = e.getException(); + Throwable cause = e.getCause(); if (cause == null) { throw e; } http://git-wip-us.apache.org/repos/asf/sentry/blob/c29f19bd/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryWebServerWithKerberos.java ---------------------------------------------------------------------- diff --git a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryWebServerWithKerberos.java b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryWebServerWithKerberos.java index 90ce080..ece2ee8 100644 --- a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryWebServerWithKerberos.java +++ b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryWebServerWithKerberos.java 
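Review bot: Widening the handler to `catch(Exception e)` lets any exception that happens to carry a cause reach the cause checks below, so the test can now pass or fail for reasons unrelated to the failure it is meant to provoke. Since `connectToSentryService()` now goes through `clientUgi.doAs`, catching the exception types that call is expected to surface, or asserting the concrete class of `e` before unwrapping, keeps the test specific. `e.getCause()` returns only the direct cause, so the later assertions may need to walk the chain if the wrapping depth changed with the move to UGI; the rest of the catch block is outside the hunk.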
@@ -68,15 +68,16 @@ public class TestSentryWebServerWithKerberos extends SentryServiceIntegrationBas @Test public void testPing() throws Exception { - runTestAsSubject(new TestOperation(){ + clientUgi.doAs(new PrivilegedExceptionAction() { @Override - public void runTestAsSubject() throws Exception { + public Void run() throws Exception { final URL url = new URL("http://"+ SERVER_HOST + ":" + webServerPort + "/ping"); HttpURLConnection conn = new AuthenticatedURL(new KerberosAuthenticator()). openConnection(url, new AuthenticatedURL.Token()); Assert.assertEquals(HttpURLConnection.HTTP_OK, conn.getResponseCode()); String response = IOUtils.toString(conn.getInputStream()); Assert.assertEquals("pong\n", response); + return null; }} ); } http://git-wip-us.apache.org/repos/asf/sentry/blob/c29f19bd/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/tools/TestSentryShellHive.java ---------------------------------------------------------------------- diff --git a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/tools/TestSentryShellHive.java b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/tools/TestSentryShellHive.java index 21dfa0f..d8fea90 100644 --- a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/tools/TestSentryShellHive.java +++ b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/tools/TestSentryShellHive.java 
@@ -59,7 +59,7 @@ public class TestSentryShellHive extends SentryServiceIntegrationBase { conf.writeXml(to); to.close(); } - requestorName = System.getProperty("user.name", ""); + requestorName = clientUgi.getShortUserName(); Set requestorUserGroupNames = Sets.newHashSet(ADMIN_GROUP); setLocalGroupMapping(requestorName, requestorUserGroupNames); // add ADMIN_USER for the after() in SentryServiceIntegrationBase http://git-wip-us.apache.org/repos/asf/sentry/blob/c29f19bd/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/service/thrift/SentryServiceIntegrationBase.java ---------------------------------------------------------------------- diff --git a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/service/thrift/SentryServiceIntegrationBase.java b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/service/thrift/SentryServiceIntegrationBase.java index 14de0fa..cb2d9c9 100644 --- a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/service/thrift/SentryServiceIntegrationBase.java +++ b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/service/thrift/SentryServiceIntegrationBase.java @@ -19,14 +19,10 @@ package org.apache.sentry.service.thrift; import java.io.File; import java.security.PrivilegedExceptionAction; -import java.util.HashSet; import java.util.Properties; import java.util.Set; import java.util.concurrent.TimeoutException; -import javax.security.auth.Subject; -import javax.security.auth.kerberos.KerberosPrincipal; -import javax.security.auth.login.LoginContext; import com.google.common.io.Resources; import org.apache.commons.io.FileUtils; 
@@ -34,6 +30,7 @@ import org.apache.curator.test.TestingServer; import org.apache.hadoop.conf.Configuration; import org.apache.hadoop.minikdc.MiniKdc; import org.apache.hadoop.net.NetUtils; +import org.apache.hadoop.security.UserGroupInformation; import org.apache.sentry.provider.db.service.persistent.HAContext; import org.apache.sentry.provider.db.service.thrift.SentryMiniKdcTestcase; import org.apache.sentry.provider.db.service.thrift.SentryPolicyServiceClient; @@ -51,7 +48,6 @@ import org.slf4j.Logger; import org.slf4j.LoggerFactory; import com.google.common.base.Strings; -import com.google.common.collect.Sets; import com.google.common.io.Files; public abstract class SentryServiceIntegrationBase extends SentryMiniKdcTestcase { @@ -77,8 +73,7 @@ public abstract class SentryServiceIntegrationBase extends SentryMiniKdcTestcase protected static File serverKeytab; protected static File httpKeytab; protected static File clientKeytab; - protected static Subject clientSubject; - protected static LoginContext clientLoginContext; + protected static UserGroupInformation clientUgi; protected static boolean kerberos; protected final static Configuration conf = new Configuration(false); protected PolicyFile policyFile; 
@@ -146,14 +141,11 @@ public abstract class SentryServiceIntegrationBase extends SentryMiniKdcTestcase conf.set(ServerConfig.SERVER_HA_ZOOKEEPER_CLIENT_KEYTAB, serverKeytab.getPath()); - conf.set(ServerConfig.SECURITY_USE_UGI_TRANSPORT, "false"); - clientSubject = new Subject(false, Sets.newHashSet( - new KerberosPrincipal(CLIENT_KERBEROS_NAME)), new HashSet(), - new HashSet()); - clientLoginContext = new LoginContext("", clientSubject, null, - KerberosConfiguration.createClientConfig(CLIENT_KERBEROS_NAME, clientKeytab)); - clientLoginContext.login(); - clientSubject = clientLoginContext.getSubject(); + conf.set(ServerConfig.SECURITY_USE_UGI_TRANSPORT, "true"); + conf.set("hadoop.security.authentication", "kerberos"); + UserGroupInformation.setConfiguration(conf); + UserGroupInformation.loginUserFromKeytab(CLIENT_PRINCIPAL, clientKeytab.getPath()); + clientUgi = UserGroupInformation.getLoginUser(); } else { LOGGER.info("Stopped KDC"); conf.set(ServerConfig.SECURITY_MODE, ServerConfig.SECURITY_MODE_NONE); @@ -243,7 +235,7 @@ public abstract class SentryServiceIntegrationBase extends SentryMiniKdcTestcase public void connectToSentryService() throws Exception { if (kerberos) { - client = Subject.doAs(clientSubject, new PrivilegedExceptionAction() { + client = clientUgi.doAs(new PrivilegedExceptionAction() { @Override public SentryPolicyServiceClient run() throws Exception { return SentryServiceClientFactory.create(conf); @@ -258,13 +250,6 @@ public abstract class SentryServiceIntegrationBase extends SentryMiniKdcTestcase public static void tearDown() throws Exception { beforeTeardown(); - if(clientLoginContext != null) { - try { - clientLoginContext.logout(); - } catch (Exception e) { - LOGGER.warn("Error logging client out", e); - } - } if(server != null) { server.stop(); } 
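Review bot: The Kerberos branch of the setup now mutates process-wide state through `UserGroupInformation.setConfiguration(conf)` and `loginUserFromKeytab(...)`, while the tearDown hunk in this file removes the only logout and adds nothing in its place. If several test classes share a JVM, a later non-Kerberos class would presumably still see the Kerberos login user, and `hadoop.security.authentication=kerberos` stays in the shared static `conf` because the `else` branch does not clear that key. I would set `clientUgi = null` and restore the authentication setting in `tearDown()`, and clear the key in the non-Kerberos branch. The login also switches from `CLIENT_KERBEROS_NAME` to `CLIENT_PRINCIPAL`; both are defined outside the hunk, so confirm they name the principal that `clientKeytab` was created for.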
@@ -351,16 +336,16 @@ public abstract class SentryServiceIntegrationBase extends SentryMiniKdcTestcase } protected void runTestAsSubject(final TestOperation test) throws Exception { - if (kerberos) { - Subject.doAs(clientSubject, new PrivilegedExceptionAction() { + /*if (false) { + clientUgi.doAs(new PrivilegedExceptionAction() { @Override public Void run() throws Exception { test.runTestAsSubject(); return null; }}); } else { - test.runTestAsSubject(); - } + */ test.runTestAsSubject(); + //} } protected interface TestOperation {
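Review bot: `runTestAsSubject` is left with a commented-out `if (false)` block around a single live call, so the method no longer does what its name says and the reason is not recorded. Delete the dead block and state the new contract in a comment above `test.runTestAsSubject();`, for example `// The UGI keytab login done in setup applies to the whole process, so no doAs wrapper is needed here`, if that is indeed the reason. If that assumption does not hold for callers that run on other threads, the Kerberos branch should call `clientUgi.doAs(...)` as the other hunks in this commit do.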