sentry-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From vam...@apache.org
Subject [30/52] [abbrv] sentry git commit: SENTRY-1766 Generic model clients using kerberos can no longer connect to Sentry server
Date Wed, 14 Jun 2017 00:57:08 GMT
SENTRY-1766 Generic model clients using kerberos can no longer connect to Sentry server

CDH-53688

Change-Id: I71f033cb86edeae375835d8dbbd48a514f2622ca
Reviewed-on: http://gerrit.sjc.cloudera.com:8080/22705
Reviewed-by: Vamsee Yarlagadda <vamsee@cloudera.com>
Reviewed-by: Na Li <lina.li@cloudera.com>
Tested-by: Jenkins User


Project: http://git-wip-us.apache.org/repos/asf/sentry/repo
Commit: http://git-wip-us.apache.org/repos/asf/sentry/commit/106e736c
Tree: http://git-wip-us.apache.org/repos/asf/sentry/tree/106e736c
Diff: http://git-wip-us.apache.org/repos/asf/sentry/diff/106e736c

Branch: refs/for/cdh5-1.5.1_ha
Commit: 106e736c9837111b51a652a58624fa14782f0064
Parents: 2038160
Author: Kalyan Kumar Kalvagadda <kkalyan@cloudera.com>
Authored: Thu May 18 22:35:26 2017 -0500
Committer: Kalyan Kumar Kalvagadda <kkalyan@cloudera.com>
Committed: Thu May 18 22:00:47 2017 -0700

----------------------------------------------------------------------
 .../transport/SentryTransportFactory.java       |  5 +-
 .../UserGroupInformationInitializer.java        | 52 ++++++++++++++++++++
 .../SentryGenericServiceClientDefaultImpl.java  |  8 +--
 3 files changed, 55 insertions(+), 10 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/sentry/blob/106e736c/sentry-core/sentry-core-common/src/main/java/org/apache/sentry/core/common/transport/SentryTransportFactory.java
----------------------------------------------------------------------
diff --git a/sentry-core/sentry-core-common/src/main/java/org/apache/sentry/core/common/transport/SentryTransportFactory.java
b/sentry-core/sentry-core-common/src/main/java/org/apache/sentry/core/common/transport/SentryTransportFactory.java
index 9b9f9e8..f609d33 100644
--- a/sentry-core/sentry-core-common/src/main/java/org/apache/sentry/core/common/transport/SentryTransportFactory.java
+++ b/sentry-core/sentry-core-common/src/main/java/org/apache/sentry/core/common/transport/SentryTransportFactory.java
@@ -74,9 +74,8 @@ public class SentryTransportFactory {
       super(mechanism, null, protocol, serverName, SASL_PROPERTIES, null,
         transport);
       if (wrapUgi) {
-        // If we don't set the configuration, the UGI will be created based on
-        // what's on the classpath, which may lack the kerberos changes we require
-        UserGroupInformation.setConfiguration(conf);
+        //Re-initializing UserGroupInformation, if needed
+        UserGroupInformationInitializer.initialize(conf);
         ugi = UserGroupInformation.getLoginUser();
       }
     }

http://git-wip-us.apache.org/repos/asf/sentry/blob/106e736c/sentry-core/sentry-core-common/src/main/java/org/apache/sentry/core/common/transport/UserGroupInformationInitializer.java
----------------------------------------------------------------------
diff --git a/sentry-core/sentry-core-common/src/main/java/org/apache/sentry/core/common/transport/UserGroupInformationInitializer.java
b/sentry-core/sentry-core-common/src/main/java/org/apache/sentry/core/common/transport/UserGroupInformationInitializer.java
new file mode 100644
index 0000000..19ba12c
--- /dev/null
+++ b/sentry-core/sentry-core-common/src/main/java/org/apache/sentry/core/common/transport/UserGroupInformationInitializer.java
@@ -0,0 +1,52 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ * <p>
+ * http://www.apache.org/licenses/LICENSE-2.0
+ * <p>
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.sentry.core.common.transport;
+
+import org.apache.hadoop.conf.Configuration;
+import org.apache.hadoop.security.UserGroupInformation;
+
+import static org.apache.hadoop.fs.CommonConfigurationKeysPublic.HADOOP_SECURITY_AUTHENTICATION;
+
+/**
+ * Wrapper to initialize UserGroupInformation
+ */
+
+public class UserGroupInformationInitializer {
+
+  // initialize() method could be called my multiple threads.
+  // to attain visibility guarantee on isInitialized, it is declared volatile.
+  private static volatile boolean isInitialized = false;
+
+  // initialization block may be executed multiple times. This is fine as setConfiguration
is
+  // thread-safe
+  public static void initialize(Configuration conf) {
+    if(!isInitialized) {
+      Configuration newConf = new Configuration(conf);
+      // When kerberos is enabled,  UserGroupInformation should have been initialized with
+      // HADOOP_SECURITY_AUTHENTICATION property. There are instances where this is not done.
+      // Example: Solr and Kafka while using sentry generic clients were not updating this
+      // property. Instead of depending on the callers to update this configuration and to
be
+      // sure that UserGroupInformation is properly initialized, sentry client is explicitly
+      // doing it,
+      newConf.set(HADOOP_SECURITY_AUTHENTICATION, SentryClientTransportConstants.KERBEROS_MODE);
+      UserGroupInformation.setConfiguration(newConf);
+      isInitialized = true;
+    }
+  }
+}
\ No newline at end of file

http://git-wip-us.apache.org/repos/asf/sentry/blob/106e736c/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/service/thrift/SentryGenericServiceClientDefaultImpl.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/service/thrift/SentryGenericServiceClientDefaultImpl.java
b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/service/thrift/SentryGenericServiceClientDefaultImpl.java
index 7bef81f..f430064 100644
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/service/thrift/SentryGenericServiceClientDefaultImpl.java
+++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/service/thrift/SentryGenericServiceClientDefaultImpl.java
@@ -60,14 +60,8 @@ public class SentryGenericServiceClientDefaultImpl implements SentryGenericServi
   private static final String THRIFT_EXCEPTION_MESSAGE = "Thrift exception occured ";
 
   public SentryGenericServiceClientDefaultImpl(Configuration conf, SentryPolicyClientTransportConfig
transportConfig) throws IOException {
-    //TODO(kalyan) need to find appropriate place to add it
-    // if (kerberos) {
-    //  // since the client uses hadoop-auth, we need to set kerberos in
-    //  // hadoop-auth if we plan to use kerberos
-    //  conf.set(HADOOP_SECURITY_AUTHENTICATION, SentryConstants.KERBEROS_MoODE);
-    // }
-    this.conf = conf;
     transportFactory = new SentryTransportFactory(conf, transportConfig);
+    this.conf = conf;
   }
 
   /**


Mime
View raw message