From pras...@apache.org
Subject incubator-sentry git commit: SENTRY-683: HDFS service client should ensure the kerberos ticket validity before new service connection (Prasad Mujumdar, reviewed by Arun Suresh)
Date Mon, 30 Mar 2015 06:42:45 GMT
Repository: incubator-sentry
Updated Branches:
  refs/heads/master da98b3db0 -> 51f9d262f


SENTRY-683: HDFS service client should ensure the kerberos ticket validity before new service
connection (Prasad Mujumdar, reviewed by Arun Suresh)


Project: http://git-wip-us.apache.org/repos/asf/incubator-sentry/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-sentry/commit/51f9d262
Tree: http://git-wip-us.apache.org/repos/asf/incubator-sentry/tree/51f9d262
Diff: http://git-wip-us.apache.org/repos/asf/incubator-sentry/diff/51f9d262

Branch: refs/heads/master
Commit: 51f9d262f8c03d24b7b3cb3df47bcc15e20fb45a
Parents: da98b3d
Author: Prasad Mujumdar <prasadm@apache.org>
Authored: Sun Mar 29 23:42:43 2015 -0700
Committer: Prasad Mujumdar <prasadm@apache.org>
Committed: Sun Mar 29 23:42:43 2015 -0700

----------------------------------------------------------------------
 pom.xml                                         |  6 ++
 sentry-hdfs/sentry-hdfs-common/pom.xml          | 21 +++++
 .../sentry/hdfs/SentryHDFSServiceClient.java    |  7 ++
 .../hdfs/SentryHdfsServiceIntegrationBase.java  | 82 ++++++++++++++++++++
 .../sentry/hdfs/TestKrbConnectionTimeout.java   | 60 ++++++++++++++
 sentry-provider/sentry-provider-db/pom.xml      | 11 +++
 6 files changed, 187 insertions(+)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/51f9d262/pom.xml
----------------------------------------------------------------------
diff --git a/pom.xml b/pom.xml
index 2f97880..de84ebe 100644
--- a/pom.xml
+++ b/pom.xml
@@ -410,6 +410,12 @@ limitations under the License.
       </dependency>
       <dependency>
         <groupId>org.apache.sentry</groupId>
+        <artifactId>sentry-provider-db</artifactId>
+        <version>${project.version}</version>
+        <type>test-jar</type>
+      </dependency>
+      <dependency>
+        <groupId>org.apache.sentry</groupId>
         <artifactId>sentry-policy-common</artifactId>
         <version>${project.version}</version>
       </dependency>

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/51f9d262/sentry-hdfs/sentry-hdfs-common/pom.xml
----------------------------------------------------------------------
diff --git a/sentry-hdfs/sentry-hdfs-common/pom.xml b/sentry-hdfs/sentry-hdfs-common/pom.xml
index 34f69e9..dfbfc86 100644
--- a/sentry-hdfs/sentry-hdfs-common/pom.xml
+++ b/sentry-hdfs/sentry-hdfs-common/pom.xml
@@ -54,6 +54,27 @@ limitations under the License.
       <artifactId>hadoop-common</artifactId>
       <scope>provided</scope>
     </dependency>
+    <dependency>
+      <groupId>org.apache.hadoop</groupId>
+      <artifactId>hadoop-minikdc</artifactId>
+      <scope>test</scope>
+    </dependency>
+    <dependency>
+      <groupId>org.apache.sentry</groupId>
+      <artifactId>sentry-provider-db</artifactId>
+      <scope>test</scope>
+    </dependency>
+    <dependency>
+      <groupId>org.apache.sentry</groupId>
+      <artifactId>sentry-provider-file</artifactId>
+      <scope>test</scope>
+    </dependency>
+    <dependency>
+      <groupId>org.apache.sentry</groupId>
+      <artifactId>sentry-provider-db</artifactId>
+      <type>test-jar</type>
+      <scope>test</scope>
+    </dependency>
   </dependencies>
   <build>
     <sourceDirectory>${basedir}/src/main/java</sourceDirectory>

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/51f9d262/sentry-hdfs/sentry-hdfs-common/src/main/java/org/apache/sentry/hdfs/SentryHDFSServiceClient.java
----------------------------------------------------------------------
diff --git a/sentry-hdfs/sentry-hdfs-common/src/main/java/org/apache/sentry/hdfs/SentryHDFSServiceClient.java
b/sentry-hdfs/sentry-hdfs-common/src/main/java/org/apache/sentry/hdfs/SentryHDFSServiceClient.java
index 5425daa..726d88c 100644
--- a/sentry-hdfs/sentry-hdfs-common/src/main/java/org/apache/sentry/hdfs/SentryHDFSServiceClient.java
+++ b/sentry-hdfs/sentry-hdfs-common/src/main/java/org/apache/sentry/hdfs/SentryHDFSServiceClient.java
@@ -102,6 +102,13 @@ public class SentryHDFSServiceClient {
         baseOpen();
       } else {
         try {
+          // ensure that the ticket is valid before connecting to service. Note that
+          // checkTGTAndReloginFromKeytab() renew the ticket only when more than 80%
+          // of ticket lifetime has passed. 
+          if (ugi.isFromKeytab()) {
+            ugi.checkTGTAndReloginFromKeytab();
+          }
+
           ugi.doAs(new PrivilegedExceptionAction<Void>() {
             public Void run() throws TTransportException {
               baseOpen();
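Review bot: The `ugi.isFromKeytab()` guard at the top of the `try` leaves ticket-cache logins uncovered, so a client whose credentials came from `kinit` still reaches `ugi.doAs(...)` with a possibly expired TGT and fails during the handshake. If such clients are supported, add an `else` branch that calls `ugi.reloginFromTicketCache()`; otherwise state next to the guard that only keytab logins are renewed here. `checkTGTAndReloginFromKeytab()` throws `IOException`, and the `catch` clauses of this `try` are outside the hunk, so confirm that a failed relogin is reported as an authentication failure naming the principal rather than folded into a generic transport error. The enclosing method starts and ends outside the hunk.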

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/51f9d262/sentry-hdfs/sentry-hdfs-common/src/test/java/org/apache/sentry/hdfs/SentryHdfsServiceIntegrationBase.java
----------------------------------------------------------------------
diff --git a/sentry-hdfs/sentry-hdfs-common/src/test/java/org/apache/sentry/hdfs/SentryHdfsServiceIntegrationBase.java
b/sentry-hdfs/sentry-hdfs-common/src/test/java/org/apache/sentry/hdfs/SentryHdfsServiceIntegrationBase.java
new file mode 100644
index 0000000..f8f7eba
--- /dev/null
+++ b/sentry-hdfs/sentry-hdfs-common/src/test/java/org/apache/sentry/hdfs/SentryHdfsServiceIntegrationBase.java
@@ -0,0 +1,82 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.sentry.hdfs;
+
+import java.security.PrivilegedExceptionAction;
+
+import org.apache.hadoop.security.UserGroupInformation;
+import org.apache.sentry.SentryUserException;
+import org.apache.sentry.hdfs.ServiceConstants.ClientConfig;
+import org.apache.sentry.service.thrift.SentryServiceIntegrationBase;
+import org.junit.After;
+import org.junit.Before;
+
+public class SentryHdfsServiceIntegrationBase extends
+    SentryServiceIntegrationBase {
+
+  protected SentryHDFSServiceClient hdfsClient;
+
+  @Before
+  public void before() throws Exception {
+    conf.set("hadoop.security.authentication", "kerberos");
+    UserGroupInformation.setConfiguration(conf);
+    UserGroupInformation.loginUserFromKeytab(CLIENT_PRINCIPAL,
+        clientKeytab.getPath());
+
+    connectToHdfsSyncService();
+  }
+
+  @After
+  public void after() throws SentryUserException {
+    if (hdfsClient != null) {
+      hdfsClient.close();
+    }
+  }
+
+  protected void connectToHdfsSyncService() throws Exception {
+    if (hdfsClient != null) {
+      hdfsClient.close();
+    }
+
+    // SentryHdfs client configuration setup
+    conf.set(ClientConfig.SERVER_RPC_ADDRESS, server.getAddress()
+        .getHostName());
+    conf.set(ClientConfig.SERVER_RPC_ADDRESS, server.getAddress()
+        .getHostName());
+    conf.set(ClientConfig.SERVER_RPC_PORT,
+        String.valueOf(server.getAddress().getPort()));
+
+    if (kerberos) {
+      conf.set(ClientConfig.SECURITY_MODE, ClientConfig.SECURITY_MODE_KERBEROS);
+      conf.set(ClientConfig.SECURITY_USE_UGI_TRANSPORT, "true");
+      conf.set(ClientConfig.PRINCIPAL, getServerKerberosName());
+      hdfsClient = UserGroupInformation.getLoginUser().doAs(
+          new PrivilegedExceptionAction<SentryHDFSServiceClient>() {
+            @Override
+            public SentryHDFSServiceClient run() throws Exception {
+              return new SentryHDFSServiceClient(conf);
+            }
+          });
+    } else {
+      hdfsClient = new SentryHDFSServiceClient(conf);
+    }
+    hdfsClient.close();
+  }
+
+}
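Review bot: `connectToHdfsSyncService()` ends with an unconditional `hdfsClient.close();`, so the `hdfsClient` field exposed to subclasses always holds an already-closed client, and `after()` then closes it a second time. If the method is only meant to prove that a connection can be opened, keep the client in a local variable and document that with `/** Opens and immediately closes a client to verify that a connection to the HDFS sync service succeeds. */`; otherwise drop the trailing close. The `conf.set(ClientConfig.SERVER_RPC_ADDRESS, ...)` statement is repeated verbatim and one copy can go. `before()` also forces `hadoop.security.authentication` to `kerberos` and logs in from the keytab regardless of the `kerberos` flag that the `else` branch further down depends on, which looks unintended.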

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/51f9d262/sentry-hdfs/sentry-hdfs-common/src/test/java/org/apache/sentry/hdfs/TestKrbConnectionTimeout.java
----------------------------------------------------------------------
diff --git a/sentry-hdfs/sentry-hdfs-common/src/test/java/org/apache/sentry/hdfs/TestKrbConnectionTimeout.java
b/sentry-hdfs/sentry-hdfs-common/src/test/java/org/apache/sentry/hdfs/TestKrbConnectionTimeout.java
new file mode 100644
index 0000000..2db72b1
--- /dev/null
+++ b/sentry-hdfs/sentry-hdfs-common/src/test/java/org/apache/sentry/hdfs/TestKrbConnectionTimeout.java
@@ -0,0 +1,60 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.sentry.hdfs;
+
+import static org.junit.Assert.*;
+
+import java.security.PrivilegedExceptionAction;
+
+import javax.security.auth.Subject;
+
+import org.apache.hadoop.minikdc.MiniKdc;
+import org.apache.hadoop.security.UserGroupInformation;
+import org.apache.sentry.service.thrift.ServiceConstants.ClientConfig;
+import org.apache.sentry.service.thrift.ServiceConstants.ServerConfig;
+import org.junit.Assume;
+import org.junit.Before;
+import org.junit.BeforeClass;
+import org.junit.Test;
+
+public class TestKrbConnectionTimeout extends
+ SentryHdfsServiceIntegrationBase {
+
+  @BeforeClass
+  public static void testSetup() throws Exception {
+    Assume.assumeTrue("true".equalsIgnoreCase(System.getProperty(
+        "sentry.hive.test.ticket.timeout", "false")));
+    kdcConfOverlay.setProperty(MiniKdc.MAX_TICKET_LIFETIME, "300001");
+    setup();
+  }
+
+  /***
+   * Test is run only when sentry.hive.test.ticket.timeout is set to "true"
+   * @throws Exception
+   */
+  @Before
+  public void beforeMethod() {
+  }
+
+  @Test
+  public void testConnectionAfterTicketTimeout() throws Exception {
+    Thread.sleep(400000);
+    connectToHdfsSyncService();
+  }
+
+}
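Review bot: `testConnectionAfterTicketTimeout()` sleeps a hard-coded `400000` ms against a `MAX_TICKET_LIFETIME` of `"300001"` and asserts nothing, so it passes whenever `connectToHdfsSyncService()` does not throw and gives no direct evidence that the ticket had expired and was renewed. Tie the two numbers together, e.g. `private static final long TICKET_LIFETIME_MS = 300001L;` and `Thread.sleep(TICKET_LIFETIME_MS + 100000L);`, and add an explicit assertion on the outcome of the reconnect. The Javadoc about `sentry.hive.test.ticket.timeout` sits on the empty `beforeMethod()` with a stale `@throws Exception`; it belongs on `testSetup()`, where the `Assume` is evaluated. The imports `Subject`, `PrivilegedExceptionAction`, `UserGroupInformation`, `ClientConfig`, `ServerConfig` and the static `Assert.*` are unused in this file and can be removed.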

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/51f9d262/sentry-provider/sentry-provider-db/pom.xml
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/pom.xml b/sentry-provider/sentry-provider-db/pom.xml
index 9f47b29..27ad670 100644
--- a/sentry-provider/sentry-provider-db/pom.xml
+++ b/sentry-provider/sentry-provider-db/pom.xml
@@ -237,6 +237,17 @@ limitations under the License.
           </execution>
         </executions>
       </plugin>
+      <plugin>
+        <groupId>org.apache.maven.plugins</groupId>
+        <artifactId>maven-jar-plugin</artifactId>
+        <executions>
+          <execution>
+            <goals>
+              <goal>test-jar</goal>
+            </goals>
+          </execution>
+        </executions>
+      </plugin>
     </plugins>
   </build>
   <profiles>

