From sra...@apache.org
Subject sentry git commit: SENTRY-1265: Sentry service should not require a TGT as it is not talking to other kerberos services as a client ( Sravya Tirukkovalur, Reviewed by: Lenni Kuff, Hao Hao)
Date Fri, 20 May 2016 21:25:10 GMT
Repository: sentry
Updated Branches:
  refs/heads/master 6888f4a13 -> c29f19bda


SENTRY-1265: Sentry service should not require a TGT as it is not talking to other kerberos
services as a client ( Sravya Tirukkovalur, Reviewed by: Lenni Kuff, Hao Hao)

Change-Id: Ia3e3bda0f7131da89d93a7729dc814aec0b8852d


Project: http://git-wip-us.apache.org/repos/asf/sentry/repo
Commit: http://git-wip-us.apache.org/repos/asf/sentry/commit/c29f19bd
Tree: http://git-wip-us.apache.org/repos/asf/sentry/tree/c29f19bd
Diff: http://git-wip-us.apache.org/repos/asf/sentry/diff/c29f19bd

Branch: refs/heads/master
Commit: c29f19bda26dfdffc5cc37862c12caddcc1c68ad
Parents: 6888f4a
Author: Sravya Tirukkovalur <sravya@apache.org>
Authored: Fri May 20 14:24:14 2016 -0700
Committer: Sravya Tirukkovalur <sravya@apache.org>
Committed: Fri May 20 14:24:14 2016 -0700

----------------------------------------------------------------------
 .../service/thrift/SentryKerberosContext.java   | 15 ++++++--
 .../sentry/service/thrift/SentryService.java    |  3 +-
 .../sentry/service/thrift/ServiceConstants.java |  6 +++
 .../SentryGenericServiceIntegrationBase.java    |  4 +-
 .../TestAuditLogForSentryGenericService.java    |  5 +--
 .../generic/tools/TestSentryConfigToolSolr.java |  2 +-
 .../db/generic/tools/TestSentryShellKafka.java  |  2 +-
 .../db/generic/tools/TestSentryShellSolr.java   |  2 +-
 .../thrift/TestConnectionWithTicketTimeout.java |  8 +++-
 .../thrift/TestSentryServiceClientPool.java     |  4 +-
 .../thrift/TestSentryServiceFailureCase.java    |  6 +--
 .../thrift/TestSentryWebServerWithKerberos.java |  5 ++-
 .../provider/db/tools/TestSentryShellHive.java  |  2 +-
 .../thrift/SentryServiceIntegrationBase.java    | 39 ++++++--------------
 14 files changed, 50 insertions(+), 53 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/sentry/blob/c29f19bd/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/SentryKerberosContext.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/SentryKerberosContext.java
b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/SentryKerberosContext.java
index 93481cb..f54f161 100644
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/SentryKerberosContext.java
+++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/SentryKerberosContext.java
@@ -40,7 +40,9 @@ public class SentryKerberosContext implements Runnable {
   private LoginContext loginContext;
   private Subject subject;
   private final javax.security.auth.login.Configuration kerberosConfig;
+  @Deprecated
   private Thread renewerThread;
+  @Deprecated
   private boolean shutDownRenewer = false;
 
   public SentryKerberosContext(String principal, String keyTab, boolean autoRenewTicket)
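Review bot: The `@Deprecated` annotations on `renewerThread` and `shutDownRenewer` carry no explanation, and the same holds for `getTGT()`, `getRefreshTime()`, `run()` and `startRenewerThread()` in the later hunks of this file. A reader cannot tell from the annotation alone that the renewer is being retired because the service only accepts Kerberos connections, or whether anything replaces it. I would add a Javadoc tag on each member, for example `@deprecated TGT renewal is not needed for an acceptor-only service (SENTRY-1265); used only when sentry.service.kerberos.tgt.autorenew is true`. The class body continues outside this hunk.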
@@ -54,7 +56,8 @@ public class SentryKerberosContext implements Runnable {
     }
   }
 
-  public void loginWithNewContext() throws LoginException {
+  private void loginWithNewContext() throws LoginException {
+    LOGGER.info("Logging in with new Context");
     logoutSubject();
     loginContext = new LoginContext("", subject, null, kerberosConfig);
     loginContext.login();
@@ -80,6 +83,7 @@ public class SentryKerberosContext implements Runnable {
    * Get the Kerberos TGT
    * @return the user's TGT or null if none was found
    */
+  @Deprecated
   private KerberosTicket getTGT() {
     Set<KerberosTicket> tickets = subject.getPrivateCredentials(KerberosTicket.class);
     for(KerberosTicket ticket: tickets) {
@@ -91,17 +95,21 @@ public class SentryKerberosContext implements Runnable {
     }
     return null;
   }
-  
+
+  @Deprecated
   private long getRefreshTime(KerberosTicket tgt) {
     long start = tgt.getStartTime().getTime();
     long end = tgt.getEndTime().getTime();
+    LOGGER.debug("Ticket start time: " + start);
+    LOGGER.debug("Ticket End time: " + end);
     return start + (long) ((end - start) * TICKET_RENEW_WINDOW);
   }
-  
+
   /***
    * Ticket renewer thread
    * wait till 80% time interval left on the ticket and then renew it
    */
+  @Deprecated
   @Override
   public void run() {
     try {
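Review bot: The two added `LOGGER.debug` calls in `getRefreshTime` build their message by string concatenation and print raw epoch milliseconds, which are hard to line up with KDC logs when diagnosing a ticket expiry. If `LOGGER` is an SLF4J logger (its declaration is outside the hunk), `LOGGER.debug("Ticket start time: {}, end time: {}", tgt.getStartTime(), tgt.getEndTime());` logs readable dates and skips the formatting when debug is off. `KerberosTicket.getStartTime()` is documented as possibly returning null, so the `.getTime()` call just above the new lines may deserve a guard as well, although that line predates this commit.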
@@ -133,6 +141,7 @@ public class SentryKerberosContext implements Runnable {
     }
   }
 
+  @Deprecated
   public void startRenewerThread() {
     renewerThread = new Thread(this);
     renewerThread.start();

http://git-wip-us.apache.org/repos/asf/sentry/blob/c29f19bd/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/SentryService.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/SentryService.java
b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/SentryService.java
index d8edf93..5783649 100644
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/SentryService.java
+++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/SentryService.java
@@ -155,7 +155,8 @@ public class SentryService implements Callable {
     try {
       status = Status.STARTED;
       if (kerberos) {
-        kerberosContext = new SentryKerberosContext(principal, keytab, true);
+        Boolean autoRenewTicket = conf.getBoolean(ServerConfig.SENTRY_KERBEROS_TGT_AUTORENEW,
ServerConfig.SENTRY_KERBEROS_TGT_AUTORENEW_DEFAULT);
+        kerberosContext = new SentryKerberosContext(principal, keytab, autoRenewTicket);
         Subject.doAs(kerberosContext.getSubject(), new PrivilegedExceptionAction<Void>()
{
           @Override
           public Void run() throws Exception {
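Review bot: With `SENTRY_KERBEROS_TGT_AUTORENEW_DEFAULT` set to `false`, an upgraded deployment silently stops renewing the ticket held by the subject used in this `Subject.doAs`, so any code path that does act as a Kerberos client under that subject would start failing once the initial ticket expires. The test base touched by this commit sets `ServerConfig.SERVER_HA_ZOOKEEPER_CLIENT_KEYTAB`, which suggests the HA path holds a ZooKeeper client login; it is worth confirming that this path performs its own login and renewal rather than relying on the service subject. Separately, the local should be a primitive, `boolean autoRenewTicket = conf.getBoolean(...)`, and likewise the constant in ServiceConstants, `public static final boolean SENTRY_KERBEROS_TGT_AUTORENEW_DEFAULT = false;`, since boxing adds nothing here. The enclosing method starts and ends outside the hunk.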

http://git-wip-us.apache.org/repos/asf/sentry/blob/c29f19bd/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/ServiceConstants.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/ServiceConstants.java
b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/ServiceConstants.java
index 42eb1bb..32a4044 100644
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/ServiceConstants.java
+++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/ServiceConstants.java
@@ -183,6 +183,12 @@ public class ServiceConstants {
 
     // action factories for external components
     public static final String SENTRY_COMPONENT_ACTION_FACTORY_FORMAT = "sentry.%s.action.factory";
+
+    // Sentry is never a client to other Kerberos Services, it should not be required to
renew the TGT
+    @Deprecated
+    public static final String SENTRY_KERBEROS_TGT_AUTORENEW = "sentry.service.kerberos.tgt.autorenew";
+    @Deprecated
+    public static final Boolean SENTRY_KERBEROS_TGT_AUTORENEW_DEFAULT = false;
   }
 
   public static class ClientConfig {
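Review bot: `SENTRY_KERBEROS_TGT_AUTORENEW` is introduced and marked `@Deprecated` in the same commit, and the only explanation is a line comment above the first constant that does not say the default behaviour changed from renewing to not renewing. I would replace it with Javadoc on both constants, for example `/** @deprecated Sentry only accepts Kerberos connections, so TGT renewal is off by default; set to true only to restore the old renewer thread. */`. That gives an operator who finds the key in a configuration file the reason and the default in one place.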

http://git-wip-us.apache.org/repos/asf/sentry/blob/c29f19bd/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/generic/service/thrift/SentryGenericServiceIntegrationBase.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/generic/service/thrift/SentryGenericServiceIntegrationBase.java
b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/generic/service/thrift/SentryGenericServiceIntegrationBase.java
index cec925b..94cade1 100644
--- a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/generic/service/thrift/SentryGenericServiceIntegrationBase.java
+++ b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/generic/service/thrift/SentryGenericServiceIntegrationBase.java
@@ -20,8 +20,6 @@ package org.apache.sentry.provider.db.generic.service.thrift;
 import java.security.PrivilegedExceptionAction;
 import java.util.Set;
 
-import javax.security.auth.Subject;
-
 import org.apache.sentry.service.thrift.SentryServiceIntegrationBase;
 import org.junit.After;
 import org.slf4j.Logger;
@@ -40,7 +38,7 @@ public class SentryGenericServiceIntegrationBase extends SentryServiceIntegratio
     // The client should already be logged in when running in solr
     // therefore we must manually login in the integration tests
     if (kerberos) {
-      this.client = Subject.doAs(clientSubject, new PrivilegedExceptionAction<SentryGenericServiceClient>()
{
+      this.client = clientUgi.doAs( new PrivilegedExceptionAction<SentryGenericServiceClient>()
{
         @Override
         public SentryGenericServiceClient run() throws Exception {
           return SentryGenericServiceClientFactory.create(conf);

http://git-wip-us.apache.org/repos/asf/sentry/blob/c29f19bd/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/generic/service/thrift/TestAuditLogForSentryGenericService.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/generic/service/thrift/TestAuditLogForSentryGenericService.java
b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/generic/service/thrift/TestAuditLogForSentryGenericService.java
index c3adacf..6c7d22d 100644
--- a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/generic/service/thrift/TestAuditLogForSentryGenericService.java
+++ b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/generic/service/thrift/TestAuditLogForSentryGenericService.java
@@ -28,8 +28,6 @@ import java.util.HashMap;
 import java.util.Map;
 import java.util.Set;
 
-import javax.security.auth.Subject;
-
 import org.apache.log4j.Level;
 import org.apache.log4j.Logger;
 import org.apache.sentry.provider.db.log.appender.AuditLoggerTestAppender;
@@ -91,8 +89,7 @@ public class TestAuditLogForSentryGenericService extends SentryServiceIntegratio
   @Override
   public void connectToSentryService() throws Exception {
     if (kerberos) {
-      this.client = Subject.doAs(clientSubject,
-          new PrivilegedExceptionAction<SentryGenericServiceClient>() {
+      this.client = clientUgi.doAs(new PrivilegedExceptionAction<SentryGenericServiceClient>()
{
             @Override
             public SentryGenericServiceClient run() throws Exception {
               return SentryGenericServiceClientFactory.create(conf);

http://git-wip-us.apache.org/repos/asf/sentry/blob/c29f19bd/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/generic/tools/TestSentryConfigToolSolr.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/generic/tools/TestSentryConfigToolSolr.java
b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/generic/tools/TestSentryConfigToolSolr.java
index df5e2e6..84543fb 100644
--- a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/generic/tools/TestSentryConfigToolSolr.java
+++ b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/generic/tools/TestSentryConfigToolSolr.java
@@ -61,7 +61,7 @@ public class TestSentryConfigToolSolr extends SentryGenericServiceIntegrationBas
       conf.writeXml(to);
       to.close();
     }
-    requestorName = System.getProperty("user.name", "");
+    requestorName = clientUgi.getShortUserName();//System.getProperty("user.name", "");
     Set<String> requestorUserGroupNames = Sets.newHashSet(ADMIN_GROUP);
     setLocalGroupMapping(requestorName, requestorUserGroupNames);
     // add ADMIN_USER for the after() in SentryServiceIntegrationBase
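Review bot: `clientUgi` is assigned only inside the Kerberos branch of `SentryServiceIntegrationBase` as far as this commit shows, so `clientUgi.getShortUserName()` would throw a NullPointerException if this test runs with Kerberos disabled; the same call is added in TestSentryShellKafka, TestSentryShellSolr and TestSentryShellHive. If those tests can run in non-Kerberos mode, keep the fallback: `requestorName = kerberos ? clientUgi.getShortUserName() : System.getProperty("user.name", "");`. The trailing `//System.getProperty("user.name", "");` (truncated to `//.getProperty("user.name", "");` in the Kafka test) is leftover commented-out code and should be dropped. The enclosing method starts outside the hunk.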

http://git-wip-us.apache.org/repos/asf/sentry/blob/c29f19bd/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/generic/tools/TestSentryShellKafka.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/generic/tools/TestSentryShellKafka.java
b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/generic/tools/TestSentryShellKafka.java
index a38d58b..f35cdb1 100644
--- a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/generic/tools/TestSentryShellKafka.java
+++ b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/generic/tools/TestSentryShellKafka.java
@@ -61,7 +61,7 @@ public class TestSentryShellKafka extends SentryGenericServiceIntegrationBase
{
       conf.writeXml(to);
       to.close();
     }
-    requestorName = System.getProperty("user.name", "");
+    requestorName = clientUgi.getShortUserName();//.getProperty("user.name", "");
     Set<String> requestorUserGroupNames = Sets.newHashSet(ADMIN_GROUP);
     setLocalGroupMapping(requestorName, requestorUserGroupNames);
     // add ADMIN_USER for the after() in SentryServiceIntegrationBase

http://git-wip-us.apache.org/repos/asf/sentry/blob/c29f19bd/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/generic/tools/TestSentryShellSolr.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/generic/tools/TestSentryShellSolr.java
b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/generic/tools/TestSentryShellSolr.java
index 8eab028..0c5c711 100644
--- a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/generic/tools/TestSentryShellSolr.java
+++ b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/generic/tools/TestSentryShellSolr.java
@@ -61,7 +61,7 @@ public class TestSentryShellSolr extends SentryGenericServiceIntegrationBase
{
       conf.writeXml(to);
       to.close();
     }
-    requestorName = System.getProperty("user.name", "");
+    requestorName = clientUgi.getShortUserName();//System.getProperty("user.name", "");
     Set<String> requestorUserGroupNames = Sets.newHashSet(ADMIN_GROUP);
     setLocalGroupMapping(requestorName, requestorUserGroupNames);
     // add ADMIN_USER for the after() in SentryServiceIntegrationBase

http://git-wip-us.apache.org/repos/asf/sentry/blob/c29f19bd/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestConnectionWithTicketTimeout.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestConnectionWithTicketTimeout.java
b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestConnectionWithTicketTimeout.java
index e204099..36fa4b5 100644
--- a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestConnectionWithTicketTimeout.java
+++ b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestConnectionWithTicketTimeout.java
@@ -19,11 +19,12 @@
 package org.apache.sentry.provider.db.service.thrift;
 
 import org.apache.hadoop.minikdc.MiniKdc;
+import org.apache.sentry.service.thrift.ServiceConstants;
 import org.junit.BeforeClass;
 import org.junit.Ignore;
 import org.junit.Test;
 
-@Ignore("SENTRY-515: Not part of automated unit testing, as it takes too long")
+@Ignore("SENTRY-515: Not part of automated unit testing, as it takes too long. Fails until
we move to a hadoop 2.6.1. See HADOOP-10786")
 public class TestConnectionWithTicketTimeout extends
     org.apache.sentry.service.thrift.SentryServiceIntegrationBase {
 
@@ -37,7 +38,10 @@ public class TestConnectionWithTicketTimeout extends
   }
 
   public static void beforeSetup() throws Exception {
-    kdcConfOverlay.setProperty(MiniKdc.MAX_TICKET_LIFETIME, "300001");
+    kdcConfOverlay.setProperty(MiniKdc.MAX_TICKET_LIFETIME, "360001");
+    //Only UGI based client connections renew their TGT, this is not a problem in the real
world
+    // as this is not configurable and always true
+    conf.set(ServiceConstants.ServerConfig.SECURITY_USE_UGI_TRANSPORT, "true");
   }
 
   /***
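Review bot: This is the only test on the page that exercises ticket expiry, and the class stays `@Ignore`d with a message saying it fails until a move to Hadoop 2.6.1, so the change of renewal behaviour in SentryService has no automated coverage. A class-level comment stating that the test must be run manually whenever the Kerberos login or renewal code changes would make that gap explicit. The `conf.set(ServiceConstants.ServerConfig.SECURITY_USE_UGI_TRANSPORT, "true")` added to `beforeSetup` also looks redundant now that SentryServiceIntegrationBase sets the same key to `"true"` in its Kerberos branch, unless the call order makes it necessary; that order is not visible here.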

http://git-wip-us.apache.org/repos/asf/sentry/blob/c29f19bd/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryServiceClientPool.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryServiceClientPool.java
b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryServiceClientPool.java
index e5285bd..8dc5e34 100644
--- a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryServiceClientPool.java
+++ b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryServiceClientPool.java
@@ -30,8 +30,6 @@ import java.util.concurrent.Executors;
 import java.util.concurrent.Future;
 import java.util.concurrent.FutureTask;
 
-import javax.security.auth.Subject;
-
 import org.apache.sentry.SentryUserException;
 import org.apache.sentry.service.thrift.SentryServiceFactory;
 import org.apache.sentry.service.thrift.SentryServiceIntegrationBase;
@@ -83,7 +81,7 @@ public class TestSentryServiceClientPool extends SentryServiceIntegrationBase
{
 
         Callable<Boolean> func = new Callable<Boolean>() {
           public Boolean call() throws Exception {
-            return Subject.doAs(clientSubject, new PrivilegedExceptionAction<Boolean>()
{
+            return clientUgi.doAs(new PrivilegedExceptionAction<Boolean>() {
               @Override
               public Boolean run() throws Exception {
                 try {

http://git-wip-us.apache.org/repos/asf/sentry/blob/c29f19bd/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryServiceFailureCase.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryServiceFailureCase.java
b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryServiceFailureCase.java
index a453ff3..51bba31 100644
--- a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryServiceFailureCase.java
+++ b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryServiceFailureCase.java
@@ -18,8 +18,6 @@
 
 package org.apache.sentry.provider.db.service.thrift;
 
-import java.security.PrivilegedActionException;
-
 import org.apache.sentry.service.thrift.SentryServiceIntegrationBase;
 import org.apache.sentry.service.thrift.ServiceConstants.ServerConfig;
 import org.junit.After;
@@ -61,9 +59,9 @@ public class TestSentryServiceFailureCase extends SentryServiceIntegrationBase
{
     try {
       connectToSentryService();
       Assert.fail("Failed to receive Exception");
-    } catch(PrivilegedActionException e) {
+    } catch(Exception e) {
       LOGGER.info("Excepted exception", e);
-      Exception cause = e.getException();
+      Throwable cause = e.getCause();
       if (cause == null) {
         throw e;
       }
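Review bot: Widening the handler to `catch(Exception e)` and switching to `e.getCause()` changes which object the checks below this hunk inspect, and it lets any exception that carries a cause take the "expected" path. `UserGroupInformation.doAs` is, as far as I know, documented to rethrow some exception types from the action unwrapped, in which case `getCause()` is not the equivalent of the old `PrivilegedActionException.getException()`; this is worth confirming against the Hadoop version in use. A short comment stating which exception type and cause the test expects from the failed Kerberos connection would keep the assertion from passing on an unrelated setup error. The rest of the catch block is outside the hunk.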

http://git-wip-us.apache.org/repos/asf/sentry/blob/c29f19bd/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryWebServerWithKerberos.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryWebServerWithKerberos.java
b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryWebServerWithKerberos.java
index 90ce080..ece2ee8 100644
--- a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryWebServerWithKerberos.java
+++ b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryWebServerWithKerberos.java
@@ -68,15 +68,16 @@ public class TestSentryWebServerWithKerberos extends SentryServiceIntegrationBas
 
   @Test
   public void testPing() throws Exception {
-    runTestAsSubject(new TestOperation(){
+    clientUgi.doAs(new PrivilegedExceptionAction<Void>() {
       @Override
-      public void runTestAsSubject() throws Exception {
+      public Void run() throws Exception {
         final URL url = new URL("http://"+ SERVER_HOST + ":" + webServerPort + "/ping");
         HttpURLConnection conn = new AuthenticatedURL(new KerberosAuthenticator()).
             openConnection(url, new AuthenticatedURL.Token());
         Assert.assertEquals(HttpURLConnection.HTTP_OK, conn.getResponseCode());
         String response = IOUtils.toString(conn.getInputStream());
         Assert.assertEquals("pong\n", response);
+      return null;
       }} );
   }
 

http://git-wip-us.apache.org/repos/asf/sentry/blob/c29f19bd/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/tools/TestSentryShellHive.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/tools/TestSentryShellHive.java
b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/tools/TestSentryShellHive.java
index 21dfa0f..d8fea90 100644
--- a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/tools/TestSentryShellHive.java
+++ b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/tools/TestSentryShellHive.java
@@ -59,7 +59,7 @@ public class TestSentryShellHive extends SentryServiceIntegrationBase {
       conf.writeXml(to);
       to.close();
     }
-    requestorName = System.getProperty("user.name", "");
+    requestorName = clientUgi.getShortUserName();
     Set<String> requestorUserGroupNames = Sets.newHashSet(ADMIN_GROUP);
     setLocalGroupMapping(requestorName, requestorUserGroupNames);
     // add ADMIN_USER for the after() in SentryServiceIntegrationBase

http://git-wip-us.apache.org/repos/asf/sentry/blob/c29f19bd/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/service/thrift/SentryServiceIntegrationBase.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/service/thrift/SentryServiceIntegrationBase.java
b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/service/thrift/SentryServiceIntegrationBase.java
index 14de0fa..cb2d9c9 100644
--- a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/service/thrift/SentryServiceIntegrationBase.java
+++ b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/service/thrift/SentryServiceIntegrationBase.java
@@ -19,14 +19,10 @@
 package org.apache.sentry.service.thrift;
 import java.io.File;
 import java.security.PrivilegedExceptionAction;
-import java.util.HashSet;
 import java.util.Properties;
 import java.util.Set;
 import java.util.concurrent.TimeoutException;
 
-import javax.security.auth.Subject;
-import javax.security.auth.kerberos.KerberosPrincipal;
-import javax.security.auth.login.LoginContext;
 
 import com.google.common.io.Resources;
 import org.apache.commons.io.FileUtils;
@@ -34,6 +30,7 @@ import org.apache.curator.test.TestingServer;
 import org.apache.hadoop.conf.Configuration;
 import org.apache.hadoop.minikdc.MiniKdc;
 import org.apache.hadoop.net.NetUtils;
+import org.apache.hadoop.security.UserGroupInformation;
 import org.apache.sentry.provider.db.service.persistent.HAContext;
 import org.apache.sentry.provider.db.service.thrift.SentryMiniKdcTestcase;
 import org.apache.sentry.provider.db.service.thrift.SentryPolicyServiceClient;
@@ -51,7 +48,6 @@ import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
 import com.google.common.base.Strings;
-import com.google.common.collect.Sets;
 import com.google.common.io.Files;
 
 public abstract class SentryServiceIntegrationBase extends SentryMiniKdcTestcase {
@@ -77,8 +73,7 @@ public abstract class SentryServiceIntegrationBase extends SentryMiniKdcTestcase
   protected static File serverKeytab;
   protected static File httpKeytab;
   protected static File clientKeytab;
-  protected static Subject clientSubject;
-  protected static LoginContext clientLoginContext;
+  protected static UserGroupInformation clientUgi;
   protected static boolean kerberos;
   protected final static Configuration conf = new Configuration(false);
   protected PolicyFile policyFile;
@@ -146,14 +141,11 @@ public abstract class SentryServiceIntegrationBase extends SentryMiniKdcTestcase
       conf.set(ServerConfig.SERVER_HA_ZOOKEEPER_CLIENT_KEYTAB,
           serverKeytab.getPath());
 
-      conf.set(ServerConfig.SECURITY_USE_UGI_TRANSPORT, "false");
-      clientSubject = new Subject(false, Sets.newHashSet(
-          new KerberosPrincipal(CLIENT_KERBEROS_NAME)), new HashSet<Object>(),
-        new HashSet<Object>());
-      clientLoginContext = new LoginContext("", clientSubject, null,
-          KerberosConfiguration.createClientConfig(CLIENT_KERBEROS_NAME, clientKeytab));
-      clientLoginContext.login();
-      clientSubject = clientLoginContext.getSubject();
+      conf.set(ServerConfig.SECURITY_USE_UGI_TRANSPORT, "true");
+      conf.set("hadoop.security.authentication", "kerberos");
+      UserGroupInformation.setConfiguration(conf);
+      UserGroupInformation.loginUserFromKeytab(CLIENT_PRINCIPAL, clientKeytab.getPath());
+      clientUgi = UserGroupInformation.getLoginUser();
     } else {
       LOGGER.info("Stopped KDC");
       conf.set(ServerConfig.SECURITY_MODE, ServerConfig.SECURITY_MODE_NONE);
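Review bot: `UserGroupInformation.setConfiguration(conf)` and `loginUserFromKeytab(...)` change process-wide static state, and the `tearDown` hunk further down removes the old `clientLoginContext.logout()` without adding a UGI counterpart, so the Kerberos login and the `hadoop.security.authentication=kerberos` setting can leak into later test classes that run in the same JVM. `conf` is a shared static `Configuration`, and the `else` branch visible here does not reset that key. I would restore the state in `tearDown()`, for example `clientUgi = null;` followed by `UserGroupInformation.setConfiguration(new Configuration(false));`, or add a comment explaining why the leak is acceptable. The enclosing method starts and ends outside the hunk.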
@@ -243,7 +235,7 @@ public abstract class SentryServiceIntegrationBase extends SentryMiniKdcTestcase
 
   public void connectToSentryService() throws Exception {
     if (kerberos) {
-      client = Subject.doAs(clientSubject, new PrivilegedExceptionAction<SentryPolicyServiceClient>()
{
+      client = clientUgi.doAs(new PrivilegedExceptionAction<SentryPolicyServiceClient>()
{
         @Override
         public SentryPolicyServiceClient run() throws Exception {
           return SentryServiceClientFactory.create(conf);
@@ -258,13 +250,6 @@ public abstract class SentryServiceIntegrationBase extends SentryMiniKdcTestcase
   public static void tearDown() throws Exception {
     beforeTeardown();
 
-    if(clientLoginContext != null) {
-      try {
-        clientLoginContext.logout();
-      } catch (Exception e) {
-        LOGGER.warn("Error logging client out", e);
-      }
-    }
     if(server != null) {
       server.stop();
     }
@@ -351,16 +336,16 @@ public abstract class SentryServiceIntegrationBase extends SentryMiniKdcTestcase
   }
 
   protected void runTestAsSubject(final TestOperation test) throws Exception {
-    if (kerberos) {
-      Subject.doAs(clientSubject, new PrivilegedExceptionAction<Void>() {
+    /*if (false) {
+      clientUgi.doAs(new PrivilegedExceptionAction<Void>() {
         @Override
         public Void run() throws Exception {
           test.runTestAsSubject();
           return null;
         }});
     } else {
-      test.runTestAsSubject();
-    }
+    */  test.runTestAsSubject();
+    //}
   }
 
   protected interface TestOperation {
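Review bot: `runTestAsSubject` now calls `test.runTestAsSubject()` directly and leaves the old branch behind as a `/*if (false) { ... */` comment, so the method name promises an identity switch that no longer happens. Under Kerberos the operation presumably runs with whatever login user UGI holds for the process, and that should be stated rather than inferred. I would delete the commented-out block and add Javadoc such as `/** Runs the operation as the process-wide UGI login user; no explicit doAs is performed. */`.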

