From vam...@apache.org
Subject sentry git commit: SENTRY-1736: Generic service client should support Kerberos (Kalyan Kalvagadda, Reviewed by: Alexander Kolbasov, Vadim Spector, Vamsee Yarlagadda)
Date Fri, 19 May 2017 02:06:45 GMT
Repository: sentry
Updated Branches:
  refs/heads/sentry-ha-redesign d8df78279 -> 68ed22c15


SENTRY-1736: Generic service client should support Kerberos (Kalyan Kalvagadda, Reviewed by:
Alexander Kolbasov, Vadim Spector, Vamsee Yarlagadda)


Project: http://git-wip-us.apache.org/repos/asf/sentry/repo
Commit: http://git-wip-us.apache.org/repos/asf/sentry/commit/68ed22c1
Tree: http://git-wip-us.apache.org/repos/asf/sentry/tree/68ed22c1
Diff: http://git-wip-us.apache.org/repos/asf/sentry/diff/68ed22c1

Branch: refs/heads/sentry-ha-redesign
Commit: 68ed22c15c7716f96555f2c832ac16d3eb9465b7
Parents: d8df782
Author: Vamsee Yarlagadda <vamsee@cloudera.com>
Authored: Thu May 18 19:06:08 2017 -0700
Committer: Vamsee Yarlagadda <vamsee@cloudera.com>
Committed: Thu May 18 19:06:08 2017 -0700

----------------------------------------------------------------------
 .../transport/SentryTransportFactory.java       |  5 +-
 .../UserGroupInformationInitializer.java        | 53 ++++++++++++++++++++
 .../SentryGenericServiceClientDefaultImpl.java  | 11 +---
 3 files changed, 56 insertions(+), 13 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/sentry/blob/68ed22c1/sentry-core/sentry-core-common/src/main/java/org/apache/sentry/core/common/transport/SentryTransportFactory.java
----------------------------------------------------------------------
diff --git a/sentry-core/sentry-core-common/src/main/java/org/apache/sentry/core/common/transport/SentryTransportFactory.java
b/sentry-core/sentry-core-common/src/main/java/org/apache/sentry/core/common/transport/SentryTransportFactory.java
index 9b9f9e8..f609d33 100644
--- a/sentry-core/sentry-core-common/src/main/java/org/apache/sentry/core/common/transport/SentryTransportFactory.java
+++ b/sentry-core/sentry-core-common/src/main/java/org/apache/sentry/core/common/transport/SentryTransportFactory.java
@@ -74,9 +74,8 @@ public class SentryTransportFactory {
       super(mechanism, null, protocol, serverName, SASL_PROPERTIES, null,
         transport);
       if (wrapUgi) {
-        // If we don't set the configuration, the UGI will be created based on
-        // what's on the classpath, which may lack the kerberos changes we require
-        UserGroupInformation.setConfiguration(conf);
+        //Re-initializing UserGroupInformation, if needed
+        UserGroupInformationInitializer.initialize(conf);
         ugi = UserGroupInformation.getLoginUser();
       }
     }
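Review bot: The new comment above `UserGroupInformationInitializer.initialize(conf)` drops the rationale the old one carried and does not say what "if needed" depends on, although the `getLoginUser()` call on the next line relies on it. I would write it as `// Force Kerberos in the process-wide UGI configuration before resolving the login user; a no-op after the first call.` The enclosing constructor starts before this hunk, so how `wrapUgi` relates to the Kerberos setting is not visible here.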

http://git-wip-us.apache.org/repos/asf/sentry/blob/68ed22c1/sentry-core/sentry-core-common/src/main/java/org/apache/sentry/core/common/transport/UserGroupInformationInitializer.java
----------------------------------------------------------------------
diff --git a/sentry-core/sentry-core-common/src/main/java/org/apache/sentry/core/common/transport/UserGroupInformationInitializer.java
b/sentry-core/sentry-core-common/src/main/java/org/apache/sentry/core/common/transport/UserGroupInformationInitializer.java
new file mode 100644
index 0000000..4c7487d
--- /dev/null
+++ b/sentry-core/sentry-core-common/src/main/java/org/apache/sentry/core/common/transport/UserGroupInformationInitializer.java
@@ -0,0 +1,53 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ * <p>
+ * http://www.apache.org/licenses/LICENSE-2.0
+ * <p>
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.sentry.core.common.transport;
+
+import org.apache.hadoop.conf.Configuration;
+import org.apache.hadoop.security.UserGroupInformation;
+
+import static org.apache.hadoop.fs.CommonConfigurationKeysPublic.HADOOP_SECURITY_AUTHENTICATION;
+import static org.apache.sentry.core.common.utils.SentryConstants.KERBEROS_MODE;
+
+/**
+ * Wrapper to initialize UserGroupInformation
+ */
+
+public class UserGroupInformationInitializer {
+
+  // initialize() method could be called my multiple threads.
+  // to attain visibility guarantee on isInitialized, it is declared volatile.
+  private static volatile boolean isInitialized = false;
+
+  // initialization block may be executed multiple times. This is fine as setConfiguration
is
+  // thread-safe
+  public static void initialize(Configuration conf) {
+    if(!isInitialized) {
+      Configuration newConf = new Configuration(conf);
+      // When kerberos is enabled,  UserGroupInformation should have been initialized with
+      // HADOOP_SECURITY_AUTHENTICATION property. There are instances where this is not done.
+      // Example: Solr and Kafka while using sentry generic clients were not updating this
+      // property. Instead of depending on the callers to update this configuration and to
be
+      // sure that UserGroupInformation is properly initialized, sentry client is explicitly
+      // doing it,
+      newConf.set(HADOOP_SECURITY_AUTHENTICATION, KERBEROS_MODE);
+      UserGroupInformation.setConfiguration(newConf);
+      isInitialized = true;
+    }
+  }
+}
\ No newline at end of file
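Review bot: The `isInitialized` latch in `initialize()` records only that Sentry once called `UserGroupInformation.setConfiguration`, not that the process-wide UGI is still in Kerberos mode. If the host application (the comment names Solr and Kafka) later installs its own configuration, later transports skip this block, and the `conf` of every caller after the first is silently ignored. Consider keying the guard on the actual UGI state, for example `if (!UserGroupInformation.isSecurityEnabled()) {`, after checking how that behaves on the Hadoop version in use, or at least state in the Javadoc that the first caller's configuration wins for the life of the JVM. The class holds only a static method, so `public final class UserGroupInformationInitializer` with a private constructor would prevent instantiation. The comment typo "my multiple threads" should read "by multiple threads", and the file should end with a newline.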

http://git-wip-us.apache.org/repos/asf/sentry/blob/68ed22c1/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/service/thrift/SentryGenericServiceClientDefaultImpl.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/service/thrift/SentryGenericServiceClientDefaultImpl.java
b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/service/thrift/SentryGenericServiceClientDefaultImpl.java
index b7ac640..e23d13b 100644
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/service/thrift/SentryGenericServiceClientDefaultImpl.java
+++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/service/thrift/SentryGenericServiceClientDefaultImpl.java
@@ -22,8 +22,6 @@ import java.util.*;
 
 import org.apache.hadoop.conf.Configuration;
 
-//import static org.apache.hadoop.fs.CommonConfigurationKeysPublic.HADOOP_SECURITY_AUTHENTICATION;
-
 import org.apache.sentry.core.common.exception.SentryUserException;
 import org.apache.sentry.core.common.ActiveRoleSet;
 import org.apache.sentry.core.common.Authorizable;
@@ -63,15 +61,8 @@ public class SentryGenericServiceClientDefaultImpl implements SentryGenericServi
   private static final String THRIFT_EXCEPTION_MESSAGE = "Thrift exception occured ";
 
   public SentryGenericServiceClientDefaultImpl(Configuration conf, SentryPolicyClientTransportConfig
transportConfig) throws IOException {
-
-    //TODO(kalyan) need to find appropriate place to add it
-    // if (kerberos) {
-    //  // since the client uses hadoop-auth, we need to set kerberos in
-    //  // hadoop-auth if we plan to use kerberos
-    //  conf.set(HADOOP_SECURITY_AUTHENTICATION, SentryConstants.KERBEROS_MoODE);
-    // }
-    this.conf = conf;
     transportFactory = new SentryTransportFactory(conf, transportConfig);
+    this.conf = conf;
   }
 
   /**

