
From vam...@apache.org
Subject sentry git commit: SENTRY-1749: Sentry to use keytab supplied instead of local unix user tgt for connecting to HMS (Vamsee Yarlagadda, Reviewed by: Alexander Kolbasov, Kalyan Kalvagadda)
Date Thu, 04 May 2017 23:18:03 GMT
Repository: sentry
Updated Branches:
  refs/heads/sentry-ha-redesign 80070f277 -> 48fea2042


SENTRY-1749: Sentry to use keytab supplied instead of local unix user tgt for connecting to
HMS (Vamsee Yarlagadda, Reviewed by: Alexander Kolbasov, Kalyan Kalvagadda)


Project: http://git-wip-us.apache.org/repos/asf/sentry/repo
Commit: http://git-wip-us.apache.org/repos/asf/sentry/commit/48fea204
Tree: http://git-wip-us.apache.org/repos/asf/sentry/tree/48fea204
Diff: http://git-wip-us.apache.org/repos/asf/sentry/diff/48fea204

Branch: refs/heads/sentry-ha-redesign
Commit: 48fea20427ce8daad6aa3fa2658d06c624bdb7d6
Parents: 80070f2
Author: Vamsee Yarlagadda <vamsee@cloudera.com>
Authored: Wed May 3 21:55:50 2017 -0700
Committer: Vamsee Yarlagadda <vamsee@cloudera.com>
Committed: Thu May 4 16:15:34 2017 -0700

----------------------------------------------------------------------
 .../org/apache/sentry/service/thrift/HMSFollower.java  | 13 ++++++-------
 1 file changed, 6 insertions(+), 7 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/sentry/blob/48fea204/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/HMSFollower.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/HMSFollower.java
b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/HMSFollower.java
index ec8676e..99549bc 100644
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/HMSFollower.java
+++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/HMSFollower.java
@@ -30,6 +30,7 @@ import org.apache.hadoop.hive.metastore.api.NotificationEventResponse;
 import org.apache.hadoop.net.NetUtils;
 import org.apache.hadoop.security.SaslRpcServer;
 import org.apache.hadoop.security.SecurityUtil;
+import org.apache.hadoop.security.UserGroupInformation;
 import org.apache.hive.hcatalog.messaging.HCatEventMessage;
 import org.apache.sentry.binding.hive.conf.HiveAuthzConf;
 import org.apache.sentry.core.common.exception.SentryInvalidHMSEventException;
@@ -46,12 +47,10 @@ import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.apache.sentry.binding.metastore.messaging.json.*;
 
-import javax.security.auth.Subject;
 import javax.security.auth.login.LoginException;
 import java.io.File;
 import java.io.IOException;
 import java.net.SocketException;
-import java.security.PrivilegedActionException;
 import java.security.PrivilegedExceptionAction;
 import java.util.List;
 import java.util.Map;
@@ -118,7 +117,7 @@ public class HMSFollower implements Runnable {
    * Throws @MetaException if there was a problem on creating an HMSClient
    */
   private HiveMetaStoreClient getMetaStoreClient(Configuration conf)
-      throws LoginException, MetaException, PrivilegedActionException {
+      throws IOException, InterruptedException, LoginException, MetaException {
     if(client != null) {
       return client;
     }
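Review bot: The Javadoc directly above the changed signature still documents only `Throws @MetaException if there was a problem on creating an HMSClient`, while the throws clause now adds IOException and InterruptedException alongside LoginException. The comment should list the new cases, e.g. `@throws IOException if the UGI cannot be built from the Kerberos subject or the HMS client cannot be created` and `@throws InterruptedException if the privileged doAs call is interrupted`. The Javadoc block begins and the method body continues outside this hunk.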
@@ -159,9 +158,12 @@ public class HMSFollower implements Runnable {
         // Instantiating SentryKerberosContext in non-server mode handles the ticket renewal.
         kerberosContext = new SentryKerberosContext(principal, keytab, false);
 
+        UserGroupInformation.setConfiguration(hiveConf);
+        UserGroupInformation clientUGI = UserGroupInformation.getUGIFromSubject(kerberosContext.getSubject());
+
         // HiveMetaStoreClient handles the connection retry logic to HMS and can be configured
using properties:
         // hive.metastore.connect.retries, hive.metastore.client.connect.retry.delay
-        client = Subject.doAs(kerberosContext.getSubject(), new PrivilegedExceptionAction<HiveMetaStoreClient>()
{
+        client = clientUGI.doAs(new PrivilegedExceptionAction<HiveMetaStoreClient>()
{
           @Override
           public HiveMetaStoreClient run() throws Exception {
             return new HiveMetaStoreClient(hiveConf);
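Review bot: `UserGroupInformation.setConfiguration(hiveConf)` on the first added line is a static call that replaces the JVM-wide Hadoop security settings (the authentication method and, as far as I recall, the auth_to_local name rules) for every UGI in this process, and getMetaStoreClient re-executes it on every reconnect rather than once. If the Sentry service has already performed its own UGI login with a different Configuration, this silently swaps that configuration underneath it; moving the call into one-time startup initialization, or guarding it so it runs only on the first connection attempt, would avoid that. The surrounding try block and the method's remaining body start and end outside this hunk.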
@@ -172,9 +174,6 @@ public class HMSFollower implements Runnable {
         // Kerberos login failed
         LOGGER.error("Failed to setup kerberos context.");
         throw e;
-      } catch (PrivilegedActionException e) {
-        LOGGER.error("Failed to setup secure connection to HMS.");
-        throw e;
       } finally {
         // Shutdown kerberos context if HMS connection failed to setup to avoid thread leaks.
         if ((kerberosContext != null) && (client == null)) {
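Review bot: Removing the `catch (PrivilegedActionException e)` block also drops the only log line that identified an HMS connection failure; with `clientUGI.doAs` the failure now surfaces as IOException, InterruptedException or an unchecked exception from the `run()` body, and none of those produce the "Failed to setup secure connection to HMS." message before propagating. Keeping `catch (IOException | InterruptedException e) { LOGGER.error("Failed to setup secure connection to HMS.", e); throw e; }` ahead of the finally would preserve the diagnostic and attach the cause. The try block starts outside this hunk, so I cannot see whether another catch already covers these types.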

