sentry-commits mailing list archives

From linaataus...@apache.org
Subject [sentry] branch master updated: SENTRY-2486: Wrong user name when sentry HMSFollower gets full snapshot from HMS at insecure mode (Na Li, reviewed by Arjun Mishra, Kalyan Kumar Kalvagadda)
Date Mon, 28 Jan 2019 21:01:13 GMT
This is an automated email from the ASF dual-hosted git repository.

linaataustin pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/sentry.git


The following commit(s) were added to refs/heads/master by this push:
     new 63f7f89  SENTRY-2486: Wrong user name when sentry HMSFollower gets full snapshot
from HMS at insecure mode (Na Li, reviewed by Arjun Mishra, Kalyan Kumar Kalvagadda)
63f7f89 is described below

commit 63f7f8939bc9a02272a4033b07ee4cb95d8d4785
Author: lina.li <lina.li@cloudera.com>
AuthorDate: Mon Jan 28 14:58:09 2019 -0600

    SENTRY-2486: Wrong user name when sentry HMSFollower gets full snapshot from HMS at insecure
mode (Na Li, reviewed by Arjun Mishra, Kalyan Kumar Kalvagadda)
---
 .../service/thrift/HiveSimpleConnectionFactory.java       | 10 +++++++---
 .../provider/db/service/persistent/TestHMSFollower.java   |  2 ++
 .../sentry/tests/e2e/hdfs/TestHDFSIntegrationBase.java    | 15 +++++++++++----
 3 files changed, 20 insertions(+), 7 deletions(-)

diff --git a/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/service/thrift/HiveSimpleConnectionFactory.java
b/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/service/thrift/HiveSimpleConnectionFactory.java
index 31e58fd..f57175c 100644
--- a/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/service/thrift/HiveSimpleConnectionFactory.java
+++ b/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/service/thrift/HiveSimpleConnectionFactory.java
@@ -76,6 +76,7 @@ public final class HiveSimpleConnectionFactory implements HiveConnectionFactory
       return;
     }
 
+    LOGGER.info("Using secured connection to HMS");
     int port = conf.getInt(ServerConfig.RPC_PORT, ServerConfig.RPC_PORT_DEFAULT);
     String rawPrincipal = Preconditions.checkNotNull(conf.get(ServerConfig.PRINCIPAL),
         "%s is required", ServerConfig.PRINCIPAL);
@@ -106,11 +107,14 @@ public final class HiveSimpleConnectionFactory implements HiveConnectionFactory
    * @throws MetaException        if other errors happened
    */
   public HMSClient connect() throws IOException, InterruptedException, MetaException {
+    UserGroupInformation clientUGI;
+
     if (insecure) {
-      return new HMSClient(new HiveMetaStoreClient(hiveConf));
-    }
-    UserGroupInformation clientUGI =
+      clientUGI = UserGroupInformation.getCurrentUser();
+    } else {
+      clientUGI =
         UserGroupInformation.getUGIFromSubject(kerberosContext.getSubject());
+    }
     return new HMSClient(clientUGI.doAs(new PrivilegedExceptionAction<HiveMetaStoreClient>()
{
       @Override
       public HiveMetaStoreClient run() throws MetaException {
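Review bot: In the insecure branch of connect(), the identity presented to HMS is now whatever `UserGroupInformation.getCurrentUser()` resolves on the calling thread, so it follows the caller's doAs context or the process login user, and under simple authentication it is asserted rather than proven. Nothing in the hunk records which user was chosen, although the secured path in the previous hunk gained an info log. A line such as `LOGGER.info("Using insecure connection to HMS as user {}", clientUGI.getShortUserName());` after the assignment would make an unexpected user visible in the service log (this assumes LOGGER accepts parameterized messages, which the hunk does not show). A short comment on the branch saying that this user has to be listed in the metastore's `sentry.metastore.service.users`, as the test changes in this commit suggest, would also help operators. The body of the anonymous PrivilegedExceptionAction continues outside the hunk.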
diff --git a/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/provider/db/service/persistent/TestHMSFollower.java
b/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/provider/db/service/persistent/TestHMSFollower.java
index 0d62941..310cf6a 100644
--- a/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/provider/db/service/persistent/TestHMSFollower.java
+++ b/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/provider/db/service/persistent/TestHMSFollower.java
@@ -53,6 +53,7 @@ import org.apache.sentry.binding.metastore.messaging.json.SentryJSONMessageFacto
 import org.apache.sentry.core.common.utils.PubSub;
 import org.apache.sentry.core.common.utils.SentryConstants;
 import org.apache.sentry.hdfs.UniquePathsUpdate;
+import org.apache.sentry.service.common.ServiceConstants.ServerConfig;
 import org.apache.sentry.service.thrift.SentryHMSClient;
 import org.apache.sentry.service.thrift.HiveConnectionFactory;
 import org.apache.sentry.service.thrift.HiveSimpleConnectionFactory;
@@ -85,6 +86,7 @@ public class TestHMSFollower {
 
   @BeforeClass
   public static void setup() throws IOException, LoginException {
+    configuration.set(ServerConfig.PRINCIPAL, "sentry/_HOST@TEST.COM");
     hiveConnectionFactory = new HiveSimpleConnectionFactory(configuration, new HiveConf());
     hiveConnectionFactory.init();
     configuration.set("sentry.hive.sync.create", "true");
diff --git a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hdfs/TestHDFSIntegrationBase.java
b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hdfs/TestHDFSIntegrationBase.java
index 47f7466..4c09e68 100644
--- a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hdfs/TestHDFSIntegrationBase.java
+++ b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hdfs/TestHDFSIntegrationBase.java
@@ -193,6 +193,7 @@ public abstract class TestHDFSIntegrationBase {
   protected static File policyFileLocation;
   protected static UserGroupInformation adminUgi;
   protected static UserGroupInformation hiveUgi;
+  protected static UserGroupInformation sentryUgi;
 
   // Variables which are used for cleanup after test
   // Please set these values in each test
@@ -520,6 +521,9 @@ public abstract class TestHDFSIntegrationBase {
     hiveUgi = UserGroupInformation.createUserForTesting(
         "hive", new String[] { "hive" });
 
+    sentryUgi = UserGroupInformation.createUserForTesting(
+        "sentry", new String[] { "sentry" });
+
     // Create SentryService and its internal objects.
     // Set Sentry port
     createSentry();
@@ -579,7 +583,8 @@ public abstract class TestHDFSIntegrationBase {
         // on the storage.
         hiveConf.set("hive.metastore.authorization.storage.checks", "true");
         hiveConf.set("hive.metastore.uris", "thrift://localhost:" + hmsPort);
-        hiveConf.set("sentry.metastore.service.users", "hive");// queries made by hive user
(beeline) skip meta store check
+        // queries made by hive user (beeline) and sentry to HMS skip meta store check
+        hiveConf.set("sentry.metastore.service.users", "hive,sentry");
 
         File confDir = assertCreateDir(new File(baseDir, "etc"));
         File hiveSite = new File(confDir, "hive-site.xml");
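Review bot: Adding `sentry` to `sentry.metastore.service.users` widens the set of user names that skip the metastore check, and the new comment does not say why this is needed or what it implies outside the test. In insecure mode the user name is supplied by the client, so this list is only as trustworthy as network access to HMS. I would extend the comment to something like `// HMSFollower connects to HMS as the sentry service user; listed users skip the metastore authorization check, so keep this list minimal`. The same applies to the identical change in the hunk at -662,7 +667,8.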
@@ -662,7 +667,8 @@ public abstract class TestHDFSIntegrationBase {
         hiveConf.set("hive.metastore.event.message.factory", "org.apache.sentry.binding.metastore.messaging.json.SentryJSONMessageFactory");
         hiveConf.set("hive.security.authorization.task.factory", "org.apache.sentry.binding.hive.SentryHiveAuthorizationTaskFactoryImpl");
         hiveConf.set("hive.server2.session.hook", "org.apache.sentry.binding.hive.HiveAuthzBindingSessionHook");
-        hiveConf.set("sentry.metastore.service.users", "hive");// queries made by hive user
(beeline) skip meta store check
+        // queries made by hive user (beeline) and sentry to HMS skip meta store check
+        hiveConf.set("sentry.metastore.service.users", "hive,sentry");
         // make sure metastore calls sentry post event listener
         hiveConf.set("hive.metastore.event.listeners", "org.apache.sentry.binding.metastore.SentrySyncHMSNotificationsPostEventListener");
 
@@ -852,7 +858,7 @@ public abstract class TestHDFSIntegrationBase {
     }
     SentryHDFSServiceClientFactory.factoryReset();
     try {
-      hiveUgi.doAs(new PrivilegedExceptionAction() {
+      sentryUgi.doAs(new PrivilegedExceptionAction() {
         @Override
         public Void run() throws Exception {
           sentryServer.startAll();
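Review bot: The changed line keeps the raw type `new PrivilegedExceptionAction()` although `run()` returns `Void`, while the matching call in createSentry() in the next hunk uses `PrivilegedExceptionAction<Void>`. Writing `sentryUgi.doAs(new PrivilegedExceptionAction<Void>() {` here avoids the unchecked warning and keeps the two call sites consistent. The enclosing method starts and ends outside the hunk.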
@@ -869,10 +875,11 @@ public abstract class TestHDFSIntegrationBase {
   private static void createSentry() throws Exception {
     try {
 
-      hiveUgi.doAs(new PrivilegedExceptionAction<Void>() {
+      sentryUgi.doAs(new PrivilegedExceptionAction<Void>() {
         @Override
         public Void run() throws Exception {
           sentryConf.set(SENTRY_HDFS_INTEGRATION_PATH_PREFIXES, MANAGED_PREFIXES);
+          sentryProperties.put(ServerConfig.PRINCIPAL, "sentry/_HOST@TEST.COM");
           sentryProperties.put(HiveServerFactory.AUTHZ_PROVIDER_BACKEND,
               SimpleDBProviderBackend.class.getName());
           sentryProperties.put(ConfVars.HIVE_AUTHORIZATION_TASK_FACTORY.varname,
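Review bot: The added `sentryProperties.put(ServerConfig.PRINCIPAL, "sentry/_HOST@TEST.COM");` has no comment explaining why a Kerberos-style principal is set in what appears to be a non-Kerberos test setup, and the same literal is repeated in TestHMSFollower.setup(). If the value is only there to satisfy configuration that reads the principal, a one-line comment saying so would prevent a reader from assuming Kerberos is exercised here; the code that consumes the property is not visible in this diff. Sharing one test constant for the literal would keep the two tests in step. The anonymous class and createSentry() continue past the end of the hunk.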

