IMPALA-3554: Use kerberos principal in SentryProxy class For kerberized clusters, users expect the Catalog service to use the kerberos principal instead of the operating system user that runs the Catalog process. This patch fixes that.
Change-Id: I842e558e59023c7d937796a4cac51a013d948e02
Reviewed-on: http://gerrit.cloudera.org:8080/3165
Reviewed-by: Bharath Vissapragada <[email protected]>
Tested-by: Internal Jenkins
Project: http://git-wip-us.apache.org/repos/asf/incubator-impala/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-impala/commit/e26dc856
Tree: http://git-wip-us.apache.org/repos/asf/incubator-impala/tree/e26dc856
Diff: http://git-wip-us.apache.org/repos/asf/incubator-impala/diff/e26dc856
Branch: refs/heads/master
Commit: e26dc856847ec01fde9fc4bc77fbc0f7937a2a61
Parents: 0b7ae6e
Author: Bharath Vissapragada <[email protected]>
Authored: Fri May 20 22:44:12 2016 -0700
Committer: Tim Armstrong <[email protected]>
Committed: Tue May 31 23:32:10 2016 -0700
----------------------------------------------------------------------
 be/src/catalog/catalog.cc | 5 +++--
 .../impala/catalog/CatalogServiceCatalog.java | 4 ++--
 .../java/com/cloudera/impala/service/JniCatalog.java | 4 ++--
 .../java/com/cloudera/impala/util/SentryProxy.java | 14 +++++++++++---
 .../impala/testutil/CatalogServiceTestCatalog.java | 2 +-
 5 files changed, 19 insertions(+), 10 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-impala/blob/e26dc856/be/src/catalog/catalog.cc
----------------------------------------------------------------------
diff --git a/be/src/catalog/catalog.cc b/be/src/catalog/catalog.cc
index 26810f1..113cda4 100644
--- a/be/src/catalog/catalog.cc
+++ b/be/src/catalog/catalog.cc
@@ -41,7 +41,7 @@ DECLARE_int32(non_impala_java_vlog);
 Catalog::Catalog() {
 JniMethodDescriptor methods[] = {
- {"<init>", "(ZILjava/lang/String;IIZ)V", &catalog_ctor_},
+ {"<init>", "(ZILjava/lang/String;IIZLjava/lang/String;)V", &catalog_ctor_},
 {"updateCatalog", "([B)[B", &update_metastore_id_},
 {"execDdl", "([B)[B", &exec_ddl_id_},
 {"resetMetadata", "([B)[B", &reset_metadata_id_},
@@ -70,10 +70,11 @@ Catalog::Catalog() {
 // auth_to_local rules are read if --load_auth_to_local_rules is set to true
 // and impala is kerberized.
 jboolean auth_to_local = FLAGS_load_auth_to_local_rules && !FLAGS_principal.empty();
+ jstring principal = jni_env->NewStringUTF(FLAGS_principal.c_str());
 jobject catalog = jni_env->NewObject(catalog_class_, catalog_ctor_, load_in_background, num_metadata_loading_threads, sentry_config, FlagToTLogLevel(FLAGS_v), FlagToTLogLevel(FLAGS_non_impala_java_vlog),
- auth_to_local);
+ auth_to_local, principal);
 EXIT_IF_EXC(jni_env);
 ABORT_IF_ERROR(JniUtil::LocalToGlobalRef(jni_env, catalog, &catalog_));
 }
http://git-wip-us.apache.org/repos/asf/incubator-impala/blob/e26dc856/fe/src/main/java/com/cloudera/impala/catalog/CatalogServiceCatalog.java
----------------------------------------------------------------------
diff --git a/fe/src/main/java/com/cloudera/impala/catalog/CatalogServiceCatalog.java b/fe/src/main/java/com/cloudera/impala/catalog/CatalogServiceCatalog.java
index 4ac7b81..a55b0d3 100644
--- a/fe/src/main/java/com/cloudera/impala/catalog/CatalogServiceCatalog.java
+++ b/fe/src/main/java/com/cloudera/impala/catalog/CatalogServiceCatalog.java
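Review bot: The new `jstring principal = jni_env->NewStringUTF(FLAGS_principal.c_str());` is handed straight to NewObject without a check, while the existing `EXIT_IF_EXC(jni_env)` only runs after the constructor call; NewStringUTF can return NULL with an OutOfMemoryError pending, and invoking further JNI functions while an exception is pending is not defined behaviour. Adding `EXIT_IF_EXC(jni_env);` directly after the NewStringUTF line keeps the fail-fast behaviour the rest of this constructor already relies on, and the same check presumably belongs after whatever creates sentry_config above the hunk, which is outside this view. The local reference `principal` is also never released, which is harmless for a once-per-process constructor but worth a DeleteLocalRef if the surrounding code does that for sentry_config. Catalog::Catalog() starts before this hunk.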
@@ -155,14 +155,14 @@ public class CatalogServiceCatalog extends Catalog {
 * will be loaded in the background
 */
 public CatalogServiceCatalog(boolean loadInBackground, int numLoadingThreads,
- SentryConfig sentryConfig, TUniqueId catalogServiceId) {
+ SentryConfig sentryConfig, TUniqueId catalogServiceId, String kerberosPrincipal) {
 super(true);
 catalogServiceId_ = catalogServiceId;
 tableLoadingMgr_ = new TableLoadingMgr(this, numLoadingThreads);
 loadInBackground_ = loadInBackground;
 cachePoolReader_.scheduleAtFixedRate(new CachePoolReader(), 0, 1, TimeUnit.MINUTES);
 if (sentryConfig != null) {
- sentryProxy_ = new SentryProxy(sentryConfig, this);
+ sentryProxy_ = new SentryProxy(sentryConfig, this, kerberosPrincipal);
 } else {
 sentryProxy_ = null;
 }
http://git-wip-us.apache.org/repos/asf/incubator-impala/blob/e26dc856/fe/src/main/java/com/cloudera/impala/service/JniCatalog.java
----------------------------------------------------------------------
diff --git a/fe/src/main/java/com/cloudera/impala/service/JniCatalog.java b/fe/src/main/java/com/cloudera/impala/service/JniCatalog.java
index eb3ac92..4a4d529 100644
--- a/fe/src/main/java/com/cloudera/impala/service/JniCatalog.java
+++ b/fe/src/main/java/com/cloudera/impala/service/JniCatalog.java
@@ -77,7 +77,7 @@ public class JniCatalog {
 public JniCatalog(boolean loadInBackground, int numMetadataLoadingThreads, String sentryServiceConfig, int impalaLogLevel, int otherLogLevel,
- boolean allowAuthToLocal) throws InternalException {
+ boolean allowAuthToLocal, String kerberosPrincipal) throws InternalException {
 BackendConfig.setAuthToLocal(allowAuthToLocal);
 Preconditions.checkArgument(numMetadataLoadingThreads > 0);
 // This trick saves having to pass a TLogLevel enum, which is an object and more
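Review bot: The Javadoc that closes with `*/` right above the CatalogServiceCatalog constructor is not updated for the new `kerberosPrincipal` parameter, so nothing at the call site says that null or an empty string is accepted and means "authenticate to Sentry as the OS user" — CatalogServiceTestCatalog already passes null relying on exactly that. Suggest adding `@param kerberosPrincipal Kerberos principal the Catalog runs as, used as the Sentry admin identity; null or empty falls back to the process user` (the rest of that Javadoc is above the hunk). The JniCatalog constructor in the next hunk has the same gap, and there the value arrives from catalog.cc via NewStringUTF, so an unset --principal shows up as "" rather than null, which is worth stating since only the Strings.isNullOrEmpty check in SentryProxy makes the two cases equivalent. Both constructors continue past their hunks.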
@@ -94,7 +94,7 @@ public class JniCatalog {
 LOG.info(JniUtil.getJavaVersion());
 catalog_ = new CatalogServiceCatalog(loadInBackground,
- numMetadataLoadingThreads, sentryConfig, getServiceId());
+ numMetadataLoadingThreads, sentryConfig, getServiceId(), kerberosPrincipal);
 try {
 catalog_.reset();
 } catch (CatalogException e) {
http://git-wip-us.apache.org/repos/asf/incubator-impala/blob/e26dc856/fe/src/main/java/com/cloudera/impala/util/SentryProxy.java
----------------------------------------------------------------------
diff --git a/fe/src/main/java/com/cloudera/impala/util/SentryProxy.java b/fe/src/main/java/com/cloudera/impala/util/SentryProxy.java
index 9b0fdce..c7c7480 100644
--- a/fe/src/main/java/com/cloudera/impala/util/SentryProxy.java
+++ b/fe/src/main/java/com/cloudera/impala/util/SentryProxy.java
@@ -36,6 +36,7 @@ import com.cloudera.impala.common.ImpalaException;
 import com.cloudera.impala.common.ImpalaRuntimeException;
 import com.cloudera.impala.thrift.TPrivilege;
 import com.google.common.base.Preconditions;
+import com.google.common.base.Strings;
 import com.google.common.collect.Lists;
 import com.google.common.collect.Sets;
@@ -65,14 +66,21 @@ public class SentryProxy {
 // The interface to access the Sentry Policy Service to read policy metadata.
 private final SentryPolicyService sentryPolicyService_;
- // This is user that the Catalog Service is running as. This user should always be a
+ // This is the user that the Catalog Service is running as. For kerberized clusters,
+ // this is set to the Kerberos principal of Catalog. This user should always be a
 // Sentry Service admin => have full rights to read/update the Sentry Service.
- private final User processUser_ = new User(System.getProperty("user.name"));
+ private final User processUser_;
- public SentryProxy(SentryConfig sentryConfig, CatalogServiceCatalog catalog) {
+ public SentryProxy(SentryConfig sentryConfig, CatalogServiceCatalog catalog,
+ String kerberosPrincipal) {
 Preconditions.checkNotNull(catalog);
 Preconditions.checkNotNull(sentryConfig);
 catalog_ = catalog;
+ if (Strings.isNullOrEmpty(kerberosPrincipal)) {
+ processUser_ = new User(System.getProperty("user.name"));
+ } else {
+ processUser_ = new User(kerberosPrincipal);
+ }
 sentryPolicyService_ = new SentryPolicyService(sentryConfig);
 // Sentry Service is enabled.
 // TODO: Make this configurable
http://git-wip-us.apache.org/repos/asf/incubator-impala/blob/e26dc856/fe/src/test/java/com/cloudera/impala/testutil/CatalogServiceTestCatalog.java
----------------------------------------------------------------------
diff --git a/fe/src/test/java/com/cloudera/impala/testutil/CatalogServiceTestCatalog.java b/fe/src/test/java/com/cloudera/impala/testutil/CatalogServiceTestCatalog.java
index 35cb4bd..c115369 100644
--- a/fe/src/test/java/com/cloudera/impala/testutil/CatalogServiceTestCatalog.java
+++ b/fe/src/test/java/com/cloudera/impala/testutil/CatalogServiceTestCatalog.java
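Review bot: `processUser_ = new User(kerberosPrincipal)` changes the identity the Catalog presents to Sentry from the short OS user name to the full principal string handed over from --principal, and whether Sentry ever sees a short form depends on `User` applying auth_to_local rules — which catalog.cc enables only when --load_auth_to_local_rules is set alongside the principal, and which I cannot confirm from this diff. A deployment whose Sentry admin list holds the bare process user therefore loses Catalog admin rights after this change until the list or the auth_to_local rules are adjusted, so the comment above processUser_ should say which name form is sent, e.g. `// Without auth_to_local rules this is the full principal (with realm); the Sentry admin list must match it.` Because the empty-string branch silently falls back to the OS user, a single log line in the constructor naming the chosen identity (assuming SentryProxy has a logger like JniCatalog's LOG) would surface a misconfigured principal in the logs instead of as a later authorization failure. The constructor body continues past the hunk.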
@@ -28,7 +28,7 @@ public class CatalogServiceTestCatalog extends CatalogServiceCatalog {
 public CatalogServiceTestCatalog(boolean loadInBackground, int numLoadingThreads, SentryConfig sentryConfig, TUniqueId catalogServiceId) {
- super(loadInBackground, numLoadingThreads, sentryConfig, catalogServiceId);
+ super(loadInBackground, numLoadingThreads, sentryConfig, catalogServiceId, null);
 // Cache pools are typically loaded asynchronously, but as there is no fixed execution
 // order for tests, the cache pools are loaded synchronously before the tests are
