Repository: sentry Updated Branches: refs/heads/sentry-ha-redesign 80070f277 -> 48fea2042
SENTRY-1749: Sentry to use keytab supplied instead of local unix user tgt for connecting to HMS (Vamsee Yarlagadda, Reviewed by: Alexander Kolbasov, Kalyan Kalvagadda)

Project: http://git-wip-us.apache.org/repos/asf/sentry/repo
Commit: http://git-wip-us.apache.org/repos/asf/sentry/commit/48fea204
Tree: http://git-wip-us.apache.org/repos/asf/sentry/tree/48fea204
Diff: http://git-wip-us.apache.org/repos/asf/sentry/diff/48fea204

Branch: refs/heads/sentry-ha-redesign
Commit: 48fea20427ce8daad6aa3fa2658d06c624bdb7d6
Parents: 80070f2
Author: Vamsee Yarlagadda <[email protected]>
Authored: Wed May 3 21:55:50 2017 -0700
Committer: Vamsee Yarlagadda <[email protected]>
Committed: Thu May 4 16:15:34 2017 -0700

----------------------------------------------------------------------
 .../org/apache/sentry/service/thrift/HMSFollower.java | 13 ++++++-------
 1 file changed, 6 insertions(+), 7 deletions(-)
----------------------------------------------------------------------

http://git-wip-us.apache.org/repos/asf/sentry/blob/48fea204/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/HMSFollower.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/HMSFollower.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/HMSFollower.java
index ec8676e..99549bc 100644
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/HMSFollower.java
+++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/HMSFollower.java
@@ -30,6 +30,7 @@ import org.apache.hadoop.hive.metastore.api.NotificationEventResponse;
 import org.apache.hadoop.net.NetUtils;
 import org.apache.hadoop.security.SaslRpcServer;
 import org.apache.hadoop.security.SecurityUtil;
+import org.apache.hadoop.security.UserGroupInformation;
 import org.apache.hive.hcatalog.messaging.HCatEventMessage;
 import org.apache.sentry.binding.hive.conf.HiveAuthzConf;
 import org.apache.sentry.core.common.exception.SentryInvalidHMSEventException;
@@ -46,12 +47,10 @@ import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.apache.sentry.binding.metastore.messaging.json.*;
-import javax.security.auth.Subject;
 import javax.security.auth.login.LoginException;
 import java.io.File;
 import java.io.IOException;
 import java.net.SocketException;
-import java.security.PrivilegedActionException;
 import java.security.PrivilegedExceptionAction;
 import java.util.List;
 import java.util.Map;
@@ -118,7 +117,7 @@ public class HMSFollower implements Runnable {
    * Throws @MetaException if there was a problem on creating an HMSClient
    */
   private HiveMetaStoreClient getMetaStoreClient(Configuration conf)
-      throws LoginException, MetaException, PrivilegedActionException {
+      throws IOException, InterruptedException, LoginException, MetaException {
     if(client != null) {
       return client;
     }
@@ -159,9 +158,12 @@ public class HMSFollower implements Runnable {
       // Instantiating SentryKerberosContext in non-server mode handles the ticket renewal.
       kerberosContext = new SentryKerberosContext(principal, keytab, false);
+      UserGroupInformation.setConfiguration(hiveConf);
+      UserGroupInformation clientUGI = UserGroupInformation.getUGIFromSubject(kerberosContext.getSubject());
+
       // HiveMetaStoreClient handles the connection retry logic to HMS and can be configured using properties:
       // hive.metastore.connect.retries, hive.metastore.client.connect.retry.delay
-      client = Subject.doAs(kerberosContext.getSubject(), new PrivilegedExceptionAction<HiveMetaStoreClient>() {
+      client = clientUGI.doAs(new PrivilegedExceptionAction<HiveMetaStoreClient>() {
         @Override
         public HiveMetaStoreClient run() throws Exception {
           return new HiveMetaStoreClient(hiveConf);
@@ -172,9 +174,6 @@ public class HMSFollower implements Runnable {
       // Kerberos login failed
       LOGGER.error("Failed to setup kerberos context.");
       throw e;
-    } catch (PrivilegedActionException e) {
-      LOGGER.error("Failed to setup secure connection to HMS.");
-      throw e;
     } finally {
       // Shutdown kerberos context if HMS connection failed to setup to avoid thread leaks.
       if ((kerberosContext != null) && (client == null)) {
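Review bot: The removed `catch (PrivilegedActionException e)` block has no replacement for the checked failure path of the new `clientUGI.doAs(...)`: Hadoop's `UserGroupInformation.doAs` rethrows only IOException, InterruptedException, RuntimeException and Error from the action and wraps any other checked cause — including the `MetaException` that `new HiveMetaStoreClient(hiveConf)` can throw — in `UndeclaredThrowableException`, so a failed secure connection now escapes as an unchecked exception that the declared `throws MetaException` no longer describes, and the "Failed to setup secure connection to HMS." log line is lost with it. Consider unwrapping it in the catch chain (this needs an import of `java.lang.reflect.UndeclaredThrowableException`), as sketched below. Separately, `UserGroupInformation.setConfiguration(hiveConf)` mutates JVM-wide UGI state (authentication method and Kerberos name rules) on every call to getMetaStoreClient, so if the Sentry service has already initialised UGI from its own configuration elsewhere, this should probably happen once at startup rather than on each HMS (re)connect — worth confirming. The try/catch these hunks edit opens before the first of them and getMetaStoreClient continues past the last one.
```java
    } catch (UndeclaredThrowableException e) {
      // UserGroupInformation.doAs wraps checked causes other than IOException/InterruptedException
      LOGGER.error("Failed to setup secure connection to HMS.", e.getCause());
      if (e.getCause() instanceof MetaException) {
        throw (MetaException) e.getCause();
      }
      throw e;
    } finally {
      // … unchanged: kerberosContext shutdown on failure …
```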
