Repository: sentry Updated Branches: refs/heads/sentry-ha-redesign d8df78279 -> 68ed22c15
SENTRY-1736: Generic service client should support Kerberos (Kalyan Kalvagadda, Reviewed by: Alexander Kolbasov, Vadim Spector, Vamsee Yarlagadda) Project: http://git-wip-us.apache.org/repos/asf/sentry/repo Commit: http://git-wip-us.apache.org/repos/asf/sentry/commit/68ed22c1 Tree: http://git-wip-us.apache.org/repos/asf/sentry/tree/68ed22c1 Diff: http://git-wip-us.apache.org/repos/asf/sentry/diff/68ed22c1 Branch: refs/heads/sentry-ha-redesign Commit: 68ed22c15c7716f96555f2c832ac16d3eb9465b7 Parents: d8df782 Author: Vamsee Yarlagadda <[email protected]> Authored: Thu May 18 19:06:08 2017 -0700 Committer: Vamsee Yarlagadda <[email protected]> Committed: Thu May 18 19:06:08 2017 -0700 ---------------------------------------------------------------------- .../transport/SentryTransportFactory.java | 5 +- .../UserGroupInformationInitializer.java | 53 ++++++++++++++++++++ .../SentryGenericServiceClientDefaultImpl.java | 11 +--- 3 files changed, 56 insertions(+), 13 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/sentry/blob/68ed22c1/sentry-core/sentry-core-common/src/main/java/org/apache/sentry/core/common/transport/SentryTransportFactory.java ---------------------------------------------------------------------- diff --git a/sentry-core/sentry-core-common/src/main/java/org/apache/sentry/core/common/transport/SentryTransportFactory.java b/sentry-core/sentry-core-common/src/main/java/org/apache/sentry/core/common/transport/SentryTransportFactory.java index 9b9f9e8..f609d33 100644 --- a/sentry-core/sentry-core-common/src/main/java/org/apache/sentry/core/common/transport/SentryTransportFactory.java +++ b/sentry-core/sentry-core-common/src/main/java/org/apache/sentry/core/common/transport/SentryTransportFactory.java 
@@ -74,9 +74,8 @@ public class SentryTransportFactory { super(mechanism, null, protocol, serverName, SASL_PROPERTIES, null, transport); if (wrapUgi) { - // If we don't set the configuration, the UGI will be created based on - // what's on the classpath, which may lack the kerberos changes we require - UserGroupInformation.setConfiguration(conf); + //Re-initializing UserGroupInformation, if needed + UserGroupInformationInitializer.initialize(conf); ugi = UserGroupInformation.getLoginUser(); } } http://git-wip-us.apache.org/repos/asf/sentry/blob/68ed22c1/sentry-core/sentry-core-common/src/main/java/org/apache/sentry/core/common/transport/UserGroupInformationInitializer.java ---------------------------------------------------------------------- diff --git a/sentry-core/sentry-core-common/src/main/java/org/apache/sentry/core/common/transport/UserGroupInformationInitializer.java b/sentry-core/sentry-core-common/src/main/java/org/apache/sentry/core/common/transport/UserGroupInformationInitializer.java new file mode 100644 index 0000000..4c7487d --- /dev/null +++ b/sentry-core/sentry-core-common/src/main/java/org/apache/sentry/core/common/transport/UserGroupInformationInitializer.java 
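Review bot: The replacement comment `//Re-initializing UserGroupInformation, if needed` drops the reason the old comment gave and hides a behaviour change at this call site. Each `wrapUgi` construction used to apply its own `conf` through `UserGroupInformation.setConfiguration(conf)`, whereas `UserGroupInformationInitializer.initialize(conf)` (added in this commit) acts only on the first call in the JVM, so a transport built later with a different `conf` has `getLoginUser()` resolved under whichever configuration arrived first. I would say so here, e.g. `// UGI configuration is process-wide: only the first conf passed to initialize() is applied, with Kerberos authentication forced`. It is also worth confirming that a login user cached before that first call is not returned unchanged by `getLoginUser()`. The enclosing constructor starts above the hunk.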
@@ -0,0 +1,53 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ * <p>
+ * http://www.apache.org/licenses/LICENSE-2.0
+ * <p>
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.sentry.core.common.transport;
+
+import org.apache.hadoop.conf.Configuration;
+import org.apache.hadoop.security.UserGroupInformation;
+
+import static org.apache.hadoop.fs.CommonConfigurationKeysPublic.HADOOP_SECURITY_AUTHENTICATION;
+import static org.apache.sentry.core.common.utils.SentryConstants.KERBEROS_MODE;
+
+/**
+ * Wrapper to initialize UserGroupInformation
+ */
+
+public class UserGroupInformationInitializer {
+
+ // initialize() method could be called my multiple threads.
+ // to attain visibility guarantee on isInitialized, it is declared volatile.
+ private static volatile boolean isInitialized = false;
+
+ // initialization block may be executed multiple times. This is fine as setConfiguration is
+ // thread-safe
+ public static void initialize(Configuration conf) {
+ if(!isInitialized) {
+ Configuration newConf = new Configuration(conf);
+ // When kerberos is enabled, UserGroupInformation should have been initialized with
+ // HADOOP_SECURITY_AUTHENTICATION property. There are instances where this is not done.
+ // Example: Solr and Kafka while using sentry generic clients were not updating this + // property. Instead of depending on the callers to update this configuration and to be + // sure that UserGroupInformation is properly initialized, sentry client is explicitly + // doing it, + newConf.set(HADOOP_SECURITY_AUTHENTICATION, KERBEROS_MODE); + UserGroupInformation.setConfiguration(newConf); + isInitialized = true; + } + } +} \ No newline at end of file http://git-wip-us.apache.org/repos/asf/sentry/blob/68ed22c1/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/service/thrift/SentryGenericServiceClientDefaultImpl.java ---------------------------------------------------------------------- diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/service/thrift/SentryGenericServiceClientDefaultImpl.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/service/thrift/SentryGenericServiceClientDefaultImpl.java index b7ac640..e23d13b 100644 --- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/service/thrift/SentryGenericServiceClientDefaultImpl.java +++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/service/thrift/SentryGenericServiceClientDefaultImpl.java @@ -22,8 +22,6 @@ import java.util.*; import org.apache.hadoop.conf.Configuration; -//import static org.apache.hadoop.fs.CommonConfigurationKeysPublic.HADOOP_SECURITY_AUTHENTICATION; - import org.apache.sentry.core.common.exception.SentryUserException; import org.apache.sentry.core.common.ActiveRoleSet; import org.apache.sentry.core.common.Authorizable; 
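Review bot: `UserGroupInformationInitializer.initialize()` replaces the process-wide UGI configuration with a copy of the Sentry client's `conf` and forces `HADOOP_SECURITY_AUTHENTICATION` to `KERBEROS_MODE` without looking at what the host process has already set up. The caller visible in this commit guards the call with `wrapUgi`, but the method is public and static, so any other caller switches authentication for every Hadoop client in the JVM, and the copy may lack security settings the host (the comment names Solr and Kafka) installed itself. If "if needed" is meant literally, wrap the `newConf.set(...)`/`setConfiguration(newConf)` pair in `if (!UserGroupInformation.isSecurityEnabled()) { ... }` and still set `isInitialized` afterwards. The class Javadoc should state the side effect, for example `Forces Kerberos authentication into the JVM-wide UserGroupInformation configuration; only the first call has any effect.`, and the field comment should read "called by multiple threads".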
@@ -63,15 +61,8 @@ public class SentryGenericServiceClientDefaultImpl implements SentryGenericServi private static final String THRIFT_EXCEPTION_MESSAGE = "Thrift exception occured "; public SentryGenericServiceClientDefaultImpl(Configuration conf, SentryPolicyClientTransportConfig transportConfig) throws IOException { - - //TODO(kalyan) need to find appropriate place to add it - // if (kerberos) { - // // since the client uses hadoop-auth, we need to set kerberos in - // // hadoop-auth if we plan to use kerberos - // conf.set(HADOOP_SECURITY_AUTHENTICATION, SentryConstants.KERBEROS_MoODE); - // } - this.conf = conf; transportFactory = new SentryTransportFactory(conf, transportConfig); + this.conf = conf; } /**
