SENTRY-1777: Generic service client should support Kerberos(Continuation Fix) (Kalyan Kalvagadda, Reviewed by: Vamsee Yarlagadda)
CDH-54182 Change-Id: I585a68c4835527982ffd4b597922f9acfc1ad8bd Reviewed-on: http://gerrit.sjc.cloudera.com:8080/22940 Reviewed-by: Na Li <[email protected]> Reviewed-by: Vamsee Yarlagadda <[email protected]> Tested-by: Jenkins User Project: http://git-wip-us.apache.org/repos/asf/sentry/repo Commit: http://git-wip-us.apache.org/repos/asf/sentry/commit/77b43f11 Tree: http://git-wip-us.apache.org/repos/asf/sentry/tree/77b43f11 Diff: http://git-wip-us.apache.org/repos/asf/sentry/diff/77b43f11 Branch: refs/for/cdh5-1.5.1_ha Commit: 77b43f110d20f04d24b2bef8530adc5fa7e9f27a Parents: afe476b Author: Vamsee Yarlagadda <[email protected]> Authored: Mon May 22 11:29:47 2017 -0700 Committer: Vamsee Yarlagadda <[email protected]> Committed: Mon May 22 12:51:48 2017 -0700 ---------------------------------------------------------------------- .../transport/SentryTransportFactory.java | 8 ++- .../hdfs/TestSentryHDFSServiceClientForUgi.java | 70 +++++++++++++++++++ .../TestSentryGenericServiceClientForUgi.java | 68 +++++++++++++++++++ .../TestSentryPolicyServiceClientForUgi.java | 71 ++++++++++++++++++++ 4 files changed, 214 insertions(+), 3 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/sentry/blob/77b43f11/sentry-core/sentry-core-common/src/main/java/org/apache/sentry/core/common/transport/SentryTransportFactory.java ---------------------------------------------------------------------- diff --git a/sentry-core/sentry-core-common/src/main/java/org/apache/sentry/core/common/transport/SentryTransportFactory.java b/sentry-core/sentry-core-common/src/main/java/org/apache/sentry/core/common/transport/SentryTransportFactory.java index f609d33..74aced2 100644 --- a/sentry-core/sentry-core-common/src/main/java/org/apache/sentry/core/common/transport/SentryTransportFactory.java +++ b/sentry-core/sentry-core-common/src/main/java/org/apache/sentry/core/common/transport/SentryTransportFactory.java 
@@ -74,8 +74,6 @@ public class SentryTransportFactory { super(mechanism, null, protocol, serverName, SASL_PROPERTIES, null, transport); if (wrapUgi) { - //Re-initializing UserGroupInformation, if needed - UserGroupInformationInitializer.initialize(conf); ugi = UserGroupInformation.getLoginUser(); } } @@ -130,7 +128,11 @@ public class SentryTransportFactory { try { this.connectionTimeout = transportConfig.getServerRpcConnTimeoutInMs(conf); this.connectionFullRetryTotal = transportConfig.getSentryFullRetryTotal(conf); - + if(transportConfig.isKerberosEnabled(conf) && + transportConfig.useUserGroupInformation(conf)) { + // Re-initializing UserGroupInformation, if needed + UserGroupInformationInitializer.initialize(conf); + } String hostsAndPortsStr = transportConfig.getSentryServerRpcAddress(conf); int serverPort = transportConfig.getServerRpcPort(conf); http://git-wip-us.apache.org/repos/asf/sentry/blob/77b43f11/sentry-hdfs/sentry-hdfs-service/src/test/java/org/apache/sentry/hdfs/TestSentryHDFSServiceClientForUgi.java ---------------------------------------------------------------------- diff --git a/sentry-hdfs/sentry-hdfs-service/src/test/java/org/apache/sentry/hdfs/TestSentryHDFSServiceClientForUgi.java b/sentry-hdfs/sentry-hdfs-service/src/test/java/org/apache/sentry/hdfs/TestSentryHDFSServiceClientForUgi.java new file mode 100644 index 0000000..09d417e --- /dev/null +++ b/sentry-hdfs/sentry-hdfs-service/src/test/java/org/apache/sentry/hdfs/TestSentryHDFSServiceClientForUgi.java 
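Review bot: Nothing visible in these hunks ties `wrapUgi` in the transport constructor to the `isKerberosEnabled(conf) && useUserGroupInformation(conf)` guard that now decides whether UserGroupInformation is re-initialized, so `UserGroupInformation.getLoginUser()` could run against a UGI that was never switched to Kerberos if the two conditions ever diverge. Since the login user is the identity the SASL transport authenticates as, I would document the invariant at the guard, e.g. `// Must cover every case where wrapUgi is true: the transport reads getLoginUser() afterwards`, or derive both from one helper. The initializer changes JVM-wide static UGI state (the new tests appear to rely on it overriding a `simple` setting), so a log line when it fires would help operators trace an unexpected authentication-mode change. Minor: `if(` should be `if (`. Both enclosing bodies extend beyond the hunks.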
@@ -0,0 +1,70 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ * <p>
+ * http://www.apache.org/licenses/LICENSE-2.0
+ * <p>
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.sentry.hdfs;
+
+import org.apache.hadoop.security.UserGroupInformation;
+import org.apache.sentry.provider.db.generic.service.thrift.SentryGenericServiceIntegrationBase;
+import org.apache.sentry.service.thrift.ServiceConstants.ServerConfig;
+import org.junit.BeforeClass;
+import org.junit.Test;
+
+import static org.apache.hadoop.fs.CommonConfigurationKeysPublic.HADOOP_SECURITY_AUTHENTICATION;
+
+public class TestSentryHDFSServiceClientForUgi extends SentryHdfsServiceIntegrationBase {
+
+ @BeforeClass
+ public static void setup() throws Exception {
+ kerberos = true;
+ beforeSetup();
+ setupConf();
+ startSentryService();
+ afterSetup();
+ }
+
+ public static void setupConf() throws Exception {
+ // If kerberos is enabled, SentryTransportFactory should make sure that
+ // HADOOP_SECURITY_AUTHENTICATION is appropriately configured.
+ SentryGenericServiceIntegrationBase.setupConf();
+ conf.set(ServerConfig.SECURITY_MODE, ServerConfig.SECURITY_MODE_KERBEROS);
+ conf.set(ServerConfig.SECURITY_USE_UGI_TRANSPORT, "true");
+ conf.set(HADOOP_SECURITY_AUTHENTICATION, "simple");
+ UserGroupInformation.setConfiguration(conf);
+ }
+
+ /**
+ * Test UserGroupInformationInitializer
+ * <p>
+ * Ensures that SentryTransportFactory is making sure that HADOOP_SECURITY_AUTHENTICATION
+ * is appropriately configured and UserGroupInformation is initialized accordingly
+ * by validating the static information in UserGroupInformation Class
+ *
+ * @throws Exception
+ */
+
+ @Test
+ public void testUserGroupInformationInitializer() throws Exception {
+ kerberos = false;
+ runTestAsSubject(new TestOperation() {
+ @Override
+ public void runTestAsSubject() throws Exception {
+ assert UserGroupInformation.isSecurityEnabled();
+ }
+ });
+ }
+}
\ No newline at end of file
http://git-wip-us.apache.org/repos/asf/sentry/blob/77b43f11/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/generic/service/thrift/TestSentryGenericServiceClientForUgi.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/generic/service/thrift/TestSentryGenericServiceClientForUgi.java b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/generic/service/thrift/TestSentryGenericServiceClientForUgi.java
new file mode 100644
index 0000000..3f84ae4
--- /dev/null
+++ b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/generic/service/thrift/TestSentryGenericServiceClientForUgi.java
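Review bot: `assert UserGroupInformation.isSecurityEnabled();` uses the Java `assert` statement, which is skipped when the JVM runs without `-ea`, so this security check can pass without verifying anything; use `Assert.assertTrue(UserGroupInformation.isSecurityEnabled());` with `import org.junit.Assert;`. The same line appears in TestSentryGenericServiceClientForUgi and TestSentryPolicyServiceClientForUgi. A message argument such as `"UGI should report security enabled after the client transport is initialised"` would make a failure self-explanatory.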
@@ -0,0 +1,68 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ * <p>
+ * http://www.apache.org/licenses/LICENSE-2.0
+ * <p>
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.sentry.provider.db.generic.service.thrift;
+
+import org.apache.hadoop.security.UserGroupInformation;
+import org.apache.sentry.service.thrift.ServiceConstants.ServerConfig;
+import org.junit.BeforeClass;
+import org.junit.Test;
+
+import static org.apache.hadoop.fs.CommonConfigurationKeysPublic.HADOOP_SECURITY_AUTHENTICATION;
+
+public class TestSentryGenericServiceClientForUgi extends SentryGenericServiceIntegrationBase {
+
+ @BeforeClass
+ public static void setup() throws Exception {
+ kerberos = true;
+ beforeSetup();
+ setupConf();
+ startSentryService();
+ afterSetup();
+ }
+
+ public static void setupConf() throws Exception {
+ // If kerberos is enabled, SentryTransportFactory should make sure that
+ // HADOOP_SECURITY_AUTHENTICATION is appropriately configured.
+ SentryGenericServiceIntegrationBase.setupConf();
+ conf.set(ServerConfig.SECURITY_MODE, ServerConfig.SECURITY_MODE_KERBEROS);
+ conf.set(ServerConfig.SECURITY_USE_UGI_TRANSPORT, "true");
+ conf.set(HADOOP_SECURITY_AUTHENTICATION, "simple");
+ UserGroupInformation.setConfiguration(conf);
+ }
+
+ /**
+ * Test UserGroupInformationInitializer
+ * <p>
+ * Ensures that SentryTransportFactory is making sure that HADOOP_SECURITY_AUTHENTICATION
+ * is appropriately configured and UserGroupInformation is initialized accordingly
+ * by validating the static information in UserGroupInformation Class
+ *
+ * @throws Exception
+ */
+ @Test
+ public void testUserGroupInformationInitializer() throws Exception {
+ kerberos = false;
+ runTestAsSubject(new TestOperation() {
+ @Override
+ public void runTestAsSubject() throws Exception {
+ assert UserGroupInformation.isSecurityEnabled();
+ }
+ });
+ }
+}
http://git-wip-us.apache.org/repos/asf/sentry/blob/77b43f11/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryPolicyServiceClientForUgi.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryPolicyServiceClientForUgi.java b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryPolicyServiceClientForUgi.java
new file mode 100644
index 0000000..ef94598
--- /dev/null
+++ b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryPolicyServiceClientForUgi.java
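Review bot: `setupConf()` pushes the test configuration into static state with `UserGroupInformation.setConfiguration(conf)`, and the test method sets the static `kerberos = false`, but the class declares no `@AfterClass` that restores either. Unless the base class teardown (not visible here) resets them, later tests in the same JVM inherit this authentication state and may pass or fail for the wrong reason. I would add an `@AfterClass` that restores `kerberos` and re-applies the previous configuration through `UserGroupInformation.setConfiguration(...)`, plus a comment on `kerberos = false;` explaining why the test flips it. The HDFS and policy variants of this test have the same gap.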
@@ -0,0 +1,71 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ * <p>
+ * http://www.apache.org/licenses/LICENSE-2.0
+ * <p>
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.sentry.provider.db.service.thrift;
+
+import org.apache.hadoop.security.UserGroupInformation;
+import org.apache.sentry.provider.db.generic.service.thrift.SentryGenericServiceIntegrationBase;
+import org.apache.sentry.service.thrift.SentryServiceIntegrationBase;
+import org.apache.sentry.service.thrift.ServiceConstants.ServerConfig;
+import org.junit.BeforeClass;
+import org.junit.Test;
+
+import static org.apache.hadoop.fs.CommonConfigurationKeysPublic.HADOOP_SECURITY_AUTHENTICATION;
+
+public class TestSentryPolicyServiceClientForUgi extends SentryServiceIntegrationBase {
+
+ @BeforeClass
+ public static void setup() throws Exception {
+ kerberos = true;
+ beforeSetup();
+ setupConf();
+ startSentryService();
+ afterSetup();
+ }
+
+ public static void setupConf() throws Exception {
+ // If kerberos is enabled, SentryTransportFactory should make sure that
+ // HADOOP_SECURITY_AUTHENTICATION is appropriately configured.
+ SentryGenericServiceIntegrationBase.setupConf();
+ conf.set(ServerConfig.SECURITY_MODE, ServerConfig.SECURITY_MODE_KERBEROS);
+ conf.set(ServerConfig.SECURITY_USE_UGI_TRANSPORT, "true");
+ conf.set(HADOOP_SECURITY_AUTHENTICATION, "simple");
+ UserGroupInformation.setConfiguration(conf);
+ }
+
+ /**
+ * Test UserGroupInformationInitializer
+ * <p>
+ * Ensures that SentryTransportFactory is making sure that HADOOP_SECURITY_AUTHENTICATION
+ * is appropriately configured and UserGroupInformation is initialized accordingly
+ * by validating the static information in UserGroupInformation Class
+ *
+ * @throws Exception
+ */
+
+ @Test
+ public void testUserGroupInformationInitializer() throws Exception {
+ kerberos = false;
+ runTestAsSubject(new TestOperation() {
+ @Override
+ public void runTestAsSubject() throws Exception {
+ assert UserGroupInformation.isSecurityEnabled();
+ }
+ });
+ }
+}
\ No newline at end of file
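Review bot: This class extends `SentryServiceIntegrationBase` yet calls `SentryGenericServiceIntegrationBase.setupConf()`, importing a class from another package only for that one call. If `setupConf()` is declared on the shared base (not visible here), writing `SentryServiceIntegrationBase.setupConf();` states the intent and drops the import. If the generic base's version really does something different, a comment such as `// uses the generic base's setup because ...` would stop it being "corrected" later. TestSentryHDFSServiceClientForUgi makes the same call from `SentryHdfsServiceIntegrationBase`.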
