SENTRY-1766 Generic model clients using kerberos can no longer connect to Sentry server
CDH-53688 Change-Id: I71f033cb86edeae375835d8dbbd48a514f2622ca Reviewed-on: http://gerrit.sjc.cloudera.com:8080/22705 Reviewed-by: Vamsee Yarlagadda <[email protected]> Reviewed-by: Na Li <[email protected]> Tested-by: Jenkins User Project: http://git-wip-us.apache.org/repos/asf/sentry/repo Commit: http://git-wip-us.apache.org/repos/asf/sentry/commit/106e736c Tree: http://git-wip-us.apache.org/repos/asf/sentry/tree/106e736c Diff: http://git-wip-us.apache.org/repos/asf/sentry/diff/106e736c Branch: refs/for/cdh5-1.5.1_ha Commit: 106e736c9837111b51a652a58624fa14782f0064 Parents: 2038160 Author: Kalyan Kumar Kalvagadda <[email protected]> Authored: Thu May 18 22:35:26 2017 -0500 Committer: Kalyan Kumar Kalvagadda <[email protected]> Committed: Thu May 18 22:00:47 2017 -0700 ---------------------------------------------------------------------- .../transport/SentryTransportFactory.java | 5 +- .../UserGroupInformationInitializer.java | 52 ++++++++++++++++++++ .../SentryGenericServiceClientDefaultImpl.java | 8 +-- 3 files changed, 55 insertions(+), 10 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/sentry/blob/106e736c/sentry-core/sentry-core-common/src/main/java/org/apache/sentry/core/common/transport/SentryTransportFactory.java ---------------------------------------------------------------------- diff --git a/sentry-core/sentry-core-common/src/main/java/org/apache/sentry/core/common/transport/SentryTransportFactory.java b/sentry-core/sentry-core-common/src/main/java/org/apache/sentry/core/common/transport/SentryTransportFactory.java index 9b9f9e8..f609d33 100644 --- a/sentry-core/sentry-core-common/src/main/java/org/apache/sentry/core/common/transport/SentryTransportFactory.java +++ b/sentry-core/sentry-core-common/src/main/java/org/apache/sentry/core/common/transport/SentryTransportFactory.java 
@@ -74,9 +74,8 @@ public class SentryTransportFactory { super(mechanism, null, protocol, serverName, SASL_PROPERTIES, null, transport); if (wrapUgi) { - // If we don't set the configuration, the UGI will be created based on - // what's on the classpath, which may lack the kerberos changes we require - UserGroupInformation.setConfiguration(conf); + //Re-initializing UserGroupInformation, if needed + UserGroupInformationInitializer.initialize(conf); ugi = UserGroupInformation.getLoginUser(); } } http://git-wip-us.apache.org/repos/asf/sentry/blob/106e736c/sentry-core/sentry-core-common/src/main/java/org/apache/sentry/core/common/transport/UserGroupInformationInitializer.java ---------------------------------------------------------------------- diff --git a/sentry-core/sentry-core-common/src/main/java/org/apache/sentry/core/common/transport/UserGroupInformationInitializer.java b/sentry-core/sentry-core-common/src/main/java/org/apache/sentry/core/common/transport/UserGroupInformationInitializer.java new file mode 100644 index 0000000..19ba12c --- /dev/null +++ b/sentry-core/sentry-core-common/src/main/java/org/apache/sentry/core/common/transport/UserGroupInformationInitializer.java 
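Review bot: The replacement comment `//Re-initializing UserGroupInformation, if needed` understates what the call now does at this site. Judging by the UserGroupInformationInitializer added in this commit, the first construction with `wrapUgi` set forces HADOOP_SECURITY_AUTHENTICATION to kerberos on the process-wide UGI, and every later construction is a no-op, so a `conf` passed later is never applied, whereas the removed line applied it on each construction. I would say that in the comment, for example `// Forces kerberos auth on the JVM-wide UGI on first use; later calls are no-ops and their conf is ignored`. The constructor this sits in starts above the hunk, so whether this path is reached only for kerberos-enabled transports cannot be confirmed from here.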
@@ -0,0 +1,52 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ * <p>
+ * http://www.apache.org/licenses/LICENSE-2.0
+ * <p>
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.sentry.core.common.transport;
+
+import org.apache.hadoop.conf.Configuration;
+import org.apache.hadoop.security.UserGroupInformation;
+
+import static org.apache.hadoop.fs.CommonConfigurationKeysPublic.HADOOP_SECURITY_AUTHENTICATION;
+
+/**
+ * Wrapper to initialize UserGroupInformation
+ */
+
+public class UserGroupInformationInitializer {
+
+ // initialize() method could be called my multiple threads.
+ // to attain visibility guarantee on isInitialized, it is declared volatile.
+ private static volatile boolean isInitialized = false;
+
+ // initialization block may be executed multiple times. This is fine as setConfiguration is
+ // thread-safe
+ public static void initialize(Configuration conf) {
+ if(!isInitialized) {
+ Configuration newConf = new Configuration(conf);
+ // When kerberos is enabled, UserGroupInformation should have been initialized with
+ // HADOOP_SECURITY_AUTHENTICATION property. There are instances where this is not done.
+ // Example: Solr and Kafka while using sentry generic clients were not updating this
+ // property. Instead of depending on the callers to update this configuration and to be
+ // sure that UserGroupInformation is properly initialized, sentry client is explicitly
+ // doing it,
+ newConf.set(HADOOP_SECURITY_AUTHENTICATION, SentryClientTransportConstants.KERBEROS_MODE);
+ UserGroupInformation.setConfiguration(newConf);
+ isInitialized = true;
+ }
+ }
+}
\ No newline at end of file
http://git-wip-us.apache.org/repos/asf/sentry/blob/106e736c/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/service/thrift/SentryGenericServiceClientDefaultImpl.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/service/thrift/SentryGenericServiceClientDefaultImpl.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/service/thrift/SentryGenericServiceClientDefaultImpl.java
index 7bef81f..f430064 100644
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/service/thrift/SentryGenericServiceClientDefaultImpl.java
+++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/service/thrift/SentryGenericServiceClientDefaultImpl.java
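Review bot: `isInitialized` records only that this class has called `UserGroupInformation.setConfiguration` once, not what state UGI is actually in. UGI configuration is static and shared by everything in the JVM, so the first call replaces whatever the host application (the comment names Solr and Kafka) had installed with a copy of the Sentry client conf, and if the host later resets UGI to a non-kerberos configuration the flag keeps Sentry from restoring it, in which case the connection problem this commit fixes could reappear. Consider guarding on the real state, for example `if (!UserGroupInformation.isSecurityEnabled()) { ... }`, and stating the process-wide side effect in the class Javadoc, which currently reads only "Wrapper to initialize UserGroupInformation". Smaller points: the field comment has a typo (`my multiple threads` should be `by multiple threads`), and a static-only holder like this is usually declared `final` with a private constructor.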
@@ -60,14 +60,8 @@ public class SentryGenericServiceClientDefaultImpl implements SentryGenericServi private static final String THRIFT_EXCEPTION_MESSAGE = "Thrift exception occured "; public SentryGenericServiceClientDefaultImpl(Configuration conf, SentryPolicyClientTransportConfig transportConfig) throws IOException { - //TODO(kalyan) need to find appropriate place to add it - // if (kerberos) { - // // since the client uses hadoop-auth, we need to set kerberos in - // // hadoop-auth if we plan to use kerberos - // conf.set(HADOOP_SECURITY_AUTHENTICATION, SentryConstants.KERBEROS_MoODE); - // } - this.conf = conf; transportFactory = new SentryTransportFactory(conf, transportConfig); + this.conf = conf; } /**
