This is an automated email from the ASF dual-hosted git repository.
linaataustin pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/sentry.git
The following commit(s) were added to refs/heads/master by this push:
new 63f7f89 SENTRY-2486: Wrong user name when sentry HMSFollower gets
full snapshot from HMS at insecure mode (Na Li, reviewed by Arjun Mishra,
Kalyan Kumar Kalvagadda)
63f7f89 is described below
commit 63f7f8939bc9a02272a4033b07ee4cb95d8d4785
Author: lina.li <[email protected]>
AuthorDate: Mon Jan 28 14:58:09 2019 -0600
SENTRY-2486: Wrong user name when sentry HMSFollower gets full snapshot
from HMS at insecure mode (Na Li, reviewed by Arjun Mishra, Kalyan Kumar
Kalvagadda)
---
.../service/thrift/HiveSimpleConnectionFactory.java | 10 +++++++---
.../provider/db/service/persistent/TestHMSFollower.java | 2 ++
.../sentry/tests/e2e/hdfs/TestHDFSIntegrationBase.java | 15 +++++++++++----
3 files changed, 20 insertions(+), 7 deletions(-)
diff --git
a/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/service/thrift/HiveSimpleConnectionFactory.java
b/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/service/thrift/HiveSimpleConnectionFactory.java
index 31e58fd..f57175c 100644
---
a/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/service/thrift/HiveSimpleConnectionFactory.java
+++
b/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/service/thrift/HiveSimpleConnectionFactory.java
@@ -76,6 +76,7 @@ public final class HiveSimpleConnectionFactory implements
HiveConnectionFactory
return;
}
+ LOGGER.info("Using secured connection to HMS");
int port = conf.getInt(ServerConfig.RPC_PORT,
ServerConfig.RPC_PORT_DEFAULT);
String rawPrincipal =
Preconditions.checkNotNull(conf.get(ServerConfig.PRINCIPAL),
"%s is required", ServerConfig.PRINCIPAL);
@@ -106,11 +107,14 @@ public final class HiveSimpleConnectionFactory implements
HiveConnectionFactory
* @throws MetaException if other errors happened
*/
public HMSClient connect() throws IOException, InterruptedException,
MetaException {
+ UserGroupInformation clientUGI;
+
if (insecure) {
- return new HMSClient(new HiveMetaStoreClient(hiveConf));
- }
- UserGroupInformation clientUGI =
+ clientUGI = UserGroupInformation.getCurrentUser();
+ } else {
+ clientUGI =
UserGroupInformation.getUGIFromSubject(kerberosContext.getSubject());
+ }
return new HMSClient(clientUGI.doAs(new
PrivilegedExceptionAction<HiveMetaStoreClient>() {
@Override
public HiveMetaStoreClient run() throws MetaException {
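Review bot: In the insecure branch of `connect()` the identity now comes from `UserGroupInformation.getCurrentUser()`, which depends on the caller's security context at the time of the call, and nothing in the method records which user that turned out to be. Since the bug being fixed is a wrong user name reaching HMS, I would log it just before the `doAs`, e.g. `LOGGER.debug("Connecting to HMS as user {}", clientUGI.getShortUserName());` (this assumes LOGGER is an SLF4J logger, which the hunk does not show). The javadoc above the method should also say that in insecure mode this name is not authenticated, so any HMS-side setting that trusts it by name should list service accounts only. The anonymous `PrivilegedExceptionAction` body continues past the end of the hunk.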
diff --git
a/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/provider/db/service/persistent/TestHMSFollower.java
b/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/provider/db/service/persistent/TestHMSFollower.java
index 0d62941..310cf6a 100644
---
a/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/provider/db/service/persistent/TestHMSFollower.java
+++
b/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/provider/db/service/persistent/TestHMSFollower.java
@@ -53,6 +53,7 @@ import
org.apache.sentry.binding.metastore.messaging.json.SentryJSONMessageFacto
import org.apache.sentry.core.common.utils.PubSub;
import org.apache.sentry.core.common.utils.SentryConstants;
import org.apache.sentry.hdfs.UniquePathsUpdate;
+import org.apache.sentry.service.common.ServiceConstants.ServerConfig;
import org.apache.sentry.service.thrift.SentryHMSClient;
import org.apache.sentry.service.thrift.HiveConnectionFactory;
import org.apache.sentry.service.thrift.HiveSimpleConnectionFactory;
@@ -85,6 +86,7 @@ public class TestHMSFollower {
@BeforeClass
public static void setup() throws IOException, LoginException {
+ configuration.set(ServerConfig.PRINCIPAL, "sentry/[email protected]");
hiveConnectionFactory = new HiveSimpleConnectionFactory(configuration, new
HiveConf());
hiveConnectionFactory.init();
configuration.set("sentry.hive.sync.create", "true");
diff --git
a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hdfs/TestHDFSIntegrationBase.java
b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hdfs/TestHDFSIntegrationBase.java
index 47f7466..4c09e68 100644
---
a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hdfs/TestHDFSIntegrationBase.java
+++
b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hdfs/TestHDFSIntegrationBase.java
@@ -193,6 +193,7 @@ public abstract class TestHDFSIntegrationBase {
protected static File policyFileLocation;
protected static UserGroupInformation adminUgi;
protected static UserGroupInformation hiveUgi;
+ protected static UserGroupInformation sentryUgi;
// Variables which are used for cleanup after test
// Please set these values in each test
@@ -520,6 +521,9 @@ public abstract class TestHDFSIntegrationBase {
hiveUgi = UserGroupInformation.createUserForTesting(
"hive", new String[] { "hive" });
+ sentryUgi = UserGroupInformation.createUserForTesting(
+ "sentry", new String[] { "sentry" });
+
// Create SentryService and its internal objects.
// Set Sentry port
createSentry();
@@ -579,7 +583,8 @@ public abstract class TestHDFSIntegrationBase {
// on the storage.
hiveConf.set("hive.metastore.authorization.storage.checks", "true");
hiveConf.set("hive.metastore.uris", "thrift://localhost:" + hmsPort);
- hiveConf.set("sentry.metastore.service.users", "hive");// queries made
by hive user (beeline) skip meta store check
+ // queries made by hive user (beeline) and sentry to HMS skip meta
store check
+ hiveConf.set("sentry.metastore.service.users", "hive,sentry");
File confDir = assertCreateDir(new File(baseDir, "etc"));
File hiveSite = new File(confDir, "hive-site.xml");
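Review bot: The literal `"hive,sentry"` for `sentry.metastore.service.users` is now written twice, here and in the hunk at `@@ -662,7 +667,8`, so the two HMS configurations can drift apart the next time a service user is added. A shared constant would keep them aligned, e.g. `private static final String METASTORE_SERVICE_USERS = "hive,sentry";`, used in both `hiveConf.set` calls. The new comment could also state that every name in this list skips the metastore check, as the comment on the removed line describes, so the list should hold service accounts only. The enclosing method starts and ends outside the hunk.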
@@ -662,7 +667,8 @@ public abstract class TestHDFSIntegrationBase {
hiveConf.set("hive.metastore.event.message.factory",
"org.apache.sentry.binding.metastore.messaging.json.SentryJSONMessageFactory");
hiveConf.set("hive.security.authorization.task.factory",
"org.apache.sentry.binding.hive.SentryHiveAuthorizationTaskFactoryImpl");
hiveConf.set("hive.server2.session.hook",
"org.apache.sentry.binding.hive.HiveAuthzBindingSessionHook");
- hiveConf.set("sentry.metastore.service.users", "hive");// queries made
by hive user (beeline) skip meta store check
+ // queries made by hive user (beeline) and sentry to HMS skip meta
store check
+ hiveConf.set("sentry.metastore.service.users", "hive,sentry");
// make sure metastore calls sentry post event listener
hiveConf.set("hive.metastore.event.listeners",
"org.apache.sentry.binding.metastore.SentrySyncHMSNotificationsPostEventListener");
@@ -852,7 +858,7 @@ public abstract class TestHDFSIntegrationBase {
}
SentryHDFSServiceClientFactory.factoryReset();
try {
- hiveUgi.doAs(new PrivilegedExceptionAction() {
+ sentryUgi.doAs(new PrivilegedExceptionAction() {
@Override
public Void run() throws Exception {
sentryServer.startAll();
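Review bot: The changed line `sentryUgi.doAs(new PrivilegedExceptionAction() {` still uses the raw type, although `run()` is declared to return `Void` and the matching call in `createSentry()` is parameterized. Writing `sentryUgi.doAs(new PrivilegedExceptionAction<Void>() {` removes the unchecked warning and keeps the two call sites consistent. The enclosing method and the anonymous class body extend beyond the hunk.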
@@ -869,10 +875,11 @@ public abstract class TestHDFSIntegrationBase {
private static void createSentry() throws Exception {
try {
- hiveUgi.doAs(new PrivilegedExceptionAction<Void>() {
+ sentryUgi.doAs(new PrivilegedExceptionAction<Void>() {
@Override
public Void run() throws Exception {
sentryConf.set(SENTRY_HDFS_INTEGRATION_PATH_PREFIXES,
MANAGED_PREFIXES);
+ sentryProperties.put(ServerConfig.PRINCIPAL,
"sentry/[email protected]");
sentryProperties.put(HiveServerFactory.AUTHZ_PROVIDER_BACKEND,
SimpleDBProviderBackend.class.getName());
sentryProperties.put(ConfVars.HIVE_AUTHORIZATION_TASK_FACTORY.varname,