Repository: incubator-sentry Updated Branches: refs/heads/master 546617be3 -> 23134c631
SENTRY-266: Implement _HOST substitution in principal (Jarek Jarcec Cecho via Prasad Mujumdar)
Project: http://git-wip-us.apache.org/repos/asf/incubator-sentry/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-sentry/commit/23134c63
Tree: http://git-wip-us.apache.org/repos/asf/incubator-sentry/tree/23134c63
Diff: http://git-wip-us.apache.org/repos/asf/incubator-sentry/diff/23134c63
Branch: refs/heads/master
Commit: 23134c6312035e6a7073d8e58d0332c1da60d913
Parents: 546617b
Author: Prasad Mujumdar <[email protected]>
Authored: Sun Jun 8 12:13:51 2014 -0700
Committer: Prasad Mujumdar <[email protected]>
Committed: Sun Jun 8 12:13:51 2014 -0700
----------------------------------------------------------------------
.../thrift/SentryPolicyServiceClient.java | 10 +++--
.../sentry/service/thrift/SentryService.java | 12 ++++-
.../thrift/TestSentryServiceWithKerberos.java | 47 ++++++++++++++++++++
.../thrift/SentryServiceIntegrationBase.java | 20 +++------
4 files changed, 71 insertions(+), 18 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/23134c63/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyServiceClient.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyServiceClient.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyServiceClient.java
index aec490c..c41f8b9 100644
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyServiceClient.java
+++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyServiceClient.java
@@ -29,6 +29,7 @@ import org.apache.hadoop.conf.Configuration;
 import org.apache.hadoop.net.NetUtils;
 import org.apache.hadoop.security.SaslRpcServer;
 import org.apache.hadoop.security.SaslRpcServer.AuthMethod;
+import org.apache.hadoop.security.SecurityUtil;
 import org.apache.sentry.SentryUserException;
 import org.apache.sentry.core.common.ActiveRoleSet;
 import org.apache.sentry.core.common.Authorizable;
@@ -78,9 +79,12 @@ public class SentryPolicyServiceClient {
 transport = new TSocket(serverAddress.getHostName(), serverAddress.getPort(), connectionTimeout);
 if (kerberos) {
- String serverPrincipal = Preconditions.checkNotNull(
- conf.get(ServerConfig.PRINCIPAL), ServerConfig.PRINCIPAL
- + " is required");
+ String serverPrincipal = Preconditions.checkNotNull(conf.get(ServerConfig.PRINCIPAL), ServerConfig.PRINCIPAL + " is required");
+
+ // Resolve server host in the same way as we are doing on server side
+ serverPrincipal = SecurityUtil.getServerPrincipal(serverPrincipal, serverAddress.getAddress());
+ LOGGER.info("Using server kerberos principal: " + serverPrincipal);
+
 serverPrincipalParts = SaslRpcServer.splitKerberosName(serverPrincipal);
 Preconditions.checkArgument(serverPrincipalParts.length == 3, "Kerberos principal should have 3 parts: " + serverPrincipal);
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/23134c63/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/SentryService.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/SentryService.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/SentryService.java
index 9e5c334..e4111fb 100644
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/SentryService.java
+++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/SentryService.java
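Review bot: `SecurityUtil.getServerPrincipal(serverPrincipal, serverAddress.getAddress())` ties the service principal the client authenticates to to the name resolution of the server address (Hadoop fills `_HOST` from the address's canonical host name, as far as I recall), so a client whose DNS view differs from the host the keytab was created for fails later in SASL negotiation with a generic GSS error, and the INFO line that follows is the only place the derived value is visible. A comment above the call would spare the next reader a trip into Hadoop: `// _HOST is replaced with the canonical (reverse-DNS) name of serverAddress; the SPN used here must be the one the KDC holds for that name`. `getServerPrincipal` declares `IOException` and, unlike the server-side change, this call is not wrapped, so the enclosing constructor must already declare it; that constructor starts outside the hunk. If `serverAddress` is unresolved, `getAddress()` is null and Hadoop rejects a `_HOST` principal with an IOException, which is acceptable but worth a clause in the same comment.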
@@ -46,6 +46,7 @@ import org.apache.hadoop.conf.Configuration;
 import org.apache.hadoop.net.NetUtils;
 import org.apache.hadoop.security.SaslRpcServer;
 import org.apache.hadoop.security.SaslRpcServer.AuthMethod;
+import org.apache.hadoop.security.SecurityUtil;
 import org.apache.sentry.Command;
 import org.apache.sentry.service.thrift.ServiceConstants.ConfUtilties;
 import org.apache.sentry.service.thrift.ServiceConstants.ServerConfig;
@@ -103,8 +104,15 @@ public class SentryService implements Callable {
 minThreads = conf.getInt(ServerConfig.RPC_MIN_THREADS, ServerConfig.RPC_MIN_THREADS_DEFAULT);
 if (kerberos) {
- principal = Preconditions.checkNotNull(conf.get(ServerConfig.PRINCIPAL),
- ServerConfig.PRINCIPAL + " is required");
+ // Use Hadoop libraries to translate the _HOST placeholder with actual hostname
+ try {
+ String rawPrincipal = Preconditions.checkNotNull(conf.get(ServerConfig.PRINCIPAL), ServerConfig.PRINCIPAL + " is required");
+ principal = SecurityUtil.getServerPrincipal(rawPrincipal, address.getAddress());
+ } catch(IOException io) {
+ throw new RuntimeException("Can't translate kerberos principal'", io);
+ }
+ LOGGER.info("Using kerberos principal: " + principal);
+
 principalParts = SaslRpcServer.splitKerberosName(principal);
 Preconditions.checkArgument(principalParts.length == 3, "Kerberos principal should have 3 parts: " + principal);
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/23134c63/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryServiceWithKerberos.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryServiceWithKerberos.java b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryServiceWithKerberos.java
new file mode 100644
index 0000000..3209ccf
--- /dev/null
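Review bot: The message on the new `throw` has a stray apostrophe, `"Can't translate kerberos principal'"`, and omits the value that could not be translated, which is the one thing an operator needs when the service refuses to start. `Preconditions.checkNotNull` throws NPE rather than IOException, so it does not need to sit inside the `try`; moving `String rawPrincipal = Preconditions.checkNotNull(conf.get(ServerConfig.PRINCIPAL), ServerConfig.PRINCIPAL + " is required");` above the `try` puts it in scope for `throw new RuntimeException("Can't translate kerberos principal " + rawPrincipal, io);` (a service principal name is configuration, not a secret). Style: `catch(IOException io)` should read `catch (IOException io)` like the other catch clauses in this file. The enclosing constructor or method starts outside the hunk.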
+++ b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryServiceWithKerberos.java 
@@ -0,0 +1,47 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.sentry.provider.db.service.thrift;
+
+import org.apache.sentry.service.thrift.SentryServiceIntegrationBase;
+
+import org.junit.Test;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+/**
+ * Test various kerberos related stuff on the SentryService side
+ */
+public class TestSentryServiceWithKerberos extends SentryServiceIntegrationBase {
+
+ private static final Logger LOGGER = LoggerFactory.getLogger(TestSentryServiceFailureCase.class);
+
+ public String getServerKerberosName() {
+ return "sentry/_HOST@" + REALM;
+ }
+
+ /**
+ * Test that we are correctly substituting "_HOST" if/when needed.
+ *
+ * @throws Exception
+ */
+ @Test
+ public void testHostSubstitution() throws Exception {
+ // We just need to ensure that we are able to correct connect to the server
+ connectToSentryService();
+ }
+}
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/23134c63/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/service/thrift/SentryServiceIntegrationBase.java
----------------------------------------------------------------------
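Review bot: `LOGGER` is created with `TestSentryServiceFailureCase.class` rather than this class, so any output would be attributed to the wrong test, and nothing in the file uses the field; either remove it or change it to `LoggerFactory.getLogger(TestSentryServiceWithKerberos.class)`. `getServerKerberosName()` overrides the base-class hook added in this same commit but carries no `@Override`, which is exactly the annotation that would catch a later signature drift. The class Javadoc should also state the property under test rather than "various kerberos related stuff": the base class still creates the keytab for `SERVER_PRINCIPAL`, so `sentry/_HOST@REALM` only works if substitution yields that same host, and a failure surfaces as a SASL/GSS exception from `connectToSentryService()`. The comment inside the test has a typo, `correct connect` should be `correctly connect`.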
diff --git a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/service/thrift/SentryServiceIntegrationBase.java b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/service/thrift/SentryServiceIntegrationBase.java
index b3bd1ef..66d6eef 100644
--- a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/service/thrift/SentryServiceIntegrationBase.java
+++ b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/service/thrift/SentryServiceIntegrationBase.java
@@ -32,6 +32,7 @@ import org.apache.commons.io.FileUtils;
 import org.apache.hadoop.conf.Configuration;
 import org.apache.hadoop.minikdc.KerberosSecurityTestcase;
 import org.apache.hadoop.minikdc.MiniKdc;
+import org.apache.hadoop.net.NetUtils;
 import org.apache.sentry.provider.db.service.thrift.SentryPolicyServiceClient;
 import org.apache.sentry.provider.file.PolicyFile;
 import org.apache.sentry.service.thrift.ServiceConstants.ClientConfig;
@@ -55,18 +56,7 @@ public abstract class SentryServiceIntegrationBase extends KerberosSecurityTestc
 }
 }

- protected static final String SERVER_HOST;
- static {
- String serverHost;
- try {
- // Dynamically find name of local interface
- serverHost = java.net.InetAddress.getLocalHost().getHostName().toLowerCase();
- } catch (UnknownHostException e) {
- LOGGER.error("Can't get localhost proper hostname, missing /etc/hosts configuration? Using 'localhost'.", e);
- serverHost = "localhost"; // default value is simply localhost
- }
- SERVER_HOST = serverHost;
- }
+ protected static final String SERVER_HOST = NetUtils.createSocketAddr("localhost:80").getAddress().getCanonicalHostName();
 protected static final String REALM = "EXAMPLE.COM";
 protected static final String SERVER_PRINCIPAL = "sentry/" + SERVER_HOST;
 protected static final String SERVER_KERBEROS_NAME = "sentry/" + SERVER_HOST + "@" + REALM;
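Review bot: The new `SERVER_HOST` initializer drops the `toLowerCase()` the removed static block applied, while Hadoop's `_HOST` substitution that the server now uses lower-cases the host as far as I recall; on a machine whose canonical name for localhost contains upper-case letters the keytab principal `sentry/<Host>` and the substituted `sentry/<host>` differ, and every Kerberos test fails at server login rather than in the code under test. It also removes the fallback: if `localhost:80` does not resolve, `getAddress()` is null and the class dies in static initialization with `ExceptionInInitializerError` instead of logging and using `"localhost"`. I would at least restore the lower-casing, `NetUtils.createSocketAddr("localhost:80").getAddress().getCanonicalHostName().toLowerCase()`, and explain it in a comment: `// must match the host SecurityUtil.getServerPrincipal derives for _HOST, which is lower-cased`. The `UnknownHostException` import is probably unused after this hunk; it is not visible here.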
@@ -118,7 +108,7 @@ public abstract class SentryServiceIntegrationBase extends KerberosSecurityTestc
 clientKeytab = new File(kdcWorkDir, "client.keytab");
 kdc.createPrincipal(serverKeytab, SERVER_PRINCIPAL);
 kdc.createPrincipal(clientKeytab, CLIENT_PRINCIPAL);
- conf.set(ServerConfig.PRINCIPAL, SERVER_KERBEROS_NAME);
+ conf.set(ServerConfig.PRINCIPAL, getServerKerberosName());
 conf.set(ServerConfig.KEY_TAB, serverKeytab.getPath());
 conf.set(ServerConfig.ALLOW_CONNECT, CLIENT_KERBEROS_NAME);
 } else {
@@ -188,6 +178,10 @@ public abstract class SentryServiceIntegrationBase extends KerberosSecurityTestc
 afterTeardown();
 }

+ public String getServerKerberosName() {
+ return SERVER_KERBEROS_NAME;
+ }
+

 public void beforeSetup() throws Exception {
 }
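Review bot: `getServerKerberosName()` is a subclass hook (TestSentryServiceWithKerberos overrides it in this commit) but has no Javadoc, and its contract is not obvious: the `@@ -118` hunk above still creates the server keytab for the fixed `SERVER_PRINCIPAL`, so whatever an override returns must, after `_HOST` substitution, equal `SERVER_KERBEROS_NAME`, otherwise the service cannot log in from its keytab and the failure shows up far from the override. I would document that on the method: `/** Principal written to ServerConfig.PRINCIPAL; overrides may use _HOST, but the substituted result must equal SERVER_KERBEROS_NAME, the only server principal present in the keytab. */`. The setup method containing the `conf.set` call starts outside the hunk.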
