Repository: incubator-sentry Updated Branches: refs/heads/master 066b1c404 -> d37830c9a
SENTRY-289: Kerberos based connection from HS2 and Metastore to Sentry service fails (Prasad Mujumdar via Jarek Jarcec Cecho) Project: http://git-wip-us.apache.org/repos/asf/incubator-sentry/repo Commit: http://git-wip-us.apache.org/repos/asf/incubator-sentry/commit/d37830c9 Tree: http://git-wip-us.apache.org/repos/asf/incubator-sentry/tree/d37830c9 Diff: http://git-wip-us.apache.org/repos/asf/incubator-sentry/diff/d37830c9 Branch: refs/heads/master Commit: d37830c9a9b5c8bd571b87e676eb38627b38a139 Parents: 066b1c4 Author: Jarek Jarcec Cecho <[email protected]> Authored: Tue Jun 10 21:37:25 2014 -0700 Committer: Jarek Jarcec Cecho <[email protected]> Committed: Tue Jun 10 21:37:25 2014 -0700 ---------------------------------------------------------------------- .../binding/hive/HiveAuthzBindingHook.java | 2 + .../thrift/SentryPolicyServiceClient.java | 64 ++++++++++++++++++-- .../service/thrift/KerberosConfiguration.java | 4 -- .../sentry/service/thrift/ServiceConstants.java | 1 + .../thrift/SentryServiceIntegrationBase.java | 6 +- 5 files changed, 65 insertions(+), 12 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/d37830c9/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingHook.java ----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingHook.java b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingHook.java
index 6c507b8..042fb00 100644
--- a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingHook.java
+++ b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingHook.java
@@ -65,6 +65,7 @@ import org.apache.sentry.core.model.db.DBModelAuthorizable;
 import org.apache.sentry.core.model.db.DBModelAuthorizable.AuthorizableType;
 import org.apache.sentry.core.model.db.Database;
 import org.apache.sentry.core.model.db.Table;
+import org.apache.sentry.service.thrift.ServiceConstants.ServerConfig;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
@@ -120,6 +121,7 @@ implements HiveDriverFilterHook {
 + " specifies a malformed URL '" + hiveAuthzConf + "'", e);
 }
 }
+ newAuthzConf.set(ServerConfig.SECURITY_USE_UGI_TRANSPORT, "true");
 return newAuthzConf;
 } http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/d37830c9/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyServiceClient.java ----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyServiceClient.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyServiceClient.java
index c41f8b9..afbedb3 100644
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyServiceClient.java
+++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyServiceClient.java
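Review bot: The key passed to `newAuthzConf.set(ServerConfig.SECURITY_USE_UGI_TRANSPORT, "true")` is itself the string `"true"`, because the ServiceConstants hunk in this commit defines `SECURITY_USE_UGI_TRANSPORT = "true"`; this line therefore writes the property `true=true`, and the SentryPolicyServiceClient hunk reads it back as `conf.get("true")`. It works only by coincidence and the flag cannot be set from a site file under a meaningful name, nor can a reader tell key from value. The constant should hold a key in the existing `sentry.service.security.*` namespace used by the neighbouring constants, e.g. (suggested name) `public static final String SECURITY_USE_UGI_TRANSPORT = "sentry.service.security.use.ugi.transport";`. A short why-comment here would also help: `// HS2/metastore already hold a Kerberos login in UGI; open the Sentry SASL transport inside that context`. The enclosing method starts before this hunk.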
@@ -18,18 +18,22 @@
 package org.apache.sentry.provider.db.service.thrift;
-import com.google.common.base.Preconditions;
-import com.google.common.collect.Sets;
 import java.io.IOException;
 import java.net.InetSocketAddress;
+import java.security.PrivilegedExceptionAction;
 import java.util.HashSet;
+import java.util.List;
+import java.util.Map;
 import java.util.Set;
+import javax.security.auth.callback.CallbackHandler;
+
 import org.apache.hadoop.conf.Configuration;
 import org.apache.hadoop.net.NetUtils;
 import org.apache.hadoop.security.SaslRpcServer;
 import org.apache.hadoop.security.SaslRpcServer.AuthMethod;
 import org.apache.hadoop.security.SecurityUtil;
+import org.apache.hadoop.security.UserGroupInformation;
 import org.apache.sentry.SentryUserException;
 import org.apache.sentry.core.common.ActiveRoleSet;
 import org.apache.sentry.core.common.Authorizable;
@@ -50,7 +54,8 @@ import org.apache.thrift.transport.TTransportException;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
-import java.util.List;
+import com.google.common.base.Preconditions;
+import com.google.common.collect.Sets;
 public class SentryPolicyServiceClient {
@@ -65,6 +70,51 @@ public class SentryPolicyServiceClient {
 .getLogger(SentryPolicyServiceClient.class);
 private static final String THRIFT_EXCEPTION_MESSAGE = "Thrift exception occured ";
+ /**
+ * This transport wraps the Sasl transports to set up the right UGI context for open().
+ */
+ public static class UgiSaslClientTransport extends TSaslClientTransport {
+ protected UserGroupInformation ugi = null;
+
+ public UgiSaslClientTransport(String mechanism, String authorizationId,
+ String protocol, String serverName, Map<String, String> props,
+ CallbackHandler cbh, TTransport transport, boolean wrapUgi)
+ throws IOException {
+ super(mechanism, authorizationId, protocol, serverName, props, cbh,
+ transport);
+ if (wrapUgi) {
+ ugi = UserGroupInformation.getCurrentUser();
+ }
+ }
+
+ // open the SASL transport with using the current UserGroupInformation
+ // This is needed to get the current login context stored
+ @Override
+ public void open() throws TTransportException {
+ if (ugi == null) {
+ baseOpen();
+ } else {
+ try {
+ ugi.doAs(new PrivilegedExceptionAction<Void>() {
+ public Void run() throws TTransportException {
+ baseOpen();
+ return null;
+ }
+ });
+ } catch (IOException e) {
+ throw new TTransportException("Failed to open SASL transport", e);
+ } catch (InterruptedException e) {
+ throw new TTransportException(
+ "Interrupted while opening underlying transport", e);
+ }
+ }
+ }
+
+ private void baseOpen() throws TTransportException {
+ super.open();
+ }
+ }
+
 public SentryPolicyServiceClient(Configuration conf) throws IOException {
 this.conf = conf;
 Preconditions.checkNotNull(this.conf, "Configuration object cannot be null");
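Review bot: In `open()`, a `TTransportException` thrown by `baseOpen()` inside the `PrivilegedExceptionAction` never reaches the `catch (IOException e)` branch: Hadoop's `UserGroupInformation.doAs` passes `IOException`, `InterruptedException`, `Error` and `RuntimeException` through but wraps any other checked exception — and `TTransportException` is one — in `java.lang.reflect.UndeclaredThrowableException`, so a caller that catches `TTransportException` around a failed Kerberos handshake gets an unchecked exception instead. Catch `UndeclaredThrowableException` and rethrow its cause as a `TTransportException` (this needs an import of `java.lang.reflect.UndeclaredThrowableException`), and restore the interrupt flag in the `InterruptedException` branch before rethrowing. Minor: the anonymous `run()` lacks `@Override`, and `ugi` is only assigned in the constructor, so it could be `private final` (`ugi = wrapUgi ? UserGroupInformation.getCurrentUser() : null;`) instead of a mutable `protected` field.
```java
      try {
        // … unchanged: ugi.doAs(new PrivilegedExceptionAction<Void>() { ... baseOpen() ... }) …
      } catch (UndeclaredThrowableException e) {
        // UGI.doAs passes IOException/InterruptedException through but wraps every
        // other checked exception, so a TTransportException from baseOpen() lands here.
        throw new TTransportException("Failed to open SASL transport", e.getCause());
      } catch (IOException e) {
        throw new TTransportException("Failed to open SASL transport", e);
      } catch (InterruptedException e) {
        Thread.currentThread().interrupt(); // keep the caller's interrupt status
        throw new TTransportException(
            "Interrupted while opening underlying transport", e);
      }
```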
@@ -88,9 +138,11 @@ public class SentryPolicyServiceClient {
 serverPrincipalParts = SaslRpcServer.splitKerberosName(serverPrincipal);
 Preconditions.checkArgument(serverPrincipalParts.length == 3,
 "Kerberos principal should have 3 parts: " + serverPrincipal);
- transport = new TSaslClientTransport(
- AuthMethod.KERBEROS.getMechanismName(), null, serverPrincipalParts[0],
- serverPrincipalParts[1], ClientConfig.SASL_PROPERTIES, null, transport);
+ boolean wrapUgi = "true".equalsIgnoreCase(conf
+ .get(ServerConfig.SECURITY_USE_UGI_TRANSPORT));
+ transport = new UgiSaslClientTransport(AuthMethod.KERBEROS.getMechanismName(),
+ null, serverPrincipalParts[0], serverPrincipalParts[1],
+ ClientConfig.SASL_PROPERTIES, null, transport, wrapUgi);
 } else {
 serverPrincipalParts = null;
 } http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/d37830c9/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/KerberosConfiguration.java ----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/KerberosConfiguration.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/KerberosConfiguration.java
index 203858e..41e4fe4 100644
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/KerberosConfiguration.java
+++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/KerberosConfiguration.java
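Review bot: `wrapUgi` is false whenever `SECURITY_USE_UGI_TRANSPORT` is absent from the configuration, and this same commit removes the `useSubjectCredsOnly=false` static block from KerberosConfiguration, so a Kerberos client that does not set the flag (on this page only HiveAuthzBindingHook sets it) now opens the SASL transport with neither that system property nor an explicit UGI context; whether GSS still finds a credential in that case depends on the JAAS setup the caller runs under, which is outside this diff. Please either default the flag to true for the Kerberos mode or document the requirement next to the constant. The parse itself can use the Hadoop helper, `boolean wrapUgi = conf.getBoolean(ServerConfig.SECURITY_USE_UGI_TRANSPORT, false);`, which accepts the same case-insensitive "true". The enclosing constructor starts and ends outside this hunk.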
@@ -24,10 +24,6 @@ import java.util.Map;
 import javax.security.auth.login.AppConfigurationEntry;
 public class KerberosConfiguration extends javax.security.auth.login.Configuration {
- static {
- System.setProperty("javax.security.auth.useSubjectCredsOnly", "false");
- }
-
 private String principal;
 private String keytab;
 private boolean isInitiator; http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/d37830c9/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/ServiceConstants.java ----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/ServiceConstants.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/ServiceConstants.java
index 4a2b900..ba6a712 100644
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/ServiceConstants.java
+++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/ServiceConstants.java
@@ -53,6 +53,7 @@ public class ServiceConstants {
 public static final String SECURITY_MODE = "sentry.service.security.mode";
 public static final String SECURITY_MODE_KERBEROS = "kerberos";
 public static final String SECURITY_MODE_NONE = "none";
+ public static final String SECURITY_USE_UGI_TRANSPORT = "true";
 public static final String ADMIN_GROUPS = "sentry.service.admin.group";
 public static final String PRINCIPAL = "sentry.service.server.principal";
 public static final String KEY_TAB = "sentry.service.server.keytab"; http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/d37830c9/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/service/thrift/SentryServiceIntegrationBase.java ----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/service/thrift/SentryServiceIntegrationBase.java b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/service/thrift/SentryServiceIntegrationBase.java index 61bdfed..20265a4 100644 --- a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/service/thrift/SentryServiceIntegrationBase.java +++ b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/service/thrift/SentryServiceIntegrationBase.java @@ -60,7 +60,9 @@ public abstract class SentryServiceIntegrationBase extends KerberosSecurityTestc protected static final String SERVER_PRINCIPAL = "sentry/" + SERVER_HOST; protected static final String SERVER_KERBEROS_NAME = "sentry/" + SERVER_HOST + "@" + REALM; protected static final String CLIENT_PRINCIPAL = "hive/" + SERVER_HOST; - protected static final String CLIENT_KERBEROS_NAME = "hive/" + SERVER_HOST + "@" + REALM; + protected static final String CLIENT_KERBEROS_SHORT_NAME = "hive"; + protected static final String CLIENT_KERBEROS_NAME = CLIENT_KERBEROS_SHORT_NAME + + "/" + SERVER_HOST + "@" + REALM; protected static final String ADMIN_USER = "admin_user"; protected static final String ADMIN_GROUP = "admin_group"; @@ -109,7 +111,7 @@ public abstract class SentryServiceIntegrationBase extends KerberosSecurityTestc kdc.createPrincipal(clientKeytab, CLIENT_PRINCIPAL); conf.set(ServerConfig.PRINCIPAL, getServerKerberosName()); conf.set(ServerConfig.KEY_TAB, serverKeytab.getPath()); - conf.set(ServerConfig.ALLOW_CONNECT, CLIENT_KERBEROS_NAME); + conf.set(ServerConfig.ALLOW_CONNECT, CLIENT_KERBEROS_SHORT_NAME); } else { LOGGER.info("Stopped KDC"); conf.set(ServerConfig.SECURITY_MODE, ServerConfig.SECURITY_MODE_NONE);
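Review bot: `conf.set(ServerConfig.ALLOW_CONNECT, CLIENT_KERBEROS_SHORT_NAME)` changes what the allow-list entry means — the short name "hive" instead of the full `hive/host@REALM` — but nothing in this commit says why, presumably because the server-side check now sees the short user name UGI derives rather than the full principal; the test thus encodes a contract a reader cannot see here. If that is the case, the allow-list also becomes realm- and host-agnostic (any principal whose auth_to_local mapping yields "hive" is admitted), which deployers should know. Add a comment on the constant, `// ALLOW_CONNECT is matched against the short user name derived by UGI, not the full principal`, so the semantics are documented where the test sets it. The enclosing setup method continues outside this hunk.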
