Repository: incubator-sentry Updated Branches: refs/heads/master 20f3960ce -> a01a75011
SENTRY-1037: Set "hadoop.security.authentication" to "kerberos" in the Generic Client (Gregory Chanan, reviewed by Sravya Tirukkovalur) Project: http://git-wip-us.apache.org/repos/asf/incubator-sentry/repo Commit: http://git-wip-us.apache.org/repos/asf/incubator-sentry/commit/a01a7501 Tree: http://git-wip-us.apache.org/repos/asf/incubator-sentry/tree/a01a7501 Diff: http://git-wip-us.apache.org/repos/asf/incubator-sentry/diff/a01a7501 Branch: refs/heads/master Commit: a01a7501114ca0934255a0fb5e2635214f8ce887 Parents: 20f3960 Author: Gregory Chanan <gcha...@cloudera.com> Authored: Thu Jan 28 16:35:05 2016 -0800 Committer: Gregory Chanan <gcha...@cloudera.com> Committed: Fri Jan 29 16:40:05 2016 -0800 ---------------------------------------------------------------------- .../thrift/SentryGenericServiceClientDefaultImpl.java | 14 +++++++++++--- .../provider/db/generic/tools/SentryShellSolr.java | 4 +++- 2 files changed, 14 insertions(+), 4 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/a01a7501/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/service/thrift/SentryGenericServiceClientDefaultImpl.java ---------------------------------------------------------------------- diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/service/thrift/SentryGenericServiceClientDefaultImpl.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/service/thrift/SentryGenericServiceClientDefaultImpl.java index 761b0a4..ce57513 100644 --- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/service/thrift/SentryGenericServiceClientDefaultImpl.java +++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/service/thrift/SentryGenericServiceClientDefaultImpl.java 
@@ -28,6 +28,7 @@ import java.util.Set; import javax.security.auth.callback.CallbackHandler; import org.apache.hadoop.conf.Configuration; +import static org.apache.hadoop.fs.CommonConfigurationKeysPublic.HADOOP_SECURITY_AUTHENTICATION; import org.apache.hadoop.net.NetUtils; import org.apache.hadoop.security.SaslRpcServer; import org.apache.hadoop.security.SaslRpcServer.AuthMethod; @@ -75,11 +76,14 @@ public class SentryGenericServiceClientDefaultImpl implements SentryGenericServi public UgiSaslClientTransport(String mechanism, String authorizationId, String protocol, String serverName, Map<String, String> props, - CallbackHandler cbh, TTransport transport, boolean wrapUgi) + CallbackHandler cbh, TTransport transport, boolean wrapUgi, Configuration conf) throws IOException { super(mechanism, authorizationId, protocol, serverName, props, cbh, transport); if (wrapUgi) { + // If we don't set the configuration, the UGI will be created based on + // what's on the classpath, which may lack the kerberos changes we require + UserGroupInformation.setConfiguration(conf); ugi = UserGroupInformation.getLoginUser(); } } @@ -116,7 +120,8 @@ public class SentryGenericServiceClientDefaultImpl implements SentryGenericServi } public SentryGenericServiceClientDefaultImpl(Configuration conf) throws IOException { - this.conf = conf; + // copy the configuration because we may make modifications to it. + this.conf = new Configuration(conf); Preconditions.checkNotNull(this.conf, "Configuration object cannot be null"); this.serverAddress = NetUtils.createSocketAddr(Preconditions.checkNotNull( conf.get(ClientConfig.SERVER_RPC_ADDRESS), "Config key " 
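Review bot: `UserGroupInformation.setConfiguration(conf)` in the `UgiSaslClientTransport` constructor changes static, process-wide Hadoop security state every time a transport is built with `wrapUgi` set, so other code in the same JVM that relies on UGI sees this client's settings from then on. The existing comment explains why the call is needed but not how far it reaches. I would add `// NOTE: setConfiguration is static; this changes UGI settings for the whole JVM, not only for this transport` above the call. It would also be safer to apply the setting once rather than on every connection, since concurrent client construction otherwise rewrites global state repeatedly. The enclosing class starts and ends outside the hunk.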
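Review bot: The `Preconditions.checkNotNull(this.conf, ...)` that follows the new copy can no longer fire, because `new Configuration(conf)` always yields a non-null object and is expected to fail with a bare NullPointerException first when `conf` is null. Callers therefore lose the "Configuration object cannot be null" message. Check the argument before copying it: `this.conf = new Configuration(Preconditions.checkNotNull(conf, "Configuration object cannot be null"));`. The constructor body continues outside the hunk.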
@@ -130,6 +135,9 @@ public class SentryGenericServiceClientDefaultImpl implements SentryGenericServi serverAddress.getPort(), connectionTimeout); if (kerberos) { String serverPrincipal = Preconditions.checkNotNull(conf.get(ServerConfig.PRINCIPAL), ServerConfig.PRINCIPAL + " is required"); + // since the client uses hadoop-auth, we need to set kerberos in + // hadoop-auth if we plan to use kerberos + conf.set(HADOOP_SECURITY_AUTHENTICATION, ServerConfig.SECURITY_MODE_KERBEROS); // Resolve server host in the same way as we are doing on server side serverPrincipal = SecurityUtil.getServerPrincipal(serverPrincipal, serverAddress.getAddress()); @@ -142,7 +150,7 @@ public class SentryGenericServiceClientDefaultImpl implements SentryGenericServi .get(ServerConfig.SECURITY_USE_UGI_TRANSPORT, "true")); transport = new UgiSaslClientTransport(AuthMethod.KERBEROS.getMechanismName(), null, serverPrincipalParts[0], serverPrincipalParts[1], - ClientConfig.SASL_PROPERTIES, null, transport, wrapUgi); + ClientConfig.SASL_PROPERTIES, null, transport, wrapUgi, conf); } else { serverPrincipalParts = null; } http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/a01a7501/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/SentryShellSolr.java ---------------------------------------------------------------------- diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/SentryShellSolr.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/SentryShellSolr.java index ec786a5..15f4a26 100644 --- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/SentryShellSolr.java +++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/SentryShellSolr.java 
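Review bot: The added `conf.set(HADOOP_SECURITY_AUTHENTICATION, ...)` writes to the constructor parameter `conf`, which is the caller's object, and not to the private copy stored in `this.conf` earlier in this constructor, so the copy does not shield the caller from the modification it was made for. Unless `conf` is reassigned in lines not shown between the hunks, the caller's Configuration is switched to kerberos as a side effect. The next hunk (`@@ -142,7 +150,7 @@`) passes that same caller-owned object to `UgiSaslClientTransport`. Use the copy in both places: `this.conf.set(HADOOP_SECURITY_AUTHENTICATION, ServerConfig.SECURITY_MODE_KERBEROS);` and `ClientConfig.SASL_PROPERTIES, null, transport, wrapUgi, this.conf);`. The constructor starts and ends outside these hunks.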
@@ -45,6 +45,7 @@ public class SentryShellSolr extends SentryShellCommon { String requestorName = System.getProperty("user.name", ""); String component = "SOLR"; Configuration conf = getSentryConf(); + String service = conf.get(SOLR_SERVICE_NAME, "service1"); SentryGenericServiceClient client = SentryGenericServiceClientFactory.create(conf); @@ -94,7 +95,8 @@ public class SentryShellSolr extends SentryShellCommon { } } catch (Exception e) { LOGGER.error(e.getMessage(), e); - System.out.println("The operation failed, please refer to log file for the root cause."); + System.out.println("The operation failed." + + e.getMessage() == null ? "" : "Message: " + e.getMessage()); } }
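Review bot: The fallback `"service1"` in `conf.get(SOLR_SERVICE_NAME, "service1")` is an unexplained literal. This shell appears to act on roles and privileges, so a silent default decides which service the command applies to whenever the key is missing. Give the default a named constant with a comment such as `// service name used when SOLR_SERVICE_NAME is not configured`, and log the effective value so the operator can see what the command targeted. How `service` is consumed lies outside this hunk.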
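Review bot: The new message expression in the `catch` block does not evaluate the way it reads: `+` binds tighter than `==`, and `==` tighter than `?:`, so the condition is `("The operation failed." + e.getMessage()) == null`, which is never true. The output is therefore always `Message: <text>` (or `Message: null`), and "The operation failed." is never printed. Parenthesise the conditional: `System.out.println("The operation failed." + (e.getMessage() == null ? "" : " Message: " + e.getMessage()));`. Because the exception text now goes to the console instead of only to the log, it is worth confirming that client-side messages cannot carry connection or principal details that should stay in the log.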