Bharath Vissapragada has uploaded a new patch set (#6).

Change subject: IMPALA-2660: Respect auth_to_local configs from hdfs configs
......................................................................

IMPALA-2660: Respect auth_to_local configs from hdfs configs

This patch implements a new feature to read the auth_to_local
configs from hdfs configuration files, using the parameter
hadoop.security.auth_to_local. This is done by modifying the
User#getShortName() method to use its hdfs equivalent.

This patch includes an end-to-end authorization test using
Sentry where we add a specific auth_to_local setting for a certain
user and test if the Sentry authorization passes for this user
after applying these rules. Given we don't have tests that run
on a kerberized mini-cluster, this patch adds a hack to load this
configuration even on non-kerberized 'test runs'.

However, this feature is disabled by default to preserve the
existing behavior. To enable it,

1. Use Kerberos as the authentication mechanism (by setting --principal) and
2. Add "--load_auth_to_local_rules=true" to the cluster startup args

Change-Id: I76485b83c14ba26f6fce66e5f83e8014667829e0
---
M be/src/catalog/catalog.cc
M be/src/common/global-flags.cc
M be/src/service/frontend.cc
M fe/src/main/java/com/cloudera/impala/analysis/AnalysisContext.java
M fe/src/main/java/com/cloudera/impala/analysis/ShowGrantRoleStmt.java
M fe/src/main/java/com/cloudera/impala/analysis/ShowRolesStmt.java
M fe/src/main/java/com/cloudera/impala/authorization/AuthorizationChecker.java
M fe/src/main/java/com/cloudera/impala/authorization/User.java
M fe/src/main/java/com/cloudera/impala/service/BackendConfig.java
M fe/src/main/java/com/cloudera/impala/service/Frontend.java
M fe/src/main/java/com/cloudera/impala/service/JniCatalog.java
M fe/src/main/java/com/cloudera/impala/service/JniFrontend.java
M fe/src/main/java/com/cloudera/impala/util/RequestPoolService.java
M fe/src/main/java/com/cloudera/impala/util/SentryPolicyService.java
M fe/src/test/java/com/cloudera/impala/analysis/AuditingTest.java
M fe/src/test/java/com/cloudera/impala/analysis/AuthorizationTest.java
M fe/src/test/java/com/cloudera/impala/util/TestRequestPoolService.java
M fe/src/test/resources/authz-policy.ini.template
M testdata/cluster/node_templates/common/etc/hadoop/conf/core-site.xml.tmpl
19 files changed, 319 insertions(+), 93 deletions(-)


  git pull ssh://gerrit.cloudera.org:29418/Impala refs/changes/00/2800/6
-- 
To view, visit http://gerrit.cloudera.org:8080/2800
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings

Gerrit-MessageType: newpatchset
Gerrit-Change-Id: I76485b83c14ba26f6fce66e5f83e8014667829e0
Gerrit-PatchSet: 6
Gerrit-Project: Impala
Gerrit-Branch: cdh5-trunk
Gerrit-Owner: Bharath Vissapragada <[email protected]>
Gerrit-Reviewer: Alex Behm <[email protected]>
Gerrit-Reviewer: Bharath Vissapragada <[email protected]>
Gerrit-Reviewer: Henry Robinson <[email protected]>
Gerrit-Reviewer: Juan Yu <[email protected]>
Gerrit-Reviewer: Sailesh Mukil <[email protected]>
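
An added example, not part of the patch or of the Impala or Hadoop code: a simplified Python model of how hadoop.security.auth_to_local rules turn a Kerberos principal into the short name that authorization then sees, plus a check for distinct principals that end up sharing one short name. The rules, realms and principals are constructed for illustration, and the model covers only the DEFAULT and RULE:[n:format](regex)s/pattern/replacement/ forms.

```python
import re
from collections import defaultdict

# Simplified model of auth_to_local evaluation. Assumptions: Python regex
# stands in for Java regex, and $N group references in the replacement
# part of a rule are not modelled.
RULE = re.compile(r"RULE:\[(\d+):([^\]]*)\](?:\(([^)]*)\))?"
                  r"(?:s/([^/]*)/([^/]*)/(g)?)?(?:/?(L))?$")

def short_name(principal, rules, default_realm):
    """Return the short name produced by the first rule that applies."""
    name, _, realm = principal.partition("@")
    parts = [realm] + name.split("/")      # $0 = realm, $1.. = components
    for rule in rules:
        if rule == "DEFAULT":
            if realm == default_realm:
                return parts[1]
            continue
        m = RULE.match(rule)
        if m is None:
            raise ValueError("unparseable rule: " + rule)
        n, fmt, match, pat, repl, glob, lower = m.groups()
        if int(n) != len(parts) - 1:       # rule is for another component count
            continue
        base = re.sub(r"\$(\d)", lambda g: parts[int(g.group(1))], fmt)
        if match is not None and not re.fullmatch(match, base):
            continue
        if pat is not None:                # sed-style substitution, literal repl
            base = re.sub(pat, lambda _: repl, base, count=0 if glob else 1)
        if "@" in base or "/" in base:
            raise ValueError("rule left a non-simple name: " + base)
        return base.lower() if lower else base
    raise LookupError("no rule applies to " + principal)

def collisions(principals, rules, default_realm):
    """Group principals that map to the same short name."""
    groups = defaultdict(list)
    for p in principals:
        groups[short_name(p, rules, default_realm)].append(p)
    return {k: v for k, v in groups.items() if len(v) > 1}

# Constructed rule set and principals, for illustration only.
RULES = [
    r"RULE:[2:$1@$0](impala@EXAMPLE\.COM)s/.*/impala/",
    r"RULE:[1:$1@$0](.*@PARTNER\.EXAMPLE)s/@.*//",
    "DEFAULT",
]
PRINCIPALS = ["impala/host1.example.com@EXAMPLE.COM",
              "alice@EXAMPLE.COM", "alice@PARTNER.EXAMPLE"]
```

With these rules, `collisions(PRINCIPALS, RULES, "EXAMPLE.COM")` reports that `alice@EXAMPLE.COM` and `alice@PARTNER.EXAMPLE` both become `alice`, so any privilege granted to that short name applies to both principals.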
