> On Oct. 15, 2018, 10:38 p.m., Na Li wrote: > > sentry-service/sentry-service-server/src/test/java/org/apache/sentry/service/thrift/TestGSSCallback.java > > Lines 70 (patched) > > <https://reviews.apache.org/r/69030/diff/3/?file=2098163#file2098163line70> > > > > from this rule, it seems "us...@test.realm.com" should be allowed. > > What's the reason it is not valid?
No it shouldn't. Look at the setUp() method where the only user allowed to connect is hive. Here "us...@test.realm.com" maps to "solr" which is not "hive" so allowConnect returns false - Arjun ----------------------------------------------------------- This is an automatically generated e-mail. To reply, visit: https://reviews.apache.org/r/69030/#review209572 ----------------------------------------------------------- On Oct. 15, 2018, 9:56 p.m., Arjun Mishra wrote: > > ----------------------------------------------------------- > This is an automatically generated e-mail. To reply, visit: > https://reviews.apache.org/r/69030/ > ----------------------------------------------------------- > > (Updated Oct. 15, 2018, 9:56 p.m.) > > > Review request for sentry, kalyan kumar kalvagadda, Na Li, and Sergio Pena. > > > Bugs: SENTRY-2427 > https://issues.apache.org/jira/browse/SENTRY-2427 > > > Repository: sentry > > > Description > ------- > > Sentry doesn't use auth to local group mapping hadoop configuration. We may > have a use case for cross realm users to have access to sentry service and in > which case Sentry needs to have access to those configurations. Switching to > using KerberosName will handle that case and other cases as well > > > Diffs > ----- > > > sentry-service/sentry-service-server/src/main/java/org/apache/sentry/service/thrift/GSSCallback.java > d2d85d3a2 > > sentry-service/sentry-service-server/src/test/java/org/apache/sentry/service/thrift/TestGSSCallback.java > PRE-CREATION > > > Diff: https://reviews.apache.org/r/69030/diff/3/ > > > Testing > ------- > > > Thanks, > > Arjun Mishra > >