> On Jan. 28, 2019, 1:55 a.m., kalyan kumar kalvagadda wrote:
> > The idea here is to make sure that the hive client knows the details of the user
> > who is sending the request. In this specific case, hive should know the
> > details of the user who is running the sentry service. Using
> > sentry.service.server.principal and entry.service.realm doesn't seem
> > correct.
> >
> >
> > I have a thought.
> > ```java
> > public HMSClient connect() throws IOException, InterruptedException, MetaException {
> >   UserGroupInformation clientUGI = null;
> >   if (insecure) {
> >     // Insecure mode: identity is whoever launched the process.
> >     clientUGI = UserGroupInformation.getCurrentUser();
> >   } else {
> >     // Secure mode: identity comes from the Kerberos login subject.
> >     clientUGI = UserGroupInformation.getUGIFromSubject(kerberosContext.getSubject());
> >   }
> >   // Open the metastore connection under the chosen identity.
> >   return new HMSClient(clientUGI.doAs(new PrivilegedExceptionAction<HiveMetaStoreClient>() {
> >     @Override
> >     public HiveMetaStoreClient run() throws MetaException {
> >       return new HiveMetaStoreClient(hiveConf);
> >     }
> >   }));
> > }
> > ```
> > All you additionally have to do is change the tests to run the sentry server as
> > user "sentry".
> >
> > Here is the sample code. I have tested it locally.
>
> Na Li wrote:
> HiveSimpleConnectionFactory is used by HMSFollower to get notifications
> from HMS server. It is not used for any other purposes in Sentry.
>
> If we follow your suggestion, the user will be the login user; it
> could be "root" for one run, and "jenkins" for another run. How do we make sure
> fetching notifications from sentry works in your suggested approach?
>
> That is why I have this solution here: make sure the user is "sentry" in
> insecure mode, and add "sentry" as a service user in the HMS server.
>
> kalyan kumar kalvagadda wrote:
> Lina, the idea is to use UserGroupInformation.getCurrentUser(). Please
> look at the patch I suggested. All you have to do is perform doAs() while
> starting the service. I have sent you details offline.
>
> What you are suggesting will affect the users who are using sentry in non
> secure mode. The approach that I'm suggesting will address the issues with the
> tests and not change the behavior.
>
> Na Li wrote:
> Kalyan, your suggestion is the current code behavior without my code
> change.
>
> 1) Do you agree that when the sentry HMS follower gets a notification, the user
> name should be "sentry" instead of your name, or my name?
> 2) If you agree with the above, then your suggestion of using
> "UserGroupInformation.getCurrentUser()" won't work because it returns the current
> login name, which is your name when you run the test, my name if I run
> the test, or the Jenkins name if it runs on the build machine.
> 3) When we have read authorization, HMS needs to check if the user has
> read access to the metadata or if the user is a service user.
> 3.1) If your approach is used, how do we write a test for read
> authorization? We don't know what user name to configure as service user, or
> give read access to.
> 3.2) If my approach is used, we can add "sentry" as a service user in the test
> to pass read authorization, and sentry can get notifications.
Thanks! I have updated according to your suggestion: changed the caller of the
HiveSimpleConnectionFactory.
- Na
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/69841/#review212365
-----------------------------------------------------------
On Jan. 25, 2019, 9:07 p.m., Na Li wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/69841/
> -----------------------------------------------------------
>
> (Updated Jan. 25, 2019, 9:07 p.m.)
>
>
> Review request for sentry, Arjun Mishra, Haley Reeve, and kalyan kumar
> kalvagadda.
>
>
> Bugs: sentry-2486
> https://issues.apache.org/jira/browse/sentry-2486
>
>
> Repository: sentry
>
>
> Description
> -------
>
> In insecure mode, the current login user name is passed from Sentry to the HMS
> server when the sentry HMSFollower gets a full snapshot from HMS.
>
> The user name should be "sentry" instead of current login user.
>
> This issue should not happen in production because secure mode is always
> used. Insecure mode is only used in test.
>
>
> Diffs
> -----
>
>
> sentry-service/sentry-service-server/src/main/java/org/apache/sentry/service/thrift/HiveSimpleConnectionFactory.java
> 31e58fd
>
> sentry-service/sentry-service-server/src/test/java/org/apache/sentry/provider/db/service/persistent/TestHMSFollower.java
> 0d62941
>
> sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hdfs/TestHDFSIntegrationBase.java
> 47f7466
>
>
> Diff: https://reviews.apache.org/r/69841/diff/1/
>
>
> Testing
> -------
>
> Tested manually and verified that the user name is now "sentry" when the sentry
> HMSFollower gets notifications from the HMS server.
>
>
> Thanks,
>
> Na Li
>
>
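The following Java sketch is an added illustration of the two identity choices debated in the thread; it is not code from the patch under review or from the Sentry project. In insecure (SIMPLE) mode, `UserGroupInformation.getCurrentUser()` resolves to whichever OS account launched the process, which is why a test cannot know which name to register on the HMS side. Building a UGI for a fixed service name makes the identity the HMS follower presents deterministic, so a test can register that same name as an HMS service user. `UserGroupInformation.createRemoteUser(...)` is a real Hadoop API, but using it here is one way to realise the fixed-user idea and is an assumption about, not a copy of, Na Li's change; the `insecure` flag, `hiveConf`, the Kerberos subject and the fixed name "sentry" are taken from the snippets above, and `HmsClientIdentityExample` and `presentsExpectedUser` are names invented for this example. It needs hadoop-common and hive-metastore on the classpath.

```java
import java.io.IOException;
import java.security.PrivilegedExceptionAction;

import javax.security.auth.Subject;

import org.apache.hadoop.hive.conf.HiveConf;
import org.apache.hadoop.hive.metastore.HiveMetaStoreClient;
import org.apache.hadoop.hive.metastore.api.MetaException;
import org.apache.hadoop.security.UserGroupInformation;

/**
 * Added example (not project code): selects the identity under which an HMS
 * follower talks to the Hive Metastore, contrasting the login-user and the
 * fixed-service-user approaches discussed in the review thread.
 */
public class HmsClientIdentityExample {
  // Constructed value for the example: the service name the test registers in HMS.
  static final String SERVICE_USER = "sentry";

  private final boolean insecure;
  private final HiveConf hiveConf;
  private final Subject kerberosSubject; // stands in for kerberosContext.getSubject()

  HmsClientIdentityExample(boolean insecure, HiveConf hiveConf, Subject kerberosSubject) {
    this.insecure = insecure;
    this.hiveConf = hiveConf;
    this.kerberosSubject = kerberosSubject;
  }

  /** Variant A: the login user. In insecure mode this is the OS account (root, jenkins, ...). */
  UserGroupInformation loginUserUgi() throws IOException {
    return UserGroupInformation.getCurrentUser();
  }

  /** Variant B: a UGI carrying a fixed service name, independent of who launched the process. */
  UserGroupInformation fixedServiceUgi() {
    return UserGroupInformation.createRemoteUser(SERVICE_USER);
  }

  /** Picks the identity for the connection: fixed name when insecure, Kerberos subject otherwise. */
  UserGroupInformation clientUgi() throws IOException {
    if (insecure) {
      return fixedServiceUgi();
    }
    return UserGroupInformation.getUGIFromSubject(kerberosSubject);
  }

  /** Opens the metastore client under the chosen identity, as the original snippet does with doAs(). */
  HiveMetaStoreClient connect() throws IOException, InterruptedException {
    UserGroupInformation ugi = clientUgi();
    return ugi.doAs(new PrivilegedExceptionAction<HiveMetaStoreClient>() {
      @Override
      public HiveMetaStoreClient run() throws MetaException {
        return new HiveMetaStoreClient(hiveConf);
      }
    });
  }

  /**
   * Check a test can make before relying on HMS-side authorization: does the
   * identity we are about to present match the name HMS was configured to trust?
   */
  static boolean presentsExpectedUser(UserGroupInformation ugi, String expectedUser) {
    return expectedUser.equals(ugi.getShortUserName());
  }
}
```

In insecure mode the name carried by the UGI only reaches HMS through the client's `set_ugi` call, which `HiveMetaStoreClient` issues when `hive.metastore.execute.setugi` is enabled on both client and server; with that setting off, an HMS-side service-user check never sees the follower's name at all, whichever variant is chosen.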