[jira] [Commented] (SENTRY-1736) Generic service client should support Kerberos

kalyan kumar kalvagadda (JIRA) Thu, 18 May 2017 08:53:16 -0700

    [ 
https://issues.apache.org/jira/browse/SENTRY-1736?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16015975#comment-16015975
 ]


kalyan kumar kalvagadda commented on SENTRY-1736:
-------------------------------------------------

*Issue created by the missing code and the importance of the code.*

When ever UserGroupInformation class is instantiated it uses the static 
information in the construction of the object. This static information is 
initialized from Configuration. One of the property UserGroupInformation uses 
is HADOOP_SECURITY_AUTHENTICATION. When kerberos is enabled, this property is 
set to "kerberos". If this property is not set, kerberos would not be used by 
the client using it.

*Behavior observed with Hive, Sentry*

Hive calls setConfiguration on UserGroupInformation before connecting to other 
service using kerberos so nothings need to be done from the client side like 
wise when sentry connects to Hive, sentry calls setConfiguration on 
UserGroupInformation before using Hive client to connect to Hive.

*Behavior observed with Solr and Kafka*
But the command-line tools that we use for Solr and kafka  does not call 
setConfiguration on UserGroupInformation before connecting to sentry service. 
SentryGenericServiceClientDefaultImpl used to update the configuration provided 
with "HADOOP_SECURITY_AUTHENTICATION" property and explicitly called 
setConfiguration on UserGroupInformation before instantiating 
UserGroupInformation.  This code was commented as part of SENTRY-1593 as I did 
not know the exact purpose of code. I'm not exactly sure how Solr and kafka 
really communicate to sentry.





> Generic service client should support Kerberos
> ----------------------------------------------
>
>                 Key: SENTRY-1736
>                 URL: https://issues.apache.org/jira/browse/SENTRY-1736
>             Project: Sentry
>          Issue Type: Sub-task
>          Components: Sentry
>    Affects Versions: sentry-ha-redesign
>            Reporter: Alexander Kolbasov
>            Assignee: kalyan kumar kalvagadda
>         Attachments: SENTRY-1736.001-sentry-ha-redesign.patch, 
> SENTRY-1736.002-sentry-ha-redesign.patch
>
>
> The  {{SentryGenericServiceClientDefaultImpl}} has the following comment in 
> constructor:
> {code}
>     //TODO(kalyan) need to find appropriate place to add it
>     // if (kerberos) {
>     //  // since the client uses hadoop-auth, we need to set kerberos in
>     //  // hadoop-auth if we plan to use kerberos
>     //  conf.set(HADOOP_SECURITY_AUTHENTICATION, 
> SentryConstants.KERBEROS_MoODE);
>     // }
> {code}
> This should be actually implemented.



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)

[jira] [Commented] (SENTRY-1736) Generic service client should support Kerberos

Reply via email to