This is an automated email from the ASF dual-hosted git repository. linaataustin pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/sentry.git
The following commit(s) were added to refs/heads/master by this push: new 63f7f89 SENTRY-2486: Wrong user name when sentry HMSFollower gets full snapshot from HMS at insecure mode (Na Li, reviewed by Arjun Mishra, Kalyan Kumar Kalvagadda) 63f7f89 is described below commit 63f7f8939bc9a02272a4033b07ee4cb95d8d4785 Author: lina.li <lina...@cloudera.com> AuthorDate: Mon Jan 28 14:58:09 2019 -0600 SENTRY-2486: Wrong user name when sentry HMSFollower gets full snapshot from HMS at insecure mode (Na Li, reviewed by Arjun Mishra, Kalyan Kumar Kalvagadda) --- .../service/thrift/HiveSimpleConnectionFactory.java | 10 +++++++--- .../provider/db/service/persistent/TestHMSFollower.java | 2 ++ .../sentry/tests/e2e/hdfs/TestHDFSIntegrationBase.java | 15 +++++++++++---- 3 files changed, 20 insertions(+), 7 deletions(-) diff --git a/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/service/thrift/HiveSimpleConnectionFactory.java b/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/service/thrift/HiveSimpleConnectionFactory.java index 31e58fd..f57175c 100644 --- a/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/service/thrift/HiveSimpleConnectionFactory.java +++ b/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/service/thrift/HiveSimpleConnectionFactory.java @@ -76,6 +76,7 @@ public final class HiveSimpleConnectionFactory implements HiveConnectionFactory return; } + LOGGER.info("Using secured connection to HMS"); int port = conf.getInt(ServerConfig.RPC_PORT, ServerConfig.RPC_PORT_DEFAULT); String rawPrincipal = Preconditions.checkNotNull(conf.get(ServerConfig.PRINCIPAL), "%s is required", ServerConfig.PRINCIPAL); 
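Review bot: The added `LOGGER.info("Using secured connection to HMS");` records only the Kerberos path, while the insecure early return that ends just above it is the mode an operator most needs to see in the log. Unless that branch already logs (its body is outside the hunk), I would add `LOGGER.warn("Using insecure connection to HMS; the caller identity is not authenticated");` before its `return;`. The enclosing method starts and ends outside the hunk.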
@@ -106,11 +107,14 @@ public final class HiveSimpleConnectionFactory implements HiveConnectionFactory * @throws MetaException if other errors happened */ public HMSClient connect() throws IOException, InterruptedException, MetaException { + UserGroupInformation clientUGI; + if (insecure) { - return new HMSClient(new HiveMetaStoreClient(hiveConf)); - } - UserGroupInformation clientUGI = + clientUGI = UserGroupInformation.getCurrentUser(); + } else { + clientUGI = UserGroupInformation.getUGIFromSubject(kerberosContext.getSubject()); + } return new HMSClient(clientUGI.doAs(new PrivilegedExceptionAction<HiveMetaStoreClient>() { @Override public HiveMetaStoreClient run() throws MetaException { diff --git a/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/provider/db/service/persistent/TestHMSFollower.java b/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/provider/db/service/persistent/TestHMSFollower.java index 0d62941..310cf6a 100644 --- a/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/provider/db/service/persistent/TestHMSFollower.java +++ b/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/provider/db/service/persistent/TestHMSFollower.java @@ -53,6 +53,7 @@ import org.apache.sentry.binding.metastore.messaging.json.SentryJSONMessageFacto import org.apache.sentry.core.common.utils.PubSub; import org.apache.sentry.core.common.utils.SentryConstants; import org.apache.sentry.hdfs.UniquePathsUpdate; +import org.apache.sentry.service.common.ServiceConstants.ServerConfig; import org.apache.sentry.service.thrift.SentryHMSClient; import org.apache.sentry.service.thrift.HiveConnectionFactory; import org.apache.sentry.service.thrift.HiveSimpleConnectionFactory; 
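Review bot: The insecure branch of connect() in the `@@ -106,11 +107,14 @@` hunk now presents whatever `UserGroupInformation.getCurrentUser()` returns to HMS, and neither the code nor the Javadoc above it says that this name comes from the running process and is not authenticated. I would add a comment on that branch, `// Insecure mode: HMS sees the Sentry process user; the name is asserted, not authenticated`, and extend the Javadoc with the identity used in each mode. The test changes later in this commit add `sentry` to `sentry.metastore.service.users`, so a deployment presumably needs the same entry for the account Sentry runs as, which exempts that name from the metastore check; that requirement belongs in the Javadoc or release notes too. Logging the resolved name once, for example `LOGGER.debug("Connecting to HMS as " + clientUGI.getShortUserName());`, would let operators confirm which identity is in use. The body of connect() continues past the end of the hunk.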
@@ -85,6 +86,7 @@ public class TestHMSFollower { @BeforeClass public static void setup() throws IOException, LoginException { + configuration.set(ServerConfig.PRINCIPAL, "sentry/_h...@test.com"); hiveConnectionFactory = new HiveSimpleConnectionFactory(configuration, new HiveConf()); hiveConnectionFactory.init(); configuration.set("sentry.hive.sync.create", "true"); diff --git a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hdfs/TestHDFSIntegrationBase.java b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hdfs/TestHDFSIntegrationBase.java index 47f7466..4c09e68 100644 --- a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hdfs/TestHDFSIntegrationBase.java +++ b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hdfs/TestHDFSIntegrationBase.java @@ -193,6 +193,7 @@ public abstract class TestHDFSIntegrationBase { protected static File policyFileLocation; protected static UserGroupInformation adminUgi; protected static UserGroupInformation hiveUgi; + protected static UserGroupInformation sentryUgi; // Variables which are used for cleanup after test // Please set these values in each test @@ -520,6 +521,9 @@ public abstract class TestHDFSIntegrationBase { hiveUgi = UserGroupInformation.createUserForTesting( "hive", new String[] { "hive" }); + sentryUgi = UserGroupInformation.createUserForTesting( + "sentry", new String[] { "sentry" }); + // Create SentryService and its internal objects. // Set Sentry port createSentry(); 
@@ -579,7 +583,8 @@ public abstract class TestHDFSIntegrationBase { // on the storage. hiveConf.set("hive.metastore.authorization.storage.checks", "true"); hiveConf.set("hive.metastore.uris", "thrift://localhost:" + hmsPort); - hiveConf.set("sentry.metastore.service.users", "hive");// queries made by hive user (beeline) skip meta store check + // queries made by hive user (beeline) and sentry to HMS skip meta store check + hiveConf.set("sentry.metastore.service.users", "hive,sentry"); File confDir = assertCreateDir(new File(baseDir, "etc")); File hiveSite = new File(confDir, "hive-site.xml"); @@ -662,7 +667,8 @@ public abstract class TestHDFSIntegrationBase { hiveConf.set("hive.metastore.event.message.factory", "org.apache.sentry.binding.metastore.messaging.json.SentryJSONMessageFactory"); hiveConf.set("hive.security.authorization.task.factory", "org.apache.sentry.binding.hive.SentryHiveAuthorizationTaskFactoryImpl"); hiveConf.set("hive.server2.session.hook", "org.apache.sentry.binding.hive.HiveAuthzBindingSessionHook"); - hiveConf.set("sentry.metastore.service.users", "hive");// queries made by hive user (beeline) skip meta store check + // queries made by hive user (beeline) and sentry to HMS skip meta store check + hiveConf.set("sentry.metastore.service.users", "hive,sentry"); // make sure metastore calls sentry post event listener hiveConf.set("hive.metastore.event.listeners", "org.apache.sentry.binding.metastore.SentrySyncHMSNotificationsPostEventListener"); @@ -852,7 +858,7 @@ public abstract class TestHDFSIntegrationBase { } SentryHDFSServiceClientFactory.factoryReset(); try { - hiveUgi.doAs(new PrivilegedExceptionAction() { + sentryUgi.doAs(new PrivilegedExceptionAction() { @Override public Void run() throws Exception { sentryServer.startAll(); 
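Review bot: The `"hive,sentry"` value and its comment are written twice, here in the `@@ -579,7 +583,8 @@` hunk and again in `@@ -662,7 +667,8 @@`, so the two configurations can drift when the next service account is added. A shared constant such as `private static final String METASTORE_SERVICE_USERS = "hive,sentry";` used in both `hiveConf.set` calls would keep them in step. The comment could also say that every name in this list skips the metastore check, which is why it should hold only service accounts. Both enclosing methods extend beyond their hunks.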
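Review bot: The changed line in the `@@ -852,7 +858,7 @@` hunk keeps the raw type `new PrivilegedExceptionAction()` although `run()` is declared to return `Void`; the equivalent call in createSentry() is already parameterized. I would write `sentryUgi.doAs(new PrivilegedExceptionAction<Void>() {` here as well, which removes the unchecked warning. The enclosing method starts and ends outside the hunk.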
@@ -869,10 +875,11 @@ public abstract class TestHDFSIntegrationBase { private static void createSentry() throws Exception { try { - hiveUgi.doAs(new PrivilegedExceptionAction<Void>() { + sentryUgi.doAs(new PrivilegedExceptionAction<Void>() { @Override public Void run() throws Exception { sentryConf.set(SENTRY_HDFS_INTEGRATION_PATH_PREFIXES, MANAGED_PREFIXES); + sentryProperties.put(ServerConfig.PRINCIPAL, "sentry/_h...@test.com"); sentryProperties.put(HiveServerFactory.AUTHZ_PROVIDER_BACKEND, SimpleDBProviderBackend.class.getName()); sentryProperties.put(ConfVars.HIVE_AUTHORIZATION_TASK_FACTORY.varname,