Repository: incubator-sentry Updated Branches: refs/heads/master 398183228 -> b08717243
SENTRY-294: The Sentry service client should execute UGI privilege action by default ( Prasad Mujumdar via Sravya Tirukkovalur) Project: http://git-wip-us.apache.org/repos/asf/incubator-sentry/repo Commit: http://git-wip-us.apache.org/repos/asf/incubator-sentry/commit/b0871724 Tree: http://git-wip-us.apache.org/repos/asf/incubator-sentry/tree/b0871724 Diff: http://git-wip-us.apache.org/repos/asf/incubator-sentry/diff/b0871724 Branch: refs/heads/master Commit: b08717243372973d2b264617314de629065278cb Parents: 3981832 Author: Sravya Tirukkovalur <[email protected]> Authored: Thu Jun 12 15:38:17 2014 -0700 Committer: Sravya Tirukkovalur <[email protected]> Committed: Thu Jun 12 15:38:17 2014 -0700 ---------------------------------------------------------------------- .../java/org/apache/sentry/binding/hive/HiveAuthzBindingHook.java | 2 -- .../provider/db/service/thrift/SentryPolicyServiceClient.java | 2 +- .../java/org/apache/sentry/service/thrift/ServiceConstants.java | 2 +- .../apache/sentry/service/thrift/SentryServiceIntegrationBase.java | 1 + 4 files changed, 3 insertions(+), 4 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/b0871724/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingHook.java ---------------------------------------------------------------------- diff --git a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingHook.java b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingHook.java index 042fb00..6c507b8 100644 --- a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingHook.java +++ b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingHook.java @@ -65,7 +65,6 @@ import org.apache.sentry.core.model.db.DBModelAuthorizable; import org.apache.sentry.core.model.db.DBModelAuthorizable.AuthorizableType; import org.apache.sentry.core.model.db.Database; import org.apache.sentry.core.model.db.Table; -import org.apache.sentry.service.thrift.ServiceConstants.ServerConfig; import org.slf4j.Logger; import org.slf4j.LoggerFactory; @@ -121,7 +120,6 @@ implements HiveDriverFilterHook { + " specifies a malformed URL '" + hiveAuthzConf + "'", e); } } - newAuthzConf.set(ServerConfig.SECURITY_USE_UGI_TRANSPORT, "true"); return newAuthzConf; } http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/b0871724/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyServiceClient.java ---------------------------------------------------------------------- diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyServiceClient.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyServiceClient.java index afbedb3..15a2e43 100644 --- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyServiceClient.java +++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyServiceClient.java @@ -139,7 +139,7 @@ public class SentryPolicyServiceClient { Preconditions.checkArgument(serverPrincipalParts.length == 3, "Kerberos principal should have 3 parts: " + serverPrincipal); boolean wrapUgi = "true".equalsIgnoreCase(conf - .get(ServerConfig.SECURITY_USE_UGI_TRANSPORT)); + .get(ServerConfig.SECURITY_USE_UGI_TRANSPORT, "true")); transport = new UgiSaslClientTransport(AuthMethod.KERBEROS.getMechanismName(), null, serverPrincipalParts[0], serverPrincipalParts[1], ClientConfig.SASL_PROPERTIES, null, transport, wrapUgi); http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/b0871724/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/ServiceConstants.java ---------------------------------------------------------------------- diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/ServiceConstants.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/ServiceConstants.java index ba6a712..111fabf 100644 --- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/ServiceConstants.java +++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/ServiceConstants.java @@ -53,7 +53,7 @@ public class ServiceConstants { public static final String SECURITY_MODE = "sentry.service.security.mode"; public static final String SECURITY_MODE_KERBEROS = "kerberos"; public static final String SECURITY_MODE_NONE = "none"; - public static final String SECURITY_USE_UGI_TRANSPORT = "true"; + public static final String SECURITY_USE_UGI_TRANSPORT = "sentry.service.security.use.ugi"; public static final String ADMIN_GROUPS = "sentry.service.admin.group"; public static final String PRINCIPAL = "sentry.service.server.principal"; public static final String KEY_TAB = "sentry.service.server.keytab"; http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/b0871724/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/service/thrift/SentryServiceIntegrationBase.java ---------------------------------------------------------------------- diff --git a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/service/thrift/SentryServiceIntegrationBase.java b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/service/thrift/SentryServiceIntegrationBase.java index 20265a4..838e8d3 100644 --- a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/service/thrift/SentryServiceIntegrationBase.java +++ b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/service/thrift/SentryServiceIntegrationBase.java @@ -139,6 +139,7 @@ public abstract class SentryServiceIntegrationBase extends KerberosSecurityTestc // therefore we must manually login in the integration tests final SentryServiceClientFactory factory = new SentryServiceClientFactory(); if (kerberos) { + conf.set(ServerConfig.SECURITY_USE_UGI_TRANSPORT, "false"); clientSubject = new Subject(false, Sets.newHashSet( new KerberosPrincipal(CLIENT_KERBEROS_NAME)), new HashSet<Object>(), new HashSet<Object>());
