SENTRY-776: Sentry client should support cache based kerberos ticket for secure zookeeper connection (Prasad Mujumdar via Sravya Tirukkovalur)
Project: http://git-wip-us.apache.org/repos/asf/incubator-sentry/repo Commit: http://git-wip-us.apache.org/repos/asf/incubator-sentry/commit/9943a33f Tree: http://git-wip-us.apache.org/repos/asf/incubator-sentry/tree/9943a33f Diff: http://git-wip-us.apache.org/repos/asf/incubator-sentry/diff/9943a33f Branch: refs/heads/hive_plugin_v2 Commit: 9943a33f71f1257f95bb4ee956f94e2d3c85cb84 Parents: c56f1d2 Author: Sravya Tirukkovalur <[email protected]> Authored: Mon Jun 29 11:22:04 2015 -0700 Committer: Sravya Tirukkovalur <[email protected]> Committed: Mon Jun 29 11:22:04 2015 -0700 ---------------------------------------------------------------------- .../db/service/persistent/HAContext.java | 22 ++++++++++++++++---- .../service/thrift/JaasConfiguration.java | 18 +++++++++++++++- .../sentry/service/thrift/ServiceConstants.java | 2 ++ .../thrift/SentryServiceIntegrationBase.java | 6 ++++-- 4 files changed, 41 insertions(+), 7 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/9943a33f/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/persistent/HAContext.java ----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/persistent/HAContext.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/persistent/HAContext.java
index 71935b1..ada6308 100644
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/persistent/HAContext.java
+++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/persistent/HAContext.java
@@ -21,7 +21,11 @@ package org.apache.sentry.provider.db.service.persistent; import java.io.IOException; import java.util.Arrays; import java.util.Collections; +import java.util.HashMap; import java.util.List; +import java.util.Map; + +import javax.security.auth.login.AppConfigurationEntry; import org.apache.curator.RetryPolicy; import org.apache.curator.framework.CuratorFramework; @@ -57,6 +61,7 @@ public class HAContext { private static boolean aclChecked = false; public final static String SENTRY_SERVICE_REGISTER_NAMESPACE = "sentry-service"; + public static final String SENTRY_ZK_JAAS_NAME = "SentryClient"; private final String zookeeperQuorum; private final int retriesMaxCount; private final int sleepMsBetweenRetries; @@ -84,7 +89,8 @@ public class HAContext { if (zkSecure) { LOGGER.info("Connecting to ZooKeeper with SASL/Kerberos and using 'sasl' ACLs"); setJaasConfiguration(conf); - System.setProperty(ZooKeeperSaslClient.LOGIN_CONTEXT_NAME_KEY, "Client"); + System.setProperty(ZooKeeperSaslClient.LOGIN_CONTEXT_NAME_KEY, + SENTRY_ZK_JAAS_NAME); saslACL = Lists.newArrayList(); saslACL.add(new ACL(Perms.ALL, new Id("sasl", getServicePrincipal(conf, ServerConfig.PRINCIPAL)))); 
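Review bot: `SENTRY_ZK_JAAS_NAME` is added in the second hunk without any comment, yet the third hunk makes it the login context that `ZooKeeperSaslClient.LOGIN_CONTEXT_NAME_KEY` selects in place of ZooKeeper's conventional "Client" section, which is exactly the kind of rename an operator debugging a SASL failure needs to find quickly. Suggest a Javadoc on the constant: `/** JAAS login-context name the server registers in setJaasConfiguration and selects via ZooKeeperSaslClient.LOGIN_CONTEXT_NAME_KEY for its ZooKeeper client; used instead of ZooKeeper's default "Client" section. */`. As a point of style, the new line uses `public static final` while the neighbouring `SENTRY_SERVICE_REGISTER_NAMESPACE` uses `public final static`; pick one ordering for the two. The `if (zkSecure)` block in the third hunk continues past the hunk.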
@@ -227,16 +233,24 @@ public class HAContext { // This gets ignored during most tests, see ZKXTestCaseWithSecurity#setupZKServer() private void setJaasConfiguration(Configuration conf) throws IOException { + if ("false".equalsIgnoreCase(conf.get( + ServerConfig.SERVER_HA_ZOOKEEPER_CLIENT_TICKET_CACHE, + ServerConfig.SERVER_HA_ZOOKEEPER_CLIENT_TICKET_CACHE_DEFAULT))) { String keytabFile = conf.get(ServerConfig.SERVER_HA_ZOOKEEPER_CLIENT_KEYTAB); Preconditions.checkArgument(keytabFile.length() != 0, "Keytab File is not right."); String principal = conf.get(ServerConfig.SERVER_HA_ZOOKEEPER_CLIENT_PRINCIPAL); - principal = SecurityUtil.getServerPrincipal(principal, conf.get(ServerConfig.RPC_ADDRESS)); + principal = SecurityUtil.getServerPrincipal(principal, + conf.get(ServerConfig.RPC_ADDRESS, ServerConfig.RPC_ADDRESS_DEFAULT)); Preconditions.checkArgument(principal.length() != 0, "Kerberos principal is not right."); // This is equivalent to writing a jaas.conf file and setting the system property, "java.security.auth.login.config", to // point to it (but this way we don't have to write a file, and it works better for the tests) - JaasConfiguration.addEntry("Client", principal, keytabFile); - javax.security.auth.login.Configuration.setConfiguration(JaasConfiguration.getInstance()); + JaasConfiguration.addEntryForKeytab(SENTRY_ZK_JAAS_NAME, principal, keytabFile); + } else { + // Create jaas conf for ticket cache + JaasConfiguration.addEntryForTicketCache(SENTRY_ZK_JAAS_NAME); + } + javax.security.auth.login.Configuration.setConfiguration(JaasConfiguration.getInstance()); } public class SASLOwnerACLProvider implements ACLProvider { http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/9943a33f/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/JaasConfiguration.java ---------------------------------------------------------------------- 
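Review bot: The new guard `"false".equalsIgnoreCase(conf.get(...TICKET_CACHE, ...DEFAULT))` fails open: any value that is not literally "false" (a typo such as "flase", or "no"/"0") silently skips the keytab and principal checks and makes the server authenticate to ZooKeeper with whatever credential happens to be in the process's Kerberos ticket cache. Only an explicit "true" should opt in, e.g. `if (!Boolean.parseBoolean(conf.get(ServerConfig.SERVER_HA_ZOOKEEPER_CLIENT_TICKET_CACHE, ServerConfig.SERVER_HA_ZOOKEEPER_CLIENT_TICKET_CACHE_DEFAULT))) {`, which keeps the "false" default behaviour unchanged. In the keytab branch, `keytabFile.length() != 0` throws a bare NullPointerException when the key is unset rather than the "Keytab File is not right." message; this predates the commit, but since the branch is being touched a `Preconditions.checkNotNull(keytabFile, "Keytab File is not right.")` before the length check would give operators a usable error. A log line in the else branch stating that ticket-cache mode is in use would also help correlate which identity reached ZooKeeper.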
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/JaasConfiguration.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/JaasConfiguration.java
index d5f55fe..64ecae2 100644
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/JaasConfiguration.java
+++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/JaasConfiguration.java
@@ -72,7 +72,7 @@ public class JaasConfiguration extends Configuration {
 * @param principal The principal of the user
 * @param keytab The location of the keytab
 */
- public static void addEntry(String name, String principal, String keytab) {
+ public static void addEntryForKeytab(String name, String principal, String keytab) {
 Map<String, String> options = new HashMap<String, String>();
 options.put("keyTab", keytab);
 options.put("principal", principal);
@@ -85,6 +85,22 @@ public class JaasConfiguration extends Configuration {
 }
 
 /**
+ * Add an entry to the jaas configuration with the passed in name. The other
+ * necessary options will be set for you.
+ *
+ * @param name The name of the entry (e.g. "Client")
+ */
+ public static void addEntryForTicketCache(String sectionName) {
+ Map<String, String> options = new HashMap<String, String>();
+ options.put("useKeyTab", "false");
+ options.put("storeKey", "false");
+ options.put("useTicketCache", "true");
+ AppConfigurationEntry entry = new AppConfigurationEntry(krb5LoginModuleName,
+ AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, options);
+ entries.put(sectionName, entry);
+ }
+
+ /**
 * Removes the specified entry.
 *
 * @param name The name of the entry to remove
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/9943a33f/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/ServiceConstants.java ----------------------------------------------------------------------
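Review bot: The Javadoc on `addEntryForTicketCache` documents `@param name` but the parameter is `sectionName`, and the copied summary ("The other necessary options will be set for you") does not say what distinguishes this entry from `addEntryForKeytab`: it sets `useTicketCache` with no `keyTab` and no `principal` option, so the identity used is whatever the calling process's Kerberos ticket cache holds rather than a configured principal. Suggest renaming the parameter to `name` for consistency with the sibling method and a Javadoc along the lines of: `Add an entry that authenticates with the credentials already present in the process's Kerberos ticket cache (useTicketCache=true; no keytab and no principal are pinned, so the cached identity is whatever the process was started with).` with a matching `@param name The name of the entry (e.g. "Client")`. If callers are expected to constrain the identity, an overload that also takes a principal and puts it into `options` would be worth considering, but that is beyond what this hunk shows.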
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/ServiceConstants.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/ServiceConstants.java index 54dbac5..0d775f1 100644 --- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/ServiceConstants.java +++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/ServiceConstants.java @@ -126,6 +126,8 @@ public class ServiceConstants { // principal and keytab for client to be able to connect to secure ZK. Needed for Sentry HA with secure ZK public static final String SERVER_HA_ZOOKEEPER_CLIENT_PRINCIPAL = "sentry.zookeeper.client.principal"; public static final String SERVER_HA_ZOOKEEPER_CLIENT_KEYTAB = "sentry.zookeeper.client.keytab"; + public static final String SERVER_HA_ZOOKEEPER_CLIENT_TICKET_CACHE = "sentry.zookeeper.client.ticketcache"; + public static final String SERVER_HA_ZOOKEEPER_CLIENT_TICKET_CACHE_DEFAULT = "false"; public static final ImmutableMap<String, String> SENTRY_STORE_DEFAULTS = ImmutableMap.<String, String>builder() .put("datanucleus.connectionPoolingType", "BoneCP") http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/9943a33f/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/service/thrift/SentryServiceIntegrationBase.java ---------------------------------------------------------------------- diff --git a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/service/thrift/SentryServiceIntegrationBase.java b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/service/thrift/SentryServiceIntegrationBase.java index 1b9691e..c132e13 100644 --- a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/service/thrift/SentryServiceIntegrationBase.java +++ b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/service/thrift/SentryServiceIntegrationBase.java 
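Review bot: The two new constants `SERVER_HA_ZOOKEEPER_CLIENT_TICKET_CACHE` and `SERVER_HA_ZOOKEEPER_CLIENT_TICKET_CACHE_DEFAULT` carry no comment, while the neighbouring principal/keytab keys are introduced by one; an operator reading ServiceConstants cannot tell that this key changes which credential the server presents to ZooKeeper. Suggest, above the pair: `// When set to anything other than "false", the secure-ZK client authenticates from the process's Kerberos ticket cache instead of the principal/keytab above (see HAContext.setJaasConfiguration)`. The wording "anything other than false" mirrors the check in HAContext; if that check is tightened to an explicit "true", adjust the comment accordingly.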
@@ -34,6 +34,7 @@ import org.apache.hadoop.conf.Configuration; import org.apache.hadoop.minikdc.MiniKdc; import org.apache.hadoop.net.NetUtils; import org.apache.sentry.SentryUserException; +import org.apache.sentry.provider.db.service.persistent.HAContext; import org.apache.sentry.provider.db.service.thrift.SentryMiniKdcTestcase; import org.apache.sentry.provider.db.service.thrift.SentryPolicyServiceClient; import org.apache.sentry.provider.db.service.thrift.TSentryRole; @@ -323,9 +324,10 @@ public abstract class SentryServiceIntegrationBase extends SentryMiniKdcTestcase System.setProperty("zookeeper.kerberos.removeHostFromPrincipal", "true"); System.setProperty("zookeeper.kerberos.removeRealmFromPrincipal", "true"); - JaasConfiguration.addEntry("Server", ZK_SERVER_PRINCIPAL, ZKKeytabFile.getAbsolutePath()); + JaasConfiguration.addEntryForKeytab("Server", ZK_SERVER_PRINCIPAL, ZKKeytabFile.getAbsolutePath()); // Here's where we add the "Client" to the jaas configuration, even though we'd like not to - JaasConfiguration.addEntry("Client", SERVER_KERBEROS_NAME, serverKeytab.getAbsolutePath()); + JaasConfiguration.addEntryForKeytab(HAContext.SENTRY_ZK_JAAS_NAME, + SERVER_KERBEROS_NAME, serverKeytab.getAbsolutePath()); javax.security.auth.login.Configuration.setConfiguration(JaasConfiguration.getInstance()); System.setProperty(ZooKeeperSaslServer.LOGIN_CONTEXT_NAME_KEY, "Server");
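Review bot: The comment `// Here's where we add the "Client" to the jaas configuration, even though we'd like not to` in the second hunk is now stale: the entry below it is registered under `HAContext.SENTRY_ZK_JAAS_NAME`, which the HAContext hunk defines as "SentryClient", not "Client". Suggest `// Here's where we add the HAContext.SENTRY_ZK_JAAS_NAME entry to the jaas configuration, even though we'd like not to`. The enclosing test setup method starts and ends outside the hunk.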
