-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/59006/
-----------------------------------------------------------

Review request for sentry and Alexander Kolbasov.


Repository: sentry


Description
-------

Looking at the code of Sentry and HiveMetaStoreClient, it looks like this problem has been there for a long time. But it's mostly masked by the restarts we are doing after the clean deployment.

So during the course of the initial service start, Sentry and the other services don't have any keytabs active under the local Unix user, and during this time the Sentry log is cluttered with the above errors. But after we do a restart once deployment completes, the Sentry code picks up the principal that was activated under the "sentry" user (which users do for testing purposes) and thus works properly.

*Ideally* the service processes shouldn't depend on the keytabs active for the running Unix user, but rather use the keytabs supplied by the startup system in the process directory.

Looking at the code of [HMSFollower|https://github.com/apache/sentry/blob/sentry-ha-redesign/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/HMSFollower.java], we invoke the Hive classes (HiveMetaStoreClient), which exclusively use the UserGroupInformation object. And for the UserGroupInformation object to pick up the keytab, one should explicitly call methods like [loginUserFromKeytabAndReturnUGI|https://github.com/apache/hadoop/blob/61858a5c378da75aff9cde84d418af46d718d08b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/UserGroupInformation.java#L1406] or use [getUGIFromSubject|https://github.com/apache/hadoop/blob/61858a5c378da75aff9cde84d418af46d718d08b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/UserGroupInformation.java#L841]. Given that HMSFollower already logs in with the keytab, we can leverage the method getUGIFromSubject() to make the UserGroupInformation aware of keytab authentication.

If the UGI object is not made aware of the keytab, then the invocation of [UserGroupInformation#getCurrentUser|https://github.com/apache/hadoop/blob/61858a5c378da75aff9cde84d418af46d718d08b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/UserGroupInformation.java#L736-L742] falls back to using the Unix user. To avoid this, we need to add extra logic to HMSFollower to make UserGroupInformation aware of the keytab, so that it uses it for communication with HMS.


Diffs
-----

  sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/HMSFollower.java ec8676e 


Diff: https://reviews.apache.org/r/59006/diff/1/


Testing
-------

Successfully verified that without a keytab active on the Unix user, the program was able to connect to HMS using the supplied keytab.


Thanks,

Vamsee Yarlagadda
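The two keytab-aware paths named in the description (loginUserFromKeytabAndReturnUGI and getUGIFromSubject), wired up to a HiveMetaStoreClient, as an added illustration that is not the Sentry patch under review nor code from the Sentry or Hadoop projects. The principal names, keytab path and metastore URI are assumed placeholders; the only project APIs used are the public Hadoop UserGroupInformation/SecurityUtil and Hive HiveConf/HiveMetaStoreClient methods. The point it demonstrates is that a UGI returned by either method is not the process-wide login user, so getCurrentUser() only resolves to the keytab principal inside doAs(); the example also fails fast if the UGI is not KERBEROS, which is the silent fallback to the Unix user the review describes.

```java
// Added example, not Sentry's code: make UserGroupInformation keytab-aware before
// HiveMetaStoreClient is built, so getCurrentUser() inside doAs() resolves to the
// Kerberos identity from the supplied keytab rather than the local Unix user.
import java.io.IOException;
import java.security.PrivilegedExceptionAction;
import javax.security.auth.Subject;

import org.apache.hadoop.hive.conf.HiveConf;
import org.apache.hadoop.hive.metastore.HiveMetaStoreClient;
import org.apache.hadoop.security.SecurityUtil;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.security.UserGroupInformation.AuthenticationMethod;

public final class KeytabAwareHmsClient {

  private KeytabAwareHmsClient() {}

  /** HiveConf for a SASL/Kerberos metastore connection (values are assumed placeholders). */
  static HiveConf hmsConf(String metastoreUris, String hmsPrincipal) {
    HiveConf hiveConf = new HiveConf();
    hiveConf.setVar(HiveConf.ConfVars.METASTOREURIS, metastoreUris);
    hiveConf.setBoolVar(HiveConf.ConfVars.METASTORE_USE_THRIFT_SASL, true);
    hiveConf.setVar(HiveConf.ConfVars.METASTORE_KERBEROS_PRINCIPAL, hmsPrincipal);
    // Without this UGI stays in SIMPLE mode and silently uses the OS user.
    hiveConf.set("hadoop.security.authentication", "kerberos");
    UserGroupInformation.setConfiguration(hiveConf);
    return hiveConf;
  }

  /** Path 1: log in from the keytab. The returned UGI is NOT the static login user. */
  static UserGroupInformation ugiFromKeytab(String principalConf, String keytab)
      throws IOException {
    // Expand _HOST in e.g. "sentry/_HOST@EXAMPLE.COM" to the local FQDN.
    String principal = SecurityUtil.getServerPrincipal(principalConf, (String) null);
    UserGroupInformation ugi =
        UserGroupInformation.loginUserFromKeytabAndReturnUGI(principal, keytab);
    requireKerberos(ugi);
    return ugi;
  }

  /** Path 2: the service already holds a JAAS Subject from its own LoginContext. */
  static UserGroupInformation ugiFromSubject(Subject kerberosSubject) throws IOException {
    UserGroupInformation ugi = UserGroupInformation.getUGIFromSubject(kerberosSubject);
    requireKerberos(ugi);
    return ugi;
  }

  /** Fail fast instead of letting a SIMPLE (Unix-user) UGI reach the metastore. */
  static void requireKerberos(UserGroupInformation ugi) throws IOException {
    if (ugi.getAuthenticationMethod() != AuthenticationMethod.KERBEROS) {
      throw new IOException("UGI " + ugi.getUserName() + " is " + ugi.getAuthenticationMethod()
          + ", not KERBEROS; HMS calls would run as the local Unix user");
    }
  }

  /**
   * Open the client inside doAs(). Outside doAs(), getCurrentUser() still falls back
   * to the process login user / OS user, which is exactly the failure in the review.
   */
  static HiveMetaStoreClient connect(final UserGroupInformation ugi, final HiveConf hiveConf)
      throws IOException, InterruptedException {
    // Long-running follower: renew the TGT before it expires (no-op for non-keytab UGIs).
    ugi.checkTGTAndReloginFromKeytab();
    return ugi.doAs(new PrivilegedExceptionAction<HiveMetaStoreClient>() {
      @Override
      public HiveMetaStoreClient run() throws Exception {
        // Here getCurrentUser() is the keytab principal, so SASL/GSSAPI uses its TGT.
        return new HiveMetaStoreClient(hiveConf);
      }
    });
  }

  public static void main(String[] args) throws Exception {
    // Assumed URI, principals and keytab path for illustration only.
    HiveConf hiveConf = hmsConf("thrift://hms.example.com:9083", "hive/_HOST@EXAMPLE.COM");
    UserGroupInformation ugi =
        ugiFromKeytab("sentry/_HOST@EXAMPLE.COM", "/var/run/sentry/sentry.keytab");
    HiveMetaStoreClient client = connect(ugi, hiveConf);
    try {
      System.out.println(client.getAllDatabases());
    } finally {
      client.close();
    }
  }
}
```

The SASL handshake happens when the Thrift transport is opened in the constructor, so that call is the one that must run under doAs(); any reconnect logic should be wrapped the same way. ugiFromSubject() matches the review's plan of reusing the Subject HMSFollower already logs in with; in that case TGT renewal stays with whoever owns the LoginContext, since checkTGTAndReloginFromKeytab() only acts on UGIs created from a keytab.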