----------------------------------------------------------- This is an automatically generated e-mail. To reply, visit: https://reviews.apache.org/r/59006/#review173974 -----------------------------------------------------------
Ship it!

Ship It!

- Alexander Kolbasov


On May 4, 2017, 9:58 p.m., Vamsee Yarlagadda wrote:

>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/59006/
> -----------------------------------------------------------
>
> (Updated May 4, 2017, 9:58 p.m.)
>
>
> Review request for sentry and Alexander Kolbasov.
>
>
> Repository: sentry
>
>
> Description
> -------
>
> Looking at the code of Sentry and HiveMetaStoreClient, it looks like this
> problem has been there for a long time. But it's mostly masked by the
> restarts we are doing after the clean deployment.
>
> So during the course of initial service start, sentry and other services
> don't have any keytabs active under the local unix user, and during this time the
> log of sentry is cluttered with the above errors. But after we do a restart
> after deployment completes, the Sentry code picks up the principal that was
> activated under the "sentry" user (which users do for testing purposes) and
> thus works properly.
>
> *Ideally* the service processes shouldn't depend on the keytabs active on the
> running unix user but rather use the keytabs supplied by the startup system in
> the process directory.
>
> Looking at the code of
> [HMSFollower|https://github.com/apache/sentry/blob/sentry-ha-redesign/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/HMSFollower.java]
> we invoke the classes of Hive - HiveMetaStoreClient, which exclusively uses
> the UserGroupInformation object. And for the UserGroupInformation object to pick
> up the keytab, one should explicitly call methods like
> [loginUserFromKeytabAndReturnUGI|https://github.com/apache/hadoop/blob/61858a5c378da75aff9cde84d418af46d718d08b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/UserGroupInformation.java#L1406]
> or use
> [getUGIFromSubject|https://github.com/apache/hadoop/blob/61858a5c378da75aff9cde84d418af46d718d08b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/UserGroupInformation.java#L841].
> Since HMSFollower already logs into the keytab, we can leverage
> the method getUGIFromSubject() to make the UserGroupInformation aware of
> keytab authentication.
>
> If the UGI object is not made aware of the keytab, then the invocation of
> [UserGroupInformation#getCurrentUser|https://github.com/apache/hadoop/blob/61858a5c378da75aff9cde84d418af46d718d08b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/UserGroupInformation.java#L736-L742]
> falls back to using the Unix user.
>
> To avoid this, we need to add extra logic to HMSFollower to make
> UserGroupInformation aware of the keytab so that it uses it for
> communication with HMS.
>
>
> Diffs
> -----
>
>
> sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/HMSFollower.java
> ec8676e
>
>
> Diff: https://reviews.apache.org/r/59006/diff/1/
>
>
> Testing
> -------
>
> Successfully verified that without a keytab active on the unix user, the
> program was successfully able to connect to HMS using the supplied keytab.
>
>
> Thanks,
>
> Vamsee Yarlagadda
>
>
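The pattern the review request describes, as an added illustration that is not Sentry's HMSFollower code nor the patch under review: a Subject already logged in from the service keytab is wrapped with UserGroupInformation.getUGIFromSubject(), checked for Kerberos credentials, and the HiveMetaStoreClient is created inside doAs() so that getCurrentUser() resolves to the keytab principal rather than the Unix user. The class name, the caller-supplied Subject and the listDatabasesAs helper are assumptions made for the example.

```java
import java.io.IOException;
import java.security.PrivilegedExceptionAction;
import java.util.List;
import javax.security.auth.Subject;

import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.hive.conf.HiveConf;
import org.apache.hadoop.hive.metastore.HiveMetaStoreClient;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.security.UserGroupInformation.AuthenticationMethod;

/** Illustrative helper (hypothetical, not Sentry code): binds a keytab login to the UGI seen by HiveMetaStoreClient. */
public final class KeytabBoundHmsClient {

  /** Wraps a Subject the caller has already logged in from the service keytab (caller-supplied; assumption). */
  static UserGroupInformation ugiFromLoggedInSubject(Configuration hadoopConf, Subject subject) throws IOException {
    // UGI only honours Kerberos when the Hadoop configuration says so; otherwise it reports SIMPLE auth.
    hadoopConf.set("hadoop.security.authentication", "kerberos");
    UserGroupInformation.setConfiguration(hadoopConf);
    UserGroupInformation ugi = UserGroupInformation.getUGIFromSubject(subject);
    // Fail closed: if the Subject carries no Kerberos credentials, do not silently proceed as the OS user.
    if (ugi.getAuthenticationMethod() != AuthenticationMethod.KERBEROS || !ugi.hasKerberosCredentials()) {
      throw new IOException("Subject has no Kerberos credentials; refusing to fall back to the Unix user");
    }
    return ugi;
  }

  /** Alternative when this code owns the login: log in straight from the keytab path supplied by the startup system. */
  static UserGroupInformation ugiFromKeytab(Configuration hadoopConf, String principal, String keytabPath) throws IOException {
    hadoopConf.set("hadoop.security.authentication", "kerberos");
    UserGroupInformation.setConfiguration(hadoopConf);
    return UserGroupInformation.loginUserFromKeytabAndReturnUGI(principal, keytabPath);
  }

  /** Creates the metastore client inside doAs(), so getCurrentUser() in Hive's client is the keytab principal. */
  static List<String> listDatabasesAs(UserGroupInformation ugi, HiveConf hiveConf) throws IOException, InterruptedException {
    return ugi.doAs((PrivilegedExceptionAction<List<String>>) () -> {
      // Inside doAs the current user must be the UGI we supplied, never the process's Unix user.
      UserGroupInformation current = UserGroupInformation.getCurrentUser();
      if (!current.getUserName().equals(ugi.getUserName())) {
        throw new IOException("Unexpected current user: " + current.getUserName());
      }
      HiveMetaStoreClient client = new HiveMetaStoreClient(hiveConf);
      try {
        return client.getAllDatabases();
      } finally {
        client.close();
      }
    });
  }
}
```

Without the getUGIFromSubject() or loginUserFromKeytabAndReturnUGI() step, getCurrentUser() returns a UGI built from the OS login name, which is the fallback the review request describes.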