> On Jan. 28, 2019, 1:55 a.m., kalyan kumar kalvagadda wrote:
> > Idea here is to make sure that hive client knows the details of the user
> > who is sending the request. In this specific case, hive should know the
> > details of the user who running sentry service. Using
> > sentry.service.server.principal and entry.service.realm doesn’t seem
> > correct.
> >
> >
> > I have a thought.
> > ```
> > public HMSClient connect() throws IOException, InterruptedException,
> > MetaException
> > {?
> > UserGroupInformation clientUGI = null;
> > if (insecure) {?
> > clientUGI = UserGroupInformation.getCurrentUser();?
> > } else {?
> > clientUGI =
> > UserGroupInformation.getUGIFromSubject(kerberosContext.getSubject());?
> > }?
> > return new HMSClient(clientUGI.doAs(new
> > PrivilegedExceptionAction<HiveMetaStoreClient>()
> > {?
> > @Override?
> > public HiveMetaStoreClient run() throws MetaException {?
> > return new HiveMetaStoreClient(hiveConf);?
> > }?
> > }));
> > }
> >
> > ```
> > All you have additionally do is change the tests to run sentry server as
> > user “sentry”.
> >
> > Here is the sample code. I have tested it locally.
>
> Na Li wrote:
> HiveSimpleConnectionFactory is used by HMSFollower to get notifications
> from HMS server. It is not used for any other purposes in Sentry.
>
> If we following your suggestion, the user will be the login user, it
> could be "root" for one run, and "jenkins" for another run. How to make sure
> fetching notification from sentry works in your suggested approach?
>
> That is why I have this solution here. Make sure the user is "sentry" in
> insecured mode, and add "sentry" as services in HMS server.
Lina, Idea is to use the UserGroupInformation.getCurrentUser(). Please look at
the patch i sugessted. All you have to do is perform doAs() while starting the
service. I have sent you details offline.
What you are suggesting will effect the users who are using sentry in non
secure mode. Approach that i'm usggesting will address the issues with the
tests and not change the behavior.
- kalyan kumar
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/69841/#review212365
-----------------------------------------------------------
On Jan. 25, 2019, 9:07 p.m., Na Li wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/69841/
> -----------------------------------------------------------
>
> (Updated Jan. 25, 2019, 9:07 p.m.)
>
>
> Review request for sentry, Arjun Mishra, Haley Reeve, and kalyan kumar
> kalvagadda.
>
>
> Bugs: sentry-2486
> https://issues.apache.org/jira/browse/sentry-2486
>
>
> Repository: sentry
>
>
> Description
> -------
>
> In insecure mode, the current login user name is passed from Sentry to HMS
> server when sentry HMSFollower gets full snapshot from HMS.
>
> The user name should be "sentry" instead of current login user.
>
> This issue should not happen in production because secure mode is always
> used. Insecure mode is only used in test.
>
>
> Diffs
> -----
>
>
> sentry-service/sentry-service-server/src/main/java/org/apache/sentry/service/thrift/HiveSimpleConnectionFactory.java
> 31e58fd
>
> sentry-service/sentry-service-server/src/test/java/org/apache/sentry/provider/db/service/persistent/TestHMSFollower.java
> 0d62941
>
> sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hdfs/TestHDFSIntegrationBase.java
> 47f7466
>
>
> Diff: https://reviews.apache.org/r/69841/diff/1/
>
>
> Testing
> -------
>
> Tested manually and verified the user name now is "sentry" when sentry
> HMSFollower gets notifications from HMS server
>
>
> Thanks,
>
> Na Li
>
>
