> On Jan. 28, 2019, 1:55 a.m., kalyan kumar kalvagadda wrote:
> > Idea here is to make sure that hive client knows the details of the user
> > who is sending the request. In this specific case, hive should know the
> > details of the user who running sentry service. Using
> > sentry.service.server.principal and entry.service.realm doesn’t seem
> > correct.
> >
> >
> > I have a thought.
> > ```
> > public HMSClient connect() throws IOException, InterruptedException,
> > MetaException
> > {?
> > UserGroupInformation clientUGI = null;
> > if (insecure) {?
> > clientUGI = UserGroupInformation.getCurrentUser();?
> > } else {?
> > clientUGI =
> > UserGroupInformation.getUGIFromSubject(kerberosContext.getSubject());?
> > }?
> > return new HMSClient(clientUGI.doAs(new
> > PrivilegedExceptionAction<HiveMetaStoreClient>()
> > {?
> > @Override?
> > public HiveMetaStoreClient run() throws MetaException {?
> > return new HiveMetaStoreClient(hiveConf);?
> > }?
> > }));
> > }
> >
> > ```
> > All you have additionally do is change the tests to run sentry server as
> > user “sentry”.
> >
> > Here is the sample code. I have tested it locally.
>
> Na Li wrote:
> HiveSimpleConnectionFactory is used by HMSFollower to get notifications
> from HMS server. It is not used for any other purposes in Sentry.
>
> If we following your suggestion, the user will be the login user, it
> could be "root" for one run, and "jenkins" for another run. How to make sure
> fetching notification from sentry works in your suggested approach?
>
> That is why I have this solution here. Make sure the user is "sentry" in
> insecured mode, and add "sentry" as services in HMS server.
>
> kalyan kumar kalvagadda wrote:
> Lina, Idea is to use the UserGroupInformation.getCurrentUser(). Please
> look at the patch i sugessted. All you have to do is perform doAs() while
> starting the service. I have sent you details offline.
>
> What you are suggesting will effect the users who are using sentry in non
> secure mode. Approach that i'm usggesting will address the issues with the
> tests and not change the behavior.
Kalyan, your suggestion is the current code behavior without my code change.
1) Do you agree that when sentry HMS follower gets notification, the user name
should be "sentry" instead of your name, or my name?
2) If you agree above, then your suggestion of using
"UserGroupInformation.getCurrentUser()" won't work because it returns current
login name, which is your name when you run the test, and my name if I run the
test, or Jenkins name name if it runs on build machine.
3) When we have read authorization, HMS needs to check if the user has read
access to the metadata or if user is service users.
3.1) If your approach is used, how do we write a test for read authorization?
We don't know what user name to configure as service user, or give read access.
3.2) If my approach is used, we can add "sentry" as service user in test to
pass read authorization, and sentry can get notifications
- Na
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/69841/#review212365
-----------------------------------------------------------
On Jan. 25, 2019, 9:07 p.m., Na Li wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/69841/
> -----------------------------------------------------------
>
> (Updated Jan. 25, 2019, 9:07 p.m.)
>
>
> Review request for sentry, Arjun Mishra, Haley Reeve, and kalyan kumar
> kalvagadda.
>
>
> Bugs: sentry-2486
> https://issues.apache.org/jira/browse/sentry-2486
>
>
> Repository: sentry
>
>
> Description
> -------
>
> In insecure mode, the current login user name is passed from Sentry to HMS
> server when sentry HMSFollower gets full snapshot from HMS.
>
> The user name should be "sentry" instead of current login user.
>
> This issue should not happen in production because secure mode is always
> used. Insecure mode is only used in test.
>
>
> Diffs
> -----
>
>
> sentry-service/sentry-service-server/src/main/java/org/apache/sentry/service/thrift/HiveSimpleConnectionFactory.java
> 31e58fd
>
> sentry-service/sentry-service-server/src/test/java/org/apache/sentry/provider/db/service/persistent/TestHMSFollower.java
> 0d62941
>
> sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hdfs/TestHDFSIntegrationBase.java
> 47f7466
>
>
> Diff: https://reviews.apache.org/r/69841/diff/1/
>
>
> Testing
> -------
>
> Tested manually and verified the user name now is "sentry" when sentry
> HMSFollower gets notifications from HMS server
>
>
> Thanks,
>
> Na Li
>
>
