Alexander Kolbasov created SENTRY-1766:
------------------------------------------
Summary: Generic model clients using kerberos can no longer
connect to Sentry server
Key: SENTRY-1766
URL: https://issues.apache.org/jira/browse/SENTRY-1766
Project: Sentry
Issue Type: Sub-task
Components: Sentry
Affects Versions: sentry-ha-redesign
Reporter: Alexander Kolbasov
Assignee: Vamsee Yarlagadda
Fix For: sentry-ha-redesign
We noticed that Solr can no longer connect to Sentry when Kerberos is in the
picture and we get {{GSSException: No valid credentials provided}}.
The old code used to do:
{code}
kerberos = ServerConfig.SECURITY_MODE_KERBEROS.equalsIgnoreCase(
conf.get(ServerConfig.SECURITY_MODE,
ServerConfig.SECURITY_MODE_KERBEROS).trim());
transport = new TSocket(serverAddress.getHostName(),
serverAddress.getPort(), connectionTimeout);
if (kerberos) {
String serverPrincipal =
Preconditions.checkNotNull(conf.get(ServerConfig.PRINCIPAL),
ServerConfig.PRINCIPAL + " is required");
// since the client uses hadoop-auth, we need to set kerberos in
// hadoop-auth if we plan to use kerberos
conf.set(HADOOP_SECURITY_AUTHENTICATION,
ServerConfig.SECURITY_MODE_KERBEROS);
{code}
But SENTRY-1593 changed it to
{code}
//TODO(kalyan) need to find appropriate place to add it
// if (kerberos) {
// // since the client uses hadoop-auth, we need to set kerberos in
// // hadoop-auth if we plan to use kerberos
// conf.set(HADOOP_SECURITY_AUTHENTICATION,
SentryConstants.KERBEROS_MoODE);
// }
{code}
So the relevant part of the code is commented out.
--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
