Re: Review Request 47569: SENTRY-1265: Sentry service should not require a TGT as it is not talking to other kerberos services as a client

[Lenni Kuff]

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/47569/#review134199
---


Ship it!




- Lenni Kuff


On May 20, 2016, 12:08 a.m., Sravya Tirukkovalur wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/47569/
> ---
> 
> (Updated May 20, 2016, 12:08 a.m.)
> 
> 
> Review request for sentry, Hao Hao and Lenni Kuff.
> 
> 
> Repository: sentry
> 
> 
> Description
> ---
> 
> As part of renewThread we are logging out the subject and relogging in. This 
> is causing a client request to fail if it happens in this logout -login 
> window.
> As only TGT needs renewal, we should never run the renewThread in Sentry 
> given that Sentry never is a Kerberos Client to other Kerberos Services.
> 
> 
> Diffs
> -
> 
>   
> sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/SentryKerberosContext.java
>  93481cb32cb0d6743cfbc8dc7655ea6fcdf12d13 
>   
> sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/SentryService.java
>  d8edf93771b29e1d2a0a533fd6a8b5772af1e6d0 
>   
> sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/ServiceConstants.java
>  42eb1bbe5ccbf0e28dcabc6655eb50dfbbd1ec23 
>   
> sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/generic/service/thrift/SentryGenericServiceIntegrationBase.java
>  cec925b695142b409dfaf1db859e7eb267cd1f65 
>   
> sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/generic/service/thrift/TestAuditLogForSentryGenericService.java
>  c3adacf52216b4ce331dbb92a06064ccd26aa043 
>   
> sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestConnectionWithTicketTimeout.java
>  e204099d81e10d3f0ce8aab2796d020df1712e2c 
>   
> sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryServiceClientPool.java
>  e5285bd0a760bdcc7fe27e6af96d80ebc51d7dad 
>   
> sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryServiceFailureCase.java
>  a453ff3237662d4f45902473392f0d07b36bacea 
>   
> sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/tools/TestSentryShellHive.java
>  21dfa0f1475461b989aa89123bf19645d2fce52a 
>   
> sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/service/thrift/SentryServiceIntegrationBase.java
>  14de0fac6a4a6cc25b36a65c4a7f02dd6fc135e9 
> 
> Diff: https://reviews.apache.org/r/47569/diff/
> 
> 
> Testing
> ---
> 
> Updated test TestConnectionWithTicketTimeout to make sure client is able to 
> connect after max.life.time
> 
> 
> Thanks,
> 
> Sravya Tirukkovalur
> 
>

Re: Review Request 47569: SENTRY-1265: Sentry service should not require a TGT as it is not talking to other kerberos services as a client

[Sravya Tirukkovalur]

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/47569/
---

(Updated May 20, 2016, 12:08 a.m.)


Review request for sentry, Hao Hao and Lenni Kuff.


Changes
---

As part of this patch, I am doing a UGI kerberos keytab based login in 
SentryServiceIntegrationBase, as this base class is used by many other tests, 
had to fix some issues there. Mainly, SentryConfigToolSolr is using a 
UGI.getLoggedinUser() which was previously just getting 
System.get("user.name"). Now that we are logging in "hive" user using UGI, this 
user needs to be part of admin group instead of System.get("user.name"). Made 
those changes and tested them locally. Also, one of the exceptions is now 
wrapped in a RunTimeException in UGI, so changed that test case as well. As I 
was working on this, I realized there is more clean up to do in these tests, 
but would like to keep this patch minimal, hence filed follow on jiras for more 
test changes: runTestAsSubject in SentryServiceIntegration is used 
unnecessarily in many tests(SENTRY-1281), TestAuditLogForSentryGenericService 
can extend SentryGenericServiceIntegrationBase(SENTRY-1280)


Repository: sentry


Description
---

As part of renewThread we are logging out the subject and relogging in. This is 
causing a client request to fail if it happens in this logout -login window.
As only TGT needs renewal, we should never run the renewThread in Sentry given 
that Sentry never is a Kerberos Client to other Kerberos Services.


Diffs (updated)
-

  
sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/SentryKerberosContext.java
 93481cb32cb0d6743cfbc8dc7655ea6fcdf12d13 
  
sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/SentryService.java
 d8edf93771b29e1d2a0a533fd6a8b5772af1e6d0 
  
sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/ServiceConstants.java
 42eb1bbe5ccbf0e28dcabc6655eb50dfbbd1ec23 
  
sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/generic/service/thrift/SentryGenericServiceIntegrationBase.java
 cec925b695142b409dfaf1db859e7eb267cd1f65 
  
sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/generic/service/thrift/TestAuditLogForSentryGenericService.java
 c3adacf52216b4ce331dbb92a06064ccd26aa043 
  
sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestConnectionWithTicketTimeout.java
 e204099d81e10d3f0ce8aab2796d020df1712e2c 
  
sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryServiceClientPool.java
 e5285bd0a760bdcc7fe27e6af96d80ebc51d7dad 
  
sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryServiceFailureCase.java
 a453ff3237662d4f45902473392f0d07b36bacea 
  
sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/tools/TestSentryShellHive.java
 21dfa0f1475461b989aa89123bf19645d2fce52a 
  
sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/service/thrift/SentryServiceIntegrationBase.java
 14de0fac6a4a6cc25b36a65c4a7f02dd6fc135e9 

Diff: https://reviews.apache.org/r/47569/diff/


Testing
---

Updated test TestConnectionWithTicketTimeout to make sure client is able to 
connect after max.life.time


Thanks,

Sravya Tirukkovalur

Review Request 47569: SENTRY-1265: Sentry service should not require a TGT as it is not talking to other kerberos services as a client

[Sravya Tirukkovalur]

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/47569/
---

Review request for sentry.


Repository: sentry


Description
---

As part of renewThread we are logging out the subject and relogging in. This is 
causing a client request to fail if it happens in this logout -login window.
As only TGT needs renewal, we should never run the renewThread in Sentry given 
that Sentry never is a Kerberos Client to other Kerberos Services.


Diffs
-

  
sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/SentryKerberosContext.java
 93481cb32cb0d6743cfbc8dc7655ea6fcdf12d13 
  
sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/SentryService.java
 d8edf93771b29e1d2a0a533fd6a8b5772af1e6d0 
  
sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/ServiceConstants.java
 42eb1bbe5ccbf0e28dcabc6655eb50dfbbd1ec23 
  
sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/generic/service/thrift/SentryGenericServiceIntegrationBase.java
 cec925b695142b409dfaf1db859e7eb267cd1f65 
  
sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/generic/service/thrift/TestAuditLogForSentryGenericService.java
 c3adacf52216b4ce331dbb92a06064ccd26aa043 
  
sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestConnectionWithTicketTimeout.java
 e204099d81e10d3f0ce8aab2796d020df1712e2c 
  
sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryServiceClientPool.java
 e5285bd0a760bdcc7fe27e6af96d80ebc51d7dad 
  
sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/service/thrift/SentryServiceIntegrationBase.java
 14de0fac6a4a6cc25b36a65c4a7f02dd6fc135e9 

Diff: https://reviews.apache.org/r/47569/diff/


Testing
---

Updated test TestConnectionWithTicketTimeout to make sure client is able to 
connect after max.life.time


Thanks,

Sravya Tirukkovalur