Re: Review Request 47569: SENTRY-1265: Sentry service should not require a TGT as it is not talking to other kerberos services as a client
--- This is an automatically generated e-mail. To reply, visit: https://reviews.apache.org/r/47569/#review134199 --- Ship it! - Lenni Kuff On May 20, 2016, 12:08 a.m., Sravya Tirukkovalur wrote: > > --- > This is an automatically generated e-mail. To reply, visit: > https://reviews.apache.org/r/47569/ > --- > > (Updated May 20, 2016, 12:08 a.m.) > > > Review request for sentry, Hao Hao and Lenni Kuff. > > > Repository: sentry > > > Description > --- > > As part of renewThread we are logging out the subject and relogging in. This > is causing a client request to fail if it happens in this logout -login > window. > As only TGT needs renewal, we should never run the renewThread in Sentry > given that Sentry never is a Kerberos Client to other Kerberos Services. > > > Diffs > - > > > sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/SentryKerberosContext.java > 93481cb32cb0d6743cfbc8dc7655ea6fcdf12d13 > > sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/SentryService.java > d8edf93771b29e1d2a0a533fd6a8b5772af1e6d0 > > sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/ServiceConstants.java > 42eb1bbe5ccbf0e28dcabc6655eb50dfbbd1ec23 > > sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/generic/service/thrift/SentryGenericServiceIntegrationBase.java > cec925b695142b409dfaf1db859e7eb267cd1f65 > > sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/generic/service/thrift/TestAuditLogForSentryGenericService.java > c3adacf52216b4ce331dbb92a06064ccd26aa043 > > sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestConnectionWithTicketTimeout.java > e204099d81e10d3f0ce8aab2796d020df1712e2c > > sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryServiceClientPool.java > e5285bd0a760bdcc7fe27e6af96d80ebc51d7dad > > sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryServiceFailureCase.java > a453ff3237662d4f45902473392f0d07b36bacea > > sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/tools/TestSentryShellHive.java > 21dfa0f1475461b989aa89123bf19645d2fce52a > > sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/service/thrift/SentryServiceIntegrationBase.java > 14de0fac6a4a6cc25b36a65c4a7f02dd6fc135e9 > > Diff: https://reviews.apache.org/r/47569/diff/ > > > Testing > --- > > Updated test TestConnectionWithTicketTimeout to make sure client is able to > connect after max.life.time > > > Thanks, > > Sravya Tirukkovalur > >
Re: Review Request 47569: SENTRY-1265: Sentry service should not require a TGT as it is not talking to other kerberos services as a client
--- This is an automatically generated e-mail. To reply, visit: https://reviews.apache.org/r/47569/ --- (Updated May 20, 2016, 12:08 a.m.) Review request for sentry, Hao Hao and Lenni Kuff. Changes --- As part of this patch, I am doing a UGI kerberos keytab based login in SentryServiceIntegrationBase, as this base class is used by many other tests, had to fix some issues there. Mainly, SentryConfigToolSolr is using a UGI.getLoggedinUser() which was previously just getting System.get("user.name"). Now that we are logging in "hive" user using UGI, this user needs to be part of admin group instead of System.get("user.name"). Made those changes and tested them locally. Also, one of the exceptions is now wrapped in a RunTimeException in UGI, so changed that test case as well. As I was working on this, I realized there is more clean up to do in these tests, but would like to keep this patch minimal, hence filed follow on jiras for more test changes: runTestAsSubject in SentryServiceIntegration is used unnecessarily in many tests(SENTRY-1281), TestAuditLogForSentryGenericService can extend SentryGenericServiceIntegrationBase(SENTRY-1280) Repository: sentry Description --- As part of renewThread we are logging out the subject and relogging in. This is causing a client request to fail if it happens in this logout -login window. As only TGT needs renewal, we should never run the renewThread in Sentry given that Sentry never is a Kerberos Client to other Kerberos Services. Diffs (updated) - sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/SentryKerberosContext.java 93481cb32cb0d6743cfbc8dc7655ea6fcdf12d13 sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/SentryService.java d8edf93771b29e1d2a0a533fd6a8b5772af1e6d0 sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/ServiceConstants.java 42eb1bbe5ccbf0e28dcabc6655eb50dfbbd1ec23 sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/generic/service/thrift/SentryGenericServiceIntegrationBase.java cec925b695142b409dfaf1db859e7eb267cd1f65 sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/generic/service/thrift/TestAuditLogForSentryGenericService.java c3adacf52216b4ce331dbb92a06064ccd26aa043 sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestConnectionWithTicketTimeout.java e204099d81e10d3f0ce8aab2796d020df1712e2c sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryServiceClientPool.java e5285bd0a760bdcc7fe27e6af96d80ebc51d7dad sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryServiceFailureCase.java a453ff3237662d4f45902473392f0d07b36bacea sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/tools/TestSentryShellHive.java 21dfa0f1475461b989aa89123bf19645d2fce52a sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/service/thrift/SentryServiceIntegrationBase.java 14de0fac6a4a6cc25b36a65c4a7f02dd6fc135e9 Diff: https://reviews.apache.org/r/47569/diff/ Testing --- Updated test TestConnectionWithTicketTimeout to make sure client is able to connect after max.life.time Thanks, Sravya Tirukkovalur
Review Request 47569: SENTRY-1265: Sentry service should not require a TGT as it is not talking to other kerberos services as a client
--- This is an automatically generated e-mail. To reply, visit: https://reviews.apache.org/r/47569/ --- Review request for sentry. Repository: sentry Description --- As part of renewThread we are logging out the subject and relogging in. This is causing a client request to fail if it happens in this logout -login window. As only TGT needs renewal, we should never run the renewThread in Sentry given that Sentry never is a Kerberos Client to other Kerberos Services. Diffs - sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/SentryKerberosContext.java 93481cb32cb0d6743cfbc8dc7655ea6fcdf12d13 sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/SentryService.java d8edf93771b29e1d2a0a533fd6a8b5772af1e6d0 sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/ServiceConstants.java 42eb1bbe5ccbf0e28dcabc6655eb50dfbbd1ec23 sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/generic/service/thrift/SentryGenericServiceIntegrationBase.java cec925b695142b409dfaf1db859e7eb267cd1f65 sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/generic/service/thrift/TestAuditLogForSentryGenericService.java c3adacf52216b4ce331dbb92a06064ccd26aa043 sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestConnectionWithTicketTimeout.java e204099d81e10d3f0ce8aab2796d020df1712e2c sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryServiceClientPool.java e5285bd0a760bdcc7fe27e6af96d80ebc51d7dad sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/service/thrift/SentryServiceIntegrationBase.java 14de0fac6a4a6cc25b36a65c4a7f02dd6fc135e9 Diff: https://reviews.apache.org/r/47569/diff/ Testing --- Updated test TestConnectionWithTicketTimeout to make sure client is able to connect after max.life.time Thanks, Sravya Tirukkovalur