SENTRY-2486: Wrong user name when sentry HMSFollower gets full snapshot from HMS at insecure mode (Na Li, reviewed by Arjun Mishra, Kalyan Kumar Kalvagadda)
diff --git a/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/service/thrift/HiveSimpleConnectionFactory.java b/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/service/thrift/HiveSimpleConnectionFactory.java
index 31e58fd..f57175c 100644
--- a/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/service/thrift/HiveSimpleConnectionFactory.java
+++ b/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/service/thrift/HiveSimpleConnectionFactory.java
@@ -76,6 +76,7 @@
return;
}
+ LOGGER.info("Using secured connection to HMS");
int port = conf.getInt(ServerConfig.RPC_PORT, ServerConfig.RPC_PORT_DEFAULT);
String rawPrincipal = Preconditions.checkNotNull(conf.get(ServerConfig.PRINCIPAL),
"%s is required", ServerConfig.PRINCIPAL);
@@ -106,11 +107,14 @@
* @throws MetaException if other errors happened
*/
public HMSClient connect() throws IOException, InterruptedException, MetaException {
+ UserGroupInformation clientUGI;
+
if (insecure) {
- return new HMSClient(new HiveMetaStoreClient(hiveConf));
- }
- UserGroupInformation clientUGI =
+ clientUGI = UserGroupInformation.getCurrentUser();
+ } else {
+ clientUGI =
UserGroupInformation.getUGIFromSubject(kerberosContext.getSubject());
+ }
return new HMSClient(clientUGI.doAs(new PrivilegedExceptionAction<HiveMetaStoreClient>() {
@Override
public HiveMetaStoreClient run() throws MetaException {
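Review bot: On the insecure path the identity is now whatever `UserGroupInformation.getCurrentUser()` returns on the calling thread, which includes an enclosing doAs() identity when the caller has one, so the user name HMS sees depends on the caller's context rather than being fixed; neither the hunk nor the visible Javadoc records this. Add a comment on the new assignment, `// Insecure mode: run as the thread's current UGI (or the caller's doAs identity, if any) so HMS sees that user name`, and extend the connect() Javadoc with one sentence saying that in insecure mode the client is created under the current UGI whereas in secure mode it is created from the Kerberos subject. The connect() body and its Javadoc continue outside the hunk.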
diff --git a/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/provider/db/service/persistent/TestHMSFollower.java b/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/provider/db/service/persistent/TestHMSFollower.java
index 0d62941..310cf6a 100644
--- a/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/provider/db/service/persistent/TestHMSFollower.java
+++ b/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/provider/db/service/persistent/TestHMSFollower.java
@@ -53,6 +53,7 @@
import org.apache.sentry.core.common.utils.PubSub;
import org.apache.sentry.core.common.utils.SentryConstants;
import org.apache.sentry.hdfs.UniquePathsUpdate;
+import org.apache.sentry.service.common.ServiceConstants.ServerConfig;
import org.apache.sentry.service.thrift.SentryHMSClient;
import org.apache.sentry.service.thrift.HiveConnectionFactory;
import org.apache.sentry.service.thrift.HiveSimpleConnectionFactory;
@@ -85,6 +86,7 @@
@BeforeClass
public static void setup() throws IOException, LoginException {
+ configuration.set(ServerConfig.PRINCIPAL, "sentry/_HOST@TEST.COM");
hiveConnectionFactory = new HiveSimpleConnectionFactory(configuration, new HiveConf());
hiveConnectionFactory.init();
configuration.set("sentry.hive.sync.create", "true");
diff --git a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hdfs/TestHDFSIntegrationBase.java b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hdfs/TestHDFSIntegrationBase.java
index 47f7466..4c09e68 100644
--- a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hdfs/TestHDFSIntegrationBase.java
+++ b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hdfs/TestHDFSIntegrationBase.java
@@ -193,6 +193,7 @@
protected static File policyFileLocation;
protected static UserGroupInformation adminUgi;
protected static UserGroupInformation hiveUgi;
+ protected static UserGroupInformation sentryUgi;
// Variables which are used for cleanup after test
// Please set these values in each test
@@ -520,6 +521,9 @@
hiveUgi = UserGroupInformation.createUserForTesting(
"hive", new String[] { "hive" });
+ sentryUgi = UserGroupInformation.createUserForTesting(
+ "sentry", new String[] { "sentry" });
+
// Create SentryService and its internal objects.
// Set Sentry port
createSentry();
@@ -579,7 +583,8 @@
// on the storage.
hiveConf.set("hive.metastore.authorization.storage.checks", "true");
hiveConf.set("hive.metastore.uris", "thrift://localhost:" + hmsPort);
- hiveConf.set("sentry.metastore.service.users", "hive");// queries made by hive user (beeline) skip meta store check
+ // queries made by hive user (beeline) and sentry to HMS skip meta store check
+ hiveConf.set("sentry.metastore.service.users", "hive,sentry");
File confDir = assertCreateDir(new File(baseDir, "etc"));
File hiveSite = new File(confDir, "hive-site.xml");
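Review bot: The `sentry.metastore.service.users` value is assembled in two places with the same literal "hive,sentry" (here and again in the next hunk of this file, after the `hive.server2.session.hook` line) with an identical comment on each; since the comment says accounts on this list skip the metastore check, the two copies should not be able to drift apart. Hoist it into one constant, e.g. `private static final String METASTORE_SERVICE_USERS = "hive,sentry";`, and pass it to both `hiveConf.set(...)` calls. The enclosing method continues outside the hunk.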
@@ -662,7 +667,8 @@
hiveConf.set("hive.metastore.event.message.factory", "org.apache.sentry.binding.metastore.messaging.json.SentryJSONMessageFactory");
hiveConf.set("hive.security.authorization.task.factory", "org.apache.sentry.binding.hive.SentryHiveAuthorizationTaskFactoryImpl");
hiveConf.set("hive.server2.session.hook", "org.apache.sentry.binding.hive.HiveAuthzBindingSessionHook");
- hiveConf.set("sentry.metastore.service.users", "hive");// queries made by hive user (beeline) skip meta store check
+ // queries made by hive user (beeline) and sentry to HMS skip meta store check
+ hiveConf.set("sentry.metastore.service.users", "hive,sentry");
// make sure metastore calls sentry post event listener
hiveConf.set("hive.metastore.event.listeners", "org.apache.sentry.binding.metastore.SentrySyncHMSNotificationsPostEventListener");
@@ -852,7 +858,7 @@
}
SentryHDFSServiceClientFactory.factoryReset();
try {
- hiveUgi.doAs(new PrivilegedExceptionAction() {
+ sentryUgi.doAs(new PrivilegedExceptionAction() {
@Override
public Void run() throws Exception {
sentryServer.startAll();
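Review bot: The rewritten `sentryUgi.doAs(new PrivilegedExceptionAction() {` line keeps a raw `PrivilegedExceptionAction`, while the sibling call in createSentry() in the next hunk is parameterized as `PrivilegedExceptionAction<Void>`; since the line is being touched anyway, parameterize it to match and drop the unchecked warning: `sentryUgi.doAs(new PrivilegedExceptionAction<Void>() {`. The run() override below already returns Void, so nothing else changes. The enclosing method starts and ends outside the hunk.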
@@ -869,10 +875,11 @@
private static void createSentry() throws Exception {
try {
- hiveUgi.doAs(new PrivilegedExceptionAction<Void>() {
+ sentryUgi.doAs(new PrivilegedExceptionAction<Void>() {
@Override
public Void run() throws Exception {
sentryConf.set(SENTRY_HDFS_INTEGRATION_PATH_PREFIXES, MANAGED_PREFIXES);
+ sentryProperties.put(ServerConfig.PRINCIPAL, "sentry/_HOST@TEST.COM");
sentryProperties.put(HiveServerFactory.AUTHZ_PROVIDER_BACKEND,
SimpleDBProviderBackend.class.getName());
sentryProperties.put(ConfVars.HIVE_AUTHORIZATION_TASK_FACTORY.varname,
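Review bot: The principal `sentry/_HOST@TEST.COM` is set here (and again with the same literal in TestHMSFollower.setup()) without a comment explaining why a Kerberos principal must be configured for a test whose identities come from createUserForTesting; presumably something in the server or connection-factory startup requires the key to be present, but that is not visible here. Add a one-line comment stating the reason, e.g. `// ServerConfig.PRINCIPAL must be present at startup even though the test runs with simple auth`, adjusted to the actual cause, and consider sharing the literal through one test constant so the two copies cannot drift. createSentry()'s body continues outside the hunk.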