sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/service/thrift/SentryGenericServiceClientFactory.java - sentry - Git at Google

 /**
  * Licensed to the Apache Software Foundation (ASF) under one
  * or more contributor license agreements.  See the NOTICE file
  * distributed with this work for additional information
  * regarding copyright ownership.  The ASF licenses this file
  * to you under the Apache License, Version 2.0 (the
  * "License"); you may not use this file except in compliance
  * with the License.  You may obtain a copy of the License at
  * <p>
  * http://www.apache.org/licenses/LICENSE-2.0
  * <p>
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
 package org.apache.sentry.provider.db.generic.service.thrift;

 import org.apache.hadoop.conf.Configuration;
 import org.apache.hadoop.security.UserGroupInformation;
 import org.apache.sentry.core.common.transport.RetryClientInvocationHandler;
 import org.apache.sentry.core.common.transport.SentryPolicyClientTransportConfig;
 import org.apache.sentry.core.common.transport.SentryTransportFactory;
 import org.apache.sentry.core.common.transport.SentryTransportPool;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;

 import javax.annotation.concurrent.ThreadSafe;
 import java.lang.reflect.Proxy;
 import java.util.concurrent.atomic.AtomicReference;

 import static org.apache.hadoop.fs.CommonConfigurationKeysPublic.HADOOP_SECURITY_AUTHENTICATION;
 import static org.apache.sentry.core.common.utils.SentryConstants.KERBEROS_MODE;

 /**
  * Produces client connection for Sentry clients using Generic model.
  * Factory is [alost] a singleton. Tests can call {@link #factoryReset()} to destroy the
  * existing factory and create a new one. This may be needed because tests modify
  * configuration and start and stop servers.
  */
 @ThreadSafe
 public final class SentryGenericServiceClientFactory {
   private static final Logger LOGGER = LoggerFactory.getLogger(SentryGenericServiceClientFactory.class);

   // Used to implement a singleton
   private static final AtomicReference<SentryGenericServiceClientFactory> clientFactory =
           new AtomicReference<>();

   private final SentryPolicyClientTransportConfig transportConfig =
           new SentryPolicyClientTransportConfig();
   private final SentryTransportPool transportPool;
   private final Configuration conf;

   /**
    * Obtain an Generic policy client instance.
    * @param conf Configuration that should be used. Configuration is only used for the
    *             initial creation and ignored afterwords.
    */
   public static SentryGenericServiceClient create(Configuration conf) throws Exception {
     SentryGenericServiceClientFactory factory = clientFactory.get();
     if (factory != null) {
       return factory.create();
     }
     factory = new SentryGenericServiceClientFactory(conf);
     boolean ok = clientFactory.compareAndSet(null, factory);
     if (ok) {
       return factory.create();
     }
     factory.close();
     return clientFactory.get().create();
   }

   /**
    * Create a new factory instance and atach it to a connection pool instance.
    * @param conf Configuration
    */
   private SentryGenericServiceClientFactory(Configuration conf) {
     Configuration clientConf = conf;

     // When kerberos is enabled,  UserGroupInformation should have been initialized with
     // HADOOP_SECURITY_AUTHENTICATION property. There are instances where this is not done.
     // Instead of depending on the callers to update this configuration and to be
     // sure that UserGroupInformation is properly initialized, sentry client is explicitly
     // doing it.
     //
     // This whole piece of code is a bit ugly but we want to avoid doing this in the transport
     // code during connection establishment, so we are doing it upfront here instead.
     boolean useKerberos = transportConfig.isKerberosEnabled(conf);

     if (useKerberos) {
       LOGGER.info("Using Kerberos authentication");
       String authMode = conf.get(HADOOP_SECURITY_AUTHENTICATION, "");
       if (authMode != KERBEROS_MODE) {
         // Force auth mode to be Kerberos
         clientConf = new Configuration(conf);
         clientConf.set(HADOOP_SECURITY_AUTHENTICATION, KERBEROS_MODE);
       }
     }

     this.conf = clientConf;

     boolean useUGI = transportConfig.useUserGroupInformation(conf);

     if (useUGI) {
       LOGGER.info("Using UserGroupInformation authentication");
       UserGroupInformation.setConfiguration(this.conf);
     }

     transportPool = new SentryTransportPool(conf, transportConfig,
             new SentryTransportFactory(conf, transportConfig));
   }

   /**
    * Create a new client connection to the server for Generic model clients
    * @return client instance
    * @throws Exception if something goes wrong
    */
   private SentryGenericServiceClient create() throws Exception {
     return (SentryGenericServiceClient) Proxy
       .newProxyInstance(SentryGenericServiceClientDefaultImpl.class.getClassLoader(),
         SentryGenericServiceClientDefaultImpl.class.getInterfaces(),
         new RetryClientInvocationHandler(conf,
           new SentryGenericServiceClientDefaultImpl(conf, transportPool), transportConfig));
   }

   // Should only be used by tests.
   // Resets the factory and destroys any pooled connections
   public static void factoryReset() {
     LOGGER.debug("factory reset");
     SentryGenericServiceClientFactory factory = clientFactory.getAndSet(null);
     if (factory != null) {
       try {
         factory.transportPool.close();
       } catch (Exception e) {
         LOGGER.error("failed to close transport pool", e);
       }
     }
   }

   void close() {
     try {
       transportPool.close();
     } catch (Exception e) {
       LOGGER.error("failed to close transport pool", e);
     }
   }
 }
	/**
	* Licensed to the Apache Software Foundation (ASF) under one
	* or more contributor license agreements. See the NOTICE file
	* distributed with this work for additional information
	* regarding copyright ownership. The ASF licenses this file
	* to you under the Apache License, Version 2.0 (the
	* "License"); you may not use this file except in compliance
	* with the License. You may obtain a copy of the License at
	* <p>
	* http://www.apache.org/licenses/LICENSE-2.0
	* <p>
	* Unless required by applicable law or agreed to in writing, software
	* distributed under the License is distributed on an "AS IS" BASIS,
	* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
	* See the License for the specific language governing permissions and
	* limitations under the License.
	*/
	package org.apache.sentry.provider.db.generic.service.thrift;

	import org.apache.hadoop.conf.Configuration;
	import org.apache.hadoop.security.UserGroupInformation;
	import org.apache.sentry.core.common.transport.RetryClientInvocationHandler;
	import org.apache.sentry.core.common.transport.SentryPolicyClientTransportConfig;
	import org.apache.sentry.core.common.transport.SentryTransportFactory;
	import org.apache.sentry.core.common.transport.SentryTransportPool;
	import org.slf4j.Logger;
	import org.slf4j.LoggerFactory;

	import javax.annotation.concurrent.ThreadSafe;
	import java.lang.reflect.Proxy;
	import java.util.concurrent.atomic.AtomicReference;

	import static org.apache.hadoop.fs.CommonConfigurationKeysPublic.HADOOP_SECURITY_AUTHENTICATION;
	import static org.apache.sentry.core.common.utils.SentryConstants.KERBEROS_MODE;

	/**
	* Produces client connection for Sentry clients using Generic model.
	* Factory is [alost] a singleton. Tests can call {@link #factoryReset()} to destroy the
	* existing factory and create a new one. This may be needed because tests modify
	* configuration and start and stop servers.
	*/
	@ThreadSafe
	public final class SentryGenericServiceClientFactory {
	private static final Logger LOGGER = LoggerFactory.getLogger(SentryGenericServiceClientFactory.class);

	// Used to implement a singleton
	private static final AtomicReference<SentryGenericServiceClientFactory> clientFactory =
	new AtomicReference<>();

	private final SentryPolicyClientTransportConfig transportConfig =
	new SentryPolicyClientTransportConfig();
	private final SentryTransportPool transportPool;
	private final Configuration conf;

	/**
	* Obtain an Generic policy client instance.
	* @param conf Configuration that should be used. Configuration is only used for the
	* initial creation and ignored afterwords.
	*/
	public static SentryGenericServiceClient create(Configuration conf) throws Exception {
	SentryGenericServiceClientFactory factory = clientFactory.get();
	if (factory != null) {
	return factory.create();
	}
	factory = new SentryGenericServiceClientFactory(conf);
	boolean ok = clientFactory.compareAndSet(null, factory);
	if (ok) {
	return factory.create();
	}
	factory.close();
	return clientFactory.get().create();
	}

	/**
	* Create a new factory instance and atach it to a connection pool instance.
	* @param conf Configuration
	*/
	private SentryGenericServiceClientFactory(Configuration conf) {
	Configuration clientConf = conf;

	// When kerberos is enabled, UserGroupInformation should have been initialized with
	// HADOOP_SECURITY_AUTHENTICATION property. There are instances where this is not done.
	// Instead of depending on the callers to update this configuration and to be
	// sure that UserGroupInformation is properly initialized, sentry client is explicitly
	// doing it.
	//
	// This whole piece of code is a bit ugly but we want to avoid doing this in the transport
	// code during connection establishment, so we are doing it upfront here instead.
	boolean useKerberos = transportConfig.isKerberosEnabled(conf);

	if (useKerberos) {
	LOGGER.info("Using Kerberos authentication");
	String authMode = conf.get(HADOOP_SECURITY_AUTHENTICATION, "");
	if (authMode != KERBEROS_MODE) {
	// Force auth mode to be Kerberos
	clientConf = new Configuration(conf);
	clientConf.set(HADOOP_SECURITY_AUTHENTICATION, KERBEROS_MODE);
	}
	}

	this.conf = clientConf;

	boolean useUGI = transportConfig.useUserGroupInformation(conf);

	if (useUGI) {
	LOGGER.info("Using UserGroupInformation authentication");
	UserGroupInformation.setConfiguration(this.conf);
	}

	transportPool = new SentryTransportPool(conf, transportConfig,
	new SentryTransportFactory(conf, transportConfig));
	}

	/**
	* Create a new client connection to the server for Generic model clients
	* @return client instance
	* @throws Exception if something goes wrong
	*/
	private SentryGenericServiceClient create() throws Exception {
	return (SentryGenericServiceClient) Proxy
	.newProxyInstance(SentryGenericServiceClientDefaultImpl.class.getClassLoader(),
	SentryGenericServiceClientDefaultImpl.class.getInterfaces(),
	new RetryClientInvocationHandler(conf,
	new SentryGenericServiceClientDefaultImpl(conf, transportPool), transportConfig));
	}

	// Should only be used by tests.
	// Resets the factory and destroys any pooled connections
	public static void factoryReset() {
	LOGGER.debug("factory reset");
	SentryGenericServiceClientFactory factory = clientFactory.getAndSet(null);
	if (factory != null) {
	try {
	factory.transportPool.close();
	} catch (Exception e) {
	LOGGER.error("failed to close transport pool", e);
	}
	}
	}

	void close() {
	try {
	transportPool.close();
	} catch (Exception e) {
	LOGGER.error("failed to close transport pool", e);
	}
	}
	}