Sentry / SENTRY-872 Uber jira for HMS HA + Sentry HA redesign / SENTRY-1619

Fix the secure HMS connection code in HMSFollower


    Details

    • Type: Sub-task
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 2.0.0
    • Component/s: Hdfs Plugin
    • Labels: None

      Description

      This code in HMSFollower has bugs in its implementation logic that are preventing a secure HMS connection from taking place.

      String principal, keytab;

      //TODO: Is this the right(standard) way to create a HMS client? HiveMetastoreClientFactoryImpl?
      //TODO: Check if HMS is using kerberos instead of relying on Sentry conf
      //TODO: Handle TGT renewals
      kerberos = ServiceConstants.ServerConfig.SECURITY_MODE_KERBEROS.equalsIgnoreCase(
          conf.get(ServiceConstants.ServerConfig.SECURITY_MODE, ServiceConstants.ServerConfig.SECURITY_MODE_KERBEROS).trim());
      if (kerberos) {
        LOGGER.info("Making a kerberos connection to HMS");
        //TODO: Is this needed? Use Hadoop libraries to translate the _HOST placeholder with actual hostname
        //Validate principal
        // BUG: checkNotNull is applied to the config key constant itself, not to conf.get(...) of that key,
        // so "principal" receives the key name and the configured value is never read.
        principal = Preconditions.checkNotNull(ServiceConstants.ServerConfig.PRINCIPAL,
            ServiceConstants.ServerConfig.PRINCIPAL + " is required");
        LOGGER.info("Using kerberos principal: " + principal);
        final String[] principalParts = SaslRpcServer.splitKerberosName(principal);
        Preconditions.checkArgument(principalParts.length == 3,
            "Kerberos principal should have 3 parts: " + principal);

        keytab = Preconditions.checkNotNull(conf.get(ServiceConstants.ServerConfig.KEY_TAB),
            ServiceConstants.ServerConfig.KEY_TAB + " is required");
        File keytabFile = new File(keytab);
        Preconditions.checkState(keytabFile.isFile() && keytabFile.canRead(),
            "Keytab " + keytab + " does not exist or is not readable.");
        boolean establishedKerberosContext = false;
        int attempt = 1;
        // BUG: the flag starts out false, so this loop body never executes and kerberosContext is never created.
        while(establishedKerberosContext) {
          try {
            kerberosContext = new SentryKerberosContext(principal, keytab, true);
            establishedKerberosContext = true;
            LOGGER.info("Established kerberos context, will now connect to HMS");
          } catch (LoginException e) {
            //Kerberos login failed
            if( attempt > maxRetriesForLogin ) {
              throw e;
            }
            attempt++;
          }
        }
        boolean establishedConnection = false;
        attempt = 1;
        // BUG: same inverted condition; in addition, the body never sets establishedConnection = true
        // after a successful Subject.doAs, so the loop would have no exit even with the condition fixed.
        while(establishedConnection) {
          try {
            client = Subject.doAs(kerberosContext.getSubject(), new PrivilegedExceptionAction<HiveMetaStoreClient>() {
              @Override
              public HiveMetaStoreClient run() throws Exception {
                return new HiveMetaStoreClient(hiveConf);
              }
            });
            LOGGER.info("Secure connection established with HMS");
          } catch (PrivilegedActionException e) {
            // BUG: once attempt exceeds maxRetriesForConnection the failure is only logged;
            // nothing breaks out of the loop or rethrows, so the retries are unbounded.
            if( attempt > maxRetriesForConnection ) {
              //We should just retry as it is possible that HMS is not ready yet to receive requests
              //TODO: How do we differentiate between kerberos problem versus HMS not being up?
              LOGGER.error("Cannot connect to HMS", e);
            }
            attempt++;
          }
        }
      } else {
        //This is only for testing purposes. Sentry strongly recommends strong authentication
        client = new HiveMetaStoreClient(hiveConf);
        LOGGER.info("Non secure connection established with HMS");
      }
      return client;
    }
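      As an added illustration of what a correct bounded-retry version of the loops above looks like (this is example code written for this page, not part of the issue, the attached patches, or Sentry's code base), the stand-alone Java class below keeps the shape of the original logic without its defects. The class and method names (BoundedRetry, run, required, FlakyService) and the configuration key are hypothetical, and FlakyService is a constructed stand-in for an HMS that is not yet ready; no Hive or Hadoop classes are used, so it compiles and runs on its own. It shows three things the original gets wrong or leaves open: the loop runs until the action succeeds and stops on success, the required setting is read from the configuration rather than validated against the key constant, and the TODO about telling a Kerberos problem from an HMS that is not yet up is answered by a predicate that marks only transport errors as retryable, so a login or configuration failure is surfaced on the first attempt instead of being retried or merely logged.

```java
import java.net.ConnectException;
import java.util.Properties;
import java.util.concurrent.Callable;
import java.util.function.Predicate;
import javax.security.auth.login.LoginException;

/** Hypothetical helper written for illustration; not part of Sentry. */
public final class BoundedRetry {

    /** Raised when every permitted attempt has failed; the last failure is the cause. */
    public static final class RetriesExhaustedException extends Exception {
        RetriesExhaustedException(String what, int attempts, Throwable last) {
            super(what + " failed after " + attempts + " attempt(s)", last);
        }
    }

    /**
     * Runs action until it succeeds or maxAttempts is reached. A successful call
     * returns immediately (replacing the "established" flag of the original), and an
     * exception the retryable predicate rejects is rethrown at once, so a
     * misconfiguration is never mistaken for a slow HMS start-up.
     */
    public static <T> T run(String what, int maxAttempts, long pauseMillis,
                            Predicate<Exception> retryable, Callable<T> action)
            throws Exception {
        if (maxAttempts < 1) {
            throw new IllegalArgumentException("maxAttempts must be >= 1");
        }
        Exception last = null;
        for (int attempt = 1; attempt <= maxAttempts; attempt++) {
            try {
                return action.call();                 // success: the loop ends here
            } catch (Exception e) {
                if (!retryable.test(e)) {
                    throw e;                          // fatal: fail fast, do not spin
                }
                last = e;
                if (attempt < maxAttempts && pauseMillis > 0) {
                    Thread.sleep(pauseMillis);        // give the service time to come up
                }
            }
        }
        // Budget exhausted: surface it instead of only logging and looping on.
        throw new RetriesExhaustedException(what, maxAttempts, last);
    }

    /** Reads a required setting; validates the configured VALUE, not the key constant. */
    public static String required(Properties conf, String key) {
        String value = conf.getProperty(key);
        if (value == null || value.trim().isEmpty()) {
            throw new IllegalStateException(key + " is required");
        }
        return value.trim();
    }

    /** Constructed stand-in for an HMS that refuses the first N connection attempts. */
    static final class FlakyService {
        private int remainingFailures;
        FlakyService(int failures) { this.remainingFailures = failures; }
        String connect() throws ConnectException {
            if (remainingFailures-- > 0) {
                throw new ConnectException("HMS not ready");
            }
            return "connected";
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed configuration; the key name is made up for this example.
        Properties conf = new Properties();
        conf.setProperty("example.hms.client.principal", "hms/_HOST@EXAMPLE.COM");

        String principal = required(conf, "example.hms.client.principal");
        String[] parts = principal.split("[/@]");      // the split SaslRpcServer.splitKerberosName performs
        if (parts.length != 3) {
            throw new IllegalArgumentException("Kerberos principal should have 3 parts: " + principal);
        }
        System.out.println("principal ok: " + principal);

        // HMS refuses twice, then accepts: the loop keeps going until it succeeds.
        FlakyService hms = new FlakyService(2);
        String result = run("HMS connection", 5, 0L,
                e -> e instanceof ConnectException,        // transport failures are worth retrying
                hms::connect);
        System.out.println(result);

        // A login failure is not retryable: it is rethrown on the first attempt.
        try {
            run("kerberos login", 5, 0L, e -> false,
                    () -> { throw new LoginException("bad keytab"); });
        } catch (LoginException e) {
            System.out.println("fatal, not retried: " + e.getMessage());
        }
    }
}
```

      Compile and run with `javac BoundedRetry.java && java BoundedRetry`. The retry budget and pause are parameters rather than the two fixed counters of the original, and the exception filter is the place to encode the distinction the TODO asks about: if only the HMS transport is treated as retryable, a bad keytab or principal is visible in the log immediately rather than after a long series of identical "Cannot connect to HMS" messages.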
      

        Attachments

        1. SENTRY-1619.05-sentry-ha-redesign.patch (7 kB, Vamsee K. Yarlagadda)
        2. SENTRY-1619.04-sentry-ha-redesign.patch (7 kB, Vamsee K. Yarlagadda)
        3. SENTRY-1619.03-sentry-ha-redesign.patch (7 kB, Vamsee K. Yarlagadda)
        4. SENTRY-1619.02-sentry-ha-redesign.patch (6 kB, Vamsee K. Yarlagadda)
        5. SENTRY-1619.01-sentry-ha-redesign.patch (4 kB, Vamsee K. Yarlagadda)

              People

              • Assignee: Vamsee K. Yarlagadda (vamsee)
              • Reporter: Vamsee K. Yarlagadda (vamsee)
              • Votes: 0
              • Watchers: 2
