Details
- Type: Sub-task
- Status: Resolved
- Priority: Major
- Resolution: Fixed
Description
This code in HMSFollower has bugs in its implementation logic that are preventing a secure HMS connection from taking place.
```java
String principal, keytab;
//TODO: Is this the right(standard) way to create a HMS client? HiveMetastoreClientFactoryImpl?
//TODO: Check if HMS is using kerberos instead of relying on Sentry conf
//TODO: Handle TGT renewals
kerberos = ServiceConstants.ServerConfig.SECURITY_MODE_KERBEROS.equalsIgnoreCase(
    conf.get(ServiceConstants.ServerConfig.SECURITY_MODE,
        ServiceConstants.ServerConfig.SECURITY_MODE_KERBEROS).trim());
if (kerberos) {
  LOGGER.info("Making a kerberos connection to HMS");
  //TODO: Is this needed? Use Hadoop libraries to translate the _HOST placeholder with actual hostname
  //Validate principal
  // BUG: this null-checks the config key constant itself, not the configured value;
  // the principal is never read from conf (compare the keytab lookup below).
  principal = Preconditions.checkNotNull(ServiceConstants.ServerConfig.PRINCIPAL,
      ServiceConstants.ServerConfig.PRINCIPAL + " is required");
  LOGGER.info("Using kerberos principal: " + principal);
  final String[] principalParts = SaslRpcServer.splitKerberosName(principal);
  Preconditions.checkArgument(principalParts.length == 3,
      "Kerberos principal should have 3 parts: " + principal);
  keytab = Preconditions.checkNotNull(conf.get(ServiceConstants.ServerConfig.KEY_TAB),
      ServiceConstants.ServerConfig.KEY_TAB + " is required");
  File keytabFile = new File(keytab);
  Preconditions.checkState(keytabFile.isFile() && keytabFile.canRead(),
      "Keytab " + keytab + " does not exist or is not readable.");
  boolean establishedKerberosContext = false;
  int attempt = 1;
  // BUG: the flag starts false, so this loop body never runs and no Kerberos
  // context is ever created (the condition is inverted).
  while(establishedKerberosContext) {
    try {
      kerberosContext = new SentryKerberosContext(principal, keytab, true);
      establishedKerberosContext = true;
      LOGGER.info("Established kerberos context, will now connect to HMS");
    } catch (LoginException e) {
      //Kerberos login failed
      if( attempt > maxRetriesForLogin ) {
        throw e;
      }
      attempt++;
    }
  }
  boolean establishedConnection = false;
  attempt = 1;
  // BUG: same inverted condition, so the connection is never attempted. Note also that
  // establishedConnection is never set on success, and exhausting the retries only
  // logs, so simply negating the condition would leave a loop that cannot terminate.
  while(establishedConnection) {
    try {
      client = Subject.doAs(kerberosContext.getSubject(),
          new PrivilegedExceptionAction<HiveMetaStoreClient>() {
            @Override
            public HiveMetaStoreClient run() throws Exception {
              return new HiveMetaStoreClient(hiveConf);
            }
          });
      LOGGER.info("Secure connection established with HMS");
    } catch (PrivilegedActionException e) {
      if( attempt > maxRetriesForConnection ) {
        //We should just retry as it is possible that HMS is not ready yet to receive requests
        //TODO: How do we differentiate between kerberos problem versus HMS not being up?
        LOGGER.error("Cannot connect to HMS", e);
      }
      attempt++;
    }
  }
} else {
  //This is only for testing purposes. Sentry strongly recommends strong authentication
  client = new HiveMetaStoreClient(hiveConf);
  LOGGER.info("Non secure connection established with HMS");
}
return client;
}
```
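The retry structure the snippet above is trying to implement, written out as an added, self-contained example. This is not Sentry's code and not the fix that was committed for this issue; SentryKerberosContext, HiveMetaStoreClient and Subject.doAs are replaced by hypothetical stand-in interfaces (KerberosContext, MetaStoreClient, ConnectStep) so that the control flow can be run and read without a KDC or a metastore. The two bounded loops are kept as two separate phases so that a login failure is reported distinctly from a metastore that is not up yet, which is the open question in the TODO.

```java
import java.io.IOException;
import java.util.concurrent.Callable;
import java.util.concurrent.atomic.AtomicInteger;
import javax.security.auth.login.LoginException;

public class BoundedRetryExample {

    /** Raised when the retry budget for one phase is used up; the last failure is the cause. */
    static final class RetriesExhaustedException extends Exception {
        RetriesExhaustedException(String phase, int attempts, Throwable last) {
            super(phase + " failed after " + attempts + " attempts", last);
        }
    }

    /** Hypothetical stand-ins for SentryKerberosContext and HiveMetaStoreClient. */
    interface KerberosContext { }
    interface MetaStoreClient { }

    /** The connect step runs under an established Kerberos identity (Subject.doAs in the report). */
    interface ConnectStep { MetaStoreClient connect(KerberosContext ctx) throws Exception; }

    /**
     * Run one phase until it succeeds or maxAttempts is reached.
     * Compared with the loops in the report: the loop continues only while the step has
     * NOT succeeded, success is reached by returning, and exhausting the budget throws
     * instead of logging and looping again.
     */
    static <T> T retry(String phase, int maxAttempts, long backoffMillis, Callable<T> step)
            throws RetriesExhaustedException, InterruptedException {
        Exception last = null;
        for (int attempt = 1; attempt <= maxAttempts; attempt++) {
            try {
                return step.call();
            } catch (InterruptedException e) {
                throw e;                         // never swallow interruption
            } catch (Exception e) {
                last = e;
                if (attempt < maxAttempts) {
                    Thread.sleep(backoffMillis); // give HMS (or the KDC) time to come up
                }
            }
        }
        throw new RetriesExhaustedException(phase, maxAttempts, last);
    }

    /**
     * Two separately bounded phases: Kerberos login, then the HMS connection under that
     * identity. Keeping the phases apart is what lets a keytab or principal problem be
     * told from a metastore that is simply not ready to accept requests.
     */
    static MetaStoreClient connectSecurely(Callable<KerberosContext> login, ConnectStep connect,
                                           int maxLoginAttempts, int maxConnectAttempts)
            throws RetriesExhaustedException, InterruptedException {
        KerberosContext ctx = retry("Kerberos login", maxLoginAttempts, 10, login);
        return retry("HMS connection", maxConnectAttempts, 10, () -> connect.connect(ctx));
    }

    public static void main(String[] args) throws Exception {
        // Constructed scenario 1: login works first time, HMS refuses the first two connects.
        AtomicInteger connectCalls = new AtomicInteger();
        connectSecurely(
                () -> new KerberosContext() { },
                ctx -> {
                    if (connectCalls.incrementAndGet() < 3) throw new IOException("HMS not ready");
                    return new MetaStoreClient() { };
                },
                3, 5);
        System.out.println("connected on attempt " + connectCalls.get());

        // Constructed scenario 2: the keytab is unreadable every time; the error names the login phase.
        try {
            connectSecurely(
                    () -> { throw new LoginException("keytab not readable"); },
                    ctx -> new MetaStoreClient() { },
                    3, 5);
        } catch (RetriesExhaustedException e) {
            System.out.println(e.getMessage() + " (cause: " + e.getCause().getMessage() + ")");
        }
    }
}
```

Running it prints that the first scenario connects on attempt 3 and that the second fails with "Kerberos login failed after 3 attempts", with the LoginException as the cause. The point of the shape is that each phase has one exit on success (the return) and one on failure (the throw), so the loop condition cannot be inverted and the retry budget cannot be silently ignored, which are exactly the two defects in the reported loops.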
Attachments
Issue Links
- blocks: SENTRY-1427 Test TGT renewals in HMSFollower (Resolved)
- is a clone of: SENTRY-1427 Test TGT renewals in HMSFollower (Resolved)
- is cloned by: SENTRY-1621 HMSFollower to retry connecting to HMS upon connection loss (Resolved)
- links to