[SENTRY-1766] Generic model clients using kerberos can no longer connect to Sentry server - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Sub-task
Status: Resolved
Priority: Blocker
Resolution: Duplicate
Affects Version/s: 2.0.0
Fix Version/s: 2.0.0
Component/s: Sentry
Labels:
None

Description

We noticed that Solr can no longer connect to Sentry when Kerberos is in the picture and we get GSSException: No valid credentials provided.

The old code used to do:

kerberos = ServerConfig.SECURITY_MODE_KERBEROS.equalsIgnoreCase(
        conf.get(ServerConfig.SECURITY_MODE, ServerConfig.SECURITY_MODE_KERBEROS).trim());
    transport = new TSocket(serverAddress.getHostName(),
        serverAddress.getPort(), connectionTimeout);
    if (kerberos) {
      String serverPrincipal = Preconditions.checkNotNull(conf.get(ServerConfig.PRINCIPAL), ServerConfig.PRINCIPAL + " is required");
      // since the client uses hadoop-auth, we need to set kerberos in
      // hadoop-auth if we plan to use kerberos
      conf.set(HADOOP_SECURITY_AUTHENTICATION, ServerConfig.SECURITY_MODE_KERBEROS);

But ~~SENTRY-1593~~ changed it to

//TODO(kalyan) need to find appropriate place to add it
    // if (kerberos) {
    //  // since the client uses hadoop-auth, we need to set kerberos in
    //  // hadoop-auth if we plan to use kerberos
    //  conf.set(HADOOP_SECURITY_AUTHENTICATION, SentryConstants.KERBEROS_MoODE);
    // }

So the relevant part of the code is commented out.

Attachments

Issue Links

duplicates

SENTRY-1736 Generic service client should support Kerberos

Resolved

is broken by

SENTRY-1593 Implement client failover for Generic and NN clients

Resolved

relates to

SENTRY-1736 Generic service client should support Kerberos

Resolved

Activity

People

Assignee:: Krishna Kalyan

Reporter:: Alex Kolbasov

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 13/May/17 01:01

Updated:: 24/Jul/17 14:51

Resolved:: 18/May/17 03:25