java.lang.SecurityException: class "javax.servlet.FilterRegistration"'s s

LICENSE.txt

@@ -203,7 +203,7 @@
 
 ================================================================================
 
-The Apache Sentry (incubating) distribution includes the following sources/binaries.
+The Apache Sentry distribution includes the following sources/binaries.
 The use of these sources/binaries is subject to the terms and conditions of
 their respective licenses.
 

NOTICE.txt

@@ -1,5 +1,5 @@
 Apache Sentry
-Copyright 2014 The Apache Software Foundation
+Copyright 2017 The Apache Software Foundation
 
 This product includes software developed at
 The Apache Software Foundation (http://www.apache.org/).

pom.xml

@@ -25,7 +25,7 @@ limitations under the License.
 
   <groupId>org.apache.sentry</groupId>
   <artifactId>sentry</artifactId>
-  <version>1.7.0-incubating-SNAPSHOT</version>
+  <version>1.7.1</version>
   <description>Sentry component</description>
   <name>Sentry</name>
   <packaging>pom</packaging>
@@ -43,9 +43,9 @@ limitations under the License.
   </licenses>
 
   <scm>
-    <connection>scm:git:https://git-wip-us.apache.org/repos/asf/incubator-sentry.git</connection>
-    <developerConnection>scm:git:https://git-wip-us.apache.org/repos/asf/incubator-sentry.git</developerConnection>
-    <url>https://git-wip-us.apache.org/repos/asf/incubator-sentry</url>
+    <connection>scm:git:https://git-wip-us.apache.org/repos/asf/sentry.git</connection>
+    <developerConnection>scm:git:https://git-wip-us.apache.org/repos/asf/sentry.git</developerConnection>
+    <url>https://git-wip-us.apache.org/repos/asf/sentry</url>
   </scm>
 
   <properties>
@@ -74,11 +74,11 @@ limitations under the License.
     <hive.version>1.1.0</hive.version>
     <jackson.version>1.8.8</jackson.version>
     <jdo-api.version>3.0.1</jdo-api.version>
-    <jettyVersion>7.6.16.v20140903</jettyVersion>
+    <jettyVersion>8.1.19.v20160209</jettyVersion>
     <joda-time.version>2.5</joda-time.version>
     <junit.version>4.10</junit.version>
-    <libfb303.version>0.9.2</libfb303.version>
-    <libthrift.version>0.9.2</libthrift.version>
+    <libfb303.version>0.9.3</libfb303.version>
+    <libthrift.version>0.9.3</libthrift.version>
     <log4j.version>1.2.16</log4j.version>
     <maven.antrun.plugin.version>1.7</maven.antrun.plugin.version>
     <maven.eclipse.plugin.version>2.9</maven.eclipse.plugin.version>
@@ -888,6 +888,33 @@ limitations under the License.
         <buildtools.dir>${basedir}/../../build-tools</buildtools.dir>
       </properties>
     </profile>
+    <profile>
+      <id>sign-artifacts</id>
+      <activation>
+        <property>
+          <name>sign-artifacts</name>
+          <value>true</value>
+        </property>
+      </activation>
+      <build>
+        <plugins>
+          <plugin>
+            <groupId>org.apache.maven.plugins</groupId>
+            <artifactId>maven-gpg-plugin</artifactId>
+            <version>1.6</version>
+            <executions>
+              <execution>
+                <id>sign-artifacts</id>
+                <phase>verify</phase>
+                <goals>
+                  <goal>sign</goal>
+                </goals>
+              </execution>
+            </executions>
+          </plugin>
+        </plugins>
+      </build>
+    </profile>
 
   </profiles>
 

sentry-binding/pom.xml

@@ -22,7 +22,7 @@ limitations under the License.
   <parent>
     <groupId>org.apache.sentry</groupId>
     <artifactId>sentry</artifactId>
-    <version>1.7.0-incubating-SNAPSHOT</version>
+    <version>1.7.1</version>
   </parent>
 
   <artifactId>sentry-binding</artifactId>

sentry-binding/sentry-binding-hive-common/pom.xml

@@ -22,7 +22,7 @@ limitations under the License.
   <parent>
     <groupId>org.apache.sentry</groupId>
     <artifactId>sentry-binding</artifactId>
-    <version>1.7.0-incubating-SNAPSHOT</version>
+    <version>1.7.1</version>
   </parent>
 
   <artifactId>sentry-binding-hive-common</artifactId>

sentry-binding/sentry-binding-hive-v2/pom.xml

@@ -22,7 +22,7 @@ limitations under the License.
   <parent>
     <groupId>org.apache.sentry</groupId>
     <artifactId>sentry-binding</artifactId>
-    <version>1.7.0-incubating-SNAPSHOT</version>
+    <version>1.7.1</version>
   </parent>
 
   <artifactId>sentry-binding-hive-v2</artifactId>

sentry-binding/sentry-binding-hive/pom.xml

@@ -22,7 +22,7 @@ limitations under the License.
   <parent>
     <groupId>org.apache.sentry</groupId>
     <artifactId>sentry-binding</artifactId>
-    <version>1.7.0-incubating-SNAPSHOT</version>
+    <version>1.7.1</version>
   </parent>
 
   <artifactId>sentry-binding-hive</artifactId>

sentry-binding/sentry-binding-kafka/pom.xml

@@ -23,7 +23,7 @@ limitations under the License.
   <parent>
     <groupId>org.apache.sentry</groupId>
     <artifactId>sentry-binding</artifactId>
-    <version>1.7.0-incubating-SNAPSHOT</version>
+    <version>1.7.1</version>
   </parent>
 
   <artifactId>sentry-binding-kafka</artifactId>

sentry-binding/sentry-binding-kafka/src/main/java/org/apache/sentry/kafka/authorizer/SentryKafkaAuthorizer.java

@@ -117,7 +117,7 @@ public void configure(java.util.Map<String, ?> configs) {
     }
     LOG.info("Configuring Sentry KafkaAuthorizer: " + sentry_site);
     final KafkaAuthBindingSingleton instance = KafkaAuthBindingSingleton.getInstance();
-    instance.configure(this.kafkaServiceInstanceName, this.requestorName, sentry_site);
+    instance.configure(this.kafkaServiceInstanceName, this.requestorName, sentry_site, configs);
     this.binding = instance.getAuthBinding();
   }
 

sentry-binding/sentry-binding-kafka/src/main/java/org/apache/sentry/kafka/binding/KafkaAuthBinding.java

@@ -16,6 +16,7 @@
  */
 package org.apache.sentry.kafka.binding;
 
+import java.io.IOException;
 import java.lang.reflect.Constructor;
 import java.util.ArrayList;
 import java.util.HashMap;
@@ -34,6 +35,8 @@
 import kafka.network.RequestChannel;
 import kafka.security.auth.Operation;
 import kafka.security.auth.Resource;
+import org.apache.hadoop.security.SecurityUtil;
+import org.apache.hadoop.security.UserGroupInformation;
 import org.apache.kafka.common.KafkaException;
 import org.apache.kafka.common.security.auth.KafkaPrincipal;
 import org.apache.sentry.SentryUserException;
@@ -55,6 +58,7 @@
 import org.apache.sentry.provider.db.generic.service.thrift.TAuthorizable;
 import org.apache.sentry.provider.db.generic.service.thrift.TSentryPrivilege;
 import org.apache.sentry.provider.db.generic.service.thrift.TSentryRole;
+import org.apache.sentry.service.thrift.ServiceConstants;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import scala.Option;
@@ -64,25 +68,31 @@
 import scala.collection.JavaConversions;
 import scala.collection.immutable.Map;
 
+import static org.apache.hadoop.fs.CommonConfigurationKeysPublic.HADOOP_SECURITY_AUTHENTICATION;
+
 public class KafkaAuthBinding {
 
     private static final Logger LOG = LoggerFactory.getLogger(KafkaAuthBinding.class);
     private static final String COMPONENT_TYPE = AuthorizationComponent.KAFKA;
     private static final String COMPONENT_NAME = COMPONENT_TYPE;
 
+    private static Boolean kerberosInit;
+
     private final Configuration authConf;
     private final AuthorizationProvider authProvider;
     private final KafkaActionFactory actionFactory = KafkaActionFactory.getInstance();
 
     private ProviderBackend providerBackend;
     private String instanceName;
     private String requestorName;
+    private java.util.Map<String, ?> kafkaConfigs;
 
 
-    public KafkaAuthBinding(String instanceName, String requestorName, Configuration authConf) throws Exception {
+    public KafkaAuthBinding(String instanceName, String requestorName, Configuration authConf, java.util.Map<String, ?> kafkaConfigs) throws Exception {
         this.instanceName = instanceName;
         this.requestorName = requestorName;
         this.authConf = authConf;
+        this.kafkaConfigs = kafkaConfigs;
         this.authProvider = createAuthProvider();
     }
 
@@ -118,6 +128,28 @@ private AuthorizationProvider createAuthProvider() throws Exception {
                 + providerBackendName);
         }
 
+        // Initiate kerberos via UserGroupInformation if required
+        if (ServiceConstants.ServerConfig.SECURITY_MODE_KERBEROS.equals(authConf.get(ServiceConstants.ServerConfig.SECURITY_MODE))
+                && kafkaConfigs != null) {
+            String keytabProp = kafkaConfigs.get(AuthzConfVars.AUTHZ_KEYTAB_FILE_NAME.getVar()).toString();
+            String principalProp = kafkaConfigs.get(AuthzConfVars.AUTHZ_PRINCIPAL_NAME.getVar()).toString();
+            if (keytabProp != null && principalProp != null) {
+                String actualHost = kafkaConfigs.get(AuthzConfVars.AUTHZ_PRINCIPAL_HOSTNAME.getVar()).toString();
+                if (actualHost != null) {
+                    principalProp = SecurityUtil.getServerPrincipal(principalProp, actualHost);
+                }
+                initKerberos(keytabProp, principalProp);
+            } else {
+                LOG.debug("Could not initialize Kerberos.\n" +
+                        AuthzConfVars.AUTHZ_KEYTAB_FILE_NAME.getVar() + " set to " + kafkaConfigs.get(AuthzConfVars.AUTHZ_KEYTAB_FILE_NAME.getVar()).toString() + "\n" +
+                        AuthzConfVars.AUTHZ_PRINCIPAL_NAME.getVar() + " set to " + kafkaConfigs.get(AuthzConfVars.AUTHZ_PRINCIPAL_NAME.getVar()).toString());
+            }
+        } else {
+            LOG.debug("Could not initialize Kerberos as no kafka config provided. " +
+                    AuthzConfVars.AUTHZ_KEYTAB_FILE_NAME.getVar() + " and " + AuthzConfVars.AUTHZ_PRINCIPAL_NAME.getVar() +
+                    " are required configs to be able to initialize Kerberos");
+        }
+
         // Instantiate the configured providerBackend
         Constructor<?> providerBackendConstructor =
             Class.forName(providerBackendName)
@@ -495,4 +527,36 @@ private String getName(RequestChannel.Session session) {
             return principalName;
         }
     }
+
+    /**
+     * Initialize kerberos via UserGroupInformation.  Will only attempt to login
+     * during the first request, subsequent calls will have no effect.
+     */
+    private void initKerberos(String keytabFile, String principal) {
+        if (keytabFile == null || keytabFile.length() == 0) {
+            throw new IllegalArgumentException("keytabFile required because kerberos is enabled");
+        }
+        if (principal == null || principal.length() == 0) {
+            throw new IllegalArgumentException("principal required because kerberos is enabled");
+        }
+        synchronized (KafkaAuthBinding.class) {
+            if (kerberosInit == null) {
+                kerberosInit = new Boolean(true);
+                // let's avoid modifying the supplied configuration, just to be conservative
+                final Configuration ugiConf = new Configuration();
+                ugiConf.set(HADOOP_SECURITY_AUTHENTICATION, ServiceConstants.ServerConfig.SECURITY_MODE_KERBEROS);
+                UserGroupInformation.setConfiguration(ugiConf);
+                LOG.info(
+                        "Attempting to acquire kerberos ticket with keytab: {}, principal: {} ",
+                        keytabFile, principal);
+                try {
+                    UserGroupInformation.loginUserFromKeytab(principal, keytabFile);
+                } catch (IOException ioe) {
+                    throw new RuntimeException("Failed to login user with Principal: " + principal +
+                            " and Keytab file: " + keytabFile, ioe);
+                }
+                LOG.info("Got Kerberos ticket");
+            }
+        }
+    }
 }

sentry-binding/sentry-binding-kafka/src/main/java/org/apache/sentry/kafka/binding/KafkaAuthBindingSingleton.java

@@ -18,6 +18,7 @@
 
 import java.net.MalformedURLException;
 import java.net.URL;
+import java.util.Map;
 
 import org.apache.sentry.kafka.conf.KafkaAuthConf;
 import org.slf4j.Logger;
@@ -56,10 +57,10 @@ private KafkaAuthConf loadAuthzConf(String sentry_site) {
     return kafkaAuthConf;
   }
 
-  public void configure(String instanceName, String requestorName, String sentry_site) {
+  public void configure(String instanceName, String requestorName, String sentry_site, Map<String, ?> kafkaConfigs) {
     try {
       kafkaAuthConf = loadAuthzConf(sentry_site);
-      binding = new KafkaAuthBinding(instanceName, requestorName, kafkaAuthConf);
+      binding = new KafkaAuthBinding(instanceName, requestorName, kafkaAuthConf, kafkaConfigs);
       log.info("KafkaAuthBinding created successfully");
     } catch (Exception ex) {
       log.error("Unable to create KafkaAuthBinding", ex);

sentry-binding/sentry-binding-kafka/src/main/java/org/apache/sentry/kafka/conf/KafkaAuthConf.java

@@ -30,6 +30,9 @@ public class KafkaAuthConf extends Configuration {
   public static final String KAFKA_SUPER_USERS = "kafka.superusers";
   public static final String KAFKA_SERVICE_INSTANCE_NAME = "sentry.kafka.service.instance";
   public static final String KAFKA_SERVICE_USER_NAME = "sentry.kafka.service.user.name";
+  public static final String KAFKA_PRINCIPAL_HOSTNAME = "sentry.kafka.principal.hostname";
+  public static final String KAFKA_PRINCIPAL_NAME = "sentry.kafka.kerberos.principal";
+  public static final String KAFKA_KEYTAB_FILE_NAME = "sentry.kafka.keytab.file";
 
   /**
    * Config setting definitions
@@ -40,7 +43,10 @@ public static enum AuthzConfVars {
     AUTHZ_PROVIDER_BACKEND("sentry.kafka.provider.backend", SentryGenericProviderBackend.class.getName()),
     AUTHZ_POLICY_ENGINE("sentry.kafka.policy.engine", SimpleKafkaPolicyEngine.class.getName()),
     AUTHZ_INSTANCE_NAME(KAFKA_SERVICE_INSTANCE_NAME, "kafka"),
-    AUTHZ_SERVICE_USER_NAME(KAFKA_SERVICE_USER_NAME, "kafka");
+    AUTHZ_SERVICE_USER_NAME(KAFKA_SERVICE_USER_NAME, "kafka"),
+    AUTHZ_PRINCIPAL_HOSTNAME(KAFKA_PRINCIPAL_HOSTNAME, null),
+    AUTHZ_PRINCIPAL_NAME(KAFKA_PRINCIPAL_NAME, null),
+    AUTHZ_KEYTAB_FILE_NAME(KAFKA_KEYTAB_FILE_NAME, null);
 
     private final String varName;
     private final String defaultVal;

sentry-binding/sentry-binding-solr/pom.xml

@@ -22,7 +22,7 @@ limitations under the License.
   <parent>
     <groupId>org.apache.sentry</groupId>
     <artifactId>sentry-binding</artifactId>
-    <version>1.7.0-incubating-SNAPSHOT</version>
+    <version>1.7.1</version>
   </parent>
 
   <artifactId>sentry-binding-solr</artifactId>

sentry-binding/sentry-binding-sqoop/pom.xml

@@ -22,7 +22,7 @@ limitations under the License.
   <parent>
     <groupId>org.apache.sentry</groupId>
     <artifactId>sentry-binding</artifactId>
-    <version>1.7.0-incubating-SNAPSHOT</version>
+    <version>1.7.1</version>
   </parent>
 
   <artifactId>sentry-binding-sqoop</artifactId>

sentry-core/pom.xml

@@ -21,7 +21,7 @@ limitations under the License.
   <parent>
     <groupId>org.apache.sentry</groupId>
     <artifactId>sentry</artifactId>
-    <version>1.7.0-incubating-SNAPSHOT</version>
+    <version>1.7.1</version>
   </parent>
 
   <artifactId>sentry-core</artifactId>

sentry-core/sentry-core-common/pom.xml

@@ -21,7 +21,7 @@ limitations under the License.
   <parent>
     <groupId>org.apache.sentry</groupId>
     <artifactId>sentry-core</artifactId>
-    <version>1.7.0-incubating-SNAPSHOT</version>
+    <version>1.7.1</version>
   </parent>
 
   <artifactId>sentry-core-common</artifactId>

sentry-core/sentry-core-model-db/pom.xml

@@ -21,7 +21,7 @@ limitations under the License.
   <parent>
     <groupId>org.apache.sentry</groupId>
     <artifactId>sentry-core</artifactId>
-    <version>1.7.0-incubating-SNAPSHOT</version>
+    <version>1.7.1</version>
   </parent>
 
   <artifactId>sentry-core-model-db</artifactId>

sentry-core/sentry-core-model-indexer/pom.xml

@@ -21,7 +21,7 @@ limitations under the License.
   <parent>
     <groupId>org.apache.sentry</groupId>
     <artifactId>sentry-core</artifactId>
-    <version>1.7.0-incubating-SNAPSHOT</version>
+    <version>1.7.1</version>
   </parent>
 
   <artifactId>sentry-core-model-indexer</artifactId>

sentry-core/sentry-core-model-kafka/pom.xml

@@ -21,7 +21,7 @@ limitations under the License.
   <parent>
     <groupId>org.apache.sentry</groupId>
     <artifactId>sentry-core</artifactId>
-    <version>1.7.0-incubating-SNAPSHOT</version>
+    <version>1.7.1</version>
   </parent>
 
   <artifactId>sentry-core-model-kafka</artifactId>

sentry-core/sentry-core-model-search/pom.xml

@@ -21,7 +21,7 @@ limitations under the License.
   <parent>
     <groupId>org.apache.sentry</groupId>
     <artifactId>sentry-core</artifactId>
-    <version>1.7.0-incubating-SNAPSHOT</version>
+    <version>1.7.1</version>
   </parent>
 
   <artifactId>sentry-core-model-search</artifactId>