1. 背景
Apache Sentry 是Cloudera公司发布的一个Hadoop开源组件,提供了细粒度级、基于角色的授权以及多租户的管理模式,主要针对存储在Hadoop集群上的数据和元数据。它可以和Hive/Hcatalog、Apache Solr 和Cloudera Impala等集成,未来可以扩展到其他Hadoop生态系统组件,如HDFS和HBase。
Sentry旨在成为可插拔授权引擎的Hadoop组件。允许定义授权规则以验证用户或应用程序对Hadoop资源的访问请求。Sentry是高度模块化的,可以支持Hadoop中各种数据模型的授权。
2. 本文的目标
本文目标人群为初次接触apache sentry的开发人员,帮助其找到代码的入口函数,快速摸清代码的架构,梳理系统的结构,追踪代码的调用路径,为之后的深入阅读打下基础。建议阅读之前,在网上搜索sentry相关的资料,了解其架构,原理,以便更好地了解源代码。写这篇文章时,本人也是刚接触sentry,有些心得,与大家分享。更多深入的理解,请关注下一次的分享
3. sentry简单介绍
权限模型,在很多系统我们都见过,先是资源,然后是权限,权限是对资源的访问规则,然后有角色,角色是一组权限,最后是用户,角色赋予给用户,有时候也会有组的概念,相同属性的用户划成一组,角色赋予给组。sentry的权限模型也是同样的原理。它包括一下元素:
a. Resource:权限的对象,包括server, 库,表,行,uri等
b. Privilege: 权限,可以连接成一组访问规则。比如用户A可以对表T进行读访问,但不能删除。
c. Role:角色是一组权限的集合
d. Group:相当于用户这个概念,sentry不存在用户这个概念。都是以Group来表达。你可以理解成sentry的组就是用户或者账号的概念。角色赋予给Group。
4. 代码初读
4.1 入口函数
阅读源代码,最好的方式是找到入口函数,从入口函数一步步往下阅读,自然能够梳理出代码的整体架构。
Sentry入口函数位于:sentry-tools/src/main/java/org/apache/sentry/SentryMain.java
为什么我知道在这儿,根据启动时采用命令行的方式,带参数。一般都会有main函数,还是经验问题哈。
public static void main(String[] args)
throws Exception {
CommandLineParser parser = new GnuParser();
Options options = new Options();
options.addOption(HELP_SHORT, HELP_LONG, false, "Print this help text");
options.addOption(VERSION_SHORT, VERSION_LONG, false,
"Print Sentry version");
options.addOption(HIVE_CONF, true, "Set hive configuration variables");
options.addOption(null, COMMAND, true, "Command to run. Options: " + COMMANDS);
options.addOption(null, LOG4J_CONF, true, "Location of log4j properties file");
//Ignore unrecognized options: service and config-tool options
CommandLine commandLine = parser.parse(options, args, true);
String log4jconf = commandLine.getOptionValue(LOG4J_CONF);
if (log4jconf != null && log4jconf.length() > 0) {
Properties log4jProperties = new Properties();
// Firstly load log properties from properties file
try (InputStream istream = Files.newInputStream(Paths.get(log4jconf))) {
log4jProperties.load(istream);
}
// Set the log level of DataNucleus.Query to INFO only if it is not set in the
// properties file
if (!log4jProperties.containsKey(LOG4J_DATANUCLEUS)) {
log4jProperties.setProperty(LOG4J_DATANUCLEUS, "INFO");
// Enable debug log for DataNucleus.Query only when log.threshold is TRACE
String logThreshold = log4jProperties.getProperty("log.threshold");
if (logThreshold != null && logThreshold.equalsIgnoreCase("TRACE")) {
log4jProperties.setProperty(LOG4J_DATANUCLEUS, "DEBUG");
}
}
PropertyConfigurator.configure(log4jProperties);
Logger sentryLogger = LoggerFactory.getLogger(SentryMain.class);
sentryLogger.info("Configuring log4j to use [" + log4jconf + "]");
}
//Print sentry help only if commandName was not given,
// otherwise we assume the help is for the sub command
String commandName = commandLine.getOptionValue(COMMAND);
if (commandName == null && (commandLine.hasOption(HELP_SHORT) ||
commandLine.hasOption(HELP_LONG))) {
printHelp(options, "Command name is missing.");
} else if (commandLine.hasOption(VERSION_SHORT) ||
commandLine.hasOption(VERSION_LONG)) {
printVersion();
}
Command command = null;
switch (commandName){
case "service":
command = new SentryService.CommandImpl();
break;
case "config-tool":
command = new SentryConfigTool.CommandImpl();
break;
case "schema-tool":
command = new SentrySchemaTool.CommandImpl();
break;
default:
printHelp(options, "Unknown command " + commandName + "\n");
break;
}
((Command)command).run(commandLine.getArgs());
}
这段代码主要是根据传入的参数,解析参数,读取配置文件,初始化日志。其他的大致看一眼,最主要的是这个函数:command = new SentryService.CommandImpl();
4.2 启动过程:
sentry启动过程主要看这个类:sentry-service/sentry-service-server/src/main/java/org/apache/sentry/service/thrift/SentryService.java。
public SentryService(Configuration conf) throws Exception {
this.conf = conf;
int port = conf
.getInt(ServerConfig.RPC_PORT, ServerConfig.RPC_PORT_DEFAULT);
if (port == 0) {
port = findFreePort();
conf.setInt(ServerConfig.RPC_PORT, port);
}
this.address = NetUtils.createSocketAddr(
conf.get(ServerConfig.RPC_ADDRESS, ServerConfig.RPC_ADDRESS_DEFAULT),
port);
LOGGER.info("Configured on address {}", address);
kerberos = ServerConfig.SECURITY_MODE_KERBEROS.equalsIgnoreCase(
conf.get(ServerConfig.SECURITY_MODE, ServerConfig.SECURITY_MODE_KERBEROS).trim());
maxThreads = conf.getInt(ServerConfig.RPC_MAX_THREADS,
ServerConfig.RPC_MAX_THREADS_DEFAULT);
minThreads = conf.getInt(ServerConfig.RPC_MIN_THREADS,
ServerConfig.RPC_MIN_THREADS_DEFAULT);
maxMessageSize = conf.getLong(ServerConfig.SENTRY_POLICY_SERVER_THRIFT_MAX_MESSAGE_SIZE,
ServerConfig.SENTRY_POLICY_SERVER_THRIFT_MAX_MESSAGE_SIZE_DEFAULT);
if (kerberos) {
// Use Hadoop libraries to translate the _HOST placeholder with actual hostname
try {
String rawPrincipal = Preconditions.checkNotNull(conf.get(ServerConfig.PRINCIPAL), ServerConfig.PRINCIPAL + " is required");
principal = SecurityUtil.getServerPrincipal(rawPrincipal, address.getAddress());
} catch(IOException io) {
throw new RuntimeException("Can't translate kerberos principal'", io);
}
LOGGER.info("Using kerberos principal: {}", principal);
principalParts = SaslRpcServer.splitKerberosName(principal);
Preconditions.checkArgument(principalParts.length == 3,
"Kerberos principal should have 3 parts: " + principal);
keytab = Preconditions.checkNotNull(conf.get(ServerConfig.KEY_TAB),
ServerConfig.KEY_TAB + " is required");
File keytabFile = new File(keytab);
Preconditions.checkState(keytabFile.isFile() && keytabFile.canRead(),
"Keytab %s does not exist or is not readable.", keytab);
} else {
principal = null;
principalParts = null;
keytab = null;
}
ThreadFactory sentryServiceThreadFactory = new ThreadFactoryBuilder()
.setNameFormat(SENTRY_SERVICE_THREAD_NAME)
.build();
serviceExecutor = Executors.newSingleThreadExecutor(sentryServiceThreadFactory);
this.sentryStore = getSentryStore(conf);
sentryStore.setPersistUpdateDeltas(SentryServiceUtil.isHDFSSyncEnabled(conf));
this.leaderMonitor = LeaderStatusMonitor.getLeaderStatusMonitor(conf);
status = Status.NOT_STARTED;
// Enable signal handler for HA leader/follower status if configured
String sigName = conf.get(ServerConfig.SERVER_HA_STANDBY_SIG);
if ((sigName != null) && !sigName.isEmpty()) {
LOGGER.info("Registering signal handler {} for HA", sigName);
try {
registerSigListener(sigName, this);
} catch (Exception e) {
LOGGER.error("Failed to register signal", e);
}
}
}
首先看下这个类的构造函数,主要是根据传入的配置文件,确定thrift的端口,最大线程数,最小线程数,最大消息size。还有监控,kerberos验证,可用行HA的配置。最主要的是看: this.sentryStore = getSentryStore(conf);这个函数。由于是采用thrift这种rpc框架,所以要注册processor,以及根据thrift IDL生成实际的处理函数。要想弄懂Sentry,建议先去弄懂Thrift这个RPC框架。
private void runServer() throws Exception {
startSentryStoreCleaner(conf);
startHMSFollower(conf);
Iterable<String> processorFactories = ConfUtilties.CLASS_SPLITTER
.split(conf.get(ServerConfig.PROCESSOR_FACTORIES,
ServerConfig.PROCESSOR_FACTORIES_DEFAULT).trim());
TMultiplexedProcessor processor = new TMultiplexedProcessor();
boolean registeredProcessor = false;
for (String processorFactory : processorFactories) {
Class<?> clazz = conf.getClassByName(processorFactory);
if (!ProcessorFactory.class.isAssignableFrom(clazz)) {
throw new IllegalArgumentException("Processor Factory "
+ processorFactory + " is not a "
+ ProcessorFactory.class.getName());
}
try {
Constructor<?> constructor = clazz
.getConstructor(Configuration.class);
LOGGER.info("ProcessorFactory being used: " + clazz.getCanonicalName());
ProcessorFactory factory = (ProcessorFactory) constructor
.newInstance(conf);
boolean registerStatus = factory.register(processor, sentryStore);
if (!registerStatus) {
LOGGER.error("Failed to register " + clazz.getCanonicalName());
}
registeredProcessor = registerStatus || registeredProcessor;
} catch (Exception e) {
throw new IllegalStateException("Could not create "
+ processorFactory, e);
}
}
if (!registeredProcessor) {
throw new IllegalStateException(
"Failed to register any processors from " + processorFactories);
}
addSentryServiceGauge();
TServerTransport serverTransport = new TServerSocket(address);
TTransportFactory transportFactory = null;
if (kerberos) {
TSaslServerTransport.Factory saslTransportFactory = new TSaslServerTransport.Factory();
saslTransportFactory.addServerDefinition(AuthMethod.KERBEROS
.getMechanismName(), principalParts[0], principalParts[1],
ServerConfig.SASL_PROPERTIES, new GSSCallback(conf));
transportFactory = saslTransportFactory;
} else {
transportFactory = new TTransportFactory();
}
TThreadPoolServer.Args args = new TThreadPoolServer.Args(
serverTransport).processor(processor)
.transportFactory(transportFactory)
.protocolFactory(new TBinaryProtocol.Factory(true, true, maxMessageSize, maxMessageSize))
.minWorkerThreads(minThreads).maxWorkerThreads(maxThreads);
thriftServer = new TThreadPoolServer(args);
LOGGER.info("Serving on {}", address);
startSentryWebServer();
// thriftServer.serve() does not return until thriftServer is stopped. Need to log before
// calling thriftServer.serve()
LOGGER.info("Sentry service is ready to serve client requests");
// Allow clients/users watching the console to know when sentry is ready
System.out.println("Sentry service is ready to serve client requests");
SentryStateBank.enableState(SentryServiceState.COMPONENT, SentryServiceState.SERVICE_RUNNING);
thriftServer.serve();
}
这段代码其他的不太重要,主要的看看,接受到RPC请求后怎么处理。既然采用了Thrift框架,必然对应的有根据IDL生成处理函数。processor就是处理函数,进一步去看看processFactories,从配置文件中可以看到采用的这个processorFactory:org.apache.sentry.api.service.thrift.SentryPolicyStoreProcessorFactory,进去看看里面干了啥?
public SentryPolicyStoreProcessorFactory(Configuration conf) {
super(conf);
}
public boolean register(TMultiplexedProcessor multiplexedProcessor,
SentryStoreInterface sentryStore) throws Exception {
SentryPolicyStoreProcessor sentryServiceHandler =
new SentryPolicyStoreProcessor(SentryPolicyServiceConstants.SENTRY_POLICY_SERVICE_NAME,
conf, sentryStore);
TProcessor processor =
new SentryProcessorWrapper<SentryPolicyService.Iface>(sentryServiceHandler);
multiplexedProcessor.registerProcessor(
SentryPolicyServiceConstants.SENTRY_POLICY_SERVICE_NAME, processor);
return true;
}
这个类在注册时,指定具体的处理类:SentryPolicyStoreProcessor,这个类里面都是thrift生成的每个接口的处理函数,如:drop_sentry_role,这个接口时删除角色的RPC接口。之后的逻辑,大家可以看具体的函数了,再次我不进一步分享了
5. 总结
今天主要时跟大家简单分享了下sentry的背景和原理,以及对读源码进行一件简单的引路。本人能力有限,提出了粗鄙的见解,有不足之处,请大家指出,分享交流!
