CalvinKirs opened a new pull request, #43445:
URL: https://github.com/apache/doris/pull/43445
### What problem does this PR solve?
Support Pre-Execution Authentication for HMS Type Iceberg Catalog Operations
Summary
This PR introduces a new utility class, PreExecutionAuthenticator, which is
designed to ensure pre-execution authentication for HMS (Hive Metastore) type
operations on Iceberg catalogs. This is especially useful in environments where
secure access is required, such as Kerberos-based Hadoop ecosystems. By
integrating PreExecutionAuthenticator, each relevant operation will undergo an
authentication step prior to execution, maintaining security compliance.
### Motivation
In environments utilizing an Iceberg catalog with an HMS backend, many
operations may require authentication to access secure data or perform
privileged tasks. Given that operations on HMS-type catalogs typically run
within a Hadoop environment secured by Kerberos, ensuring each operation is
executed within an authenticated context is essential. Previously, there was no
standardized mechanism to enforce pre-execution authentication, which led to
potential security gaps. This PR aims to address this issue by introducing an
extensible authentication utility.
### Key Changes
Addition of PreExecutionAuthenticator Utility Class
Provides a standard way to perform pre-execution authentication for tasks.
Leverages HadoopAuthenticator (when available) to execute tasks within a
privileged context using doAs. Supports execution with or without
authentication, enabling flexibility for both secure and non-secure
environments. Integration with Iceberg Catalog Operations
All relevant HMS-type catalog operations will now use
PreExecutionAuthenticator to perform pre-execution authentication. Ensures that
operations like createDb, dropDb, and other privileged tasks are executed only
after authentication. Extensible Design
PreExecutionAuthenticator is adaptable to other future authentication
methods, if needed, beyond Hadoop and Kerberos.
CallableToPrivilegedExceptionActionAdapter class allows any Callable task to be
executed within a PrivilegedExceptionAction, making it versatile for various
task types.
### Check List (For Author)
- Test <!-- At least one of them must be included. -->
- [ ] Regression test
- [ ] Unit Test
- [ ] Manual test (add detailed scripts or steps below)
- [ ] No need to test or manual test. Explain why:
- [ ] This is a refactor/code format and no logic has been changed.
- [ ] Previous test can cover this change.
- [ ] No colde files have been changed.
- [ ] Other reason <!-- Add your reason? -->
- Behavior changed:
- [ ] No.
- [ ] Yes. <!-- Explain the behavior change -->
- Does this need documentation?
- [ ] No.
- [ ] Yes. <!-- Add document PR link here. eg:
https://github.com/apache/doris-website/pull/1214 -->
- Release note
<!-- bugfix, feat, behavior changed need a release note -->
<!-- Add one line release note for this PR. -->
None
### Check List (For Reviewer who merge this PR)
- [ ] Confirm the release note
- [ ] Confirm test cases
- [ ] Confirm document
- [ ] Add branch pick label <!-- Add branch pick label that this PR should
merge into -->
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: commits-unsubscr...@doris.apache.org
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscr...@doris.apache.org
For additional commands, e-mail: commits-h...@doris.apache.org
