[
https://issues.apache.org/jira/browse/NIFI-385?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14367602#comment-14367602
]
Ryan Blue commented on NIFI-385:
--------------------------------
We recently designed an API for this in Flume. The main commit is
[542b1695|https://github.com/apache/flume/commit/542b1695].
This introduces a method that takes credentials and returns a
{{PrivilegedExecutor}} that will run code with those credentials. You can also
get a "proxy" executor that is a "sudo" like operation that works if the
Kerberos credentials can be used to act on behalf of another user. It all ends
up looking like this:
{code:java}
user = FlumeAuthenticationUtil.getAuthenticator(principal, keytab)
.proxyAs(effectiveUser);
// get a dataset where operations are done as user
dataset = user.execute(
new PrivilegedAction<Dataset<GenericRecord>>() {
@Override
public Dataset<GenericRecord> run() {
return Datasets.load(datasetUri);
}
});
{code}
This is slightly weird because the only operation is to get the dataset with
that user. That's because Hadoop's FS objects do all actions on behalf of the
current user at the time the FS handle was created. Kite maintains a single FS
handle for the Dataset.
> Add Kerberos support in nifi-kite-nar
> -------------------------------------
>
> Key: NIFI-385
> URL: https://issues.apache.org/jira/browse/NIFI-385
> Project: Apache NiFi
> Issue Type: Improvement
> Components: Extensions
> Reporter: Ryan Blue
>
> Kite should be able to connect to a Kerberized Hadoop cluster to store data.
> Kite's Flume connector has working code. The Kite dataset needs to be
> instantiated in a {{doPrivileged}} block and its internal {{FileSystem}}
> object will hold the credentials after that.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
