Peter Turcsanyi created NIFI-13496:
--------------------------------------
Summary: HDFS processors' classloader isolation key should include
Hadoop configuration files
Key: NIFI-13496
URL: https://issues.apache.org/jira/browse/NIFI-13496
Project: Apache NiFi
Issue Type: Bug
Reporter: Peter Turcsanyi
Assignee: Peter Turcsanyi
The HDFS processors implement {{ClassloaderIsolationKeyProvider}} in order to
leverage shared parent classloading (NIFI-9382). The current implementation
considers only the Kerberos principal name as an isolation factor.

However, Hadoop XML configuration resources may also contain parameters that
can lead to initialization of static / singleton resources in the Hadoop
client. For example, when KMS is used and accessed via HTTPS, the [SSLFactory in
KMSClientProvider|https://github.com/apache/hadoop/blob/c33d86860606f972f8b743b02f629b14f83d14f2/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/key/kms/KMSClientProvider.java#L389]
is initialized only once and globally for all components. Therefore, it is not
possible to use different SSL settings or SSL + no-SSL in different components
in parallel if a shared classloader is used.

The SSL for the Hadoop client in NiFi is configured by specifying the path of
{{ssl-client.xml}} in the Additional Classpath Resources property of the HDFS
processors.

In order to provide proper classloader isolation, add the value of the Additional
Classpath Resources property to the isolation key. Also add the Hadoop
Configuration Resources property because it may contain configurations with
a similar effect.
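The effect described in this issue, modelled in self-contained Java (an added example, not NiFi or Hadoop code; the class, record and method names and the sample paths and principal are hypothetical). Classloaders are modelled as map entries keyed by the isolation key, and `ClientState` stands in for client state that is initialized once per classloader, like the SSLFactory mentioned above.

```java
import java.util.*;
import java.util.function.Function;

// Added illustration; every name here is hypothetical, not NiFi or Hadoop code.
public class IsolationKeyDemo {
    // Property values of one HDFS processor instance (constructed sample data).
    record Component(String name, String principal, String configResources, String additionalClasspath) {}

    // Stands in for static client state that is set up once per classloader.
    static final class ClientState {
        private String sslConfig; // fixed by whichever component initializes first
        String initOnce(String requested) {
            if (sslConfig == null) sslConfig = requested;
            return sslConfig;
        }
    }

    // Behaviour the issue reports: the key is the Kerberos principal only.
    static String principalOnlyKey(Component c) { return c.principal(); }

    // Behaviour the issue proposes: principal plus both resource properties.
    static String extendedKey(Component c) {
        return String.join("|", c.principal(), c.configResources(), c.additionalClasspath());
    }

    // Maps each component to the SSL config it actually ends up using when
    // components with equal isolation keys share one classloader (one map entry).
    static Map<String, String> effectiveSsl(List<Component> comps, Function<Component, String> keyFn) {
        Map<String, ClientState> loaders = new HashMap<>();
        Map<String, String> result = new LinkedHashMap<>();
        for (Component c : comps) {
            ClientState state = loaders.computeIfAbsent(keyFn.apply(c), k -> new ClientState());
            result.put(c.name(), state.initOnce(c.additionalClasspath()));
        }
        return result;
    }

    public static void main(String[] args) {
        List<Component> comps = List.of(
            new Component("PutHDFS-A", "nifi@EXAMPLE.COM", "/conf/core-site.xml", "/conf/a/ssl-client.xml"),
            new Component("PutHDFS-B", "nifi@EXAMPLE.COM", "/conf/core-site.xml", "/conf/b/ssl-client.xml"));
        // With the principal-only key, B silently inherits A's SSL settings.
        System.out.println("principal only: " + effectiveSsl(comps, IsolationKeyDemo::principalOnlyKey));
        // With the extended key, each component keeps its own ssl-client.xml.
        System.out.println("extended key:   " + effectiveSsl(comps, IsolationKeyDemo::extendedKey));
    }
}
```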