[
https://issues.apache.org/jira/browse/NIFI-13496?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Peter Turcsanyi updated NIFI-13496:
-----------------------------------
Status: Patch Available (was: In Progress)
> HDFS processors' classloader isolation key should include Hadoop
> configuration files
> ------------------------------------------------------------------------------------
>
> Key: NIFI-13496
> URL: https://issues.apache.org/jira/browse/NIFI-13496
> Project: Apache NiFi
> Issue Type: Bug
> Reporter: Peter Turcsanyi
> Assignee: Peter Turcsanyi
> Priority: Major
> Time Spent: 10m
> Remaining Estimate: 0h
>
> The HDFS processors implement {{ClassloaderIsolationKeyProvider}} in order to
> leverage shared parent classloading (NIFI-9382). The current implementation
> considers the Kerberos principal name only as an isolation factor.
> However, Hadoop xml configuration resources may also contain parameters that
> can lead to initialization of static / singleton resources in the Hadoop
> client. E.g. when KMS is used and is accessed via HTTPS, then [SSLFactory in
> KMSClientProvider|https://github.com/apache/hadoop/blob/c33d86860606f972f8b743b02f629b14f83d14f2/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/key/kms/KMSClientProvider.java#L389]
> is initialized only once and globally for all components. Therefore, it is
> not possible to use different SSL settings or SSL + no-SSL in different
> components in parallel if a shared classloader is used.
> The SSL for the Hadoop client in NiFi is configured by specifying the path of
> {{ssl-client.xml}} in Additional Classpath Resources property of the HDFS
> processors.
> In order to provide proper classloader isolation, add the value of Additional
> Classpath Resources property to the isolation key. Also add Hadoop
> Configuration Resources property because it may contain configurations with
> similar effect too.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
