[
https://issues.apache.org/jira/browse/NIFI-3520?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15881690#comment-15881690
]
ASF GitHub Bot commented on NIFI-3520:
--------------------------------------
GitHub user jtstorck opened a pull request:
https://github.com/apache/nifi/pull/1539
NIFI-3520 Updates classloading for components annotated with Requires…
…InstanceClassLoading to include dependencies in the InstanceClassLoader
Added RequiresInstanceClassLoading annotation to AbstractHadoopProcessor
and HiveConnectionPool
Removed RequiresInstanceClassLoading from PutHDFS now that the
AbstractHadoopProcessor uses the annotation
UGI relogins are now performed using doAs
Added debug-level logging for UGI relogins in KerberosTicketRenewer and
AbstractHadoopProcessor
Thank you for submitting a contribution to Apache NiFi.
In order to streamline the review of the contribution we ask you
to ensure the following steps have been taken:
### For all changes:
- [x] Is there a JIRA ticket associated with this PR? Is it referenced
in the commit message?
- [x] Does your PR title start with NIFI-XXXX where XXXX is the JIRA number
you are trying to resolve? Pay particular attention to the hyphen "-" character.
- [x] Has your PR been rebased against the latest commit within the target
branch (typically master)?
- [x] Is your initial contribution a single, squashed commit?
### For code changes:
- [x] Have you ensured that the full suite of tests is executed via mvn
-Pcontrib-check clean install at the root nifi folder?
- [ ] Have you written or updated unit tests to verify your changes?
- [ ] If adding new dependencies to the code, are these dependencies
licensed in a way that is compatible for inclusion under [ASF
2.0](http://www.apache.org/legal/resolved.html#category-a)?
- [ ] If applicable, have you updated the LICENSE file, including the main
LICENSE file under nifi-assembly?
- [ ] If applicable, have you updated the NOTICE file, including the main
NOTICE file found under nifi-assembly?
- [ ] If adding new Properties, have you added .displayName in addition to
.name (programmatic access) for each of the new properties?
### For documentation related changes:
- [ ] Have you ensured that format looks appropriate for the output in
which it is rendered?
### Note:
Please ensure that once the PR is submitted, you check travis-ci for build
issues and submit an update to your PR as soon as possible.
You can merge this pull request into a Git repository by running:
$ git pull https://github.com/jtstorck/nifi NIFI-3520
Alternatively you can review and apply these changes as the patch at:
https://github.com/apache/nifi/pull/1539.patch
To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:
This closes #1539
----
commit 9d91e60641f3ec528786f7add2ec878a8ad56173
Author: Jeff Storck <[email protected]>
Date: 2017-02-24T01:03:40Z
NIFI-3520 Updates classloading for components annotated with
RequiresInstanceClassLoading to include dependencies in the InstanceClassLoader
Added RequiresInstanceClassLoading annotation to AbstractHadoopProcessor
and HiveConnectionPool
Removed RequiresInstanceClassLoading from PutHDFS now that the
AbstractHadoopProcessor uses the annotation
UGI relogins are now performed using doAs
Added debug-level logging for UGI relogins in KerberosTicketRenewer and
AbstractHadoopProcessor
----
> HDFS processors experiencing Kerberos "impersonate" errors
> -----------------------------------------------------------
>
> Key: NIFI-3520
> URL: https://issues.apache.org/jira/browse/NIFI-3520
> Project: Apache NiFi
> Issue Type: Bug
> Affects Versions: 1.0.0, 1.1.0, 1.1.1, 1.0.1
> Reporter: Jeff Storck
> Assignee: Jeff Storck
>
> When multiple Kerberos principals are used between multiple HDFS processors,
> the processor instances will be able to login to Kerberos with their
> configured principals initially, but will not properly relogin.
> For example, if there are two PutHDFS processors, one configured as
> [email protected], and the other as [email protected], they will both login
> with the KDC correctly and be able to transfer files to HDFS. Once one of
> the PutHDFS processors attempts to relogin, it may end up being logged in as
> the principal from the other PutHDFS processor. The principal contexts end
> up getting switched, and the hadoop client used by the processor will attempt
> to proxy requests from one user through another, resulting in the following
> exception:
> {panel}Failed to write to HDFS due to
> org.apache.hadoop.ipc.RemoteException(org.apache.hadoop.security.authorize.AuthorizationException):
> User: [email protected] is not allowed to impersonate
> [email protected]{panel}
--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
