[jira] [Commented] (NIFI-3534) Add support for impersonating a user with HDFS processors

Mon, 13 Mar 2017 07:17:56 -0700 

    [ 
https://issues.apache.org/jira/browse/NIFI-3534?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15907536#comment-15907536
 ] 

ASF GitHub Bot commented on NIFI-3534:
--------------------------------------

Github user bbende commented on a diff in the pull request:

    https://github.com/apache/nifi/pull/1581#discussion_r105669563
  
    --- Diff: 
nifi-nar-bundles/nifi-hadoop-bundle/nifi-hdfs-processors/src/main/java/org/apache/nifi/processors/hadoop/AbstractHadoopProcessor.java
 ---
    @@ -292,7 +304,11 @@ HdfsResources resetHDFSResources(String 
configResources, ProcessContext context)
                     ugi = SecurityUtil.loginKerberos(config, principal, 
keyTab);
                     fs = getFileSystemAsUser(config, ugi);
                     lastKerberosReloginTime = System.currentTimeMillis() / 
1000;
    -            } else {
    +            } else if (context.getProperty(REMOTE_USER).isSet()){
    --- End diff --
    
    This might be more of a stylistic thing, but we could probably fold these 
together....
    
    ```
    else {
      config.set("ipc.client.fallback-to-simple-auth-allowed", "true");
      config.set("hadoop.security.authentication", "simple");                   
          
      if (context.getProperty(REMOTE_USER).isSet()) {
        ugi = 
UserGroupInformation.createRemoteUser(context.getProperty(REMOTE_USER).evaluateAttributeExpressions().getValue());
      } else {
        ugi = SecurityUtil.loginSimple(config);
      }
      fs = getFileSystemAsUser(config, ugi);
    }
    ```


> Add support for impersonating a user with HDFS processors 
> ----------------------------------------------------------
>
>                 Key: NIFI-3534
>                 URL: https://issues.apache.org/jira/browse/NIFI-3534
>             Project: Apache NiFi
>          Issue Type: Bug
>            Reporter: Andrew Psaltis
>            Assignee: Andrew Psaltis
>
> When using the HDFS processors, specifically PutHDFS there are times when a 
> user wants to impersonate a user so that the files written to HDFS are done 
> as the remote user. In cases where Kerberos is not used, this is not 
> possible. Currently there is the ability for NiFi to change the permissions 
> using the Remote Owner and Remote Group, however, this only works if NiFi is 
> running as a user that has HDFS super user privilege. By providing the 
> ability to set a Remote User, NiFi can then impersonate the user and the 
> permission checks will be done in Hadoop land. 



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)

Reply via email to