[jira] [Commented] (NIFI-3520) HDFS processors experiencing Kerberos "impersonate" errors

Mon, 13 Mar 2017 09:25:08 -0700 

    [ 
https://issues.apache.org/jira/browse/NIFI-3520?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15907760#comment-15907760
 ] 

ASF subversion and git services commented on NIFI-3520:
-------------------------------------------------------

Commit a61f353051cf065f053d7f186fb32b137986e13d in nifi's branch 
refs/heads/master from [~jtstorck]
[ https://git-wip-us.apache.org/repos/asf?p=nifi.git;h=a61f353 ]

NIFI-3520 Updated nifi-hdfs-processors POM to depend directly on hadoop-client
- Removed NAR dependency on nifi-hadoop-libraries-nar from nifi-hadoop-nar so 
that hadoop-client dependencies will be included directly in nifi-hadoop-nar
- Added RequiresInstanceClassLoading annotation to AbstractHadoopProcessor and 
HiveConnectionPool
- UGI relogins are now performed using doAs
- Added debug-level logging for UGI relogins in KerberosTicketRenewer and 
AbstractHadoopProcessor

This closes #1539.

Signed-off-by: Bryan Bende <[email protected]>


> HDFS processors experiencing Kerberos "impersonate" errors 
> -----------------------------------------------------------
>
>                 Key: NIFI-3520
>                 URL: https://issues.apache.org/jira/browse/NIFI-3520
>             Project: Apache NiFi
>          Issue Type: Bug
>    Affects Versions: 1.0.0, 1.1.0, 1.1.1, 1.0.1
>            Reporter: Jeff Storck
>            Assignee: Jeff Storck
>
> When multiple Kerberos principals are used between multiple HDFS processors, 
> the processor instances will be able to login to Kerberos with their 
> configured principals initially, but will not properly relogin.  
> For example, if there are two PutHDFS processors, one configured as 
> [email protected], and the other as [email protected], they will both login 
> with the KDC correctly and be able to transfer files to HDFS.  Once one of 
> the PutHDFS processors attempts to relogin, it may end up being logged in as 
> the principal from the other PutHDFS processor.  The principal contexts end 
> up getting switched, and the hadoop client used by the processor will attempt 
> to proxy requests from one user through another, resulting in the following 
> exception:
> {panel}Failed to write to HDFS due to 
> org.apache.hadoop.ipc.RemoteException(org.apache.hadoop.security.authorize.AuthorizationException):
>  User: [email protected] is not allowed to impersonate 
> [email protected]{panel}



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)

Reply via email to