[
https://issues.apache.org/jira/browse/NIFI-3520?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Bryan Bende reopened NIFI-3520:
-------------------------------
Assignee: Bryan Bende (was: Jeff Storck)
While running some tests with HDFS and Hive processors using master, I noticed
two issues that appear to have been introduced after we merged this ticket...
The first is that if you use the "Additional Classpath Resources" on an HDFS
processor to specify a JAR with an additional filesystem, the ClassLoader with
the additional JARs can no longer resolve the FileSystem class which used to
come from nifi-hadoop-libraries-nar, but not comes directly from the
nifi-hadoop-bundle.
The second is that Hive processors using the HiveConnectionPool can no longer
correctly reference the controller service. This appears to be related to
adding the @RequiresInstanceClassLoading annotation to the connection pool, and
since Hive processors and CS are in the same NAR, we end up with no common
parent ClassLoader.
I'm planning to address these issues, but I'm likely going to do it as part of
NIFI-3380 or after it has been merged, since both of these require changes to
class loading related code that changed significantly in NIFI-3380.
> HDFS processors experiencing Kerberos "impersonate" errors
> -----------------------------------------------------------
>
> Key: NIFI-3520
> URL: https://issues.apache.org/jira/browse/NIFI-3520
> Project: Apache NiFi
> Issue Type: Bug
> Affects Versions: 1.0.0, 1.1.0, 1.1.1, 1.0.1
> Reporter: Jeff Storck
> Assignee: Bryan Bende
> Fix For: 1.2.0
>
>
> When multiple Kerberos principals are used between multiple HDFS processors,
> the processor instances will be able to login to Kerberos with their
> configured principals initially, but will not properly relogin.
> For example, if there are two PutHDFS processors, one configured as
> [email protected], and the other as [email protected], they will both login
> with the KDC correctly and be able to transfer files to HDFS. Once one of
> the PutHDFS processors attempts to relogin, it may end up being logged in as
> the principal from the other PutHDFS processor. The principal contexts end
> up getting switched, and the hadoop client used by the processor will attempt
> to proxy requests from one user through another, resulting in the following
> exception:
> {panel}Failed to write to HDFS due to
> org.apache.hadoop.ipc.RemoteException(org.apache.hadoop.security.authorize.AuthorizationException):
> User: [email protected] is not allowed to impersonate
> [email protected]{panel}
--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
