[jira] [Commented] (NIFI-3520) HDFS processors experiencing Kerberos "impersonate" errors

Mon, 03 Apr 2017 06:07:57 -0700 

    [ 
https://issues.apache.org/jira/browse/NIFI-3520?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15953440#comment-15953440
 ] 

ASF GitHub Bot commented on NIFI-3520:
--------------------------------------

Github user mcgilman commented on the issue:

    https://github.com/apache/nifi/pull/1635
  
    I think the proposed solution will offer clear, concise rules for when 
resources are cloned. It also offers further granularity has it puts the 
cloning of the parent resources in control of the extension. The only downside 
is that when specified the entire ancestry will be cloned until a referenced 
service API is encountered. However, this downside is outweighed by the 
benefits of component-based cloning when the flag was previously specified on 
the entire parent nar and would affect all descendent components that required 
instance classloading even if they didn't actually need it.


> HDFS processors experiencing Kerberos "impersonate" errors 
> -----------------------------------------------------------
>
>                 Key: NIFI-3520
>                 URL: https://issues.apache.org/jira/browse/NIFI-3520
>             Project: Apache NiFi
>          Issue Type: Bug
>    Affects Versions: 1.0.0, 1.1.0, 1.1.1, 1.0.1
>            Reporter: Jeff Storck
>            Assignee: Bryan Bende
>             Fix For: 1.2.0
>
>
> When multiple Kerberos principals are used between multiple HDFS processors, 
> the processor instances will be able to login to Kerberos with their 
> configured principals initially, but will not properly relogin.  
> For example, if there are two PutHDFS processors, one configured as 
> [email protected], and the other as [email protected], they will both login 
> with the KDC correctly and be able to transfer files to HDFS.  Once one of 
> the PutHDFS processors attempts to relogin, it may end up being logged in as 
> the principal from the other PutHDFS processor.  The principal contexts end 
> up getting switched, and the hadoop client used by the processor will attempt 
> to proxy requests from one user through another, resulting in the following 
> exception:
> {panel}Failed to write to HDFS due to 
> org.apache.hadoop.ipc.RemoteException(org.apache.hadoop.security.authorize.AuthorizationException):
>  User: [email protected] is not allowed to impersonate 
> [email protected]{panel}



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)

Reply via email to