Github user joewitt commented on a diff in the pull request:
https://github.com/apache/nifi/pull/2360#discussion_r158575760
--- Diff:
nifi-nar-bundles/nifi-extension-utils/nifi-hadoop-utils/src/main/java/org/apache/nifi/hadoop/SecurityUtil.java
---
@@ -51,7 +50,8 @@ public static synchronized UserGroupInformation
loginKerberos(final Configuratio
Validate.notNull(keyTab);
UserGroupInformation.setConfiguration(config);
- return
UserGroupInformation.loginUserFromKeytabAndReturnUGI(principal.trim(),
keyTab.trim());
+ UserGroupInformation.loginUserFromKeytab(principal.trim(),
keyTab.trim());
--- End diff --
And we should also probably in that comment explain why the ticket renewal
threads to attempt to force explicit renewals could be problematic/increase
chances of race conditions. Specifically the subject within the UGI could be
loggedout by our explicit renewal attempts while at the same time a hadoop
operation occurring could kick off the Hadoop client to relogin but the subject
would have been cleared/in an unexpected state. The UGI class passes the
subject to the underlying jdk kerb handling.
---
