[ https://issues.apache.org/jira/browse/NIFI-4323?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16302190#comment-16302190 ]

ASF GitHub Bot commented on NIFI-4323:
--------------------------------------

Github user joewitt commented on a diff in the pull request:

    https://github.com/apache/nifi/pull/2360#discussion_r158575760
  
    --- Diff: 
nifi-nar-bundles/nifi-extension-utils/nifi-hadoop-utils/src/main/java/org/apache/nifi/hadoop/SecurityUtil.java
 ---
    @@ -51,7 +50,8 @@ public static synchronized UserGroupInformation 
loginKerberos(final Configuratio
             Validate.notNull(keyTab);
     
             UserGroupInformation.setConfiguration(config);
    -        return 
UserGroupInformation.loginUserFromKeytabAndReturnUGI(principal.trim(), 
keyTab.trim());
    +        UserGroupInformation.loginUserFromKeytab(principal.trim(), 
keyTab.trim());
    --- End diff --
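
    Review bot: on the changed call, swapping loginUserFromKeytabAndReturnUGI for loginUserFromKeytab changes whose identity is affected. The old call returned a separate UGI and left the current login user alone, while the new one replaces the process-wide login user, so every caller of this static loginKerberos method ends up sharing the most recently supplied principal and keytab. That deserves a code comment at this line stating that the shared login is intended and what happens when two components are configured with different principals. The method still declares a UserGroupInformation return type and loginUserFromKeytab returns nothing, so the added line that follows (cut off in this excerpt) needs to return the login user explicitly.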
    
    And we should also probably in that comment explain why the ticket renewal 
threads to attempt to force explicit renewals could be problematic/increase 
chances of race conditions.  Specifically, the subject within the UGI could be 
logged out by our explicit renewal attempts while at the same time a Hadoop 
operation occurring could kick off the Hadoop client to relogin but the subject 
would have been cleared/in an unexpected state.  The UGI class passes the 
subject to the underlying JDK kerb handling.


> Get/List/DeleteHDFS processors should use UGI.doAs when invoking HDFS 
> operations
> --------------------------------------------------------------------------------
>
>                 Key: NIFI-4323
>                 URL: https://issues.apache.org/jira/browse/NIFI-4323
>             Project: Apache NiFi
>          Issue Type: Improvement
>          Components: Extensions
>    Affects Versions: 1.3.0
>            Reporter: Jeff Storck
>            Assignee: Jeff Storck
>
> While the Get/List/DeleteHDFS processors are working without wrapping HDFS 
> operations in UGI.doAs calls, for best practice, those operations should be 
> performed as PrivilegedExceptionActions supplied to the UGI.doAs method.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
