[ https://issues.apache.org/jira/browse/NIFI-4323?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16302568#comment-16302568 ]

ASF GitHub Bot commented on NIFI-4323:
--------------------------------------

Github user joshelser commented on the issue:

    https://github.com/apache/nifi/pull/2360
  
    > use UGI.loginUserFromKeytab. This brings those components in line with daemon-process-style usage, made possible by NiFi's InstanceClassloader isolation. Relogin (on ticket expiry/connection failure) can now be properly handled by hadoop-client code implicitly.
    
    Interesting. I'm trying to understand how to state this problem outside the context of NiFi (because the fix still confounds me). It seems like what's being stated is: when `UserGroupInformation.loginUserFromKeytabAndReturnUGI()` is used, the implicit re-login code called inside of the HDFS client code (e.g. `Client$Connection#handleSaslConnectionFailure()`) does the wrong thing. Looking at this again:
    
    ```java
    if (UserGroupInformation.isLoginKeytabBased()) {
      UserGroupInformation.getLoginUser().reloginFromKeytab();
    } else if (UserGroupInformation.isLoginTicketBased()) {
      UserGroupInformation.getLoginUser().reloginFromTicketCache();
    }
    ```
    
    Seems to paint a pretty clear picture as to why, when the loginUser isn't the one we're executing the call as, the relogin fails. Makes me wonder why HDFS isn't doing a `getCurrentUser()` instead of the `getLoginUser()`...


> Get/List/DeleteHDFS processors should use UGI.doAs when invoking HDFS 
> operations
> --------------------------------------------------------------------------------
>
>                 Key: NIFI-4323
>                 URL: https://issues.apache.org/jira/browse/NIFI-4323
>             Project: Apache NiFi
>          Issue Type: Improvement
>          Components: Extensions
>    Affects Versions: 1.3.0
>            Reporter: Jeff Storck
>            Assignee: Jeff Storck
>
> While the Get/List/DeleteHDFS processors are working without wrapping HDFS 
> operations in UGI.doAs calls, for best practice, those operations should be 
> performed as PrivilegedExceptionActions supplied to the UGI.doAs method.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
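
Added example (not code from the pull request, NiFi or Hadoop): one way to run an HDFS listing under `UGI.doAs` with a UGI obtained from `loginUserFromKeytabAndReturnUGI()`, refreshing that UGI's ticket explicitly because the implicit relogin quoted in the comment above acts on `getLoginUser()`. The principal, keytab path and directory are placeholders, and the code assumes a Kerberized HDFS whose client configuration is on the classpath.

```java
import java.io.IOException;
import java.security.PrivilegedExceptionAction;

import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.fs.FileStatus;
import org.apache.hadoop.fs.FileSystem;
import org.apache.hadoop.fs.Path;
import org.apache.hadoop.security.UserGroupInformation;

public class DoAsListing {
    // Placeholders (assumptions, not from the issue): replace with real values.
    static final String PRINCIPAL = "svc-example@EXAMPLE.COM";
    static final String KEYTAB = "/path/to/svc-example.keytab";
    static final String DIR = "/tmp";

    /** Lists a directory as the given UGI rather than as the process login user. */
    static FileStatus[] listAs(UserGroupInformation ugi, Configuration conf, Path dir)
            throws IOException, InterruptedException {
        // The implicit relogin in the RPC client acts on getLoginUser(), which is
        // not this UGI, so refresh this UGI's TGT explicitly before the call.
        ugi.checkTGTAndReloginFromKeytab();
        return ugi.doAs((PrivilegedExceptionAction<FileStatus[]>) () -> {
            // Inside doAs, getCurrentUser() is ugi; getLoginUser() is unchanged.
            System.out.println("current=" + UserGroupInformation.getCurrentUser().getUserName()
                    + " login=" + UserGroupInformation.getLoginUser().getUserName());
            FileSystem fs = FileSystem.get(conf); // cached per UGI, so not closed here
            return fs.listStatus(dir);
        });
    }

    public static void main(String[] args) throws Exception {
        Configuration conf = new Configuration(); // reads core-site.xml / hdfs-site.xml
        conf.set("hadoop.security.authentication", "kerberos");
        UserGroupInformation.setConfiguration(conf);

        // Returns a UGI without replacing the process-wide login user.
        UserGroupInformation ugi =
                UserGroupInformation.loginUserFromKeytabAndReturnUGI(PRINCIPAL, KEYTAB);

        for (FileStatus st : listAs(ugi, conf, new Path(DIR))) {
            System.out.println(st.getPath());
        }
    }
}
```

The printed `current=` and `login=` names differ in this setup, which is the mismatch the comment points at: a relogin performed on the login user does not renew the ticket held by the UGI the call runs as.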
