DeleteHDFS processors should use UGI.doAs when invoking HDFS operations

ASF GitHub Bot (JIRA) Sat, 23 Dec 2017 13:22:31 -0800

    [ 
https://issues.apache.org/jira/browse/NIFI-4323?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16302588#comment-16302588
 ]


ASF GitHub Bot commented on NIFI-4323:
--------------------------------------

Github user joewitt commented on the issue:

    https://github.com/apache/nifi/pull/2360
  
    I think the primary observed scenario was that when using 
{code}UserGroupInformation.loginUserFromKeytabAndReturnUGI(){code} the UGI 
static member 'loginUser' was not being set.  The 'user' object's 'login' was 
being set in the created UGI instance (non static).  As a result explicit 
logins were working but implicit (hadoop initiated ones) appeared not be.  We 
could get the lockup in that case to happen within 30 mins or so.  Once we 
switched to using the loginFromKeytab/getCurrentUser the static member variable 
of UGI was set and the flow would work for hours then again lockup.  Now, keep 
in mind here we had created a thread that ran every 60 seconds to do an 
explicit relogin and the hadoop client which would automatically do it when 
necessary. In tracing through that scenario what it appears was happening is a 
race condition on the 'subject' object whereby we'd do a relogin which clears 
out the subject (as a logout is called) and in that time we likely conducted a 
hadoop operation which triggered hadoop subject login but the context was wiped 
and so it ended up in the promptForName.  That is the working theory.
    
    The results so far are very promising.
    
    One should be able to pretty easily replicate what NiFi is/was doing 
outside of NiFi in so far as interaction with HDFS.


> Get/List/DeleteHDFS processors should use UGI.doAs when invoking HDFS 
> operations
> --------------------------------------------------------------------------------
>
>                 Key: NIFI-4323
>                 URL: https://issues.apache.org/jira/browse/NIFI-4323
>             Project: Apache NiFi
>          Issue Type: Improvement
>          Components: Extensions
>    Affects Versions: 1.3.0
>            Reporter: Jeff Storck
>            Assignee: Jeff Storck
>
> While the Get/List/DeleteHDFS processors are working without wrapping HDFS 
> operations in UGI.doAs calls, for best practice, those operations should be 
> performed as PrivilegedExceptionActions supplied to the UGI.doAs method.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

[jira] [Commented] (NIFI-4323) Get/List/DeleteHDFS processors should use UGI.doAs when invoking HDFS operations

Reply via email to