[ https://issues.apache.org/jira/browse/NIFI-4323?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16308488#comment-16308488 ]

ASF GitHub Bot commented on NIFI-4323:
--------------------------------------

Github user jomach commented on the issue:

    https://github.com/apache/nifi/pull/2360
  
    So the fix is removing the NiFi thread that renews the Kerberos token?
    From what I have noticed so far using the UserGroupInformation class, if I
    call the method loginUserFromKeytab it will be set for the complete JVM, not
    allowing scenarios where NiFi needs to connect to two different Hadoop
    clusters with Kerberos. If we use loginUserFromKeytabAndReturnUGI it will be
    contained in that returned object. I looked at the code very quickly and it
    seems that we removed the thread that takes care of renewing the token.
    Could we leverage something like
    UserGroupInformation.checkTGTAndReloginFromKeytab, or we could trigger
    UserGroupInformation.spawnAutoRenewalThreadForUserCreds using
    UserGroupInformation.loginUserFromSubject.


> Get/List/DeleteHDFS processors should use UGI.doAs when invoking HDFS 
> operations
> --------------------------------------------------------------------------------
>
>                 Key: NIFI-4323
>                 URL: https://issues.apache.org/jira/browse/NIFI-4323
>             Project: Apache NiFi
>          Issue Type: Improvement
>          Components: Extensions
>    Affects Versions: 1.3.0
>            Reporter: Jeff Storck
>            Assignee: Jeff Storck
>
> While the Get/List/DeleteHDFS processors are working without wrapping HDFS 
> operations in UGI.doAs calls, for best practice, those operations should be 
> performed as PrivilegedExceptionActions supplied to the UGI.doAs method.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
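
Added example, not part of the original message or of the NiFi patch: a sketch of the pattern discussed above, with one keytab login per cluster held in its own UGI object, a relogin check before each call, and the HDFS operation wrapped in UGI.doAs. It assumes hadoop-client is on the classpath; the class name, principals, keytab paths and config paths are placeholders.

```java
import java.io.IOException;
import java.security.PrivilegedExceptionAction;

import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.fs.FileStatus;
import org.apache.hadoop.fs.FileSystem;
import org.apache.hadoop.fs.Path;
import org.apache.hadoop.security.UserGroupInformation;

public class PerClusterKerberosListing {

    /** Keytab login that returns a UGI instead of replacing the JVM-wide login user. */
    static UserGroupInformation login(Configuration conf, String principal, String keytab)
            throws IOException {
        // setConfiguration is static (JVM-wide), so every cluster config passed
        // here must agree on hadoop.security.authentication=kerberos.
        UserGroupInformation.setConfiguration(conf);
        return UserGroupInformation.loginUserFromKeytabAndReturnUGI(principal, keytab);
    }

    /** Lists a directory as the given UGI. */
    static FileStatus[] list(UserGroupInformation ugi, Configuration conf, String dir)
            throws IOException, InterruptedException {
        // Instance method: re-login from the keytab if the TGT is expired or close to expiry.
        ugi.checkTGTAndReloginFromKeytab();
        // The FileSystem is obtained inside doAs so the RPC uses this UGI's credentials.
        return ugi.doAs((PrivilegedExceptionAction<FileStatus[]>) () -> {
            FileSystem fs = FileSystem.get(conf);
            return fs.listStatus(new Path(dir));
        });
    }

    /** Builds a cluster config from a core-site.xml path (placeholder paths below). */
    static Configuration clusterConf(String coreSite) {
        Configuration conf = new Configuration();
        conf.addResource(new Path(coreSite));
        conf.set("hadoop.security.authentication", "kerberos");
        return conf;
    }

    public static void main(String[] args) throws Exception {
        Configuration confA = clusterConf("/path/to/clusterA/core-site.xml");
        Configuration confB = clusterConf("/path/to/clusterB/core-site.xml");
        // Two independent identities in one JVM; neither becomes the static login user.
        UserGroupInformation ugiA = login(confA, "nifi@REALM-A.EXAMPLE", "/path/to/a.keytab");
        UserGroupInformation ugiB = login(confB, "nifi@REALM-B.EXAMPLE", "/path/to/b.keytab");
        System.out.println(list(ugiA, confA, "/").length + " entries on cluster A");
        System.out.println(list(ugiB, confB, "/").length + " entries on cluster B");
    }
}
```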