Github user jtstorck commented on the issue:

    https://github.com/apache/nifi/pull/2360
  
    @jomach Yes, this PR will remove the explicit relogin attempts from 
Hadoop/HBase/Hive components.  This will allow the Hadoop libraries we use to 
handle relogin implicitly, since NiFi's explicit relogin attempts were creating 
race conditions in UGI and underlying classes, and not all of the code NiFi 
depends on or uses is thread-safe.  We lessen this issue by using NiFi's 
instance-based classloading, which brings me to the next point.
    
    Regarding UGI.loginUserFromKeytab, NiFi employs classloader isolation on a 
per-component basis.  This means that each instance of a PutHDFS processor (for 
example) has its own classloader by which the Hadoop libraries are loaded.  
Since the UGI instance maintains the state of the login configuration, 
authenticated Subject, etc., due to the classloader isolation, that state will 
be separate from instantiations of UGI in other components.  Loosely speaking, 
they are considered different types since they were loaded by different 
classloaders, and their state will not be shared.  This allows NiFi to use 
UGI.loginUserFromKeytab, and the instances of components that use UGI can be 
considered "daemon processes".
    
    UGI.spawnAutoRenewalThreadForUserCreds is only started (implicitly by the 
UGI class itself) if the login was done from the ticket cache, and NiFi 
explicitly wants to use the keytab during authentication, not the ticket cache.  
NiFi uses keytabs so that it can function in a multi-tenant environment.  With 
kinit, only one principal would be able to be authenticated since it's done via 
an OS user, and we'd like to avoid that.


---
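The classloader isolation described in the comment above can be reproduced in a few lines. This is an added example, not code from NiFi, Hadoop or the commenter: `LoginState` is a hypothetical stand-in for a class that keeps login state in static fields, and `IsolatingLoader` is a hypothetical loader that defines that one class itself instead of delegating to its parent. Each loader ends up with its own copy of the static state, so the two principals do not overwrite each other and the application loader's copy stays unset.

```java
import java.io.IOException;
import java.io.InputStream;

// Constructed demo; compile with javac first so the .class files exist on the classpath.
public class IsolationDemo {
    // Hypothetical stand-in for a class holding login state in statics (not Hadoop's UGI).
    public static class LoginState {
        private static String principal;
        public static void login(String p) { principal = p; }
        public static String current() { return principal; }
    }

    // Defines LoginState itself rather than delegating, so every loader owns a separate copy.
    static class IsolatingLoader extends ClassLoader {
        private static final String ISOLATED = LoginState.class.getName();
        IsolatingLoader(ClassLoader parent) { super(parent); }

        @Override
        protected Class<?> loadClass(String name, boolean resolve) throws ClassNotFoundException {
            if (!name.equals(ISOLATED)) return super.loadClass(name, resolve);
            synchronized (getClassLoadingLock(name)) {
                Class<?> c = findLoadedClass(name);
                if (c == null) {
                    String path = name.replace('.', '/') + ".class";
                    try (InputStream in = getParent().getResourceAsStream(path)) {
                        if (in == null) throw new ClassNotFoundException(name);
                        byte[] b = in.readAllBytes();
                        c = defineClass(name, b, 0, b.length);
                    } catch (IOException e) {
                        throw new ClassNotFoundException(name, e);
                    }
                }
                if (resolve) resolveClass(c);
                return c;
            }
        }
    }

    public static void main(String[] args) throws Exception {
        ClassLoader app = IsolationDemo.class.getClassLoader();
        Class<?> a = new IsolatingLoader(app).loadClass(LoginState.class.getName());
        Class<?> b = new IsolatingLoader(app).loadClass(LoginState.class.getName());
        // Sample principals are constructed values.
        a.getMethod("login", String.class).invoke(null, "tenantA@EXAMPLE.COM");
        b.getMethod("login", String.class).invoke(null, "tenantB@EXAMPLE.COM");
        System.out.println("loader A:   " + a.getMethod("current").invoke(null));
        System.out.println("loader B:   " + b.getMethod("current").invoke(null));
        System.out.println("app loader: " + LoginState.current());
        System.out.println("same class? " + (a == b));
    }
}
```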
