[
https://issues.apache.org/jira/browse/NIFI-4323?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16309092#comment-16309092
]
ASF GitHub Bot commented on NIFI-4323:
--------------------------------------
Github user joewitt commented on the issue:
https://github.com/apache/nifi/pull/2360
Yeah the docs suggest it will be true by default but in the environment(s)
we were running against it was consistently being set to false which opened us
up to this risk. By explicitly setting it to true for NiFi we're correctly
asserting that under no circumstance should the NiFi app ever be asked to go
grab user supplied input for Kerberos logins.
> Get/List/DeleteHDFS processors should use UGI.doAs when invoking HDFS
> operations
> --------------------------------------------------------------------------------
>
> Key: NIFI-4323
> URL: https://issues.apache.org/jira/browse/NIFI-4323
> Project: Apache NiFi
> Issue Type: Improvement
> Components: Extensions
> Affects Versions: 1.3.0
> Reporter: Jeff Storck
> Assignee: Jeff Storck
>
> While the Get/List/DeleteHDFS processors are working without wrapping HDFS
> operations in UGI.doAs calls, for best practice, those operations should be
> performed as PrivilegedExceptionActions supplied to the UGI.doAs method.
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
