Github user jtstorck commented on a diff in the pull request:
https://github.com/apache/nifi/pull/1581#discussion_r159487174
--- Diff:
nifi-nar-bundles/nifi-hadoop-bundle/nifi-hdfs-processors/src/main/java/org/apache/nifi/processors/hadoop/AbstractHadoopProcessor.java
---
@@ -295,7 +320,11 @@ HdfsResources resetHDFSResources(String
configResources, ProcessContext context)
} else {
config.set("ipc.client.fallback-to-simple-auth-allowed",
"true");
config.set("hadoop.security.authentication", "simple");
- ugi = SecurityUtil.loginSimple(config);
+ if (context.getProperty(REMOTE_USER).isSet()) {
+ ugi =
UserGroupInformation.createRemoteUser(context.getProperty(REMOTE_USER).evaluateAttributeExpressions().getValue());
--- End diff --
We're trying to consolidate UGI creation to SecurityUtil. Could you move
this to a method in SecurityUtil? Also, the JIRA for this change references
impersonation, which is different than setting a remote user. Using
UGI.createRemoteUser isn't doing an actual impersonation from what I see in the
UGI code. UGI.createProxyUser will create a UGI that uses the given UGI to
impersonate the given principal. Please take a look at this [code example in
the hadoop
documentation](https://hadoop.apache.org/docs/stable/hadoop-project-dist/hadoop-common/Superusers.html).
---
