[
https://issues.apache.org/jira/browse/NIFI-3534?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16309994#comment-16309994
]
ASF GitHub Bot commented on NIFI-3534:
--------------------------------------
Github user jtstorck commented on a diff in the pull request:
https://github.com/apache/nifi/pull/1581#discussion_r159487174
--- Diff:
nifi-nar-bundles/nifi-hadoop-bundle/nifi-hdfs-processors/src/main/java/org/apache/nifi/processors/hadoop/AbstractHadoopProcessor.java
---
@@ -295,7 +320,11 @@ HdfsResources resetHDFSResources(String
configResources, ProcessContext context)
} else {
config.set("ipc.client.fallback-to-simple-auth-allowed",
"true");
config.set("hadoop.security.authentication", "simple");
- ugi = SecurityUtil.loginSimple(config);
+ if (context.getProperty(REMOTE_USER).isSet()) {
+ ugi =
UserGroupInformation.createRemoteUser(context.getProperty(REMOTE_USER).evaluateAttributeExpressions().getValue());
--- End diff --
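Review bot: The added `if` branch passes `context.getProperty(REMOTE_USER).evaluateAttributeExpressions().getValue()` straight into `UserGroupInformation.createRemoteUser` with no check on the evaluated value. `isSet()` only shows that the property is configured, so an expression that evaluates to an empty string still reaches `createRemoteUser`, which rejects a null or empty user with an IllegalArgumentException. Suggest evaluating the property once into a local variable, checking that it is non-blank, and failing with a clear message otherwise. Because this branch sets `hadoop.security.authentication` to `simple`, the name is asserted rather than authenticated, and the property description should say so.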
We're trying to consolidate UGI creation to SecurityUtil. Could you move
this to a method in SecurityUtil? Also, the JIRA for this change references
impersonation, which is different than setting a remote user. Using
UGI.createRemoteUser isn't doing an actual impersonation from what I see in the
UGI code. UGI.createProxyUser will create a UGI that uses the given UGI to
impersonate the given principal. Please take a look at this [code example in the Hadoop documentation](https://hadoop.apache.org/docs/stable/hadoop-project-dist/hadoop-common/Superusers.html).
> Add support for impersonating a user with HDFS processors
> ----------------------------------------------------------
>
> Key: NIFI-3534
> URL: https://issues.apache.org/jira/browse/NIFI-3534
> Project: Apache NiFi
> Issue Type: Bug
> Reporter: Andrew Psaltis
> Assignee: Andrew Psaltis
>
> When using the HDFS processors, specifically PutHDFS, there are times when a
> user wants to impersonate a user so that the files written to HDFS are done
> as the remote user. In cases where Kerberos is not used, this is not
> possible. Currently there is the ability for NiFi to change the permissions
> using the Remote Owner and Remote Group, however, this only works if NiFi is
> running as a user that has HDFS super user privilege. By providing the
> ability to set a Remote User, NiFi can then impersonate the user and the
> permission checks will be done in Hadoop land.
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
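The distinction the review comment draws between `UGI.createRemoteUser` and `UGI.createProxyUser`, as an added Java example that is not part of the original message or of NiFi's code. The class name, helper names, the user "joe" and the path are assumptions, and running it needs the Hadoop client libraries and a reachable cluster configuration.

```java
import java.io.IOException;
import java.security.PrivilegedExceptionAction;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.fs.FileSystem;
import org.apache.hadoop.fs.Path;
import org.apache.hadoop.security.UserGroupInformation;

// Added illustration; class and method names are hypothetical, not NiFi code.
public final class UgiIdentityExample {

    // Simple auth only: the returned UGI just carries the asserted name.
    static UserGroupInformation remoteUser(String name) {
        requireName(name);
        return UserGroupInformation.createRemoteUser(name);
    }

    // Impersonation: the login (real) user acts on behalf of 'name'. The cluster
    // authorizes this against its hadoop.proxyuser.<realUser>.hosts/groups settings.
    static UserGroupInformation proxyUser(String name) throws IOException {
        requireName(name);
        return UserGroupInformation.createProxyUser(name, UserGroupInformation.getLoginUser());
    }

    // Reject null or blank names before they reach UserGroupInformation.
    private static void requireName(String name) {
        if (name == null || name.trim().isEmpty()) {
            throw new IllegalArgumentException("user name must be set");
        }
    }

    // Creates an empty file as the given UGI so HDFS permission checks apply to it.
    static void touch(UserGroupInformation ugi, Configuration conf, Path path)
            throws IOException, InterruptedException {
        ugi.doAs((PrivilegedExceptionAction<Void>) () -> {
            FileSystem.get(conf).create(path).close(); // resolved as ugi's user inside doAs
            return null;
        });
    }

    public static void main(String[] args) throws Exception {
        Configuration conf = new Configuration();
        // "joe" and the path are constructed sample values.
        UserGroupInformation proxy = proxyUser("joe");
        System.out.println(proxy.getUserName() + " via " + proxy.getRealUser().getUserName());
        touch(proxy, conf, new Path("/tmp/ugi-example"));
    }
}
```

For a UGI from `remoteUser`, `getRealUser()` returns null, which is a quick way to tell the two kinds of identity apart in logs or tests.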