[
https://issues.apache.org/jira/browse/NIFI-4741?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Koji Kawamura updated NIFI-4741:
--------------------------------
Status: Patch Available (was: In Progress)
> ReportLineageToAtlas stops working after expiration of DelegationToken
> ----------------------------------------------------------------------
>
> Key: NIFI-4741
> URL: https://issues.apache.org/jira/browse/NIFI-4741
> Project: Apache NiFi
> Issue Type: Bug
> Components: Extensions
> Reporter: Koji Kawamura
> Assignee: Koji Kawamura
>
> While I was testing whether the NiFi Atlas integration implementation
> regarding Kerberos authentication has to be updated based on the findings
> with NIFI-4323, I encountered a different type of issue with the Atlas REST
> API and Kerberos authentication.
> If my understanding is correct, Atlas REST API Kerberos authentication works
> as follows:
> # Atlas Client application logs in locally by using the specified user
> principal and its keytab (or this can be done with a ticket cache).
> # Atlas Client sends an HTTP request with a DelegationToken. At the 1st
> request, this token is null.
> # Atlas Server receives an HTTP request; if the token is not set, it will
> respond with 401 and ask the client to negotiate.
> # Atlas Client serializes the current UserGroupInformation credential in
> base64 encoding, then sends it to Atlas Server.
> # Atlas Server verifies the base64 representation of the user credential; if
> it's valid, it publishes a DelegationToken and returns it as a set cookie.
> # Atlas Client uses the returned DelegationToken with subsequent requests.
> At point 5 above, the newly created DelegationToken has a 10h expiration by
> default. DelegationToken expiration is different from the Kerberos login
> lifetime. So a use case using the Atlas client with Kerberos has to handle
> two expiration cases.
> Currently, it seems the Atlas client does not handle DelegationToken
> expiration automatically. After the DelegationToken validity period has
> passed, Atlas server returns a [401 Unauthorized
> response|https://github.com/apache/atlas/blob/master/webapp/src/main/java/org/apache/atlas/web/filters/AtlasAuthenticationFilter.java#L606],
> and the Atlas client used by the NiFi reporting task keeps showing the
> following error:
> {code}
> Metadata service API org.apache.atlas.AtlasBaseClient$APIInfo@6604f000 failed
> with status 401 (Unauthorized) Response Body (<html>
> <head>
> <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"/>
> <title>Error 401 AuthenticationToken expired</title>
> </head>
> <body><h2>HTTP ERROR 401</h2>
> <p>Problem accessing /api/atlas/v2/entity/uniqueAttribute/type/nifi_flow.
> Reason:
> <pre> AuthenticationToken expired</pre></p><hr /><i><small>Powered by
> Jetty://</small></i><br/>
> <br/>
> {code}
> The NiFi ReportLineageToAtlas reporting task should handle the
> DelegationToken expiration situation correctly. It also needs to renew the
> Kerberos ticket.
> A simple solution to address both expirations is initializing an
> AtlasClientV2 instance at every onTrigger execution. The current
> implementation keeps using the same AtlasClientV2 instance.
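The two expirations in the issue above, as an added Python model that is not part of the original message and is not Atlas or NiFi code. `Server`, `Client`, `run`, the 24h ticket lifetime, the trigger times and the "renegotiate" mode are assumptions made for illustration; only the 10h token lifetime and the six-step exchange come from the issue.

```python
# Constructed model of the exchange described in the issue; not Atlas or NiFi code.
TOKEN_TTL = 10 * 3600    # DelegationToken lifetime: 10h default, per the issue
TICKET_TTL = 24 * 3600   # Kerberos login lifetime: assumed value for this model

class Server:
    """Stands in for Atlas Server: issues and checks expiring tokens."""
    def __init__(self):
        self.expiry = {}                      # token -> expiry time (seconds)

    def request(self, now, token=None, ticket_expiry=None):
        """Return (status, token); ticket_expiry is sent only when negotiating."""
        if token is not None:
            return (200, token) if now < self.expiry.get(token, 0) else (401, None)
        if ticket_expiry is None or now >= ticket_expiry:
            return 401, None                  # no token, or login has expired
        new = f"dt-{len(self.expiry)}"
        self.expiry[new] = now + TOKEN_TTL
        return 200, new                       # step 5: token returned as a cookie

class Client:
    """Stands in for a client instance: one login at construction time."""
    def __init__(self, server, now, renegotiate=False):
        self.server, self.renegotiate = server, renegotiate
        self.ticket_expiry = now + TICKET_TTL  # step 1: local keytab login
        self.token = None

    def call(self, now):
        status, _ = self.server.request(now, self.token)          # steps 2-3
        if status == 401 and (self.token is None or self.renegotiate):
            status, self.token = self.server.request(             # steps 4-5
                now, ticket_expiry=self.ticket_expiry)
        return status            # otherwise an expired token's 401 is surfaced

def run(triggers, mode):
    """Statuses per trigger for mode 'reuse', 'renegotiate' or 'fresh'."""
    server = Server()
    client = Client(server, triggers[0], renegotiate=(mode == "renegotiate"))
    statuses = []
    for now in triggers:
        if mode == "fresh":      # the fix proposed in the issue: new client per trigger
            client = Client(server, now)
        statuses.append(client.call(now))
    return statuses

TRIGGERS = [h * 3600 for h in (0, 5, 11, 30)]   # constructed trigger times

if __name__ == "__main__":
    for mode in ("reuse", "renegotiate", "fresh"):
        print(mode, run(TRIGGERS, mode))
```

In this model the reused client fails from the 11h trigger onward, a client that only renegotiates fails once its original login has expired, and a fresh client per trigger succeeds every time.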