[jira] [Commented] (NIFI-5714) Hive[3]ConnectionPool - Kerberos Authentication issue/misleading

Thu, 18 Oct 2018 06:32:07 -0700 


    [ 
https://issues.apache.org/jira/browse/NIFI-5714?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16655231#comment-16655231
 ] 

ASF GitHub Bot commented on NIFI-5714:
--------------------------------------

Github user mattyb149 commented on the issue:

    https://github.com/apache/nifi/pull/3086
  
    The krb5.conf from the TestRangerNiFiAuthorizer looks like this:
    
    ```
    [libdefaults]
             default_realm = EXAMPLE.COM
             dns_lookup_kdc = false
             dns_lookup_realm = false
    
    [realms]
             EXAMPLE.COM = {
                 kdc = kerberos.example.com
                 admin_server = kerberos.example.com
             }
    ```
    
    And doesn't have the setting of the `java.security.krb5.realm` or 
`java.security.krb5.kdc` (I assume because they are unnecessary based on the 
dns_lookup_* properties?). Might be worth a try...


> Hive[3]ConnectionPool - Kerberos Authentication issue/misleading
> ----------------------------------------------------------------
>
>                 Key: NIFI-5714
>                 URL: https://issues.apache.org/jira/browse/NIFI-5714
>             Project: Apache NiFi
>          Issue Type: Bug
>          Components: Extensions
>    Affects Versions: 1.1.0, 1.2.0, 1.1.1, 1.0.1, 1.3.0, 1.4.0, 1.5.0, 1.6.0, 
> 1.7.0, 1.7.1
>            Reporter: Pierre Villard
>            Assignee: Pierre Villard
>            Priority: Major
>
> In {{HiveConnectionPool}} and {{Hive3ConnectionPool}}, in the {{@OnEnabled}} 
> method, we have:
> {code:java}
> log.info("Hive Security Enabled, logging in as principal {} with keytab {}", 
> new Object[] {resolvedPrincipal, resolvedKeytab});
> try {
>     ugi = hiveConfigurator.authenticate(hiveConfig, resolvedPrincipal, 
> resolvedKeytab);
> } catch (AuthenticationFailedException ae) {
>     log.error(ae.getMessage(), ae);
> }
> getLogger().info("Successfully logged in as principal {} with keytab {}", new 
> Object[] {resolvedPrincipal, resolvedKeytab});{code}
> Which causes two issues:
>  * we're logging the successful message even though the authentication failed
>  * the Hive connection is created using the NiFi user identity (this would 
> need to be confirmed but that's what I observed during a test - it could be 
> due to the environment though)
> In my opinion, an {{InitializationException}} should be thrown so that the 
> controller service is not enabled.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

Reply via email to