bbende commented on a change in pull request #4095: NIFI-7018: Initial commit
of processors extending AbstractHadoopProce…
URL: https://github.com/apache/nifi/pull/4095#discussion_r385260904
##########
File path:
nifi-nar-bundles/nifi-extension-utils/nifi-hadoop-utils/src/main/java/org/apache/nifi/hadoop/SecurityUtil.java
##########
@@ -69,6 +79,37 @@ public static synchronized UserGroupInformation
loginKerberos(final Configuratio
return UserGroupInformation.getCurrentUser();
}
+ public static synchronized UserGroupInformation
loginKerberosWithPassword(final Configuration config, final String principal,
final String password) throws IOException {
+ Validate.notNull(config);
+ Validate.notNull(principal);
+ Validate.notNull(password);
+
+ KerberosPasswordUser kerberosPasswordUser = new
KerberosPasswordUser(principal, password);
+ return getUgiForKerberosUser(config, kerberosPasswordUser);
+ }
+
+ public static synchronized UserGroupInformation
getUgiForKerberosUser(final Configuration config, final KerberosUser
kerberosUser) throws IOException {
+ UserGroupInformation.setConfiguration(config);
+ try {
+ if (kerberosUser.isLoggedIn()) {
+ kerberosUser.checkTGTAndRelogin();
+ } else {
+ kerberosUser.login();
+ }
+ return
kerberosUser.doAs((PrivilegedExceptionAction<UserGroupInformation>) () -> {
+ AccessControlContext context = AccessController.getContext();
+ Subject subject = Subject.getSubject(context);
+ Validate.notEmpty(
+
subject.getPrincipals(KerberosPrincipal.class).stream().filter(p ->
p.getName().startsWith(kerberosUser.getPrincipal())).collect(Collectors.toSet()),
+ "No Subject was found matching the given principal");
+ return UserGroupInformation.getUGIFromSubject(subject);
+ });
+ } catch (PrivilegedActionException | LoginException e) {
+ throw new IOException("Unable to acquire UGI for KerberosUser: " +
e.getLocalizedMessage(),
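Review bot: The principal check inside the `doAs` lambda of `getUgiForKerberosUser` uses `p.getName().startsWith(kerberosUser.getPrincipal())`, which is a prefix match rather than an identity match. With constructed names, a configured principal `nifi` would also accept a Subject whose only Kerberos principal is `nifi-admin@EXAMPLE.COM`. If the prefix form is presumably there only to tolerate a principal configured without its realm, bind it to the realm separator instead, for example `p.getName().equals(name) || p.getName().startsWith(name + "@")` with `name` set to `kerberosUser.getPrincipal()`. The Subject appears to come from the same user's login, so exposure may be limited, but the validation message claims a match the check does not establish. The `catch` block and the end of the method lie outside the quoted hunk.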
Review comment:
In the case of PrivilegedActionException, the message is always null because
you are expected to call getException() or getCause() first and take the
message from that, so you may want to do that first here, depending on which
type of exception was caught.