[GitHub] [nifi] jtstorck commented on a change in pull request #4095: NIFI-7018: Initial commit of processors extending AbstractHadoopProce…

Thu, 27 Feb 2020 13:35:24 -0800 

jtstorck commented on a change in pull request #4095: NIFI-7018: Initial commit 
of processors extending AbstractHadoopProce…
URL: https://github.com/apache/nifi/pull/4095#discussion_r385384759
 
 

 ##########
 File path: 
nifi-nar-bundles/nifi-extension-utils/nifi-hadoop-utils/src/main/java/org/apache/nifi/hadoop/SecurityUtil.java
 ##########
 @@ -69,6 +79,37 @@ public static synchronized UserGroupInformation 
loginKerberos(final Configuratio
         return UserGroupInformation.getCurrentUser();
     }
 
+    public static synchronized UserGroupInformation 
loginKerberosWithPassword(final Configuration config, final String principal, 
final String password) throws IOException {
+        Validate.notNull(config);
+        Validate.notNull(principal);
+        Validate.notNull(password);
+
+        KerberosPasswordUser kerberosPasswordUser = new 
KerberosPasswordUser(principal, password);
+        return getUgiForKerberosUser(config, kerberosPasswordUser);
+    }
+
+    public static synchronized UserGroupInformation 
getUgiForKerberosUser(final Configuration config, final KerberosUser 
kerberosUser) throws IOException {
+        UserGroupInformation.setConfiguration(config);
+        try {
+            if (kerberosUser.isLoggedIn()) {
+                kerberosUser.checkTGTAndRelogin();
+            } else {
+                kerberosUser.login();
+            }
+            return 
kerberosUser.doAs((PrivilegedExceptionAction<UserGroupInformation>) () -> {
+                AccessControlContext context = AccessController.getContext();
+                Subject subject = Subject.getSubject(context);
+                Validate.notEmpty(
+                        
subject.getPrincipals(KerberosPrincipal.class).stream().filter(p -> 
p.getName().startsWith(kerberosUser.getPrincipal())).collect(Collectors.toSet()),
+                        "No Subject was found matching the given principal");
+                return UserGroupInformation.getUGIFromSubject(subject);
+            });
+        } catch (PrivilegedActionException | LoginException e) {
+            throw new IOException("Unable to acquire UGI for KerberosUser: " + 
e.getLocalizedMessage(),
 
 Review comment:
   Updated the code to use the message from the wrapped exception, and split 
the unified catch into two distinct catch clauses.

----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
[email protected]


With regards,
Apache Git Services

Reply via email to