NIFI-5134 Explicitly requesting UGI to relogin before attempting to get a DB connection in HiveConnectionPool
Signed-off-by: Matthew Burgess <mattyb...@apache.org> This closes #2667 Project: http://git-wip-us.apache.org/repos/asf/nifi/repo Commit: http://git-wip-us.apache.org/repos/asf/nifi/commit/aa4384b5 Tree: http://git-wip-us.apache.org/repos/asf/nifi/tree/aa4384b5 Diff: http://git-wip-us.apache.org/repos/asf/nifi/diff/aa4384b5 Branch: refs/heads/HDF-3.1-maint Commit: aa4384b5e3632b60e00e1556d3528260a12710c0 Parents: da94eac Author: Jeff Storck <jtsw...@gmail.com> Authored: Mon Apr 30 10:39:12 2018 -0400 Committer: Matt Gilman <matt.c.gil...@gmail.com> Committed: Thu May 10 11:46:23 2018 -0400 ---------------------------------------------------------------------- .../apache/nifi/dbcp/hive/HiveConnectionPool.java | 15 +++++++++++++-- 1 file changed, 13 insertions(+), 2 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/nifi/blob/aa4384b5/nifi-nar-bundles/nifi-hive-bundle/nifi-hive-processors/src/main/java/org/apache/nifi/dbcp/hive/HiveConnectionPool.java ---------------------------------------------------------------------- diff --git a/nifi-nar-bundles/nifi-hive-bundle/nifi-hive-processors/src/main/java/org/apache/nifi/dbcp/hive/HiveConnectionPool.java b/nifi-nar-bundles/nifi-hive-bundle/nifi-hive-processors/src/main/java/org/apache/nifi/dbcp/hive/HiveConnectionPool.java index 211494e..684f41a 100644 --- a/nifi-nar-bundles/nifi-hive-bundle/nifi-hive-processors/src/main/java/org/apache/nifi/dbcp/hive/HiveConnectionPool.java +++ b/nifi-nar-bundles/nifi-hive-bundle/nifi-hive-processors/src/main/java/org/apache/nifi/dbcp/hive/HiveConnectionPool.java @@ -208,8 +208,10 @@ public class HiveConnectionPool extends AbstractControllerService implements Hiv * As of Apache NiFi 1.5.0, due to changes made to * {@link SecurityUtil#loginKerberos(Configuration, String, String)}, which is used by this class invoking * {@link HiveConfigurator#authenticate(Configuration, String, String)} - * to authenticate a principal with Kerberos, Hive controller services no longer - * attempt relogins explicitly. For more information, please read the documentation for + * to authenticate a principal with Kerberos, Hive controller services no longer use a separate thread to + * relogin, and instead call {@link UserGroupInformation#checkTGTAndReloginFromKeytab()} from + * {@link HiveConnectionPool#getConnection()}. The relogin request is performed in a synchronized block to prevent + * threads from requesting concurrent relogins. For more information, please read the documentation for * {@link SecurityUtil#loginKerberos(Configuration, String, String)}. * <p/> * In previous versions of NiFi, a {@link org.apache.nifi.hadoop.KerberosTicketRenewer} was started by @@ -297,6 +299,15 @@ public class HiveConnectionPool extends AbstractControllerService implements Hiv public Connection getConnection() throws ProcessException { try { if (ugi != null) { + synchronized(this) { + /* + * Make sure that only one thread can request that the UGI relogin at a time. This + * explicit relogin attempt is necessary due to the Hive client/thrift not implicitly handling + * the acquisition of a new TGT after the current one has expired. + * https://issues.apache.org/jira/browse/NIFI-5134 + */ + ugi.checkTGTAndReloginFromKeytab(); + } try { return ugi.doAs((PrivilegedExceptionAction<Connection>) () -> dataSource.getConnection()); } catch (UndeclaredThrowableException e) {