Jeff Storck created NIFI-3520:
---------------------------------

             Summary: HDFS processors experiencing Kerberos "impersonate" errors
                 Key: NIFI-3520
                 URL: https://issues.apache.org/jira/browse/NIFI-3520
             Project: Apache NiFi
          Issue Type: Bug
    Affects Versions: 1.0.1, 1.1.1, 1.1.0, 1.0.0
            Reporter: Jeff Storck
            Assignee: Jeff Storck


When multiple Kerberos principals are used between multiple HDFS processors, 
the processor instances will be able to log in to Kerberos with their configured 
principals initially, but will not properly relogin.

For example, if there are two PutHDFS processors, one configured as 
us...@example.com, and the other as us...@example.com, they will both log in 
with the KDC correctly and be able to transfer files to HDFS.  Once one of the 
PutHDFS processors attempts to relogin, it may end up being logged in as the 
principal from the other PutHDFS processor.  The principal contexts end up 
getting switched, and the Hadoop client used by the processor will attempt to 
proxy requests from one user through another, resulting in the following 
exception:
{panel}Failed to write to HDFS due to org.apache.hadoop.ipc.RemoteException(org.apache.hadoop.security.authorize.AuthorizationException): User: us...@example.com is not allowed to impersonate us...@example.com{panel}



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
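
An added example, not part of the original report or of NiFi: a log triage check for the exception quoted above. It separates failures where both identities are principals that HDFS processors on the same instance are configured with (the swap described in this issue) from other impersonation denials. The principals, processor ids and log lines are constructed sample data, and the function name is hypothetical.

```python
import re

# Message text of the AuthorizationException quoted in the report.
IMPERSONATE_RE = re.compile(
    r"AuthorizationException\):\s*User:\s*(?P<real>\S+)"
    r" is not allowed to impersonate (?P<effective>\S+)"
)

def classify_impersonation_errors(log_lines, configured_principals):
    """Return (real, effective, verdict) for each impersonation failure.

    verdict is "principal-swap" when the authenticated user and the user the
    request was made for are two different principals that processors on this
    instance log in as, and "other" for any other impersonation denial.
    """
    known = set(configured_principals)  # Kerberos principals are case-sensitive
    findings = []
    for line in log_lines:
        match = IMPERSONATE_RE.search(line)
        if match is None:
            continue
        real, effective = match.group("real"), match.group("effective")
        swapped = real != effective and {real, effective} <= known
        findings.append((real, effective, "principal-swap" if swapped else "other"))
    return findings

# Constructed sample data: principals assumed to be configured on two
# PutHDFS processors, and log lines carrying the exception text.
CONFIGURED = ["ingest-a@EXAMPLE.COM", "ingest-b@EXAMPLE.COM"]
SAMPLE_LOG = [
    "ERROR PutHDFS[id=constructed-1] Failed to write to HDFS due to "
    "org.apache.hadoop.ipc.RemoteException("
    "org.apache.hadoop.security.authorize.AuthorizationException): "
    "User: ingest-a@EXAMPLE.COM is not allowed to impersonate ingest-b@EXAMPLE.COM",
    "INFO PutHDFS[id=constructed-2] Successfully wrote file to HDFS",
    "ERROR PutHDFS[id=constructed-2] Failed to write to HDFS due to "
    "org.apache.hadoop.ipc.RemoteException("
    "org.apache.hadoop.security.authorize.AuthorizationException): "
    "User: ingest-b@EXAMPLE.COM is not allowed to impersonate etl-admin@EXAMPLE.COM",
]

if __name__ == "__main__":
    for real, effective, verdict in classify_impersonation_errors(SAMPLE_LOG, CONFIGURED):
        print(f"{verdict}: authenticated as {real}, request made for {effective}")
```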
