Jeff Storck created NIFI-3520: --------------------------------- Summary: HDFS processors experiencing Kerberos "impersonate" errors Key: NIFI-3520 URL: https://issues.apache.org/jira/browse/NIFI-3520 Project: Apache NiFi Issue Type: Bug Affects Versions: 1.0.1, 1.1.1, 1.1.0, 1.0.0 Reporter: Jeff Storck Assignee: Jeff Storck
When multiple Kerberos principals are used between multiple HDFS processors, the processor instances will be able to login to Kerberos with their configured principals initially, but will not properly relogin. For example, if there are two PutHDFS processors, one configured as us...@example.com, and the other as us...@example.com, they will both login with the KDC correctly and be able to transfer files to HDFS. Once one of the PutHDFS processors attempts to relogin, it may end up being logged in as the principal from the other PutHDFS processor. The principal contexts end up getting switched, and the hadoop client used by the processor will attempt to proxy requests from one user through another, resulting in the following exception: {panel}Failed to write to HDFS due to org.apache.hadoop.ipc.RemoteException(org.apache.hadoop.security.authorize.AuthorizationException): User: us...@example.com is not allowed to impersonate us...@example.com{panel} -- This message was sent by Atlassian JIRA (v6.3.15#6346)