Hmm, so it seems updating the Hadoop version used by my processor from 2.6.0 to 2.7.3 has fixed the problem. Testing a little more just to make sure...
On 14 July 2017 at 14:48, Georg Heiler <[email protected]> wrote: > We just applied the standard fix to enable the JCE extensions i.e. copied > the files into the right place. I was on vacation last week but it looked > like the fix we had been searching for for a while. We were still conducting > some more testing to see if this actually fixed the problem. > > But without the fix we could observe your described problem on other long > running services like HBase as well. > > James Srinivasan <[email protected]> schrieb am Fr., 14. Juli 2017 > um 15:36 Uhr: >> >> Hi Georg, >> >> I am indeed using open-jdk8 on CentOS 7.3, but I'm not sure why my >> standalone app is ok, whereas the same code in NiFi isn't. How did you >> fix the JCE policies? >> >> I'm guessing it is something to do with the shared >> UserGroupInformation class. Which makes me wonder how (if) it will >> work with multiple processors potentially using different keytabs. Am >> wondering if this applies to me: >> >> >> https://github.com/apache/nifi/blob/rel/nifi-1.3.0/nifi-nar-bundles/nifi-extension-utils/nifi-hadoop-utils/src/main/java/org/apache/nifi/hadoop/KerberosProperties.java#L32 >> >> Thanks, >> >> James >> >> On 14 July 2017 at 14:16, Georg Heiler <[email protected]> wrote: >> > Hi Joe, >> > >> > we recently had a similar problem. For us it turned out that we are >> > using >> > the latest open-jdk8 which no longer is providing the JCE policies >> > required >> > for strong cryptography out of the box on cents 7.3. >> > >> > regards, >> > Georg >> > >> > Joe Witt <[email protected]> schrieb am Fr., 14. Juli 2017 um 15:12 >> > Uhr: >> >> >> >> James, >> >> >> >> I know Jeff Storck has recently been doing some work around >> >> Kerberos/TGT renewal. Hopefully he can share some of his >> >> observations/work back on this thread soon. >> >> >> >> Thanks >> >> >> >> On Fri, Jul 14, 2017 at 8:48 AM, James Srinivasan >> >> <[email protected]> wrote: >> >> > Hi all, >> >> > >> >> > I have a NiFi processor which uses Kerberos keytab authentication to >> >> > write data to Accumulo. I have a separate thread which periodically >> >> > runs in order to try renewing my TGT >> >> > (UserGroupInformation.getCurrentUser.checkTGTAndReloginFromKeytab()). >> >> > >> >> > This code works fine outside NiFi, but inside NiFi while the initial >> >> > login is fine, on subsequent attempts to check the TGT, the >> >> > UserGroupInformation class seems to think it is using ticket cache, >> >> > not keytab authentication (i.e. >> >> > UserGroupInformation.getCurrentUser.isFromKeytab is false). >> >> > >> >> > I notice the Hadoop processors support some Kerberos authentication >> >> > options (I'm not yet using any of those processors, but would like to >> >> > in other flows). Could this be interacting badly with my code? >> >> > >> >> > Thanks very much, >> >> > >> >> > James
