You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@nifi.apache.org by "ASF GitHub Bot (JIRA)" <ji...@apache.org> on 2017/03/01 18:10:45 UTC
[jira] [Commented] (NIFI-3520) HDFS processors experiencing
Kerberos "impersonate" errors
[ https://issues.apache.org/jira/browse/NIFI-3520?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15890707#comment-15890707 ]
ASF GitHub Bot commented on NIFI-3520:
--------------------------------------
Github user olegz commented on a diff in the pull request:
https://github.com/apache/nifi/pull/1539#discussion_r103750596
--- Diff: nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-nar-utils/src/main/java/org/apache/nifi/nar/ExtensionManager.java ---
@@ -199,8 +199,20 @@ public static ClassLoader getClassLoader(final String classType, final String in
// then make a new InstanceClassLoader that is a full copy of the NAR Class Loader, otherwise create an empty
// InstanceClassLoader that has the NAR ClassLoader as a parent
if (requiresInstanceClassLoading.contains(classType) && (registeredClassLoader instanceof URLClassLoader)) {
- final URLClassLoader registeredUrlClassLoader = (URLClassLoader) registeredClassLoader;
- instanceClassLoader = new InstanceClassLoader(instanceIdentifier, classType, registeredUrlClassLoader.getURLs(), registeredUrlClassLoader.getParent());
+ final Set<URL> classLoaderResources = new HashSet<>();
+
+ // if the registered class loader is a NAR class loader then walk the chain of class loaders until
+ // finding a non-NAR class loader, and build up a list of all URLs along the way
+ while (registeredClassLoader != null && registeredClassLoader instanceof NarClassLoader) {
+ final NarClassLoader narClassLoader = (NarClassLoader) registeredClassLoader;
+ for (URL classLoaderResource : narClassLoader.getURLs()) {
+ classLoaderResources.add(classLoaderResource);
+ }
+ registeredClassLoader = narClassLoader.getParent();
+ }
--- End diff --
Perhaps this logic belongs in ```org.apache.nifi.util.file.classloader.ClassLoaderUtils```
> HDFS processors experiencing Kerberos "impersonate" errors
> -----------------------------------------------------------
>
> Key: NIFI-3520
> URL: https://issues.apache.org/jira/browse/NIFI-3520
> Project: Apache NiFi
> Issue Type: Bug
> Affects Versions: 1.0.0, 1.1.0, 1.1.1, 1.0.1
> Reporter: Jeff Storck
> Assignee: Jeff Storck
>
> When multiple Kerberos principals are used between multiple HDFS processors, the processor instances will be able to login to Kerberos with their configured principals initially, but will not properly relogin.
> For example, if there are two PutHDFS processors, one configured as user1@EXAMPLE.COM, and the other as user2@EXAMPLE.COM, they will both login with the KDC correctly and be able to transfer files to HDFS. Once one of the PutHDFS processors attempts to relogin, it may end up being logged in as the principal from the other PutHDFS processor. The principal contexts end up getting switched, and the hadoop client used by the processor will attempt to proxy requests from one user through another, resulting in the following exception:
> {panel}Failed to write to HDFS due to org.apache.hadoop.ipc.RemoteException(org.apache.hadoop.security.authorize.AuthorizationException): User: user1@EXAMPLE.COM is not allowed to impersonate user2@EXAMPLE.COM{panel}
--
This message was sent by Atlassian JIRA
(v6.3.15#6346)