You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@nifi.apache.org by bb...@apache.org on 2019/04/12 19:10:13 UTC
[nifi] branch master updated: NIFI-6210: Applied NIFI-5134 Kerberos
TGT renewal to Hive3ConnectionPool
This is an automated email from the ASF dual-hosted git repository.
bbende pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/nifi.git
The following commit(s) were added to refs/heads/master by this push:
new 9769027 NIFI-6210: Applied NIFI-5134 Kerberos TGT renewal to Hive3ConnectionPool
9769027 is described below
commit 97690275acb666c0598896cf0a96273d65cfae7b
Author: Matthew Burgess <ma...@apache.org>
AuthorDate: Fri Apr 12 14:43:50 2019 -0400
NIFI-6210: Applied NIFI-5134 Kerberos TGT renewal to Hive3ConnectionPool
This closes #3432.
Signed-off-by: Bryan Bende <bb...@apache.org>
---
.../org/apache/nifi/dbcp/hive/Hive3ConnectionPool.java | 15 +++++++++++++--
1 file changed, 13 insertions(+), 2 deletions(-)
diff --git a/nifi-nar-bundles/nifi-hive-bundle/nifi-hive3-processors/src/main/java/org/apache/nifi/dbcp/hive/Hive3ConnectionPool.java b/nifi-nar-bundles/nifi-hive-bundle/nifi-hive3-processors/src/main/java/org/apache/nifi/dbcp/hive/Hive3ConnectionPool.java
index c2042bb..41849bd 100644
--- a/nifi-nar-bundles/nifi-hive-bundle/nifi-hive3-processors/src/main/java/org/apache/nifi/dbcp/hive/Hive3ConnectionPool.java
+++ b/nifi-nar-bundles/nifi-hive-bundle/nifi-hive3-processors/src/main/java/org/apache/nifi/dbcp/hive/Hive3ConnectionPool.java
@@ -251,8 +251,10 @@ public class Hive3ConnectionPool extends AbstractControllerService implements Hi
* As of Apache NiFi 1.5.0, due to changes made to
* {@link SecurityUtil#loginKerberos(Configuration, String, String)}, which is used by this class invoking
* {@link HiveConfigurator#authenticate(Configuration, String, String)}
- * to authenticate a principal with Kerberos, Hive controller services no longer
- * attempt relogins explicitly. For more information, please read the documentation for
+ * to authenticate a principal with Kerberos, Hive controller services no longer use a separate thread to
+ * relogin, and instead call {@link UserGroupInformation#checkTGTAndReloginFromKeytab()} from
+ * {@link Hive3ConnectionPool#getConnection()}. The relogin request is performed in a synchronized block to prevent
+ * threads from requesting concurrent relogins. For more information, please read the documentation for
* {@link SecurityUtil#loginKerberos(Configuration, String, String)}.
* <p/>
* In previous versions of NiFi, a {@link org.apache.nifi.hadoop.KerberosTicketRenewer} was started by
@@ -354,6 +356,15 @@ public class Hive3ConnectionPool extends AbstractControllerService implements Hi
public Connection getConnection() throws ProcessException {
try {
if (ugi != null) {
+ synchronized(this) {
+ /*
+ * Make sure that only one thread can request that the UGI relogin at a time. This
+ * explicit relogin attempt is necessary due to the Hive client/thrift not implicitly handling
+ * the acquisition of a new TGT after the current one has expired.
+ * https://issues.apache.org/jira/browse/NIFI-5134
+ */
+ ugi.checkTGTAndReloginFromKeytab();
+ }
try {
return ugi.doAs((PrivilegedExceptionAction<Connection>) () -> dataSource.getConnection());
} catch (UndeclaredThrowableException e) {