You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@nifi.apache.org by bb...@apache.org on 2019/04/12 19:10:13 UTC

[nifi] branch master updated: NIFI-6210: Applied NIFI-5134 Kerberos TGT renewal to Hive3ConnectionPool

This is an automated email from the ASF dual-hosted git repository.

bbende pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/nifi.git


The following commit(s) were added to refs/heads/master by this push:
     new 9769027  NIFI-6210: Applied NIFI-5134 Kerberos TGT renewal to Hive3ConnectionPool
9769027 is described below

commit 97690275acb666c0598896cf0a96273d65cfae7b
Author: Matthew Burgess <ma...@apache.org>
AuthorDate: Fri Apr 12 14:43:50 2019 -0400

    NIFI-6210: Applied NIFI-5134 Kerberos TGT renewal to Hive3ConnectionPool
    
    This closes #3432.
    
    Signed-off-by: Bryan Bende <bb...@apache.org>
---
 .../org/apache/nifi/dbcp/hive/Hive3ConnectionPool.java    | 15 +++++++++++++--
 1 file changed, 13 insertions(+), 2 deletions(-)

diff --git a/nifi-nar-bundles/nifi-hive-bundle/nifi-hive3-processors/src/main/java/org/apache/nifi/dbcp/hive/Hive3ConnectionPool.java b/nifi-nar-bundles/nifi-hive-bundle/nifi-hive3-processors/src/main/java/org/apache/nifi/dbcp/hive/Hive3ConnectionPool.java
index c2042bb..41849bd 100644
--- a/nifi-nar-bundles/nifi-hive-bundle/nifi-hive3-processors/src/main/java/org/apache/nifi/dbcp/hive/Hive3ConnectionPool.java
+++ b/nifi-nar-bundles/nifi-hive-bundle/nifi-hive3-processors/src/main/java/org/apache/nifi/dbcp/hive/Hive3ConnectionPool.java
@@ -251,8 +251,10 @@ public class Hive3ConnectionPool extends AbstractControllerService implements Hi
      * As of Apache NiFi 1.5.0, due to changes made to
      * {@link SecurityUtil#loginKerberos(Configuration, String, String)}, which is used by this class invoking
      * {@link HiveConfigurator#authenticate(Configuration, String, String)}
-     * to authenticate a principal with Kerberos, Hive controller services no longer
-     * attempt relogins explicitly.  For more information, please read the documentation for
+     * to authenticate a principal with Kerberos, Hive controller services no longer use a separate thread to
+     * relogin, and instead call {@link UserGroupInformation#checkTGTAndReloginFromKeytab()} from
+     * {@link Hive3ConnectionPool#getConnection()}.  The relogin request is performed in a synchronized block to prevent
+     * threads from requesting concurrent relogins.  For more information, please read the documentation for
      * {@link SecurityUtil#loginKerberos(Configuration, String, String)}.
      * <p/>
      * In previous versions of NiFi, a {@link org.apache.nifi.hadoop.KerberosTicketRenewer} was started by
@@ -354,6 +356,15 @@ public class Hive3ConnectionPool extends AbstractControllerService implements Hi
     public Connection getConnection() throws ProcessException {
         try {
             if (ugi != null) {
+                synchronized(this) {
+                    /*
+                     * Make sure that only one thread can request that the UGI relogin at a time.  This
+                     * explicit relogin attempt is necessary due to the Hive client/thrift not implicitly handling
+                     * the acquisition of a new TGT after the current one has expired.
+                     * https://issues.apache.org/jira/browse/NIFI-5134
+                     */
+                    ugi.checkTGTAndReloginFromKeytab();
+                }
                 try {
                     return ugi.doAs((PrivilegedExceptionAction<Connection>) () -> dataSource.getConnection());
                 } catch (UndeclaredThrowableException e) {