You are viewing a plain text version of this content. The canonical link for it is here.

Posted to issues@nifi.apache.org by GitBox <gi...@apache.org> on 2020/02/27 21:35:07 UTC

[GitHub] [nifi] jtstorck commented on a change in pull request #4095: NIFI-7018: Initial commit of processors extending AbstractHadoopProce…

jtstorck commented on a change in pull request #4095: NIFI-7018: Initial commit of processors extending AbstractHadoopProce…
URL: https://github.com/apache/nifi/pull/4095#discussion_r385384759
 
 

 ##########
 File path: nifi-nar-bundles/nifi-extension-utils/nifi-hadoop-utils/src/main/java/org/apache/nifi/hadoop/SecurityUtil.java
 ##########
 @@ -69,6 +79,37 @@ public static synchronized UserGroupInformation loginKerberos(final Configuratio
         return UserGroupInformation.getCurrentUser();
     }
 
+    public static synchronized UserGroupInformation loginKerberosWithPassword(final Configuration config, final String principal, final String password) throws IOException {
+        Validate.notNull(config);
+        Validate.notNull(principal);
+        Validate.notNull(password);
+
+        KerberosPasswordUser kerberosPasswordUser = new KerberosPasswordUser(principal, password);
+        return getUgiForKerberosUser(config, kerberosPasswordUser);
+    }
+
+    public static synchronized UserGroupInformation getUgiForKerberosUser(final Configuration config, final KerberosUser kerberosUser) throws IOException {
+        UserGroupInformation.setConfiguration(config);
+        try {
+            if (kerberosUser.isLoggedIn()) {
+                kerberosUser.checkTGTAndRelogin();
+            } else {
+                kerberosUser.login();
+            }
+            return kerberosUser.doAs((PrivilegedExceptionAction<UserGroupInformation>) () -> {
+                AccessControlContext context = AccessController.getContext();
+                Subject subject = Subject.getSubject(context);
+                Validate.notEmpty(
+                        subject.getPrincipals(KerberosPrincipal.class).stream().filter(p -> p.getName().startsWith(kerberosUser.getPrincipal())).collect(Collectors.toSet()),
+                        "No Subject was found matching the given principal");
+                return UserGroupInformation.getUGIFromSubject(subject);
+            });
+        } catch (PrivilegedActionException | LoginException e) {
+            throw new IOException("Unable to acquire UGI for KerberosUser: " + e.getLocalizedMessage(),
 
 Review comment:
   Updated the code to use the message from the wrapped exception, and split the unified catch into two distinct catch clauses.

----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
users@infra.apache.org


With regards,
Apache Git Services