You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@nifi.apache.org by jtstorck <gi...@git.apache.org> on 2018/01/03 17:56:04 UTC
[GitHub] nifi pull request #1581: NIFI-3534 Add support for impersonating a user with...
Github user jtstorck commented on a diff in the pull request:
https://github.com/apache/nifi/pull/1581#discussion_r159487174
--- Diff: nifi-nar-bundles/nifi-hadoop-bundle/nifi-hdfs-processors/src/main/java/org/apache/nifi/processors/hadoop/AbstractHadoopProcessor.java ---
@@ -295,7 +320,11 @@ HdfsResources resetHDFSResources(String configResources, ProcessContext context)
} else {
config.set("ipc.client.fallback-to-simple-auth-allowed", "true");
config.set("hadoop.security.authentication", "simple");
- ugi = SecurityUtil.loginSimple(config);
+ if (context.getProperty(REMOTE_USER).isSet()) {
+ ugi = UserGroupInformation.createRemoteUser(context.getProperty(REMOTE_USER).evaluateAttributeExpressions().getValue());
--- End diff --
We're trying to consolidate UGI creation to SecurityUtil. Could you move this to a method in SecurityUtil? Also, the JIRA for this change references impersonation, which is different than setting a remote user. Using UGI.createRemoteUser isn't doing an actual impersonation from what I see in the UGI code. UGI.createProxyUser will create a UGI that uses the given UGI to impersonate the given principal. Please take a look at this [code example in the hadoop documentation](https://hadoop.apache.org/docs/stable/hadoop-project-dist/hadoop-common/Superusers.html).
---