You are viewing a plain text version of this content. The canonical link for it is here.

Posted to issues@nifi.apache.org by jtstorck <gi...@git.apache.org> on 2018/01/03 17:56:04 UTC

[GitHub] nifi pull request #1581: NIFI-3534 Add support for impersonating a user with...

Github user jtstorck commented on a diff in the pull request:

    https://github.com/apache/nifi/pull/1581#discussion_r159487174
  
    --- Diff: nifi-nar-bundles/nifi-hadoop-bundle/nifi-hdfs-processors/src/main/java/org/apache/nifi/processors/hadoop/AbstractHadoopProcessor.java ---
    @@ -295,7 +320,11 @@ HdfsResources resetHDFSResources(String configResources, ProcessContext context)
                 } else {
                     config.set("ipc.client.fallback-to-simple-auth-allowed", "true");
                     config.set("hadoop.security.authentication", "simple");
    -                ugi = SecurityUtil.loginSimple(config);
    +                if (context.getProperty(REMOTE_USER).isSet()) {
    +                    ugi = UserGroupInformation.createRemoteUser(context.getProperty(REMOTE_USER).evaluateAttributeExpressions().getValue());
    --- End diff --
    
    We're trying to consolidate UGI creation to SecurityUtil.  Could you move this to a method in SecurityUtil?  Also, the JIRA for this change references impersonation, which is different than setting a remote user.  Using UGI.createRemoteUser isn't doing an actual impersonation from what I see in the UGI code.  UGI.createProxyUser will create a UGI that uses the given UGI to impersonate the given principal.  Please take a look at this [code example in the hadoop documentation](https://hadoop.apache.org/docs/stable/hadoop-project-dist/hadoop-common/Superusers.html).  


---