Posted to issues@nifi.apache.org by apsaltis <gi...@git.apache.org> on 2017/03/09 14:24:05 UTC

[GitHub] nifi pull request #1581: NIFI-3534 Add support for impersonating a user with...

GitHub user apsaltis opened a pull request:

    https://github.com/apache/nifi/pull/1581

    NIFI-3534 Add support for impersonating a user with HDFS processors

    This P/R adds the functionality as described in JIRA NIFI-3534 with one addition. The addition that is not documented, is that it also added EL for the config paths. 

You can merge this pull request into a Git repository by running:

    $ git pull https://github.com/apsaltis/nifi NIFI-3534

Alternatively you can review and apply these changes as the patch at:

    https://github.com/apache/nifi/pull/1581.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

    This closes #1581
    
----
commit d0c2de7aa029c9f2bb5d4a619747a9d93da4c8e3
Author: Andrew Psaltis <ps...@gmail.com>
Date:   2017-03-09T14:15:30Z

    NIFI-3534 Add support for impersonating a user with HDFS processors

----


---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastructure@apache.org or file a JIRA ticket
with INFRA.
---

[GitHub] nifi pull request #1581: NIFI-3534 Add support for impersonating a user with...

Posted by bbende <gi...@git.apache.org>.
Github user bbende commented on a diff in the pull request:

    https://github.com/apache/nifi/pull/1581#discussion_r105669563
  
    --- Diff: nifi-nar-bundles/nifi-hadoop-bundle/nifi-hdfs-processors/src/main/java/org/apache/nifi/processors/hadoop/AbstractHadoopProcessor.java ---
    @@ -292,7 +304,11 @@ HdfsResources resetHDFSResources(String configResources, ProcessContext context)
                     ugi = SecurityUtil.loginKerberos(config, principal, keyTab);
                     fs = getFileSystemAsUser(config, ugi);
                     lastKerberosReloginTime = System.currentTimeMillis() / 1000;
    -            } else {
    +            } else if (context.getProperty(REMOTE_USER).isSet()){
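Review bot: on the changed `} else if (context.getProperty(REMOTE_USER).isSet()){` line, the remote-user check is only reached when the preceding Kerberos branch is not taken, so a remote user configured together with a principal and keytab is silently ignored. Reject that combination in the processor's validation, or state in the property description that the value applies only when Kerberos is not in use. Also add a space before the opening brace, as on the `} else {` line it replaces.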
    --- End diff --
    
    This might be more of a stylistic thing, but we could probably fold these together....
    
    ```
    else {
      config.set("ipc.client.fallback-to-simple-auth-allowed", "true");
      config.set("hadoop.security.authentication", "simple");
      if (context.getProperty(REMOTE_USER).isSet()) {
        ugi = UserGroupInformation.createRemoteUser(context.getProperty(REMOTE_USER).evaluateAttributeExpressions().getValue());
      } else {
        ugi = SecurityUtil.loginSimple(config);
      }
      fs = getFileSystemAsUser(config, ugi);
    }
    ```


---

[GitHub] nifi pull request #1581: NIFI-3534 Add support for impersonating a user with...

Posted by apsaltis <gi...@git.apache.org>.
Github user apsaltis commented on a diff in the pull request:

    https://github.com/apache/nifi/pull/1581#discussion_r105672823
  
    --- Diff: nifi-nar-bundles/nifi-hadoop-bundle/nifi-hdfs-processors/src/main/java/org/apache/nifi/processors/hadoop/AbstractHadoopProcessor.java ---
    @@ -292,7 +304,11 @@ HdfsResources resetHDFSResources(String configResources, ProcessContext context)
                     ugi = SecurityUtil.loginKerberos(config, principal, keyTab);
                     fs = getFileSystemAsUser(config, ugi);
                     lastKerberosReloginTime = System.currentTimeMillis() / 1000;
    -            } else {
    +            } else if (context.getProperty(REMOTE_USER).isSet()){
    --- End diff --
    
    @bbende both points make perfect sense. Will make those changes. 
    
    @trixpan - will look at adding the additional information you mentioned.


---

[GitHub] nifi pull request #1581: NIFI-3534 Add support for impersonating a user with...

Posted by apsaltis <gi...@git.apache.org>.
Github user apsaltis commented on a diff in the pull request:

    https://github.com/apache/nifi/pull/1581#discussion_r159500278
  
    --- Diff: nifi-nar-bundles/nifi-hadoop-bundle/nifi-hdfs-processors/src/main/java/org/apache/nifi/processors/hadoop/AbstractHadoopProcessor.java ---
    @@ -295,7 +320,11 @@ HdfsResources resetHDFSResources(String configResources, ProcessContext context)
                 } else {
                     config.set("ipc.client.fallback-to-simple-auth-allowed", "true");
                     config.set("hadoop.security.authentication", "simple");
    -                ugi = SecurityUtil.loginSimple(config);
    +                if (context.getProperty(REMOTE_USER).isSet()) {
    +                    ugi = UserGroupInformation.createRemoteUser(context.getProperty(REMOTE_USER).evaluateAttributeExpressions().getValue());
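Review bot: the added `createRemoteUser(...)` line passes `evaluateAttributeExpressions().getValue()` straight through, and the `isSet()` check above it only shows that the property has a raw value, not that the expression evaluates to a non-empty name. `UserGroupInformation.createRemoteUser` throws IllegalArgumentException on a null or empty user, so evaluate the property once into a local, trim it, and either fall back to `SecurityUtil.loginSimple(config)` or fail with a clear message when the result is blank.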
    --- End diff --
    
    I will move the code to the SecurityUtil class. Also, will fix the JIRA -- creating a remote user, not impersonating is the desired effect. 


---

[GitHub] nifi issue #1581: NIFI-3534 Add support for impersonating a user with HDFS p...

Posted by trixpan <gi...@git.apache.org>.
Github user trixpan commented on the issue:

    https://github.com/apache/nifi/pull/1581
  
    @apsaltis LGTM but is there a chance of making reference to proxyuser groups / proxyuser hosts in the description or additional info? HDFS impersonation is one of those things people always get wrong the first time they do it.
    
    Cheers


---

[GitHub] nifi issue #1581: NIFI-3534 Add support for impersonating a user with HDFS p...

Posted by apsaltis <gi...@git.apache.org>.
Github user apsaltis commented on the issue:

    https://github.com/apache/nifi/pull/1581
  
    @bbende and @trixpan -- I believe my most recent commit addresses both of your comments / concerns. Please let me know if I missed something or there is anything else you feel needs modification. Thanks again for the feedback.


---

[GitHub] nifi pull request #1581: NIFI-3534 Add support for impersonating a user with...

Posted by jtstorck <gi...@git.apache.org>.
Github user jtstorck commented on a diff in the pull request:

    https://github.com/apache/nifi/pull/1581#discussion_r159487174
  
    --- Diff: nifi-nar-bundles/nifi-hadoop-bundle/nifi-hdfs-processors/src/main/java/org/apache/nifi/processors/hadoop/AbstractHadoopProcessor.java ---
    @@ -295,7 +320,11 @@ HdfsResources resetHDFSResources(String configResources, ProcessContext context)
                 } else {
                     config.set("ipc.client.fallback-to-simple-auth-allowed", "true");
                     config.set("hadoop.security.authentication", "simple");
    -                ugi = SecurityUtil.loginSimple(config);
    +                if (context.getProperty(REMOTE_USER).isSet()) {
    +                    ugi = UserGroupInformation.createRemoteUser(context.getProperty(REMOTE_USER).evaluateAttributeExpressions().getValue());
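Review bot: the added branch sits directly under `config.set("hadoop.security.authentication", "simple")`, so the REMOTE_USER name is asserted by the client and not verified by the cluster; whoever can edit this property, or the values its expression reads, selects the HDFS identity the processor acts as. State that in the property description, and log the resolved user name when the file system is created so the effective identity can be audited.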
    --- End diff --
    
    We're trying to consolidate UGI creation to SecurityUtil.  Could you move this to a method in SecurityUtil?  Also, the JIRA for this change references impersonation, which is different than setting a remote user.  Using UGI.createRemoteUser isn't doing an actual impersonation from what I see in the UGI code.  UGI.createProxyUser will create a UGI that uses the given UGI to impersonate the given principal.  Please take a look at this [code example in the hadoop documentation](https://hadoop.apache.org/docs/stable/hadoop-project-dist/hadoop-common/Superusers.html).  


---
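
An added example, not code from the pull request or from NiFi, contrasting the two UGI calls discussed in the review above (`createRemoteUser` versus `createProxyUser`) and showing where the `hadoop.proxyuser.*` settings raised earlier in the thread come into play. It assumes the Hadoop client libraries and the cluster configuration are on the classpath; the class name, the user `etl_user` and the path `/data/landing` are hypothetical.

```java
import java.security.PrivilegedExceptionAction;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.fs.FileSystem;
import org.apache.hadoop.fs.Path;
import org.apache.hadoop.security.UserGroupInformation;

// Added illustration; class name, user and path are hypothetical.
public class UgiIdentityModes {

    // Remote user: with simple authentication the client asserts this name
    // and the cluster accepts it without verifying it.
    static UserGroupInformation remoteUser(String name) {
        if (name == null || name.trim().isEmpty()) {
            throw new IllegalArgumentException("remote user must not be blank");
        }
        return UserGroupInformation.createRemoteUser(name.trim());
    }

    // Impersonation: the process's login identity (realUser) acts for `name`.
    // The NameNode honours this only when its core-site.xml grants
    // hadoop.proxyuser.<realUser>.hosts and hadoop.proxyuser.<realUser>.groups
    // covering this host and the target user; otherwise the call is refused.
    static UserGroupInformation proxyUser(String name) throws Exception {
        UserGroupInformation realUser = UserGroupInformation.getLoginUser();
        return UserGroupInformation.createProxyUser(name, realUser);
    }

    // Run one HDFS call under the given identity.
    static boolean exists(UserGroupInformation ugi, Configuration conf, String path)
            throws Exception {
        return ugi.doAs((PrivilegedExceptionAction<Boolean>) () -> {
            try (FileSystem fs = FileSystem.newInstance(conf)) {
                return fs.exists(new Path(path));
            }
        });
    }

    public static void main(String[] args) throws Exception {
        Configuration conf = new Configuration(); // loads core-site.xml from the classpath
        UserGroupInformation.setConfiguration(conf);

        UserGroupInformation asserted = remoteUser("etl_user");
        UserGroupInformation proxied = proxyUser("etl_user");
        System.out.println(asserted + " -> " + exists(asserted, conf, "/data/landing"));
        System.out.println(proxied + " -> " + exists(proxied, conf, "/data/landing"));
    }
}
```

Printing each UGI shows its authentication method, which makes the difference visible: the proxied identity is reported together with the real user it runs through, while the remote user stands alone.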

[GitHub] nifi issue #1581: NIFI-3534 Add support for impersonating a user with HDFS p...

Posted by bbende <gi...@git.apache.org>.
Github user bbende commented on the issue:

    https://github.com/apache/nifi/pull/1581
  
    Should there be any validation that prevents setting remote user and also providing a Kerberos principal/keytab, since the remote user would be ignored in that case? Or maybe just document in the description of the property that it is only used when not using Kerberos?


---