You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@nifi.apache.org by "Matt Gilman (JIRA)" <ji...@apache.org> on 2017/04/06 17:54:41 UTC
[jira] [Updated] (NIFI-3520) HDFS processors experiencing Kerberos
"impersonate" errors
[ https://issues.apache.org/jira/browse/NIFI-3520?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Matt Gilman updated NIFI-3520:
------------------------------
Resolution: Fixed
Status: Resolved (was: Patch Available)
> HDFS processors experiencing Kerberos "impersonate" errors
> -----------------------------------------------------------
>
> Key: NIFI-3520
> URL: https://issues.apache.org/jira/browse/NIFI-3520
> Project: Apache NiFi
> Issue Type: Bug
> Affects Versions: 1.0.0, 1.1.0, 1.1.1, 1.0.1
> Reporter: Jeff Storck
> Assignee: Bryan Bende
> Fix For: 1.2.0
>
>
> When multiple Kerberos principals are used between multiple HDFS processors, the processor instances will be able to login to Kerberos with their configured principals initially, but will not properly relogin.
> For example, if there are two PutHDFS processors, one configured as user1@EXAMPLE.COM, and the other as user2@EXAMPLE.COM, they will both login with the KDC correctly and be able to transfer files to HDFS. Once one of the PutHDFS processors attempts to relogin, it may end up being logged in as the principal from the other PutHDFS processor. The principal contexts end up getting switched, and the hadoop client used by the processor will attempt to proxy requests from one user through another, resulting in the following exception:
> {panel}Failed to write to HDFS due to org.apache.hadoop.ipc.RemoteException(org.apache.hadoop.security.authorize.AuthorizationException): User: user1@EXAMPLE.COM is not allowed to impersonate user2@EXAMPLE.COM{panel}
--
This message was sent by Atlassian JIRA
(v6.3.15#6346)