[
https://issues.apache.org/jira/browse/NIFI-3520?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15947792#comment-15947792
]
ASF GitHub Bot commented on NIFI-3520:
--------------------------------------
GitHub user bbende opened a pull request:
https://github.com/apache/nifi/pull/1635
NIFI-3520 Refactoring instance class loading
This PR addresses the issue mentioned on NIFI-3520 regarding using the
"Additional Resources" property on the HDFS processors. The fix is a
fundamental refactoring of how the instance class loading isolation works.
Changes:
- Fixing FlowController to use appropriate class loader when instantiating
processor
- Updating ExtensionManager to leverage new MANIFEST entry to know when to
stop including resources from parent class loaders
- Adding ReloadComponent interface and refactoring instance class loading
to use it
- Fixing FetchHDFS issue with TDE by using ugi.doAs
You can merge this pull request into a Git repository by running:
$ git pull https://github.com/bbende/nifi NIFI-3520-2
Alternatively you can review and apply these changes as the patch at:
https://github.com/apache/nifi/pull/1635.patch
To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:
This closes #1635
----
commit 330479027d43036750e2ecd523cae084f7f7e13b
Author: Bryan Bende <bbe...@apache.org>
Date: 2017-03-24T21:14:24Z
NIFI-3520 Refactoring instance class loading
- Fixing FlowController to use appropriate class loader when instantiating
processor
- Updating ExtensionManager to leverage new flag in MANIFEST from NAR plugin
- Adding ReloadComponent interface and refactoring instance class loading
to use it
- Fixing FetchHDFS issue with TDE by using ugi.doAs
----
> HDFS processors experiencing Kerberos "impersonate" errors
> -----------------------------------------------------------
>
> Key: NIFI-3520
> URL: https://issues.apache.org/jira/browse/NIFI-3520
> Project: Apache NiFi
> Issue Type: Bug
> Affects Versions: 1.0.0, 1.1.0, 1.1.1, 1.0.1
> Reporter: Jeff Storck
> Assignee: Bryan Bende
> Fix For: 1.2.0
>
>
> When multiple Kerberos principals are used between multiple HDFS processors,
> the processor instances will be able to login to Kerberos with their
> configured principals initially, but will not properly relogin.
> For example, if there are two PutHDFS processors, one configured as
> us...@example.com, and the other as us...@example.com, they will both login
> with the KDC correctly and be able to transfer files to HDFS. Once one of
> the PutHDFS processors attempts to relogin, it may end up being logged in as
> the principal from the other PutHDFS processor. The principal contexts end
> up getting switched, and the hadoop client used by the processor will attempt
> to proxy requests from one user through another, resulting in the following
> exception:
> {panel}Failed to write to HDFS due to
> org.apache.hadoop.ipc.RemoteException(org.apache.hadoop.security.authorize.AuthorizationException):
> User: us...@example.com is not allowed to impersonate
> us...@example.com{panel}
--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
