[ https://issues.apache.org/jira/browse/NIFI-3520?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15947792#comment-15947792 ]
ASF GitHub Bot commented on NIFI-3520:
--------------------------------------

GitHub user bbende opened a pull request:

    https://github.com/apache/nifi/pull/1635

    NIFI-3520 Refactoring instance class loading

    This PR addresses the issue mentioned on NIFI-3520 regarding using the "Additional Resources" property on the HDFS processors. The fix is a fundamental refactoring of how the instance class loading isolation works.

    Changes:
    - Fixing FlowController to use appropriate class loader when instantiating processor
    - Updating ExtensionManager to leverage new MANIFEST entry to know when to stop including resources from parent class loaders
    - Adding ReloadComponent interface and refactoring instance class loading to use it
    - Fixing FetchHDFS issue with TDE by using ugi.doAs

You can merge this pull request into a Git repository by running:

    $ git pull https://github.com/bbende/nifi NIFI-3520-2

Alternatively you can review and apply these changes as the patch at:

    https://github.com/apache/nifi/pull/1635.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

    This closes #1635

----
commit 330479027d43036750e2ecd523cae084f7f7e13b
Author: Bryan Bende <bbe...@apache.org>
Date:   2017-03-24T21:14:24Z

    NIFI-3520 Refactoring instance class loading
    - Fixing FlowController to use appropriate class loader when instantiating processor
    - Updating ExtensionManager to leverage new flag in MANIFEST from NAR plugin
    - Adding ReloadComponent interface and refactoring instance class loading to use it
    - Fixing FetchHDFS issue with TDE by using ugi.doAs

----

> HDFS processors experiencing Kerberos "impersonate" errors
> -----------------------------------------------------------
>
>                 Key: NIFI-3520
>                 URL: https://issues.apache.org/jira/browse/NIFI-3520
>             Project: Apache NiFi
>          Issue Type: Bug
>    Affects Versions: 1.0.0, 1.1.0, 1.1.1, 1.0.1
>            Reporter: Jeff Storck
>            Assignee: Bryan Bende
>             Fix For: 1.2.0
>
>
> When multiple Kerberos principals are used between multiple HDFS processors,
> the processor instances will be able to login to Kerberos with their
> configured principals initially, but will not properly relogin.
> For example, if there are two PutHDFS processors, one configured as
> us...@example.com, and the other as us...@example.com, they will both login
> with the KDC correctly and be able to transfer files to HDFS. Once one of
> the PutHDFS processors attempts to relogin, it may end up being logged in as
> the principal from the other PutHDFS processor. The principal contexts end
> up getting switched, and the hadoop client used by the processor will attempt
> to proxy requests from one user through another, resulting in the following
> exception:
> {panel}Failed to write to HDFS due to
> org.apache.hadoop.ipc.RemoteException(org.apache.hadoop.security.authorize.AuthorizationException):
> User: us...@example.com is not allowed to impersonate
> us...@example.com{panel}

--
This message was sent by Atlassian JIRA
(v6.3.15#6346)