[jira] [Commented] (NIFI-5714) Hive[3]ConnectionPool - Kerberos Authentication issue/misleading

Wed, 17 Oct 2018 11:31:21 -0700 


    [ 
https://issues.apache.org/jira/browse/NIFI-5714?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16654006#comment-16654006
 ] 

ASF GitHub Bot commented on NIFI-5714:
--------------------------------------

Github user mattyb149 commented on the issue:

    https://github.com/apache/nifi/pull/3086
  
    Same here, the relevant error in the Travis log is "Cannot locate default 
realm". Looking at other tests that load krb5.conf, one 
(TestHBase_1_1_2_ClientService) has this:
    
    ```
    // needed for calls to UserGroupInformation.setConfiguration() to work when 
passing in
    // config with Kerberos authentication enabled
    System.setProperty("java.security.krb5.realm", "nifi.com");
    System.setProperty("java.security.krb5.kdc", "nifi.kdc");
    ```
    
    and another (TestRangerNiFiAuthorizer) has this:
    
    ```
    // have to initialize this system property before anything else
    File krb5conf = new File("src/test/resources/krb5.conf");
    assertTrue(krb5conf.exists());
    System.setProperty("java.security.krb5.conf", krb5conf.getAbsolutePath());
    ```
    
    Perhaps one or both of these would fix the issue? Not sure how to 
reproduce, I guess you could try one and push the commit to see if Travis 
succeeds...


> Hive[3]ConnectionPool - Kerberos Authentication issue/misleading
> ----------------------------------------------------------------
>
>                 Key: NIFI-5714
>                 URL: https://issues.apache.org/jira/browse/NIFI-5714
>             Project: Apache NiFi
>          Issue Type: Bug
>          Components: Extensions
>    Affects Versions: 1.1.0, 1.2.0, 1.1.1, 1.0.1, 1.3.0, 1.4.0, 1.5.0, 1.6.0, 
> 1.7.0, 1.7.1
>            Reporter: Pierre Villard
>            Assignee: Pierre Villard
>            Priority: Major
>
> In {{HiveConnectionPool}} and {{Hive3ConnectionPool}}, in the {{@OnEnabled}} 
> method, we have:
> {code:java}
> log.info("Hive Security Enabled, logging in as principal {} with keytab {}", 
> new Object[] {resolvedPrincipal, resolvedKeytab});
> try {
>     ugi = hiveConfigurator.authenticate(hiveConfig, resolvedPrincipal, 
> resolvedKeytab);
> } catch (AuthenticationFailedException ae) {
>     log.error(ae.getMessage(), ae);
> }
> getLogger().info("Successfully logged in as principal {} with keytab {}", new 
> Object[] {resolvedPrincipal, resolvedKeytab});{code}
> Which causes two issues:
>  * we're logging the successful message even though the authentication failed
>  * the Hive connection is created using the NiFi user identity (this would 
> need to be confirmed but that's what I observed during a test - it could be 
> due to the environment though)
> In my opinion, an {{InitializationException}} should be thrown so that the 
> controller service is not enabled.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

Reply via email to