nifi-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Ryan Blue (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (NIFI-385) Add Kerberos support in nifi-kite-nar
Date Wed, 18 Mar 2015 18:16:38 GMT

    [ https://issues.apache.org/jira/browse/NIFI-385?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14367602#comment-14367602
] 

Ryan Blue commented on NIFI-385:
--------------------------------

We recently designed an API for this in Flume. The main commit is [542b1695|https://github.com/apache/flume/commit/542b1695].

This introduces a method that takes credentials and returns a {{PrivilegedExecutor}} that
will run code with those credentials. You can also get a "proxy" executor that is a "sudo"
like operation that works if the Kerberos credentials can be used to act on behalf of another
user. It all ends up looking like this:

{code:java}
user = FlumeAuthenticationUtil.getAuthenticator(principal, keytab)
        .proxyAs(effectiveUser);
// get a dataset where operations are done as user
dataset = user.execute(
      new PrivilegedAction<Dataset<GenericRecord>>() {
        @Override
        public Dataset<GenericRecord> run() {
          return Datasets.load(datasetUri);
        }
      });
{code}

This is slightly weird because the only operation is to get the dataset with that user. That's
because Hadoop's FS objects do all actions on behalf of the current user at the time the FS
handle was created. Kite maintains a single FS handle for the Dataset.

> Add Kerberos support in nifi-kite-nar
> -------------------------------------
>
>                 Key: NIFI-385
>                 URL: https://issues.apache.org/jira/browse/NIFI-385
>             Project: Apache NiFi
>          Issue Type: Improvement
>          Components: Extensions
>            Reporter: Ryan Blue
>
> Kite should be able to connect to a Kerberized Hadoop cluster to store data. Kite's Flume
connector has working code. The Kite dataset needs to be instantiated in a {{doPrivileged}}
block and its internal {{FileSystem}} object will hold the credentials after that.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Mime
View raw message