nifi-users mailing list archives

From James Srinivasan <james.sriniva...@gmail.com>
Subject Re: Processor using Kerberos keytab auth - can't renew TGT
Date Fri, 14 Jul 2017 13:36:09 GMT
Hi Georg,

I am indeed using open-jdk8 on CentOS 7.3, but I'm not sure why my
standalone app is ok, whereas the same code in NiFi isn't. How did you
fix the JCE policies?

I'm guessing it is something to do with the shared
UserGroupInformation class. Which makes me wonder how (if) it will
work with multiple processors potentially using different keytabs. Am
wondering if this applies to me:

https://github.com/apache/nifi/blob/rel/nifi-1.3.0/nifi-nar-bundles/nifi-extension-utils/nifi-hadoop-utils/src/main/java/org/apache/nifi/hadoop/KerberosProperties.java#L32

Thanks,

James

On 14 July 2017 at 14:16, Georg Heiler <georg.kf.heiler@gmail.com> wrote:
> Hi Joe,
>
> we recently had a similar problem. For us it turned out that we are using
> the latest open-jdk8 which no longer is providing the JCE policies required
> for strong cryptography out of the box on CentOS 7.3.
>
> regards,
> Georg
>
> Joe Witt <joe.witt@gmail.com> wrote on Fri, 14 July 2017 at 15:12:
>>
>> James,
>>
>> I know Jeff Storck has recently been doing some work around
>> Kerberos/TGT renewal.  Hopefully he can share some of his
>> observations/work back on this thread soon.
>>
>> Thanks
>>
>> On Fri, Jul 14, 2017 at 8:48 AM, James Srinivasan
>> <james.srinivasan@gmail.com> wrote:
>> > Hi all,
>> >
>> > I have a NiFi processor which uses Kerberos keytab authentication to
>> > write data to Accumulo. I have a separate thread which periodically
>> > runs in order to try renewing my TGT
>> > (UserGroupInformation.getCurrentUser.checkTGTAndReloginFromKeytab()).
>> >
>> > This code works fine outside NiFi, but inside NiFi while the initial
>> > login is fine, on subsequent attempts to check the TGT, the
>> > UserGroupInformation class seems to think it is using ticket cache,
>> > not keytab authentication (i.e.
>> > UserGroupInformation.getCurrentUser.isFromKeytab is false).
>> >
>> > I notice the Hadoop processors support some Kerberos authentication
>> > options (I'm not yet using any of those processors, but would like to
>> > in other flows). Could this be interacting badly with my code?
>> >
>> > Thanks very much,
>> >
>> > James
