nifi-users mailing list archives

From James Srinivasan <james.sriniva...@gmail.com>
Subject Re: Processor using Kerberos keytab auth - can't renew TGT
Date Fri, 14 Jul 2017 19:56:40 GMT
Hmm, so it seems updating the Hadoop version used by my processor from
2.6.0 to 2.7.3 has fixed the problem. Testing a little more just to
make sure...

On 14 July 2017 at 14:48, Georg Heiler <georg.kf.heiler@gmail.com> wrote:
> We just applied the standard fix to enable the JCE extensions i.e. copied
> the files into the right place. I was on vacation last week but it looked
> like the fix we had been searching for for a while. We were still conducting
> some more testing to see if this actually fixed the problem.
>
> But without the fix we could observe your described problem on other long
> running services like HBase as well.
>
> James Srinivasan <james.srinivasan@gmail.com> wrote on Fri, 14 July 2017 at 15:36:
>>
>> Hi Georg,
>>
>> I am indeed using open-jdk8 on CentOS 7.3, but I'm not sure why my
>> standalone app is ok, whereas the same code in NiFi isn't. How did you
>> fix the JCE policies?
>>
>> I'm guessing it is something to do with the shared
>> UserGroupInformation class. Which makes me wonder how (if) it will
>> work with multiple processors potentially using different keytabs. Am
>> wondering if this applies to me:
>>
>>
>> https://github.com/apache/nifi/blob/rel/nifi-1.3.0/nifi-nar-bundles/nifi-extension-utils/nifi-hadoop-utils/src/main/java/org/apache/nifi/hadoop/KerberosProperties.java#L32
>>
>> Thanks,
>>
>> James
>>
>> On 14 July 2017 at 14:16, Georg Heiler <georg.kf.heiler@gmail.com> wrote:
>> > Hi Joe,
>> >
>> > we recently had a similar problem. For us it turned out that we are using
>> > the latest open-jdk8 which no longer is providing the JCE policies required
>> > for strong cryptography out of the box on CentOS 7.3.
>> >
>> > regards,
>> > Georg
>> >
>> > Joe Witt <joe.witt@gmail.com> wrote on Fri, 14 July 2017 at 15:12:
>> >>
>> >> James,
>> >>
>> >> I know Jeff Storck has recently been doing some work around
>> >> Kerberos/TGT renewal.  Hopefully he can share some of his
>> >> observations/work back on this thread soon.
>> >>
>> >> Thanks
>> >>
>> >> On Fri, Jul 14, 2017 at 8:48 AM, James Srinivasan
>> >> <james.srinivasan@gmail.com> wrote:
>> >> > Hi all,
>> >> >
>> >> > I have a NiFi processor which uses Kerberos keytab authentication to
>> >> > write data to Accumulo. I have a separate thread which periodically
>> >> > runs in order to try renewing my TGT
>> >> > (UserGroupInformation.getCurrentUser.checkTGTAndReloginFromKeytab()).
>> >> >
>> >> > This code works fine outside NiFi, but inside NiFi while the initial
>> >> > login is fine, on subsequent attempts to check the TGT, the
>> >> > UserGroupInformation class seems to think it is using ticket cache,
>> >> > not keytab authentication (i.e.
>> >> > UserGroupInformation.getCurrentUser.isFromKeytab is false).
>> >> >
>> >> > I notice the Hadoop processors support some Kerberos authentication
>> >> > options (I'm not yet using any of those processors, but would like to
>> >> > in other flows). Could this be interacting badly with my code?
>> >> >
>> >> > Thanks very much,
>> >> >
>> >> > James
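
A diagnostic for the two things raised in this thread, added here as an example (not code from any poster or from NiFi): whether the JVM's JCE policy permits AES-256, and whether a keytab login held in its own UserGroupInformation instance reports `isFromKeytab` and can be re-logged-in. The class name and the principal/keytab arguments are assumptions; it needs hadoop-common on the classpath and a reachable KDC.

```java
import java.security.PrivilegedExceptionAction;
import javax.crypto.Cipher;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.security.UserGroupInformation;

// Hypothetical helper class, not part of NiFi or Hadoop.
public class KeytabLoginCheck {
    public static void main(String[] args) throws Exception {
        // Assumed arguments: service principal and path to its keytab.
        String principal = args[0];
        String keytab = args[1];

        // 1. JCE policy check: 128 means the limited policy files are active,
        //    so this JVM cannot use AES-256 Kerberos encryption types.
        int maxAes = Cipher.getMaxAllowedKeyLength("AES");
        System.out.println("Max AES key length: " + maxAes
                + (maxAes < 256 ? " (limited JCE policy)" : " (unlimited)"));

        // Tell Hadoop security to use Kerberos before any login call.
        Configuration conf = new Configuration();
        conf.set("hadoop.security.authentication", "kerberos");
        UserGroupInformation.setConfiguration(conf);

        // 2. Log in to a dedicated UGI instance rather than relying on the
        //    JVM-wide login user, which other code in the same JVM may share.
        UserGroupInformation ugi =
                UserGroupInformation.loginUserFromKeytabAndReturnUGI(principal, keytab);
        System.out.println("user:         " + ugi.getUserName());
        System.out.println("isFromKeytab: " + ugi.isFromKeytab());
        System.out.println("auth method:  " + ugi.getAuthenticationMethod());

        // 3. Renewal is called on the instance that holds the keytab login,
        //    not on whatever getCurrentUser() returns at that moment.
        ugi.checkTGTAndReloginFromKeytab();

        // 4. Work that needs the Kerberos identity runs inside doAs().
        ugi.doAs((PrivilegedExceptionAction<Void>) () -> {
            System.out.println("doAs user:    "
                    + UserGroupInformation.getCurrentUser().getUserName());
            return null;
        });
    }
}
```

Run it once standalone and once with the same JDK and Hadoop version the processor uses; a difference in the `isFromKeytab` line between the two environments narrows the problem to the runtime rather than the keytab.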
