nifi-users mailing list archives

From Georg Heiler <georg.kf.hei...@gmail.com>
Subject Re: Processor using Kerberos keytab auth - can't renew TGT
Date Fri, 14 Jul 2017 13:48:29 GMT
We just applied the standard fix to enable the JCE extensions, i.e. copied
the files into the right place. I was on vacation last week but it looked
like the fix we had been searching for for a while. We were still
conducting some more testing to see if this actually fixed the problem.

But without the fix we could observe your described problem on other long
running services like HBase as well.

James Srinivasan <james.srinivasan@gmail.com> wrote on Fri, 14 July 2017
at 15:36:

> Hi Georg,
>
> I am indeed using open-jdk8 on CentOS 7.3, but I'm not sure why my
> standalone app is ok, whereas the same code in NiFi isn't. How did you
> fix the JCE policies?
>
> I'm guessing it is something to do with the shared
> UserGroupInformation class. Which makes me wonder how (if) it will
> work with multiple processors potentially using different keytabs. Am
> wondering if this applies to me:
>
>
> https://github.com/apache/nifi/blob/rel/nifi-1.3.0/nifi-nar-bundles/nifi-extension-utils/nifi-hadoop-utils/src/main/java/org/apache/nifi/hadoop/KerberosProperties.java#L32
>
> Thanks,
>
> James
>
> On 14 July 2017 at 14:16, Georg Heiler <georg.kf.heiler@gmail.com> wrote:
> > Hi Joe,
> >
> > we recently had a similar problem. For us it turned out that we are using
> > the latest open-jdk8 which no longer is providing the JCE policies
> > required for strong cryptography out of the box on CentOS 7.3.
> >
> > regards,
> > Georg
> >
> > Joe Witt <joe.witt@gmail.com> wrote on Fri, 14 July 2017 at 15:12:
> >>
> >> James,
> >>
> >> I know Jeff Storck has recently been doing some work around
> >> Kerberos/TGT renewal.  Hopefully he can share some of his
> >> observations/work back on this thread soon.
> >>
> >> Thanks
> >>
> >> On Fri, Jul 14, 2017 at 8:48 AM, James Srinivasan
> >> <james.srinivasan@gmail.com> wrote:
> >> > Hi all,
> >> >
> >> > I have a NiFi processor which uses Kerberos keytab authentication to
> >> > write data to Accumulo. I have a separate thread which periodically
> >> > runs in order to try renewing my TGT
> >> > (UserGroupInformation.getCurrentUser.checkTGTAndReloginFromKeytab()).
> >> >
> >> > This code works fine outside NiFi, but inside NiFi while the initial
> >> > login is fine, on subsequent attempts to check the TGT, the
> >> > UserGroupInformation class seems to think it is using ticket cache,
> >> > not keytab authentication (i.e.
> >> > UserGroupInformation.getCurrentUser.isFromKeytab is false).
> >> >
> >> > I notice the Hadoop processors support some Kerberos authentication
> >> > options (I'm not yet using any of those processors, but would like to
> >> > in other flows). Could this be interacting badly with my code?
> >> >
> >> > Thanks very much,
> >> >
> >> > James
>
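
The two things raised in this thread, the JCE policy limit and whether the JVM-wide `UserGroupInformation` login user is keytab-backed, can both be checked from inside the JVM. The following is an added example, not code from any poster or from NiFi; the principal and keytab path are placeholders, and it assumes hadoop-common is on the classpath and Kerberos is configured on the host.

```java
import java.security.PrivilegedExceptionAction;
import javax.crypto.Cipher;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.security.UserGroupInformation;

/** Added diagnostic sketch; principal and keytab path are placeholders. */
public class KeytabRenewalCheck {
    public static void main(String[] args) throws Exception {
        String principal = args.length > 0 ? args[0] : "user@EXAMPLE.COM";   // placeholder
        String keytab = args.length > 1 ? args[1] : "/path/to/user.keytab";  // placeholder

        // 1. JCE policy: the limited policy files cap AES at 128 bits, so
        //    AES-256 Kerberos encryption types cannot be used by this JVM.
        int maxAes = Cipher.getMaxAllowedKeyLength("AES");
        System.out.println("Max AES key length: " + maxAes
                + (maxAes < 256 ? " (limited JCE policy)" : " (unlimited JCE policy)"));

        Configuration conf = new Configuration();
        conf.set("hadoop.security.authentication", "kerberos");
        UserGroupInformation.setConfiguration(conf);

        // 2. Log in to a dedicated UGI instance rather than replacing the
        //    static, JVM-wide login user that other components may share.
        UserGroupInformation ugi =
                UserGroupInformation.loginUserFromKeytabAndReturnUGI(principal, keytab);

        // 3. Compare what the static accessor reports with the dedicated instance.
        //    Outside a doAs() block, getCurrentUser() falls back to the shared
        //    login user, which may come from a ticket cache.
        UserGroupInformation current = UserGroupInformation.getCurrentUser();
        System.out.println("getCurrentUser(): " + current.getUserName()
                + " isFromKeytab=" + current.isFromKeytab());
        System.out.println("dedicated UGI:    " + ugi.getUserName()
                + " isFromKeytab=" + ugi.isFromKeytab());

        // 4. Renew on the dedicated instance, then run work as that user so
        //    getCurrentUser() inside the action resolves to it.
        ugi.checkTGTAndReloginFromKeytab();
        ugi.doAs((PrivilegedExceptionAction<Void>) () -> {
            UserGroupInformation inside = UserGroupInformation.getCurrentUser();
            System.out.println("inside doAs():    " + inside.getUserName()
                    + " isFromKeytab=" + inside.isFromKeytab());
            return null;
        });
    }
}
```

Running it once standalone and once with the same JVM and classpath as the hosting service shows whether the two environments differ in JCE policy or in which login the static accessor returns.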
