From 957c120343172d96b04e4955049ef621b44b2c86 Mon Sep 17 00:00:00 2001
From: Bryan Bende
Date: Thu, 25 Aug 2016 13:57:12 -0400
Subject: [PATCH] NIFI-2664 Moving System.setProperty for krb5.conf to NiFi startup, and removing conflicting property from KerberosProvider config
Signed-off-by: Yolanda M. Davis
This closes #946
---
 .../org/apache/nifi/hadoop/KerberosProperties.java | 4 ----
 .../main/resources/conf/login-identity-providers.xml | 2 --
 .../src/main/java/org/apache/nifi/NiFi.java | 10 ++++++++++
 .../org/apache/nifi/kerberos/KerberosProvider.java | 12 ------------
 4 files changed, 10 insertions(+), 18 deletions(-)
diff --git a/nifi-commons/nifi-hadoop-utils/src/main/java/org/apache/nifi/hadoop/KerberosProperties.java b/nifi-commons/nifi-hadoop-utils/src/main/java/org/apache/nifi/hadoop/KerberosProperties.java
index c7743f4ef2..af10079472 100644
--- a/nifi-commons/nifi-hadoop-utils/src/main/java/org/apache/nifi/hadoop/KerberosProperties.java
+++ b/nifi-commons/nifi-hadoop-utils/src/main/java/org/apache/nifi/hadoop/KerberosProperties.java
@@ -55,10 +55,6 @@ public class KerberosProperties {
 public KerberosProperties(final File kerberosConfigFile) {
 this.kerberosConfigFile = kerberosConfigFile;
- if (this.kerberosConfigFile != null) {
- System.setProperty("java.security.krb5.conf", kerberosConfigFile.getAbsolutePath());
- }
-
 this.kerberosConfigValidator = new Validator() {
 @Override
 public ValidationResult validate(String subject, String input, ValidationContext context) {
diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-resources/src/main/resources/conf/login-identity-providers.xml b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-resources/src/main/resources/conf/login-identity-providers.xml
index 3a57e35640..a2beb4ce81 100644
--- a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-resources/src/main/resources/conf/login-identity-providers.xml
+++ b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-resources/src/main/resources/conf/login-identity-providers.xml @@ -94,7 +94,6 @@ Identity Provider for users logging in with username/password against a Kerberos KDC server. 'Default Realm' - Default realm to provide when user enters incomplete user principal (i.e. NIFI.APACHE.ORG). - 'Kerberos Config File' - Absolute path to Kerberos client configuration file. 'Authentication Expiration' - The duration of how long the user authentication is valid for. If the user never logs out, they will be required to log back in following this duration. --> diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-runtime/src/main/java/org/apache/nifi/NiFi.java b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-runtime/src/main/java/org/apache/nifi/NiFi.java index 44529d2ee6..b0dea388ce 100644 --- a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-runtime/src/main/java/org/apache/nifi/NiFi.java +++ b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-runtime/src/main/java/org/apache/nifi/NiFi.java 
@@ -58,6 +58,16 @@ public class NiFi {
 public NiFi(final NiFiProperties properties) throws ClassNotFoundException, IOException, NoSuchMethodException, InstantiationException, IllegalAccessException, IllegalArgumentException, InvocationTargetException {
+
+ // There can only be one krb5.conf for the overall Java process so set this globally during
+ // start up so that processors and our Kerberos authentication code don't have to set this
+ final File kerberosConfigFile = properties.getKerberosConfigurationFile();
+ if (kerberosConfigFile != null) {
+ final String kerberosConfigFilePath = kerberosConfigFile.getAbsolutePath();
+ logger.info("Setting java.security.krb5.conf to {}", new Object[] {kerberosConfigFilePath});
+ System.setProperty("java.security.krb5.conf", kerberosConfigFilePath);
+ }
+
 Thread.setDefaultUncaughtExceptionHandler(new UncaughtExceptionHandler() {
 @Override
 public void uncaughtException(final Thread t, final Throwable e) {
diff --git a/nifi-nar-bundles/nifi-kerberos-iaa-providers-bundle/nifi-kerberos-iaa-providers/src/main/java/org/apache/nifi/kerberos/KerberosProvider.java b/nifi-nar-bundles/nifi-kerberos-iaa-providers-bundle/nifi-kerberos-iaa-providers/src/main/java/org/apache/nifi/kerberos/KerberosProvider.java
index 1b35514de1..f9856020af 100644
--- a/nifi-nar-bundles/nifi-kerberos-iaa-providers-bundle/nifi-kerberos-iaa-providers/src/main/java/org/apache/nifi/kerberos/KerberosProvider.java
+++ b/nifi-nar-bundles/nifi-kerberos-iaa-providers-bundle/nifi-kerberos-iaa-providers/src/main/java/org/apache/nifi/kerberos/KerberosProvider.java
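Review bot: Nothing in the block added to the `NiFi` constructor checks that the configured path is a readable file before it is installed as `java.security.krb5.conf`, and a value already passed with `-Djava.security.krb5.conf` is replaced without any notice. This property is JVM-wide and selects the realms and KDCs used by every Kerberos login in the process, so a mistyped path would, as far as this hunk shows, only surface later as a login failure in a processor or the login identity provider. A guard such as `if (!kerberosConfigFile.canRead()) { logger.warn("Kerberos config file {} is not readable", kerberosConfigFilePath); }` would make that visible at startup, and comparing against `System.getProperty("java.security.krb5.conf")` before the `setProperty` call would let the override be logged. The constructor body continues outside the hunk.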
@@ -33,7 +33,6 @@ import org.springframework.security.authentication.UsernamePasswordAuthenticatio
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.AuthenticationException;
 import org.springframework.security.kerberos.authentication.KerberosAuthenticationProvider;
-import org.springframework.security.kerberos.authentication.sun.GlobalSunJaasKerberosConfig;
 import org.springframework.security.kerberos.authentication.sun.SunJaasKerberosClient;
 import java.util.concurrent.TimeUnit;
@@ -67,17 +66,6 @@ public class KerberosProvider implements LoginIdentityProvider {
 throw new ProviderCreationException(String.format("The Expiration Duration '%s' is not a valid time duration", rawExpiration));
 }
- try {
- final String krb5ConfigFile = configurationContext.getProperty("Kerberos Config File");
- if (StringUtils.isNotEmpty(krb5ConfigFile)) {
- final GlobalSunJaasKerberosConfig krb5Config = new GlobalSunJaasKerberosConfig();
- krb5Config.setKrbConfLocation(krb5ConfigFile);
- krb5Config.afterPropertiesSet();
- }
- } catch (final Exception e) {
- throw new ProviderCreationException(e.getMessage(), e);
- }
-
 provider = new KerberosAuthenticationProvider();
 SunJaasKerberosClient client = new SunJaasKerberosClient();
 client.setDebug(true);