Cloudera Community

Support Questions

Find answers, ask questions, and share your expertise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Advanced Search
Solved Go to solution

How can I configure NiFi to PutHDFS as a user other than the user NiFi is running as?

Labels:
avatar
author-rank rgelhausen
Guru

Created ‎08-17-2016 04:59 PM

This is a kerberized instance of HDFS. Is it possible for flowfiles themselves to specify the HDFS user, or only on a per processor basis?

Some of our use cases call for allowing business users to define their own ingest streams and push to varying HDFS directories owned by different users, and generating and distributing keytabs to business users seems less than appealing.

3,930 Views
1 ACCEPTED SOLUTION

avatar
author-rank emaxwell author-rank
Guru

Created ‎08-17-2016 05:22 PM

@Randy Gelhausen

You can set the "Remote Owner" attribute to the user you want to own the files in HDFS. You can set "Remote Group" as well. Both of these are at the processor level and do not support Expression Language, so you'd have to set them for the processor. You could use a RouteOnAttribute processor to determine which user should own the files in HDFS and route the flow to the proper PutHDFS processor, but this will be more cumbersome than distributing keytabs to the users.

In a secure environment, the users would likely need to have their keytab to write to HDFS anyway since you'd have to authenticate somehow and there's not a way presently to pass a Kerberos ticket to NiFi.

View solution in original post

2,171 Views
2 REPLIES 2

avatar
author-rank emaxwell author-rank
Guru

Created ‎08-17-2016 05:22 PM

@Randy Gelhausen

You can set the "Remote Owner" attribute to the user you want to own the files in HDFS. You can set "Remote Group" as well. Both of these are at the processor level and do not support Expression Language, so you'd have to set them for the processor. You could use a RouteOnAttribute processor to determine which user should own the files in HDFS and route the flow to the proper PutHDFS processor, but this will be more cumbersome than distributing keytabs to the users.

In a secure environment, the users would likely need to have their keytab to write to HDFS anyway since you'd have to authenticate somehow and there's not a way presently to pass a Kerberos ticket to NiFi.

2,172 Views

avatar
author-rank rgelhausen
Guru

Created ‎08-17-2016 09:08 PM

Thanks for the suggestions. On further thought, what about using a single PutHDFS with Directory set by flowfiles.

Ranger HDFS permissions are set to allow the NiFi user to write to specific ingest directories, and downstream consumers should have Ranger HDFS read permissions on the ingest directories necessary for their application.

2,171 Views
0 Kudos
Announcements
What's New @ Cloudera
[RELEASED] Cloudera Streams Messaging - Kubernetes Operator ...
What's New @ Cloudera
[RELEASED] Cloudera Streaming Analytics 1.14 for Cloudera Pu...
What's New @ Cloudera
Cloudera Data Engineering 1.23: Access Spark from Your Favor...
What's New @ Cloudera
HBase REST server scaling support is Generally Available
What's New @ Cloudera
New CLI option in the update-database command
View More Announcements