From b0779545526205c475babc23931e92d177ad556d Mon Sep 17 00:00:00 2001
From: Jeff Storck <jtswork@gmail.com>
Date: Mon, 30 Apr 2018 10:39:12 -0400
Subject: [PATCH] NIFI-5134 Explicitly requesting UGI to relogin before
 attempting to get a DB connection in HiveConnectionPool

---
 .../apache/nifi/dbcp/hive/HiveConnectionPool.java | 15 +++++++++++++--
 1 file changed, 13 insertions(+), 2 deletions(-)

diff --git a/nifi-nar-bundles/nifi-hive-bundle/nifi-hive-processors/src/main/java/org/apache/nifi/dbcp/hive/HiveConnectionPool.java b/nifi-nar-bundles/nifi-hive-bundle/nifi-hive-processors/src/main/java/org/apache/nifi/dbcp/hive/HiveConnectionPool.java
index 648cd42837de..2e40254685a7 100644
--- a/nifi-nar-bundles/nifi-hive-bundle/nifi-hive-processors/src/main/java/org/apache/nifi/dbcp/hive/HiveConnectionPool.java
+++ b/nifi-nar-bundles/nifi-hive-bundle/nifi-hive-processors/src/main/java/org/apache/nifi/dbcp/hive/HiveConnectionPool.java
@@ -251,8 +251,10 @@ protected Collection<ValidationResult> customValidate(ValidationContext validati
      * As of Apache NiFi 1.5.0, due to changes made to
      * {@link SecurityUtil#loginKerberos(Configuration, String, String)}, which is used by this class invoking
      * {@link HiveConfigurator#authenticate(Configuration, String, String)}
-     * to authenticate a principal with Kerberos, Hive controller services no longer
-     * attempt relogins explicitly.  For more information, please read the documentation for
+     * to authenticate a principal with Kerberos, Hive controller services no longer use a separate thread to
+     * relogin, and instead call {@link UserGroupInformation#checkTGTAndReloginFromKeytab()} from
+     * {@link HiveConnectionPool#getConnection()}.  The relogin request is performed in a synchronized block to prevent
+     * threads from requesting concurrent relogins.  For more information, please read the documentation for
      * {@link SecurityUtil#loginKerberos(Configuration, String, String)}.
      * <p/>
      * In previous versions of NiFi, a {@link org.apache.nifi.hadoop.KerberosTicketRenewer} was started by
@@ -352,6 +354,15 @@ public void shutdown() {
     public Connection getConnection() throws ProcessException {
         try {
             if (ugi != null) {
+                synchronized(this) {
+                    /*
+                     * Make sure that only one thread can request that the UGI relogin at a time.  This
+                     * explicit relogin attempt is necessary due to the Hive client/thrift not implicitly handling
+                     * the acquisition of a new TGT after the current one has expired.
+                     * https://issues.apache.org/jira/browse/NIFI-5134
+                     */
+                    ugi.checkTGTAndReloginFromKeytab();
+                }
                 try {
                     return ugi.doAs((PrivilegedExceptionAction<Connection>) () -> dataSource.getConnection());
                 } catch (UndeclaredThrowableException e) {