[jira] [Commented] (NIFI-866) Kerberos support for Hadoop processors

Tue, 18 Aug 2015 13:07:24 -0700 

    [ 
https://issues.apache.org/jira/browse/NIFI-866?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14701903#comment-14701903
 ] 

Ryan Blue commented on NIFI-866:
--------------------------------

Okay, so things are a little fuzzy with Hadoop and Kerberos...

Hadoop's FileSystem APIs have Kerberos calls as static methods and keep state 
in static fields. But, it appears that each FileSystem instance uses the 
Kerberos login that was active when it was created. So there may be a way to 
have multiple logins interacting as long as you are synchronizing the section 
where you actually log in and get a FileSystem. This needs further testing and 
validation.

The property above may or may not be a necessary global, as the principal is 
effectively but not really global, but it doesn't have anything to do with the 
principal you want to use as far as I know. It is probably setting up the 
Kerberos authentication server and ticket-granting server, which makes some 
sense for a global config.

> Kerberos support for Hadoop processors 
> ---------------------------------------
>
>                 Key: NIFI-866
>                 URL: https://issues.apache.org/jira/browse/NIFI-866
>             Project: Apache NiFi
>          Issue Type: New Feature
>          Components: Extensions
>            Reporter: Ricky Saltzer
>            Assignee: Ricky Saltzer
>         Attachments: NIFI-866.patch
>
>
> Currently the AbstractHadoopProcessor only supports talking to non-kerberos 
> Hadoop clusters. Even though the user might be supplying a Hadoop 
> configuration which indicates the authentication implementation is Kerberos, 
> NiFi will still attempt to connect via SIMPLE authentication. This results in 
> a processor exception. 
> *Goals:*
> *  Minimal configuration for Kerberos support
> *  Shouldn't have to configure individual processors (e.g. user could have 
> tens to hundreds of these processors) 
> *Non-Goals:*
> *  Support more than one kerberos principal at a time
> *  Support both secure and non-secure connections at the same time
> *Basic Usage Proposal:*
> Edit _conf/nifi.properties_ and modify the following values
> {code:title=nifi.properties|borderStyle=solid}
> ..
> # kerberos #
> nifi.kerberos.enabled=true
> nifi.kerberos.krb5.file=/path/to/krb5.conf
> nifi.kerberos.keytab=/path/to/user.keytab
> nifi.kerberos.principal=user@REALM
> {code}



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Reply via email to