[ https://issues.apache.org/jira/browse/NIFI-866?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14703076#comment-14703076 ]

Ricky Saltzer commented on NIFI-866:
------------------------------------

I see a couple options here:

(1) - We could keep it simple for now, and leave the patch's implementation as 
is. The first iteration supporting only a single principal, and kerberos 
authentication is either on or off, *not both*. Then we can make a follow up 
patch to allow multiple principals. After, we write a patch to allow talking to 
both secure and non-secure clusters at the same time. 

(2) - We extend the patch to support multiple principals. I think we would need 
to use the _loginUserFromKeytabAndReturnUGI_ method and then perform a _doAs_ 
on the UGI to create an HDFS FileSystem as that user (would need to verify 
that's possible). I would propose we add two options to the 
AbstractHadoopProcessor (Kerberos Principal / Kerberos Keytab), and make them 
_optional_, default would be the credentials specified in the _nifi.properties_ 
configuration. That way you have the option to use the user running NiFi by 
default, rather than configuring every processor. 

> Kerberos support for Hadoop processors 
> ---------------------------------------
>
>                 Key: NIFI-866
>                 URL: https://issues.apache.org/jira/browse/NIFI-866
>             Project: Apache NiFi
>          Issue Type: New Feature
>          Components: Extensions
>            Reporter: Ricky Saltzer
>            Assignee: Ricky Saltzer
>         Attachments: NIFI-866.patch
>
>
> Currently the AbstractHadoopProcessor only supports talking to non-kerberos 
> Hadoop clusters. Even though the user might be supplying a Hadoop 
> configuration which indicates the authentication implementation is Kerberos, 
> NiFi will still attempt to connect via SIMPLE authentication. This results in 
> a processor exception. 
> *Goals:*
> *  Minimal configuration for Kerberos support
> *  Shouldn't have to configure individual processors (e.g. user could have 
> tens to hundreds of these processors) 
> *Non-Goals:*
> *  Support more than one kerberos principal at a time
> *  Support both secure and non-secure connections at the same time
> *Basic Usage Proposal:*
> Edit _conf/nifi.properties_ and modify the following values
> {code:title=nifi.properties|borderStyle=solid}
> ..
> # kerberos #
> nifi.kerberos.enabled=true
> nifi.kerberos.krb5.file=/path/to/krb5.conf
> nifi.kerberos.keytab=/path/to/user.keytab
> nifi.kerberos.principal=user@REALM
> {code}



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
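
Option (2) from the comment above, sketched as an added example; this is not code from NIFI-866.patch or from NiFi. The class name, method signature and the both-or-neither validation are assumptions; it needs hadoop-client on the classpath.

```java
import java.io.IOException;
import java.security.PrivilegedExceptionAction;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.fs.FileSystem;
import org.apache.hadoop.security.UserGroupInformation;

// Hypothetical helper, not NiFi code: names and fallback logic are assumptions.
public final class KerberosFileSystemFactory {

    /**
     * @param conf             Hadoop configuration loaded for the processor
     * @param principal        per-processor principal, or null to use the default
     * @param keytab           per-processor keytab path, or null to use the default
     * @param defaultPrincipal value of nifi.kerberos.principal
     * @param defaultKeytab    value of nifi.kerberos.keytab
     */
    public static FileSystem open(final Configuration conf, String principal, String keytab,
            String defaultPrincipal, String defaultKeytab)
            throws IOException, InterruptedException {
        // The two optional properties must be overridden together; a processor
        // principal paired with the default keytab would only fail later at login.
        if ((principal == null) != (keytab == null)) {
            throw new IllegalArgumentException(
                    "Set both Kerberos Principal and Kerberos Keytab, or neither");
        }
        String user = principal != null ? principal : defaultPrincipal;
        String path = keytab != null ? keytab : defaultKeytab;

        // JVM-wide static setting: this is why talking to secure and non-secure
        // clusters at the same time is a separate problem from multiple principals.
        UserGroupInformation.setConfiguration(conf);
        if (!UserGroupInformation.isSecurityEnabled()) {
            return FileSystem.newInstance(conf); // SIMPLE authentication
        }
        if (user == null || path == null) {
            throw new IllegalStateException(
                    "Kerberos is enabled but no principal/keytab is configured");
        }
        // Unlike loginUserFromKeytab, this does not replace the JVM-wide login
        // user, so each processor can hold its own UGI.
        final UserGroupInformation ugi =
                UserGroupInformation.loginUserFromKeytabAndReturnUGI(user, path);
        return ugi.doAs(new PrivilegedExceptionAction<FileSystem>() {
            @Override
            public FileSystem run() throws IOException {
                return FileSystem.newInstance(conf);
            }
        });
    }
}
```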