[jira] [Commented] (NIFI-866) Kerberos support for Hadoop processors

Wed, 19 Aug 2015 13:22:12 -0700 

    [ 
https://issues.apache.org/jira/browse/NIFI-866?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14703682#comment-14703682
 ] 

Ricky Saltzer commented on NIFI-866:
------------------------------------

Good news -

After a bit of head scratching, and help from [[email protected]], I was able 
to get secure, non-secure, and multi-principal functionality to work within the 
same NiFi instance! 

The patch approaches the configuration in the following way :

* only *1 option* was added to nifi.properties (nifi.kerberos.krb5.file). This 
unavoidable since we have to guarantee only one krb5 is used, as it must be set 
on a System property level :/. 

* *2 properties* were added to AbstractHadoopProcessor (principal / keytab). If 
the supplied Hadoop configuration files indicate to use kerberos (e.g. 
hadoop.security.authentication), we'll use the supplied principal/keytab from 
the processor and krb5 file from the global properties. A processor exception 
will be thrown if one of them is missing. 

> Kerberos support for Hadoop processors 
> ---------------------------------------
>
>                 Key: NIFI-866
>                 URL: https://issues.apache.org/jira/browse/NIFI-866
>             Project: Apache NiFi
>          Issue Type: New Feature
>          Components: Extensions
>            Reporter: Ricky Saltzer
>            Assignee: Ricky Saltzer
>         Attachments: NIFI-866.patch
>
>
> Currently the AbstractHadoopProcessor only supports talking to non-kerberos 
> Hadoop clusters. Even though the user might be supplying a Hadoop 
> configuration which indicates the authentication implementation is Kerberos, 
> NiFi will still attempt to connect via SIMPLE authentication. This results in 
> a processor exception. 
> *Goals:*
> *  Minimal configuration for Kerberos support
> *  Shouldn't have to configure individual processors (e.g. user could have 
> tens to hundreds of these processors) 
> *Non-Goals:*
> *  Support more than one kerberos principal at a time
> *  Support both secure and non-secure connections at the same time
> *Basic Usage Proposal:*
> Edit _conf/nifi.properties_ and modify the following values
> {code:title=nifi.properties|borderStyle=solid}
> ..
> # kerberos #
> nifi.kerberos.enabled=true
> nifi.kerberos.krb5.file=/path/to/krb5.conf
> nifi.kerberos.keytab=/path/to/user.keytab
> nifi.kerberos.principal=user@REALM
> {code}



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Reply via email to