[
https://issues.apache.org/jira/browse/NIFI-866?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14707389#comment-14707389
]
Ricky Saltzer commented on NIFI-866:
------------------------------------
Hey [~bende] -
I posted a new commit (https://github.com/apache/nifi/pull/75/commits) which
contains a custom Kerberos validator which should help make things more obvious
if something is incorrectly configured. In addition to making sure both the
keytab/principal are set (when one of them is set), it also checks if the
Kerberos file is set, and is readable. I also added a part in the validation
which checks the user's credentials, so the processor is technically invalid
until proper credentials are provided.
This brings me to a question I have, and possibly a problem in the validator
implementation. [~joewitt] might know offhand. How often is the validate()
method being called on a processor's property descriptors? I did some testing
and it looks like _quite often_. This concerns me, as I don't know if checking a
user's credentials in the validate command will be a good use of resources. If
you're not careful, this area of the code could potentially introduce leaks, as
[~jackowaya] has found in regards to the encrypt/decrypt processors.
> Kerberos support for Hadoop processors
> ---------------------------------------
>
> Key: NIFI-866
> URL: https://issues.apache.org/jira/browse/NIFI-866
> Project: Apache NiFi
> Issue Type: New Feature
> Components: Extensions
> Reporter: Ricky Saltzer
> Assignee: Ricky Saltzer
> Attachments: NIFI-866.2.patch, NIFI-866.3.patch,
> multiprincipal_secure_nonsecure.png
>
>
> Currently the AbstractHadoopProcessor only supports talking to non-Kerberos
> Hadoop clusters. Even though the user might be supplying a Hadoop
> configuration which indicates the authentication implementation is Kerberos,
> NiFi will still attempt to connect via SIMPLE authentication. This results in
> a processor exception.
> *Goals:*
> * Minimal configuration for Kerberos support
> * Talk to both secure and non-secure clusters within the same NiFi instance
> * Support for more than one principal across processors (e.g. process A uses
> User1, processor B uses User2)
> *Non-Goals:*
> * Use of more than one krb5.conf at a time
> *Basic Usage Proposal:*
> Edit _conf/nifi.properties_ and modify the following values
> {code:title=nifi.properties|borderStyle=solid}
> ..
> # kerberos #
> nifi.kerberos.krb5.file=/path/to/krb5.conf
> {code}
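The checks described in the comment above, as an added example that is not code from NiFi or from the pull request: the cheap file and pairing checks run first, and the credential check runs only when they pass and is remembered per principal, keytab path and keytab modification time, so a frequently called validate() does not log in on every call. The class name, method names and the `loginCheck` callback (standing in for the real keytab login) are assumptions made for illustration.

```java
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.ArrayList;
import java.util.List;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import java.util.function.BiPredicate;

// Hypothetical helper, not NiFi code: all names here are assumptions.
public class KerberosConfigCheck {
    // Successful logins, keyed by principal + keytab path + keytab mtime.
    // Failures are not cached, so a fixed KDC or account is picked up at once.
    private final Set<String> verified = ConcurrentHashMap.newKeySet();
    private final BiPredicate<String, String> loginCheck; // (principal, keytab) -> ok

    public KerberosConfigCheck(BiPredicate<String, String> loginCheck) {
        this.loginCheck = loginCheck;
    }

    public List<String> validate(String krb5File, String principal, String keytab) {
        List<String> problems = new ArrayList<>();
        boolean hasPrincipal = principal != null && !principal.trim().isEmpty();
        boolean hasKeytab = keytab != null && !keytab.trim().isEmpty();
        if (!hasPrincipal && !hasKeytab) return problems;   // Kerberos not in use
        if (hasPrincipal != hasKeytab) {                     // one set without the other
            problems.add("principal and keytab must both be set");
            return problems;
        }
        if (krb5File == null || !Files.isReadable(Paths.get(krb5File)))
            problems.add("krb5 file is not set or not readable: " + krb5File);
        Path kt = Paths.get(keytab);
        if (!Files.isReadable(kt)) problems.add("keytab is not readable: " + keytab);
        if (!problems.isEmpty()) return problems;            // skip the expensive step
        String key = principal + '|' + keytab + '|' + kt.toFile().lastModified();
        if (!verified.contains(key)) {                       // at most one login per key
            if (loginCheck.test(principal, keytab)) verified.add(key);
            else problems.add("login failed for " + principal);
        }
        return problems;
    }

    public static void main(String[] args) throws Exception {
        Path krb5 = Files.createTempFile("krb5", ".conf");      // constructed sample files
        Path keytab = Files.createTempFile("user1", ".keytab");
        int[] logins = {0};                                     // counts simulated logins
        KerberosConfigCheck check =
            new KerberosConfigCheck((p, k) -> { logins[0]++; return true; });
        System.out.println(check.validate(krb5.toString(), "user1@EXAMPLE.COM", null));
        for (int i = 0; i < 100; i++)
            check.validate(krb5.toString(), "user1@EXAMPLE.COM", keytab.toString());
        System.out.println("login attempts after 100 validations: " + logins[0]);
    }
}
```

A cached success does not notice a principal that has since been disabled on the KDC, so the real login at processor start remains the authoritative check.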