This is an automated email from the ASF dual-hosted git repository.
joewitt pushed a commit to branch support/nifi-1.x
in repository https://gitbox.apache.org/repos/asf/nifi.git
The following commit(s) were added to refs/heads/support/nifi-1.x by this push:
new 6fd7fd96c7 NIFI-13296 Deprecated Kerberos SPNEGO Authentication This
closes #8878.
6fd7fd96c7 is described below
commit 6fd7fd96c7a3fa9e87746dc7ca48eb97e369bff2
Author: exceptionfactory <[email protected]>
AuthorDate: Fri May 24 16:20:51 2024 -0500
NIFI-13296 Deprecated Kerberos SPNEGO Authentication
This closes #8878.
Signed-off-by: Joseph Witt <[email protected]>
---
nifi-docs/src/main/asciidoc/administration-guide.adoc | 3 +++
.../KerberosAuthenticationSecurityConfiguration.java | 8 ++++++++
2 files changed, 11 insertions(+)
diff --git a/nifi-docs/src/main/asciidoc/administration-guide.adoc
b/nifi-docs/src/main/asciidoc/administration-guide.adoc
index dc9819aab1..754da60156 100644
--- a/nifi-docs/src/main/asciidoc/administration-guide.adoc
+++ b/nifi-docs/src/main/asciidoc/administration-guide.adoc
@@ -3308,6 +3308,9 @@ supports different strategies, including *cookie* and
*route* options.
[[kerberos_service]]
== Kerberos Service
+
+NOTE: Support for Kerberos SPNEGO authentication is deprecated for removal in
NiFi 2.
+
NiFi can be configured to use Kerberos SPNEGO (or "Kerberos Service") for
authentication. In this scenario, users will hit the REST endpoint
`/access/kerberos` and the server will respond with a `401` status code and the
challenge response header `WWW-Authenticate: Negotiate`. This communicates to
the browser to use the GSS-API and load the user's Kerberos ticket and provide
it as a Base64-encoded header value in the subsequent request. It will be of
the form `Authorization: Negotiate YI [...]
NiFi will only respond to Kerberos SPNEGO negotiation over an HTTPS
connection, as unsecured requests are never authenticated.
diff --git
a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/configuration/KerberosAuthenticationSecurityConfiguration.java
b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/configuration/KerberosAuthenticationSecurityConfiguration.java
index 5c07df4899..3f8f3f5e47 100644
---
a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/configuration/KerberosAuthenticationSecurityConfiguration.java
+++
b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/configuration/KerberosAuthenticationSecurityConfiguration.java
@@ -16,6 +16,8 @@
*/
package org.apache.nifi.web.security.configuration;
+import org.apache.nifi.deprecation.log.DeprecationLogger;
+import org.apache.nifi.deprecation.log.DeprecationLoggerFactory;
import org.apache.nifi.util.NiFiProperties;
import org.apache.nifi.web.security.kerberos.KerberosService;
import org.apache.nifi.web.security.spring.KerberosServiceFactoryBean;
@@ -28,6 +30,8 @@ import org.springframework.context.annotation.Configuration;
*/
@Configuration
public class KerberosAuthenticationSecurityConfiguration {
+ private static final DeprecationLogger deprecationLogger =
DeprecationLoggerFactory.getLogger(KerberosAuthenticationSecurityConfiguration.class);
+
private final NiFiProperties niFiProperties;
@Autowired
@@ -35,6 +39,10 @@ public class KerberosAuthenticationSecurityConfiguration {
final NiFiProperties niFiProperties
) {
this.niFiProperties = niFiProperties;
+
+ if (niFiProperties.isKerberosSpnegoSupportEnabled()) {
+ deprecationLogger.warn("Support for Kerberos SPNEGO authentication
is deprecated for removal in NiFi 2");
+ }
}
@Bean
