Hi, Shawn.

This is a corporate mandate in order to migrate to best practice w.r.t.
security.

Yahoo runs very large 5000+ node clusters (Primarily HDFS / HBase / Hive /
Spark / Storm) that are multi-tenant. The worker processes run as
individual headless users per project / application. A given project had
been using keytabs on launcher boxes in order to get a TGT into their
workers that would allow that headless user to authenticate with services.
Keytabs don't expire, and there is no way of tracking who has a copy. We
have to depend on our users to set the file permissions up properly to not
have them get stolen, etc.

Moving to PKinit and X509 certs (which expire after 30 days) gives us a
higher level of security in our environment. We have to do this everywhere,
not just NiFi.

We would prefer to hack up the processors in order to do this work. We'd
like to do it in a way that would be acceptable to push back to open source.

Any direction you could give us in meeting this objective would be greatly
appreciated.

Thanks,
Paul

On Thu, Jan 23, 2020 at 4:52 PM Shawn Weeks <swe...@weeksconsulting.us>
wrote:

> If you don’t mind, what is the use case where keytabs aren’t working for
> you? I’ve always found them easier since I don’t think you can set up
> passwords for service principals, only user principals.
>
> Thanks
>
> Shawn
>
> *From: *Pat White <patwh...@verizonmedia.com>
> *Date: *Thursday, January 23, 2020 at 4:46 PM
> *To: *Shawn Weeks <swe...@weeksconsulting.us>
> *Cc: *"dev@nifi.apache.org" <dev@nifi.apache.org>, Paul Poulosky <
> ppoul...@verizonmedia.com>
> *Subject: *Re: Any work planned for adding Kerberos pkinit support?
>
> Wow, a lot of work on this! Thank you very much Shawn, and my apologies
> for completely missing the Jiras, thanks for the help.
>
> patw
>
> On Thu, Jan 23, 2020 at 4:23 PM Shawn Weeks <swe...@weeksconsulting.us>
> wrote:
>
> Password based Kerberos is in the works and might have made it in 1.11.
> I’ve been seeing the pull requests for a while now.
>
> Thanks
> Shawn
>
> Sent from my iPhone
>
> > On Jan 23, 2020, at 11:22 AM, Pat White <patwh...@verizonmedia.com.invalid>
> > wrote:
> >
> > Hi Folks,
> >
> > Is there any support for Kerberos authentication using Pkinit versus
> > keytabs, now or planned?
> >
> > Don't believe I saw anything documented, in Jira or in the src yet, but
> > wanted to ask in case I've missed something. Specifically looking at use
> > by processors, such as a service like the KeytabCredentialsService, as
> > opposed to user or ZK authentication.
> >
> > If not, any thoughts on an implementation approach? It seemed as though
> > creating a peer service, or adding an x509 API to the existing service
> > was reasonable, however it looks like significant work is needed to have
> > Kerberos aware processors support both credential schemes.
> >
> > patw
>
>

-- 
<http://www.verizonmedia.com>

Paul Poulosky

Sr Software Dev Engineer
Grid Utilities
M 217 621 6120
1908 S First Street
US - Champaign S. First Street
Champaign, IL 61801
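The keytab-hygiene problem Paul describes above (no expiry, and file permissions left to each user) is something a cluster operator can at least audit while a PKinit migration is under way. The script below is an added example written for this thread, not code from NiFi, Yahoo, or any project mentioned here; the `/etc/security/keytabs` default path, the `*.keytab` naming convention, and the 30-day rotation threshold (borrowed from the certificate lifetime in the message) are assumptions. It flags keytabs that are readable by group or other, owned by the wrong uid, replaced by a symlink, or not rewritten within the rotation window.

```python
"""Audit keytab files for the weaknesses described in the thread.

Added example; not NiFi or Yahoo tooling. Paths and the 30-day window
are assumptions chosen for illustration.
"""
import os
import stat
import tempfile
import time

# Any group or other permission bit exposes the keytab beyond its owner.
EXPOSED_BITS = stat.S_IRWXG | stat.S_IRWXO
# Assumed rotation window, matching the 30-day cert lifetime in the thread.
MAX_AGE_DAYS = 30


def audit_keytab(path, expected_uid=None, max_age_days=MAX_AGE_DAYS, now=None):
    """Return a list of findings for one keytab; an empty list means it passes."""
    findings = []
    # lstat so that a symlink planted where the keytab should be is itself a finding
    st = os.lstat(path)
    if stat.S_ISLNK(st.st_mode):
        return ["is a symlink"]
    if not stat.S_ISREG(st.st_mode):
        return ["is not a regular file"]
    mode = stat.S_IMODE(st.st_mode)
    if mode & EXPOSED_BITS:
        findings.append("mode %04o grants group/other access" % mode)
    if expected_uid is not None and st.st_uid != expected_uid:
        findings.append("owned by uid %d, expected %d" % (st.st_uid, expected_uid))
    now = time.time() if now is None else now
    age_days = (now - st.st_mtime) / 86400.0
    if age_days > max_age_days:
        findings.append("last written %.0f days ago, rotation overdue" % age_days)
    return findings


def audit_tree(root, **kwargs):
    """Walk root and audit every *.keytab file; returns {path: findings}."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.endswith(".keytab"):
                path = os.path.join(dirpath, name)
                report[path] = audit_keytab(path, **kwargs)
    return report


def make_sample_keytab(directory, name, mode, age_days=0):
    """Write a constructed dummy keytab (header bytes only, no real key material).

    Used to build sample input for the demo and tests; sets mode and mtime.
    """
    path = os.path.join(directory, name)
    with open(path, "wb") as fh:
        fh.write(b"\x05\x02")  # keytab file-format version header, nothing else
    os.chmod(path, mode)
    if age_days:
        old = time.time() - age_days * 86400
        os.utime(path, (old, old))
    return path


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        root = sys.argv[1]
    else:
        # No path given: build a constructed sample tree so the demo runs offline.
        root = tempfile.mkdtemp(prefix="keytab-audit-")
        make_sample_keytab(root, "good.keytab", 0o600)
        make_sample_keytab(root, "shared.keytab", 0o644)
        make_sample_keytab(root, "stale.keytab", 0o600, age_days=90)
    for path, findings in sorted(audit_tree(root, expected_uid=os.getuid()).items()):
        print("%s: %s" % (path, "OK" if not findings else "; ".join(findings)))
```

Run it with a directory argument (for example the assumed `/etc/security/keytabs`) to audit a real tree; with no argument it creates a throwaway directory of constructed sample keytabs so the output can be inspected without touching real credentials. Treating a symlink as a finding rather than following it keeps a user from pointing the audited path at a harmless file while the real keytab lives elsewhere.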
