Hi Shawn,

Right, as Paul noted, we don't have any problems with keytabs from a
technical perspective; the concern put forward is that keytab management
exploits are an attack vector, especially at automated production scale.
Using x509 certs (pkinit) was proposed as a safer approach, in that the
certs can be centrally managed and have short lifetimes, with much better
distribution and revocation control.

patw


On Fri, Jan 24, 2020 at 9:17 AM Paul Poulosky <ppoul...@verizonmedia.com>
wrote:

> Hi, Shawn.
>
> This is a corporate mandate in order to migrate to best practice w.r.t.
> security.
>
> Yahoo runs very large 5000+ node clusters (Primarily HDFS / HBase / Hive /
> Spark / Storm) that are multi-tenant. The worker processes run as
> individual headless users per project / application. A given project had
> been using keytabs on launcher boxes in order to get a TGT into their
> workers that would allow that headless user to authenticate with services.
> Keytabs don't expire, and there is no way of tracking who has a copy. We
> have to depend on our users to set the file permissions up properly to not
> have them get stolen, etc.
>
> Moving to PKinit and X509 certs (which expire after 30 days) gives us a
> higher level of security in our environment. We have to do this everywhere,
> not just Nifi.
>
> We would prefer to hack up the processors in order to do this work. We'd
> like to do it in a way that would be acceptable to push back to open source.
>
> Any direction you could give us in meeting this objective would be greatly
> appreciated.
>
> Thanks,
> Paul
>
> On Thu, Jan 23, 2020 at 4:52 PM Shawn Weeks <swe...@weeksconsulting.us>
> wrote:
>
>> If you don’t mind, what is the use case where keytabs aren’t working for
>> you? I’ve always found them easier since I don’t think you can set up
>> passwords for service principals, only user principals.
>>
>> Thanks
>>
>> Shawn
>>
>> *From: *Pat White <patwh...@verizonmedia.com>
>> *Date: *Thursday, January 23, 2020 at 4:46 PM
>> *To: *Shawn Weeks <swe...@weeksconsulting.us>
>> *Cc: *"dev@nifi.apache.org" <dev@nifi.apache.org>, Paul Poulosky <
>> ppoul...@verizonmedia.com>
>> *Subject: *Re: Any work planned for adding Kerberos pkinit support?
>>
>> Wow, a lot of work on this! Thank you very much Shawn, and my apologies
>> for completely missing the Jiras, thanks for the help.
>>
>> patw
>>
>> On Thu, Jan 23, 2020 at 4:23 PM Shawn Weeks <swe...@weeksconsulting.us>
>> wrote:
>>
>> Password based Kerberos is in the works and might have made it in 1.11.
>> I’ve been seeing the pull requests for a while now.
>>
>> Thanks
>> Shawn
>>
>> Sent from my iPhone
>>
>> > On Jan 23, 2020, at 11:22 AM, Pat White <patwh...@verizonmedia.com.invalid>
>> wrote:
>> >
>> > Hi Folks,
>> >
>> > Is there any support for Kerberos authentication using Pkinit versus
>> > keytabs, now or planned?
>> >
>> > Don't believe I saw anything documented, in Jira or in the src yet, but
>> > wanted to ask in case I've missed something. Specifically looking at
>> > use by processors, such as a service like the KeytabCredentialsService,
>> > as opposed to user or ZK authentication.
>> >
>> > If not, any thoughts on an implementation approach? It seemed as though
>> > creating a peer service, or adding an x509 API to the existing service
>> > was reasonable, however it looks like significant work is needed to
>> > have Kerberos aware processors support both credential schemes.
>> >
>> > patw
>>
>>
>
> --
> <http://www.verizonmedia.com>
>
> Paul Poulosky
>
> Sr Software Dev Engineer
> Grid Utilities
> M 217 621 6120
> 1908 S First Street
> US - Champaign S. First Street
> Champaign, IL 61801
>
>

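The objection to keytabs raised in this thread is that they never expire, nobody can tell how many copies exist, and their safety rests on whoever set the file permissions. The script below is an added example, not code from the thread, from NiFi or from MIT Kerberos: it parses the MIT keytab file format (version 0x0502, assumed big-endian layout), inventories each entry's principal, kvno, encryption type and the time the key was written, and reports the things a defender can actually check on a launcher box: a file readable by group or others, a deprecated encryption type, and a key older than a rotation window. The 30-day window mirrors the certificate lifetime Paul mentions but is an assumed policy, not something the thread prescribes; the sample keytab and its contents are constructed inline and written to a temporary file.

```python
"""Inventory an MIT-format keytab (version 0x0502, big-endian) and flag risks.
Added example: not code from the NiFi thread, NiFi or MIT Kerberos."""
import os
import stat
import struct
import tempfile

# IANA Kerberos enctypes; 1, 3 and 23 are deprecated (RFC 6649, RFC 8429).
ENCTYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 23: "rc4-hmac",
                 17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96"}
WEAK_ENCTYPES = {1, 3, 23}


def _counted(buf, off):
    """Read a uint16-length-prefixed octet string; return (bytes, new offset)."""
    (n,) = struct.unpack_from(">H", buf, off)
    return bytes(buf[off + 2:off + 2 + n]), off + 2 + n


def parse_keytab(data):
    """Return a list of entry dicts parsed from raw keytab bytes."""
    (version,) = struct.unpack_from(">H", data, 0)
    if version != 0x0502:
        raise ValueError("unsupported keytab version 0x%04x" % version)
    off, entries = 2, []
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0:                 # negative size marks a deleted slot
            off -= size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        realm, off = _counted(data, off + 2)
        comps = []
        for _ in range(ncomp):
            comp, off = _counted(data, off)
            comps.append(comp.decode())
        _name_type, timestamp, vno8 = struct.unpack_from(">IIB", data, off)
        (enctype,) = struct.unpack_from(">H", data, off + 9)
        key, off = _counted(data, off + 11)
        vno = vno8
        if end - off >= 4:           # optional 32-bit kvno; nonzero overrides vno8
            vno = struct.unpack_from(">I", data, off)[0] or vno8
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(),
                        "kvno": vno, "enctype": enctype,
                        "timestamp": timestamp, "key_len": len(key)})
        off = end
    return entries


def build_keytab(entries):
    """Serialize entries to keytab bytes; used here only to construct sample data."""
    out = bytearray(b"\x05\x02")
    for e in entries:
        name, realm = e["principal"].rsplit("@", 1)
        comps = name.split("/")
        body = bytearray(struct.pack(">H", len(comps)))
        for s in [realm] + comps:
            body += struct.pack(">H", len(s.encode())) + s.encode()
        # name type 1 = KRB5_NT_PRINCIPAL; vno8 is the low byte, vno32 follows the key
        body += struct.pack(">IIBH", 1, e["timestamp"], e["kvno"] & 0xFF, e["enctype"])
        body += struct.pack(">H", len(e["key"])) + e["key"] + struct.pack(">I", e["kvno"])
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def audit_keytab(path, now, max_age_days=30):
    """Return human-readable findings for one keytab file; empty list means clean."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("file mode %04o: readable by group or others" % mode)
    with open(path, "rb") as f:
        entries = parse_keytab(f.read())
    for e in entries:
        tag = "%s kvno %d" % (e["principal"], e["kvno"])
        if e["enctype"] in WEAK_ENCTYPES:
            findings.append("%s uses deprecated enctype %s"
                            % (tag, ENCTYPE_NAMES.get(e["enctype"], e["enctype"])))
        age_days = (now - e["timestamp"]) / 86400
        if age_days > max_age_days:
            findings.append("%s key written %.0f days ago, beyond the %d-day rotation window"
                            % (tag, age_days, max_age_days))
    return findings


def demo():
    """Write a constructed two-entry keytab with lax permissions, audit it, clean up."""
    now = 1579900000                 # fixed clock (late Jan 2020) for deterministic output
    entries = [{"principal": "nifi/worker01.example.com@EXAMPLE.COM", "kvno": 3,
                "enctype": 18, "timestamp": now - 5 * 86400, "key": b"\x11" * 32},
               {"principal": "nifi/worker01.example.com@EXAMPLE.COM", "kvno": 2,
                "enctype": 23, "timestamp": now - 400 * 86400, "key": b"\x22" * 16}]
    fd, path = tempfile.mkstemp(suffix=".keytab")
    with os.fdopen(fd, "wb") as f:
        f.write(build_keytab(entries))
    os.chmod(path, 0o644)            # deliberately lax, as a misconfigured launcher box might be
    try:
        return audit_keytab(path, now, max_age_days=30)
    finally:
        os.remove(path)
```

On a POSIX host `demo()` returns three findings: the 0644 mode, the rc4-hmac entry, and the key written 400 days ago; the current aes256 key passes. Because a keytab carries no expiry, the write timestamp compared against a rotation policy is the only age signal an audit can use, which is exactly the gap the thread contrasts with PKINIT, where the client certificate's validity period is checked by the KDC at authentication time rather than by an out-of-band scan.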