Hello,

We already have tons of support for PKI/mutual auth connections. For the Kerberos stuff where you'd rather supply username/password than keytabs, we've got you there too, based on the JIRA highlighted elsewhere in this thread.

Are you seeing/concerned about other gaps?

Thanks

On Fri, Jan 24, 2020 at 10:37 AM Paul Poulosky <[email protected]> wrote:

> Hi, Shawn.
>
> This is a corporate mandate in order to migrate to best practice w.r.t. security.
>
> Yahoo runs very large 5000+ node clusters (primarily HDFS / HBase / Hive / Spark / Storm) that are multi-tenant. The worker processes run as individual headless users per project / application. A given project had been using keytabs on launcher boxes in order to get a TGT into their workers that would allow that headless user to authenticate with services. Keytabs don't expire, and there is no way of tracking who has a copy. We have to depend on our users to set the file permissions up properly so they don't get stolen, etc.
>
> Moving to PKINIT and X.509 certs (which expire after 30 days) gives us a higher level of security in our environment. We have to do this everywhere, not just NiFi.
>
> We would prefer to hack up the processors in order to do this work. We'd like to do it in a way that would be acceptable to push back to open source.
>
> Any direction you could give us in meeting this objective would be greatly appreciated.
>
> Thanks,
> Paul
>
> On Thu, Jan 23, 2020 at 4:52 PM Shawn Weeks <[email protected]> wrote:
>
> > If you don't mind, what is the use case where keytabs aren't working for you? I've always found them easier, since I don't think you can set up passwords for service principals, only user principals.
> >
> > Thanks
> >
> > Shawn
> >
> > From: Pat White <[email protected]>
> > Date: Thursday, January 23, 2020 at 4:46 PM
> > To: Shawn Weeks <[email protected]>
> > Cc: "[email protected]" <[email protected]>, Paul Poulosky <[email protected]>
> > Subject: Re: Any work planned for adding Kerberos pkinit support?
> >
> > > Wow, a lot of work on this! Thank you very much Shawn, and my apologies for completely missing the Jiras, thanks for the help.
> > >
> > > patw
> > >
> > > On Thu, Jan 23, 2020 at 4:23 PM Shawn Weeks <[email protected]> wrote:
> > >
> > > > Password-based Kerberos is in the works and might have made it in 1.11. I've been seeing the pull requests for a while now.
> > > >
> > > > Thanks
> > > > Shawn
> > > >
> > > > Sent from my iPhone
> > > >
> > > > > On Jan 23, 2020, at 11:22 AM, Pat White <[email protected].invalid> wrote:
> > > > >
> > > > > Hi Folks,
> > > > >
> > > > > Is there any support for Kerberos authentication using PKINIT versus keytabs, now or planned?
> > > > >
> > > > > I don't believe I saw anything documented, in Jira or in the src yet, but wanted to ask in case I've missed something. Specifically looking at use by processors, such as a service like the KeytabCredentialsService, as opposed to user or ZK authentication.
> > > > >
> > > > > If not, any thoughts on an implementation approach? It seemed as though creating a peer service, or adding an X.509 API to the existing service, was reasonable; however, it looks like significant work is needed to have Kerberos-aware processors support both credential schemes.
> > > > >
> > > > > patw
>
> --
> <http://www.verizonmedia.com>
> Paul Poulosky
> Sr Software Dev Engineer
> Grid Utilities
> M 217 621 6120
> 1908 S First Street
> Champaign, IL 61801
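The thread contrasts a keytab (which never expires and can be copied without trace) with PKINIT, where the worker presents a short-lived X.509 certificate and key to the KDC instead. As an added example, not code from NiFi or from anyone in the thread, the script below obtains a TGT with PKINIT the way a launcher box would, after the two checks a practitioner would want before trusting such a login: the private key is readable only by its owner, and the certificate is not about to expire. It assumes MIT Kerberos kinit (the -X X509_user_identity option), openssl on PATH, and a running KDC configured for PKINIT; the principal, file paths, and the script name pkinit_login.sh are placeholders.

```shell
#!/bin/sh
# Added example (not NiFi project code): obtain a Kerberos TGT with PKINIT, i.e. an
# X.509 client certificate and private key, instead of a keytab.
# Assumes MIT Kerberos kinit with -X X509_user_identity, and openssl on PATH.
# All principals and paths are placeholders.

# Return 0 if the file has no group/other permission bits (owner-only access).
# Positions 5-10 of "ls -l" output are the group and other rwx bits.
key_is_private() {
    perms=$(ls -ld "$1" | cut -c5-10)
    [ "$perms" = "------" ]
}

# Return 0 if the PEM certificate in $1 is still valid $2 days from now.
# "openssl x509 -checkend N" exits 0 when the cert does NOT expire within N seconds.
cert_valid_for_days() {
    openssl x509 -noout -checkend "$(( $2 * 86400 ))" -in "$1" >/dev/null 2>&1
}

# Print the kinit command line for a PKINIT login.
# $1 principal, $2 cert PEM, $3 key PEM, $4 credential cache file
pkinit_cmd() {
    printf 'kinit -c FILE:%s -X X509_user_identity=FILE:%s,%s %s\n' "$4" "$2" "$3" "$1"
}

# Check the key and cert, then log in (or only print the command when
# PKINIT_DRY_RUN is set). $5 is the minimum remaining cert lifetime in days.
pkinit_login() {
    principal=$1 cert=$2 key=$3 cache=$4 min_days=${5:-3}
    key_is_private "$key" || { echo "refusing: $key is group/world readable" >&2; return 2; }
    cert_valid_for_days "$cert" "$min_days" || { echo "refusing: $cert expires within $min_days days" >&2; return 3; }
    if [ -n "${PKINIT_DRY_RUN:-}" ]; then
        pkinit_cmd "$principal" "$cert" "$key" "$cache"
        return 0
    fi
    # Dedicated cache per headless user, so workers never share a ticket file.
    kinit -c "FILE:$cache" -X "X509_user_identity=FILE:$cert,$key" "$principal" \
        && klist -c "FILE:$cache"
}

if [ -n "${PKINIT_RUN:-}" ]; then
    # Placeholder values; replace with the real principal and the PEM files issued for it.
    pkinit_login "svc-project@EXAMPLE.COM" /etc/pki/svc-project.crt \
        /etc/pki/svc-project.key /tmp/krb5cc_svc-project 3
fi
```

Run it as PKINIT_RUN=1 sh pkinit_login.sh on a host with a PKINIT-enabled KDC, or source it to use the functions from a launcher script. The expiry check is what makes the 30-day certificate lifetime operationally safe: a worker refuses to start with a certificate that is about to lapse rather than failing mid-job, and because no keytab ever lands on the box, there is nothing long-lived to steal.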
