GitHub user pvillard31 opened a pull request:
https://github.com/apache/nifi/pull/1606
NIFI-3528 Added support for keytab/principal to Kafka 0.10 processors
Thank you for submitting a contribution to Apache NiFi.
In order to streamline the review of the contribution we ask you
to ensure the following steps have been taken:
### For all changes:
- [X] Is there a JIRA ticket associated with this PR? Is it referenced
in the commit message?
- [X] Does your PR title start with NIFI-XXXX where XXXX is the JIRA number
you are trying to resolve? Pay particular attention to the hyphen "-" character.
- [X] Has your PR been rebased against the latest commit within the target
branch (typically master)?
- [X] Is your initial contribution a single, squashed commit?
### For code changes:
- [X] Have you ensured that the full suite of tests is executed via mvn
-Pcontrib-check clean install at the root nifi folder?
- [X] Have you written or updated unit tests to verify your changes?
### Note:
Please ensure that once the PR is submitted, you check travis-ci for build
issues and submit an update to your PR as soon as possible.
==================================================
At the moment, it is not possible to have multi-tenancy when using Kafka
processors: a single JAAS configuration file must be set in JVM variables to
allow communication with Kerberos enabled Kafka cluster. Since the release of
Kafka client 0.10.2, this has been improved and it gives the possibility to
define a Login Module at processor level.
Here is a summary of the tests performed: on a standalone NiFi instance,
only the ``krb5.conf`` file path has been set in ``nifi.properties``. And the
following workflow has been used:
<img width="1009" alt="screen shot 2017-03-21 at 4 06 44 pm"
src="https://cloud.githubusercontent.com/assets/11541012/24154067/7546606a-0e50-11e7-9502-d6607fd3f3fd.png";>
Each Publish/Consume is using its own pair of user keytab/principal and
consume/publish from/to a queue where correct ACLs have been set for the
corresponding users. By looking at the audit logs, we can confirm that the
authentication on each queue is correctly performed and that we have the
expected behavior.
At the moment, I used the following JAAS input as the standard:
````
KafkaClient {
com.sun.security.auth.module.Krb5LoginModule required
useTicketCache=false
renewTicket=true
serviceName="kafka"
useKeyTab=true
keyTab="/path/to/keytab"
principal="[email protected]";
};
````
and I only exposed the keytab and principal as new properties. The other
properties are not exposed but that's something we could add if
necessary/useful.
You can merge this pull request into a Git repository by running:
$ git pull https://github.com/pvillard31/nifi NIFI-3528
Alternatively you can review and apply these changes as the patch at:
https://github.com/apache/nifi/pull/1606.patch
To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:
This closes #1606
----
commit e8571a5be32dc2201973ef491d267e592038b552
Author: Pierre Villard <[email protected]>
Date: 2017-03-21T14:48:53Z
NIFI-3528 Added support for keytab/principal to Kafka 0.10 processors
----
---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at [email protected] or file a JIRA ticket
with INFRA.
---
![https://cloud.githubusercontent.com/assets/11541012/24154067/7546606a-0e50-11e7-9502-d6607fd3f3fd.png"](https://cloud.githubusercontent.com/assets/11541012/24154067/7546606a-0e50-11e7-9502-d6607fd3f3fd.png"){kind=link}