[ 
https://issues.apache.org/jira/browse/NIFI-5041?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16435377#comment-16435377
 ] 

ASF GitHub Bot commented on NIFI-5041:
--------------------------------------

Github user peter-toth commented on the issue:

    https://github.com/apache/nifi/pull/2630
  
    This improvement of LivySessionController uses the 
KerberosCredentialsService to fetch a principal and a keytab and provide SPNEGO 
authentication towards a Livy server.
    
    In the implementation I switched from HttpURLConnections to HttpClient, 
which can be configured to do an SPNEGO handshake. 


> Add convenient SPNEGO/Kerberos authentication support to LivySessionController
> ------------------------------------------------------------------------------
>
>                 Key: NIFI-5041
>                 URL: https://issues.apache.org/jira/browse/NIFI-5041
>             Project: Apache NiFi
>          Issue Type: Improvement
>    Affects Versions: 1.5.0
>            Reporter: Peter Toth
>            Priority: Minor
>
> Livy requires SPNEGO/Kerberos authentication on a secured cluster. Initiating 
> such an authentication from NiFi is a viable by providing a 
> java.security.auth.login.config system property 
> (https://docs.oracle.com/javase/8/docs/technotes/guides/security/jgss/lab/part6.html),
>  but this is a bit cumbersome and needs kinit running outside of NiFi.
> An alternative and more sophisticated solution would be to do the SPNEGO 
> negotiation programmatically.
>  * This solution would add some new properties to the LivySessionController 
> to fetch kerberos principal and password/keytab
>  * Add the required HTTP Negotiate header (with an SPNEGO token) to the 
> HttpURLConnection to do the authentication programmatically 
> (https://tools.ietf.org/html/rfc4559)



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

Reply via email to