[ 
https://issues.apache.org/jira/browse/NIFI-5041?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16435528#comment-16435528
 ] 

ASF GitHub Bot commented on NIFI-5041:
--------------------------------------

Github user mattyb149 commented on a diff in the pull request:

    https://github.com/apache/nifi/pull/2630#discussion_r181075183
  
    --- Diff: pom.xml ---
    @@ -94,6 +94,7 @@
             <org.slf4j.version>1.7.25</org.slf4j.version>
             <ranger.version>0.7.1</ranger.version>
             <jetty.version>9.4.3.v20170317</jetty.version>
    +        <httpclient.version>4.5.5</httpclient.version>
    --- End diff --
    
    Per [NIFI-4936](https://issues.apache.org/jira/browse/NIFI-4936), this 
needs to be pushed down to each NAR/bundle. In your case since you are using it 
in nifi-hadoop-utils, each NAR that has this as a dependency should declare it. 
If they already bring in httpclient, you'd likely need to reuse that version 
rather than setting it to 4.5.5, to avoid eviction.


> Add convenient SPNEGO/Kerberos authentication support to LivySessionController
> ------------------------------------------------------------------------------
>
>                 Key: NIFI-5041
>                 URL: https://issues.apache.org/jira/browse/NIFI-5041
>             Project: Apache NiFi
>          Issue Type: Improvement
>    Affects Versions: 1.5.0
>            Reporter: Peter Toth
>            Priority: Minor
>
> Livy requires SPNEGO/Kerberos authentication on a secured cluster. Initiating 
> such an authentication from NiFi is a viable by providing a 
> java.security.auth.login.config system property 
> (https://docs.oracle.com/javase/8/docs/technotes/guides/security/jgss/lab/part6.html),
>  but this is a bit cumbersome and needs kinit running outside of NiFi.
> An alternative and more sophisticated solution would be to do the SPNEGO 
> negotiation programmatically.
>  * This solution would add some new properties to the LivySessionController 
> to fetch kerberos principal and password/keytab
>  * Add the required HTTP Negotiate header (with an SPNEGO token) to the 
> HttpURLConnection to do the authentication programmatically 
> (https://tools.ietf.org/html/rfc4559)



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

Reply via email to