[ 
https://issues.apache.org/jira/browse/NIFI-5041?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16439487#comment-16439487
 ] 

ASF GitHub Bot commented on NIFI-5041:
--------------------------------------

Github user peter-toth commented on a diff in the pull request:

    https://github.com/apache/nifi/pull/2630#discussion_r181746461
  
    --- Diff: pom.xml ---
    @@ -94,6 +94,7 @@
             <org.slf4j.version>1.7.25</org.slf4j.version>
             <ranger.version>0.7.1</ranger.version>
             <jetty.version>9.4.3.v20170317</jetty.version>
    +        <httpclient.version>4.5.5</httpclient.version>
    --- End diff --
    
    @mattyb149, could you please review my change and let me know if I did the 
right thing? Any suggestions are welcome.
    
    I changed the httpclient dependency to provided so it won't get into all 
NARs depending on nifi-hadoop-utils. Unfortunately httpclient seems to change a 
lot from version to version and the minimum required version that my changes 
can work with is 4.4.1.
    
    All my additions to hadoop-utils are in new classes, so I believe even a 
hadoop-utils dependent NAR that specifies a lower version of httpclient will be 
fine as long as it doesn't start to use my classes directly.


> Add convenient SPNEGO/Kerberos authentication support to LivySessionController
> ------------------------------------------------------------------------------
>
>                 Key: NIFI-5041
>                 URL: https://issues.apache.org/jira/browse/NIFI-5041
>             Project: Apache NiFi
>          Issue Type: Improvement
>    Affects Versions: 1.5.0
>            Reporter: Peter Toth
>            Priority: Minor
>
> Livy requires SPNEGO/Kerberos authentication on a secured cluster. Initiating 
> such an authentication from NiFi is a viable by providing a 
> java.security.auth.login.config system property 
> (https://docs.oracle.com/javase/8/docs/technotes/guides/security/jgss/lab/part6.html),
>  but this is a bit cumbersome and needs kinit running outside of NiFi.
> An alternative and more sophisticated solution would be to do the SPNEGO 
> negotiation programmatically.
>  * This solution would add some new properties to the LivySessionController 
> to fetch kerberos principal and password/keytab
>  * Add the required HTTP Negotiate header (with an SPNEGO token) to the 
> HttpURLConnection to do the authentication programmatically 
> (https://tools.ietf.org/html/rfc4559)



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

Reply via email to