[ https://issues.apache.org/jira/browse/NIFI-5041?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16472198#comment-16472198 ]
ASF GitHub Bot commented on NIFI-5041:
--------------------------------------

Github user mattyb149 commented on the issue:

    https://github.com/apache/nifi/pull/2630

    The changes LGTM, and I tested on a secure cluster, verifying that I could connect, get a session, and execute some simple Scala/Spark code. However, when I tested with various unhappy paths including no Kerberos Credentials Service and a bad keytab, it seems we could be handling these situations better.

    In the first case (no credentials), the /sessions endpoint will return HTML not JSON. This causes a bulletin to be issued, but the flow file is not penalized and/or the processor is not yielded, and the LivyControllerService thread to manage the sessions exits, meaning the flow will never proceed until the CS is restarted with the correct credentials. This could be considered a Livy bug (I didn't see an existing Jira), but we need to handle it for now.

    I believe something similar happens for a bad keytab, but I didn't trace it back to the manageSessions thread or anything. I think we need to ensure that the manageSessions() thread is always running while the CS is enabled; we can pass any exceptions back to the CS so when the processor makes a call to the CS, we can throw the appropriate exception, etc.

> Add convenient SPNEGO/Kerberos authentication support to LivySessionController
> ------------------------------------------------------------------------------
>
>                 Key: NIFI-5041
>                 URL: https://issues.apache.org/jira/browse/NIFI-5041
>             Project: Apache NiFi
>          Issue Type: Improvement
>            Reporter: Peter Toth
>            Priority: Minor
>
> Livy requires SPNEGO/Kerberos authentication on a secured cluster. Initiating
> such an authentication from NiFi is viable by providing a
> java.security.auth.login.config system property
> (https://docs.oracle.com/javase/8/docs/technotes/guides/security/jgss/lab/part6.html),
> but this is a bit cumbersome and needs kinit running outside of NiFi.
> An alternative and more sophisticated solution would be to do the SPNEGO
> negotiation programmatically.
> * This solution would add some new properties to the LivySessionController
> to fetch Kerberos principal and password/keytab
> * Add the required HTTP Negotiate header (with an SPNEGO token) to the
> HttpURLConnection to do the authentication programmatically
> (https://tools.ietf.org/html/rfc4559)

--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
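
One way to structure the behaviour the review comment above asks for, as an added Java sketch that is not code from NiFi or from the pull request: the session-management pass rejects a non-JSON `/sessions` reply, never lets an exception end the scheduled loop, and stores the failure so the processor-facing call can rethrow it. `ResilientSessionManager`, `Response`, `SessionsClient`, `jsonHandler` and `ensureHealthy` are hypothetical names, and the responses in `main` are constructed sample data.

```java
import java.io.IOException;
import java.util.concurrent.*;
import java.util.concurrent.atomic.AtomicReference;
import java.util.function.Consumer;

/** Added sketch, not NiFi code: a session-manager loop that survives bad responses. */
public class ResilientSessionManager {
    static final class Response { // hypothetical holder for a /sessions reply
        final int status; final String contentType; final String body;
        Response(int s, String t, String b) { status = s; contentType = t; body = b; }
    }
    interface SessionsClient { Response get() throws IOException; } // assumed HTTP call
    private final SessionsClient client;
    private final Consumer<String> jsonHandler; // assumed: parses JSON, updates sessions
    private final AtomicReference<IOException> lastError = new AtomicReference<>();
    private final ScheduledExecutorService pool = Executors.newSingleThreadScheduledExecutor();
    ResilientSessionManager(SessionsClient c, Consumer<String> h) { client = c; jsonHandler = h; }
    void start(long periodMillis) {
        pool.scheduleWithFixedDelay(this::manageOnce, 0, periodMillis, TimeUnit.MILLISECONDS);
    }
    void stop() { pool.shutdownNow(); }

    /** One pass. Catches every Exception, since an uncaught one cancels the schedule. */
    void manageOnce() {
        try {
            Response r = client.get();
            String type = r.contentType == null ? "" : r.contentType.toLowerCase();
            if (r.status != 200 || !type.startsWith("application/json"))
                throw new IOException("Livy /sessions returned HTTP " + r.status
                        + " (" + type + "), not JSON; check the Kerberos credentials");
            jsonHandler.accept(r.body);
            lastError.set(null); // recovered, e.g. once credentials are corrected
        } catch (Exception e) {
            lastError.set(e instanceof IOException ? (IOException) e : new IOException(e));
        }
    }
    /** Processor-facing check: rethrow the stored failure so the caller can yield. */
    void ensureHealthy() throws IOException {
        IOException e = lastError.get();
        if (e != null) throw e;
    }
    public static void main(String[] args) throws Exception {
        Response[] next = { new Response(401, "text/html", "<html>login</html>") }; // constructed
        ResilientSessionManager m = new ResilientSessionManager(() -> next[0], body -> { });
        m.manageOnce();
        try { m.ensureHealthy(); } catch (IOException e) { System.out.println(e.getMessage()); }
        next[0] = new Response(200, "application/json", "{\"sessions\":[]}"); // constructed
        m.manageOnce();
        m.ensureHealthy(); // no exception: the loop recovered without a service restart
    }
}
```

`main` drives `manageOnce()` directly to keep the run deterministic; in a service, `start()` would schedule the same pass and `stop()` would run on disable.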