[ https://issues.apache.org/jira/browse/NIFI-5041?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16472198#comment-16472198 ]

ASF GitHub Bot commented on NIFI-5041:
--------------------------------------

Github user mattyb149 commented on the issue:

    https://github.com/apache/nifi/pull/2630
  
    The changes LGTM, and I tested on a secure cluster, verifying that I could 
connect, get a session, and execute some simple Scala/Spark code. However, when 
I tested with various unhappy paths including no Kerberos Credentials Service 
and a bad keytab, it seems we could be handling these situations better. 
    
    In the first case (no credentials), the /sessions endpoint will return HTML 
not JSON. This causes a bulletin to be issued, but the flow file is not 
penalized and/or the processor is not yielded, and the LivyControllerService 
thread to manage the sessions exits, meaning the flow will never proceed until 
the CS is restarted with the correct credentials. This could be considered a 
Livy bug (I didn't see an existing Jira), but we need to handle it for now.
    
    I believe something similar happens for a bad keytab, but I didn't trace it 
back to the manageSessions thread or anything. I think we need to ensure that 
the manageSessions() thread is always running while the CS is enabled; we can 
pass any exceptions back to the CS so when the processor makes a call to the 
CS, we can throw the appropriate exception, etc.


> Add convenient SPNEGO/Kerberos authentication support to LivySessionController
> ------------------------------------------------------------------------------
>
>                 Key: NIFI-5041
>                 URL: https://issues.apache.org/jira/browse/NIFI-5041
>             Project: Apache NiFi
>          Issue Type: Improvement
>            Reporter: Peter Toth
>            Priority: Minor
>
> Livy requires SPNEGO/Kerberos authentication on a secured cluster. Initiating 
> such an authentication from NiFi is viable by providing a 
> java.security.auth.login.config system property 
> (https://docs.oracle.com/javase/8/docs/technotes/guides/security/jgss/lab/part6.html),
>  but this is a bit cumbersome and needs kinit running outside of NiFi.
> An alternative and more sophisticated solution would be to do the SPNEGO 
> negotiation programmatically.
>  * This solution would add some new properties to the LivySessionController 
> to fetch Kerberos principal and password/keytab
>  * Add the required HTTP Negotiate header (with an SPNEGO token) to the 
> HttpURLConnection to do the authentication programmatically 
> (https://tools.ietf.org/html/rfc4559)



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
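
One way to structure the handling the review comment asks for, as an added Java example that is not NiFi's code or part of the pull request: the poll rejects a non-JSON /sessions response, the scheduled task survives every failure, and the caller gets the recorded exception. All class, method and field names are hypothetical, `Response` stands in for the real HTTP call, the sample responses are constructed, and records need Java 16 or later.

```java
import java.io.IOException;
import java.util.concurrent.*;
import java.util.concurrent.atomic.AtomicReference;
import java.util.function.Supplier;

// Added illustration; hypothetical names, not NiFi's LivySessionController.
public class SessionManagerSketch {
    /** Minimal stand-in for an HTTP response from Livy's /sessions endpoint. */
    record Response(int status, String contentType, String body) {}

    private final AtomicReference<Exception> lastError = new AtomicReference<>();
    private final AtomicReference<String> sessionsJson = new AtomicReference<>();
    private final ScheduledExecutorService pool = Executors.newSingleThreadScheduledExecutor();

    /** Poll on a fixed delay for as long as the service is enabled. */
    void start(Supplier<Response> fetch, long periodMs) {
        pool.scheduleWithFixedDelay(() -> poll(fetch), 0, periodMs, TimeUnit.MILLISECONDS);
    }

    void poll(Supplier<Response> fetch) {
        try {
            Response r = fetch.get();
            // A failed login may come back as an HTML page: reject it before any JSON parsing.
            if (r.status() != 200 || r.contentType() == null
                    || !r.contentType().toLowerCase().startsWith("application/json")) {
                throw new IOException("Unexpected /sessions response: HTTP " + r.status()
                        + ", Content-Type " + r.contentType());
            }
            sessionsJson.set(r.body());
            lastError.set(null);          // a good poll clears the earlier failure
        } catch (Exception e) {           // an uncaught exception would cancel the scheduled task
            lastError.set(e);
        }
    }

    /** Called on the processor's behalf: surface the recorded failure instead of stalling. */
    String getSessions() throws IOException {
        Exception e = lastError.get();
        if (e != null) throw new IOException("Session manager is failing", e);
        return sessionsJson.get();
    }

    void stop() { pool.shutdownNow(); }

    public static void main(String[] args) throws Exception {
        SessionManagerSketch m = new SessionManagerSketch();
        // Constructed responses: an HTML error page first, then valid JSON.
        m.poll(() -> new Response(401, "text/html", "<html>Authentication required</html>"));
        try { m.getSessions(); } catch (IOException ex) { System.out.println("surfaced: " + ex.getCause().getMessage()); }
        m.poll(() -> new Response(200, "application/json", "{\"sessions\":[]}"));
        System.out.println("recovered: " + m.getSessions());
        m.stop();
    }
}
```

With the exception available to the caller, the processor can penalize the flow file or yield rather than only issuing a bulletin.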
