[jira] [Commented] (NIFI-5041) Add convenient SPNEGO/Kerberos authentication support to LivySessionController

Fri, 18 May 2018 07:31:36 -0700 

    [ 
https://issues.apache.org/jira/browse/NIFI-5041?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16480729#comment-16480729
 ] 

ASF GitHub Bot commented on NIFI-5041:
--------------------------------------

Github user mattyb149 commented on a diff in the pull request:

    https://github.com/apache/nifi/pull/2630#discussion_r189287529
  
    --- Diff: 
nifi-nar-bundles/nifi-spark-bundle/nifi-livy-controller-service/src/main/java/org/apache/nifi/controller/livy/LivySessionController.java
 ---
    @@ -551,4 +561,11 @@ private SSLContext 
getSslSocketFactory(SSLContextService sslService)
             return sslContext;
         }
     
    +    private void checkSessionManagerError() throws IOException {
    +        Exception exception = sessionManagerError;
    +        if (exception != null) {
    +            throw new IOException(exception);
    --- End diff --
    
    I'm thinking this should be a custom exception type, probably thrown from 
the manageSession() thread itself and just propagated to the client via this 
method, in order to be able to tell the difference between an IOException that 
occurred from the mgmt thread vs an IOException that occurred from the 
operation the client is trying to perform. Thoughts?


> Add convenient SPNEGO/Kerberos authentication support to LivySessionController
> ------------------------------------------------------------------------------
>
>                 Key: NIFI-5041
>                 URL: https://issues.apache.org/jira/browse/NIFI-5041
>             Project: Apache NiFi
>          Issue Type: Improvement
>            Reporter: Peter Toth
>            Priority: Minor
>
> Livy requires SPNEGO/Kerberos authentication on a secured cluster. Initiating 
> such an authentication from NiFi is a viable by providing a 
> java.security.auth.login.config system property 
> (https://docs.oracle.com/javase/8/docs/technotes/guides/security/jgss/lab/part6.html),
>  but this is a bit cumbersome and needs kinit running outside of NiFi.
> An alternative and more sophisticated solution would be to do the SPNEGO 
> negotiation programmatically.
>  * This solution would add some new properties to the LivySessionController 
> to fetch kerberos principal and password/keytab
>  * Add the required HTTP Negotiate header (with an SPNEGO token) to the 
> HttpURLConnection to do the authentication programmatically 
> (https://tools.ietf.org/html/rfc4559)



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

Reply via email to