Github user pepov commented on the issue:
https://github.com/apache/nifi/pull/2866
Yes, so I was confused because I supposed single sign on is the default way
we want to configure Kerberos authentication:
https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#kerberos_service
But I just realized the most basic setup you provided authenticates the
user against Kerberos on behalf of the user:
https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#kerberos_login_identity_provider
I'm still new to this but I suppose my confusion comes from the fact that
Kerberos is basically designed to provide single sign on authentication where
users authenticate themselves against the KDC and get a ticket that can be used
to authenticate to the service (NiFi in this case) without the need for the
service to communicate with the KDC. But this process requires the service to
have an SPN created in Kerberos and the keytab has to be available. I believe
this is what NiFi calls the SPNEGO service principal and keytab
(`nifi.kerberos.spnego.principal*`, `nifi.kerberos.spnego.keytab.location*`)
and this is what I was referring to by service principal and keytab:
https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#kerberos_properties
What you mentioned is the other SPN and keytab, referred to as
`nifi.kerberos.service.principal*`, `nifi.kerberos.service.keytab.location*`
which is used by NiFi to authenticate to other systems as you just mentioned,
but this is not what I was referring to.
---