David Handermann created NIFI-13296:
---------------------------------------
Summary: Deprecate Kerberos SPNEGO Authentication for Removal
Key: NIFI-13296
URL: https://issues.apache.org/jira/browse/NIFI-13296
Project: Apache NiFi
Issue Type: Improvement
Reporter: David Handermann
Assignee: David Handermann

NiFi 0.6.0 added Kerberos authentication with
[SPNEGO|https://en.wikipedia.org/wiki/SPNEGO] as a framework feature based on
Spring Security Kerberos. Although Spring Security Kerberos continues to be
maintained, SPNEGO authentication is not common, requiring specialized
[client browser configuration|https://docs.spring.io/spring-security-kerberos/docs/current/reference/html/browserspnegoconfig.html]
for access. As noted in the linked instructions, popular web browsers do not
support SPNEGO in the default configuration, and Google Chrome requires either
a custom policy or launch from the command line with arguments that list
permitted DNS names.

Based on these considerations, and in light of more common Single Sign-On
strategies using OpenID Connect and SAML 2, NiFi framework support for Kerberos
authentication with SPNEGO should be deprecated for subsequent removal in NiFi
2.

This deprecation should not impact the Kerberos Login Identity Provider, which
continues to support username and password authentication based on the
form-based login process.