I did this stuff with SAS and OBIEE little outside of the application 
configuration.


1.)    On NiFi server and clusters - modify /etc/krb5.conf to match your 
Kerberos-enabled Hadoop cluster (you can change this location using the 
Kerberos configuration variables)

2.)    Get the Keytab file for users who have access to the Hadoop cluster – usually 
provided to you by the KDC admin or Hadoop admin

3.)    Transfer Keytab to all NiFi cluster nodes

4.)    Get the ticket as root user (kinit -kt <Keytab_file_name> 
principal_name) - you can use klist -kt <Keytab> to find out the 
principal name - you can automate this using root crontab or using other 
schedulers, but it needs to be available for root.

5.)    Test it out  - klist

6.)    Now test it out from NiFi

From: Bryan Bende [mailto:bbe...@gmail.com]
Sent: Monday, October 24, 2016 12:00 PM
To: users@nifi.apache.org
Cc: Joe Zaher (jzaher); Shrilesh Naik (shrnaik)
Subject: Re: Can we configure NiFi to run execute process with specific 
Kerberos Principal?

Hi Ravi,

I'm not very familiar with Sqoop, but from quickly reading their documentation 
and some other forums/blogs, it seems like the script that NiFi is calling 
should be doing something like the following:

kinit <USER PRINCIPAL>
<SQOOP2 DIRECTORY>/bin/sqoop.sh client

I would think however you execute the script successfully outside of NiFi, 
would be the same with NiFi, meaning that NiFi is just calling a shell script 
and shouldn't really need to know that Kerberos is involved.

-Bryan


On Mon, Oct 24, 2016 at 11:22 AM, Ravi Papisetti (rpapiset) 
<rpapi...@cisco.com> wrote:
Hi,

We are planning to use "ExecuteProcess" to run a sqoop script wrapped by shell. 
As part of this we want NiFi to use its service principal in secure mode while 
submitting executing the script. Otherwise the sqoop script fails to execute, 
saying "Caused by GSSException: No valid credentials provided (Mechanism level: 
Failed to find any Kerberos tgt)", because it is submitted by the NiFi service user 
(root) that doesn't have any Kerberos user principal.

Are there any configuration options in NiFi to overcome this issue?

Our use case is very similar to what is posted here: 
https://community.hortonworks.com/questions/18069/how-to-execute-commands-using-executeprocess-proce.html





Thanks,

Ravi Papisetti

Technical Leader

Services Technology Incubation Center <http://wwwin.cisco.com/CustAdv/ts/cstg/stic/>

rpapi...@cisco.com

Phone: +1 512 340 3377


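The wrapper approach discussed in this thread (obtain a ticket from a keytab, then run the job), written out as an added example that is not code from any poster or from NiFi. The function names, the cache file name and the exit codes are assumptions, and the MIT Kerberos client tools (kinit, klist -s, kdestroy -q) are assumed to be on the PATH.

```shell
#!/bin/sh
# Added example: run one command with a ticket taken from a keytab, kept in a
# private per-run credential cache instead of root's shared default cache.

# Succeed only if the keytab is a regular file with no group/other permissions.
keytab_is_private() {
    [ -f "$1" ] || return 1
    perms=$(ls -ld -- "$1" | cut -c5-10)   # group and other permission bits
    [ "$perms" = "------" ]
}

# run_with_ticket KEYTAB PRINCIPAL COMMAND [ARGS...]
# Runs in a subshell so KRB5CCNAME does not leak into the caller's environment.
run_with_ticket() (
    keytab=$1
    principal=$2
    shift 2
    keytab_is_private "$keytab" || {
        echo "keytab missing or accessible by group/other: $keytab" >&2
        exit 2
    }
    # mktemp creates the cache file with mode 0600 and an unpredictable name.
    cache=$(mktemp "${TMPDIR:-/tmp}/krb5cc_job.XXXXXX") || exit 3
    KRB5CCNAME="FILE:$cache"
    export KRB5CCNAME
    rc=0
    if kinit -kt "$keytab" "$principal" && klist -s; then
        # The child (for example the sqoop wrapper) inherits KRB5CCNAME.
        "$@" || rc=$?
    else
        echo "could not obtain a ticket for $principal" >&2
        rc=4
    fi
    # Remove the ticket as soon as the job ends, whatever its result.
    kdestroy -q 2>/dev/null || true
    rm -f "$cache"
    exit "$rc"
)

# Script mode: wrapper.sh KEYTAB PRINCIPAL COMMAND [ARGS...]
if [ "$#" -ge 3 ]; then
    run_with_ticket "$@"
fi
```

ExecuteProcess would call this script with the keytab path, the principal and the sqoop command as arguments, so no long-lived ticket has to sit in root's default cache.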