James,

Sorry it was confusing to get this working.

What you described is correct, the "Kerberos Service Name" should be the serviceName you would put in the JAAS file which is typically "kafka", and then the "Kerberos Principal" and "Kerberos Keytab" would be the principal and keytab from the JAAS file.

I believe "Kerberos Principal" and "Kerberos Keytab" are optional because you can alternatively set a JAAS file through the system property, but if you provide these properties then NiFi creates one dynamically for you.

Feel free to create a JIRA or submit a PR to improve the documentation of these properties.

Thanks,

Bryan

On Tue, Nov 7, 2017 at 3:13 PM, James Srinivasan <[email protected]> wrote:
> I've been struggling to get NiFi working with Kerberos authenticated
> Kafka. According to the docs, the "Kerberos Service Name" property
> specifies:
>
> "The Kerberos principal name that Kafka runs as. This can be defined
> either in Kafka's JAAS config or in Kafka's config. Corresponds to
> Kafka's 'security.protocol' property.It is ignored unless one of the
> SASL options of the <Security Protocol> are selected."
>
> First off, it doesn't correspond to Kafka's security.protocol property
> - it corresponds to the JAAS serviceName property. Second, I'm not
> sure it is a Kerberos principal name - in my (HDP) install, it is set
> to "kafka", and using the full Kerberos principal name
> ("[email protected]") doesn't work. I would submit a PR, but I'm
> not 100% sure about the second bit.
>
> Long story short, for my install setting this to "kafka" worked, plus
> setting "Kerberos Principal" and "Kerberos Keytab" to suitable things,
> and "Security Protocol" to "SASL_PLAINTEXT". In our environment, we
> enforce explicit topic creation so having done that and granted
> producer and consumer access to the correct users, everything works
> nicely.
>
> James
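
The property mapping discussed in this thread, as an added illustration that is not part of either message and is not NiFi's own code: it checks that the service name is the short name rather than a full principal, then renders the equivalent `KafkaClient` JAAS entry. The function names, the sample principal and the keytab path are constructed assumptions.

```python
SASL_PROTOCOLS = {"SASL_PLAINTEXT", "SASL_SSL"}  # Kafka security.protocol values that use SASL


def check_service_name(service_name):
    """Return problems with a "Kerberos Service Name" value (empty list means OK)."""
    if not service_name:
        return ["empty service name"]
    problems = []
    if "@" in service_name:
        problems.append("contains a realm; use the short name, e.g. 'kafka'")
    if "/" in service_name:
        problems.append("contains a host part; use the short name, e.g. 'kafka'")
    return problems


def render_jaas(service_name, principal, keytab, security_protocol):
    """Build a KafkaClient JAAS entry from the three properties named in the thread.

    Returns None for non-SASL protocols, where the documentation quoted in the
    thread says the service name is ignored.
    """
    if security_protocol not in SASL_PROTOCOLS:
        return None
    problems = check_service_name(service_name)
    if problems:
        raise ValueError("Kerberos Service Name: " + "; ".join(problems))
    for value in (service_name, principal, keytab):
        if '"' in value or "\n" in value:
            raise ValueError("value cannot be quoted safely in a JAAS file")
    return (
        "KafkaClient {\n"
        "  com.sun.security.auth.module.Krb5LoginModule required\n"
        "  useKeyTab=true\n"
        "  storeKey=true\n"
        f'  keyTab="{keytab}"\n'
        f'  principal="{principal}"\n'
        f'  serviceName="{service_name}";\n'
        "};\n"
    )


if __name__ == "__main__":
    # Constructed sample values, not taken from the thread.
    print(render_jaas("kafka", "nifi@EXAMPLE.COM",
                      "/etc/security/keytabs/nifi.keytab", "SASL_PLAINTEXT"))
```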
