[jira] [Commented] (NIFI-866) Kerberos support for Hadoop processors

Thu, 20 Aug 2015 14:37:44 -0700 

    [ 
https://issues.apache.org/jira/browse/NIFI-866?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14705803#comment-14705803
 ] 

Bryan Bende commented on NIFI-866:
----------------------------------

Ricky, Nice job putting this together! It took me a while, but I was able to 
"Kerberize" a single node hadoop instance and tested this successfully with 
multiple principals. 

One of my only thoughts is around validation... do you think it would make 
sense to have a customValidate method that checked if the principal and keytab 
properties were provided, and if so then validated that the 
nifi.kerberos.krb5.file property was set and pointed to a valid file? 

The reason I thought of this was because when I was testing I obviously didn't 
follow the instructions and forgot to set nifi.kerberos.krb5.file the first 
time. It threw me off a little that I got the processor to a valid state, but 
then found out I was missing that property when I told the processor to run. I 
realize that at validation time we still don't know if the hadoop configuration 
is set to use kerberos yet, but just trying to see if there is anything more we 
can do up front. Interested to hear what others think as well.

> Kerberos support for Hadoop processors 
> ---------------------------------------
>
>                 Key: NIFI-866
>                 URL: https://issues.apache.org/jira/browse/NIFI-866
>             Project: Apache NiFi
>          Issue Type: New Feature
>          Components: Extensions
>            Reporter: Ricky Saltzer
>            Assignee: Ricky Saltzer
>         Attachments: NIFI-866.2.patch, NIFI-866.3.patch, 
> multiprincipal_secure_nonsecure.png
>
>
> Currently the AbstractHadoopProcessor only supports talking to non-kerberos 
> Hadoop clusters. Even though the user might be supplying a Hadoop 
> configuration which indicates the authentication implementation is Kerberos, 
> NiFi will still attempt to connect via SIMPLE authentication. This results in 
> a processor exception. 
> *Goals:*
> * Minimal configuration for Kerberos support
> * Talk to both secure and non-secure clusters within the same NiFi instance
> * Support for more than one principal across processors (e.g. process A uses 
> User1, processor B uses User2)
> *Non-Goals:*
> * Use of more than one krb5.conf at a time
> *Basic Usage Proposal:*
> Edit _conf/nifi.properties_ and modify the following values
> {code:title=nifi.properties|borderStyle=solid}
> ..
> # kerberos #
> nifi.kerberos.krb5.file=/path/to/krb5.conf
> {code}



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Reply via email to