takraj commented on PR #10582:
URL: https://github.com/apache/nifi/pull/10582#issuecomment-3612767922

@exceptionfactory I accidentally came across this inconsistency when I was setting up a Kerberos test environment, and noticed that while NiFi has correctly picked up my custom krb5.conf, and I was able to use it in the components, Registry hasn't, and my authorizer plugin failed to connect to the backend service, because it picked up the wrong config file, and Registry was unable to start because of this.

I was able to work around it by adding the extra java arg externally, but since this is a system property, and Registry already has a config option for this, I believe the system property should be set by the application, not the user. And especially not by the plugin, since this is a global option that can interfere with other components, and can cause difficult-to-debug errors if done without control.

Secondly, the Kerberos-related properties all have spnego in their names, except for this one, so it sounds legitimate to expect it to have effect even without configuring spnego:

```
# kerberos properties #
nifi.registry.kerberos.krb5.file=/path/to/krb5.conf
nifi.registry.kerberos.spnego.authentication.expiration=12 hours
nifi.registry.kerberos.spnego.principal=HTTP/localhost@LOCALHOST
nifi.registry.kerberos.spnego.keytab.location=/path/to/keytab
```

I'd say, let's either explicitly document that this property only has effect in spnego context, or align the behavior to the rest of the product, so there is no ambiguity.

--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at: [email protected]
