[ https://issues.apache.org/jira/browse/NIFI-5041?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16475184#comment-16475184 ]

ASF GitHub Bot commented on NIFI-5041:
--------------------------------------

Github user mattyb149 commented on a diff in the pull request:

    https://github.com/apache/nifi/pull/2630#discussion_r188147689
  
    --- Diff: 
nifi-nar-bundles/nifi-spark-bundle/nifi-livy-controller-service/src/main/java/org/apache/nifi/controller/livy/LivySessionController.java
 ---
    @@ -241,12 +241,14 @@ public void onConfigured(final ConfigurationContext 
context) {
                 while (enabled) {
                     try {
                         manageSessions();
    +                } catch (Exception e) {
    +                    getLogger().error("Livy Session Manager Thread run 
into an error, but continues to run", e);
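
Review bot: the added catch (Exception e) inside the while (enabled) loop treats every failure from manageSessions() the same way, so a failure that recurs is logged at error level with the exception attached on every pass of the loop, and nothing is kept that callers of the controller could check. Consider catching the narrower exception types manageSessions() can throw, storing the last failure in a field so it can be surfaced, and rewording the log message to "ran into an error".
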
    --- End diff --
    
    This keeps the manageSessions() thread alive, but will there be an 
indication on the UI that the error is not recoverable? I'm thinking 
specifically about the 401 Authorization Required error where the Livy API 
returns HTML rather than JSON when you try to log in without Kerberos when the 
server has been Kerberized. Should we set an AtomicReference<Exception> or 
something on the LivySessionController and throw a checked exception when any 
API call is made (such as isEmpty() which is called from 
ExecuteSparkInteractive)? I think we need to make it obvious (at least in that 
case) that the processor and/or CS is suffering from a non-recoverable error 
and needs manual intervention.
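
The approach suggested in the comment above, sketched as an added example that is not part of the original comment or of NiFi's code: the manager loop records a non-recoverable failure in an AtomicReference, and the API call fails fast with a checked exception. Apart from manageSessions() and isEmpty(), every class and method name here is an assumption, and the 401 failure is simulated.

```java
import java.io.IOException;
import java.util.concurrent.atomic.AtomicReference;

// Sketch only: apart from manageSessions() and isEmpty(), every name here is
// an assumption for illustration, not NiFi's LivySessionController code.
public class SessionManagerSketch {
    /** Checked exception handed to callers once the manager thread hit a fatal error. */
    public static class SessionManagerException extends Exception {
        public SessionManagerException(String msg, Throwable cause) { super(msg, cause); }
    }
    /** Assumed marker for failures retrying cannot fix, such as a 401 with an HTML body. */
    public static class NonRecoverableException extends IOException {
        public NonRecoverableException(String msg) { super(msg); }
    }

    private final AtomicReference<Exception> fatalError = new AtomicReference<>();

    /** Stand-in for the real polling; simulates the Kerberized-server response (constructed). */
    protected void manageSessions() throws IOException {
        throw new NonRecoverableException("401 Authorization Required, HTML body instead of JSON");
    }

    /** One pass of the manager loop body: remember fatal errors, log and retry the rest. */
    void runOnce() {
        try {
            manageSessions();
            fatalError.set(null);          // a clean pass clears an earlier failure
        } catch (NonRecoverableException e) {
            fatalError.set(e);             // kept for callers until a pass succeeds
        } catch (Exception e) {
            System.err.println("Session manager error, will retry: " + e);
        }
    }

    /** API call used by processors: fails fast instead of silently reporting no sessions. */
    public boolean isEmpty() throws SessionManagerException {
        Exception e = fatalError.get();
        if (e != null) {
            throw new SessionManagerException("Livy session manager needs manual intervention", e);
        }
        return true;                       // the sketch itself holds no sessions
    }

    public static void main(String[] args) {
        SessionManagerSketch cs = new SessionManagerSketch();
        cs.runOnce();
        try {
            cs.isEmpty();
        } catch (SessionManagerException ex) {
            System.out.println(ex.getMessage() + ": " + ex.getCause().getMessage());
        }
    }
}
```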


> Add convenient SPNEGO/Kerberos authentication support to LivySessionController
> ------------------------------------------------------------------------------
>
>                 Key: NIFI-5041
>                 URL: https://issues.apache.org/jira/browse/NIFI-5041
>             Project: Apache NiFi
>          Issue Type: Improvement
>            Reporter: Peter Toth
>            Priority: Minor
>
> Livy requires SPNEGO/Kerberos authentication on a secured cluster. Initiating 
> such an authentication from NiFi is viable by providing a 
> java.security.auth.login.config system property 
> (https://docs.oracle.com/javase/8/docs/technotes/guides/security/jgss/lab/part6.html),
>  but this is a bit cumbersome and needs kinit running outside of NiFi.
> An alternative and more sophisticated solution would be to do the SPNEGO 
> negotiation programmatically.
>  * This solution would add some new properties to the LivySessionController 
> to fetch Kerberos principal and password/keytab
>  * Add the required HTTP Negotiate header (with an SPNEGO token) to the 
> HttpURLConnection to do the authentication programmatically 
> (https://tools.ietf.org/html/rfc4559)



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)