This content originally appeared on HackerNoon and was authored by Temirlan Amanbayev
Configuring Kerberos in nifi.properties
The following key parameters for Kerberos are added to nifi.properties:
Kerberos client authentication
If you want NiFi to use Kerberos for user authentication:
nifi.kerberos.service.principal=nifi/_HOST@YOUR_REALM
nifi.kerberos.service.keytab.location=/path/to/nifi.keytab
nifi.kerberos.service.principal is the Kerberos principal to be used by NiFi. Typically this is nifi/hostname@REALM. _HOST is replaced by the name of the host on which NiFi is running.
nifi.kerberos.service.keytab.location is the path to the keytab file that contains the credentials for the principal.
Kerberos for LDAP/Active Directory Authentication
If you are using Kerberos in conjunction with LDAP or Active Directory for authentication:
nifi.kerberos.spnego.principal=nifi/_HOST@YOUR_REALM
nifi.kerberos.spnego.keytab.location=/path/to/spnego.keytab
nifi.kerberos.spnego.principal - SPNEGO principal used for authentication via Kerberos.
nifi.kerberos.spnego.keytab.location - path to the keytab file for SPNEGO.
Kerberos for Inter-Node Communication
If NiFi nodes in your cluster must also authenticate with each other using Kerberos:
nifi.cluster.node.kerberos.principal=nifi/_HOST@YOUR_REALM
nifi.cluster.node.kerberos.keytab.location=/path/to/cluster.keytab
nifi.cluster.node.kerberos.principal - the principal used by the cluster nodes to authenticate with each other.
nifi.cluster.node.kerberos.keytab.location - the path to the keytab file for the cluster nodes.
Customize the JVM Environment for Kerberos
krb5.conf
You must make sure that the krb5.conf file (usually found in /etc/krb5.conf) is configured correctly and contains all the necessary parameters for your Kerberos realm.
JVM Options
Add JVM options to point to krb5.conf if required:
java.arg.kerberos=-Djava.security.krb5.conf=/etc/krb5.conf
This parameter can be added to the NiFi startup scripts (nifi-env.sh).
Verify Kerberos Configuration
Verify that keytab files are available and contain the correct credentials.
Verify that all nodes in the NiFi cluster can obtain Kerberos tickets using the kinit command.
Verify that NiFi is successfully using Kerberos for authentication by running it and checking the logs for Kerberos-related errors.
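Part of the first check can be scripted before any kinit attempt: that each configured keytab exists, is not readable by other accounts, and is paired with a well-formed principal. The script below is an added example, not code from the original article or from Apache NiFi; it uses the property names as written on this page and assumes a primary/instance@REALM principal shape, owner-only keytab permissions, and a placeholder default path conf/nifi.properties.

```python
import os, re, socket, stat, sys

# (principal key, keytab key) pairs, named as they are written on this page.
PAIRS = [
    ("nifi.kerberos.service.principal", "nifi.kerberos.service.keytab.location"),
    ("nifi.kerberos.spnego.principal", "nifi.kerberos.spnego.keytab.location"),
    ("nifi.cluster.node.kerberos.principal", "nifi.cluster.node.kerberos.keytab.location"),
]
# Assumed shape for a service principal: primary/instance@REALM.
PRINCIPAL_RE = re.compile(r"^[^/@\s]+/[^/@\s]+@[A-Za-z0-9._-]+$")

def parse_properties(text):
    """Parse key=value lines, skipping blanks and # or ! comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and line[0] not in "#!" and "=" in line:
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def check_kerberos(props, hostname=None):
    """Return a list of findings; an empty list means every configured pair passed."""
    hostname = hostname or socket.getfqdn()
    findings = []
    for p_key, k_key in PAIRS:
        principal, keytab = props.get(p_key, ""), props.get(k_key, "")
        if not principal and not keytab:
            continue  # pair not configured
        if not principal or not keytab:
            findings.append(f"{p_key}: principal and keytab must be set together")
            continue
        resolved = principal.replace("_HOST", hostname)  # substitution the page describes
        if not PRINCIPAL_RE.match(resolved):
            findings.append(f"{p_key}: '{resolved}' is not primary/instance@REALM")
        try:
            mode = stat.S_IMODE(os.stat(keytab).st_mode)
        except OSError:
            findings.append(f"{k_key}: {keytab} is missing or not accessible")
            continue
        if mode & 0o077:  # any group/other bit exposes the long-term key
            findings.append(f"{k_key}: {keytab} has mode {mode:o}, expected 600 or 400")
    return findings

if __name__ == "__main__":
    # Default path is a placeholder; pass the real nifi.properties path as argv[1].
    path = sys.argv[1] if len(sys.argv) > 1 else "conf/nifi.properties"
    with open(path) as fh:
        print("\n".join(check_kerberos(parse_properties(fh.read()))) or "no findings")
```

Run it on every node as the account that starts NiFi, since a keytab that root can read may still be inaccessible to the service user.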
In a nutshell, these settings are needed if you need to consider:
- Authentication: Kerberos provides a strong mechanism for authenticating users and nodes in the cluster. This means that each component, be it a user or another node, must prove its authenticity before accessing NiFi resources. In this way, the risk of unauthorized access is reduced.
- Security of inter-node communication: In a NiFi cluster where multiple nodes need to interact with each other, Kerberos ensures that all these interactions are secured. Each node must receive a ticket from the key distribution center (KDC) to prove its identity to other nodes.
- Encryption: Kerberos can be used in conjunction with SSL/TLS to provide encryption for data transmitted between cluster nodes and between users and NiFi. This protects data from interception and other attacks during transmission.
Temirlan Amanbayev | Sciencx (2024-09-11T01:56:32+00:00) Kerberos + Ni-Fi = Secure. Retrieved from https://www.scien.cx/2024/09/11/kerberos-ni-fi-secure/