Configuring Kerberos in nifi.properties The following key parameters for Kerberos are added to nifi.properties: Kerberos client authentication. If you want NiFi to use Kerberos for user authentication: nifi.kerberos.service.principal=nifi/_HOST@YOUR_REALM
nifi.kerberos.service.keytab.location=/path/to/nifi.keytab nifi.kerberos.service.principal is the Kerberos principal to be used by NiFi. Typically this is nifi/hostname@REALM.
_HOST is replaced by the name of the host on which NiFi is running.
nifi.kerberos.service.keytab.location is the path to the keytab file that contains the credentials for the principal. Kerberos for LDAP/Active Directory Authentication If you are using Kerberos in conjunction with LDAP or Active Directory for authentication: nifi.kerberos.spnego.principal=nifi/_HOST@YOUR_REALM
nifi.kerberos.spnego.keytab.location=/path/to/spnego.keytab nifi.kerberos.spnego.principal - SPNEGO principal used for authentication via Kerberos.
nifi.kerberos.spnego.keytab.location - path to the keytab file for SPNEGO. Kerberos for Inter-Node Communication If NiFi nodes in your cluster must also authenticate with each other using Kerberos: nifi.cluster.node.kerberos.principal=nifi/_HOST@YOUR_REALM
nifi.cluster.node.kerberos.keytab.location=/path/to/cluster.keytab nifi.cluster.nuster.node.kerberos.principal - the principal used by the cluster nodes to authenticate with each other.
nifi.cluster.node.node.kerberos.keytab.location - the path to the keytab file for the cluster nodes. Customize the JVM Environment for Kerberos krb5.conf You must make sure that the krb5.conf file (usually found in /etc/krb5.conf) is configured correctly and contains all the necessary parameters for your Kerberos realm. JVM Options Add JVM options to point to krb5.conf if required: java.arg.kerberos=-Djava.security.krb5.conf=/etc/krb5.conf This parameter can be added to the NiFi startup scripts (nifi-env.sh). Verify Kerberos Configuration Verify that Keytab files are available and contain the correct credentials.


Verify that all nodes in the NiFi cluster can obtain Kerberos tickets using the kinit command.


Verify that NiFi is successfully using Kerberos for authentication by running it and checking the logs for Kerberos-related errors. In a nutshell, these settings are needed if you need to consider Authentication: Kerberos provides a strong mechanism for authenticating users and nodes in the cluster. This means that each component, be it a user or another node, must prove its authenticity before accessing NiFi resources. In this way, the risk of unauthorized access is reduced. Security of inter-node communication: In a NiFi cluster where multiple nodes need to interact with each other, Kerberos ensures that all these interactions are secured. Each node must receive a ticket from the key distribution center (KDC) to prove its identity to other nodes. Encryption: Kerberos can be used in conjunction with SSL/TLS to provide encryption for data transmitted between cluster nodes and between users and NiFi. This protects data from interception and other attacks during transmission. Configuring Kerberos in nifi.properties Configuring Kerberos in nifi.properties The following key parameters for Kerberos are added to nifi.properties : nifi.properties Kerberos client authentication . Kerberos client authentication If you want NiFi to use Kerberos for user authentication: nifi.kerberos.service.principal=nifi/_HOST@YOUR_REALM
nifi.kerberos.service.keytab.location=/path/to/nifi.keytab nifi.kerberos.service.principal=nifi/_HOST@YOUR_REALM
nifi.kerberos.service.keytab.location=/path/to/nifi.keytab nifi.kerberos.service.principal is the Kerberos principal to be used by NiFi. Typically this is nifi/hostname@REALM. _HOST is replaced by the name of the host on which NiFi is running. nifi.kerberos.service.keytab.location is the path to the keytab file that contains the credentials for the principal. nifi.kerberos.service.principal is the Kerberos principal to be used by NiFi. Typically this is nifi/hostname@REALM . nifi.kerberos.service.principal nifi/hostname@REALM _HOST is replaced by the name of the host on which NiFi is running. _HOST nifi.kerberos.service.keytab.location is the path to the keytab file that contains the credentials for the principal. nifi.kerberos.service.keytab.location Kerberos for LDAP/Active Directory Authentication Kerberos for LDAP/Active Directory Authentication If you are using Kerberos in conjunction with LDAP or Active Directory for authentication: nifi.kerberos.spnego.principal=nifi/_HOST@YOUR_REALM
nifi.kerberos.spnego.keytab.location=/path/to/spnego.keytab nifi.kerberos.spnego.principal=nifi/_HOST@YOUR_REALM
nifi.kerberos.spnego.keytab.location=/path/to/spnego.keytab nifi.kerberos.spnego.principal - SPNEGO principal used for authentication via Kerberos. nifi.kerberos.spnego.keytab.location - path to the keytab file for SPNEGO. nifi.kerberos.spnego.principal - SPNEGO principal used for authentication via Kerberos. nifi.kerberos.spnego.principal nifi.kerberos.spnego.keytab.location - path to the keytab file for SPNEGO. nifi.kerberos.spnego.keytab.location Kerberos for Inter-Node Communication Kerberos If NiFi nodes in your cluster must also authenticate with each other using Kerberos: nifi.cluster.node.kerberos.principal=nifi/_HOST@YOUR_REALM
nifi.cluster.node.kerberos.keytab.location=/path/to/cluster.keytab nifi.cluster.node.kerberos.principal=nifi/_HOST@YOUR_REALM
nifi.cluster.node.kerberos.keytab.location=/path/to/cluster.keytab nifi.cluster.nuster.node.kerberos.principal - the principal used by the cluster nodes to authenticate with each other. nifi.cluster.node.node.kerberos.keytab.location - the path to the keytab file for the cluster nodes. nifi.cluster.nuster.node.kerberos.principal - the principal used by the cluster nodes to authenticate with each other. nifi.cluster.nuster.node.kerberos.principal nifi.cluster.node.node.kerberos.keytab.location - the path to the keytab file for the cluster nodes. nifi.cluster.node.node.kerberos.keytab.location Customize the JVM Environment for Kerberos Customize the JVM Environment for Kerberos krb5.conf krb5.conf You must make sure that the krb5.conf file (usually found in /etc/krb5.conf ) is configured correctly and contains all the necessary parameters for your Kerberos realm. krb5.conf /etc/krb5.conf JVM Options JVM Options Add JVM options to point to krb5.conf if required: krb5.conf java.arg.kerberos=-Djava.security.krb5.conf=/etc/krb5.conf java.arg.kerberos=-Djava.security.krb5.conf=/etc/krb5.conf This parameter can be added to the NiFi startup scripts ( nifi-env.sh ). nifi-env.sh Verify Kerberos Configuration Verify Kerberos Configuration Verify that Keytab files are available and contain the correct credentials. Verify that all nodes in the NiFi cluster can obtain Kerberos tickets using the kinit command. Verify that NiFi is successfully using Kerberos for authentication by running it and checking the logs for Kerberos-related errors. Verify that Keytab files are available and contain the correct credentials. Verify that Keytab files are available and contain the correct credentials. Verify that all nodes in the NiFi cluster can obtain Kerberos tickets using the kinit command. Verify that all nodes in the NiFi cluster can obtain Kerberos tickets using the kinit command. kinit Verify that NiFi is successfully using Kerberos for authentication by running it and checking the logs for Kerberos-related errors. Verify that NiFi is successfully using Kerberos for authentication by running it and checking the logs for Kerberos-related errors. In a nutshell, these settings are needed if you need to consider Authentication: Kerberos provides a strong mechanism for authenticating users and nodes in the cluster. This means that each component, be it a user or another node, must prove its authenticity before accessing NiFi resources. In this way, the risk of unauthorized access is reduced. Authentication : Kerberos provides a strong mechanism for authenticating users and nodes in the cluster. This means that each component, be it a user or another node, must prove its authenticity before accessing NiFi resources. In this way, the risk of unauthorized access is reduced. Authentication Security of inter-node communication: In a NiFi cluster where multiple nodes need to interact with each other, Kerberos ensures that all these interactions are secured. Each node must receive a ticket from the key distribution center (KDC) to prove its identity to other nodes. Security of inter-node communication : In a NiFi cluster where multiple nodes need to interact with each other, Kerberos ensures that all these interactions are secured. Each node must receive a ticket from the key distribution center (KDC) to prove its identity to other nodes. Security of inter-node communication Encryption: Kerberos can be used in conjunction with SSL/TLS to provide encryption for data transmitted between cluster nodes and between users and NiFi. This protects data from interception and other attacks during transmission. Encryption : Kerberos can be used in conjunction with SSL/TLS to provide encryption for data transmitted between cluster nodes and between users and NiFi. This protects data from interception and other attacks during transmission. Encryption

Kerberos + Ni-Fi = Secure

About Author

Comments

TOPICS

THIS ARTICLE WAS FEATURED IN

Related Stories

Building a Simple Custom Processor With Apache Ni-Fi

Setting up Data Streams Using NiPyAPI: UI-Free Guide

Building a Simple Custom Processor With Apache Ni-Fi

Is Your Apache Ni-Fi Ready for Production?

DolphinScheduler and SeaTunnel VS. AirFlow and NiFi

Data Warehouse vs Data Lake

Building a Simple Custom Processor With Apache Ni-Fi

Setting up Data Streams Using NiPyAPI: UI-Free Guide

Building a Simple Custom Processor With Apache Ni-Fi

Is Your Apache Ni-Fi Ready for Production?

DolphinScheduler and SeaTunnel VS. AirFlow and NiFi

Data Warehouse vs Data Lake

Light-Mode

Classic

Newspaper

Minty

Dark-Mode

Neon Noir

Minty

HN StartUps