Configuring Kerberos in nifi.properties

The following key parameters for Kerberos are added to nifi.properties.

Kerberos client authentication

If you want NiFi to use Kerberos for user authentication:

    nifi.kerberos.service.principal=nifi/_HOST@YOUR_REALM
    nifi.kerberos.service.keytab.location=/path/to/nifi.keytab

- nifi.kerberos.service.principal is the Kerberos principal to be used by NiFi. Typically this is nifi/hostname@REALM. _HOST is replaced by the name of the host on which NiFi is running.
- nifi.kerberos.service.keytab.location is the path to the keytab file that contains the credentials for the principal.

Kerberos for LDAP/Active Directory Authentication

If you are using Kerberos in conjunction with LDAP or Active Directory for authentication:

    nifi.kerberos.spnego.principal=nifi/_HOST@YOUR_REALM
    nifi.kerberos.spnego.keytab.location=/path/to/spnego.keytab

- nifi.kerberos.spnego.principal is the SPNEGO principal used for authentication via Kerberos.
- nifi.kerberos.spnego.keytab.location is the path to the keytab file for SPNEGO.

Kerberos for Inter-Node Communication

If NiFi nodes in your cluster must also authenticate with each other using Kerberos:

    nifi.cluster.node.kerberos.principal=nifi/_HOST@YOUR_REALM
    nifi.cluster.node.kerberos.keytab.location=/path/to/cluster.keytab

- nifi.cluster.node.kerberos.principal is the principal used by the cluster nodes to authenticate with each other.
- nifi.cluster.node.kerberos.keytab.location is the path to the keytab file for the cluster nodes.

Customize the JVM Environment for Kerberos

krb5.conf

You must make sure that the krb5.conf file (usually found in /etc/krb5.conf) is configured correctly and contains all the necessary parameters for your Kerberos realm.

JVM Options

Add JVM options to point to krb5.conf if required:

    java.arg.kerberos=-Djava.security.krb5.conf=/etc/krb5.conf

This parameter can be added to the NiFi startup scripts (nifi-env.sh).

Verify Kerberos Configuration

- Verify that the keytab files are available and contain the correct credentials.
- Verify that all nodes in the NiFi cluster can obtain Kerberos tickets using the kinit command.
- Verify that NiFi is successfully using Kerberos for authentication by running it and checking the logs for Kerberos-related errors.

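The first two checks above can be scripted and run on each node. This is an added example, not code from the original page or from NiFi: it reads the principal/keytab pairs named on this page from nifi.properties, expands _HOST as described above, and flags pairs that are incomplete or whose keytab is missing or accessible to group/other. The function names, status strings and the owner-only permission rule are assumptions of this example; live_check also needs the MIT Kerberos tools (klist, kinit, kdestroy) and a reachable KDC.

```shell
#!/bin/sh
# Added example: pre-flight check of the Kerberos pairs in nifi.properties.
# Property prefixes are the ones shown on this page; paths are placeholders.
PREFIXES="nifi.kerberos.service nifi.kerberos.spnego nifi.cluster.node.kerberos"

# Print the value of property $2 from file $1 (last definition wins).
get_prop() {
    awk -v k="$2" -F= '$1 == k { sub(/^[^=]*=/, ""); v = $0 }
                       END { if (v != "") print v }' "$1"
}

# Replace _HOST in principal $1 with host name $2.
expand_host() { printf '%s\n' "$1" | sed "s/_HOST/$2/"; }

# True only if $1 is a regular file with no group/other permission bits.
keytab_private() {
    [ -f "$1" ] && [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Offline check of one principal/keytab pair: file $1, prefix $2, host $3.
# Prints one status line; returns non-zero if the pair is unusable.
check_pair() {
    p=$(get_prop "$1" "$2.principal")
    k=$(get_prop "$1" "$2.keytab.location")
    if [ -z "$p" ] && [ -z "$k" ]; then echo "$2: unset"; return 0; fi
    if [ -z "$p" ] || [ -z "$k" ]; then echo "$2: incomplete"; return 1; fi
    if [ ! -f "$k" ]; then echo "$2: keytab-missing $k"; return 1; fi
    if ! keytab_private "$k"; then echo "$2: keytab-permissive $k"; return 1; fi
    echo "$2: ok $(expand_host "$p" "$3") $k"
}

# Live check (MIT Kerberos tools, reachable KDC): the keytab must list the
# principal, and kinit must obtain a ticket into a throwaway cache.
live_check() {   # $1 = expanded principal, $2 = keytab
    klist -k -t "$2" | grep -F -q " $1" || return 1
    cc=$(mktemp) || return 1
    KRB5CCNAME="FILE:$cc" kinit -k -t "$2" "$1"; rc=$?
    KRB5CCNAME="FILE:$cc" kdestroy -q 2>/dev/null; rm -f "$cc"
    return $rc
}

# Usage: sh check.sh /path/to/nifi.properties
if [ "$#" -ge 1 ]; then
    host=$(hostname -f); fail=0
    for pre in $PREFIXES; do check_pair "$1" "$pre" "$host" || fail=1; done
    exit $fail
fi
```

Run live_check with the expanded principal and keytab path from each "ok" line, as the account that runs NiFi, so that file ownership and KDC reachability are tested under the same identity.
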
In a nutshell, these settings are needed if you need the following:

- Authentication: Kerberos provides a strong mechanism for authenticating users and nodes in the cluster. This means that each component, be it a user or another node, must prove its authenticity before accessing NiFi resources. In this way, the risk of unauthorized access is reduced.
- Security of inter-node communication: In a NiFi cluster where multiple nodes need to interact with each other, Kerberos ensures that all these interactions are secured. Each node must receive a ticket from the key distribution center (KDC) to prove its identity to other nodes.
- Encryption: Kerberos can be used in conjunction with SSL/TLS to provide encryption for data transmitted between cluster nodes and between users and NiFi. This protects data from interception and other attacks during transmission.