I am using Apache NiFi 1.7 and I'm trying to use a RecordWriter that uses the Hortonworks Schema Registry controller service to read schema metadata.

However, this controller service doesn't have any Kerberos configuration properties like "Kerberos Credential Service" that other NiFi processors have, so I am getting a 401 Error: Authentication required when I try to read a schema from the Hortonworks Schema Registry.

The intriguing thing here is that this workflow was working before, and after stopping the NiFi flow, moving the cluster to a different LAN and relaunching the flow again, it started to fail. I discarded any network issues here since Kerberos and the schema registry keep the same URIs as before and I can make a query to the registry service from the command line with curl as before.

Is there a way to make the Hortonworks Schema Registry controller work with Kerberos?

SecretAgentMan
dhalfageme

1 Answer

In 1.7.0 the only way to do it is through a JAAS file with an entry for RegistryClient like:

RegistryClient {
    com.sun.security.auth.module.Krb5LoginModule required
    useKeyTab=true
    keyTab="REPLACE_WITH_KEYTAB"
    storeKey=true
    useTicketCache=false
    principal="REPLACE_WITH_PRINCIPAL";
};

Then in NiFi's bootstrap.conf you need to specify the system property:

java.arg.16=-Djava.security.auth.login.config=/path/to/jaas.conf

In 1.10.0 there are new properties in the service to make it easier to configure.

Bryan Bende
  • Hi, thank you for your answer. It seems I have already configured it. I can see this in the configs inside Ambari: java.arg.0=-Djava.security.auth.login.config={{nifi_jaas_conf}}. And I can find NifiClient and RegistryClient sections inside the JAAS config file. What I don't know is the templating mechanism {{nifi_jaas_conf}}, but I can say that the file is present and also the Advanced nifi-jaas-conf section in Ambari is properly filled with valid principal and keytab parameters. This configuration was working before relaunching the NiFi flow. How can I check if NiFi is properly reading this config? Tx – dhalfageme Jan 20 '20 at 07:56
  • Find the NiFi bootstrap.conf that is written out to disk instead of looking at the one through Ambari. The only way NiFi wouldn't use that property is if you set another one later in the bootstrap.conf that pointed at a different JAAS file and overrode the first one – Bryan Bende Jan 21 '20 at 14:38
  • Yes, the file was on disk. After restarting NiFi (several times) it started to work without changing anything. It is very weird... Thank you for helping, I will upvote you since the information you provided is very useful – dhalfageme Jan 21 '20 at 14:48
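
The check discussed in the comments (which JAAS file the on-disk bootstrap.conf actually names, and whether that file has a usable RegistryClient entry), as an added example that is not part of the original answer or NiFi's own code. File contents are passed in as text; the function names, sample paths and sample principal are constructed for illustration.

```python
import re
JAAS_PROP = "-Djava.security.auth.login.config="
# Constructed sample input, not taken from a real cluster.
SAMPLE_BOOTSTRAP = """java.arg.0=-Djava.security.auth.login.config=/etc/nifi/conf/nifi_jaas.conf
java.arg.2=-Xms512m
java.arg.16=-Djava.security.auth.login.config=/tmp/other_jaas.conf
"""
SAMPLE_JAAS = """RegistryClient {
    com.sun.security.auth.module.Krb5LoginModule required
    keyTab="/etc/security/keytabs/nifi.keytab"
    principal="nifi/host.example.com@EXAMPLE.COM";
};
"""

def jaas_args(bootstrap_text):
    """Return (key, path) for every java.arg.* line that sets the JAAS login config."""
    found = []
    for line in bootstrap_text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key.startswith("java.arg.") and value.startswith(JAAS_PROP):
            found.append((key, value[len(JAAS_PROP):]))
    return found

def jaas_entry(jaas_text, name="RegistryClient"):
    """Return one JAAS entry's options as a dict, or None if the entry is absent."""
    m = re.search(r"^\s*%s\s*\{(.*?)\}\s*;" % re.escape(name), jaas_text, re.M | re.S)
    return dict(re.findall(r'(\w+)\s*=\s*"?([^"\s;]+)"?', m.group(1))) if m else None

def check(bootstrap_text, jaas_text):
    """List reasons the registry client might not get the intended Kerberos login."""
    problems = []
    paths = sorted({path for _, path in jaas_args(bootstrap_text)})
    if not paths:
        problems.append("no java.arg sets java.security.auth.login.config")
    if len(paths) > 1:
        problems.append("more than one JAAS file configured: " + ", ".join(paths))
    if any("{{" in p for p in paths):
        problems.append("unrendered template placeholder in JAAS path")
    entry = jaas_entry(jaas_text)
    if entry is None:
        return problems + ["no RegistryClient entry in JAAS file"]
    for opt in ("keyTab", "principal"):
        if entry.get(opt, "REPLACE_WITH").startswith("REPLACE_WITH"):
            problems.append("RegistryClient %s is not set" % opt)
    return problems

if __name__ == "__main__":
    for problem in check(SAMPLE_BOOTSTRAP, SAMPLE_JAAS):
        print("WARN:", problem)
```

To use it on a node, pass in the text of the bootstrap.conf that was written to disk and of the JAAS file it names.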