Keytab Configuration for Nifi processor


Shashi Vishwakarma
Hi
 
I have a NiFi 3-node cluster (installed via Hortonworks Data Flow - HDF) in a Kerberized environment. As part of the installation, Ambari has created a nifi service keytab.

Can I use this nifi.service.keytab for configuring processors like PutHDFS that talk to Hadoop services?

The nifi.service.keytab is machine-specific and always expects principal names with machine information, e.g. nifi/HOSTNAME@REALM

If I configure my processor with nifi/NODE1_Hostname@REALM information, then I see a Kerberos authentication exception on the other two nodes.

How do I dynamically resolve the hostname to use the nifi service keytab?

Thanks 
Shashi
Re: Keytab Configuration for Nifi processor

Pierre Villard
Hi,

Using nifi/_HOST@REALM should resolve your problem.

Hope this helps.


2017-06-08 22:00 GMT+02:00 Shashi Vishwakarma <[hidden email]>:
Hi
 
I have a NiFi 3-node cluster (installed via Hortonworks Data Flow - HDF) in a Kerberized environment. As part of the installation, Ambari has created a nifi service keytab.

Can I use this nifi.service.keytab for configuring processors like PutHDFS that talk to Hadoop services?

The nifi.service.keytab is machine-specific and always expects principal names with machine information, e.g. nifi/HOSTNAME@REALM

If I configure my processor with nifi/NODE1_Hostname@REALM information, then I see a Kerberos authentication exception on the other two nodes.

How do I dynamically resolve the hostname to use the nifi service keytab?

Thanks 
Shashi

Re: Keytab Configuration for Nifi processor

Shashi Vishwakarma
Hi

The above solution did not work. In the log I can see the Kerberos error "Unable to obtain password". NiFi is not able to resolve the _HOST value.

Thanks
Shashi

On Thu, Jun 8, 2017 at 9:10 PM, Pierre Villard <[hidden email]> wrote:
Hi,

Using nifi/_HOST@REALM should resolve your problem.

Hope this helps.


Re: Keytab Configuration for Nifi processor

Shashi Vishwakarma
The PutHDFS processor does not resolve the hostname when I pass nifi/_HOST@REALM. Any way to configure it?

On Fri, Jun 9, 2017 at 10:52 AM, Shashi Vishwakarma <[hidden email]> wrote:
Hi

The above solution did not work. In the log I can see the Kerberos error "Unable to obtain password". NiFi is not able to resolve the _HOST value.

Thanks
Shashi

Re: Keytab Configuration for Nifi processor

Pierre Villard
You're right, I thought I already did it this way but just tried again and it does not work. My bad.
Your best option is to use a dedicated keytab (not a service keytab), that's the best practice to manage authorizations properly.
But NiFi could certainly be improved to accept _HOST pattern as it's done in other tools.

2017-06-09 12:49 GMT+02:00 Shashi Vishwakarma <[hidden email]>:
The PutHDFS processor does not resolve the hostname when I pass nifi/_HOST@REALM. Any way to configure it?

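Added example, not part of the thread and not NiFi or Hadoop code: a small model of the four configurations discussed above, checking on each node whether the configured principal has an entry in that node's keytab. The realm, hostnames and the dedicated principal `nifi-flow` are constructed, and the `_HOST` expansion follows the Hadoop convention of substituting the node's lowercased fully-qualified hostname, which is an assumption about the "other tools" mentioned.

```python
import re

# Constructed sample data: realm, hostnames and the dedicated principal are illustrative.
REALM = "EXAMPLE.COM"
NODES = ["node1.example.com", "node2.example.com", "node3.example.com"]
DEDICATED = f"nifi-flow@{REALM}"  # hypothetical headless principal

PRINCIPAL_RE = re.compile(r"([^/@]+)/([^/@]+)@([^/@]+)")


def keytab_entries(host, shared=None):
    """Principals held in one node's keytab: its own service principal,
    plus an optional principal whose keytab was copied to every node."""
    entries = {f"nifi/{host}@{REALM}"}
    if shared:
        entries.add(shared)
    return entries


def expand_host(principal, fqdn):
    """Replace an instance component that is exactly _HOST with the
    lowercased local FQDN (the Hadoop convention, assumed here)."""
    m = PRINCIPAL_RE.fullmatch(principal)
    if m and m.group(2) == "_HOST":
        return f"{m.group(1)}/{fqdn.lower()}@{m.group(3)}"
    return principal


def login_results(configured, expand=False, shared=None):
    """For each node, report whether its keytab has a key for the
    principal the processor was configured with."""
    results = {}
    for host in NODES:
        principal = expand_host(configured, host) if expand else configured
        results[host] = principal in keytab_entries(host, shared)
    return results


if __name__ == "__main__":
    cases = {
        "node1 service principal": login_results(f"nifi/{NODES[0]}@{REALM}"),
        "_HOST taken literally": login_results(f"nifi/_HOST@{REALM}"),
        "_HOST expanded per node": login_results(f"nifi/_HOST@{REALM}", expand=True),
        "dedicated principal": login_results(DEDICATED, shared=DEDICATED),
    }
    for name, result in cases.items():
        failed = [h for h, ok in result.items() if not ok]
        print(f"{name}: fails on {failed or 'no node'}")
```

The dedicated-principal case assumes the same keytab file is copied to every node, so one processor configuration is valid cluster-wide.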