nifi-users mailing list archives

From Bryan Bende <bbe...@gmail.com>
Subject Re: Incorrect PublishKafka_0_10 documentation?
Date Wed, 08 Nov 2017 14:48:21 GMT
James,

Sorry it was confusing to get this working.

What you described is correct: the "Kerberos Service Name" should be
the serviceName you would put in the JAAS file which is typically
"kafka", and then the "Kerberos Principal" and "Kerberos Keytab" would
be the principal and keytab from the JAAS file.

I believe "Kerberos Principal" and "Kerberos Keytab" are optional
because you can alternatively set a JAAS file through the system
property, but if you provide these properties then NiFi creates one
dynamically for you.

Feel free to create a JIRA or submit a PR to improve the documentation
of these properties.

Thanks,

Bryan


On Tue, Nov 7, 2017 at 3:13 PM, James Srinivasan
<james.srinivasan@gmail.com> wrote:
> I've been struggling to get NiFi working with Kerberos authenticated
> Kafka. According to the docs, the "Kerberos Service Name" property
> specifies:
>
> "The Kerberos principal name that Kafka runs as. This can be defined
> either in Kafka's JAAS config or in Kafka's config. Corresponds to
> Kafka's 'security.protocol' property. It is ignored unless one of the
> SASL options of the <Security Protocol> are selected."
>
> First off, it doesn't correspond to Kafka's security.protocol property
> - it corresponds to the JAAS serviceName property. Second, I'm not
> sure it is a Kerberos principal name - in my (HDP) install, it is set
> to "kafka", and using the full Kerberos principal name
> ("kafka@MYDOMAIN.LOCAL") doesn't work. I would submit a PR, but I'm
> not 100% sure about the second bit.
>
> Long story short, for my install setting this to "kafka" worked, plus
> setting "Kerberos Principal" and "Kerberos Keytab" to suitable things,
> and "Security Protocol" to "SASL_PLAINTEXT". In our environment, we
> enforce explicit topic creation so having done that and granted
> producer and consumer access to the correct users, everything works
> nicely.
>
> James
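
As an added example that is not part of either message or of NiFi's code: a small Python check that reads an existing KafkaClient JAAS section and derives the three processor property values discussed in this thread, rejecting a service name given as a full principal. The JAAS contents (keytab path, principal, realm) are constructed placeholders, and the function names are hypothetical.

```python
import re

# Constructed sample: a typical client-side JAAS file for Kerberized Kafka.
# Keytab path, principal and realm are placeholders, not values from the thread.
SAMPLE_JAAS = '''
KafkaClient {
  com.sun.security.auth.module.Krb5LoginModule required
  useKeyTab=true
  storeKey=true
  keyTab="/etc/security/keytabs/nifi.keytab"
  principal="nifi@EXAMPLE.COM"
  serviceName="kafka";
};
'''

# JAAS option name -> NiFi PublishKafka_0_10 property named in the thread
JAAS_TO_NIFI = {
    "serviceName": "Kerberos Service Name",
    "principal": "Kerberos Principal",
    "keyTab": "Kerberos Keytab",
}

def jaas_options(text, section="KafkaClient"):
    """Return the key=value options of one JAAS section as a dict."""
    m = re.search(r"\b%s\s*\{(.*?)\}\s*;" % re.escape(section), text, re.S)
    if not m:
        raise ValueError("no %s section found" % section)
    pairs = re.findall(r'(\w+)\s*=\s*(?:"([^"]*)"|([^\s;]+))', m.group(1))
    # Each match is (key, quoted value, bare value); one of the two is empty.
    return {key: quoted or bare for key, quoted, bare in pairs}

def nifi_properties(text):
    """Map JAAS options to NiFi property values; reject a bad service name."""
    opts = jaas_options(text)
    missing = [k for k in JAAS_TO_NIFI if k not in opts]
    if missing:
        raise ValueError("JAAS section lacks: " + ", ".join(missing))
    service = opts["serviceName"]
    # The thread reports "kafka" works and "kafka@MYDOMAIN.LOCAL" does not.
    # Also rejecting "/" (the service/host form) is an assumption added here.
    if "@" in service or "/" in service:
        raise ValueError("serviceName must be the short name, got %r" % service)
    return {JAAS_TO_NIFI[k]: opts[k] for k in JAAS_TO_NIFI}

if __name__ == "__main__":
    for name, value in nifi_properties(SAMPLE_JAAS).items():
        print("%-22s = %s" % (name, value))
```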
