nifi-users mailing list archives

From Bryan Bende <bbe...@gmail.com>
Subject Re: Kerberos - Ticket Cache and JAAS config
Date Tue, 16 Jun 2020 19:50:58 GMT
Hello,

Using the JAAS config file is not great for multi-tenancy; many client
libraries have hard-coded rules that make an assumption that there is only
one client entry of the given type, like "KafkaClient", meaning you can't
have multiple Kafka clients using different entries from the JAAS config.

This is the reason many processors allow directly specifying a principal +
keytab, or a principal + password where keytabs are not preferred. The
processors will then do an in-memory JAAS config and login behind the
scenes.

Thanks,

Bryan



On Tue, Jun 16, 2020 at 2:43 PM Darren Govoni <darren@ontrenet.com> wrote:

> I would use some kind of SSO type proxy service and have your Nifi
> processors request an authorization from that whereby the proxy service
> performs the authentication to the backend service you are protecting and
> only returns to Nifi the needed token to interact with it.
>
> Probably for this approach you'll need a single JAAS implementation to the
> proxy and the token payloads can be any underlying implementation that the
> remote service requires.
>
> Not sure off hand which SSO proxy might just drop into your scenario but a
> custom JAAS impl will probably be needed in Nifi regardless.
>
> What you don't want Nifi to do is juggle and manage white box awareness of
> all these different remote services. Rather just request authorization and
> pass session tokens onward.
>
> As they say, though, the devil is in the details.
>
> Darren
>
> Sent from my Verizon, Samsung Galaxy smartphone
>
>

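As an added illustration of the in-memory JAAS approach Bryan describes (example code written for this page, not NiFi's own implementation): each caller builds its own `Configuration` for `Krb5LoginModule` from a principal and keytab and hands it straight to `LoginContext`, so nothing depends on a shared `KafkaClient` entry in a JAAS file. The entry name, principal and keytab path below are placeholders.

```java
import javax.security.auth.Subject;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import java.util.HashMap;
import java.util.Map;

public final class InMemoryKerberosLogin {

    // Synthetic entry name chosen here; it is never read from a jaas.conf file.
    private static final String ENTRY_NAME = "per-processor-kerberos";

    // Builds a JAAS Configuration that answers only for ENTRY_NAME with a
    // keytab-based Krb5LoginModule entry for the given principal.
    static Configuration keytabConfiguration(String principal, String keytabPath) {
        Map<String, String> options = new HashMap<>();
        options.put("principal", principal);
        options.put("keyTab", keytabPath);
        options.put("useKeyTab", "true");
        options.put("storeKey", "true");      // keep the key so the Subject can renew
        options.put("doNotPrompt", "true");   // never fall back to interactive prompts
        options.put("refreshKrb5Config", "true");
        AppConfigurationEntry entry = new AppConfigurationEntry(
                "com.sun.security.auth.module.Krb5LoginModule",
                AppConfigurationEntry.LoginModuleControlFlag.REQUIRED,
                options);
        return new Configuration() {
            @Override
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                return ENTRY_NAME.equals(name) ? new AppConfigurationEntry[]{entry} : null;
            }
        };
    }

    // Logs in with the per-caller Configuration passed directly to LoginContext.
    // Not calling Configuration.setConfiguration() avoids replacing the JVM-wide
    // configuration, so two callers with different principals do not clash.
    static Subject login(String principal, String keytabPath) throws LoginException {
        Configuration config = keytabConfiguration(principal, keytabPath);
        LoginContext lc = new LoginContext(ENTRY_NAME, new Subject(), null, config);
        lc.login();
        return lc.getSubject();
    }

    public static void main(String[] args) throws LoginException {
        // Placeholder principal and keytab path; replace with real values to run.
        Subject tenantA = login("svc-a@EXAMPLE.COM", "/etc/security/keytabs/svc-a.keytab");
        Subject tenantB = login("svc-b@EXAMPLE.COM", "/etc/security/keytabs/svc-b.keytab");
        System.out.println(tenantA.getPrincipals() + " / " + tenantB.getPrincipals());
    }
}
```

Work that must run as a given tenant is then wrapped in `Subject.doAs(subject, action)`, and the keytab files should be readable only by the NiFi service account.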