Posted to issues@nifi.apache.org by "ASF GitHub Bot (JIRA)" <ji...@apache.org> on 2017/03/21 15:13:41 UTC

[jira] [Commented] (NIFI-3528) Include dynamic JAAS configuration for Kafka processors 0.10+

    [ https://issues.apache.org/jira/browse/NIFI-3528?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15934756#comment-15934756 ] 

ASF GitHub Bot commented on NIFI-3528:
--------------------------------------

GitHub user pvillard31 opened a pull request:

    https://github.com/apache/nifi/pull/1606

    NIFI-3528 Added support for keytab/principal to Kafka 0.10 processors

    Thank you for submitting a contribution to Apache NiFi.
    
    In order to streamline the review of the contribution we ask you
    to ensure the following steps have been taken:
    
    ### For all changes:
    - [X] Is there a JIRA ticket associated with this PR? Is it referenced 
         in the commit message?
    
    - [X] Does your PR title start with NIFI-XXXX where XXXX is the JIRA number you are trying to resolve? Pay particular attention to the hyphen "-" character.
    
    - [X] Has your PR been rebased against the latest commit within the target branch (typically master)?
    
    - [X] Is your initial contribution a single, squashed commit?
    
    ### For code changes:
    - [X] Have you ensured that the full suite of tests is executed via mvn -Pcontrib-check clean install at the root nifi folder?
    - [X] Have you written or updated unit tests to verify your changes?
    
    ### Note:
    Please ensure that once the PR is submitted, you check travis-ci for build issues and submit an update to your PR as soon as possible.
    
    ==================================================
    
    At the moment, it is not possible to have multi-tenancy when using Kafka processors: a single JAAS configuration file must be set in JVM variables to allow communication with a Kerberos-enabled Kafka cluster. Since the release of Kafka client 0.10.2, this has been improved and it gives the possibility to define a Login Module at processor level.
    
    Here is a summary of the tests performed: on a standalone NiFi instance, only the ``krb5.conf`` file path has been set in ``nifi.properties``. And the following workflow has been used:
    
    <img width="1009" alt="screen shot 2017-03-21 at 4 06 44 pm" src="https://cloud.githubusercontent.com/assets/11541012/24154067/7546606a-0e50-11e7-9502-d6607fd3f3fd.png">
    
    Each Publish/Consume is using its own pair of user keytab/principal and consumes/publishes from/to a queue where correct ACLs have been set for the corresponding users. By looking at the audit logs, we can confirm that the authentication on each queue is correctly performed and that we have the expected behavior.
    
    At the moment, I used the following JAAS input as the standard:
    ````
        KafkaClient {
           com.sun.security.auth.module.Krb5LoginModule required
           useTicketCache=false
           renewTicket=true
           serviceName="kafka"
           useKeyTab=true
           keyTab="/path/to/keytab"
           principal="principal@EXAMPLE.COM";
        };
    ````
    and I only exposed the keytab and principal as new properties. The other properties are not exposed but that's something we could add if necessary/useful.


You can merge this pull request into a Git repository by running:

    $ git pull https://github.com/pvillard31/nifi NIFI-3528

Alternatively you can review and apply these changes as the patch at:

    https://github.com/apache/nifi/pull/1606.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

    This closes #1606
    
----
commit e8571a5be32dc2201973ef491d267e592038b552
Author: Pierre Villard <pi...@gmail.com>
Date:   2017-03-21T14:48:53Z

    NIFI-3528 Added support for keytab/principal to Kafka 0.10 processors

----


> Include dynamic JAAS configuration for Kafka processors 0.10+
> -------------------------------------------------------------
>
>                 Key: NIFI-3528
>                 URL: https://issues.apache.org/jira/browse/NIFI-3528
>             Project: Apache NiFi
>          Issue Type: Improvement
>          Components: Extensions
>            Reporter: Pierre Villard
>            Assignee: Pierre Villard
>             Fix For: 1.2.0
>
>
> Kafka 0.10.2.0 was released a few days ago and introduced KAFKA-4259.
> It should now be possible to dynamically specify the client when using Kafka client library. Consequently, in a multi-tenant context, it won't be necessary anymore to write as a single user (defined in JAAS configuration file and loaded by the JVM) in all running Kafka processors.
> More details here:
> https://cwiki.apache.org/confluence/display/KAFKA/KIP-85%3A+Dynamic+JAAS+configuration+for+Kafka+clients



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
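
Added example, not part of the original message and not NiFi's own code: a sketch of the per-client login module that KIP-85 enables, built as a `sasl.jaas.config` value from a keytab/principal pair. The options mirror the JAAS entry quoted in the pull request; the class and method names, the `SASL_PLAINTEXT` protocol, the sample tenants and the input check are assumptions made for illustration.

```java
import java.util.Properties;

public class PerClientJaasExample {

    // Conservative check (an assumption of this example): refuse characters that
    // could close the quoted option value early and smuggle in extra options.
    static String requireSafe(String name, String value) {
        if (value == null || value.isEmpty()) {
            throw new IllegalArgumentException(name + " must not be empty");
        }
        for (char c : value.toCharArray()) {
            if (c == '"' || c == '\\' || Character.isISOControl(c)) {
                throw new IllegalArgumentException(name + " contains an illegal character");
            }
        }
        return value;
    }

    // Inline form of the KafkaClient entry: module class, control flag, options, ';'.
    // Option names and values are the ones quoted in the pull request.
    static String jaasConfig(String keytab, String principal, String serviceName) {
        return "com.sun.security.auth.module.Krb5LoginModule required "
                + "useTicketCache=false "
                + "renewTicket=true "
                + "serviceName=\"" + requireSafe("serviceName", serviceName) + "\" "
                + "useKeyTab=true "
                + "keyTab=\"" + requireSafe("keyTab", keytab) + "\" "
                + "principal=\"" + requireSafe("principal", principal) + "\";";
    }

    // One Properties object per producer/consumer: no JVM-wide JAAS file involved.
    static Properties clientProps(String keytab, String principal) {
        Properties p = new Properties();
        p.setProperty("security.protocol", "SASL_PLAINTEXT"); // assumed; SASL_SSL also applies
        p.setProperty("sasl.kerberos.service.name", "kafka");
        p.setProperty("sasl.jaas.config", jaasConfig(keytab, principal, "kafka"));
        return p;
    }

    public static void main(String[] args) {
        // Constructed sample tenants; paths and principals are placeholders.
        Properties a = clientProps("/path/to/tenant-a.keytab", "tenant-a@EXAMPLE.COM");
        Properties b = clientProps("/path/to/tenant-b.keytab", "tenant-b@EXAMPLE.COM");
        System.out.println(a.getProperty("sasl.jaas.config"));
        System.out.println(b.getProperty("sasl.jaas.config"));
        try {
            // A principal carrying a quote must not reach the JAAS string.
            clientProps("/path/to/tenant-a.keytab", "tenant-a@EXAMPLE.COM\" debug=\"true");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Because the keytab path and principal arrive as user-editable processor properties, checking them before concatenation keeps one tenant's input from altering the login module options.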