You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@nifi.apache.org by ex...@apache.org on 2021/08/19 00:56:21 UTC
[nifi] branch main updated: NIFI-8973 Implement KerberosUserService
API and keytab, password, and ticket cache implementations
This is an automated email from the ASF dual-hosted git repository.
exceptionfactory pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/nifi.git
The following commit(s) were added to refs/heads/main by this push:
new 21c2fb9 NIFI-8973 Implement KerberosUserService API and keytab, password, and ticket cache implementations
21c2fb9 is described below
commit 21c2fb95d3c73f6fb512bca3ddd0adfa02b388e5
Author: Bryan Bende <bb...@gmail.com>
AuthorDate: Fri Jul 30 10:51:16 2021 -0400
NIFI-8973 Implement KerberosUserService API and keytab, password, and ticket cache implementations
NIFI-8974 Integrate KerberosUserService with HDFS processors
NIFI-8980 Integrate KerberosUserService with Kafka 2.6 processors
- Introduced SelfContainerKerberosUserService to restrict which impls can be used with Kafka
- Add variations of KerberosUser doAs that allow setting the context ClassLoader
- Add additional unit tests for configurations
This closes #5277
Signed-off-by: David Handermann <ex...@apache.org>
---
NOTICE | 7 +
.../apache/nifi/components/RequiredPermission.java | 1 +
nifi-assembly/pom.xml | 6 +
.../pom.xml | 24 +-
.../org/apache/nifi/security/krb/KerberosUser.java | 46 ++++
nifi-commons/nifi-security-kerberos/pom.xml | 5 +
.../nifi/security/krb/AbstractKerberosUser.java | 82 +++++--
.../apache/nifi/security/krb/KerberosAction.java | 15 +-
.../nifi/security/krb/KerberosKeytabUser.java | 21 +-
.../nifi/security/krb/KerberosPasswordUser.java | 17 +-
.../nifi/security/krb/KerberosTicketCacheUser.java | 22 +-
.../nifi/security/krb/PasswordConfiguration.java | 2 +-
.../security/krb/TicketCacheConfiguration.java | 14 ++
.../nifi/security/krb/TestKerberosKeytabUser.java} | 44 ++--
.../security/krb/TestKerberosPasswordUser.java | 41 ++--
.../security/krb/TestKerberosTicketCacheUser.java | 63 ++++++
nifi-commons/pom.xml | 1 +
.../nifi-extension-utils/nifi-hadoop-utils/pom.xml | 5 +
.../processors/hadoop/AbstractHadoopProcessor.java | 100 +++++++--
.../nifi-hdfs-processors/pom.xml | 4 +
.../nifi/processors/hadoop/AbstractHadoopTest.java | 88 ++++++++
.../nifi-hive-bundle/nifi-hive3-processors/pom.xml | 5 +-
.../nifi-kafka-2-6-processors/pom.xml | 10 +-
.../kafka/pubsub/CustomKerberosLogin.java | 248 +++++++++++++++++++++
.../kafka/pubsub/KafkaProcessorUtils.java | 102 ++++++++-
.../kafka/pubsub/KafkaProcessorUtilsTest.java | 37 ++-
.../kafka/pubsub/TestConsumeKafkaRecord_2_6.java | 2 +-
.../kafka/pubsub/TestConsumeKafka_2_6.java | 44 +++-
.../apache/nifi/processors/kudu/MockPutKudu.java | 21 ++
.../nifi-parquet-processors/pom.xml | 4 +
.../nifi-kerberos-user-service-api/pom.xml | 35 +++
.../apache/nifi/kerberos/KerberosUserService.java | 40 ++++
.../SelfContainedKerberosUserService.java} | 34 +--
.../nifi-kerberos-user-service-nar/pom.xml | 37 +++
.../src/main/resources/META-INF/LICENSE | 209 +++++++++++++++++
.../src/main/resources/META-INF/NOTICE | 20 ++
.../nifi-kerberos-user-service/pom.xml | 41 ++++
.../nifi/kerberos/AbstractKerberosUserService.java | 114 ++++++++++
.../nifi/kerberos/KerberosKeytabUserService.java | 70 ++++++
.../nifi/kerberos/KerberosPasswordUserService.java | 60 +++++
.../kerberos/KerberosTicketCacheUserService.java | 71 ++++++
.../org.apache.nifi.controller.ControllerService | 17 ++
.../nifi-kerberos-user-service-bundle/pom.xml | 28 +++
.../nifi-standard-services-api-nar/pom.xml | 10 +
nifi-nar-bundles/nifi-standard-services/pom.xml | 2 +
nifi-nar-bundles/pom.xml | 12 +
46 files changed, 1710 insertions(+), 171 deletions(-)
diff --git a/NOTICE b/NOTICE
index 9eb9a10..41b0c94 100644
--- a/NOTICE
+++ b/NOTICE
@@ -126,3 +126,10 @@ This includes derived works from Cloudera Schema Registry available under Apache
Cloudera Schema Registry
Copyright 2016-2019 Cloudera, Inc.
The code can be found in nifi-nar-bundles/nifi-standard-services/nifi-hwx-schema-registry-bundle/nifi-hwx-schema-registry-service/src/main/java/com/hortonworks/registries/schemaregistry/client/SchemaRegistryClient.java
+
+This includes derived works from Apache Kafka available under Apache Software License V2
+ Copyright 2021 The Apache Software Foundation.
+ The derived work is adapted from
+ https://github.com/apache/kafka/blob/trunk/clients/src/main/java/org/apache/kafka/common/security/kerberos/KerberosLogin.java
+ and can be found in
+ nifi-nar-bundles/nifi-kafka-bundle/nifi-kafka-2-6-processors/src/main/java/org/apache/nifi/processors/kafka/pubsub/CustomKerberosLogin.java
\ No newline at end of file
diff --git a/nifi-api/src/main/java/org/apache/nifi/components/RequiredPermission.java b/nifi-api/src/main/java/org/apache/nifi/components/RequiredPermission.java
index 10e5f95..a7cdec8 100644
--- a/nifi-api/src/main/java/org/apache/nifi/components/RequiredPermission.java
+++ b/nifi-api/src/main/java/org/apache/nifi/components/RequiredPermission.java
@@ -28,6 +28,7 @@ public enum RequiredPermission {
WRITE_DISTRIBUTED_FILESYSTEM("write-distributed-filesystem", "write distributed filesystem"),
EXECUTE_CODE("execute-code", "execute code"),
ACCESS_KEYTAB("access-keytab", "access keytab"),
+ ACCESS_TICKET_CACHE("access-ticket-cache", "access ticket cache"),
EXPORT_NIFI_DETAILS("export-nifi-details", "export nifi details");
private String permissionIdentifier;
diff --git a/nifi-assembly/pom.xml b/nifi-assembly/pom.xml
index 651acf8..7f94d7f 100644
--- a/nifi-assembly/pom.xml
+++ b/nifi-assembly/pom.xml
@@ -742,6 +742,12 @@ language governing permissions and limitations under the License. -->
<version>1.15.0-SNAPSHOT</version>
<type>nar</type>
</dependency>
+ <dependency>
+ <groupId>org.apache.nifi</groupId>
+ <artifactId>nifi-kerberos-user-service-nar</artifactId>
+ <version>1.15.0-SNAPSHOT</version>
+ <type>nar</type>
+ </dependency>
<dependency>
<groupId>org.apache.nifi</groupId>
<artifactId>nifi-proxy-configuration-nar</artifactId>
diff --git a/nifi-commons/nifi-security-kerberos/pom.xml b/nifi-commons/nifi-security-kerberos-api/pom.xml
similarity index 60%
copy from nifi-commons/nifi-security-kerberos/pom.xml
copy to nifi-commons/nifi-security-kerberos-api/pom.xml
index 32bfa01..cb23fc4 100644
--- a/nifi-commons/nifi-security-kerberos/pom.xml
+++ b/nifi-commons/nifi-security-kerberos-api/pom.xml
@@ -20,27 +20,5 @@
<artifactId>nifi-commons</artifactId>
<version>1.15.0-SNAPSHOT</version>
</parent>
- <artifactId>nifi-security-kerberos</artifactId>
- <dependencies>
- <dependency>
- <groupId>org.apache.nifi</groupId>
- <artifactId>nifi-api</artifactId>
- <version>1.15.0-SNAPSHOT</version>
- </dependency>
- <dependency>
- <groupId>org.apache.commons</groupId>
- <artifactId>commons-lang3</artifactId>
- <version>3.11</version>
- </dependency>
- <dependency>
- <groupId>org.slf4j</groupId>
- <artifactId>slf4j-api</artifactId>
- </dependency>
- <dependency>
- <groupId>org.apache.hadoop</groupId>
- <artifactId>hadoop-minikdc</artifactId>
- <version>3.1.0</version>
- <scope>test</scope>
- </dependency>
- </dependencies>
+ <artifactId>nifi-security-kerberos-api</artifactId>
</project>
diff --git a/nifi-commons/nifi-security-kerberos/src/main/java/org/apache/nifi/security/krb/KerberosUser.java b/nifi-commons/nifi-security-kerberos-api/src/main/java/org/apache/nifi/security/krb/KerberosUser.java
similarity index 57%
rename from nifi-commons/nifi-security-kerberos/src/main/java/org/apache/nifi/security/krb/KerberosUser.java
rename to nifi-commons/nifi-security-kerberos-api/src/main/java/org/apache/nifi/security/krb/KerberosUser.java
index 16e4fd2..631f445 100644
--- a/nifi-commons/nifi-security-kerberos/src/main/java/org/apache/nifi/security/krb/KerberosUser.java
+++ b/nifi-commons/nifi-security-kerberos-api/src/main/java/org/apache/nifi/security/krb/KerberosUser.java
@@ -16,6 +16,7 @@
*/
package org.apache.nifi.security.krb;
+import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.LoginException;
import java.security.PrivilegedAction;
import java.security.PrivilegedActionException;
@@ -54,6 +55,25 @@ public interface KerberosUser {
* Executes the given action as the given user.
*
* @param action the action to execute
+ * @param contextClassLoader the class loader to set as the current thread's context class loader
+ * @param <T> the type of response
+ * @return the result of the action
+ * @throws IllegalStateException if attempting to execute an action before performing a login
+ */
+ default <T> T doAs(PrivilegedAction<T> action, ClassLoader contextClassLoader) throws IllegalStateException {
+ final ClassLoader originalContextClassLoader = Thread.currentThread().getContextClassLoader();
+ Thread.currentThread().setContextClassLoader(contextClassLoader);
+ try {
+ return doAs(action);
+ } finally {
+ Thread.currentThread().setContextClassLoader(originalContextClassLoader);
+ }
+ }
+
+ /**
+ * Executes the given action as the given user.
+ *
+ * @param action the action to execute
* @param <T> the type of response
* @return the result of the action
* @throws IllegalStateException if attempting to execute an action before performing a login
@@ -63,6 +83,27 @@ public interface KerberosUser {
throws IllegalStateException, PrivilegedActionException;
/**
+ * Executes the given action as the given user.
+ *
+ * @param action the action to execute
+ * @param contextClassLoader the class loader to set as the current thread's context class loader
+ * @param <T> the type of response
+ * @return the result of the action
+ * @throws IllegalStateException if attempting to execute an action before performing a login
+ * @throws PrivilegedActionException if the action itself threw an exception
+ */
+ default <T> T doAs(PrivilegedExceptionAction<T> action, ClassLoader contextClassLoader)
+ throws IllegalStateException, PrivilegedActionException {
+ final ClassLoader originalContextClassLoader = Thread.currentThread().getContextClassLoader();
+ Thread.currentThread().setContextClassLoader(contextClassLoader);
+ try {
+ return doAs(action);
+ } finally {
+ Thread.currentThread().setContextClassLoader(originalContextClassLoader);
+ }
+ }
+
+ /**
* Performs a re-login if the TGT is close to expiration.
*
* @return true if a relogin was performed, false otherwise
@@ -80,4 +121,9 @@ public interface KerberosUser {
*/
String getPrincipal();
+ /**
+ * @return the configuration entry used to perform the login
+ */
+ AppConfigurationEntry getConfigurationEntry();
+
}
diff --git a/nifi-commons/nifi-security-kerberos/pom.xml b/nifi-commons/nifi-security-kerberos/pom.xml
index 32bfa01..37afd13 100644
--- a/nifi-commons/nifi-security-kerberos/pom.xml
+++ b/nifi-commons/nifi-security-kerberos/pom.xml
@@ -28,6 +28,11 @@
<version>1.15.0-SNAPSHOT</version>
</dependency>
<dependency>
+ <groupId>org.apache.nifi</groupId>
+ <artifactId>nifi-security-kerberos-api</artifactId>
+ <version>1.15.0-SNAPSHOT</version>
+ </dependency>
+ <dependency>
<groupId>org.apache.commons</groupId>
<artifactId>commons-lang3</artifactId>
<version>3.11</version>
diff --git a/nifi-commons/nifi-security-kerberos/src/main/java/org/apache/nifi/security/krb/AbstractKerberosUser.java b/nifi-commons/nifi-security-kerberos/src/main/java/org/apache/nifi/security/krb/AbstractKerberosUser.java
index 5278618..3d7c96c 100644
--- a/nifi-commons/nifi-security-kerberos/src/main/java/org/apache/nifi/security/krb/AbstractKerberosUser.java
+++ b/nifi-commons/nifi-security-kerberos/src/main/java/org/apache/nifi/security/krb/AbstractKerberosUser.java
@@ -20,9 +20,13 @@ import org.apache.commons.lang3.Validate;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
+import javax.security.auth.RefreshFailedException;
import javax.security.auth.Subject;
+import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.kerberos.KerberosPrincipal;
import javax.security.auth.kerberos.KerberosTicket;
+import javax.security.auth.login.AppConfigurationEntry;
+import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import java.security.PrivilegedAction;
@@ -33,6 +37,14 @@ import java.util.Date;
import java.util.Set;
import java.util.concurrent.atomic.AtomicBoolean;
+/**
+ * Base class for implementations of KerberosUser.
+ *
+ * Generally implementations must provide the specific Configuration instance for performing the login,
+ * along with an optional CallbackHandler.
+ *
+ * Some functionality in this class is adapted from Hadoop's UserGroupInformation.
+ */
public abstract class AbstractKerberosUser implements KerberosUser {
private static final Logger LOGGER = LoggerFactory.getLogger(AbstractKerberosUser.class);
@@ -44,6 +56,11 @@ public abstract class AbstractKerberosUser implements KerberosUser {
*/
static final float TICKET_RENEW_WINDOW = 0.80f;
+ /**
+ * The name of the configuration entry to use from the Configuration instance.
+ */
+ static final String KERBEROS_USER_CONFIG_ENTRY = "KerberosUser";
+
protected final String principal;
protected final AtomicBoolean loggedIn = new AtomicBoolean(false);
@@ -75,7 +92,9 @@ public abstract class AbstractKerberosUser implements KerberosUser {
// other classes may be referencing an existing subject and replacing it may break functionality of those other classes after relogin
this.subject = new Subject();
}
- this.loginContext = createLoginContext(subject);
+
+ // the Configuration implementations have only one config entry and always return it regardless of the passed in name
+ this.loginContext = new LoginContext(KERBEROS_USER_CONFIG_ENTRY, subject, createCallbackHandler(), createConfiguration());
}
loginContext.login();
@@ -88,7 +107,29 @@ public abstract class AbstractKerberosUser implements KerberosUser {
}
}
- protected abstract LoginContext createLoginContext(final Subject subject) throws LoginException;
+ /**
+ * Allow sub-classes to provide the Configuration instance.
+ *
+ * @return the Configuration instance
+ */
+ protected abstract Configuration createConfiguration();
+
+ /**
+ * Allow sub-classes to provide an optional CallbackHandler.
+ *
+ * @return the CallbackHandler instance, or null
+ */
+ protected abstract CallbackHandler createCallbackHandler();
+
+ @Override
+ public AppConfigurationEntry getConfigurationEntry() {
+ final Configuration configuration = createConfiguration();
+ final AppConfigurationEntry[] configurationEntries = configuration.getAppConfigurationEntry("KerberosUser");
+ if (configurationEntries == null || configurationEntries.length != 1) {
+ throw new IllegalStateException("Configuration must return one entry");
+ }
+ return configurationEntries[0];
+ }
/**
* Performs a logout of the current user.
@@ -157,18 +198,30 @@ public abstract class AbstractKerberosUser implements KerberosUser {
public synchronized boolean checkTGTAndRelogin() throws LoginException {
final KerberosTicket tgt = getTGT();
if (tgt == null) {
- LOGGER.debug("TGT was not found");
+ LOGGER.debug("TGT for {} was not found, performing logout/login", principal);
+ logout();
+ login();
+ return true;
}
if (tgt != null && System.currentTimeMillis() < getRefreshTime(tgt)) {
- LOGGER.debug("TGT was found, but has not reached expiration window");
+ LOGGER.debug("TGT for {} was found, but has not reached expiration window", principal);
return false;
}
- LOGGER.debug("Performing relogin for {}", new Object[]{principal});
- logout();
- login();
- return true;
+ try {
+ tgt.refresh();
+ LOGGER.debug("TGT for {} was refreshed", principal);
+ return true;
+ } catch (final RefreshFailedException e) {
+ LOGGER.debug("TGT for {} could not be refreshed", principal);
+ LOGGER.trace("", e);
+ LOGGER.debug("Performing logout/login for {}", principal);
+ logout();
+ login();
+ return true;
+ }
+
}
/**
@@ -201,7 +254,7 @@ public abstract class AbstractKerberosUser implements KerberosUser {
if (principal.getName().equals("krbtgt/" + principal.getRealm() + "@" + principal.getRealm())) {
if (LOGGER.isTraceEnabled()) {
- LOGGER.trace("Found TGT principal: " + principal.getName());
+ LOGGER.trace("Found TGS principal: " + principal.getName());
}
return true;
}
@@ -210,15 +263,18 @@ public abstract class AbstractKerberosUser implements KerberosUser {
}
private long getRefreshTime(final KerberosTicket tgt) {
- long start = tgt.getStartTime().getTime();
- long end = tgt.getEndTime().getTime();
+ final long start = tgt.getStartTime().getTime();
+ final long end = tgt.getEndTime().getTime();
+ final long renewUntil = tgt.getRenewTill().getTime();
if (LOGGER.isTraceEnabled()) {
final SimpleDateFormat dateFormat = new SimpleDateFormat(DATE_FORMAT);
final String startDate = dateFormat.format(new Date(start));
final String endDate = dateFormat.format(new Date(end));
- LOGGER.trace("TGT valid starting at: " + startDate);
- LOGGER.trace("TGT expires at: " + endDate);
+ final String renewUntilDate = dateFormat.format(new Date(renewUntil));
+ LOGGER.trace("TGT for {} is valid starting at [{}]", principal, startDate);
+ LOGGER.trace("TGT for {} expires at [{}]", principal, endDate);
+ LOGGER.trace("TGT for {} renews until [{}]", principal, renewUntilDate);
}
return start + (long) ((end - start) * TICKET_RENEW_WINDOW);
diff --git a/nifi-commons/nifi-security-kerberos/src/main/java/org/apache/nifi/security/krb/KerberosAction.java b/nifi-commons/nifi-security-kerberos/src/main/java/org/apache/nifi/security/krb/KerberosAction.java
index 3ba4420..dce2e06 100644
--- a/nifi-commons/nifi-security-kerberos/src/main/java/org/apache/nifi/security/krb/KerberosAction.java
+++ b/nifi-commons/nifi-security-kerberos/src/main/java/org/apache/nifi/security/krb/KerberosAction.java
@@ -32,13 +32,22 @@ public class KerberosAction<T> {
private final KerberosUser kerberosUser;
private final PrivilegedExceptionAction<T> action;
private final ComponentLog logger;
+ private final ClassLoader contextClassLoader;
public KerberosAction(final KerberosUser kerberosUser,
final PrivilegedExceptionAction<T> action,
final ComponentLog logger) {
+ this(kerberosUser, action, logger, null);
+ }
+
+ public KerberosAction(final KerberosUser kerberosUser,
+ final PrivilegedExceptionAction<T> action,
+ final ComponentLog logger,
+ final ClassLoader contextClassLoader) {
this.kerberosUser = kerberosUser;
this.action = action;
this.logger = logger;
+ this.contextClassLoader = contextClassLoader;
Validate.notNull(this.kerberosUser);
Validate.notNull(this.action);
Validate.notNull(this.logger);
@@ -65,7 +74,11 @@ public class KerberosAction<T> {
// attempt to execute the action, if an exception is caught attempt to logout/login and retry
try {
- result = kerberosUser.doAs(action);
+ if (contextClassLoader == null) {
+ result = kerberosUser.doAs(action);
+ } else {
+ result = kerberosUser.doAs(action, contextClassLoader);
+ }
} catch (SecurityException se) {
logger.info("Privileged action failed, attempting relogin and retrying...");
logger.debug("", se);
diff --git a/nifi-commons/nifi-security-kerberos/src/main/java/org/apache/nifi/security/krb/KerberosKeytabUser.java b/nifi-commons/nifi-security-kerberos/src/main/java/org/apache/nifi/security/krb/KerberosKeytabUser.java
index a2af82e..f5da1aa 100644
--- a/nifi-commons/nifi-security-kerberos/src/main/java/org/apache/nifi/security/krb/KerberosKeytabUser.java
+++ b/nifi-commons/nifi-security-kerberos/src/main/java/org/apache/nifi/security/krb/KerberosKeytabUser.java
@@ -18,15 +18,11 @@ package org.apache.nifi.security.krb;
import org.apache.commons.lang3.Validate;
-import javax.security.auth.Subject;
+import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.Configuration;
-import javax.security.auth.login.LoginContext;
-import javax.security.auth.login.LoginException;
/**
* Used to authenticate and execute actions when Kerberos is enabled and a keytab is being used.
- *
- * Some of the functionality in this class is adapted from Hadoop's UserGroupInformation.
*/
public class KerberosKeytabUser extends AbstractKerberosUser {
@@ -39,9 +35,13 @@ public class KerberosKeytabUser extends AbstractKerberosUser {
}
@Override
- protected LoginContext createLoginContext(Subject subject) throws LoginException {
- final Configuration config = new KeytabConfiguration(principal, keytabFile);
- return new LoginContext("KeytabConf", subject, null, config);
+ protected Configuration createConfiguration() {
+ return new KeytabConfiguration(principal, keytabFile);
+ }
+
+ @Override
+ protected CallbackHandler createCallbackHandler() {
+ return null;
}
/**
@@ -51,9 +51,4 @@ public class KerberosKeytabUser extends AbstractKerberosUser {
return keytabFile;
}
- // Visible for testing
- Subject getSubject() {
- return this.subject;
- }
-
}
diff --git a/nifi-commons/nifi-security-kerberos/src/main/java/org/apache/nifi/security/krb/KerberosPasswordUser.java b/nifi-commons/nifi-security-kerberos/src/main/java/org/apache/nifi/security/krb/KerberosPasswordUser.java
index 8f9a22a..59c289d 100644
--- a/nifi-commons/nifi-security-kerberos/src/main/java/org/apache/nifi/security/krb/KerberosPasswordUser.java
+++ b/nifi-commons/nifi-security-kerberos/src/main/java/org/apache/nifi/security/krb/KerberosPasswordUser.java
@@ -18,11 +18,8 @@ package org.apache.nifi.security.krb;
import org.apache.commons.lang3.Validate;
-import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.Configuration;
-import javax.security.auth.login.LoginContext;
-import javax.security.auth.login.LoginException;
/**
* KerberosUser that authenticates via username and password instead of keytab.
@@ -33,15 +30,17 @@ public class KerberosPasswordUser extends AbstractKerberosUser {
public KerberosPasswordUser(final String principal, final String password) {
super(principal);
- this.password = password;
- Validate.notBlank(this.password);
+ this.password = Validate.notBlank(password);
}
@Override
- protected LoginContext createLoginContext(final Subject subject) throws LoginException {
- final Configuration configuration = new PasswordConfiguration();
- final CallbackHandler callbackHandler = new UsernamePasswordCallbackHandler(principal, password);
- return new LoginContext("PasswordConf", subject, callbackHandler, configuration);
+ protected Configuration createConfiguration() {
+ return new PasswordConfiguration();
+ }
+
+ @Override
+ protected CallbackHandler createCallbackHandler() {
+ return new UsernamePasswordCallbackHandler(principal, password);
}
}
diff --git a/nifi-commons/nifi-security-kerberos/src/main/java/org/apache/nifi/security/krb/KerberosTicketCacheUser.java b/nifi-commons/nifi-security-kerberos/src/main/java/org/apache/nifi/security/krb/KerberosTicketCacheUser.java
index adcb046..fa7e47e 100644
--- a/nifi-commons/nifi-security-kerberos/src/main/java/org/apache/nifi/security/krb/KerberosTicketCacheUser.java
+++ b/nifi-commons/nifi-security-kerberos/src/main/java/org/apache/nifi/security/krb/KerberosTicketCacheUser.java
@@ -16,28 +16,32 @@
*/
package org.apache.nifi.security.krb;
-import javax.security.auth.Subject;
+import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.Configuration;
-import javax.security.auth.login.LoginContext;
-import javax.security.auth.login.LoginException;
/**
* Used to perform actions as a Subject that already has a ticket in the ticket cache.
*/
public class KerberosTicketCacheUser extends AbstractKerberosUser {
+ private final String ticketCache;
+
public KerberosTicketCacheUser(final String principal) {
+ this(principal, null);
+ }
+
+ public KerberosTicketCacheUser(final String principal, final String ticketCache) {
super(principal);
+ this.ticketCache = ticketCache;
}
@Override
- protected LoginContext createLoginContext(Subject subject) throws LoginException {
- final Configuration config = new TicketCacheConfiguration(principal);
- return new LoginContext("TicketCacheConf", subject, null, config);
+ protected Configuration createConfiguration() {
+ return new TicketCacheConfiguration(principal, ticketCache);
}
- // Visible for testing
- Subject getSubject() {
- return this.subject;
+ @Override
+ protected CallbackHandler createCallbackHandler() {
+ return null;
}
}
diff --git a/nifi-commons/nifi-security-kerberos/src/main/java/org/apache/nifi/security/krb/PasswordConfiguration.java b/nifi-commons/nifi-security-kerberos/src/main/java/org/apache/nifi/security/krb/PasswordConfiguration.java
index 04ec7d6..d41ab93 100644
--- a/nifi-commons/nifi-security-kerberos/src/main/java/org/apache/nifi/security/krb/PasswordConfiguration.java
+++ b/nifi-commons/nifi-security-kerberos/src/main/java/org/apache/nifi/security/krb/PasswordConfiguration.java
@@ -27,7 +27,7 @@ public class PasswordConfiguration extends Configuration {
@Override
public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
- HashMap<String, String> options = new HashMap<String, String>();
+ HashMap<String, String> options = new HashMap<>();
options.put("storeKey", "true");
options.put("refreshKrb5Config", "true");
diff --git a/nifi-commons/nifi-security-kerberos/src/main/java/org/apache/nifi/security/krb/TicketCacheConfiguration.java b/nifi-commons/nifi-security-kerberos/src/main/java/org/apache/nifi/security/krb/TicketCacheConfiguration.java
index 3336b80..58e249c 100644
--- a/nifi-commons/nifi-security-kerberos/src/main/java/org/apache/nifi/security/krb/TicketCacheConfiguration.java
+++ b/nifi-commons/nifi-security-kerberos/src/main/java/org/apache/nifi/security/krb/TicketCacheConfiguration.java
@@ -33,21 +33,31 @@ public class TicketCacheConfiguration extends Configuration {
private static final Logger LOGGER = LoggerFactory.getLogger(TicketCacheConfiguration.class);
private final String principal;
+ private final String ticketCache;
private final AppConfigurationEntry ticketCacheConfigEntry;
public TicketCacheConfiguration(final String principal) {
+ this(principal, null);
+ }
+
+ public TicketCacheConfiguration(final String principal, final String ticketCache) {
if (StringUtils.isBlank(principal)) {
throw new IllegalArgumentException("Principal cannot be null");
}
this.principal = principal;
+ this.ticketCache = ticketCache;
final Map<String, String> options = new HashMap<>();
options.put("principal", principal);
options.put("refreshKrb5Config", "true");
options.put("useTicketCache", "true");
+ if (StringUtils.isNotBlank(ticketCache)) {
+ options.put("ticketCache", ticketCache);
+ }
+
final String krbLoginModuleName = ConfigurationUtil.IS_IBM
? ConfigurationUtil.IBM_KRB5_LOGIN_MODULE : ConfigurationUtil.SUN_KRB5_LOGIN_MODULE;
@@ -65,4 +75,8 @@ public class TicketCacheConfiguration extends Configuration {
return principal;
}
+ public String getTicketCache() {
+ return ticketCache;
+ }
+
}
diff --git a/nifi-commons/nifi-security-kerberos/src/main/java/org/apache/nifi/security/krb/PasswordConfiguration.java b/nifi-commons/nifi-security-kerberos/src/test/java/org/apache/nifi/security/krb/TestKerberosKeytabUser.java
similarity index 50%
copy from nifi-commons/nifi-security-kerberos/src/main/java/org/apache/nifi/security/krb/PasswordConfiguration.java
copy to nifi-commons/nifi-security-kerberos/src/test/java/org/apache/nifi/security/krb/TestKerberosKeytabUser.java
index 04ec7d6..5d7c7ff 100644
--- a/nifi-commons/nifi-security-kerberos/src/main/java/org/apache/nifi/security/krb/PasswordConfiguration.java
+++ b/nifi-commons/nifi-security-kerberos/src/test/java/org/apache/nifi/security/krb/TestKerberosKeytabUser.java
@@ -16,31 +16,29 @@
*/
package org.apache.nifi.security.krb;
+import org.junit.Test;
+
import javax.security.auth.login.AppConfigurationEntry;
-import javax.security.auth.login.Configuration;
-import java.util.HashMap;
-/**
- * JAAS Configuration to use when logging in with username/password.
- */
-public class PasswordConfiguration extends Configuration {
-
- @Override
- public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
- HashMap<String, String> options = new HashMap<String, String>();
- options.put("storeKey", "true");
- options.put("refreshKrb5Config", "true");
-
- final String krbLoginModuleName = ConfigurationUtil.IS_IBM
- ? ConfigurationUtil.IBM_KRB5_LOGIN_MODULE : ConfigurationUtil.SUN_KRB5_LOGIN_MODULE;
-
- return new AppConfigurationEntry[] {
- new AppConfigurationEntry(
- krbLoginModuleName,
- AppConfigurationEntry.LoginModuleControlFlag.REQUIRED,
- options
- )
- };
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertNotNull;
+
+public class TestKerberosKeytabUser {
+
+ @Test
+ public void testGetConfigurationEntry() {
+ final String principal = "foo@NIFI.COM";
+ final String keytab = "src/test/resources/foo.keytab";
+
+ final KerberosUser kerberosUser = new KerberosKeytabUser(principal, keytab);
+ assertEquals(principal, kerberosUser.getPrincipal());
+
+ final AppConfigurationEntry entry = kerberosUser.getConfigurationEntry();
+ assertNotNull(entry);
+ assertEquals(ConfigurationUtil.SUN_KRB5_LOGIN_MODULE, entry.getLoginModuleName());
+ assertEquals(AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, entry.getControlFlag());
+ assertEquals(principal, entry.getOptions().get("principal"));
+ assertEquals(keytab, entry.getOptions().get("keyTab"));
}
}
diff --git a/nifi-nar-bundles/nifi-kafka-bundle/nifi-kafka-2-6-processors/src/test/java/org/apache/nifi/processors/kafka/pubsub/KafkaProcessorUtilsTest.java b/nifi-commons/nifi-security-kerberos/src/test/java/org/apache/nifi/security/krb/TestKerberosPasswordUser.java
similarity index 52%
copy from nifi-nar-bundles/nifi-kafka-bundle/nifi-kafka-2-6-processors/src/test/java/org/apache/nifi/processors/kafka/pubsub/KafkaProcessorUtilsTest.java
copy to nifi-commons/nifi-security-kerberos/src/test/java/org/apache/nifi/security/krb/TestKerberosPasswordUser.java
index 1a20d2d..422adc2 100644
--- a/nifi-nar-bundles/nifi-kafka-bundle/nifi-kafka-2-6-processors/src/test/java/org/apache/nifi/processors/kafka/pubsub/KafkaProcessorUtilsTest.java
+++ b/nifi-commons/nifi-security-kerberos/src/test/java/org/apache/nifi/security/krb/TestKerberosPasswordUser.java
@@ -14,28 +14,29 @@
* See the License for the specific language governing permissions and
* limitations under the License.
*/
-package org.apache.nifi.processors.kafka.pubsub;
+package org.apache.nifi.security.krb;
+
+import org.junit.Test;
+
+import javax.security.auth.login.AppConfigurationEntry;
import static org.junit.Assert.assertEquals;
-import static org.junit.Assert.assertTrue;
+import static org.junit.Assert.assertNotNull;
-import java.util.function.Supplier;
+public class TestKerberosPasswordUser {
-import org.junit.Test;
+ @Test
+ public void testCreateKerberosPasswordUser() {
+ final String principal = "foo@NIFI.COM";
+ final String password = "password";
+
+ final KerberosUser kerberosUser = new KerberosPasswordUser(principal, password);
+ assertEquals(principal, kerberosUser.getPrincipal());
+
+ final AppConfigurationEntry entry = kerberosUser.getConfigurationEntry();
+ assertNotNull(entry);
+ assertEquals(ConfigurationUtil.SUN_KRB5_LOGIN_MODULE, entry.getLoginModuleName());
+ assertEquals(AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, entry.getControlFlag());
+ }
-public class KafkaProcessorUtilsTest {
-
- @Test
- public void getTransactionalIdSupplierWithPrefix() {
- Supplier<String> prefix = KafkaProcessorUtils.getTransactionalIdSupplier("prefix");
- String id = prefix.get();
- assertTrue(id.startsWith("prefix"));
- assertEquals(42, id.length());
- }
-
- @Test
- public void getTransactionalIdSupplierWithEmptyPrefix() {
- Supplier<String> prefix = KafkaProcessorUtils.getTransactionalIdSupplier(null);
- assertEquals(36, prefix.get().length() );
- }
-}
\ No newline at end of file
+}
diff --git a/nifi-commons/nifi-security-kerberos/src/test/java/org/apache/nifi/security/krb/TestKerberosTicketCacheUser.java b/nifi-commons/nifi-security-kerberos/src/test/java/org/apache/nifi/security/krb/TestKerberosTicketCacheUser.java
new file mode 100644
index 0000000..381a60b
--- /dev/null
+++ b/nifi-commons/nifi-security-kerberos/src/test/java/org/apache/nifi/security/krb/TestKerberosTicketCacheUser.java
@@ -0,0 +1,63 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.nifi.security.krb;
+
+import org.junit.Test;
+
+import javax.security.auth.login.AppConfigurationEntry;
+
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertNotNull;
+import static org.junit.Assert.assertNull;
+
+public class TestKerberosTicketCacheUser {
+
+ @Test
+ public void testGetConfigurationEntry() {
+ final String principal = "foo@NIFI.COM";
+
+ final KerberosUser kerberosUser = new KerberosTicketCacheUser(principal);
+ assertEquals(principal, kerberosUser.getPrincipal());
+
+ final AppConfigurationEntry entry = kerberosUser.getConfigurationEntry();
+ assertNotNull(entry);
+ assertEquals(ConfigurationUtil.SUN_KRB5_LOGIN_MODULE, entry.getLoginModuleName());
+ assertEquals(AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, entry.getControlFlag());
+ assertEquals(principal, entry.getOptions().get("principal"));
+ assertEquals("true", entry.getOptions().get("useTicketCache"));
+ assertNull(entry.getOptions().get("ticketCache"));
+ }
+
+ @Test
+ public void testGetConfigurationEntryWithSpecificTicketCache() {
+ final String principal = "foo@NIFI.COM";
+ final String ticketCache = "/tmp/cache";
+
+ final KerberosUser kerberosUser = new KerberosTicketCacheUser(principal, ticketCache);
+ assertEquals(principal, kerberosUser.getPrincipal());
+
+ final AppConfigurationEntry entry = kerberosUser.getConfigurationEntry();
+ assertNotNull(entry);
+ assertEquals(ConfigurationUtil.SUN_KRB5_LOGIN_MODULE, entry.getLoginModuleName());
+ assertEquals(AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, entry.getControlFlag());
+ assertEquals(principal, entry.getOptions().get("principal"));
+ assertEquals(ticketCache, entry.getOptions().get("ticketCache"));
+ assertEquals("true", entry.getOptions().get("useTicketCache"));
+
+ }
+
+}
diff --git a/nifi-commons/pom.xml b/nifi-commons/pom.xml
index 30b13a3..d4e1a09 100644
--- a/nifi-commons/pom.xml
+++ b/nifi-commons/pom.xml
@@ -42,6 +42,7 @@
<module>nifi-record-path</module>
<module>nifi-rocksdb-utils</module>
<module>nifi-schema-utils</module>
+ <module>nifi-security-kerberos-api</module>
<module>nifi-security-kerberos</module>
<module>nifi-security-kms</module>
<module>nifi-security-socket-ssl</module>
diff --git a/nifi-nar-bundles/nifi-extension-utils/nifi-hadoop-utils/pom.xml b/nifi-nar-bundles/nifi-extension-utils/nifi-hadoop-utils/pom.xml
index 486aac3..c5ae812 100644
--- a/nifi-nar-bundles/nifi-extension-utils/nifi-hadoop-utils/pom.xml
+++ b/nifi-nar-bundles/nifi-extension-utils/nifi-hadoop-utils/pom.xml
@@ -44,6 +44,10 @@
<artifactId>nifi-kerberos-credentials-service-api</artifactId>
</dependency>
<dependency>
+ <groupId>org.apache.nifi</groupId>
+ <artifactId>nifi-kerberos-user-service-api</artifactId>
+ </dependency>
+ <dependency>
<groupId>org.apache.commons</groupId>
<artifactId>commons-lang3</artifactId>
<version>3.9</version>
@@ -67,6 +71,7 @@
<version>4.5.5</version>
<scope>provided</scope>
</dependency>
+ <!-- Test dependencies -->
<dependency>
<groupId>org.apache.nifi</groupId>
<artifactId>nifi-mock</artifactId>
diff --git a/nifi-nar-bundles/nifi-extension-utils/nifi-hadoop-utils/src/main/java/org/apache/nifi/processors/hadoop/AbstractHadoopProcessor.java b/nifi-nar-bundles/nifi-extension-utils/nifi-hadoop-utils/src/main/java/org/apache/nifi/processors/hadoop/AbstractHadoopProcessor.java
index 57c57cf..2aebf83 100644
--- a/nifi-nar-bundles/nifi-extension-utils/nifi-hadoop-utils/src/main/java/org/apache/nifi/processors/hadoop/AbstractHadoopProcessor.java
+++ b/nifi-nar-bundles/nifi-extension-utils/nifi-hadoop-utils/src/main/java/org/apache/nifi/processors/hadoop/AbstractHadoopProcessor.java
@@ -39,6 +39,7 @@ import org.apache.nifi.flowfile.FlowFile;
import org.apache.nifi.hadoop.KerberosProperties;
import org.apache.nifi.hadoop.SecurityUtil;
import org.apache.nifi.kerberos.KerberosCredentialsService;
+import org.apache.nifi.kerberos.KerberosUserService;
import org.apache.nifi.processor.AbstractProcessor;
import org.apache.nifi.processor.ProcessContext;
import org.apache.nifi.processor.ProcessorInitializationContext;
@@ -143,6 +144,15 @@ public abstract class AbstractHadoopProcessor extends AbstractProcessor {
.required(false)
.build();
+ static final PropertyDescriptor KERBEROS_USER_SERVICE = new PropertyDescriptor.Builder()
+ .name("kerberos-user-service")
+ .displayName("Kerberos User Service")
+ .description("Specifies the Kerberos User Controller Service that should be used for authenticating with Kerberos")
+ .identifiesControllerService(KerberosUserService.class)
+ .required(false)
+ .build();
+
+
public static final String ABSOLUTE_HDFS_PATH_ATTRIBUTE = "absolute.hdfs.path";
private static final Object RESOURCES_LOCK = new Object();
@@ -169,6 +179,7 @@ public abstract class AbstractHadoopProcessor extends AbstractProcessor {
List<PropertyDescriptor> props = new ArrayList<>();
props.add(HADOOP_CONFIGURATION_RESOURCES);
props.add(KERBEROS_CREDENTIALS_SERVICE);
+ props.add(KERBEROS_USER_SERVICE);
props.add(kerberosProperties.getKerberosPrincipal());
props.add(kerberosProperties.getKerberosKeytab());
props.add(kerberosProperties.getKerberosPassword());
@@ -192,6 +203,7 @@ public abstract class AbstractHadoopProcessor extends AbstractProcessor {
final String explicitKeytab = validationContext.getProperty(kerberosProperties.getKerberosKeytab()).evaluateAttributeExpressions().getValue();
final String explicitPassword = validationContext.getProperty(kerberosProperties.getKerberosPassword()).getValue();
final KerberosCredentialsService credentialsService = validationContext.getProperty(KERBEROS_CREDENTIALS_SERVICE).asControllerService(KerberosCredentialsService.class);
+ final KerberosUserService kerberosUserService = validationContext.getProperty(KERBEROS_USER_SERVICE).asControllerService(KerberosUserService.class);
final String resolvedPrincipal;
final String resolvedKeytab;
@@ -212,8 +224,15 @@ public abstract class AbstractHadoopProcessor extends AbstractProcessor {
try {
final Configuration conf = getHadoopConfigurationForValidation(locations);
- results.addAll(KerberosProperties.validatePrincipalWithKeytabOrPassword(
- this.getClass().getSimpleName(), conf, resolvedPrincipal, resolvedKeytab, explicitPassword, getLogger()));
+ if (kerberosUserService == null) {
+ results.addAll(KerberosProperties.validatePrincipalWithKeytabOrPassword(
+ this.getClass().getSimpleName(), conf, resolvedPrincipal, resolvedKeytab, explicitPassword, getLogger()));
+ } else {
+ final boolean securityEnabled = SecurityUtil.isSecurityEnabled(conf);
+ if (!securityEnabled) {
+ getLogger().warn("Hadoop Configuration does not have security enabled, KerberosUserService will be ignored");
+ }
+ }
results.addAll(validateFileSystem(conf));
} catch (final IOException e) {
@@ -232,6 +251,22 @@ public abstract class AbstractHadoopProcessor extends AbstractProcessor {
.build());
}
+ if (kerberosUserService != null && (explicitPrincipal != null || explicitKeytab != null || explicitPassword != null)) {
+ results.add(new ValidationResult.Builder()
+ .subject("Kerberos User")
+ .valid(false)
+ .explanation("Cannot specify a Kerberos User Service while also specifying a Kerberos Principal, Kerberos Keytab, or Kerberos Password")
+ .build());
+ }
+
+ if (kerberosUserService != null && credentialsService != null) {
+ results.add(new ValidationResult.Builder()
+ .subject("Kerberos User")
+ .valid(false)
+ .explanation("Cannot specify a Kerberos User Service while also specifying a Kerberos Credentials Service")
+ .build());
+ }
+
if (!isAllowExplicitKeytab() && explicitKeytab != null) {
results.add(new ValidationResult.Builder()
.subject("Kerberos Credentials")
@@ -321,6 +356,15 @@ public abstract class AbstractHadoopProcessor extends AbstractProcessor {
}
}
+ final KerberosUser kerberosUser = resources.getKerberosUser();
+ if (kerberosUser != null) {
+ try {
+ kerberosUser.logout();
+ } catch (LoginException e) {
+ getLogger().warn("Error logging out KerberosUser: {}", e.getMessage(), e);
+ }
+ }
+
// Clean-up the static reference to the Configuration instance
UserGroupInformation.setConfiguration(new Configuration());
@@ -389,7 +433,7 @@ public abstract class AbstractHadoopProcessor extends AbstractProcessor {
/*
* Reset Hadoop Configuration and FileSystem based on the supplied configuration resources.
*/
- HdfsResources resetHDFSResources(final List<String> resourceLocations, ProcessContext context) throws IOException {
+ HdfsResources resetHDFSResources(final List<String> resourceLocations, final ProcessContext context) throws IOException {
Configuration config = new ExtendedConfiguration(getLogger());
config.setClassLoader(Thread.currentThread().getContextClassLoader());
@@ -413,25 +457,7 @@ public abstract class AbstractHadoopProcessor extends AbstractProcessor {
KerberosUser kerberosUser;
synchronized (RESOURCES_LOCK) {
if (SecurityUtil.isSecurityEnabled(config)) {
- String principal = context.getProperty(kerberosProperties.getKerberosPrincipal()).evaluateAttributeExpressions().getValue();
- String keyTab = context.getProperty(kerberosProperties.getKerberosKeytab()).evaluateAttributeExpressions().getValue();
- String password = context.getProperty(kerberosProperties.getKerberosPassword()).getValue();
-
- // If the Kerberos Credentials Service is specified, we need to use its configuration, not the explicit properties for principal/keytab.
- // The customValidate method ensures that only one can be set, so we know that the principal & keytab above are null.
- final KerberosCredentialsService credentialsService = context.getProperty(KERBEROS_CREDENTIALS_SERVICE).asControllerService(KerberosCredentialsService.class);
- if (credentialsService != null) {
- principal = credentialsService.getPrincipal();
- keyTab = credentialsService.getKeytab();
- }
-
- if (keyTab != null) {
- kerberosUser = new KerberosKeytabUser(principal, keyTab);
- } else if (password != null) {
- kerberosUser = new KerberosPasswordUser(principal, password);
- } else {
- throw new IOException("Unable to authenticate with Kerberos, no keytab or password was provided");
- }
+ kerberosUser = getKerberosUser(context);
ugi = SecurityUtil.getUgiForKerberosUser(config, kerberosUser);
} else {
config.set("ipc.client.fallback-to-simple-auth-allowed", "true");
@@ -450,6 +476,36 @@ public abstract class AbstractHadoopProcessor extends AbstractProcessor {
return new HdfsResources(config, fs, ugi, kerberosUser);
}
+ private KerberosUser getKerberosUser(final ProcessContext context) {
+ // Check Kerberos User Service first, if present then get the KerberosUser from the service
+ // The customValidate method ensures that KerberosUserService can't be set at the same time as the credentials service or explicit properties
+ final KerberosUserService kerberosUserService = context.getProperty(KERBEROS_USER_SERVICE).asControllerService(KerberosUserService.class);
+ if (kerberosUserService != null) {
+ return kerberosUserService.createKerberosUser();
+ }
+
+ // Kerberos User Service wasn't set, so create KerberosUser based on credentials service or explicit properties...
+ String principal = context.getProperty(kerberosProperties.getKerberosPrincipal()).evaluateAttributeExpressions().getValue();
+ String keyTab = context.getProperty(kerberosProperties.getKerberosKeytab()).evaluateAttributeExpressions().getValue();
+ String password = context.getProperty(kerberosProperties.getKerberosPassword()).getValue();
+
+ // If the Kerberos Credentials Service is specified, we need to use its configuration, not the explicit properties for principal/keytab.
+ // The customValidate method ensures that only one can be set, so we know that the principal & keytab above are null.
+ final KerberosCredentialsService credentialsService = context.getProperty(KERBEROS_CREDENTIALS_SERVICE).asControllerService(KerberosCredentialsService.class);
+ if (credentialsService != null) {
+ principal = credentialsService.getPrincipal();
+ keyTab = credentialsService.getKeytab();
+ }
+
+ if (keyTab != null) {
+ return new KerberosKeytabUser(principal, keyTab);
+ } else if (password != null) {
+ return new KerberosPasswordUser(principal, password);
+ } else {
+ throw new IllegalStateException("Unable to authenticate with Kerberos, no keytab or password was provided");
+ }
+ }
+
/**
* This method will be called after the Configuration has been created, but before the FileSystem is created,
* allowing sub-classes to take further action on the Configuration before creating the FileSystem.
diff --git a/nifi-nar-bundles/nifi-hadoop-bundle/nifi-hdfs-processors/pom.xml b/nifi-nar-bundles/nifi-hadoop-bundle/nifi-hdfs-processors/pom.xml
index b2a0017..e143bc2 100644
--- a/nifi-nar-bundles/nifi-hadoop-bundle/nifi-hdfs-processors/pom.xml
+++ b/nifi-nar-bundles/nifi-hadoop-bundle/nifi-hdfs-processors/pom.xml
@@ -70,6 +70,10 @@
</dependency>
<dependency>
<groupId>org.apache.nifi</groupId>
+ <artifactId>nifi-kerberos-user-service-api</artifactId>
+ </dependency>
+ <dependency>
+ <groupId>org.apache.nifi</groupId>
<artifactId>nifi-mock</artifactId>
<version>1.15.0-SNAPSHOT</version>
<scope>test</scope>
diff --git a/nifi-nar-bundles/nifi-hadoop-bundle/nifi-hdfs-processors/src/test/java/org/apache/nifi/processors/hadoop/AbstractHadoopTest.java b/nifi-nar-bundles/nifi-hadoop-bundle/nifi-hdfs-processors/src/test/java/org/apache/nifi/processors/hadoop/AbstractHadoopTest.java
index 342c71b..2b77eb9 100644
--- a/nifi-nar-bundles/nifi-hadoop-bundle/nifi-hdfs-processors/src/test/java/org/apache/nifi/processors/hadoop/AbstractHadoopTest.java
+++ b/nifi-nar-bundles/nifi-hadoop-bundle/nifi-hdfs-processors/src/test/java/org/apache/nifi/processors/hadoop/AbstractHadoopTest.java
@@ -25,7 +25,10 @@ import org.apache.nifi.components.resource.ResourceReference;
import org.apache.nifi.components.resource.ResourceReferences;
import org.apache.nifi.components.resource.StandardResourceReferences;
import org.apache.nifi.hadoop.KerberosProperties;
+import org.apache.nifi.kerberos.KerberosCredentialsService;
+import org.apache.nifi.kerberos.KerberosUserService;
import org.apache.nifi.processor.ProcessContext;
+import org.apache.nifi.reporting.InitializationException;
import org.apache.nifi.util.MockProcessContext;
import org.apache.nifi.util.MockValidationContext;
import org.apache.nifi.util.NiFiProperties;
@@ -185,7 +188,62 @@ public class AbstractHadoopTest {
runner.setProperty(kerberosProperties.getKerberosPrincipal(), "principal");
runner.setProperty(kerberosProperties.getKerberosKeytab(), temporaryFile.getAbsolutePath());
runner.assertNotValid();
+ }
+
+ @Test
+ public void testCustomValidateWhenKerberosUserServiceProvided() throws InitializationException {
+ final TestRunner runner = createTestRunnerWithKerberosEnabled();
+ final KerberosUserService kerberosUserService = enableKerberosUserService(runner);
+ runner.setProperty(AbstractHadoopProcessor.KERBEROS_USER_SERVICE, kerberosUserService.getIdentifier());
+ runner.assertValid();
+ }
+
+ @Test
+ public void testCustomValidateWhenKerberosUserServiceAndKerberosCredentialsService() throws InitializationException {
+ final TestRunner runner = createTestRunnerWithKerberosEnabled();
+
+ final KerberosUserService kerberosUserService = enableKerberosUserService(runner);
+ runner.setProperty(AbstractHadoopProcessor.KERBEROS_USER_SERVICE, kerberosUserService.getIdentifier());
+ runner.assertValid();
+ final KerberosCredentialsService credentialsService = enabledKerberosCredentialsService(runner);
+ runner.setProperty(AbstractHadoopProcessor.KERBEROS_CREDENTIALS_SERVICE, credentialsService.getIdentifier());
+ runner.assertNotValid();
+
+ runner.removeProperty(AbstractHadoopProcessor.KERBEROS_USER_SERVICE);
+ runner.assertValid();
+ }
+
+ @Test
+ public void testCustomValidateWhenKerberosUserServiceAndPrincipalAndKeytab() throws InitializationException {
+ final TestRunner runner = createTestRunnerWithKerberosEnabled();
+
+ final KerberosUserService kerberosUserService = enableKerberosUserService(runner);
+ runner.setProperty(AbstractHadoopProcessor.KERBEROS_USER_SERVICE, kerberosUserService.getIdentifier());
+ runner.assertValid();
+
+ runner.setProperty(kerberosProperties.getKerberosPrincipal(), "principal1");
+ runner.setProperty(kerberosProperties.getKerberosKeytab(), temporaryFile.getAbsolutePath());
+ runner.assertNotValid();
+
+ runner.removeProperty(AbstractHadoopProcessor.KERBEROS_USER_SERVICE);
+ runner.assertValid();
+ }
+
+ @Test
+ public void testCustomValidateWhenKerberosUserServiceAndPrincipalAndPassword() throws InitializationException {
+ final TestRunner runner = createTestRunnerWithKerberosEnabled();
+
+ final KerberosUserService kerberosUserService = enableKerberosUserService(runner);
+ runner.setProperty(AbstractHadoopProcessor.KERBEROS_USER_SERVICE, kerberosUserService.getIdentifier());
+ runner.assertValid();
+
+ runner.setProperty(kerberosProperties.getKerberosPrincipal(), "principal1");
+ runner.setProperty(kerberosProperties.getKerberosPassword(), "password");
+ runner.assertNotValid();
+
+ runner.removeProperty(AbstractHadoopProcessor.KERBEROS_USER_SERVICE);
+ runner.assertValid();
}
@Test
@@ -268,4 +326,34 @@ public class AbstractHadoopTest {
return runner;
}
+
+ private KerberosUserService enableKerberosUserService(final TestRunner runner) throws InitializationException {
+ final KerberosUserService kerberosUserService = mock(KerberosUserService.class);
+ when(kerberosUserService.getIdentifier()).thenReturn("userService1");
+ runner.addControllerService(kerberosUserService.getIdentifier(), kerberosUserService);
+ runner.enableControllerService(kerberosUserService);
+ return kerberosUserService;
+ }
+
+ private KerberosCredentialsService enabledKerberosCredentialsService(final TestRunner runner) throws InitializationException {
+ final KerberosCredentialsService credentialsService = mock(KerberosCredentialsService.class);
+ when(credentialsService.getIdentifier()).thenReturn("credsService1");
+ when(credentialsService.getPrincipal()).thenReturn("principal1");
+ when(credentialsService.getKeytab()).thenReturn("keytab1");
+
+ runner.addControllerService(credentialsService.getIdentifier(), credentialsService);
+ runner.enableControllerService(credentialsService);
+ return credentialsService;
+ }
+
+ private TestRunner createTestRunnerWithKerberosEnabled() {
+ final SimpleHadoopProcessor processor = new SimpleHadoopProcessor(kerberosProperties);
+ final TestRunner runner = TestRunners.newTestRunner(processor);
+ runner.assertValid();
+
+ runner.setProperty(AbstractHadoopProcessor.HADOOP_CONFIGURATION_RESOURCES, "src/test/resources/core-site-security.xml");
+ runner.assertNotValid();
+ return runner;
+ }
+
}
diff --git a/nifi-nar-bundles/nifi-hive-bundle/nifi-hive3-processors/pom.xml b/nifi-nar-bundles/nifi-hive-bundle/nifi-hive3-processors/pom.xml
index b53bc89..e4f62c0 100644
--- a/nifi-nar-bundles/nifi-hive-bundle/nifi-hive3-processors/pom.xml
+++ b/nifi-nar-bundles/nifi-hive-bundle/nifi-hive3-processors/pom.xml
@@ -69,7 +69,10 @@
<dependency>
<groupId>org.apache.nifi</groupId>
<artifactId>nifi-kerberos-credentials-service-api</artifactId>
- <scope>provided</scope>
+ </dependency>
+ <dependency>
+ <groupId>org.apache.nifi</groupId>
+ <artifactId>nifi-kerberos-user-service-api</artifactId>
</dependency>
<dependency>
<groupId>org.apache.hive</groupId>
diff --git a/nifi-nar-bundles/nifi-kafka-bundle/nifi-kafka-2-6-processors/pom.xml b/nifi-nar-bundles/nifi-kafka-bundle/nifi-kafka-2-6-processors/pom.xml
index 36de276..ce58244 100644
--- a/nifi-nar-bundles/nifi-kafka-bundle/nifi-kafka-2-6-processors/pom.xml
+++ b/nifi-nar-bundles/nifi-kafka-bundle/nifi-kafka-2-6-processors/pom.xml
@@ -57,7 +57,15 @@
<groupId>org.apache.nifi</groupId>
<artifactId>nifi-kerberos-credentials-service-api</artifactId>
</dependency>
-
+ <dependency>
+ <groupId>org.apache.nifi</groupId>
+ <artifactId>nifi-kerberos-user-service-api</artifactId>
+ </dependency>
+ <dependency>
+ <groupId>org.apache.nifi</groupId>
+ <artifactId>nifi-security-kerberos</artifactId>
+ <version>1.15.0-SNAPSHOT</version>
+ </dependency>
<dependency>
<groupId>org.apache.kafka</groupId>
<artifactId>kafka-clients</artifactId>
diff --git a/nifi-nar-bundles/nifi-kafka-bundle/nifi-kafka-2-6-processors/src/main/java/org/apache/nifi/processors/kafka/pubsub/CustomKerberosLogin.java b/nifi-nar-bundles/nifi-kafka-bundle/nifi-kafka-2-6-processors/src/main/java/org/apache/nifi/processors/kafka/pubsub/CustomKerberosLogin.java
new file mode 100644
index 0000000..aef1c70
--- /dev/null
+++ b/nifi-nar-bundles/nifi-kafka-bundle/nifi-kafka-2-6-processors/src/main/java/org/apache/nifi/processors/kafka/pubsub/CustomKerberosLogin.java
@@ -0,0 +1,248 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.nifi.processors.kafka.pubsub;
+
+import org.apache.kafka.common.config.SaslConfigs;
+import org.apache.kafka.common.security.JaasContext;
+import org.apache.kafka.common.security.JaasUtils;
+import org.apache.kafka.common.security.auth.AuthenticateCallbackHandler;
+import org.apache.kafka.common.security.authenticator.AbstractLogin;
+import org.apache.kafka.common.security.kerberos.KerberosLogin;
+import org.apache.kafka.common.utils.KafkaThread;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import javax.security.auth.RefreshFailedException;
+import javax.security.auth.Subject;
+import javax.security.auth.kerberos.KerberosPrincipal;
+import javax.security.auth.kerberos.KerberosTicket;
+import javax.security.auth.login.AppConfigurationEntry;
+import javax.security.auth.login.Configuration;
+import javax.security.auth.login.LoginContext;
+import javax.security.auth.login.LoginException;
+import java.util.Arrays;
+import java.util.List;
+import java.util.Map;
+import java.util.Set;
+
+/**
+ * Customized version of {@link org.apache.kafka.common.security.kerberos.KerberosLogin} which improves the re-login logic
+ * to avoid making system calls to kinit when the ticket cache is being used, and to avoid exiting the refresh thread so that
+ * it may recover if the ticket cache is externally refreshed.
+ *
+ * The re-login thread follows a similar approach used by NiFi's KerberosUser which attempts to call tgt.refresh()
+ * and falls back to a logout/login.
+ *
+ * The Kafka client is configured to use this login by setting SaslConfigs.SASL_LOGIN_CLASS in {@link KafkaProcessorUtils}
+ * when the SASL mechanism is GSSAPI.
+ */
+public class CustomKerberosLogin extends AbstractLogin {
+ private static final Logger log = LoggerFactory.getLogger(CustomKerberosLogin.class);
+
+ private Thread refreshThread;
+ private boolean isKrbTicket;
+
+ private String principal;
+
+ private double ticketRenewWindowFactor;
+ private long minTimeBeforeRelogin;
+
+ private volatile Subject subject;
+
+ private LoginContext loginContext;
+ private String serviceName;
+
+ @Override
+ public void configure(Map<String, ?> configs, String contextName, Configuration configuration,
+ AuthenticateCallbackHandler callbackHandler) {
+ super.configure(configs, contextName, configuration, callbackHandler);
+ this.ticketRenewWindowFactor = (Double) configs.get(SaslConfigs.SASL_KERBEROS_TICKET_RENEW_WINDOW_FACTOR);
+ this.minTimeBeforeRelogin = (Long) configs.get(SaslConfigs.SASL_KERBEROS_MIN_TIME_BEFORE_RELOGIN);
+ this.serviceName = getServiceName(configs, contextName, configuration);
+ }
+
+ /**
+ * Performs login for each login module specified for the login context of this instance and starts the thread used
+ * to periodically re-login to the Kerberos Ticket Granting Server.
+ */
+ @Override
+ public LoginContext login() throws LoginException {
+ loginContext = super.login();
+ subject = loginContext.getSubject();
+ isKrbTicket = !subject.getPrivateCredentials(KerberosTicket.class).isEmpty();
+
+ AppConfigurationEntry[] entries = configuration().getAppConfigurationEntry(contextName());
+ if (entries.length == 0) {
+ principal = null;
+ } else {
+ // there will only be a single entry
+ AppConfigurationEntry entry = entries[0];
+ if (entry.getOptions().get("principal") != null)
+ principal = (String) entry.getOptions().get("principal");
+ else
+ principal = null;
+ }
+
+ if (!isKrbTicket) {
+ log.debug("[Principal={}]: It is not a Kerberos ticket", principal);
+ refreshThread = null;
+ // if no TGT, do not bother with ticket management.
+ return loginContext;
+ }
+ log.debug("[Principal={}]: It is a Kerberos ticket", principal);
+
+ refreshThread = KafkaThread.daemon(String.format("kafka-kerberos-refresh-thread-%s", principal), () -> {
+ log.info("[Principal={}]: TGT refresh thread started, minTimeBeforeRelogin = {}", principal, minTimeBeforeRelogin);
+ while (true) {
+ try {
+ Thread.sleep(minTimeBeforeRelogin);
+ } catch (InterruptedException ie) {
+ log.warn("[Principal={}]: TGT renewal thread has been interrupted and will exit.", principal);
+ return;
+ }
+ try {
+ checkTGTAndReLogin();
+ } catch (Throwable t) {
+ log.error("[Principal={}]: Error from TGT refresh thread", principal, t);
+ }
+ }
+ });
+ refreshThread.start();
+ return loginContext;
+ }
+
+ @Override
+ public void close() {
+ if ((refreshThread != null) && (refreshThread.isAlive())) {
+ refreshThread.interrupt();
+ try {
+ refreshThread.join();
+ } catch (InterruptedException e) {
+ log.warn("[Principal={}]: Error while waiting for Login thread to shutdown.", principal, e);
+ Thread.currentThread().interrupt();
+ }
+ }
+ }
+
+ @Override
+ public Subject subject() {
+ return subject;
+ }
+
+ @Override
+ public String serviceName() {
+ return serviceName;
+ }
+
+ private synchronized void checkTGTAndReLogin() throws LoginException {
+ final KerberosTicket tgt = getTGT();
+ if (tgt == null) {
+ log.info("[Principal={}]: TGT was not found, performing login", principal);
+ reLogin();
+ return;
+ }
+
+ if (System.currentTimeMillis() < getRefreshTime(tgt)) {
+ log.debug("[Principal={}]: TGT was found, but has not reached expiration window", principal);
+ return;
+ }
+
+ try {
+ tgt.refresh();
+ log.info("[Principal={}]: TGT refreshed", principal);
+ getRefreshTime(tgt);
+ } catch (RefreshFailedException rfe) {
+ log.warn("[Principal={}]: TGT refresh failed, will attempt relogin", principal);
+ log.debug("", rfe);
+ reLogin();
+ }
+ }
+
+ private static String getServiceName(Map<String, ?> configs, String contextName, Configuration configuration) {
+ List<AppConfigurationEntry> configEntries = Arrays.asList(configuration.getAppConfigurationEntry(contextName));
+ String jaasServiceName = JaasContext.configEntryOption(configEntries, JaasUtils.SERVICE_NAME, null);
+ String configServiceName = (String) configs.get(SaslConfigs.SASL_KERBEROS_SERVICE_NAME);
+ if (jaasServiceName != null && configServiceName != null && !jaasServiceName.equals(configServiceName)) {
+ String message = String.format("Conflicting serviceName values found in JAAS and Kafka configs " +
+ "value in JAAS file %s, value in Kafka config %s", jaasServiceName, configServiceName);
+ throw new IllegalArgumentException(message);
+ }
+
+ if (jaasServiceName != null) {
+ return jaasServiceName;
+ }
+ if (configServiceName != null) {
+ return configServiceName;
+ }
+
+ throw new IllegalArgumentException("No serviceName defined in either JAAS or Kafka config");
+ }
+
+
+ private long getRefreshTime(final KerberosTicket tgt) {
+ long start = tgt.getStartTime().getTime();
+ long expires = tgt.getEndTime().getTime();
+
+ log.debug("[Principal={}]: TGT valid starting at: {}", principal, tgt.getStartTime());
+ log.debug("[Principal={}]: TGT expires: {}", principal, tgt.getEndTime());
+ log.debug("[Principal={}]: TGT renew until: {}", principal, tgt.getRenewTill());
+
+ return start + (long) ((expires - start) * ticketRenewWindowFactor);
+ }
+
+ private KerberosTicket getTGT() {
+ Set<KerberosTicket> tickets = subject.getPrivateCredentials(KerberosTicket.class);
+ for (KerberosTicket ticket : tickets) {
+ KerberosPrincipal server = ticket.getServer();
+ final String expectedServerName = String.format("krbtgt/%s@%s", server.getRealm(), server.getRealm());
+ if (server.getName().equals(expectedServerName)) {
+ log.debug("Found TGT with client principal '{}' and server principal '{}'.", ticket.getClient().getName(),
+ ticket.getServer().getName());
+ return ticket;
+ }
+ }
+ return null;
+ }
+
+ /**
+ * Re-login a principal. This method assumes that {@link #login()} has happened already.
+ * @throws javax.security.auth.login.LoginException on a failure
+ */
+ private void reLogin() throws LoginException {
+ if (!isKrbTicket) {
+ return;
+ }
+ if (loginContext == null) {
+ throw new LoginException("Login must be done first");
+ }
+
+ synchronized (KerberosLogin.class) {
+ log.info("Initiating logout for {}", principal);
+ //clear up the kerberos state. But the tokens are not cleared! As per
+ //the Java kerberos login module code, only the kerberos credentials
+ //are cleared
+ loginContext.logout();
+ //login and also update the subject field of this instance to
+ //have the new credentials (pass it to the LoginContext constructor)
+ loginContext = new LoginContext(contextName(), subject, null, configuration());
+ log.info("Initiating re-login for {}", principal);
+ loginContext.login();
+ log.info("Successful re-login for {}", principal);
+ }
+ }
+
+}
diff --git a/nifi-nar-bundles/nifi-kafka-bundle/nifi-kafka-2-6-processors/src/main/java/org/apache/nifi/processors/kafka/pubsub/KafkaProcessorUtils.java b/nifi-nar-bundles/nifi-kafka-bundle/nifi-kafka-2-6-processors/src/main/java/org/apache/nifi/processors/kafka/pubsub/KafkaProcessorUtils.java
index 5c378a5..c1f625b 100644
--- a/nifi-nar-bundles/nifi-kafka-bundle/nifi-kafka-2-6-processors/src/main/java/org/apache/nifi/processors/kafka/pubsub/KafkaProcessorUtils.java
+++ b/nifi-nar-bundles/nifi-kafka-bundle/nifi-kafka-2-6-processors/src/main/java/org/apache/nifi/processors/kafka/pubsub/KafkaProcessorUtils.java
@@ -33,13 +33,17 @@ import org.apache.nifi.components.resource.ResourceCardinality;
import org.apache.nifi.components.resource.ResourceType;
import org.apache.nifi.expression.ExpressionLanguageScope;
import org.apache.nifi.kerberos.KerberosCredentialsService;
+import org.apache.nifi.kerberos.KerberosUserService;
+import org.apache.nifi.kerberos.SelfContainedKerberosUserService;
import org.apache.nifi.processor.ProcessContext;
import org.apache.nifi.processor.util.StandardValidators;
+import org.apache.nifi.security.krb.KerberosUser;
import org.apache.nifi.ssl.SSLContextService;
import org.apache.nifi.util.FormatUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
+import javax.security.auth.login.AppConfigurationEntry;
import java.lang.reflect.Field;
import java.lang.reflect.Modifier;
import java.util.ArrayList;
@@ -57,7 +61,7 @@ import java.util.regex.Pattern;
public final class KafkaProcessorUtils {
private static final String ALLOW_EXPLICIT_KEYTAB = "NIFI_ALLOW_EXPLICIT_KEYTAB";
- final Logger logger = LoggerFactory.getLogger(this.getClass());
+ static final Logger LOGGER = LoggerFactory.getLogger(KafkaProcessorUtils.class);
static final AllowableValue UTF8_ENCODING = new AllowableValue("utf-8", "UTF-8 Encoded", "The key is interpreted as a UTF-8 Encoded string.");
static final AllowableValue HEX_ENCODING = new AllowableValue("hex", "Hex Encoded",
@@ -199,6 +203,13 @@ public final class KafkaProcessorUtils {
.identifiesControllerService(KerberosCredentialsService.class)
.required(false)
.build();
+ public static final PropertyDescriptor SELF_CONTAINED_KERBEROS_USER_SERVICE = new PropertyDescriptor.Builder()
+ .name("kerberos-user-service")
+ .displayName("Kerberos User Service")
+ .description("Specifies the Kerberos User Controller Service that should be used for authenticating with Kerberos")
+ .identifiesControllerService(SelfContainedKerberosUserService.class)
+ .required(false)
+ .build();
static final PropertyDescriptor FAILURE_STRATEGY = new PropertyDescriptor.Builder()
.name("Failure Strategy")
@@ -209,6 +220,8 @@ public final class KafkaProcessorUtils {
.defaultValue(FAILURE_STRATEGY_FAILURE_RELATIONSHIP.getValue())
.build();
+ public static final String JAVA_SECURITY_AUTH_LOGIN_CONFIG = "java.security.auth.login.config";
+
static List<PropertyDescriptor> getCommonPropertyDescriptors() {
return Arrays.asList(
BOOTSTRAP_SERVERS,
@@ -216,6 +229,7 @@ public final class KafkaProcessorUtils {
SASL_MECHANISM,
JAAS_SERVICE_NAME,
KERBEROS_CREDENTIALS_SERVICE,
+ SELF_CONTAINED_KERBEROS_USER_SERVICE,
USER_PRINCIPAL,
USER_KEYTAB,
USERNAME,
@@ -231,6 +245,8 @@ public final class KafkaProcessorUtils {
final String securityProtocol = validationContext.getProperty(SECURITY_PROTOCOL).getValue();
final String saslMechanism = validationContext.getProperty(SASL_MECHANISM).getValue();
+ final KerberosUserService kerberosUserService = validationContext.getProperty(SELF_CONTAINED_KERBEROS_USER_SERVICE).asControllerService(KerberosUserService.class);
+
final String explicitPrincipal = validationContext.getProperty(USER_PRINCIPAL).evaluateAttributeExpressions().getValue();
final String explicitKeytab = validationContext.getProperty(USER_KEYTAB).evaluateAttributeExpressions().getValue();
final KerberosCredentialsService credentialsService = validationContext.getProperty(KERBEROS_CREDENTIALS_SERVICE).asControllerService(KerberosCredentialsService.class);
@@ -253,6 +269,22 @@ public final class KafkaProcessorUtils {
.build());
}
+ if (kerberosUserService != null && (explicitPrincipal != null || explicitKeytab != null)) {
+ results.add(new ValidationResult.Builder()
+ .subject("Kerberos User")
+ .valid(false)
+ .explanation("Cannot specify both a Kerberos User Service and a principal/keytab")
+ .build());
+ }
+
+ if (kerberosUserService != null && credentialsService != null) {
+ results.add(new ValidationResult.Builder()
+ .subject("Kerberos User")
+ .valid(false)
+ .explanation("Cannot specify both a Kerberos User Service and a Kerberos Credentials Service")
+ .build());
+ }
+
final String allowExplicitKeytabVariable = System.getenv(ALLOW_EXPLICIT_KEYTAB);
if ("false".equalsIgnoreCase(allowExplicitKeytabVariable) && (explicitPrincipal != null || explicitKeytab != null)) {
results.add(new ValidationResult.Builder()
@@ -284,6 +316,16 @@ public final class KafkaProcessorUtils {
+ "must be set or neither must be set.")
.build());
}
+
+ final String jvmJaasConfigFile = System.getProperty(JAVA_SECURITY_AUTH_LOGIN_CONFIG);
+ if (kerberosUserService == null && resolvedPrincipal == null && resolvedKeytab == null && StringUtils.isBlank(jvmJaasConfigFile)) {
+ results.add(new ValidationResult.Builder()
+ .subject("Kerberos Credentials")
+ .valid(false)
+ .explanation("Kerberos credentials must be provided by a Kerberos Credentials Service, " +
+ "Kerberos User Service, explicit principal/keytab properties, or JVM JAAS configuration")
+ .build());
+ }
}
// validate that if SASL Mechanism is PLAIN or SCRAM, then username and password are both provided
@@ -437,7 +479,7 @@ public final class KafkaProcessorUtils {
}
}
- String securityProtocol = context.getProperty(SECURITY_PROTOCOL).getValue();
+ final String securityProtocol = context.getProperty(SECURITY_PROTOCOL).getValue();
if (SEC_SASL_PLAINTEXT.getValue().equals(securityProtocol) || SEC_SASL_SSL.getValue().equals(securityProtocol)) {
setJaasConfig(mapToPopulate, context);
}
@@ -484,6 +526,20 @@ public final class KafkaProcessorUtils {
}
private static void setGssApiJaasConfig(final Map<String, Object> mapToPopulate, final ProcessContext context) {
+ final SelfContainedKerberosUserService kerberosUserService = context.getProperty(SELF_CONTAINED_KERBEROS_USER_SERVICE).asControllerService(SelfContainedKerberosUserService.class);
+
+ final String jaasConfig;
+ if (kerberosUserService == null) {
+ jaasConfig = createGssApiJaasConfig(context);
+ } else {
+ jaasConfig = createGssApiJaasConfig(kerberosUserService);
+ }
+
+ mapToPopulate.put(SaslConfigs.SASL_JAAS_CONFIG, jaasConfig);
+ mapToPopulate.put(SaslConfigs.SASL_LOGIN_CLASS, CustomKerberosLogin.class);
+ }
+
+ private static String createGssApiJaasConfig(final ProcessContext context) {
String keytab = context.getProperty(USER_KEYTAB).evaluateAttributeExpressions().getValue();
String principal = context.getProperty(USER_PRINCIPAL).evaluateAttributeExpressions().getValue();
@@ -495,17 +551,51 @@ public final class KafkaProcessorUtils {
keytab = credentialsService.getKeytab();
}
+ final String serviceName = context.getProperty(JAAS_SERVICE_NAME).evaluateAttributeExpressions().getValue();
- String serviceName = context.getProperty(JAAS_SERVICE_NAME).evaluateAttributeExpressions().getValue();
- if (StringUtils.isNotBlank(keytab) && StringUtils.isNotBlank(principal) && StringUtils.isNotBlank(serviceName)) {
- mapToPopulate.put(SaslConfigs.SASL_JAAS_CONFIG, "com.sun.security.auth.module.Krb5LoginModule required "
+ return "com.sun.security.auth.module.Krb5LoginModule required "
+ "useTicketCache=false "
+ "renewTicket=true "
+ "serviceName=\"" + serviceName + "\" "
+ "useKeyTab=true "
+ "keyTab=\"" + keytab + "\" "
- + "principal=\"" + principal + "\";");
+ + "principal=\"" + principal + "\";";
+ }
+
+ static String createGssApiJaasConfig(final SelfContainedKerberosUserService kerberosUserService) {
+ final KerberosUser kerberosUser = kerberosUserService.createKerberosUser();
+ final AppConfigurationEntry configEntry = kerberosUser.getConfigurationEntry();
+
+ final StringBuilder configBuilder = new StringBuilder(configEntry.getLoginModuleName())
+ .append(" ").append(getControlFlagValue(configEntry.getControlFlag()));
+
+ final Map<String, ?> options = configEntry.getOptions();
+ options.entrySet().forEach((entry) -> {
+ configBuilder.append(" ").append(entry.getKey()).append("=");
+ final Object value = entry.getValue();
+ if (value instanceof String) {
+ configBuilder.append("\"").append((String)value).append("\"");
+ } else {
+ configBuilder.append(value);
+ }
+ });
+
+ configBuilder.append(";");
+ return configBuilder.toString();
+ }
+
+ private static String getControlFlagValue(final AppConfigurationEntry.LoginModuleControlFlag controlFlag) {
+ if (controlFlag == AppConfigurationEntry.LoginModuleControlFlag.OPTIONAL) {
+ return "optional";
+ } else if (controlFlag == AppConfigurationEntry.LoginModuleControlFlag.REQUIRED) {
+ return "required";
+ } else if (controlFlag == AppConfigurationEntry.LoginModuleControlFlag.REQUISITE) {
+ return "requisite";
+ } else if (controlFlag == AppConfigurationEntry.LoginModuleControlFlag.SUFFICIENT) {
+ return "sufficient";
}
+
+ throw new IllegalStateException("Unknown control flag: " + controlFlag.toString());
}
private static void setPlainJaasConfig(final Map<String, Object> mapToPopulate, final ProcessContext context) {
diff --git a/nifi-nar-bundles/nifi-kafka-bundle/nifi-kafka-2-6-processors/src/test/java/org/apache/nifi/processors/kafka/pubsub/KafkaProcessorUtilsTest.java b/nifi-nar-bundles/nifi-kafka-bundle/nifi-kafka-2-6-processors/src/test/java/org/apache/nifi/processors/kafka/pubsub/KafkaProcessorUtilsTest.java
index 1a20d2d..dceba0d 100644
--- a/nifi-nar-bundles/nifi-kafka-bundle/nifi-kafka-2-6-processors/src/test/java/org/apache/nifi/processors/kafka/pubsub/KafkaProcessorUtilsTest.java
+++ b/nifi-nar-bundles/nifi-kafka-bundle/nifi-kafka-2-6-processors/src/test/java/org/apache/nifi/processors/kafka/pubsub/KafkaProcessorUtilsTest.java
@@ -16,12 +16,20 @@
*/
package org.apache.nifi.processors.kafka.pubsub;
-import static org.junit.Assert.assertEquals;
-import static org.junit.Assert.assertTrue;
+import org.apache.nifi.kerberos.SelfContainedKerberosUserService;
+import org.apache.nifi.security.krb.KerberosUser;
+import org.junit.Test;
+import javax.security.auth.login.AppConfigurationEntry;
+import java.util.HashMap;
+import java.util.Map;
import java.util.function.Supplier;
-import org.junit.Test;
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertNotNull;
+import static org.junit.Assert.assertTrue;
+import static org.mockito.Mockito.mock;
+import static org.mockito.Mockito.when;
public class KafkaProcessorUtilsTest {
@@ -38,4 +46,27 @@ public class KafkaProcessorUtilsTest {
Supplier<String> prefix = KafkaProcessorUtils.getTransactionalIdSupplier(null);
assertEquals(36, prefix.get().length() );
}
+
+ @Test
+ public void testCreateJaasConfigFromKerberosUser() {
+ final String loginModule = "com.sun.security.auth.module.Krb5LoginModule";
+ final AppConfigurationEntry.LoginModuleControlFlag controlFlag = AppConfigurationEntry.LoginModuleControlFlag.REQUIRED;
+
+ final Map<String,String> options = new HashMap<>();
+ options.put("option1", "value1");
+ options.put("option2", "value2");
+
+ final AppConfigurationEntry configEntry = new AppConfigurationEntry(loginModule, controlFlag, options);
+
+ final KerberosUser kerberosUser = mock(KerberosUser.class);
+ when(kerberosUser.getConfigurationEntry()).thenReturn(configEntry);
+
+ final SelfContainedKerberosUserService kerberosUserService = mock(SelfContainedKerberosUserService.class);
+ when(kerberosUserService.createKerberosUser()).thenReturn(kerberosUser);
+
+ final String jaasConfig = KafkaProcessorUtils.createGssApiJaasConfig(kerberosUserService);
+ assertNotNull(jaasConfig);
+ assertEquals("com.sun.security.auth.module.Krb5LoginModule required option1=\"value1\" option2=\"value2\";", jaasConfig);
+ }
+
}
\ No newline at end of file
diff --git a/nifi-nar-bundles/nifi-kafka-bundle/nifi-kafka-2-6-processors/src/test/java/org/apache/nifi/processors/kafka/pubsub/TestConsumeKafkaRecord_2_6.java b/nifi-nar-bundles/nifi-kafka-bundle/nifi-kafka-2-6-processors/src/test/java/org/apache/nifi/processors/kafka/pubsub/TestConsumeKafkaRecord_2_6.java
index e694ac5..5d3f27a 100644
--- a/nifi-nar-bundles/nifi-kafka-bundle/nifi-kafka-2-6-processors/src/test/java/org/apache/nifi/processors/kafka/pubsub/TestConsumeKafkaRecord_2_6.java
+++ b/nifi-nar-bundles/nifi-kafka-bundle/nifi-kafka-2-6-processors/src/test/java/org/apache/nifi/processors/kafka/pubsub/TestConsumeKafkaRecord_2_6.java
@@ -201,7 +201,7 @@ public class TestConsumeKafkaRecord_2_6 {
runner.assertNotValid();
runner.setProperty(KafkaProcessorUtils.JAAS_SERVICE_NAME, "kafka");
- runner.assertValid();
+ runner.assertNotValid();
runner.setProperty(KafkaProcessorUtils.USER_PRINCIPAL, "nifi@APACHE.COM");
runner.assertNotValid();
diff --git a/nifi-nar-bundles/nifi-kafka-bundle/nifi-kafka-2-6-processors/src/test/java/org/apache/nifi/processors/kafka/pubsub/TestConsumeKafka_2_6.java b/nifi-nar-bundles/nifi-kafka-bundle/nifi-kafka-2-6-processors/src/test/java/org/apache/nifi/processors/kafka/pubsub/TestConsumeKafka_2_6.java
index 0b8f92f..a7c582b 100644
--- a/nifi-nar-bundles/nifi-kafka-bundle/nifi-kafka-2-6-processors/src/test/java/org/apache/nifi/processors/kafka/pubsub/TestConsumeKafka_2_6.java
+++ b/nifi-nar-bundles/nifi-kafka-bundle/nifi-kafka-2-6-processors/src/test/java/org/apache/nifi/processors/kafka/pubsub/TestConsumeKafka_2_6.java
@@ -18,6 +18,10 @@ package org.apache.nifi.processors.kafka.pubsub;
import org.apache.kafka.clients.consumer.ConsumerConfig;
import org.apache.kafka.common.serialization.ByteArrayDeserializer;
+import org.apache.nifi.kerberos.KerberosCredentialsService;
+import org.apache.nifi.kerberos.KerberosUserService;
+import org.apache.nifi.kerberos.SelfContainedKerberosUserService;
+import org.apache.nifi.reporting.InitializationException;
import org.apache.nifi.util.TestRunner;
import org.apache.nifi.util.TestRunners;
import org.junit.Before;
@@ -26,6 +30,7 @@ import org.junit.Test;
import static org.junit.Assert.assertTrue;
import static org.junit.Assert.fail;
import static org.mockito.Mockito.mock;
+import static org.mockito.Mockito.when;
public class TestConsumeKafka_2_6 {
@@ -93,7 +98,7 @@ public class TestConsumeKafka_2_6 {
}
@Test
- public void testJaasConfiguration() throws Exception {
+ public void testJaasGssApiConfiguration() throws Exception {
ConsumeKafka_2_6 consumeKafka = new ConsumeKafka_2_6();
TestRunner runner = TestRunners.newTestRunner(consumeKafka);
runner.setProperty(KafkaProcessorUtils.BOOTSTRAP_SERVERS, "okeydokey:1234");
@@ -102,10 +107,11 @@ public class TestConsumeKafka_2_6 {
runner.setProperty(ConsumeKafka_2_6.AUTO_OFFSET_RESET, ConsumeKafka_2_6.OFFSET_EARLIEST);
runner.setProperty(KafkaProcessorUtils.SECURITY_PROTOCOL, KafkaProcessorUtils.SEC_SASL_PLAINTEXT);
+ runner.setProperty(KafkaProcessorUtils.SASL_MECHANISM, KafkaProcessorUtils.GSSAPI_VALUE);
runner.assertNotValid();
runner.setProperty(KafkaProcessorUtils.JAAS_SERVICE_NAME, "kafka");
- runner.assertValid();
+ runner.assertNotValid();
runner.setProperty(KafkaProcessorUtils.USER_PRINCIPAL, "nifi@APACHE.COM");
runner.assertNotValid();
@@ -123,6 +129,40 @@ public class TestConsumeKafka_2_6 {
runner.setProperty(KafkaProcessorUtils.USER_KEYTAB, "${keytab}");
runner.setProperty(KafkaProcessorUtils.JAAS_SERVICE_NAME, "${service}");
runner.assertValid();
+
+ final KerberosUserService kerberosUserService = enableKerberosUserService(runner);
+ runner.setProperty(KafkaProcessorUtils.SELF_CONTAINED_KERBEROS_USER_SERVICE, kerberosUserService.getIdentifier());
+ runner.assertNotValid();
+
+ runner.removeProperty(KafkaProcessorUtils.USER_PRINCIPAL);
+ runner.removeProperty(KafkaProcessorUtils.USER_KEYTAB);
+ runner.assertValid();
+
+ final KerberosCredentialsService kerberosCredentialsService = enabledKerberosCredentialsService(runner);
+ runner.setProperty(KafkaProcessorUtils.KERBEROS_CREDENTIALS_SERVICE, kerberosCredentialsService.getIdentifier());
+ runner.assertNotValid();
+
+ runner.removeProperty(KafkaProcessorUtils.SELF_CONTAINED_KERBEROS_USER_SERVICE);
+ runner.assertValid();
+ }
+
+ private SelfContainedKerberosUserService enableKerberosUserService(final TestRunner runner) throws InitializationException {
+ final SelfContainedKerberosUserService kerberosUserService = mock(SelfContainedKerberosUserService.class);
+ when(kerberosUserService.getIdentifier()).thenReturn("userService1");
+ runner.addControllerService(kerberosUserService.getIdentifier(), kerberosUserService);
+ runner.enableControllerService(kerberosUserService);
+ return kerberosUserService;
+ }
+
+ private KerberosCredentialsService enabledKerberosCredentialsService(final TestRunner runner) throws InitializationException {
+ final KerberosCredentialsService credentialsService = mock(KerberosCredentialsService.class);
+ when(credentialsService.getIdentifier()).thenReturn("credsService1");
+ when(credentialsService.getPrincipal()).thenReturn("principal1");
+ when(credentialsService.getKeytab()).thenReturn("keytab1");
+
+ runner.addControllerService(credentialsService.getIdentifier(), credentialsService);
+ runner.enableControllerService(credentialsService);
+ return credentialsService;
}
}
diff --git a/nifi-nar-bundles/nifi-kudu-bundle/nifi-kudu-processors/src/test/java/org/apache/nifi/processors/kudu/MockPutKudu.java b/nifi-nar-bundles/nifi-kudu-bundle/nifi-kudu-processors/src/test/java/org/apache/nifi/processors/kudu/MockPutKudu.java
index f394c0c..367edb2 100644
--- a/nifi-nar-bundles/nifi-kudu-bundle/nifi-kudu-processors/src/test/java/org/apache/nifi/processors/kudu/MockPutKudu.java
+++ b/nifi-nar-bundles/nifi-kudu-bundle/nifi-kudu-processors/src/test/java/org/apache/nifi/processors/kudu/MockPutKudu.java
@@ -33,10 +33,12 @@ import org.apache.nifi.processor.ProcessContext;
import org.apache.nifi.security.krb.KerberosUser;
import org.apache.nifi.serialization.record.Record;
+import javax.security.auth.login.AppConfigurationEntry;
import java.security.PrivilegedAction;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.util.Arrays;
+import java.util.Collections;
import java.util.List;
import java.util.LinkedList;
import java.util.concurrent.atomic.AtomicReference;
@@ -175,6 +177,11 @@ public class MockPutKudu extends PutKudu {
}
@Override
+ public <T> T doAs(PrivilegedAction<T> action, ClassLoader contextClassLoader) throws IllegalStateException {
+ return action.run();
+ }
+
+ @Override
public <T> T doAs(final PrivilegedExceptionAction<T> action) throws IllegalStateException, PrivilegedActionException {
try {
return action.run();
@@ -184,6 +191,15 @@ public class MockPutKudu extends PutKudu {
}
@Override
+ public <T> T doAs(PrivilegedExceptionAction<T> action, ClassLoader contextClassLoader) throws IllegalStateException, PrivilegedActionException {
+ try {
+ return action.run();
+ } catch (Exception e) {
+ throw new PrivilegedActionException(e);
+ }
+ }
+
+ @Override
public boolean checkTGTAndRelogin() {
return true;
}
@@ -197,6 +213,11 @@ public class MockPutKudu extends PutKudu {
public String getPrincipal() {
return principal;
}
+
+ @Override
+ public AppConfigurationEntry getConfigurationEntry() {
+ return new AppConfigurationEntry("LoginModule", AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, Collections.emptyMap());
+ }
};
}
diff --git a/nifi-nar-bundles/nifi-parquet-bundle/nifi-parquet-processors/pom.xml b/nifi-nar-bundles/nifi-parquet-bundle/nifi-parquet-processors/pom.xml
index cd47ede..aabfc82 100644
--- a/nifi-nar-bundles/nifi-parquet-bundle/nifi-parquet-processors/pom.xml
+++ b/nifi-nar-bundles/nifi-parquet-bundle/nifi-parquet-processors/pom.xml
@@ -81,6 +81,10 @@
<groupId>org.apache.nifi</groupId>
<artifactId>nifi-kerberos-credentials-service-api</artifactId>
</dependency>
+ <dependency>
+ <groupId>org.apache.nifi</groupId>
+ <artifactId>nifi-kerberos-user-service-api</artifactId>
+ </dependency>
<!-- Test dependencies -->
<dependency>
<groupId>org.apache.nifi</groupId>
diff --git a/nifi-nar-bundles/nifi-standard-services/nifi-kerberos-user-service-api/pom.xml b/nifi-nar-bundles/nifi-standard-services/nifi-kerberos-user-service-api/pom.xml
new file mode 100644
index 0000000..a37d619
--- /dev/null
+++ b/nifi-nar-bundles/nifi-standard-services/nifi-kerberos-user-service-api/pom.xml
@@ -0,0 +1,35 @@
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
+ <!--
+ Licensed to the Apache Software Foundation (ASF) under one or more
+ contributor license agreements. See the NOTICE file distributed with
+ this work for additional information regarding copyright ownership.
+ The ASF licenses this file to You under the Apache License, Version 2.0
+ (the "License"); you may not use this file except in compliance with
+ the License. You may obtain a copy of the License at
+ http://www.apache.org/licenses/LICENSE-2.0
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+ -->
+ <modelVersion>4.0.0</modelVersion>
+ <parent>
+ <groupId>org.apache.nifi</groupId>
+ <artifactId>nifi-standard-services</artifactId>
+ <version>1.15.0-SNAPSHOT</version>
+ </parent>
+ <artifactId>nifi-kerberos-user-service-api</artifactId>
+ <packaging>jar</packaging>
+ <dependencies>
+ <dependency>
+ <groupId>org.apache.nifi</groupId>
+ <artifactId>nifi-api</artifactId>
+ </dependency>
+ <dependency>
+ <groupId>org.apache.nifi</groupId>
+ <artifactId>nifi-security-kerberos-api</artifactId>
+ <version>1.15.0-SNAPSHOT</version>
+ </dependency>
+ </dependencies>
+</project>
diff --git a/nifi-nar-bundles/nifi-standard-services/nifi-kerberos-user-service-api/src/main/java/org/apache/nifi/kerberos/KerberosUserService.java b/nifi-nar-bundles/nifi-standard-services/nifi-kerberos-user-service-api/src/main/java/org/apache/nifi/kerberos/KerberosUserService.java
new file mode 100644
index 0000000..6c816ac
--- /dev/null
+++ b/nifi-nar-bundles/nifi-standard-services/nifi-kerberos-user-service-api/src/main/java/org/apache/nifi/kerberos/KerberosUserService.java
@@ -0,0 +1,40 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.nifi.kerberos;
+
+import org.apache.nifi.controller.ControllerService;
+import org.apache.nifi.security.krb.KerberosUser;
+
+/**
+ * Creates a KerberosUser which can be used for performing Kerberos authentication. Implementations should not cache a
+ * KerberosUser and return it to multiple callers, as any given caller could call logout and thus impact other callers
+ * with the same instance.
+ *
+ * It is the responsibility of the consumer to manage the lifecycle of the user by calling login and logout
+ * appropriately. Generally the KerberosAction class should be used to execute an action as the given user with
+ * proper handling of login/re-login.
+ */
+public interface KerberosUserService extends ControllerService {
+
+ /**
+ * Creates and returns a new instance of KerberosUser based on the configuration of the implementing service.
+ *
+ * @return a new KerberosUser instance
+ */
+ KerberosUser createKerberosUser();
+
+}
diff --git a/nifi-nar-bundles/nifi-kafka-bundle/nifi-kafka-2-6-processors/src/test/java/org/apache/nifi/processors/kafka/pubsub/KafkaProcessorUtilsTest.java b/nifi-nar-bundles/nifi-standard-services/nifi-kerberos-user-service-api/src/main/java/org/apache/nifi/kerberos/SelfContainedKerberosUserService.java
similarity index 53%
copy from nifi-nar-bundles/nifi-kafka-bundle/nifi-kafka-2-6-processors/src/test/java/org/apache/nifi/processors/kafka/pubsub/KafkaProcessorUtilsTest.java
copy to nifi-nar-bundles/nifi-standard-services/nifi-kerberos-user-service-api/src/main/java/org/apache/nifi/kerberos/SelfContainedKerberosUserService.java
index 1a20d2d..cbe0034 100644
--- a/nifi-nar-bundles/nifi-kafka-bundle/nifi-kafka-2-6-processors/src/test/java/org/apache/nifi/processors/kafka/pubsub/KafkaProcessorUtilsTest.java
+++ b/nifi-nar-bundles/nifi-standard-services/nifi-kerberos-user-service-api/src/main/java/org/apache/nifi/kerberos/SelfContainedKerberosUserService.java
@@ -14,28 +14,16 @@
* See the License for the specific language governing permissions and
* limitations under the License.
*/
-package org.apache.nifi.processors.kafka.pubsub;
+package org.apache.nifi.kerberos;
-import static org.junit.Assert.assertEquals;
-import static org.junit.Assert.assertTrue;
-
-import java.util.function.Supplier;
-
-import org.junit.Test;
-
-public class KafkaProcessorUtilsTest {
-
- @Test
- public void getTransactionalIdSupplierWithPrefix() {
- Supplier<String> prefix = KafkaProcessorUtils.getTransactionalIdSupplier("prefix");
- String id = prefix.get();
- assertTrue(id.startsWith("prefix"));
- assertEquals(42, id.length());
- }
+/**
+ * A KerberosUserService where calling getConfigurationEntry() on the returned KerberosUser will produce a self-contained
+ * JAAS AppConfigurationEntry that can be used to perform a login.
+ *
+ * As an example, keytab-based login with Krb5LoginModule is self-contained because the AppConfigurationEntry has the principal
+ * and keytab location which is all the information required to perform the login, whereas password-based login with Krb5LoginModule
+ * is not self-contained because a specific CallbackHandler must be configured to provide the username & password.
+ */
+public interface SelfContainedKerberosUserService extends KerberosUserService {
- @Test
- public void getTransactionalIdSupplierWithEmptyPrefix() {
- Supplier<String> prefix = KafkaProcessorUtils.getTransactionalIdSupplier(null);
- assertEquals(36, prefix.get().length() );
- }
-}
\ No newline at end of file
+}
diff --git a/nifi-nar-bundles/nifi-standard-services/nifi-kerberos-user-service-bundle/nifi-kerberos-user-service-nar/pom.xml b/nifi-nar-bundles/nifi-standard-services/nifi-kerberos-user-service-bundle/nifi-kerberos-user-service-nar/pom.xml
new file mode 100644
index 0000000..bbaa29a
--- /dev/null
+++ b/nifi-nar-bundles/nifi-standard-services/nifi-kerberos-user-service-bundle/nifi-kerberos-user-service-nar/pom.xml
@@ -0,0 +1,37 @@
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
+ <!--
+ Licensed to the Apache Software Foundation (ASF) under one or more
+ contributor license agreements. See the NOTICE file distributed with
+ this work for additional information regarding copyright ownership.
+ The ASF licenses this file to You under the Apache License, Version 2.0
+ (the "License"); you may not use this file except in compliance with
+ the License. You may obtain a copy of the License at
+ http://www.apache.org/licenses/LICENSE-2.0
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+ -->
+ <modelVersion>4.0.0</modelVersion>
+ <parent>
+ <groupId>org.apache.nifi</groupId>
+ <artifactId>nifi-kerberos-user-service-bundle</artifactId>
+ <version>1.15.0-SNAPSHOT</version>
+ </parent>
+ <artifactId>nifi-kerberos-user-service-nar</artifactId>
+ <packaging>nar</packaging>
+ <dependencies>
+ <dependency>
+ <groupId>org.apache.nifi</groupId>
+ <artifactId>nifi-standard-services-api-nar</artifactId>
+ <version>1.15.0-SNAPSHOT</version>
+ <type>nar</type>
+ </dependency>
+ <dependency>
+ <groupId>org.apache.nifi</groupId>
+ <artifactId>nifi-kerberos-user-service</artifactId>
+ <version>1.15.0-SNAPSHOT</version>
+ </dependency>
+ </dependencies>
+</project>
diff --git a/nifi-nar-bundles/nifi-standard-services/nifi-kerberos-user-service-bundle/nifi-kerberos-user-service-nar/src/main/resources/META-INF/LICENSE b/nifi-nar-bundles/nifi-standard-services/nifi-kerberos-user-service-bundle/nifi-kerberos-user-service-nar/src/main/resources/META-INF/LICENSE
new file mode 100644
index 0000000..f3c8ece
--- /dev/null
+++ b/nifi-nar-bundles/nifi-standard-services/nifi-kerberos-user-service-bundle/nifi-kerberos-user-service-nar/src/main/resources/META-INF/LICENSE
@@ -0,0 +1,209 @@
+
+ Apache License
+ Version 2.0, January 2004
+ http://www.apache.org/licenses/
+
+ TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+ 1. Definitions.
+
+ "License" shall mean the terms and conditions for use, reproduction,
+ and distribution as defined by Sections 1 through 9 of this document.
+
+ "Licensor" shall mean the copyright owner or entity authorized by
+ the copyright owner that is granting the License.
+
+ "Legal Entity" shall mean the union of the acting entity and all
+ other entities that control, are controlled by, or are under common
+ control with that entity. For the purposes of this definition,
+ "control" means (i) the power, direct or indirect, to cause the
+ direction or management of such entity, whether by contract or
+ otherwise, or (ii) ownership of fifty percent (50%) or more of the
+ outstanding shares, or (iii) beneficial ownership of such entity.
+
+ "You" (or "Your") shall mean an individual or Legal Entity
+ exercising permissions granted by this License.
+
+ "Source" form shall mean the preferred form for making modifications,
+ including but not limited to software source code, documentation
+ source, and configuration files.
+
+ "Object" form shall mean any form resulting from mechanical
+ transformation or translation of a Source form, including but
+ not limited to compiled object code, generated documentation,
+ and conversions to other media types.
+
+ "Work" shall mean the work of authorship, whether in Source or
+ Object form, made available under the License, as indicated by a
+ copyright notice that is included in or attached to the work
+ (an example is provided in the Appendix below).
+
+ "Derivative Works" shall mean any work, whether in Source or Object
+ form, that is based on (or derived from) the Work and for which the
+ editorial revisions, annotations, elaborations, or other modifications
+ represent, as a whole, an original work of authorship. For the purposes
+ of this License, Derivative Works shall not include works that remain
+ separable from, or merely link (or bind by name) to the interfaces of,
+ the Work and Derivative Works thereof.
+
+ "Contribution" shall mean any work of authorship, including
+ the original version of the Work and any modifications or additions
+ to that Work or Derivative Works thereof, that is intentionally
+ submitted to Licensor for inclusion in the Work by the copyright owner
+ or by an individual or Legal Entity authorized to submit on behalf of
+ the copyright owner. For the purposes of this definition, "submitted"
+ means any form of electronic, verbal, or written communication sent
+ to the Licensor or its representatives, including but not limited to
+ communication on electronic mailing lists, source code control systems,
+ and issue tracking systems that are managed by, or on behalf of, the
+ Licensor for the purpose of discussing and improving the Work, but
+ excluding communication that is conspicuously marked or otherwise
+ designated in writing by the copyright owner as "Not a Contribution."
+
+ "Contributor" shall mean Licensor and any individual or Legal Entity
+ on behalf of whom a Contribution has been received by Licensor and
+ subsequently incorporated within the Work.
+
+ 2. Grant of Copyright License. Subject to the terms and conditions of
+ this License, each Contributor hereby grants to You a perpetual,
+ worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+ copyright license to reproduce, prepare Derivative Works of,
+ publicly display, publicly perform, sublicense, and distribute the
+ Work and such Derivative Works in Source or Object form.
+
+ 3. Grant of Patent License. Subject to the terms and conditions of
+ this License, each Contributor hereby grants to You a perpetual,
+ worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+ (except as stated in this section) patent license to make, have made,
+ use, offer to sell, sell, import, and otherwise transfer the Work,
+ where such license applies only to those patent claims licensable
+ by such Contributor that are necessarily infringed by their
+ Contribution(s) alone or by combination of their Contribution(s)
+ with the Work to which such Contribution(s) was submitted. If You
+ institute patent litigation against any entity (including a
+ cross-claim or counterclaim in a lawsuit) alleging that the Work
+ or a Contribution incorporated within the Work constitutes direct
+ or contributory patent infringement, then any patent licenses
+ granted to You under this License for that Work shall terminate
+ as of the date such litigation is filed.
+
+ 4. Redistribution. You may reproduce and distribute copies of the
+ Work or Derivative Works thereof in any medium, with or without
+ modifications, and in Source or Object form, provided that You
+ meet the following conditions:
+
+ (a) You must give any other recipients of the Work or
+ Derivative Works a copy of this License; and
+
+ (b) You must cause any modified files to carry prominent notices
+ stating that You changed the files; and
+
+ (c) You must retain, in the Source form of any Derivative Works
+ that You distribute, all copyright, patent, trademark, and
+ attribution notices from the Source form of the Work,
+ excluding those notices that do not pertain to any part of
+ the Derivative Works; and
+
+ (d) If the Work includes a "NOTICE" text file as part of its
+ distribution, then any Derivative Works that You distribute must
+ include a readable copy of the attribution notices contained
+ within such NOTICE file, excluding those notices that do not
+ pertain to any part of the Derivative Works, in at least one
+ of the following places: within a NOTICE text file distributed
+ as part of the Derivative Works; within the Source form or
+ documentation, if provided along with the Derivative Works; or,
+ within a display generated by the Derivative Works, if and
+ wherever such third-party notices normally appear. The contents
+ of the NOTICE file are for informational purposes only and
+ do not modify the License. You may add Your own attribution
+ notices within Derivative Works that You distribute, alongside
+ or as an addendum to the NOTICE text from the Work, provided
+ that such additional attribution notices cannot be construed
+ as modifying the License.
+
+ You may add Your own copyright statement to Your modifications and
+ may provide additional or different license terms and conditions
+ for use, reproduction, or distribution of Your modifications, or
+ for any such Derivative Works as a whole, provided Your use,
+ reproduction, and distribution of the Work otherwise complies with
+ the conditions stated in this License.
+
+ 5. Submission of Contributions. Unless You explicitly state otherwise,
+ any Contribution intentionally submitted for inclusion in the Work
+ by You to the Licensor shall be under the terms and conditions of
+ this License, without any additional terms or conditions.
+ Notwithstanding the above, nothing herein shall supersede or modify
+ the terms of any separate license agreement you may have executed
+ with Licensor regarding such Contributions.
+
+ 6. Trademarks. This License does not grant permission to use the trade
+ names, trademarks, service marks, or product names of the Licensor,
+ except as required for reasonable and customary use in describing the
+ origin of the Work and reproducing the content of the NOTICE file.
+
+ 7. Disclaimer of Warranty. Unless required by applicable law or
+ agreed to in writing, Licensor provides the Work (and each
+ Contributor provides its Contributions) on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ implied, including, without limitation, any warranties or conditions
+ of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+ PARTICULAR PURPOSE. You are solely responsible for determining the
+ appropriateness of using or redistributing the Work and assume any
+ risks associated with Your exercise of permissions under this License.
+
+ 8. Limitation of Liability. In no event and under no legal theory,
+ whether in tort (including negligence), contract, or otherwise,
+ unless required by applicable law (such as deliberate and grossly
+ negligent acts) or agreed to in writing, shall any Contributor be
+ liable to You for damages, including any direct, indirect, special,
+ incidental, or consequential damages of any character arising as a
+ result of this License or out of the use or inability to use the
+ Work (including but not limited to damages for loss of goodwill,
+ work stoppage, computer failure or malfunction, or any and all
+ other commercial damages or losses), even if such Contributor
+ has been advised of the possibility of such damages.
+
+ 9. Accepting Warranty or Additional Liability. While redistributing
+ the Work or Derivative Works thereof, You may choose to offer,
+ and charge a fee for, acceptance of support, warranty, indemnity,
+ or other liability obligations and/or rights consistent with this
+ License. However, in accepting such obligations, You may act only
+ on Your own behalf and on Your sole responsibility, not on behalf
+ of any other Contributor, and only if You agree to indemnify,
+ defend, and hold each Contributor harmless for any liability
+ incurred by, or claims asserted against, such Contributor by reason
+ of your accepting any such warranty or additional liability.
+
+ END OF TERMS AND CONDITIONS
+
+ APPENDIX: How to apply the Apache License to your work.
+
+ To apply the Apache License to your work, attach the following
+ boilerplate notice, with the fields enclosed by brackets "[]"
+ replaced with your own identifying information. (Don't include
+ the brackets!) The text should be enclosed in the appropriate
+ comment syntax for the file format. We also recommend that a
+ file or class name and description of purpose be included on the
+ same "printed page" as the copyright notice for easier
+ identification within third-party archives.
+
+ Copyright [yyyy] [name of copyright owner]
+
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+
+APACHE NIFI SUBCOMPONENTS:
+
+The Apache NiFi project contains subcomponents with separate copyright
+notices and license terms. Your use of the source code for the these
+subcomponents is subject to the terms and conditions of the following
+licenses.
diff --git a/nifi-nar-bundles/nifi-standard-services/nifi-kerberos-user-service-bundle/nifi-kerberos-user-service-nar/src/main/resources/META-INF/NOTICE b/nifi-nar-bundles/nifi-standard-services/nifi-kerberos-user-service-bundle/nifi-kerberos-user-service-nar/src/main/resources/META-INF/NOTICE
new file mode 100644
index 0000000..308835e
--- /dev/null
+++ b/nifi-nar-bundles/nifi-standard-services/nifi-kerberos-user-service-bundle/nifi-kerberos-user-service-nar/src/main/resources/META-INF/NOTICE
@@ -0,0 +1,20 @@
+nifi-kerberos-user-service-nar
+Copyright 2014-2021 The Apache Software Foundation
+
+This product includes software developed at
+The Apache Software Foundation (http://www.apache.org/).
+
+******************
+Apache Software License v2
+******************
+
+The following binary components are provided under the Apache Software License v2
+
+ (ASLv2) Apache Commons Lang
+ The following NOTICE information applies:
+ Apache Commons Lang
+ Copyright 2001-2017 The Apache Software Foundation
+
+ This product includes software from the Spring Framework,
+ under the Apache License 2.0 (see: StringUtils.containsWhitespace())
+
diff --git a/nifi-nar-bundles/nifi-standard-services/nifi-kerberos-user-service-bundle/nifi-kerberos-user-service/pom.xml b/nifi-nar-bundles/nifi-standard-services/nifi-kerberos-user-service-bundle/nifi-kerberos-user-service/pom.xml
new file mode 100644
index 0000000..0c1b9cb
--- /dev/null
+++ b/nifi-nar-bundles/nifi-standard-services/nifi-kerberos-user-service-bundle/nifi-kerberos-user-service/pom.xml
@@ -0,0 +1,41 @@
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
+ <!-- Licensed to the Apache Software Foundation (ASF) under one or more
+ contributor license agreements. See the NOTICE file distributed with this
+ work for additional information regarding copyright ownership. The ASF licenses
+ this file to You under the Apache License, Version 2.0 (the "License"); you
+ may not use this file except in compliance with the License. You may obtain
+ a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 Unless
+ required by applicable law or agreed to in writing, software distributed
+ under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES
+ OR CONDITIONS OF ANY KIND, either express or implied. See the License for
+ the specific language governing permissions and limitations under the License. -->
+ <modelVersion>4.0.0</modelVersion>
+ <parent>
+ <groupId>org.apache.nifi</groupId>
+ <artifactId>nifi-kerberos-user-service-bundle</artifactId>
+ <version>1.15.0-SNAPSHOT</version>
+ </parent>
+ <artifactId>nifi-kerberos-user-service</artifactId>
+ <packaging>jar</packaging>
+
+ <dependencies>
+ <dependency>
+ <groupId>org.apache.nifi</groupId>
+ <artifactId>nifi-api</artifactId>
+ </dependency>
+ <dependency>
+ <groupId>org.apache.nifi</groupId>
+ <artifactId>nifi-kerberos-user-service-api</artifactId>
+ </dependency>
+ <dependency>
+ <groupId>org.apache.nifi</groupId>
+ <artifactId>nifi-security-kerberos</artifactId>
+ <version>1.15.0-SNAPSHOT</version>
+ </dependency>
+ <dependency>
+ <groupId>org.apache.nifi</groupId>
+ <artifactId>nifi-utils</artifactId>
+ <version>1.15.0-SNAPSHOT</version>
+ </dependency>
+ </dependencies>
+</project>
diff --git a/nifi-nar-bundles/nifi-standard-services/nifi-kerberos-user-service-bundle/nifi-kerberos-user-service/src/main/java/org/apache/nifi/kerberos/AbstractKerberosUserService.java b/nifi-nar-bundles/nifi-standard-services/nifi-kerberos-user-service-bundle/nifi-kerberos-user-service/src/main/java/org/apache/nifi/kerberos/AbstractKerberosUserService.java
new file mode 100644
index 0000000..2b24959
--- /dev/null
+++ b/nifi-nar-bundles/nifi-standard-services/nifi-kerberos-user-service-bundle/nifi-kerberos-user-service/src/main/java/org/apache/nifi/kerberos/AbstractKerberosUserService.java
@@ -0,0 +1,114 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.nifi.kerberos;
+
+import org.apache.nifi.annotation.lifecycle.OnEnabled;
+import org.apache.nifi.components.PropertyDescriptor;
+import org.apache.nifi.components.ValidationContext;
+import org.apache.nifi.components.ValidationResult;
+import org.apache.nifi.controller.AbstractControllerService;
+import org.apache.nifi.controller.ConfigurationContext;
+import org.apache.nifi.controller.ControllerServiceInitializationContext;
+import org.apache.nifi.expression.ExpressionLanguageScope;
+import org.apache.nifi.processor.util.StandardValidators;
+import org.apache.nifi.reporting.InitializationException;
+
+import java.io.File;
+import java.util.ArrayList;
+import java.util.Collection;
+import java.util.List;
+
+/**
+ * Base class for KerberosUserService implementations.
+ */
+public abstract class AbstractKerberosUserService extends AbstractControllerService implements KerberosUserService {
+
+ static final PropertyDescriptor PRINCIPAL = new PropertyDescriptor.Builder()
+ .name("Kerberos Principal")
+ .description("Kerberos principal to authenticate as. Requires nifi.kerberos.krb5.file to be set in your nifi.properties")
+ .addValidator(StandardValidators.NON_BLANK_VALIDATOR)
+ .expressionLanguageSupported(ExpressionLanguageScope.VARIABLE_REGISTRY)
+ .required(true)
+ .build();
+
+ private File kerberosConfigFile;
+ private volatile String principal;
+
+ @Override
+ protected final void init(final ControllerServiceInitializationContext config) throws InitializationException {
+ kerberosConfigFile = config.getKerberosConfigurationFile();
+ }
+
+ @Override
+ protected Collection<ValidationResult> customValidate(final ValidationContext validationContext) {
+ final List<ValidationResult> results = new ArrayList<>();
+
+ // Check that the Kerberos configuration is set
+ if (kerberosConfigFile == null) {
+ results.add(new ValidationResult.Builder()
+ .subject("Kerberos Configuration File")
+ .valid(false)
+ .explanation("The nifi.kerberos.krb5.file property must be set in nifi.properties in order to use Kerberos authentication")
+ .build());
+ } else if (!kerberosConfigFile.canRead()) {
+ // Check that the Kerberos configuration is readable
+ results.add(new ValidationResult.Builder()
+ .subject("Kerberos Configuration File")
+ .valid(false)
+ .explanation("Unable to read configured Kerberos Configuration File " + kerberosConfigFile.getAbsolutePath() + ", which is specified in nifi.properties. "
+ + "Please ensure that the path is valid and that NiFi has adequate permissions to read the file.")
+ .build());
+ }
+
+ return results;
+ }
+
+ @Override
+ protected List<PropertyDescriptor> getSupportedPropertyDescriptors() {
+ final List<PropertyDescriptor> properties = new ArrayList<>(2);
+ properties.add(PRINCIPAL);
+ properties.addAll(getAdditionalProperties());
+ return properties;
+ }
+
+ @OnEnabled
+ public void setConfiguredValues(final ConfigurationContext context) {
+ this.principal = context.getProperty(PRINCIPAL).evaluateAttributeExpressions().getValue();
+ setAdditionalConfiguredValues(context);
+ }
+
+ /**
+ * @return the configured principal
+ */
+ protected String getPrincipal() {
+ return principal;
+ }
+
+ /**
+ * @return a non-null list additional properties to add
+ */
+ protected abstract List<PropertyDescriptor> getAdditionalProperties();
+
+ /**
+ * Allow sub-classes to obtain additional configuration values during @OnEnabled.
+ *
+ * @param context the config context
+ */
+ protected abstract void setAdditionalConfiguredValues(final ConfigurationContext context);
+
+
+}
diff --git a/nifi-nar-bundles/nifi-standard-services/nifi-kerberos-user-service-bundle/nifi-kerberos-user-service/src/main/java/org/apache/nifi/kerberos/KerberosKeytabUserService.java b/nifi-nar-bundles/nifi-standard-services/nifi-kerberos-user-service-bundle/nifi-kerberos-user-service/src/main/java/org/apache/nifi/kerberos/KerberosKeytabUserService.java
new file mode 100644
index 0000000..b3359bc
--- /dev/null
+++ b/nifi-nar-bundles/nifi-standard-services/nifi-kerberos-user-service-bundle/nifi-kerberos-user-service/src/main/java/org/apache/nifi/kerberos/KerberosKeytabUserService.java
@@ -0,0 +1,70 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.nifi.kerberos;
+
+import org.apache.nifi.annotation.behavior.Restricted;
+import org.apache.nifi.annotation.behavior.Restriction;
+import org.apache.nifi.annotation.documentation.CapabilityDescription;
+import org.apache.nifi.annotation.documentation.Tags;
+import org.apache.nifi.components.PropertyDescriptor;
+import org.apache.nifi.components.RequiredPermission;
+import org.apache.nifi.components.resource.ResourceCardinality;
+import org.apache.nifi.components.resource.ResourceType;
+import org.apache.nifi.controller.ConfigurationContext;
+import org.apache.nifi.expression.ExpressionLanguageScope;
+import org.apache.nifi.security.krb.KerberosKeytabUser;
+import org.apache.nifi.security.krb.KerberosUser;
+
+import java.util.Collections;
+import java.util.List;
+
+@CapabilityDescription("Provides a mechanism for creating a KerberosUser from a principal and keytab that other components are able to use in order to "
+ + "perform authentication using Kerberos. By encapsulating this information into a Controller Service and allowing other components to make use of it "
+ + "(as opposed to specifying the principal and keytab directly in the processor) an administrator is able to choose which users are allowed to "
+ + "use which keytabs and principals. This provides a more robust security model for multi-tenant use cases.")
+@Tags({"Kerberos", "Keytab", "Principal", "Credentials", "Authentication", "Security"})
+@Restricted(restrictions = {
+ @Restriction(requiredPermission = RequiredPermission.ACCESS_KEYTAB, explanation = "Allows user to define a Keytab and principal that can then be used by other components.")
+})
+public class KerberosKeytabUserService extends AbstractKerberosUserService implements SelfContainedKerberosUserService {
+
+ static final PropertyDescriptor KEYTAB = new PropertyDescriptor.Builder()
+ .name("Kerberos Keytab")
+ .description("Kerberos keytab associated with the principal.")
+ .identifiesExternalResource(ResourceCardinality.SINGLE, ResourceType.FILE)
+ .expressionLanguageSupported(ExpressionLanguageScope.VARIABLE_REGISTRY)
+ .required(true)
+ .build();
+
+ private volatile String keytab;
+
+ @Override
+ protected List<PropertyDescriptor> getAdditionalProperties() {
+ return Collections.singletonList(KEYTAB);
+ }
+
+ @Override
+ protected void setAdditionalConfiguredValues(final ConfigurationContext context) {
+ this.keytab = context.getProperty(KEYTAB).evaluateAttributeExpressions().getValue();
+ }
+
+ @Override
+ public KerberosUser createKerberosUser() {
+ return new KerberosKeytabUser(getPrincipal(), keytab);
+ }
+
+}
diff --git a/nifi-nar-bundles/nifi-standard-services/nifi-kerberos-user-service-bundle/nifi-kerberos-user-service/src/main/java/org/apache/nifi/kerberos/KerberosPasswordUserService.java b/nifi-nar-bundles/nifi-standard-services/nifi-kerberos-user-service-bundle/nifi-kerberos-user-service/src/main/java/org/apache/nifi/kerberos/KerberosPasswordUserService.java
new file mode 100644
index 0000000..943d49a
--- /dev/null
+++ b/nifi-nar-bundles/nifi-standard-services/nifi-kerberos-user-service-bundle/nifi-kerberos-user-service/src/main/java/org/apache/nifi/kerberos/KerberosPasswordUserService.java
@@ -0,0 +1,60 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.nifi.kerberos;
+
+import org.apache.nifi.annotation.documentation.CapabilityDescription;
+import org.apache.nifi.annotation.documentation.Tags;
+import org.apache.nifi.components.PropertyDescriptor;
+import org.apache.nifi.controller.ConfigurationContext;
+import org.apache.nifi.processor.util.StandardValidators;
+import org.apache.nifi.security.krb.KerberosPasswordUser;
+import org.apache.nifi.security.krb.KerberosUser;
+
+import java.util.Collections;
+import java.util.List;
+
+@CapabilityDescription("Provides a mechanism for creating a KerberosUser from a principal and password that other " +
+ "components are able to use in order to perform authentication using Kerberos.")
+@Tags({"Kerberos", "Password", "Principal", "Credentials", "Authentication", "Security"})
+public class KerberosPasswordUserService extends AbstractKerberosUserService {
+
+ static final PropertyDescriptor PASSWORD = new PropertyDescriptor.Builder()
+ .name("Kerberos Password")
+ .description("Kerberos password associated with the principal.")
+ .addValidator(StandardValidators.NON_EMPTY_VALIDATOR)
+ .required(true)
+ .sensitive(true)
+ .build();
+
+ private volatile String password;
+
+ @Override
+ protected List<PropertyDescriptor> getAdditionalProperties() {
+ return Collections.singletonList(PASSWORD);
+ }
+
+ @Override
+ protected void setAdditionalConfiguredValues(final ConfigurationContext context) {
+ this.password = context.getProperty(PASSWORD).evaluateAttributeExpressions().getValue();
+ }
+
+ @Override
+ public KerberosUser createKerberosUser() {
+ return new KerberosPasswordUser(getPrincipal(), password);
+ }
+
+}
diff --git a/nifi-nar-bundles/nifi-standard-services/nifi-kerberos-user-service-bundle/nifi-kerberos-user-service/src/main/java/org/apache/nifi/kerberos/KerberosTicketCacheUserService.java b/nifi-nar-bundles/nifi-standard-services/nifi-kerberos-user-service-bundle/nifi-kerberos-user-service/src/main/java/org/apache/nifi/kerberos/KerberosTicketCacheUserService.java
new file mode 100644
index 0000000..4fb241e
--- /dev/null
+++ b/nifi-nar-bundles/nifi-standard-services/nifi-kerberos-user-service-bundle/nifi-kerberos-user-service/src/main/java/org/apache/nifi/kerberos/KerberosTicketCacheUserService.java
@@ -0,0 +1,71 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.nifi.kerberos;
+
+import org.apache.nifi.annotation.behavior.Restricted;
+import org.apache.nifi.annotation.behavior.Restriction;
+import org.apache.nifi.annotation.documentation.CapabilityDescription;
+import org.apache.nifi.annotation.documentation.Tags;
+import org.apache.nifi.components.PropertyDescriptor;
+import org.apache.nifi.components.RequiredPermission;
+import org.apache.nifi.components.resource.ResourceCardinality;
+import org.apache.nifi.components.resource.ResourceType;
+import org.apache.nifi.controller.ConfigurationContext;
+import org.apache.nifi.expression.ExpressionLanguageScope;
+import org.apache.nifi.security.krb.KerberosTicketCacheUser;
+import org.apache.nifi.security.krb.KerberosUser;
+
+import java.util.Collections;
+import java.util.List;
+
+@CapabilityDescription("Provides a mechanism for creating a KerberosUser from a principal and ticket cache that other components " +
+ "are able to use in order to perform authentication using Kerberos. By encapsulating this information into a Controller Service " +
+ "and allowing other components to make use of it an administrator is able to choose which users are allowed to use which ticket " +
+ "caches and principals. This provides a more robust security model for multi-tenant use cases.")
+@Tags({"Kerberos", "Ticket", "Cache", "Principal", "Credentials", "Authentication", "Security"})
+@Restricted(restrictions = {
+ @Restriction(requiredPermission = RequiredPermission.ACCESS_TICKET_CACHE,
+ explanation = "Allows user to define a ticket cache and principal that can then be used by other components.")
+})
+public class KerberosTicketCacheUserService extends AbstractKerberosUserService implements SelfContainedKerberosUserService {
+
+ static final PropertyDescriptor TICKET_CACHE_FILE = new PropertyDescriptor.Builder()
+ .name("Kerberos Ticket Cache File")
+ .description("Kerberos ticket cache associated with the principal.")
+ .identifiesExternalResource(ResourceCardinality.SINGLE, ResourceType.FILE)
+ .expressionLanguageSupported(ExpressionLanguageScope.VARIABLE_REGISTRY)
+ .required(true)
+ .build();
+
+ private volatile String ticketCacheFile;
+
+ @Override
+ protected List<PropertyDescriptor> getAdditionalProperties() {
+ return Collections.singletonList(TICKET_CACHE_FILE);
+ }
+
+ @Override
+ protected void setAdditionalConfiguredValues(final ConfigurationContext context) {
+ this.ticketCacheFile = context.getProperty(TICKET_CACHE_FILE).evaluateAttributeExpressions().getValue();
+ }
+
+ @Override
+ public KerberosUser createKerberosUser() {
+ return new KerberosTicketCacheUser(getPrincipal(), ticketCacheFile);
+ }
+
+}
diff --git a/nifi-nar-bundles/nifi-standard-services/nifi-kerberos-user-service-bundle/nifi-kerberos-user-service/src/main/resources/META-INF/services/org.apache.nifi.controller.ControllerService b/nifi-nar-bundles/nifi-standard-services/nifi-kerberos-user-service-bundle/nifi-kerberos-user-service/src/main/resources/META-INF/services/org.apache.nifi.controller.ControllerService
new file mode 100644
index 0000000..9fdfde7
--- /dev/null
+++ b/nifi-nar-bundles/nifi-standard-services/nifi-kerberos-user-service-bundle/nifi-kerberos-user-service/src/main/resources/META-INF/services/org.apache.nifi.controller.ControllerService
@@ -0,0 +1,17 @@
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+org.apache.nifi.kerberos.KerberosKeytabUserService
+org.apache.nifi.kerberos.KerberosPasswordUserService
+org.apache.nifi.kerberos.KerberosTicketCacheUserService
diff --git a/nifi-nar-bundles/nifi-standard-services/nifi-kerberos-user-service-bundle/pom.xml b/nifi-nar-bundles/nifi-standard-services/nifi-kerberos-user-service-bundle/pom.xml
new file mode 100644
index 0000000..7ae290d
--- /dev/null
+++ b/nifi-nar-bundles/nifi-standard-services/nifi-kerberos-user-service-bundle/pom.xml
@@ -0,0 +1,28 @@
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
+ <!--
+ Licensed to the Apache Software Foundation (ASF) under one or more
+ contributor license agreements. See the NOTICE file distributed with
+ this work for additional information regarding copyright ownership.
+ The ASF licenses this file to You under the Apache License, Version 2.0
+ (the "License"); you may not use this file except in compliance with
+ the License. You may obtain a copy of the License at
+ http://www.apache.org/licenses/LICENSE-2.0
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+ -->
+ <modelVersion>4.0.0</modelVersion>
+ <parent>
+ <groupId>org.apache.nifi</groupId>
+ <artifactId>nifi-standard-services</artifactId>
+ <version>1.15.0-SNAPSHOT</version>
+ </parent>
+ <artifactId>nifi-kerberos-user-service-bundle</artifactId>
+ <packaging>pom</packaging>
+ <modules>
+ <module>nifi-kerberos-user-service</module>
+ <module>nifi-kerberos-user-service-nar</module>
+ </modules>
+</project>
diff --git a/nifi-nar-bundles/nifi-standard-services/nifi-standard-services-api-nar/pom.xml b/nifi-nar-bundles/nifi-standard-services/nifi-standard-services-api-nar/pom.xml
index 403a578..77ebc4b 100644
--- a/nifi-nar-bundles/nifi-standard-services/nifi-standard-services-api-nar/pom.xml
+++ b/nifi-nar-bundles/nifi-standard-services/nifi-standard-services-api-nar/pom.xml
@@ -108,6 +108,16 @@
</dependency>
<dependency>
<groupId>org.apache.nifi</groupId>
+ <artifactId>nifi-kerberos-user-service-api</artifactId>
+ <scope>compile</scope>
+ </dependency>
+ <dependency>
+ <groupId>org.apache.nifi</groupId>
+ <artifactId>nifi-security-kerberos-api</artifactId>
+ <scope>compile</scope>
+ </dependency>
+ <dependency>
+ <groupId>org.apache.nifi</groupId>
<artifactId>nifi-proxy-configuration-api</artifactId>
<scope>compile</scope>
</dependency>
diff --git a/nifi-nar-bundles/nifi-standard-services/pom.xml b/nifi-nar-bundles/nifi-standard-services/pom.xml
index ebc026e..f783d2c 100644
--- a/nifi-nar-bundles/nifi-standard-services/pom.xml
+++ b/nifi-nar-bundles/nifi-standard-services/pom.xml
@@ -52,5 +52,7 @@
<module>nifi-record-sink-api</module>
<module>nifi-record-sink-service-bundle</module>
<module>nifi-hadoop-dbcp-service-bundle</module>
+ <module>nifi-kerberos-user-service-api</module>
+ <module>nifi-kerberos-user-service-bundle</module>
</modules>
</project>
diff --git a/nifi-nar-bundles/pom.xml b/nifi-nar-bundles/pom.xml
index ae5fc67..f1be696 100755
--- a/nifi-nar-bundles/pom.xml
+++ b/nifi-nar-bundles/pom.xml
@@ -234,6 +234,18 @@
</dependency>
<dependency>
<groupId>org.apache.nifi</groupId>
+ <artifactId>nifi-kerberos-user-service-api</artifactId>
+ <version>1.15.0-SNAPSHOT</version>
+ <scope>provided</scope>
+ </dependency>
+ <dependency>
+ <groupId>org.apache.nifi</groupId>
+ <artifactId>nifi-security-kerberos-api</artifactId>
+ <version>1.15.0-SNAPSHOT</version>
+ <scope>provided</scope>
+ </dependency>
+ <dependency>
+ <groupId>org.apache.nifi</groupId>
<artifactId>nifi-mongodb-client-service-api</artifactId>
<version>1.15.0-SNAPSHOT</version>
<scope>provided</scope>