Kerberos - Ticket Cache and JAAS config


Kerberos - Ticket Cache and JAAS config

Jason Iannone
Hi all,

We will have multiple processors which will be integrating with various sources and sinks (i.e. Kafka, HDFS, RDBMS) that will all have differing credentials and tickets (same cache location). At this point keytabs are not an option as the ticket/credential cache is more secure due to more frequent expiration and rotation.

From what I understand, I would need to use a JAAS configuration for this and pass it in as a JVM argument to NiFi during startup. What I don't understand is how I can go about doing this. Is it possible to have multiple entries in a file such as this, and if so, how would I specify them in the corresponding processor?

KafkaClientA {
...params go here
};

HDFSClientA {
...params go here
};

RDBMSClientA {
...params go here
};

Thanks,
Jason

Re: Kerberos - Ticket Cache and JAAS config

Darren Govoni
I would use some kind of SSO type proxy service and have your Nifi processors request an authorization from that whereby the proxy service performs the authentication to the backend service you are protecting and only returns to Nifi the needed token to interact with it.

Probably for this approach you'll need a single JAAS implementation to the proxy and the token payloads can be any underlying implementation that the remote service requires.

Not sure offhand which SSO proxy might just drop into your scenario, but a custom JAAS impl will probably be needed in NiFi regardless.

What you don't want Nifi to do is juggle and manage white box awareness of all these different remote services. Rather just request authorization and pass session tokens onward.

As they say, though, the devil is in the details.

Darren

Sent from my Verizon, Samsung Galaxy smartphone


Re: Kerberos - Ticket Cache and JAAS config

Bryan Bende
Hello,

Using the JAAS config file is not great for multi-tenancy; many client libraries have hard-coded rules that assume there is only one client entry of the given type, like "KafkaClient", meaning you can't have multiple Kafka clients using different entries from the JAAS config.

This is the reason many processors allow directly specifying a principal + keytab, or a principal + password where keytabs are not preferred. The processors will then do an in-memory JAAS config and login behind the scenes.

Thanks,

Bryan



On Tue, Jun 16, 2020 at 2:43 PM Darren Govoni <[hidden email]> wrote:
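As an added illustration of the two approaches discussed in this thread (Jason's file-based JAAS entries with a ticket cache, and Bryan's "in-memory JAAS config and login behind the scenes"), the following Java example is not NiFi's own code and is not taken from any post above. It builds one `javax.security.auth.login.Configuration` per logical client from plain strings, so the entry name is private to that login and never collides with the fixed names (such as "KafkaClient") that some libraries look up in the global file. The principals, cache paths and entry names are constructed placeholders.

```java
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

/**
 * In-memory JAAS configuration: one Krb5LoginModule entry per logical client,
 * built from per-processor settings instead of a shared file passed via
 * -Djava.security.auth.login.config. Example code, not NiFi's implementation.
 */
public final class PerClientKerberosLogin {

    private static final String KRB5_LOGIN_MODULE =
            "com.sun.security.auth.module.Krb5LoginModule";

    /** Options for a login that reads an existing TGT from a credential cache. */
    static Map<String, String> ticketCacheOptions(String principal, String ticketCachePath) {
        Map<String, String> opts = new HashMap<>();
        opts.put("useTicketCache", "true");
        opts.put("renewTGT", "true");
        opts.put("doNotPrompt", "true");   // never fall back to an interactive password prompt
        opts.put("principal", principal);  // must match the TGT held in the cache
        if (ticketCachePath != null) {
            opts.put("ticketCache", ticketCachePath); // explicit cache file per client
        }
        return opts;
    }

    /** Options for a keytab-based login, for processors where keytabs are acceptable. */
    static Map<String, String> keytabOptions(String principal, String keytabPath) {
        Map<String, String> opts = new HashMap<>();
        opts.put("useKeyTab", "true");
        opts.put("storeKey", "true");
        opts.put("doNotPrompt", "true");
        opts.put("principal", principal);
        opts.put("keyTab", keytabPath);
        return opts;
    }

    /** A Configuration that knows exactly one named entry, so two clients can never collide. */
    static Configuration singleEntryConfig(String entryName, Map<String, String> options) {
        AppConfigurationEntry entry = new AppConfigurationEntry(
                KRB5_LOGIN_MODULE,
                AppConfigurationEntry.LoginModuleControlFlag.REQUIRED,
                new HashMap<>(options));
        return new Configuration() {
            @Override
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                return entryName.equals(name) ? new AppConfigurationEntry[] { entry } : null;
            }
        };
    }

    /** Log in with the private config; the returned Subject carries only this client's credentials. */
    static Subject login(String entryName, Map<String, String> options) throws LoginException {
        LoginContext lc = new LoginContext(
                entryName, new Subject(), null, singleEntryConfig(entryName, options));
        lc.login();
        return lc.getSubject();
    }

    public static void main(String[] args) throws LoginException {
        // Constructed values: substitute the principal and cache each processor is configured with.
        Subject kafkaSubject = login("KafkaClientA",
                ticketCacheOptions("nifi-kafka@EXAMPLE.COM", "/tmp/krb5cc_kafka"));
        Subject hdfsSubject = login("HDFSClientA",
                ticketCacheOptions("nifi-hdfs@EXAMPLE.COM", "/tmp/krb5cc_hdfs"));
        System.out.println("Kafka principals: " + kafkaSubject.getPrincipals());
        System.out.println("HDFS principals:  " + hdfsSubject.getPrincipals());
    }
}
```

Each `Subject` can then be handed to the client library via `Subject.doAs` or an equivalent API. Two caveats follow directly from the thread: the `ticketCache` option is what lets two entries read different cache files, so if every service shares one cache location the `principal` in that file is the only one a login can pick up; and a library that internally calls `Configuration.getConfiguration()` with its own fixed entry name (the "KafkaClient" case Bryan describes) still reads the global JAAS file and ignores this private configuration unless the library exposes a way to supply the Subject or config itself.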