<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>question Multi-tenant NiFi writing to kerberized HDFS and Kafka in Support Questions</title>
    <link>https://community.cloudera.com/t5/Support-Questions/Multi-tenant-NiFi-writing-to-kerberized-HDFS-and-Kafka/m-p/122667#M85421</link>
    <description>&lt;P&gt;Apologies for asking two questions at once, but they're very closely related. I have a NiFi cluster configured with Kerberos and SSL that I would like to use with multiple tenants with strict policies in order to keep different groups from reading and/or altering each other's data. Each of the tenants needs to write to HDFS and/or Kafka (which are in turn both kerberized). &lt;/P&gt;&lt;P&gt;&lt;STRONG&gt;HDFS&lt;/STRONG&gt; &lt;/P&gt;&lt;P&gt;The PutHDFS processor allows me to specify a Kerberos principal and keytab, but that implies the Linux user running the NiFi process has to have read access to the keytab, which means any NiFi tenant could specify any keytab as long as they knew the path. Is there a way to keep those identities distinct and secure? &lt;/P&gt;&lt;P&gt;&lt;STRONG&gt;Kafka&lt;/STRONG&gt; &lt;/P&gt;&lt;P&gt;The PutKafka processors only allow referencing the Kerberos Service Name from a JAAS file that NiFi needs to know about at startup. That suggests to me that all tenants in NiFi would have to connect to Kafka as the same principal. Is there a way to do this that allows each tenant to have their own identity when talking to Kafka? &lt;/P&gt;&lt;P&gt;Thanks in advance for any tips!&lt;/P&gt;</description>
    <pubDate>Fri, 24 Feb 2017 04:05:04 GMT</pubDate>
    <dc:creator>oliver</dc:creator>
    <dc:date>2017-02-24T04:05:04Z</dc:date>
    <item>
      <title>Multi-tenant NiFi writing to kerberized HDFS and Kafka</title>
      <link>https://community.cloudera.com/t5/Support-Questions/Multi-tenant-NiFi-writing-to-kerberized-HDFS-and-Kafka/m-p/122667#M85421</link>
      <description>&lt;P&gt;Apologies for asking two questions at once, but they're very closely related. I have a NiFi cluster configured with Kerberos and SSL that I would like to use with multiple tenants with strict policies in order to keep different groups from reading and/or altering each other's data. Each of the tenants needs to write to HDFS and/or Kafka (which are in turn both kerberized). &lt;/P&gt;&lt;P&gt;&lt;STRONG&gt;HDFS&lt;/STRONG&gt; &lt;/P&gt;&lt;P&gt;The PutHDFS processor allows me to specify a Kerberos principal and keytab, but that implies the Linux user running the NiFi process has to have read access to the keytab, which means any NiFi tenant could specify any keytab as long as they knew the path. Is there a way to keep those identities distinct and secure? &lt;/P&gt;&lt;P&gt;&lt;STRONG&gt;Kafka&lt;/STRONG&gt; &lt;/P&gt;&lt;P&gt;The PutKafka processors only allow referencing the Kerberos Service Name from a JAAS file that NiFi needs to know about at startup. That suggests to me that all tenants in NiFi would have to connect to Kafka as the same principal. Is there a way to do this that allows each tenant to have their own identity when talking to Kafka? &lt;/P&gt;&lt;P&gt;Thanks in advance for any tips!&lt;/P&gt;</description>
      <pubDate>Fri, 24 Feb 2017 04:05:04 GMT</pubDate>
      <guid>https://community.cloudera.com/t5/Support-Questions/Multi-tenant-NiFi-writing-to-kerberized-HDFS-and-Kafka/m-p/122667#M85421</guid>
      <dc:creator>oliver</dc:creator>
      <dc:date>2017-02-24T04:05:04Z</dc:date>
    </item>
    <item>
      <title>Re: Multi-tenant NiFi writing to kerberized HDFS and Kafka</title>
      <link>https://community.cloudera.com/t5/Support-Questions/Multi-tenant-NiFi-writing-to-kerberized-HDFS-and-Kafka/m-p/122668#M85422</link>
      <description>&lt;P&gt;Hi &lt;A rel="user" href="https://community.cloudera.com/users/3051/oliver.html" nodeid="3051"&gt;@Oliver Meyn&lt;/A&gt;,&lt;/P&gt;&lt;P&gt;You are absolutely right on all points. Regarding HDFS, at the moment there is no option to keep the identities secure, but there are discussions going on to find a way to secure the keytabs.&lt;/P&gt;&lt;P&gt;Regarding Kafka, this is due to a limitation on Kafka's side (https://issues.apache.org/jira/browse/KAFKA-4259). This has been recently fixed and I'm sure the Kafka processors in NiFi will be updated in the future to allow a similar option as in other processors.&lt;/P&gt;&lt;P&gt;Hope this helps.&lt;/P&gt;</description>
      <pubDate>Fri, 24 Feb 2017 04:11:30 GMT</pubDate>
      <guid>https://community.cloudera.com/t5/Support-Questions/Multi-tenant-NiFi-writing-to-kerberized-HDFS-and-Kafka/m-p/122668#M85422</guid>
      <dc:creator>pvillard</dc:creator>
      <dc:date>2017-02-24T04:11:30Z</dc:date>
    </item>
    <item>
      <title>Re: Multi-tenant NiFi writing to kerberized HDFS and Kafka</title>
      <link>https://community.cloudera.com/t5/Support-Questions/Multi-tenant-NiFi-writing-to-kerberized-HDFS-and-Kafka/m-p/122669#M85423</link>
      <description>&lt;P&gt;Hi all, hi &lt;A rel="user" href="https://community.cloudera.com/users/5078/pvillard.html" nodeid="5078"&gt;@Pierre Villard&lt;/A&gt;,&lt;/P&gt;&lt;P&gt;I have the same question as Oliver last year. Do you know whether there is any improvement of the keytab accessibility in NiFi?&lt;/P&gt;&lt;P&gt;Thanks in advance&lt;/P&gt;&lt;P&gt;Arne&lt;/P&gt;</description>
      <pubDate>Tue, 13 Mar 2018 16:22:19 GMT</pubDate>
      <guid>https://community.cloudera.com/t5/Support-Questions/Multi-tenant-NiFi-writing-to-kerberized-HDFS-and-Kafka/m-p/122669#M85423</guid>
      <dc:creator>arne_kaiser</dc:creator>
      <dc:date>2018-03-13T16:22:19Z</dc:date>
    </item>
    <item>
      <title>Re: Multi-tenant NiFi writing to kerberized HDFS and Kafka</title>
      <link>https://community.cloudera.com/t5/Support-Questions/Multi-tenant-NiFi-writing-to-kerberized-HDFS-and-Kafka/m-p/122670#M85424</link>
      <description>&lt;P&gt;This seems to be the desired solution...&lt;/P&gt;&lt;P&gt;&lt;A href="https://bryanbende.com/development/2018/04/09/apache-nifi-secure-keytab-access" target="_blank"&gt;https://bryanbende.com/development/2018/04/09/apache-nifi-secure-keytab-access&lt;/A&gt;&lt;/P&gt;</description>
      <pubDate>Tue, 10 Apr 2018 13:51:26 GMT</pubDate>
      <guid>https://community.cloudera.com/t5/Support-Questions/Multi-tenant-NiFi-writing-to-kerberized-HDFS-and-Kafka/m-p/122670#M85424</guid>
      <dc:creator>arne_kaiser</dc:creator>
      <dc:date>2018-04-10T13:51:26Z</dc:date>
    </item>
  </channel>
</rss>

