Cloudera Community

Support Questions

Find answers, ask questions, and share your expertise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Advanced Search
Announcements
Celebrating as our community reaches 100,000 members! Thank you!

Access SQL Server via Nifi using Windows Authentication

Labels:
avatar
author-rank wsalazar
Rising Star

Created ‎11-07-2017 05:13 PM

I am looking to confirm methods for connecting to MS SQL Server without using SQL authentication. The two options I am aware of are Windows authentication and Kerberos authentication. It is also desired that the creditials of the logged in user or the service that Nifi's JVM is running under be supplied without a password needing to be supplied.

I am looking for someone who might have ran into this before as this is difficult to test. The difficulty lies in the number of components hat must be configured. Nifi, AD, MS SQL Server, Windows, Kerberos etc

Per the Microsoft documentation here https://docs.microsoft.com/en-us/sql/connect/jdbc/building-the-connection-url#Connectingintegrated

Windows authentication is made possible by adding the sqljdbc_auth.dll file to the host running Nifi. If this file is added to a directory outside the normal classpath of Nifi then the class path can be specified by updating the JVM property Djava.library.path The JDBC URL string for Windows authentication is jdbc:sqlserver://localhost:1433;databaseName=AdventureWorks;integratedSecurity=true; Where integratedSecurity=true; is the flag for using Windows authentication. In this case the credentials of the logged in user or service would automatically be provided without a prompt for a password. Which is highlighted here https://docs.microsoft.com/en-us/sql/connect/jdbc/setting-the-connection-properties under the details of the integratedSecurity flag

Can anyone confirm this works with Nifi? Are there any limitations other than the requirement for a Windows host?

Using Kerberos and the MSSQL JDBC Driver is documented here: https://docs.microsoft.com/en-us/sql/connect/jdbc/using-kerberos-integrated-authentication-to-connec...

What is not clear here is how the password for the Kerberos principal would be obtained as it is included in all the examples I have seen. e.g. jdbc:sqlserver://servername=server_name;integratedSecurity=true;authenticationScheme=JavaKerberos;userName=user@REALM;password=****

Can anyone confirm this works with Nifi? Is this functionality limited to a Windows host? It seems that this could also work from a xUnix host if I properly configure the Kerberos client on that machine.

Any input here is appreciated, thanks!

5,594 Views
3 REPLIES 3

avatar
author-rank daniel_ahn
Explorer

Created ‎10-19-2018 02:42 PM

@wsalazar

I ran into the same issue and I had to set up two more kerberos configuration files (krb5.ini and jaas.conf) and point Nifi to this. My HDF/Nifi is running on Linux host. Login credentials can be specified from controller's username and password value.

krb5.ini

[libdefaults] default_realm = YYYY.CORP.CONTOSO.COM dns_lookup_realm = false dns_lookup_kdc = true 
[domain_realm] .yyyy.corp.contoso.com = YYYY.CORP.CONTOSO.COM 
[realms] YYYY.CORP.CONTOSO.COM = { kdc = YYYY.CORP.CONTOSO.COM admin_server = YYYY.CORP.CONTOSO.COM master_kdc = YYYY.CORP.CONTOSO.COM default_domain= YYYY.CORP.CONTOSO.COM }

jaas.conf

SQLJDBCDriver {      
com.sun.security.auth.module.Krb5LoginModule required doNotPrompt=false
useTicketCache=false;   
};

Please see https://medium.com/@danielyahn/nifi-ms-sql-integrated-security-9efc184872db for more detail

4,469 Views
0 Kudos

avatar
author-rank louis_allen
Explorer

Created ‎11-14-2018 04:40 PM

Hi Daniel — I’m currently going through the same setup but it doesn’t seem to be working for me. I’ve done everything you’ve mentioned apart from add the username and password into the username/password boxes but NiFi is complaining that it cannot find a user… If I add a user into the box it complains that it cannot find a password.

The reason I do not want to add a username and password is because my understanding was that by using Kerberos you could instead just tickets/keytabs to authenticate on the underlying OS… Am I wrong?

4,469 Views
0 Kudos

avatar
author-rank DennisJaheruddi author-rank
Guru

Created ‎01-15-2019 10:44 AM

@Louis Allen

Just to confirm: Is the server where SQL runs kerberized, and have you set up a relaton of trust?


- Dennis Jaheruddin

If this answer helped, please mark it as 'solved' and/or if it is valuable for future readers please apply 'kudos'.
4,469 Views
0 Kudos
Announcements
Product Announcements
[ANNOUNCE] Cloudera on Public Cloud Runtime 7.2.18 is GA!
What's New @ Cloudera
Cloudera Operational Database (COD) supports enhancements to...
Community Announcements
March 2024 Community Highlights
Community Announcements
Celebrating 100,000 Members: A Journey of Growth and Connect...
Product Announcements
[ANNOUNCE] New Cloudera JDBC Connector for Apache Hive 2.6.2...
View More Announcements