Created 03-12-2017 04:25 PM
Hi,
From my understanding, enabling SSL in NiFi and connecting to LDAP is enough for security. What's the advantage of HDF Kerberisation ? is it only for Kafka and Storm ?
Can I have a non-Kerberised HDF cluster talking with a Kerberised HDF cluster
Thanks
Created 03-13-2017 01:03 PM
Hi Joe,
Please refer following useful links for answer.
What's the advantage of HDF Kerberisation ?
is it only for Kafka and Storm ?
https://hortonworks.com/blog/enabling-kerberos-hdp-active-directory-integration/
https://hortonworks.com/blog/office-hours-qa-on-yarn-in-hadoop-2/
Hope this will be useful.
Created 03-13-2017 01:27 PM
My questions are for HDF not HDP
Created 03-13-2017 02:42 PM
NiFi as an application provides multiple supported methods of user authentication. (User certs, Spenego, LDAP, etc...) NiFi server authentication within NiFi is always done via SSL.
Enabling Kerberos in HDF will change your NiFi to use kerberos for authentication. If you prefer to use LDAP that is fine and there is no need to enable Kerberos on NiFi.
NiFi can communicate with other kerberized and non-kerberized service/applications. The method NiFi is configured to use for user authentication has no role in that communication. Various processor support different end-point applications using kerberos differently (some require on configurations in processors, others require some added properties in the nifi.properties file, other require a jaas file, etc..). The reason these are all implemented differently is because each of the end-point applications client libraries which NiFi includes and are different in how they implement kerberos support.
Bottom line, having two HDF clusters communicate with one another from a NiFi standpoint has no bearing on kerberos since server to server authentication in NiFi always uses SSL certificates for mutual authentication.
Thanks,
Matt