Kerberos Spnego UserName/Password


https://community.hortonworks.com/articles/54275/apache-nifi-100-kerberos-authentication.html

I am trying to make Kerberos work with SPNEGO following the steps from the above link; everything works except the SPNEGO part.

The UI always presents the login page. How can I avoid the login page (I don't want to provide a username/password)? I tried this numerous times with Firefox and other browsers as well.

(What I have observed is: if you log in using username/password the first time, and then clear the browser cache and launch NiFi, it will not show the login page until you do kinit again; once you do kinit, it will present the login screen again the next time you launch NiFi.)

  1. docker-machine create --driver virtualbox boot2docker
  2. eval "$(docker-machine env boot2docker)"
  3. ./kdc stop
  4. ./kdc clean
  5. ./kdc build
  6. ./kdc start

./kdc test

  1. $(./kdc shellinit)
  2. kinit samar@NIFI.APACHE.ORG

Open /Applications/Firefox.app from the terminal.

My principals in kdc.json:

{
  "principals": [
    {
      "id": "samar@NIFI.APACHE.ORG",
      "password": "samar"
    },
    {
      "id": "HTTP/localhost@NIFI.APACHE.ORG",
      "password": "http"
    }
  ],
  "domain": "localhost",
  "realm": "NIFI.APACHE.ORG",
  "ip": "127.0.0.1",
  "port": 48088
}


Firefox Negotiate settings

network.negotiate-auth.delegation-uris : https://localhost:9443
network.negotiate-auth.trusted-uris : https://localhost:9443


nifi.properties changes

nifi.remote.input.secure=true
nifi.web.https.host=localhost
nifi.web.https.port=9443
nifi.remote.input.secure=true
nifi.security.user.login.identity.provider=kerberos-provider
nifi.kerberos.krb5.file=/Users/samar/Downloads/docker-kdc/krb5.conf
nifi.kerberos.spnego.principal=HTTP/localhost@NIFI.APACHE.ORG
nifi.kerberos.spnego.keytab.location=/Users/samar/Downloads/docker-kdc/krb5.keytab
nifi.kerberos.spnego.authentication.expiration=12 hours


Uncomment the properties below:

nifi.security.identity.mapping.pattern.dn=^CN=(.*?), OU=(.*?), O=(.*?), L=(.*?), ST=(.*?), C=(.*?)$
nifi.security.identity.mapping.value.dn=$1@$2
nifi.security.identity.mapping.transform.dn=NONE
nifi.security.identity.mapping.pattern.kerb=^(.*?)/instance@(.*?)$
nifi.security.identity.mapping.value.kerb=$1@$2



login-identity-providers.xml changes

<provider>
        <identifier>kerberos-provider</identifier>
        <class>org.apache.nifi.kerberos.KerberosProvider</class>
        <property name="Default Realm">NIFI.APACHE.ORG</property>
        <property name="Authentication Expiration">12 hours</property>
</provider>



authorizers.xml changes

<authorizer>
        <identifier>file-provider</identifier>
        <class>org.apache.nifi.authorization.FileAuthorizer</class>
        <property name="Authorizations File">./conf/authorizations.xml</property>
        <property name="Users File">./conf/users.xml</property>
        <property name="Initial Admin Identity">samar@NIFI.APACHE.ORG</property>
        <property name="Legacy Authorized Users File"></property>
        <property name="Node Identity 1"></property>
</authorizer>


Am I missing something here? Let me know how to avoid providing a username/password.
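
An added example, not part of the original post and not NiFi code: a Python check that the SPNEGO-related values quoted in the post agree with each other, since a browser requests a service ticket for HTTP/<host in the URL> and Firefox only sends a Negotiate token to sites covered by network.negotiate-auth.trusted-uris. The function names are hypothetical, and the trusted-uris matching is a simplified approximation of Firefox's rules.

```python
from urllib.parse import urlsplit

# Values copied from the post above (nifi.properties excerpt and Firefox prefs).
NIFI_PROPERTIES = """\
nifi.web.https.host=localhost
nifi.web.https.port=9443
nifi.kerberos.spnego.principal=HTTP/localhost@NIFI.APACHE.ORG
"""
FIREFOX_TRUSTED_URIS = "https://localhost:9443"
DEFAULT_REALM = "NIFI.APACHE.ORG"  # "Default Realm" in login-identity-providers.xml


def parse_properties(text):
    """Parse key=value lines, skipping blanks and # comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props


def spnego_findings(props, trusted_uris, default_realm):
    """List mismatches between the URL host, the SPNEGO principal and the browser prefs."""
    findings = []
    host = props.get("nifi.web.https.host", "").lower()
    port = props.get("nifi.web.https.port", "")
    service, _, rest = props.get("nifi.kerberos.spnego.principal", "").partition("/")
    spn_host, _, realm = rest.partition("@")
    if service != "HTTP" or not spn_host or not realm:
        findings.append("principal is not of the form HTTP/<host>@<REALM>")
    if spn_host.lower() != host:
        findings.append(f"principal host {spn_host!r} != https host {host!r}")
    if realm != default_realm:
        findings.append(f"principal realm {realm!r} != Default Realm {default_realm!r}")
    covered = False
    for entry in filter(None, (e.strip().lower() for e in trusted_uris.split(","))):
        if "://" in entry:  # URL-style entry: scheme, host and port must all match
            u = urlsplit(entry)
            covered |= (u.scheme, u.hostname, str(u.port or 443)) == ("https", host, port)
        else:  # bare domain entry: exact host or a parent domain of it
            covered |= host == entry or host.endswith("." + entry.lstrip("."))
    if not covered:
        findings.append(f"trusted-uris does not cover https://{host}:{port}")
    return findings


if __name__ == "__main__":
    print(spnego_findings(parse_properties(NIFI_PROPERTIES), FIREFOX_TRUSTED_URIS, DEFAULT_REALM) or "consistent")
```

An empty result means only that these values agree with each other; it does not examine the keytab, the ticket cache or the KDC.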