Support Questions

Find answers, ask questions, and share your expertise
Check out our newest addition to the community, the Cloudera Data Analytics (CDA) group hub.

nifi processor connection to schema registry with kerberos

New Contributor

when attempt to access a schema registry with kerberos authentication enabled the Nifi processors fail. How can nifi be configured to access the Schema registry with Kerberos enabled?

2018-08-17 10:53:03,255 ERROR [Timer-Driven Process Thread-3] c.h.n.r.UpdateAttributeWithSchemaViaSchemaRegistry UpdateAttributeWithSchemaViaSchemaRegistry[id=01591000-c204-13a9-a39f-cc675087c6cf] Failed FlowFile processing, routing to failure. Issue: HTTP 401 Authentication required: HTTP 401 Authentication required HTTP 401 Authentication required at org.glassfish.jersey.client.JerseyInvocation.convertToException( at org.glassfish.jersey.client.JerseyInvocation.translate( at org.glassfish.jersey.client.JerseyInvocation.access$700( at org.glassfish.jersey.client.JerseyInvocation$ at org.glassfish.jersey.internal.Errors.process( at org.glassfish.jersey.internal.Errors.process( at org.glassfish.jersey.internal.Errors.process( at org.glassfish.jersey.process.internal.RequestScope.runInScope( at org.glassfish.jersey.client.JerseyInvocation.invoke( at org.glassfish.jersey.client.JerseyInvocation$Builder.method( at org.glassfish.jersey.client.JerseyInvocation$Builder.get( at com.hortonworks.registries.schemaregistry.client.SchemaRegistryClient.getEntity( at com.hortonworks.registries.schemaregistry.client.SchemaRegistryClient.getLatestSchemaVersionInfo( at com.hortonworks.nifi.registry.SchemaRegistryService.retrieveSchema( at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke( at sun.reflect.DelegatingMethodAccessorImpl.invoke( at java.lang.reflect.Method.invoke( at org.apache.nifi.controller.service.StandardControllerServiceInvocationHandler.invoke(

at com.sun.proxy.$Proxy176.retrieveSchema(Unknown Source) at com.hortonworks.nifi.registry.RegistryCommon.retrieveSchemaViaDelegate( at com.hortonworks.nifi.registry.BaseTransformerViaSchemaRegistry.transform( at com.hortonworks.nifi.core.BaseTransformer$1.process( at at at com.hortonworks.nifi.core.BaseTransformer.doTransform( at com.hortonworks.nifi.core.BaseTransformer.onTrigger( at org.apache.nifi.processor.AbstractProcessor.onTrigger( at org.apache.nifi.controller.StandardProcessorNode.onTrigger( at at at org.apache.nifi.controller.scheduling.TimerDrivenSchedulingAgent$ at java.util.concurrent.Executors$ at java.util.concurrent.FutureTask.runAndReset( at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$301( at java.util.concurrent.ScheduledThreadPoolExecutor$ at java.util.concurrent.ThreadPoolExecutor.runWorker( at java.util.concurrent.ThreadPoolExecutor$ at


Super Mentor
@Dan Caulfield

Have you added the following property in your Browser config?
For example in case of Firefox please try this:

1. Open Firefox and type the "about:config" in the address bar (press enter)
2. Add the following properties to make sure that your NiFi Registry url is trusted (Please make sure to add the correct hostname in the below properties) , ,

For other browsers you can find the instructions here:
Also please refer to

3. From the host where you are opening the browser to access NiFI Registry you should be able to do "kinit" to get a valid kerberos ticket and then reopen the browser and access the registry.

New Contributor

@Jay Kumar SenSharma

Thanks Jay, I guess I wasn't clear. I'm not having an issue with connecting from a browser. My issue is getting a nifi processor to connect to the schema registry when it has kerberos enabled. The trucking demo includes processors that attach to the registry, but the don't include configuration properties similar to the publishKafka processor that is used to find the jaas, principal, etc. The registry controller services also don't include anything that would support processor calls to the registry. I'm trying to figure out if I'm missing something in the property option, controller services or nifi configuration that would allow a nifi processor to interact with the registry, otherwise it looks like the only option is to modify the existing processor to include properties to support kerberos processors.


@Jay Kumar SenSharma

Thanks Jay, but your answer doesn't address the question. I'm working with the trucking demo in a kerberos protected cluster. The demo includes processors that interact with the schema registry. The included processors fail with a 401 Authentication error. I'm trying to figure out what changes I have to make to allow a processor to attach to the schema registry. Changing browser settings does not help a Nifi processor connect. Since the included processors and registry services don't have setting for JAAS,Principal, etc similar to the publishkafka processor, do I need to change something in the Nifi configuration that will allow nifi to send a kerberos ticket to the schema registry? Do I need to open the processor source code and add/enable code to past the ticket? How do I get that modified code to have configuration options within nifi?

Take a Tour of the Community
Don't have an account?
Your experience may be limited. Sign in to explore more.