nifi processor connection to schema registry with kerberos

New Contributor

When attempting to access a schema registry with Kerberos authentication enabled, the NiFi processors fail. How can NiFi be configured to access the Schema Registry with Kerberos enabled?

2018-08-17 10:53:03,255 ERROR [Timer-Driven Process Thread-3] c.h.n.r.UpdateAttributeWithSchemaViaSchemaRegistry UpdateAttributeWithSchemaViaSchemaRegistry[id=01591000-c204-13a9-a39f-cc675087c6cf] Failed FlowFile processing, routing to failure. Issue: HTTP 401 Authentication required: javax.ws.rs.NotAuthorizedException: HTTP 401 Authentication required
javax.ws.rs.NotAuthorizedException: HTTP 401 Authentication required
    at org.glassfish.jersey.client.JerseyInvocation.convertToException(JerseyInvocation.java:1002)
    at org.glassfish.jersey.client.JerseyInvocation.translate(JerseyInvocation.java:816)
    at org.glassfish.jersey.client.JerseyInvocation.access$700(JerseyInvocation.java:92)
    at org.glassfish.jersey.client.JerseyInvocation$2.call(JerseyInvocation.java:700)
    at org.glassfish.jersey.internal.Errors.process(Errors.java:315)
    at org.glassfish.jersey.internal.Errors.process(Errors.java:297)
    at org.glassfish.jersey.internal.Errors.process(Errors.java:228)
    at org.glassfish.jersey.process.internal.RequestScope.runInScope(RequestScope.java:444)
    at org.glassfish.jersey.client.JerseyInvocation.invoke(JerseyInvocation.java:696)
    at org.glassfish.jersey.client.JerseyInvocation$Builder.method(JerseyInvocation.java:420)
    at org.glassfish.jersey.client.JerseyInvocation$Builder.get(JerseyInvocation.java:316)
    at com.hortonworks.registries.schemaregistry.client.SchemaRegistryClient.getEntity(SchemaRegistryClient.java:557)
    at com.hortonworks.registries.schemaregistry.client.SchemaRegistryClient.getLatestSchemaVersionInfo(SchemaRegistryClient.java:362)
    at com.hortonworks.nifi.registry.SchemaRegistryService.retrieveSchema(SchemaRegistryService.java:156)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at org.apache.nifi.controller.service.StandardControllerServiceInvocationHandler.invoke(StandardControllerServiceInvocationHandler.java:89)
    at com.sun.proxy.$Proxy176.retrieveSchema(Unknown Source)
    at com.hortonworks.nifi.registry.RegistryCommon.retrieveSchemaViaDelegate(RegistryCommon.java:122)
    at com.hortonworks.nifi.registry.BaseTransformerViaSchemaRegistry.transform(BaseTransformerViaSchemaRegistry.java:91)
    at com.hortonworks.nifi.core.BaseTransformer$1.process(BaseTransformer.java:104)
    at org.apache.nifi.controller.repository.StandardProcessSession.read(StandardProcessSession.java:2175)
    at org.apache.nifi.controller.repository.StandardProcessSession.read(StandardProcessSession.java:2145)
    at com.hortonworks.nifi.core.BaseTransformer.doTransform(BaseTransformer.java:101)
    at com.hortonworks.nifi.core.BaseTransformer.onTrigger(BaseTransformer.java:75)
    at org.apache.nifi.processor.AbstractProcessor.onTrigger(AbstractProcessor.java:27)
    at org.apache.nifi.controller.StandardProcessorNode.onTrigger(StandardProcessorNode.java:1124)
    at org.apache.nifi.controller.tasks.ContinuallyRunProcessorTask.call(ContinuallyRunProcessorTask.java:147)
    at org.apache.nifi.controller.tasks.ContinuallyRunProcessorTask.call(ContinuallyRunProcessorTask.java:47)
    at org.apache.nifi.controller.scheduling.TimerDrivenSchedulingAgent$1.run(TimerDrivenSchedulingAgent.java:128)
    at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
    at java.util.concurrent.FutureTask.runAndReset(FutureTask.java:308)
    at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$301(ScheduledThreadPoolExecutor.java:180)
    at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:294)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
    at java.lang.Thread.run(Thread.java:748)

2 REPLIES

Super Mentor
@Dan Caulfield

Have you added the following property in your browser config?
For example, in the case of Firefox, please try this:

1. Open Firefox and type "about:config" in the address bar (press Enter).
2. Add the following properties to make sure that your NiFi Registry URL is trusted (please make sure to add the correct hostname in the properties below):

network.negotiate-auth.delegation-uris=test.example.com ,.test.example.com
network.negotiate-auth.trusted-uris=test.example.com ,.test.example.com

For other browsers you can find the instructions here: https://ping.force.com/Support/PingFederate/Integrations/How-to-configure-supported-browsers-for-Ker...
Also please refer to https://registry-project.readthedocs.io/en/latest/security.html#spnego

3. From the host where you are opening the browser to access NiFi Registry, you should be able to do "kinit" to get a valid Kerberos ticket, and then reopen the browser and access the registry.
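
Added example, not part of either post: a shell check that uses the "kinit" ticket from step 3 with `curl --negotiate` and classifies the response, to separate a host with no usable ticket from a client that never sends one (the HTTP 401 in the stack trace). The verdict names and the sample header are constructed for illustration; the URL is supplied by the caller.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): triage an HTTP 401 from a
# SPNEGO-protected endpoint such as the Schema Registry REST API.

# classify_spnego STATUS HEADERS -> prints one verdict word.
classify_spnego() {
    local status="$1" headers="$2" negotiate=no
    # Header names are case-insensitive; a server may offer several schemes.
    if printf '%s\n' "$headers" | tr -d '\r' |
        grep -i '^www-authenticate:' | grep -qiw 'negotiate'; then
        negotiate=yes
    fi
    case "$status" in
        2??) echo authenticated ;;
        401) if [ "$negotiate" = yes ]; then
                 echo token-missing-or-rejected   # no usable ticket was presented
             else
                 echo not-spnego                  # endpoint asks for another scheme
             fi ;;
        403) echo forbidden ;;                    # request understood, access denied
        *)   echo unexpected ;;
    esac
}

# probe_spnego URL: needs a ticket cache (kinit) and a curl built with GSS-API.
probe_spnego() {
    local url="$1" headers status
    if ! klist -s 2>/dev/null; then
        echo no-ticket
        return 1
    fi
    # "--negotiate -u :" makes curl authenticate with the current ticket cache.
    headers=$(curl -s -o /dev/null -D - --negotiate -u : "$url") || {
        echo unreachable
        return 1
    }
    # curl may record several responses; the last status line is the outcome.
    status=$(printf '%s\n' "$headers" | tr -d '\r' |
        awk '/^HTTP\// { code = $2 } END { print code }')
    classify_spnego "$status" "$headers"
}

# Constructed sample: what a SPNEGO server returns when no token arrived.
SAMPLE_401='HTTP/1.1 401 Authentication required
WWW-Authenticate: Negotiate'

if [ "$#" -eq 1 ]; then
    probe_spnego "$1"                   # URL of the endpoint to test
else
    classify_spnego 401 "$SAMPLE_401"   # offline demo on the sample
fi
```

If the probe reports `authenticated` from the NiFi host under the NiFi service account while the processor still gets 401, Kerberos on the host is working and the processor's HTTP client is not presenting a ticket.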

New Contributor

@Jay Kumar SenSharma

Thanks Jay, I guess I wasn't clear. I'm not having an issue with connecting from a browser. My issue is getting a NiFi processor to connect to the schema registry when it has Kerberos enabled. The trucking demo includes processors that attach to the registry, but they don't include configuration properties similar to the PublishKafka processor that are used to find the JAAS, principal, etc. The registry controller services also don't include anything that would support processor calls to the registry. I'm trying to figure out if I'm missing something in the property option, controller services or NiFi configuration that would allow a NiFi processor to interact with the registry; otherwise it looks like the only option is to modify the existing processor to include properties to support Kerberos processors.


@Jay Kumar SenSharma

Thanks Jay, but your answer doesn't address the question. I'm working with the trucking demo in a Kerberos-protected cluster. The demo includes processors that interact with the schema registry. The included processors fail with a 401 Authentication error. I'm trying to figure out what changes I have to make to allow a processor to attach to the schema registry. Changing browser settings does not help a NiFi processor connect. Since the included processors and registry services don't have settings for JAAS, Principal, etc. similar to the PublishKafka processor, do I need to change something in the NiFi configuration that will allow NiFi to send a Kerberos ticket to the schema registry? Do I need to open the processor source code and add/enable code to pass the ticket? How do I get that modified code to have configuration options within NiFi?
