Kerberos
Below is an example and description of configuring an Identity Provider that integrates with a Kerberos Key Distribution Center (KDC) to authenticate users.
<provider>
<identifier>kerberos-identity-provider</identifier>
<class>org.apache.nifi.registry.web.security.authentication.kerberos.KerberosIdentityProvider</class>
<property name="Default Realm">NIFI.APACHE.ORG</property>
<property name="Kerberos Config File">/etc/krb5.conf</property>
<property name="Authentication Expiration">12 hours</property>
</provider>With this configuration, username/password authentication can be enabled by referencing this provider in nifi-registry.properties.
nifi.registry.security.user.identity.provider=kerberos-identity-provider
|
Property Name |
Description |
|---|---|
|
|
The duration for which the user authentication is valid. If the user never logs out, they will be required to log back in following this duration. |
|
|
Default realm to provide when user enters incomplete user principal (i.e. NIFI.APACHE.ORG). |
|
|
Absolute path to Kerberos client configuration file. |
See also Kerberos Service to allow single sign-on access via client Kerberos tickets.