Apache NiFi Registry Administration

Kerberos

Below is an example and description of configuring an Identity Provider that integrates with a Kerberos Key Distribution Center (KDC) to authenticate users.

<provider>
    <identifier>kerberos-identity-provider</identifier>
    <class>org.apache.nifi.registry.web.security.authentication.kerberos.KerberosIdentityProvider</class>
    <property name="Default Realm">NIFI.APACHE.ORG</property>
    <property name="Kerberos Config File">/etc/krb5.conf</property>
    <property name="Authentication Expiration">12 hours</property>
</provider>

With this configuration, username/password authentication can be enabled by referencing this provider in nifi-registry.properties.

nifi.registry.security.user.identity.provider=kerberos-identity-provider

| Property Name | Description |
|---|---|
| Authentication Expiration | The duration for which the user authentication is valid. If the user never logs out, they will be required to log back in following this duration. |
| Default Realm | Default realm to provide when a user enters an incomplete user principal (e.g. NIFI.APACHE.ORG). |
| Kerberos Config File | Absolute path to the Kerberos client configuration file. |
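
The following Python check is an added example, not part of the NiFi Registry documentation or code base. It cross-checks the two settings described above: that the identifier referenced in nifi-registry.properties matches a defined Kerberos provider, and that the three documented properties are usable. The function names are hypothetical, the `<identityProviders>` wrapper element in the sample is assumed, and the duration pattern is an assumption modelled on the "12 hours" value.

```python
import re
import xml.etree.ElementTree as ET
from pathlib import PurePosixPath

KERBEROS_CLASS = ("org.apache.nifi.registry.web.security.authentication."
                  "kerberos.KerberosIdentityProvider")
PROP_KEY = "nifi.registry.security.user.identity.provider"
# Assumption: durations look like "<number> <unit>", as in the page's "12 hours".
DURATION = re.compile(r"^\d+\s*(secs?|seconds?|mins?|minutes?|hrs?|hours?|days?)$", re.I)

# Constructed sample input built from the values shown on this page.
SAMPLE_XML = f"""<identityProviders><provider>
    <identifier>kerberos-identity-provider</identifier>
    <class>{KERBEROS_CLASS}</class>
    <property name="Default Realm">NIFI.APACHE.ORG</property>
    <property name="Kerberos Config File">/etc/krb5.conf</property>
    <property name="Authentication Expiration">12 hours</property>
</provider></identityProviders>"""
SAMPLE_PROPS = f"{PROP_KEY}=kerberos-identity-provider\n"

def referenced_provider(properties_text):
    """Return the identifier named by PROP_KEY, or None if it is unset."""
    for line in properties_text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key.strip() == PROP_KEY:  # comment lines never equal the key
            return value.strip() or None
    return None

def check_kerberos_provider(providers_xml, properties_text):
    """Return a list of findings; an empty list means the two files agree."""
    wanted = referenced_provider(properties_text)
    if wanted is None:
        return [f"{PROP_KEY} is not set; no identity provider is referenced"]
    root = ET.fromstring(providers_xml)  # admin-owned config, not untrusted XML
    providers = {p.findtext("identifier", "").strip(): p for p in root.iter("provider")}
    if wanted not in providers:
        return [f"{PROP_KEY}={wanted} matches no <identifier>"]
    provider = providers[wanted]
    findings = []
    if provider.findtext("class", "").strip() != KERBEROS_CLASS:
        findings.append("referenced provider is not KerberosIdentityProvider")
    props = {p.get("name"): (p.text or "").strip() for p in provider.iter("property")}
    if not props.get("Default Realm"):
        findings.append("Default Realm is empty; incomplete principals get no realm")
    if not PurePosixPath(props.get("Kerberos Config File", "")).is_absolute():
        findings.append("Kerberos Config File must be an absolute path")
    if not DURATION.match(props.get("Authentication Expiration", "")):
        findings.append("Authentication Expiration is not a '<number> <unit>' duration")
    return findings
```

Calling `check_kerberos_provider` with the contents of the real provider file and nifi-registry.properties returns an empty list when the reference and all three properties check out.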

See also Kerberos Service to allow single sign-on access via client Kerberos tickets.