Kerberos Service
NiFi can be configured to use Kerberos SPNEGO (or "Kerberos Service") for authentication. In this scenario, users will hit the REST endpoint /access/kerberos and the server will respond with a 401 status code and the challenge response header WWW-Authenticate: Negotiate. This tells the browser to use the GSS-API to load the user's Kerberos ticket and provide it as a Base64-encoded header value in the subsequent request, which will be of the form Authorization: Negotiate YII…. NiFi will attempt to validate this ticket with the KDC. If validation succeeds, the user's principal is returned as the identity, and the flow follows login/credential authentication: a JWT is issued in the response so that the overhead of Kerberos authentication is not repeated on every subsequent request. If the ticket cannot be validated, NiFi returns the appropriate error response code. The user will then be able to provide their Kerberos credentials to the login form if the KerberosLoginIdentityProvider has been configured. See Kerberos login identity provider for more details.

NiFi will only respond to Kerberos SPNEGO negotiation over an HTTPS connection, as unsecured requests are never authenticated.
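The exchange described above, modelled as an added example that is not NiFi's own code: a server-side handler for /access/kerberos that issues the 401 Negotiate challenge, parses the GSS-API InitialContextToken carried in the Authorization header (checking the SPNEGO or Kerberos V5 mechanism OID), hands the inner ticket to a pluggable validator standing in for the KDC check, and mints an HS256 JWT on success. The sample ticket, the fake_kdc callback, the signing key, the 403 returned over plain HTTP and the JWT claim layout are all constructed for this example; the page does not specify NiFi's internal token format.

```python
"""Added example (not NiFi code): the /access/kerberos SPNEGO exchange, offline."""
import base64
import binascii
import hashlib
import hmac
import json
import time

# GSS-API mechanism OIDs in DER form (SPNEGO per RFC 4178, Kerberos V5 per RFC 4121).
MECHS = {
    bytes.fromhex("2b0601050502"): "SPNEGO",        # 1.3.6.1.5.5.2
    bytes.fromhex("2a864886f712010202"): "KRB5",    # 1.2.840.113554.1.2.2
}

def _read_der_length(buf, i):
    """Return (length, next_index) for the DER length field starting at buf[i]."""
    first = buf[i]
    if first < 0x80:
        return first, i + 1
    n = first & 0x7F
    if n == 0 or n > 2 or i + 1 + n > len(buf):
        raise ValueError("unsupported DER length")
    return int.from_bytes(buf[i + 1:i + 1 + n], "big"), i + 1 + n

def _der_length(n):
    """Minimal DER length encoding (short form, or one/two-byte long form)."""
    if n < 0x80:
        return bytes([n])
    return b"\x81" + bytes([n]) if n < 0x100 else b"\x82" + n.to_bytes(2, "big")

def parse_gss_token(raw):
    """Split an InitialContextToken ([APPLICATION 0] { mech OID, inner token }) into
    (mechanism name, inner token); raises ValueError on anything malformed."""
    if not raw or raw[0] != 0x60:
        raise ValueError("not a GSS-API InitialContextToken")
    body_len, i = _read_der_length(raw, 1)
    if len(raw) - i != body_len or raw[i] != 0x06:
        raise ValueError("bad token length or missing mechanism OID")
    oid_len, j = _read_der_length(raw, i + 1)
    mech = MECHS.get(raw[j:j + oid_len])
    if mech is None:
        raise ValueError("unknown GSS mechanism")
    return mech, raw[j + oid_len:]

def build_gss_token(mech_oid, inner):
    """Wrap an inner token in InitialContextToken framing (used to build the sample)."""
    body = b"\x06" + _der_length(len(mech_oid)) + mech_oid + inner
    return b"\x60" + _der_length(len(body)) + body

def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def issue_jwt(principal, key, ttl=3600, now=None):
    """Mint an HS256 JWT so later requests skip the Kerberos round trip."""
    now = int(time.time()) if now is None else now
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    claims = {"sub": principal, "iat": now, "exp": now + ttl}
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def verify_jwt(token, key, now=None):
    """Return the claims if the signature is valid and the token is unexpired, else None."""
    try:
        header, payload, sig = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_b64url(expected), sig):
        return None
    claims = json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))
    now = int(time.time()) if now is None else now
    return claims if claims.get("exp", 0) > now else None

def handle_access_kerberos(headers, https, validate_ticket, jwt_key):
    """Server side of GET /access/kerberos -> (status, response headers, body).
    validate_ticket(mech, inner) stands in for the KDC check; returns principal or None."""
    if not https:
        # Unsecured requests are never authenticated; this example refuses to negotiate
        # at all over plain HTTP (the 403 is this example's choice, not NiFi's documented code).
        return 403, {}, "Kerberos SPNEGO requires HTTPS"
    auth = headers.get("Authorization", "")
    if not auth.startswith("Negotiate "):
        return 401, {"WWW-Authenticate": "Negotiate"}, ""
    try:
        raw = base64.b64decode(auth[len("Negotiate "):].strip(), validate=True)
        mech, inner = parse_gss_token(raw)
    except (ValueError, binascii.Error):
        return 401, {"WWW-Authenticate": "Negotiate"}, "malformed Negotiate token"
    principal = validate_ticket(mech, inner)
    if principal is None:
        return 401, {"WWW-Authenticate": "Negotiate"}, "ticket validation failed"
    return 200, {"Content-Type": "text/plain"}, issue_jwt(principal, jwt_key)

def build_negotiate_header(gss_token):
    """Client side: the header the browser sends after the 401 challenge."""
    return "Negotiate " + base64.b64encode(gss_token).decode()

# Constructed sample (not a real ticket): a >256-byte body makes the Base64 start with "YII",
# as real tokens do, because the outer tag and long-form length begin 0x60 0x82.
SAMPLE_INNER = b"\xa0" + bytes(300)
SAMPLE_TOKEN = build_gss_token(bytes.fromhex("2b0601050502"), SAMPLE_INNER)
JWT_KEY = b"example-signing-key"  # placeholder key for the example only

def fake_kdc(mech, inner):
    """Stand-in for the KDC validation: accepts only the constructed sample ticket."""
    return "alice@EXAMPLE.COM" if inner == SAMPLE_INNER else None

if __name__ == "__main__":
    print(handle_access_kerberos({}, True, fake_kdc, JWT_KEY)[:2])
    hdr = build_negotiate_header(SAMPLE_TOKEN)
    status, _, jwt = handle_access_kerberos({"Authorization": hdr}, True, fake_kdc, JWT_KEY)
    print(status, verify_jwt(jwt, JWT_KEY))
```

The validator callback is where a real deployment would perform the keytab-backed GSS accept step; keeping it injectable lets the challenge, parsing and JWT issuance be exercised without a KDC.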
The following properties must be set in nifi.properties to enable Kerberos service authentication.
Property | Required | Description
--- | --- | ---
Service Principal | true | The service principal used by NiFi to communicate with the KDC
Keytab Location | true | The file path to the keytab containing the service principal
See Kerberos Properties for complete documentation.