Kerberos Service
NiFi Registry can be configured to use Kerberos SPNEGO (or "Kerberos Service") for
authentication. In this scenario, users will hit the REST endpoint
/access/token/kerberos
and the server will respond with a
401
status code and the challenge response header
WWW-Authenticate: Negotiate
. This communicates to the browser to use
the GSS-API and load the user's Kerberos ticket and provide it as a Base64-encoded header
value in the subsequent request. It will be of the form Authorization: Negotiate
YII…
. NiFi Registry will attempt to validate this ticket with the KDC. If it
is successful, the user's principal will be returned as the identity, and the flow
will follow login/credential authentication, in that a JWT will be issued in the response
to prevent the unnecessary overhead of Kerberos authentication on every subsequent request.
If the ticket cannot be validated, it will return with the appropriate error response code.
The user will then be able to provide their Kerberos credentials to the login form if the
KerberosIdentityProvider
has been configured.
NiFi Registry will only respond to Kerberos SPNEGO negotiation over an HTTPS connection, as unsecured requests are never authenticated.