Kerberos
Below is an example and description of configuring a Login Identity Provider that integrates with a Kerberos Key Distribution Center (KDC) to authenticate users.
Set the following in nifi.properties to enable Kerberos username/password authentication:
nifi.security.user.login.identity.provider=kerberos-provider
Modify login-identity-providers.xml to enable the kerberos-provider. Here is the sample provided in the file:
<provider>
    <identifier>kerberos-provider</identifier>
    <class>org.apache.nifi.kerberos.KerberosProvider</class>
    <property name="Default Realm">NIFI.APACHE.ORG</property>
    <property name="Authentication Expiration">12 hours</property>
</provider>
The kerberos-provider has the following properties:
Property Name | Description |
---|---|
Authentication Expiration | How long the user authentication remains valid. If the user never logs out, they will be required to log back in following this duration. |
Default Realm | Default realm to provide when user enters incomplete user principal (i.e. |
See also Kerberos Service documentation to allow single sign-on access via client Kerberos tickets.
Note: For changes to nifi.properties and login-identity-providers.xml to take effect, NiFi needs to be restarted. If NiFi is clustered, configuration files must be the same on all nodes.
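A pre-restart check for the configuration described above, added here as an example and not part of the NiFi documentation or code base: it confirms that the identifier set in nifi.properties matches an enabled provider in login-identity-providers.xml and flags cluster nodes whose copy of a file differs. The function names, the root element name in the constructed sample, and treating both sample properties as required are assumptions of this example.

```python
import hashlib
import xml.etree.ElementTree as ET

KEY = "nifi.security.user.login.identity.provider"
# Assumption: both properties shown in the sample provider must be set.
REQUIRED = ("Default Realm", "Authentication Expiration")

def selected_provider(props_text):
    """Return the provider identifier named in nifi.properties, or None."""
    for line in props_text.splitlines():
        line = line.strip()
        if line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        if key.strip() == KEY:
            return value.strip() or None
    return None

def check_login_provider(props_text, providers_xml):
    """Return a list of problems; an empty list means the two files agree."""
    wanted = selected_provider(props_text)
    if wanted is None:
        return [f"{KEY} is not set"]
    # ElementTree skips XML comments, so a commented-out <provider> is not found.
    for provider in ET.fromstring(providers_xml).iter("provider"):
        if (provider.findtext("identifier") or "").strip() != wanted:
            continue
        props = {p.get("name"): (p.text or "").strip() for p in provider.iter("property")}
        return [f"property '{n}' is missing or empty" for n in REQUIRED if not props.get(n)]
    return [f"no enabled <provider> with identifier '{wanted}'"]

def config_drift(node_files):
    """node_files maps node name -> file bytes; return nodes differing from the first."""
    digests = {n: hashlib.sha256(b).hexdigest() for n, b in node_files.items()}
    reference = next(iter(digests.values()), None)
    return sorted(n for n, d in digests.items() if d != reference)

# Constructed sample input; the root element name is an assumption (only <provider> is searched).
SAMPLE_PROPS = "nifi.security.user.login.identity.provider=kerberos-provider\n"
SAMPLE_XML = """<loginIdentityProviders>
  <provider>
    <identifier>kerberos-provider</identifier>
    <class>org.apache.nifi.kerberos.KerberosProvider</class>
    <property name="Default Realm">NIFI.APACHE.ORG</property>
    <property name="Authentication Expiration">12 hours</property>
  </provider>
</loginIdentityProviders>"""

if __name__ == "__main__":
    print(check_login_provider(SAMPLE_PROPS, SAMPLE_XML) or "login provider config is consistent")
```

Run it against each node's files before restarting; a provider block that is still inside an XML comment is reported as not enabled.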