Kerberos

Below is an example and description of configuring an Identity Provider that integrates with a Kerberos Key Distribution Center (KDC) to authenticate users.

Set the following in nifi-registry.properties to enable Kerberos username/password authentication:


nifi.registry.security.user.identity.provider=kerberos-identity-provider

Modify identity-providers.xml to enable the kerberos-identity-provider. Here is the sample provided in the file:


<provider>
    <identifier>kerberos-identity-provider</identifier>
    <class>org.apache.nifi.registry.web.security.authentication.kerberos.KerberosIdentityProvider</class>
    <property name="Default Realm">NIFI.APACHE.ORG</property>
    <property name="Authentication Expiration">12 hours</property>
    <property name="Enable Debug">false</property>
</provider>

The kerberos-identity-provider has the following properties:

Property Name Description

Enable Debug

Enables debug logging output for the SunJaasKerberosClient used internally by the KerberosIdentityProvider. By default, this is set to false.

Default Realm

Default realm to provide when user enters incomplete user principal (i.e. NIFI.APACHE.ORG).

Authentication Expiration

The duration for which the user authentication is valid. If the user never logs out, they will be required to log back in following this duration.

See also Kerberos Service to allow single sign-on access via client Kerberos tickets.