Kerberos credentials

Learn how to provide the Kerberos credentials by defining the Keytab Credentials Controller Service.

In most processors there are two ways to provide the Kerberos credentials: either via properties directly available in the processor's configuration (this is the legacy way) or via the definition of a Keytab Credentials Controller Service. The controller service is the recommended way in multi-tenant environments where access to keytab configuration should be managed independently between different teams.

An environment variable controls which option can be used. To prevent the use of the old free-form keytab properties, which were left in place for backwards compatibility, configure the following environment variable in nifi-env.sh:
export NIFI_ALLOW_EXPLICIT_KEYTAB=true

Setting this value to false will produce a validation error in any component where the free-form keytab property is entered, which means the component cannot be started unless it uses a Keytab Credentials Controller Service.

Setting this environment variable to false, in combination with the /restricted-components/access-keytab policy, is the recommended way to have the finest-grained control over keytabs.
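
An added audit check, not part of the NiFi documentation or code base: the shell function below reads a nifi-env.sh file and reports which keytab mode its NIFI_ALLOW_EXPLICIT_KEYTAB setting selects. The function name, the output labels and the sample file contents are assumptions made for illustration; a missing assignment is reported as its own state because this page does not say what NiFi does when the variable is unset.

```shell
#!/bin/sh
# Added example: report how a nifi-env.sh file sets NIFI_ALLOW_EXPLICIT_KEYTAB.
# Prints one of: controller-service-only | explicit-keytab-allowed |
#                not-set | unrecognized-value
keytab_policy() {
    var=NIFI_ALLOW_EXPLICIT_KEYTAB found=0 val=
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line#"${line%%[![:space:]]*}"}          # trim leading whitespace
        case $line in
            "#"*) continue ;;                          # commented-out assignment
            export[[:space:]]*)
                line=${line#export}
                line=${line#"${line%%[![:space:]]*}"} ;;
        esac
        case $line in
            "$var="*) ;;
            *) continue ;;                             # some other line
        esac
        val=${line#"$var="}
        val=${val%%"#"*}                               # drop inline comment
        val=${val%"${val##*[![:space:]]}"}             # trim trailing whitespace
        case $val in                                   # strip matching quotes
            \"*\") val=${val#\"}; val=${val%\"} ;;
            \'*\') val=${val#\'}; val=${val%\'} ;;
        esac
        found=1                                        # last assignment wins
    done < "$1"
    [ "$found" -eq 1 ] || { echo not-set; return 0; }
    case $val in
        false) echo controller-service-only ;;         # free-form keytab rejected
        true)  echo explicit-keytab-allowed ;;         # legacy properties usable
        *)     echo unrecognized-value ;;
    esac
}

# Constructed sample file contents, not taken from a real deployment.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# export NIFI_ALLOW_EXPLICIT_KEYTAB=false
export NIFI_ALLOW_EXPLICIT_KEYTAB=true
export NIFI_ALLOW_EXPLICIT_KEYTAB="false"   # hardened override
EOF
keytab_policy "$sample"
rm -f "$sample"
```

Run against each node's nifi-env.sh, any result other than controller-service-only means the file does not enforce the controller-service-only configuration this page recommends.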