Nifi + Hortonworks Schema Registry + Kerberos: 401 Authentication required

0
votes

I am ussing Apache Nifi 1.7 and I'm trying to use a RecordWritter that uses Hortonwors Schema Registry service controller to read schema metadata.

However, this controller service doesn't have any KErberos configuration properties like "KErberos Credential Service" that other Nifi processor have, so I am getting a 401 Error: Authentication required when I try to read schema from Hortonworks Schema Registry.

The intriguing thing here is that this workflow was working before, and after stopping nifi flow, moving the cluster to a different LAN and relaunching the flow again, it started to fail. I discarded any networks issues here since kerberos and schema registry keep the same URI's as before and I can make a query to registry service from the command line with curl as before.

Is there a way to make Hortonworks schema registry Controler working with Kerberos?

1
kerberosapache-nificloudera

1 Answers

1
votes

In 1.7.0 the only way to do is through a JAAS file with an entry for RegistryClient like:

RegistryClient {
    com.sun.security.auth.module.Krb5LoginModule required
    useKeyTab=true
    keyTab="REPLACE_WITH_KEYTAB"
    storeKey=true
    useTicketCache=false
    principal="REPLACE_WITH_PRINCIPAL";
};

Then in nifi's bootstrap.conf you need to specify the system property:

java.arg.16=-Djava.security.auth.login.config=/path/to/jaas.conf

In 1.10.0 there are new properties in the service to make it easier to configure.