Configuring Kerberos in nifi.properties
The following key parameters for Kerberos are added to nifi.properties:
Kerberos client authentication
To give NiFi its own Kerberos identity, which it uses when it authenticates as a client to other Kerberized systems (for example a Kerberized ZooKeeper or Hadoop service):
nifi.kerberos.service.principal=nifi/_HOST@YOUR_REALM
nifi.kerberos.service.keytab.location=/path/to/nifi.keytab
nifi.kerberos.service.principal is the Kerberos principal NiFi runs as. Typically this is nifi/hostname@REALM, with the host name being the fully qualified name of the node on which NiFi is running. Note that the _HOST placeholder is a Hadoop configuration convention; the NiFi Administration Guide does not document substituting it in nifi.properties, so write the real host name explicitly, and give each node in a cluster its own principal and keytab. nifi.kerberos.service.keytab.location is the path to the keytab file that contains the credentials for the principal. The keytab is a long-lived credential: it should be owned by the account NiFi runs as and readable by nobody else (mode 600).
Kerberos for LDAP/Active Directory Authentication
If users should sign in to the NiFi UI with the Kerberos ticket they already hold from their domain (for example an Active Directory logon), i.e. browser single sign-on via SPNEGO:
nifi.kerberos.spnego.principal=nifi/_HOST@YOUR_REALM
nifi.kerberos.spnego.keytab.location=/path/to/spnego.keytab
nifi.kerberos.spnego.principal is the SPNEGO principal used to authenticate users via Kerberos. Browsers request a service ticket for HTTP/<fqdn>, so the conventional SPNEGO principal is HTTP/nifi.example.com@YOUR_REALM rather than nifi/...; whichever name you choose, the keytab must contain exactly that principal. nifi.kerberos.spnego.keytab.location is the path to the keytab file for SPNEGO. SPNEGO only works over HTTPS, so the NiFi keystore and truststore must be configured as well.
Kerberos for Inter-Node Communication
If the page's author's setup requires NiFi nodes in a cluster to authenticate with each other using Kerberos, the following properties are used:
nifi.cluster.node.kerberos.principal=nifi/_HOST@YOUR_REALM
nifi.cluster.node.kerberos.keytab.location=/path/to/cluster.keytab
nifi.cluster.node.kerberos.principal is the principal used by the cluster nodes to authenticate with each other. nifi.cluster.node.kerberos.keytab.location is the path to the keytab file for the cluster nodes. Check the cluster properties section of the NiFi Administration Guide for your release before relying on these two names: in standard NiFi, node-to-node cluster traffic is protected by mutual TLS using each node's keystore and truststore, and a node's Kerberos credentials are used for the ZooKeeper client (with nifi.zookeeper.auth.type=sasl and a JAAS login configuration passed to the JVM), not for the cluster protocol itself.
Customize the JVM Environment for Kerberos
krb5.conf
You must make sure that the krb5.conf file (usually /etc/krb5.conf) is configured correctly on every node and contains the realm, the KDC addresses and the domain-to-realm mappings for your Kerberos realm. The same file must also be readable by the account NiFi runs as.
JVM Options
NiFi reads the location of krb5.conf from nifi.kerberos.krb5.file in nifi.properties (for example nifi.kerberos.krb5.file=/etc/krb5.conf). If a component needs the JVM-level property instead, add a java.arg entry pointing at the same file:
java.arg.kerberos=-Djava.security.krb5.conf=/etc/krb5.conf
Lines of the form java.arg.<name>=... belong in conf/bootstrap.conf, which the NiFi bootstrap reads when building the JVM command line; nifi-env.sh only sets shell variables such as JAVA_HOME and does not accept them. Restart NiFi after changing either file.
Verify Kerberos Configuration
- Verify that the keytab files are present on every node, are readable only by the account NiFi runs as, and contain the expected principal (klist lists the principals stored in a keytab).
- Verify that every node in the NiFi cluster can obtain a ticket for its own principal using the kinit command (kinit -kt /path/to/nifi.keytab nifi/<fqdn>@YOUR_REALM). A failure here points at the keytab, the principal name, krb5.conf or KDC reachability, not at NiFi.
- Verify that NiFi is actually using Kerberos by starting it and checking logs/nifi-app.log and logs/nifi-user.log for Kerberos-related errors. Messages such as "Clock skew too great" or "Server not found in Kerberos database" come from the KDC exchange and indicate a time-sync or principal-name problem rather than a NiFi misconfiguration.
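The following script is an added example, not NiFi project code, that turns the property descriptions above and the verification steps into a repeatable check: it reads the service and SPNEGO principal/keytab pairs from nifi.properties, rejects an unexpanded _HOST placeholder, refuses a keytab that other users can read, and optionally proves with kinit that the KDC issues a ticket for the principal. It assumes MIT krb5 client tools (klist, kinit, kdestroy) on the PATH and a reachable KDC for the --live check; the file names and the --live flag are this example's own conventions.

```bash
#!/usr/bin/env bash
# Added example (not NiFi project code): lint the Kerberos settings in
# nifi.properties and, optionally, prove the keytab works with MIT krb5 tools.
# Assumptions: GNU or BSD stat, MIT krb5 client tools (klist/kinit/kdestroy)
# on PATH for the live check, and a reachable KDC for kinit.

# Read one key from a Java .properties file (first uncommented match).
prop() {  # prop <file> <key>
  sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

# A usable principal looks like service/fqdn@REALM. An unexpanded _HOST
# placeholder is the most common copy-paste mistake, so reject it explicitly.
check_principal() {  # check_principal <principal>
  case "$1" in
    *_HOST*) echo "unexpanded _HOST placeholder in principal: $1" >&2; return 1 ;;
  esac
  printf '%s\n' "$1" | grep -Eq '^[A-Za-z0-9_-]+/[A-Za-z0-9.-]+@[A-Za-z0-9.-]+$'
}

# The keytab is a long-lived credential: it must exist and must not be
# readable by group or others (mode 600 or 400, owned by the NiFi account).
check_keytab() {  # check_keytab <path>
  [ -f "$1" ] || { echo "keytab missing: $1" >&2; return 1; }
  local mode
  mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
  case "$mode" in
    600|400) return 0 ;;
    *) echo "keytab $1 has mode $mode, expected 600 or 400" >&2; return 1 ;;
  esac
}

# Live check: the principal is in the keytab and the KDC issues a TGT for it.
# Uses a private credential cache so it never touches the NiFi user's own cache.
check_kinit() {  # check_kinit <keytab> <principal>
  local cc="/tmp/nifi-kerberos-check.$$"
  klist -kt "$1" | grep -q "$2" || { echo "principal $2 not found in $1" >&2; return 1; }
  KRB5CCNAME="FILE:$cc" kinit -kt "$1" "$2" || return 1
  kdestroy -c "$cc"
}

# Walk the service and SPNEGO pairs; a pair with an empty principal is simply
# not configured and is skipped. Pass --live to also run the kinit check.
check_nifi_kerberos() {  # check_nifi_kerberos <nifi.properties> [--live]
  local props=$1 live=${2:-} rc=0 key principal keytab
  for key in nifi.kerberos.service nifi.kerberos.spnego; do
    principal=$(prop "$props" "$key.principal")
    keytab=$(prop "$props" "$key.keytab.location")
    [ -n "$principal" ] || continue
    check_principal "$principal" || rc=1
    check_keytab "$keytab" || rc=1
    if [ "$live" = --live ]; then
      check_kinit "$keytab" "$principal" || rc=1
    fi
  done
  return "$rc"
}

# Usage: ./check-nifi-kerberos.sh /opt/nifi/conf/nifi.properties [--live]
if [ $# -gt 0 ]; then
  check_nifi_kerberos "$@"
fi
```

Run it on each node as the NiFi service account, since the keytab permission check and the kinit check must both succeed for that account, not for root. A non-zero exit means at least one pair failed; the messages on stderr say which.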
In a nutshell, these settings matter for three reasons:
- Authentication: Kerberos provides a strong mechanism for authenticating users and nodes in the cluster. This means that each component, be it a user or another node, must prove its authenticity before accessing NiFi resources. In this way, the risk of unauthorized access is reduced.
- Security of cluster communication: in a NiFi cluster, each node must obtain a ticket from the key distribution center (KDC) before it can prove its identity to the Kerberized services it depends on, such as ZooKeeper. Node-to-node cluster traffic itself is protected by mutual TLS, so Kerberos and TLS complement rather than replace each other here.
- Encryption: Kerberos authenticates but does not encrypt NiFi's HTTP traffic. NiFi requires HTTPS (TLS) for any authenticated access, so the Kerberos ticket exchange and all data between users, nodes and NiFi travel over TLS, which protects them from interception and tampering in transit.