In the previous post we secured our NiFi cluster with X.509 certificates. Now we will add one more layer of security to our cluster through Kerberos authentication.
Below are the steps to install and configure the KDC.
Step 1: Install KDC server
Step 2: Modify the KDC server configuration file krb5.conf, located at /etc/krb5.conf.
Add your host name and update the domain_realm section. Below is a screenshot of the modified krb5.conf file.
Step 3: Create a Kerberos database with kdb5_util. When prompted for a password, enter one and keep a note of it.
Step 4: Start KDC server and KDC admin server
Step 5: Add a service principal and export keytab from KDC
kadmin.local
addprinc -randkey nifi/HDF
ktadd -k /opt/nifi-HDF.keytab nifi/HDF
q
Step 6: Create a login identity using Kerberos
Step 7: Configure NCM
Update the security user login identity provider in the nifi.properties file to kerberos-provider, and fill in the Kerberos section of nifi.properties with the details created in the steps above.
For the NCM, update the cluster-ncm-provider properties in the authority-provider file as per the screenshot below.
Also update login-identity-providers.xml with the Kerberos details created in the steps above.
Step 8: Configure Node 1
Update the cluster-node-provider properties in the authority-provider file as per the screenshot below.
Step 9: Configure Node 2
Update the cluster-node-provider properties in the authority-provider file as per the screenshot below.
Step 10: Once the properties files are configured on all three instances, restart the NiFi server on each instance.
You will be prompted with a login page; enter the Kerberos login identity we created in the steps above.
When we log in for the first time we are redirected to a justification page, where we can submit our request for access.
Once submitted, an admin can check the request and grant privileges.
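Before pointing nifi.properties at the keytab exported in step 5, it is worth confirming that the file really contains the service principal, since a mismatch between the configured principal and the keytab contents is the usual reason the Kerberos provider fails to start. The following is an added example, not code from the original post: it parses the MIT keytab format and reports principals, kvno and enctype without ever returning key material. The realm EXAMPLE.COM, the kvno and the sample keytab bytes are constructed assumptions.

```python
import struct

KEYTAB_MAGIC = b"\x05\x02"  # MIT keytab file format version 2 (0x0502)

def _cstr(buf, off):  # counted octet string: uint16 length + bytes -> (text, new offset)
    (n,) = struct.unpack(">H", buf[off:off + 2])
    return buf[off + 2:off + 2 + n].decode(), off + 2 + n

def parse_keytab(data):
    """List the principals in an MIT keytab; key bytes are skipped and never returned."""
    if data[:2] != KEYTAB_MAGIC:
        raise ValueError("unsupported keytab version %r" % data[:2])
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack(">i", data[pos:pos + 4])
        pos += 4
        if size < 0:                       # negative size marks a deleted entry (a hole)
            pos -= size
            continue
        end, off = pos + size, pos
        (ncomp,) = struct.unpack(">H", data[off:off + 2]); off += 2
        realm, off = _cstr(data, off)
        comps = []
        for _ in range(ncomp):
            comp, off = _cstr(data, off); comps.append(comp)
        _name_type, _timestamp, vno8 = struct.unpack(">IIB", data[off:off + 9]); off += 9
        enctype, klen = struct.unpack(">HH", data[off:off + 4]); off += 4 + klen
        vno = vno8
        if end - off >= 4:                 # optional 32-bit kvno trailer (0 means use vno8)
            (vno32,) = struct.unpack(">I", data[off:off + 4]); vno = vno32 or vno8
        entries.append({"principal": "/".join(comps) + "@" + realm, "kvno": vno, "enctype": enctype})
        pos = end
    return entries

def keytab_has_principal(data, principal):
    """True when the exact service principal NiFi will be configured with is in the keytab."""
    return any(e["principal"] == principal for e in parse_keytab(data))

def make_keytab(principal, enctype=18, key=b"\x00" * 32, kvno=2):
    """Build a one-entry keytab for the constructed sample below (all-zero key, not a real one)."""
    name, realm = principal.rsplit("@", 1)
    comps = name.split("/")
    body = struct.pack(">HH", len(comps), len(realm)) + realm.encode()
    for comp in comps:
        body += struct.pack(">H", len(comp)) + comp.encode()
    body += struct.pack(">IIB", 1, 1457000000, kvno)  # KRB5_NT_PRINCIPAL, timestamp, vno8
    body += struct.pack(">HH", enctype, len(key)) + key + struct.pack(">I", kvno)
    return KEYTAB_MAGIC + struct.pack(">i", len(body)) + body

SAMPLE_KEYTAB = make_keytab("nifi/HDF@EXAMPLE.COM")  # constructed stand-in for /opt/nifi-HDF.keytab; realm assumed
```

For the real file, pass the bytes of /opt/nifi-HDF.keytab to parse_keytab and compare against the principal you put in nifi.properties; klist -kt on the KDC host lists the same entries from the command line.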
We can go back to the browser where the user key certificate was added (please refer to my previous post http://www.bigdatadestination.com/nifi-securing-cluster-with-x-509-certificates/ on securing the cluster with X.509 certificates) and grant access to user test11 (we manually granted ROLE_ADMIN to our user key in authorized-users.xml).
Now the test11 user can access the NCM with Read Only privilege.
Yippee! We have successfully configured Kerberos on our NiFi cluster and also controlled the level of access to NiFi.
Watch this space http://www.bigdatadestination.com/ for more stuff.