NIFI-6808 Adding KeytabCredentialService to HortonworksSchemaRegistry and setting dynamic JAAS config property on client

This closes #3877.
2019-10-24 11:48:08 -04:00 · 2019-10-24 11:48:08 -04:00 · 388683a5c5
parent 18245a4441
commit 388683a5c5
2 changed files with 34 additions and 1 deletions
--- a/nifi-nar-bundles/nifi-standard-services/nifi-hwx-schema-registry-bundle/nifi-hwx-schema-registry-service/pom.xml
+++ b/nifi-nar-bundles/nifi-standard-services/nifi-hwx-schema-registry-bundle/nifi-hwx-schema-registry-service/pom.xml
@ -28,7 +28,7 @@ limitations under the License.
    <artifactId>nifi-hwx-schema-registry-service</artifactId>
    <packaging>jar</packaging>
    <properties>
-        <hwx.registry.version>0.8.0</hwx.registry.version>
+        <hwx.registry.version>0.8.1</hwx.registry.version>
    </properties>
    <dependencies>
        <dependency>
@ -57,6 +57,10 @@ limitations under the License.
            <groupId>org.apache.nifi</groupId>
            <artifactId>nifi-ssl-context-service-api</artifactId>
        </dependency>
+        <dependency>
+            <groupId>org.apache.nifi</groupId>
+            <artifactId>nifi-kerberos-credentials-service-api</artifactId>
+        </dependency>
        <dependency>
            <groupId>org.apache.avro</groupId>
            <artifactId>avro</artifactId>
--- a/nifi-nar-bundles/nifi-standard-services/nifi-hwx-schema-registry-bundle/nifi-hwx-schema-registry-service/src/main/java/org/apache/nifi/schemaregistry/hortonworks/HortonworksSchemaRegistry.java
+++ b/nifi-nar-bundles/nifi-standard-services/nifi-hwx-schema-registry-bundle/nifi-hwx-schema-registry-service/src/main/java/org/apache/nifi/schemaregistry/hortonworks/HortonworksSchemaRegistry.java
@ -34,6 +34,7 @@ import org.apache.nifi.components.PropertyDescriptor;
 import org.apache.nifi.controller.AbstractControllerService;
 import org.apache.nifi.controller.ConfigurationContext;
 import org.apache.nifi.expression.ExpressionLanguageScope;
+import org.apache.nifi.kerberos.KerberosCredentialsService;
 import org.apache.nifi.processor.util.StandardValidators;
 import org.apache.nifi.reporting.InitializationException;
 import org.apache.nifi.schema.access.SchemaField;
@ -99,6 +100,7 @@ public class HortonworksSchemaRegistry extends AbstractControllerService impleme
        .defaultValue("1 hour")
        .required(true)
        .build();
+
    static final PropertyDescriptor SSL_CONTEXT_SERVICE = new PropertyDescriptor.Builder()
        .name("ssl-context-service")
        .displayName("SSL Context Service")
@ -107,6 +109,14 @@ public class HortonworksSchemaRegistry extends AbstractControllerService impleme
        .identifiesControllerService(SSLContextService.class)
        .build();

+    static final PropertyDescriptor KERBEROS_CREDENTIALS_SERVICE = new PropertyDescriptor.Builder()
+        .name("kerberos-credentials-service")
+        .displayName("Kerberos Credentials Service")
+        .description("Specifies the Kerberos Credentials Controller Service that should be used for authenticating with Kerberos")
+        .identifiesControllerService(KerberosCredentialsService.class)
+        .required(false)
+        .build();
+
    private volatile SchemaRegistryClient schemaRegistryClient;
    private volatile boolean initialized;
    private volatile Map<String, Object> schemaRegistryConfig;
@ -135,6 +145,24 @@ public class HortonworksSchemaRegistry extends AbstractControllerService impleme
        if (!sslProperties.isEmpty()) {
            schemaRegistryConfig.put(CLIENT_SSL_PROPERTY_PREFIX, sslProperties);
        }
+
+        final KerberosCredentialsService kerberosCredentialsService = context.getProperty(KERBEROS_CREDENTIALS_SERVICE)
+                .asControllerService(KerberosCredentialsService.class);
+        if (kerberosCredentialsService != null) {
+            final String principal = kerberosCredentialsService.getPrincipal();
+            final String keytab = kerberosCredentialsService.getKeytab();
+            final String jaasConfigString = getJaasConfig(principal, keytab);
+            schemaRegistryConfig.put(SchemaRegistryClient.Configuration.SASL_JAAS_CONFIG.name(), jaasConfigString);
+        }
+    }
+
+    private String getJaasConfig(final String principal, final String keytab) {
+        return "com.sun.security.auth.module.Krb5LoginModule required "
+                + "useTicketCache=false "
+                + "renewTicket=true "
+                + "useKeyTab=true "
+                + "keyTab=\"" + keytab + "\" "
+                + "principal=\"" + principal + "\";";
    }

    private Map<String, String> buildSslProperties(final ConfigurationContext context) {
@ -176,6 +204,7 @@ public class HortonworksSchemaRegistry extends AbstractControllerService impleme
        properties.add(CACHE_SIZE);
        properties.add(CACHE_EXPIRATION);
        properties.add(SSL_CONTEXT_SERVICE);
+        properties.add(KERBEROS_CREDENTIALS_SERVICE);
        return properties;
    }