From 388683a5c56e3fd1fed2305aca574a2f8191f4e2 Mon Sep 17 00:00:00 2001 From: Bryan Bende Date: Thu, 24 Oct 2019 11:48:08 -0400 Subject: [PATCH] NIFI-6808 Adding KeytabCredentialService to HortonworksSchemaRegistry and setting dynamic JAAS config property on client This closes #3877. --- .../nifi-hwx-schema-registry-service/pom.xml | 6 +++- .../HortonworksSchemaRegistry.java | 29 +++++++++++++++++++ 2 files changed, 34 insertions(+), 1 deletion(-) diff --git a/nifi-nar-bundles/nifi-standard-services/nifi-hwx-schema-registry-bundle/nifi-hwx-schema-registry-service/pom.xml b/nifi-nar-bundles/nifi-standard-services/nifi-hwx-schema-registry-bundle/nifi-hwx-schema-registry-service/pom.xml index 41bcc98d4e..8a4114b892 100644 --- a/nifi-nar-bundles/nifi-standard-services/nifi-hwx-schema-registry-bundle/nifi-hwx-schema-registry-service/pom.xml +++ b/nifi-nar-bundles/nifi-standard-services/nifi-hwx-schema-registry-bundle/nifi-hwx-schema-registry-service/pom.xml @@ -28,7 +28,7 @@ limitations under the License. nifi-hwx-schema-registry-service jar - 0.8.0 + 0.8.1 @@ -57,6 +57,10 @@ limitations under the License. org.apache.nifi nifi-ssl-context-service-api + + org.apache.nifi + nifi-kerberos-credentials-service-api + org.apache.avro avro diff --git a/nifi-nar-bundles/nifi-standard-services/nifi-hwx-schema-registry-bundle/nifi-hwx-schema-registry-service/src/main/java/org/apache/nifi/schemaregistry/hortonworks/HortonworksSchemaRegistry.java b/nifi-nar-bundles/nifi-standard-services/nifi-hwx-schema-registry-bundle/nifi-hwx-schema-registry-service/src/main/java/org/apache/nifi/schemaregistry/hortonworks/HortonworksSchemaRegistry.java index eb5817e5fe..a18a5bdafa 100644 --- a/nifi-nar-bundles/nifi-standard-services/nifi-hwx-schema-registry-bundle/nifi-hwx-schema-registry-service/src/main/java/org/apache/nifi/schemaregistry/hortonworks/HortonworksSchemaRegistry.java 
+++ b/nifi-nar-bundles/nifi-standard-services/nifi-hwx-schema-registry-bundle/nifi-hwx-schema-registry-service/src/main/java/org/apache/nifi/schemaregistry/hortonworks/HortonworksSchemaRegistry.java @@ -34,6 +34,7 @@ import org.apache.nifi.components.PropertyDescriptor; import org.apache.nifi.controller.AbstractControllerService; import org.apache.nifi.controller.ConfigurationContext; import org.apache.nifi.expression.ExpressionLanguageScope; +import org.apache.nifi.kerberos.KerberosCredentialsService; import org.apache.nifi.processor.util.StandardValidators; import org.apache.nifi.reporting.InitializationException; import org.apache.nifi.schema.access.SchemaField; @@ -99,6 +100,7 @@ public class HortonworksSchemaRegistry extends AbstractControllerService impleme .defaultValue("1 hour") .required(true) .build(); + static final PropertyDescriptor SSL_CONTEXT_SERVICE = new PropertyDescriptor.Builder() .name("ssl-context-service") .displayName("SSL Context Service") @@ -107,6 +109,14 @@ public class HortonworksSchemaRegistry extends AbstractControllerService impleme .identifiesControllerService(SSLContextService.class) .build(); + static final PropertyDescriptor KERBEROS_CREDENTIALS_SERVICE = new PropertyDescriptor.Builder() + .name("kerberos-credentials-service") + .displayName("Kerberos Credentials Service") + .description("Specifies the Kerberos Credentials Controller Service that should be used for authenticating with Kerberos") + .identifiesControllerService(KerberosCredentialsService.class) + .required(false) + .build(); + private volatile SchemaRegistryClient schemaRegistryClient; private volatile boolean initialized; private volatile Map schemaRegistryConfig; 
@@ -135,6 +145,24 @@ public class HortonworksSchemaRegistry extends AbstractControllerService impleme if (!sslProperties.isEmpty()) { schemaRegistryConfig.put(CLIENT_SSL_PROPERTY_PREFIX, sslProperties); } + + final KerberosCredentialsService kerberosCredentialsService = context.getProperty(KERBEROS_CREDENTIALS_SERVICE) + .asControllerService(KerberosCredentialsService.class); + if (kerberosCredentialsService != null) { + final String principal = kerberosCredentialsService.getPrincipal(); + final String keytab = kerberosCredentialsService.getKeytab(); + final String jaasConfigString = getJaasConfig(principal, keytab); + schemaRegistryConfig.put(SchemaRegistryClient.Configuration.SASL_JAAS_CONFIG.name(), jaasConfigString); + } + } + + private String getJaasConfig(final String principal, final String keytab) { + return "com.sun.security.auth.module.Krb5LoginModule required " + + "useTicketCache=false " + + "renewTicket=true " + + "useKeyTab=true " + + "keyTab=\"" + keytab + "\" " + + "principal=\"" + principal + "\";"; } private Map buildSslProperties(final ConfigurationContext context) { @@ -176,6 +204,7 @@ public class HortonworksSchemaRegistry extends AbstractControllerService impleme properties.add(CACHE_SIZE); properties.add(CACHE_EXPIRATION); properties.add(SSL_CONTEXT_SERVICE); + properties.add(KERBEROS_CREDENTIALS_SERVICE); return properties; }
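Review bot: `getJaasConfig` splices `keytab` and `principal` between double quotes without escaping, so a value containing `"` or `\` changes how the JAAS entry is parsed. A quote ends the option early and the rest of the value is read as further login-module options, and backslashes in a Windows keytab path are, as far as I know, treated as escape characters by the JAAS parser. Both values come from the configured KerberosCredentialsService, so escape them (backslash first, then the quote) or reject such values before building the string; a null from either getter currently becomes the literal text `null`. Separately, `renewTicket` is not among the Krb5LoginModule options I know of (the documented one is `renewTGT`, which requires the ticket cache), so it is probably ignored and should not be relied on for renewal. The method that fills `schemaRegistryConfig` starts outside this hunk, so whether the map, which now carries the keytab path, is ever logged cannot be checked from here.

```java
private String getJaasConfig(final String principal, final String keytab) {
    // … unchanged: module name and the fixed useTicketCache / renewTicket / useKeyTab options …
            + "keyTab=\"" + escapeJaasValue(keytab) + "\" "
            + "principal=\"" + escapeJaasValue(principal) + "\";";
}

// Escape the backslash first, then the double quote, so a configured value
// cannot close the quoted option and append options of its own.
private static String escapeJaasValue(final String value) {
    return value.replace("\\", "\\\\").replace("\"", "\\\"");
}
```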