mirror of https://github.com/apache/nifi.git
NIFI-6808 Adding KeytabCredentialService to HortonworksSchemaRegistry and setting dynamic JAAS config property on client
This closes #3877.
parent
18245a4441
commit
388683a5c5
|
@ -28,7 +28,7 @@ limitations under the License.
|
||||||
<artifactId>nifi-hwx-schema-registry-service</artifactId>
|
<artifactId>nifi-hwx-schema-registry-service</artifactId>
|
||||||
<packaging>jar</packaging>
|
<packaging>jar</packaging>
|
||||||
<properties>
|
<properties>
|
||||||
<hwx.registry.version>0.8.0</hwx.registry.version>
|
<hwx.registry.version>0.8.1</hwx.registry.version>
|
||||||
</properties>
|
</properties>
|
||||||
<dependencies>
|
<dependencies>
|
||||||
<dependency>
|
<dependency>
|
||||||
|
@ -57,6 +57,10 @@ limitations under the License.
|
||||||
<groupId>org.apache.nifi</groupId>
|
<groupId>org.apache.nifi</groupId>
|
||||||
<artifactId>nifi-ssl-context-service-api</artifactId>
|
<artifactId>nifi-ssl-context-service-api</artifactId>
|
||||||
</dependency>
|
</dependency>
|
||||||
|
<dependency>
|
||||||
|
<groupId>org.apache.nifi</groupId>
|
||||||
|
<artifactId>nifi-kerberos-credentials-service-api</artifactId>
|
||||||
|
</dependency>
|
||||||
<dependency>
|
<dependency>
|
||||||
<groupId>org.apache.avro</groupId>
|
<groupId>org.apache.avro</groupId>
|
||||||
<artifactId>avro</artifactId>
|
<artifactId>avro</artifactId>
|
||||||
|
|
|
@ -34,6 +34,7 @@ import org.apache.nifi.components.PropertyDescriptor;
|
||||||
import org.apache.nifi.controller.AbstractControllerService;
|
import org.apache.nifi.controller.AbstractControllerService;
|
||||||
import org.apache.nifi.controller.ConfigurationContext;
|
import org.apache.nifi.controller.ConfigurationContext;
|
||||||
import org.apache.nifi.expression.ExpressionLanguageScope;
|
import org.apache.nifi.expression.ExpressionLanguageScope;
|
||||||
|
import org.apache.nifi.kerberos.KerberosCredentialsService;
|
||||||
import org.apache.nifi.processor.util.StandardValidators;
|
import org.apache.nifi.processor.util.StandardValidators;
|
||||||
import org.apache.nifi.reporting.InitializationException;
|
import org.apache.nifi.reporting.InitializationException;
|
||||||
import org.apache.nifi.schema.access.SchemaField;
|
import org.apache.nifi.schema.access.SchemaField;
|
||||||
|
@ -99,6 +100,7 @@ public class HortonworksSchemaRegistry extends AbstractControllerService impleme
|
||||||
.defaultValue("1 hour")
|
.defaultValue("1 hour")
|
||||||
.required(true)
|
.required(true)
|
||||||
.build();
|
.build();
|
||||||
|
|
||||||
static final PropertyDescriptor SSL_CONTEXT_SERVICE = new PropertyDescriptor.Builder()
|
static final PropertyDescriptor SSL_CONTEXT_SERVICE = new PropertyDescriptor.Builder()
|
||||||
.name("ssl-context-service")
|
.name("ssl-context-service")
|
||||||
.displayName("SSL Context Service")
|
.displayName("SSL Context Service")
|
||||||
|
@ -107,6 +109,14 @@ public class HortonworksSchemaRegistry extends AbstractControllerService impleme
|
||||||
.identifiesControllerService(SSLContextService.class)
|
.identifiesControllerService(SSLContextService.class)
|
||||||
.build();
|
.build();
|
||||||
|
|
||||||
|
static final PropertyDescriptor KERBEROS_CREDENTIALS_SERVICE = new PropertyDescriptor.Builder()
|
||||||
|
.name("kerberos-credentials-service")
|
||||||
|
.displayName("Kerberos Credentials Service")
|
||||||
|
.description("Specifies the Kerberos Credentials Controller Service that should be used for authenticating with Kerberos")
|
||||||
|
.identifiesControllerService(KerberosCredentialsService.class)
|
||||||
|
.required(false)
|
||||||
|
.build();
|
||||||
|
|
||||||
private volatile SchemaRegistryClient schemaRegistryClient;
|
private volatile SchemaRegistryClient schemaRegistryClient;
|
||||||
private volatile boolean initialized;
|
private volatile boolean initialized;
|
||||||
private volatile Map<String, Object> schemaRegistryConfig;
|
private volatile Map<String, Object> schemaRegistryConfig;
|
||||||
|
@ -135,6 +145,24 @@ public class HortonworksSchemaRegistry extends AbstractControllerService impleme
|
||||||
if (!sslProperties.isEmpty()) {
|
if (!sslProperties.isEmpty()) {
|
||||||
schemaRegistryConfig.put(CLIENT_SSL_PROPERTY_PREFIX, sslProperties);
|
schemaRegistryConfig.put(CLIENT_SSL_PROPERTY_PREFIX, sslProperties);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
final KerberosCredentialsService kerberosCredentialsService = context.getProperty(KERBEROS_CREDENTIALS_SERVICE)
|
||||||
|
.asControllerService(KerberosCredentialsService.class);
|
||||||
|
if (kerberosCredentialsService != null) {
|
||||||
|
final String principal = kerberosCredentialsService.getPrincipal();
|
||||||
|
final String keytab = kerberosCredentialsService.getKeytab();
|
||||||
|
final String jaasConfigString = getJaasConfig(principal, keytab);
|
||||||
|
schemaRegistryConfig.put(SchemaRegistryClient.Configuration.SASL_JAAS_CONFIG.name(), jaasConfigString);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
private String getJaasConfig(final String principal, final String keytab) {
|
||||||
|
return "com.sun.security.auth.module.Krb5LoginModule required "
|
||||||
|
+ "useTicketCache=false "
|
||||||
|
+ "renewTicket=true "
|
||||||
|
+ "useKeyTab=true "
|
||||||
|
+ "keyTab=\"" + keytab + "\" "
|
||||||
|
+ "principal=\"" + principal + "\";";
|
||||||
}
|
}
|
||||||
|
|
||||||
private Map<String, String> buildSslProperties(final ConfigurationContext context) {
|
private Map<String, String> buildSslProperties(final ConfigurationContext context) {
|
||||||
|
@ -176,6 +204,7 @@ public class HortonworksSchemaRegistry extends AbstractControllerService impleme
|
||||||
properties.add(CACHE_SIZE);
|
properties.add(CACHE_SIZE);
|
||||||
properties.add(CACHE_EXPIRATION);
|
properties.add(CACHE_EXPIRATION);
|
||||||
properties.add(SSL_CONTEXT_SERVICE);
|
properties.add(SSL_CONTEXT_SERVICE);
|
||||||
|
properties.add(KERBEROS_CREDENTIALS_SERVICE);
|
||||||
return properties;
|
return properties;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
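Review bot: getJaasConfig, added in the hunk at -135,6 +145,24, places `keytab` and `principal` between double quotes in the JAAS string without escaping or checking them. A value containing `"` or `\` would change how the entry is tokenised, and a null returned by the credentials service would become the literal text `null`. Both values come from the configured KerberosCredentialsService, so this is mainly a hardening and robustness matter, though a keytab path with backslashes is a plausible input. I would pass both values through a small helper that rejects null and escapes `\` and `"`; how the registry client parses SASL_JAAS_CONFIG is not visible on this page, so the escape rules should be confirmed against it. The method that calls getJaasConfig starts outside the hunk.

```java
private String getJaasConfig(final String principal, final String keytab) {
    // … unchanged: Krb5LoginModule module name and boolean options …
            + "keyTab=\"" + escapeJaasValue("keytab", keytab) + "\" "
            + "principal=\"" + escapeJaasValue("principal", principal) + "\";";
}

// Rejects missing values and escapes the two characters that are special inside a quoted JAAS option.
private static String escapeJaasValue(final String optionName, final String value) {
    if (value == null || value.isEmpty()) {
        throw new IllegalArgumentException("Kerberos " + optionName + " must be set");
    }
    return value.replace("\\", "\\\\").replace("\"", "\\\"");
}
```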