Details
Type: Improvement
Status: In Progress
Priority: Major
Resolution: Unresolved
Description
Previously we introduced the KerberosCredentialsService as a mechanism to protect access to keytabs. The interface for this service was specific to keytabs and therefore couldn't be reused when introducing password-based Kerberos. It would also be nice to support ticket-cache based login, but we'd have to introduce yet another service for this.
Almost every processor that does Kerberos authentication already utilizes the KerberosUser related classes from nifi-commons, and there are implementations for keytab, password, and ticket cache logins. We introduce a new service API that returns an instance of KerberosUser, with corresponding implementations for keytab, password, and ticket cache.
This new service API would replace the existing KerberosCredentialsService, which could be marked for removal on a major release. In addition, we would be able to remove all of the inline properties for principal, keytab, and password from any processors/services, and solely rely on instances of the new KerberosUserService.
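A sketch of the shape described above, as an added example that is not NiFi's own code: `KerberosUserService`, `KerberosUser` and the factory names here are simplified, hypothetical stand-ins, and the three login styles are expressed as JAAS `Krb5LoginModule` options. The consumer calls only `createKerberosUser()` and never handles keytab, password, or ticket cache properties itself.

```java
import java.util.Map;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
public class KerberosUserServiceDemo {
    static KerberosUserService keytab(String principal, String keytabPath) {
        return () -> new KerberosUser(principal, null, Map.of("principal", principal,
                "useKeyTab", "true", "keyTab", keytabPath, "storeKey", "true", "doNotPrompt", "true"));
    }
    static KerberosUserService password(String principal, char[] password) { // secret goes via callback, not options
        return () -> new KerberosUser(principal, password, Map.of("principal", principal, "storeKey", "true"));
    }
    static KerberosUserService ticketCache(String principal, String cachePath) {
        return () -> new KerberosUser(principal, null, Map.of("principal", principal,
                "useTicketCache", "true", "ticketCache", cachePath, "doNotPrompt", "true"));
    }
    public static void main(String[] args) { // constructed values; login() is not called, so no KDC is contacted
        for (KerberosUserService service : new KerberosUserService[] {
                keytab("nifi@EXAMPLE.COM", "/path/to/nifi.keytab"),
                password("nifi@EXAMPLE.COM", "constructed-secret".toCharArray()),
                ticketCache("nifi@EXAMPLE.COM", "/tmp/krb5cc_constructed") }) {
            KerberosUser user = service.createKerberosUser(); // the only call a consumer makes
            System.out.println(user.principal + " " + user.entry.getOptions());
        }
    }
}
interface KerberosUserService { KerberosUser createKerberosUser(); } // hypothetical service API
final class KerberosUser { // simplified, hypothetical stand-in for the nifi-commons KerberosUser classes
    final String principal; final AppConfigurationEntry entry; private final char[] password;
    KerberosUser(String principal, char[] password, Map<String, String> options) {
        this.principal = principal; this.password = password;
        this.entry = new AppConfigurationEntry("com.sun.security.auth.module.Krb5LoginModule",
                AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, options);
    }
    LoginContext login() throws LoginException {
        Configuration config = new Configuration() {
            @Override public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                return new AppConfigurationEntry[] { entry };
            }
        };
        CallbackHandler handler = callbacks -> {
            for (Callback cb : callbacks) {
                if (!(cb instanceof PasswordCallback) || password == null) throw new UnsupportedCallbackException(cb);
                ((PasswordCallback) cb).setPassword(password);
            }
        };
        LoginContext context = new LoginContext("KerberosUser", null, handler, config);
        context.login();
        return context;
    }
}
```

Running it prints the principal and the JAAS options for each login style; the password never appears because it is held outside the option map and supplied only through the callback.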