nifi-users mailing list archives

From "Nathamuni, Ramanujam"
Subject RE: Can we configure NiFi to run execute process with specific Kerberos Principal?
Date Mon, 24 Oct 2016 16:37:32 GMT
I did this stuff with SAS and OBIEE, a little outside of the application configuration.

1.)    On the NiFi server and clusters - modify /etc/krb5.conf to match your Kerberos-enabled Hadoop cluster (you can change this location using the Kerberos configuration variables)

2.)    Get the keytab file for users who have access to the Hadoop cluster - usually provided to you by the KDC admin or Hadoop admin

3.)    Transfer the keytab to all NiFi cluster nodes

4.)    Get the ticket as root user (kinit -kt <Keytab_file_name> principal_name) - you can use klist -kt <Keytab> to find out the principal name - you can automate this using root crontab or using other schedulers but it needs to be available for
5.)    Test it out  - klist

6.)    Now test it out from NiFi
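The keytab steps above, written as a wrapper that NiFi's ExecuteProcess could call in place of the script itself; this is an added example, not part of the original e-mail, and it goes one step beyond the cron approach by requesting a ticket on demand when none is valid. The keytab path, principal and cache path are placeholders, and `klist -s` / `kinit -kt` are the MIT Kerberos client commands.

```shell
#!/bin/sh
# Added example (not from the thread). All three values below are
# placeholders: set them for your own cluster.
KEYTAB="${KEYTAB:-/etc/security/keytabs/nifi.keytab}"        # hypothetical path
PRINCIPAL="${PRINCIPAL:-nifi/host.example.com@EXAMPLE.COM}"  # hypothetical principal
KRB5CCNAME="${KRB5CCNAME:-FILE:/tmp/krb5cc_nifi_exec}"       # dedicated cache, not root's default
export KRB5CCNAME

# A keytab is a long-lived password equivalent: refuse one that the
# group or other users can read, write or execute.
keytab_is_private() {
    [ -f "$1" ] || return 1
    perms=$(ls -ld "$1" | cut -c5-10)   # group + other permission bits
    [ "$perms" = "------" ]
}

# Make sure an unexpired TGT is in the cache; fetch one from the keytab if not.
ensure_ticket() {
    if klist -s 2>/dev/null; then       # exit 0 = valid ticket already cached
        return 0
    fi
    keytab_is_private "$KEYTAB" || {
        echo "keytab missing or too permissive: $KEYTAB" >&2
        return 2
    }
    kinit -kt "$KEYTAB" "$PRINCIPAL" || {
        echo "kinit failed for $PRINCIPAL" >&2
        return 3
    }
}

# Obtain the ticket, then run the real command (for example the sqoop script).
run_with_ticket() {
    ensure_ticket || return $?
    "$@"
}

# Stand-alone use: wrapper.sh /path/to/script.sh [args...]
if [ "$#" -gt 0 ]; then
    run_with_ticket "$@"
fi
```

Exit codes 2 and 3 separate a keytab problem from a KDC or principal problem, so a failure surfaced by NiFi points at the right fix.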

From: Bryan Bende
Sent: Monday, October 24, 2016 12:00 PM
Cc: Joe Zaher (jzaher); Shrilesh Naik (shrnaik)
Subject: Re: Can we configure NiFi to run execute process with specific Kerberos Principal?

Hi Ravi,

I'm not very familiar with Sqoop, but from quickly reading their documentation and some other
forums/blogs, it seems like the script that NiFi is calling should be doing something like
the following:

<SQOOP2 DIRECTORY>/bin/ client

I would think however you execute the script successfully outside of NiFi would be the same
with NiFi, meaning that NiFi is just calling a shell script and shouldn't really need to know
that Kerberos is involved.


On Mon, Oct 24, 2016 at 11:22 AM, Ravi Papisetti (rpapiset)

We are planning to use "ExecuteProcess" to run a sqoop script wrapped by shell. As part of
this we want NiFi to use its service principal in secure mode while submitting/executing the
script. Otherwise the sqoop script fails to execute saying "Caused by GSSException: No valid
credentials provided (Mechanism level: Failed to find any Kerberos tgt)", because it is submitted
by the NiFi service user (root) that doesn't have any Kerberos user principal.

Are there any configuration options in NiFi to overcome this issue?

Our use case is very similar to what is posted here:


Ravi Papisetti

Technical Leader

Services Technology Incubation Center

Phone: +1 512 340 3377

