NIFI-14059 - add properties needed to use Kafka authentication mechan… #9607

Open
wants to merge 2 commits into
base: main

greyp9
Contributor

@greyp9 greyp9 commented Dec 31, 2024

…ism SASL_SSL

Tested using Docker kerberos/kafka images and property "SELF_CONTAINED_KERBEROS_USER_SERVICE", but also speculatively adding property "KERBEROS_CREDENTIALS_SERVICE" from deprecated implementation.

As a running kerberos instance is needed to test this, I did not implement an IT, but I'm open to alternate means of providing test coverage of the changes.

Summary

NIFI-14059

Tracking

Please complete the following tracking steps prior to pull request creation.

Issue Tracking

Pull Request Tracking

  • Pull Request title starts with Apache NiFi Jira issue number, such as NIFI-00000
  • Pull Request commit message starts with Apache NiFi Jira issue number, as such NIFI-00000

Pull Request Formatting

  • Pull Request based on current revision of the main branch
  • Pull Request refers to a feature branch with one commit containing changes

Verification

Please indicate the verification steps performed prior to pull request creation.

Build

  • Build completed using mvn clean install -P contrib-check
    • JDK 21

Licensing

  • New dependencies are compatible with the Apache License 2.0 according to the License Policy
  • New dependencies are documented in applicable LICENSE and NOTICE files

Documentation

  • Documentation formatting appears as expected in rendered files

.description("Service supporting generalized credentials authentication with Kerberos")
.identifiesControllerService(KerberosUserService.class)
.required(false)
.build();
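Review bot: at `.identifiesControllerService(KerberosUserService.class)` the property accepts any implementation of the general interface, yet the `.description(...)` text only says "generalized credentials authentication" and, with `.required(false)`, gives no hint of when the property must be set or what happens when it is left unset. Suggest stating in the description which configurations need this service, and adding a validation test that covers the unset case.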
Contributor

It has been a while since I worked on this, but I am not sure the Kafka processors can use the regular KerberosUserService because they expect to get the JAAS config string from the service and give it to the Kafka client which does the actual login, and this won't work for some of the implementations of KerberosUserService, this was the reason for limiting it to the SelfContainedKerberosUserService, see comment here:

https://github.com/apache/nifi/blob/main/nifi-extension-bundles/nifi-standard-services/nifi-kerberos-user-service-api/src/main/java/org/apache/nifi/kerberos/SelfContainedKerberosUserService.java#L20-L25

Contributor Author

Thanks for confirming. All this lines up perfectly with my observations. I didn't try KERBEROS_CREDENTIALS_SERVICE; I'll remove it. I was able to get things working with KERBEROS_USER_SERVICE, which referenced SelfContainedKerberosUserService, by adding the custom property sasl.jaas.config as described in this Confluent documentation:

https://docs.confluent.io/platform/7.3/kafka/authentication_sasl/authentication_sasl_gssapi.html#kafka-sasl-auth-gssapi

Also assuming that KERBEROS_SERVICE_NAME is needed, as it would seem that NiFi would need a means to convey which service it wants to authenticate to.

@greyp9 greyp9 requested a review from bbende January 3, 2025 15:03
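
The Kafka client settings this thread discusses (SASL_SSL with GSSAPI, a Kerberos service name, and a `sasl.jaas.config` string the Kafka client uses to perform the login itself), as an added example that is not code from this pull request or from NiFi. The class and method names, broker address, principal and keytab path are constructed for illustration.

```java
import java.util.Properties;

public class KafkaGssapiClientConfig {

    // JAAS option values are double-quoted; escape backslashes and quotes so a
    // path or principal cannot break out of the quoted value.
    static String jaasQuote(String value) {
        return "\"" + value.replace("\\", "\\\\").replace("\"", "\\\"") + "\"";
    }

    // The single-line JAAS entry the Kafka client reads from sasl.jaas.config.
    // The keytab is a credential: keep it readable only by the client's account.
    static String jaasConfig(String principal, String keytabPath) {
        return "com.sun.security.auth.module.Krb5LoginModule required"
                + " useKeyTab=true storeKey=true"
                + " keyTab=" + jaasQuote(keytabPath)
                + " principal=" + jaasQuote(principal) + ";";
    }

    static Properties clientProperties(String bootstrap, String serviceName,
                                       String principal, String keytabPath) {
        // The JAAS entry above carries no serviceName option, so the broker's
        // Kerberos service name has to come from the Kafka property instead.
        if (serviceName == null || serviceName.isBlank()) {
            throw new IllegalArgumentException(
                    "sasl.kerberos.service.name must be set for GSSAPI");
        }
        Properties p = new Properties();
        p.setProperty("bootstrap.servers", bootstrap);
        p.setProperty("security.protocol", "SASL_SSL");   // SASL over TLS
        p.setProperty("sasl.mechanism", "GSSAPI");        // Kerberos
        p.setProperty("sasl.kerberos.service.name", serviceName);
        p.setProperty("sasl.jaas.config", jaasConfig(principal, keytabPath));
        return p;
    }

    public static void main(String[] args) {
        // Constructed sample values, not taken from the pull request.
        Properties p = clientProperties("broker.example.test:9093", "kafka",
                "nifi@EXAMPLE.TEST", "/etc/security/keytabs/nifi.keytab");
        p.forEach((k, v) -> System.out.println(k + "=" + v));
    }
}
```

With `SASL_SSL` the broker certificate must also be trusted by the client, through the JVM default trust store or the client's `ssl.truststore.location` setting.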