Update - 2018-04-15

  • On April 8, 2018, Apache NiFi 1.6.0 was released. This release includes features that improve Kerberos keytab handling.

Update - 2018-03-10

Overview

Apache NiFi is “an easy to use, powerful, and reliable system to process and distribute data.” NiFi supports multitenancy, where different users share a single NiFi instance. Restricted components are a NiFi feature that tries to identify dangerous components so that they can be given separate authorization policies.

NiFi Multitenancy and Kerberos Keytabs

Kerberos keytabs are just like passwords in that they need to be protected at all costs. Typically, file system permissions are used to secure keytabs and prevent unauthorized access. Since NiFi runs in a single JVM as a single process, a single OS user (typically nifi) runs the whole NiFi instance.

Multitenant NiFi can be dangerous since keytabs are not protected from users of the NiFi instance. Any keytab on the NiFi host that is accessible by the OS user running NiFi can also be accessed by the users of NiFi. Even though the contents of the keytab will not be readable, there are components that can use the keytabs.

The components that use keytabs are not all restricted components. This means that there is no way to prevent users from using components that use keytabs. If authorization policies are set up that allow the principal/keytab pair to access resources that the NiFi user would not otherwise have access to, this could be an issue.

In many cases there is a non-keytab replacement for the component that uses keytabs. The username/password properties in NiFi are not shared between users. Using those replacements would provide the ability to securely use NiFi in a multitenant environment.
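One way to audit an existing flow for this exposure, as an added example that is not part of the original post or of NiFi itself: it lists every component with a keytab property set and marks the ones that do not appear in the restricted list at the end of this page. The sample flow is constructed, and the element layout and the rule of matching any property name containing "keytab" are assumptions modelled on a NiFi 1.x flow.xml.

```python
import xml.etree.ElementTree as ET

# Restricted component names, copied from the list on this page.
RESTRICTED = set("""
DeleteHDFS DeprecatedProcessor ExecuteFlumeSink ExecuteFlumeSource ExecuteGroovyScript
ExecuteProcess ExecuteScript ExecuteStreamCommand FetchFile FetchHDFS FetchParquet
FullyDocumentedControllerService FullyDocumentedProcessor FullyDocumentedReportingTask
GetFile GetHDFS InvokeScriptedProcessor PutFile PutHDFS PutParquet RestrictedProcessor
ScriptedLookupService ScriptedReader ScriptedRecordSetWriter ScriptedReportingTask
SiteToSiteBulletinReportingTask SiteToSiteProvenanceReportingTask TailFile
""".split())

# Constructed sample; the element layout is an assumption modelled on a NiFi 1.x flow.xml.
SAMPLE_FLOW = """<flowController><rootGroup>
 <processor><name>Land files</name><class>org.apache.nifi.processors.hadoop.PutHDFS</class>
  <property><name>Kerberos Keytab</name><value>/etc/security/keytabs/etl.keytab</value></property>
 </processor>
 <processor><name>List landing dir</name><class>org.apache.nifi.processors.hadoop.ListHDFS</class>
  <property><name>Kerberos Keytab</name><value>/etc/security/keytabs/hdfs.keytab</value></property>
 </processor>
 <processor><name>Read local</name><class>org.apache.nifi.processors.standard.GetFile</class>
  <property><name>Input Directory</name><value>/data/in</value></property>
 </processor>
 <controllerService><name>HBase</name><class>org.apache.nifi.hbase.HBase_1_1_2_ClientService</class>
  <property><name>Kerberos Keytab</name><value>/etc/security/keytabs/hbase.keytab</value></property>
 </controllerService>
 <processor><name>Unset</name><class>org.apache.nifi.processors.hadoop.ListHDFS</class>
  <property><name>Kerberos Keytab</name></property>
 </processor>
</rootGroup></flowController>"""

COMPONENT_TAGS = {"processor", "controllerService", "reportingTask"}

def keytab_users(flow_xml):
    """Return (class, component name, keytab path, is_restricted) per configured keytab."""
    findings = []
    for comp in ET.fromstring(flow_xml).iter():
        if comp.tag not in COMPONENT_TAGS:
            continue
        cls = (comp.findtext("class") or "").rsplit(".", 1)[-1]
        for prop in comp.findall("property"):
            name = (prop.findtext("name") or "").lower()
            path = (prop.findtext("value") or "").strip()
            if "keytab" in name and path:  # property is set and names a keytab
                findings.append((cls, comp.findtext("name"), path, cls in RESTRICTED))
    return findings

def unrestricted_keytab_users(flow_xml):
    """Keytab users that restricted-component policies cannot gate."""
    return [f for f in keytab_users(flow_xml) if not f[3]]

if __name__ == "__main__":
    for cls, name, path, restricted in keytab_users(SAMPLE_FLOW):
        print(f"{'restricted' if restricted else 'UNRESTRICTED':12} {cls:28} {name!r} -> {path}")
```

To run it against a real instance, pass the decompressed contents of the instance's flow.xml.gz to `keytab_users` in place of `SAMPLE_FLOW`.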

References

List of NiFi Restricted Components

nifi git:(master) git grep '@Restricted(' | cut -d':' -f1 | rev | cut -d'/' -f1 | rev | cut -d'.' -f1 | sort -u
DeleteHDFS
DeprecatedProcessor
ExecuteFlumeSink
ExecuteFlumeSource
ExecuteGroovyScript
ExecuteProcess
ExecuteScript
ExecuteStreamCommand
FetchFile
FetchHDFS
FetchParquet
FullyDocumentedControllerService
FullyDocumentedProcessor
FullyDocumentedReportingTask
GetFile
GetHDFS
InvokeScriptedProcessor
PutFile
PutHDFS
PutParquet
RestrictedProcessor
ScriptedLookupService
ScriptedReader
ScriptedRecordSetWriter
ScriptedReportingTask
SiteToSiteBulletinReportingTask
SiteToSiteProvenanceReportingTask
TailFile