Configuring Kerberos for Flume Thrift Source and Sink Using the Command Line
The Thrift source can be configured to start in secure mode by enabling Kerberos authentication. To communicate with a secure Thrift source, the Thrift sink should also be operating in secure mode.
The following tables list the properties that must be configured in the /etc/flume-ng/conf/flume.conf file to enable Kerberos for Flume's Thrift source and sink instances.
Thrift source properties:

Property | Description |
---|---|
kerberos | Set to true to enable Kerberos authentication. The agent-principal and agent-keytab properties are required for successful authentication. In secure mode, the Thrift source accepts connections only from Thrift sinks that have Kerberos enabled and have successfully authenticated to the KDC. |
agent-principal | The Kerberos principal used by the Thrift Source to authenticate to the KDC. |
agent-keytab | The path to the keytab file used by the Thrift Source in combination with the agent-principal to authenticate to the KDC. |

Thrift sink properties:

Property | Description |
---|---|
kerberos | Set to true to enable Kerberos authentication. In Kerberos mode, client-principal, client-keytab, and server-principal are required for successful authentication and communication with a Kerberos-enabled Thrift Source. |
client-principal | The principal used by the Thrift Sink to authenticate to the Kerberos KDC. |
client-keytab | The path to the keytab file used by the Thrift Sink in combination with the client-principal to authenticate to the KDC. |
server-principal | The principal of the Thrift Source to which this Thrift Sink connects. |

Make sure you configure these properties for each Thrift source and sink instance. For example, for agent a1, source r1, and sink k1, you would add the following properties:

```
# Kerberos properties for Thrift source r1
a1.sources.r1.kerberos=true
a1.sources.r1.agent-principal=<source_principal>
a1.sources.r1.agent-keytab=<path/to/source/keytab>

# Kerberos properties for Thrift sink k1
a1.sinks.k1.kerberos=true
a1.sinks.k1.client-principal=<sink_principal>
a1.sinks.k1.client-keytab=<path/to/sink/keytab>
# server-principal is the principal of the Thrift source, not a keytab path
a1.sinks.k1.server-principal=<source_principal>
```

Configure these sets of properties for as many instances of the Thrift source and sink as needed to enable Kerberos.
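
A check for the properties in the tables above, as an added example that is not part of the original page or of Flume itself: it reads flume.conf text and reports Thrift sources and sinks whose Kerberos settings are missing or incomplete. It assumes components are declared with `type = thrift`; the sample configuration, host names and realm are constructed.

```python
import re

# Required Kerberos properties per component kind, from the tables above.
REQUIRED = {
    "sources": ("agent-principal", "agent-keytab"),
    "sinks": ("client-principal", "client-keytab", "server-principal"),
}
PROP = re.compile(r"^\s*([\w-]+)\.(sources|sinks)\.([\w-]+)\.([\w.-]+)\s*=\s*(.*?)\s*$")

# Constructed sample; host names and realm are placeholders.
SAMPLE = """\
a1.sources = r1
a1.sinks = k1 k2
a1.sources.r1.type = thrift
a1.sources.r1.kerberos = true
a1.sources.r1.agent-principal = flume/src.example.com@EXAMPLE.COM
a1.sinks.k1.type = thrift
a1.sinks.k1.kerberos = true
a1.sinks.k1.client-principal = flume/sink.example.com@EXAMPLE.COM
a1.sinks.k1.client-keytab = /etc/flume-ng/conf/sink.keytab
a1.sinks.k1.server-principal = /etc/flume-ng/conf/source.keytab
a1.sinks.k2.type = thrift
"""

def check_thrift_kerberos(conf_text):
    """Return findings for Thrift sources/sinks with absent or incomplete Kerberos settings."""
    comps = {}
    for line in conf_text.splitlines():
        m = None if line.lstrip().startswith("#") else PROP.match(line)
        if m:
            agent, kind, name, prop, value = m.groups()
            comps.setdefault((agent, kind, name), {})[prop] = value
    findings = []
    for (agent, kind, name), props in sorted(comps.items()):
        if props.get("type") != "thrift":
            continue  # only Thrift components take these properties
        prefix = f"{agent}.{kind}.{name}"
        if props.get("kerberos", "").lower() != "true":
            findings.append(f"{prefix}: kerberos is not enabled")
            continue
        findings += [f"{prefix}: missing {p}" for p in REQUIRED[kind] if not props.get(p)]
        sp = props.get("server-principal", "")
        if sp.startswith("/") or sp.endswith(".keytab"):
            findings.append(f"{prefix}: server-principal looks like a file path")
    return findings

if __name__ == "__main__":
    for finding in check_thrift_kerberos(SAMPLE):
        print(finding)
```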