Configuring Kerberos for Flume Thrift Source and Sink Using the Command Line

The Thrift source can be configured to start in secure mode by enabling Kerberos authentication. To communicate with a secure Thrift source, the Thrift sink should also be operating in secure mode.

The following tables list the properties that must be configured in the /etc/flume-ng/conf/flume.conf file to enable Kerberos for Flume's Thrift source and sink instances.

Thrift Source Properties

| Property | Description |
|---|---|
| kerberos | Set to true to enable Kerberos authentication. The agent-principal and agent-keytab properties are required for successful authentication. In secure mode, the Thrift source accepts connections only from Thrift sinks that have Kerberos enabled and have successfully authenticated to the KDC. |
| agent-principal | The Kerberos principal used by the Thrift Source to authenticate to the KDC. |
| agent-keytab | The path to the keytab file used by the Thrift Source in combination with the agent-principal to authenticate to the KDC. |

Thrift Sink Properties

| Property | Description |
|---|---|
| kerberos | Set to true to enable Kerberos authentication. In Kerberos mode, client-principal, client-keytab and server-principal are required for successful authentication and communication to a Kerberos-enabled Thrift Source. |
| client-principal | The principal used by the Thrift Sink to authenticate to the Kerberos KDC. |
| client-keytab | The path to the keytab file used by the Thrift Sink in combination with the client-principal to authenticate to the KDC. |
| server-principal | The principal of the Thrift Source to which this Thrift Sink connects. |

Make sure you configure these properties for each Thrift source and sink instance. For example, for agent a1, source r1, and sink k1, you would add the following properties:
# Kerberos properties for Thrift source r1
a1.sources.r1.kerberos=true
a1.sources.r1.agent-principal=<source_principal>
a1.sources.r1.agent-keytab=<path/to/source/keytab>

# Kerberos properties for Thrift sink k1
a1.sinks.k1.kerberos=true
a1.sinks.k1.client-principal=<sink_principal>
a1.sinks.k1.client-keytab=<path/to/sink/keytab>
# server-principal is the principal of the Thrift source, not a keytab path
a1.sinks.k1.server-principal=<source_principal>

Configure these sets of properties for as many instances of the Thrift source and sink as needed to enable Kerberos.
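One way to check a flume.conf for incomplete Kerberos settings before starting the agent, as an added example that is not part of the original documentation. The function names, the sample values, the use of `type = thrift` to identify Thrift components, and the full `primary[/instance]@REALM` principal form are assumptions of this example.

```python
import re

# Required properties per component kind, from the tables on this page.
REQUIRED = {
    "sources": ("agent-principal", "agent-keytab"),
    "sinks": ("client-principal", "client-keytab", "server-principal"),
}
# Assumption: principals are written in full as primary[/instance]@REALM.
PRINCIPAL_RE = re.compile(r"^[^/@\s]+(/[^/@\s]+)?@[^/@\s]+$")

def parse(text):
    """Group '<agent>.<sources|sinks>.<name>.<key> = <value>' lines by component."""
    comps = {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("#") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        parts = key.split(".", 3)
        if len(parts) == 4 and parts[1] in REQUIRED:
            comps.setdefault(tuple(parts[:3]), {})[parts[3]] = value
    return comps

def check(text):
    """Return findings for every Thrift source and sink in flume.conf text."""
    findings = []
    for (agent, kind, name), props in sorted(parse(text).items()):
        if props.get("type", "").lower() != "thrift":
            continue
        ident = f"{agent}.{kind}.{name}"
        if props.get("kerberos", "").lower() != "true":
            findings.append(f"{ident}: kerberos is not enabled")
            continue
        for key in REQUIRED[kind]:
            if not (value := props.get(key)):
                findings.append(f"{ident}: missing {key}")
            elif key.endswith("-principal") and not PRINCIPAL_RE.match(value):
                findings.append(f"{ident}: {key} is not a principal: {value}")
    return findings

# Constructed sample: k1 lacks client-keytab and has a path as server-principal.
SAMPLE = """\
a1.sinks.k1.type = thrift
a1.sinks.k1.kerberos = true
a1.sinks.k1.client-principal = flume/edge.example.com@EXAMPLE.COM
a1.sinks.k1.server-principal = /etc/flume-ng/conf/sink.keytab
a1.sinks.k2.type = thrift
"""
print("\n".join(check(SAMPLE)))
```

The check only inspects the text of the file; it does not confirm that the keytab files exist or that the principals are known to the KDC.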