Configuring Kerberos for Flume Thrift Source and Sink Using the Command Line
The Thrift source can be configured to start in secure mode by enabling Kerberos authentication. To communicate with a secure Thrift source, the Thrift sink should also be operating in secure mode.
The following tables list the properties that must be configured in the /etc/flume-ng/conf/flume.conf file to enable Kerberos for Flume's Thrift source and sink instances.
|kerberos||Set to true to enable Kerberos authentication. The agent-principal and agent-keytab properties are required for successful authentication. The Thrift source in secure mode, will accept connections only from Thrift sinks that have Kerberos-enabled and are successfully authenticated to the KDC.|
|agent-principal||The Kerberos principal used by the Thrift Source to authenticate to the KDC.|
|agent-keytab||The path to the keytab file used by the Thrift Source in combination with the agent-principal to authenticate to the KDC.|
|kerberos||Set to true to enable Kerberos authentication. In Kerberos mode, client-principal, client-keytab and server-principal are required for successful authentication and communication to a Kerberos enabled Thrift Source.|
|client-principal||The principal used by the Thrift Sink to authenticate to the Kerberos KDC.|
|client-keytab||The path to the keytab file used by the Thrift Sink in combination with the client-principal to authenticate to the KDC.|
|server-principal||The principal of the Thrift Source to which this Thrift Sink connects.|
# Kerberos properties for Thrift source s1 a1.sources.r1.kerberos=true a1.sources.r1.agent-principal=<source_principal> a1.sources.r1.agent-keytab=<path/to/source/keytab> # Kerberos properties for Thrift sink k1 a1.sinks.k1.kerberos=true a1.sinks.k1.client-principal=<sink_principal> a1.sinks.k1.client-keytab=<path/to/sink/keytab> a1.sinks.k1.server-principal=<path/to/source/keytab>Configure these sets of properties for as many instances of the Thrift source and sink as needed to enable Kerberos.