Nifi 1.5 Untrusted Proxy on cluster

I’ve done my best to follow: https://pierrevillard.com/2016/11/29/apache-nifi-1-1-0-secured-cluster-setup/

I’m running nifi-1.5.0 and when I go to each of the pages I see an error like: Untrusted proxy CN=nifi-{1-3}.east.companyname.com, OU=NIFI.

I’m using ldap authentication, and just accepting the “invalid” certificate.

I’ve used an unrelated key-server to generate the keystore/truststore/certs as per the link above.

I also have nifi.security.needClientAuth=true and nifi.cluster.protocol.is.secure=true set in the nifi.properties files on all of my nodes.

My authorizers file includes entries for all of the nodes like:

<property name="Node Identity 1">CN=nifi-1.east.companyname.com, OU=NIFI</property>
<property name="Node Identity 2">CN=nifi-2.east.companyname.com, OU=NIFI</property>
<property name="Node Identity 3">CN=nifi-3.east.companyname.com, OU=NIFI</property>

Thanks in advance!


Answer

I would recommend configuring your authorizer in authorizers.xml to use a CompositeConfigurableUserGroupProvider that has two user group providers:

  1. file-user-group-provider: this will be used to store the identities (certificate DNs) of your cluster nodes
  2. ldap-user-group-provider: for your end users, that will be proxied when the cluster is replicating requests

Configure both of these UserGroupProviders, then configure the CompositeConfigurableUserGroupProvider to use the file-user-group-provider as the “Configurable Provider” and the ldap-user-group-provider as “User Group Provider 1”. Here is an example:

<authorizers>

    <userGroupProvider>
        <identifier>file-user-group-provider</identifier>
        <class>org.apache.nifi.authorization.FileUserGroupProvider</class>
        <property name="Users File">./conf/users.xml</property>
        <property name="Legacy Authorized Users File"></property>

        <property name="Initial User Identity 1">CN=nifi-1.east.companyname.com, OU=NIFI</property>
        <property name="Initial User Identity 2">CN=nifi-2.east.companyname.com, OU=NIFI</property>
        <property name="Initial User Identity 3">CN=nifi-3.east.companyname.com, OU=NIFI</property>
    </userGroupProvider>

    <userGroupProvider>
        <identifier>ldap-user-group-provider</identifier>
        <class>org.apache.nifi.ldap.tenants.LdapUserGroupProvider</class>
        <!-- ... configure this to match the settings in login-identity-providers.xml ... -->
    </userGroupProvider>

    <userGroupProvider>
        <identifier>composite-configurable-user-group-provider</identifier>
        <class>org.apache.nifi.authorization.CompositeConfigurableUserGroupProvider</class>
        <property name="Configurable User Group Provider">file-user-group-provider</property>
        <property name="User Group Provider 1">ldap-user-group-provider</property>
    </userGroupProvider>

    <accessPolicyProvider>
        <identifier>file-access-policy-provider</identifier>
        <class>org.apache.nifi.authorization.FileAccessPolicyProvider</class>
        <property name="User Group Provider">composite-configurable-user-group-provider</property>
        <property name="Authorizations File">./conf/authorizations.xml</property>
        <property name="Initial Admin Identity"></property>
        <property name="Legacy Authorized Users File"></property>

        <property name="Node Identity 1">CN=nifi-1.east.companyname.com, OU=NIFI</property>
        <property name="Node Identity 2">CN=nifi-2.east.companyname.com, OU=NIFI</property>
        <property name="Node Identity 3">CN=nifi-3.east.companyname.com, OU=NIFI</property>
    </accessPolicyProvider>

    <authorizer>
        <identifier>managed-authorizer</identifier>
        <class>org.apache.nifi.authorization.StandardManagedAuthorizer</class>
        <property name="Access Policy Provider">file-access-policy-provider</property>
    </authorizer>

</authorizers>

Configure this on each node, then remove users.xml and authorizations.xml and restart NiFi on each node. (This is necessary to create the users.xml and authorizations.xml with your node identities set up to act as proxies, which will not happen if users.xml and authorizations.xml exist with data.) If done correctly, each node should allow the clustered nodes to authenticate using the client certificate (from their keystore.jks) and each node will be authorized to act as a proxy, meaning that when an end-user is talking to one cluster, that interaction will be replicated to all nodes in the cluster, which is what you want.

You should be able to set nifi.security.needClientAuth=false. Certificate-based authentication will still work, it just won’t be required (i.e., for the initial communication from an end-user to a node, LDAP credentials will be enough).

Hope this helps!

Reference: NiFi Admin Guide
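As an added check (not code from the question, the answer, or the NiFi project), the Python script below parses an authorizers.xml and reports the slips that most often leave a node stuck on "Untrusted proxy": a property name repeated inside one provider (so one node identity is dropped), a provider reference that resolves to no defined identifier, and a Node Identity DN with no byte-identical Initial User Identity. The embedded sample configuration is constructed for the demonstration and reuses the question's placeholder hostnames; it contains two deliberate mistakes so the checks have something to find. The near-miss hint assumes NiFi compares identity strings exactly unless identity mapping patterns are configured.

```python
"""Check a NiFi authorizers.xml for the configuration slips that leave a cluster
node showing "Untrusted proxy": duplicate property names, provider references
that do not resolve, and Node Identity DNs without a matching user identity."""
import sys
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample (hypothetical cluster, not a real config): it contains two
# deliberate mistakes, a repeated "Initial User Identity 1" and a nifi-3 user DN
# whose spacing differs from the corresponding Node Identity DN.
SAMPLE_AUTHORIZERS_XML = """<authorizers>
    <userGroupProvider>
        <identifier>file-user-group-provider</identifier>
        <class>org.apache.nifi.authorization.FileUserGroupProvider</class>
        <property name="Users File">./conf/users.xml</property>
        <property name="Initial User Identity 1">CN=nifi-1.east.companyname.com, OU=NIFI</property>
        <property name="Initial User Identity 1">CN=nifi-2.east.companyname.com, OU=NIFI</property>
        <property name="Initial User Identity 3">CN=nifi-3.east.companyname.com,OU=NIFI</property>
    </userGroupProvider>
    <userGroupProvider>
        <identifier>ldap-user-group-provider</identifier>
        <class>org.apache.nifi.ldap.tenants.LdapUserGroupProvider</class>
    </userGroupProvider>
    <userGroupProvider>
        <identifier>composite-configurable-user-group-provider</identifier>
        <class>org.apache.nifi.authorization.CompositeConfigurableUserGroupProvider</class>
        <property name="Configurable User Group Provider">file-user-group-provider</property>
        <property name="User Group Provider 1">ldap-user-group-provider</property>
    </userGroupProvider>
    <accessPolicyProvider>
        <identifier>file-access-policy-provider</identifier>
        <class>org.apache.nifi.authorization.FileAccessPolicyProvider</class>
        <property name="User Group Provider">composite-configurable-user-group-provider</property>
        <property name="Authorizations File">./conf/authorizations.xml</property>
        <property name="Node Identity 1">CN=nifi-1.east.companyname.com, OU=NIFI</property>
        <property name="Node Identity 2">CN=nifi-2.east.companyname.com, OU=NIFI</property>
        <property name="Node Identity 3">CN=nifi-3.east.companyname.com, OU=NIFI</property>
    </accessPolicyProvider>
</authorizers>
"""

# Property names whose value must be the identifier of another provider in the same file.
REFERENCE_PREFIXES = ("Configurable User Group Provider", "User Group Provider", "Access Policy Provider")


def _props(element):
    """All <property> children of a provider element as (name, value) pairs, in file order."""
    return [(p.get("name", ""), (p.text or "").strip()) for p in element.findall("property")]


def _loose(dn):
    """Case- and spacing-insensitive form of a DN, used only to point out near-misses.
    Assumption: NiFi matches identities as exact strings unless identity mapping is configured."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def check_authorizers(xml_text):
    """Return a list of findings (strings); an empty list means every check passed."""
    root = ET.fromstring(xml_text)
    providers = {e.findtext("identifier"): e for e in root if e.findtext("identifier")}
    findings = []

    # 1. A property name repeated inside one provider: properties are keyed by name,
    #    so one of the duplicated node identities is silently lost.
    for ident, elem in providers.items():
        for name, count in Counter(n for n, _ in _props(elem)).items():
            if count > 1:
                findings.append(f"{ident}: property '{name}' appears {count} times")

    # 2. Every provider reference must point at an identifier defined in this file.
    for ident, elem in providers.items():
        for name, value in _props(elem):
            if name.startswith(REFERENCE_PREFIXES) and value not in providers:
                findings.append(f"{ident}: '{name}' refers to undefined provider '{value}'")

    # 3. Each Node Identity must also be a user; otherwise the node's certificate
    #    authenticates, but the node is unknown and can never be granted proxy rights.
    user_ids = [v for e in providers.values() for n, v in _props(e) if n.startswith("Initial User Identity")]
    node_ids = [v for e in providers.values() for n, v in _props(e) if n.startswith("Node Identity")]
    for node in node_ids:
        if node in user_ids:
            continue
        near = [u for u in user_ids if _loose(u) == _loose(node)]
        if near:
            findings.append(f"node identity '{node}' matches user '{near[0]}' only loosely; identities must be byte-identical")
        else:
            findings.append(f"node identity '{node}' has no matching Initial User Identity")
    return findings


if __name__ == "__main__":
    # Usage: python check_authorizers.py [path/to/authorizers.xml]; without a path the sample is checked.
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_AUTHORIZERS_XML
    for line in check_authorizers(text) or ["no findings"]:
        print(line)
```

Run it against the authorizers.xml on each node before deleting users.xml and authorizations.xml and restarting; a clean run means the node DNs that NiFi will write into users.xml on first start are exactly the ones the access policy provider will grant proxy rights to. The whitespace check matters because the DN NiFi extracts from the node certificate is compared as a plain string, so "CN=x,OU=NIFI" and "CN=x, OU=NIFI" are two different identities.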

User contributions licensed under: CC BY-SA