Community Articles

Find and share helpful community-sourced technical articles.
Labels (1)
avatar
Guru

Objective

This tutorial walks you through how to install and secure a NiFi Registry using client certificates. A quick example of modifying user privileges in the Registry is also included.

A video version of this tutorial can be seen here: https://youtu.be/qD03ao3R-a4

Note: To learn the basics of setting up an unsecured Registry and integrating with Apache NiFi see the HCC article Versioned DataFlows with Apache NiFi 1.5 and Apache NiFi Registry 0.1.0.

Environment

This tutorial was tested using the following environment and components:

  • Mac OS X 10.11.6
  • Apache NiFi Registry 0.1.0
  • Apache NiFi Toolkit 1.5.0

Secure NiFi Registry Configuration

Download & Extract Tarballs

Download the tarball for the 0.1.0 Registry release:

nifi-registry-0.1.0-bin.tar.gz

and the tarball for the 1.5.0 NiFi Toolkit:

nifi-toolkit-1.5.0-bin.tar.gz

Extract the tars:

 tar xzvf nifi-registry-0.1.0-bin.tar.gz
 tar xzvf nifi-toolkit-1.5.0-bin.tar.gz

Generate Configuration and Certificate Files

We will use the Apache NiFi TLS Toolkit to generate the necessary keystore, truststore, and client certificates. In this tutorial, we will create certs for two users: "sys_admin" and "test_user". The user “sys_admin” will have full access to the registry while “test_user” will be configured to have targeted access in the registry.

In the directory of your NiFi Toolkit install, run the following command:

 ./bin/tls-toolkit.sh standalone -n "localhost" -C "CN=sys_admin, OU=NIFI" -o target

Note: To see the usage information for the TLS Toolkit, run: ./bin/tls-toolkit.sh standalone -h.

TLS Toolkit generates the following in the target directory:

CN=sys_admin_OU=NIFI.p12
CN=sys_admin_OU=NIFI.p12.password
localhost
nifi-cert.pem
nifi-key.key

The localhost directory contains:

keystore.jks
nifi.properties
truststore.jks

Registry Configuration

Copy the keystore and trustore to the conf directory of your Registry install.

Copy the values of the keystore and truststore properties from the nifi.properties file:

 nifi.security.keystore=./conf/keystore.jks
 nifi.security.keystoreType=jks
 nifi.security.keystorePasswd=taceJshGdkyBRy4B7mwaSnM3AkbN7ffewjn3nVIGidw
 nifi.security.keyPasswd=taceJshGdkyBRy4B7mwaSnM3AkbN7ffewjn3nVIGidw
 nifi.security.truststore=./conf/truststore.jks
 nifi.security.truststoreType=jks
 nifi.security.truststorePasswd=WJwg6F2jmUcvpxRHDiseNRc/VV59WOS+SdrZ5amtnsE

into the values for the equivalent properties in the nifi-registry.properties file:

 nifi.registry.security.keystore=./conf/keystore.jks
 nifi.registry.security.keystoreType=jks
 nifi.registry.security.keystorePasswd=taceJshGdkyBRy4B7mwaSnM3AkbN7ffewjn3nVIGidw
 nifi.registry.security.keyPasswd=taceJshGdkyBRy4B7mwaSnM3AkbN7ffewjn3nVIGidw
 nifi.registry.security.truststore=./conf/truststore.jks
 nifi.registry.security.truststoreType=jks
 nifi.registry.security.truststorePasswd=WJwg6F2jmUcvpxRHDiseNRc/VV59WOS+SdrZ5amtnsE

While you are in nifi-registry.properties, modify the HTTP and HTTPS web properties as follows:

 nifi.registry.web.http.host=
 nifi.registry.web.http.port=
 nifi.registry.web.https.host=localhost
 nifi.registry.web.https.port=18443

In the same Registry conf directory, modify authorizers.xml in two places. First in the userGroupProvider section, add the "sys_admin" DN to the "Initial Admin Identity 1" property:

 <property name="Initial User Identity 1">CN=sys_admin, OU=NIFI</property>

Then in the accessPolicyProvider section, add the "sys_admin" DN to the "Initial Admin Identity" property:

 <property name="Initial Admin Identity">CN=sys_admin, OU=NIFI</property>

Note: During this step, it is crucial that you specify the exact DN string used when the TLS Toolkit was invoked. A common error is entering "CN=sys_admin,OU=NIFI" which will not work as it has a missing space.

Add Certificate to Keychain

Double-click on the .p12 file that was generated by the TLS Toolkit. When prompted, provide the password from the .password file.

60463-1-p12-password-prompt.png

Start the Registry

In a terminal window, navigate to the directory where NiFi Registry was installed and run:

 ./bin/nifi-registry.sh start

Open Registry UI

Navigate to the registry UI in your web browser (Chrome used in the following examples):

https://localhost:18443/nifi-registry

When prompted, select the "sys_admin" cert to add to your browser:

60464-2-add-cert-to-browser.png

When prompted, enter your "login" keychain password:

60465-3-keychain-password-prompt.png

You should now be able to view the Registry UI as the "CN=sys_admin, OU=NIFI" user:

60466-4-empty-secure-registry.png

Registry Administration

The "sys_admin" user has full access to the registry. Here are some examples of administration functions immediately available.

Bucket Creation

Select the Settings icon ( 60479-iconsettings.png) in the top right corner of the screen. In the Buckets window that appears, select the "New Bucket" button.

60467-5-new-bucket-button.png

In the dialog that appears, enter the bucket name "ABC" and select the "Create" button.

60468-6-new-bucket-dialog.png

The "ABC" bucket is created:

60469-7-abc-bucket.png

User Administration

Select "Users" at the top of the UI to access the user administration area of the Registry:

60470-8-users-admin.png

Select the pencil icon ( 60480-iconmanage.png) next to the "CN=sys_admin, OU=NIFI" user. This will open a side nav that shows the Special Privileges and group Membership:

60471-9-users-side-nav.png

You can see that the "sys_admin" was given all special privileges as the Initial Admin Identity (IAI). The privileges for the IAI are not editable. Let's create a second user to see how bucket access can be restricted by modifying these privileges.

Second User Creation

Close the side nav and select the "Add User" button.

60472-10-add-user-button.png

Enter "CN=test_user, OU=NIFI" in the Identity field and select the "Add" button:

60473-11-add-user-dialog.png

"CN=test_user", OU=NIFI" user is created:

60474-12-test-user-created.png

Second User Certificate

Next we need a client certificate for "test_user".

Return to the directory of your NiFi Toolkit installation and run:

 ./bin/tls-toolkit.sh standalone -C "CN=test_user, OU=NIFI" -o target

NOTE:The output directory must be set to target in order for the existing CA certificate in that directory to be used.

TLS Toolkit generates the following additional files in the target directory:

CN=test_user_OU=NIFI.p12
CN=test_user_OU=NIFI.p12.password

Add the .p12 cert to the Keychain as described earlier. However, choose a different browser this time to access the UI (Safari in the following examples):

https://localhost:18443/nifi-registry

Add the client certificate to the browser:

60475-13-client-cert-safari.png

You should now be able to view the Registry UI as the "CN=test_user, OU=NIFI" user:

60476-14-registry-ui-no-settings.png

You can see that "test_user" has no access to Settings.

Return to the Chrome browser where "sys_admin" is the user. Give "test_user" read-only bucket privileges:

60477-15-test-user-special-privileges.png

Return to the Safari browser where "test_user" is the user. Reload the browser. Select the Settings icon which is now available. The ABC bucket is now visible, but note that the Action to delete the bucket is not enabled, which is consistent with the privileges given to this user:

60478-16-test-user-bucket-read-only.png

Additional Help

If you would like to learn more about NiFi Registry functionality and working with versioned flows in NiFi, see the following articles:

Or documentation:

25,280 Views