Created on 02-08-2018 01:11 AM - edited 08-17-2019 09:07 AM
This tutorial walks you through how to install and secure a NiFi Registry using client certificates. A quick example of modifying user privileges in the Registry is also included.
A video version of this tutorial can be seen here: https://youtu.be/qD03ao3R-a4
Note: To learn the basics of setting up an unsecured Registry and integrating with Apache NiFi see the HCC article Versioned DataFlows with Apache NiFi 1.5 and Apache NiFi Registry 0.1.0.
This tutorial was tested using the following environment and components:
Download the tarball for the 0.1.0 Registry release:
and the tarball for the 1.5.0 NiFi Toolkit:
Extract the tars:
tar xzvf nifi-registry-0.1.0-bin.tar.gz tar xzvf nifi-toolkit-1.5.0-bin.tar.gz
We will use the Apache NiFi TLS Toolkit to generate the necessary keystore, truststore, and client certificates. In this tutorial, we will create certs for two users: "sys_admin" and "test_user". The user “sys_admin” will have full access to the registry while “test_user” will be configured to have targeted access in the registry.
In the directory of your NiFi Toolkit install, run the following command:
./bin/tls-toolkit.sh standalone -n "localhost" -C "CN=sys_admin, OU=NIFI" -o target
Note: To see the usage information for the TLS Toolkit, run:
./bin/tls-toolkit.sh standalone -h.
TLS Toolkit generates the following in the
localhost directory contains:
Copy the keystore and trustore to the
conf directory of your Registry install.
Copy the values of the keystore and truststore properties from the
nifi.security.keystore=./conf/keystore.jks nifi.security.keystoreType=jks nifi.security.keystorePasswd=taceJshGdkyBRy4B7mwaSnM3AkbN7ffewjn3nVIGidw nifi.security.keyPasswd=taceJshGdkyBRy4B7mwaSnM3AkbN7ffewjn3nVIGidw nifi.security.truststore=./conf/truststore.jks nifi.security.truststoreType=jks nifi.security.truststorePasswd=WJwg6F2jmUcvpxRHDiseNRc/VV59WOS+SdrZ5amtnsE
into the values for the equivalent properties in the
nifi.registry.security.keystore=./conf/keystore.jks nifi.registry.security.keystoreType=jks nifi.registry.security.keystorePasswd=taceJshGdkyBRy4B7mwaSnM3AkbN7ffewjn3nVIGidw nifi.registry.security.keyPasswd=taceJshGdkyBRy4B7mwaSnM3AkbN7ffewjn3nVIGidw nifi.registry.security.truststore=./conf/truststore.jks nifi.registry.security.truststoreType=jks nifi.registry.security.truststorePasswd=WJwg6F2jmUcvpxRHDiseNRc/VV59WOS+SdrZ5amtnsE
While you are in
nifi-registry.properties, modify the HTTP and HTTPS web properties as follows:
nifi.registry.web.http.host= nifi.registry.web.http.port= nifi.registry.web.https.host=localhost nifi.registry.web.https.port=18443
In the same Registry
conf directory, modify
authorizers.xml in two places. First in the userGroupProvider section, add the "sys_admin" DN to the "Initial Admin Identity 1" property:
<property name="Initial User Identity 1">CN=sys_admin, OU=NIFI</property>
Then in the accessPolicyProvider section, add the "sys_admin" DN to the "Initial Admin Identity" property:
<property name="Initial Admin Identity">CN=sys_admin, OU=NIFI</property>
Note: During this step, it is crucial that you specify the exact DN string used when the TLS Toolkit was invoked. A common error is entering "CN=sys_admin,OU=NIFI" which will not work as it has a missing space.
Double-click on the .p12 file that was generated by the TLS Toolkit. When prompted, provide the password from the .password file.
In a terminal window, navigate to the directory where NiFi Registry was installed and run:
Navigate to the registry UI in your web browser (Chrome used in the following examples):
When prompted, select the "sys_admin" cert to add to your browser:
When prompted, enter your "login" keychain password:
You should now be able to view the Registry UI as the "CN=sys_admin, OU=NIFI" user:
The "sys_admin" user has full access to the registry. Here are some examples of administration functions immediately available.
Select the Settings icon ( ) in the top right corner of the screen. In the Buckets window that appears, select the "New Bucket" button.
In the dialog that appears, enter the bucket name "ABC" and select the "Create" button.
The "ABC" bucket is created:
Select "Users" at the top of the UI to access the user administration area of the Registry:
Select the pencil icon ( ) next to the "CN=sys_admin, OU=NIFI" user. This will open a side nav that shows the Special Privileges and group Membership:
You can see that the "sys_admin" was given all special privileges as the Initial Admin Identity (IAI). The privileges for the IAI are not editable. Let's create a second user to see how bucket access can be restricted by modifying these privileges.
Close the side nav and select the "Add User" button.
Enter "CN=test_user, OU=NIFI" in the Identity field and select the "Add" button:
"CN=test_user", OU=NIFI" user is created:
Next we need a client certificate for "test_user".
Return to the directory of your NiFi Toolkit installation and run:
./bin/tls-toolkit.sh standalone -C "CN=test_user, OU=NIFI" -o target
NOTE:The output directory must be set to
target in order for the existing CA certificate in that directory to be used.
TLS Toolkit generates the following additional files in the
Add the .p12 cert to the Keychain as described earlier. However, choose a different browser this time to access the UI (Safari in the following examples):
Add the client certificate to the browser:
You should now be able to view the Registry UI as the "CN=test_user, OU=NIFI" user:
You can see that "test_user" has no access to Settings.
Return to the Chrome browser where "sys_admin" is the user. Give "test_user" read-only bucket privileges:
Return to the Safari browser where "test_user" is the user. Reload the browser. Select the Settings icon which is now available. The ABC bucket is now visible, but note that the Action to delete the bucket is not enabled, which is consistent with the privileges given to this user:
If you would like to learn more about NiFi Registry functionality and working with versioned flows in NiFi, see the following articles: