Created 02-15-2024 02:10 AM
Hi, iam testing nifi and experimenting on 2 laptops (that is what i have available).
I want to try transferring with a site 2 site, i have been trying and not getting anywhere, i have read the admin guide, watched youtube videos and it seems so simple, but icant get this to work.
so on latop A i have [RPG]--->["queued"]---->[putfile]
on laptop B i have [Generate floe file]-->["queued"]--->["from laptop A"]
i have 2 laptops with ubuntu and nifi 2.0.0-M2 installed.
i have changed the nifi.properties and authorizers.xml to get the option for users/groups.
I have also tested with remote site to site properties in nifi.properties, but when i change anything it breaks and i cant access the GUI anymore. When i remove the settings below it only works w/https GUI. I also dont have FQDN on the laptops, as i watched a youtube guide and he only changed the remote settings and used "localhost" it worked right away.
laptop/nifi A
laptop/nifi B
Created 02-15-2024 05:44 AM
@bucketsoffun Welcome to the Cloudera Community!
To help you get the best possible solution, I have tagged our NiFi experts @SAMSAL @MattWho who may be able to assist you further.
Please keep us updated on your post, and we hope you find a satisfactory solution to your query.
Regards,
Diana Torres,Created 02-16-2024 10:40 AM
@bucketsoffun
Welcome to Apache NiFi.
NiFi's Site-To-Site capability has been around since the very early stages of Apache NiFi. While the functionality has not changed, the world of security has evolved around it.
Prior to the release of Apache NiFi 1.14, the out-of-the-box installation was unsecured over HTTP. Securing NiFi required user configuration changes. 1.14+ out-of-the-box Apache NiFi start secured over HTTPS with generic certificates with the intent of being used only for evaluation purposes. Out-of-the box uses the following Security providers:
This information will help understand the challenges you are having with using Sit-to-Site if you are using these out of the box security providers.
The Site-To-Site basics:
Using localhost in the not going to work configured in the nifi.remote.input.host unless the only target you want the RPG to be able to talk to is itself (same server/host).
The RPG added to the canvas of your NiFi A:
Once you "Apply" the RPG configuration, a background Site0To-Site thread executes periodically to fetch the Site-To-SIte details from the target URL (NiFi B). Those Site-To-Site details include details about that target NiFi (is it clustered or standalone, hostnames of all the cluster nodes, http/https ports for all cluster instances, all cluster node remote socket ports, load on each node in the target NiFi cluster, list of remote input and output ports that this client is authorized to use, etc). This information is then used for the actual connection and FlowFile transfer.
Authorization becomes the first challenge. Since the RPGs initial connection regardless of RAW or HTTP transport protocol configuration is always to the NiFi UIs hostname and port. When that is HTTPS that will require negotiating a successful mutualTLS exchange/handshake. The Client (RPG) will present the clientAuth certificate from the keystore configured in the nifi.properties file. The DN from that certificate is used as the user identity. That identity is then used check if the client has been authorized to "receive site-to-site details". This is what authorizes the RPG to get all the S2S details I mentioned earlier. The Remote Input ports and remote output ports also have client authorizations needed for the client (input port --> "receive data via site-to-site" and output port --> "send data via site-to-site").
So using the default security providers makes setting up the authorizations needed for site-to-site not possible between different hosts. So you should first experiment with setting up security using some other form of authentication and authorization.
Another option could be to unsecure your NiFi. This remove any need for authentication and authorization. You could then use the IP addresses assigned to your NiFi A and NiFi B in all the hostname configurations.
There are a lot moving parts here important to Site-To-Site between hosts.
I know this does not give you a step 1 to n process to get what you have working, but hopefully gets you high level communications negotiations that happen. Same exist when unsecured just without the authentication and authorization complexity.
I'd encourage you to explore the production ready authorization providers first so you have better understanding of the granular nature of NiFi authorizations.
If you found any of the suggestions/solutions provided helped you with your issue, please take a moment to login and click "Accept as Solution" on one or more of them that helped.
Thank you,
Matt
Created 02-20-2024 07:29 AM
@bucketsoffun Has the reply helped resolve your issue? If so, please mark the appropriate reply as the solution, as it will make it easier for others to find the answer in the future. Thanks.
Regards,
Diana Torres,