NIFI - Set up LDAP integration on a running cluster

Contributor

Hi,

I require assistance in configuring my secure cluster to function with LDAP.

Which procedure is recommended when doing that on a running cluster?

What steps do I need to take first?

Do I need to shut down all the nodes?

Thanks 

Edi

Super Mentor

@edim2525 
If your NiFi is already secured, that means you are already using authentication and authorization in some form of configuration. So depending on your current secure setup configuration, the guidance you may need will vary.

There are multiple NiFi configuration files that establish the configurations for authentication and authorization (While authorization is dependent on successful authentication, the processes are executed separately).  

  1. nifi.properties
  2. login-identity-providers.xml
  3. authorizers.xml

Understanding your current setup is important for giving proper guidance to change configuration.

For authenticating with LDAP/AD users, you'll want to use the ldap-provider in the login-identity-providers.xml

For authorization you can NOT use the default "single-user-authorizer" in the authorizers.xml. You'll need to switch to a different provider like the Standard Managed Authorizer.

If you found any of the suggestions/solutions provided helped you with your issue, please take a moment to login and click "Accept as Solution" on one or more of them that helped.

Thank you,
Matt
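A pre-restart consistency check across the three files named in the reply above, as an added example that is not part of the original reply or of NiFi itself. It assumes the standard property keys `nifi.security.user.login.identity.provider` and `nifi.security.user.authorizer`, and that the managed authorizer uses the identifier `managed-authorizer`; the sample inputs are constructed.

```python
import xml.etree.ElementTree as ET

LOGIN_KEY = "nifi.security.user.login.identity.provider"
AUTHZ_KEY = "nifi.security.user.authorizer"

def parse_properties(text):
    """Parse key=value lines as found in nifi.properties, skipping comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props

def identifiers(xml_text, tag):
    """Identifiers of all active <tag> elements; XML-commented ones are ignored."""
    root = ET.fromstring(xml_text)
    return {el.findtext("identifier", "").strip() for el in root.iter(tag)}

def check_ldap_config(props_text, login_xml, authz_xml):
    """Return a list of inconsistencies between the three files (empty = consistent)."""
    props, problems = parse_properties(props_text), []
    login_id, authz_id = props.get(LOGIN_KEY, ""), props.get(AUTHZ_KEY, "")
    if login_id != "ldap-provider":
        problems.append(f"{LOGIN_KEY} is '{login_id}', expected 'ldap-provider'")
    elif login_id not in identifiers(login_xml, "provider"):
        problems.append("ldap-provider is missing or commented out in login-identity-providers.xml")
    if authz_id == "single-user-authorizer":
        problems.append(f"{AUTHZ_KEY} still points at single-user-authorizer")
    elif authz_id not in identifiers(authz_xml, "authorizer"):
        problems.append(f"authorizer '{authz_id}' is not defined in authorizers.xml")
    return problems

# Constructed sample inputs, trimmed to the elements the check reads.
PROPS = f"{LOGIN_KEY}=ldap-provider\n{AUTHZ_KEY}=single-user-authorizer\n"
LOGIN_XML = """<loginIdentityProviders>
  <!-- <provider><identifier>ldap-provider</identifier></provider> -->
  <provider><identifier>single-user-provider</identifier></provider>
</loginIdentityProviders>"""
AUTHZ_XML = """<authorizers>
  <authorizer><identifier>managed-authorizer</identifier></authorizer>
</authorizers>"""

if __name__ == "__main__":
    for problem in check_ldap_config(PROPS, LOGIN_XML, AUTHZ_XML):
        print("PROBLEM:", problem)
```

Run against each node's conf directory before restarting it, the same check also shows whether all nodes carry identical authentication and authorization settings.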

Contributor

Given that I need to update these three files (nifi.properties, login-identity-providers.xml, authorizers.xml), does this imply that I must stop all the nodes within the cluster, perform the file updates, and then restart the nodes? Is there a method to accomplish this without stopping all the nodes?

Thanks

Edi

Contributor

@MattWho My cluster is working with a single-user-authorizer.

I tried your method and tested it on a running cluster with three nodes that are configured as single-user-authorizer. I updated the three files (nifi.properties, login-identity-providers.xml, authorizers.xml) to work with LDAP configuration. When I restarted the first node (not primary or coordinator), I got the following error messages in the log.

2023-09-26 11:20:34,441 ERROR [main] o.s.web.context.ContextLoader Context initialization failed
2023-09-26 11:50:19,381 ERROR [main] o.a.nifi.controller.StandardFlowService Failed to load flow from cluster due to: org.apache.nifi.controller.serialization.FlowSynchronizationException: Failed to connect node to cluster because local flow controller partially updated. Administrator should disconnect node and review flow for corruption.
2023-09-26 11:50:19,595 ERROR [main] o.a.n.c.c.node.NodeClusterCoordinator Event Reported for xxx:8443 -- Node disconnected from cluster due to org.apache.nifi.controller.serialization.FlowSynchronizationException: Failed to connect node to cluster because local flow controller partially updated. Administrator should disconnect node and review flow for corruption.

The LDAP configuration takes effect only after restarting all the nodes.