Cloudera Community

Support Questions

Find answers, ask questions, and share your expertise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Advanced Search
Announcements
Celebrating as our community reaches 100,000 members! Thank you!

Securing Apache Nifi 2.0.0-M2 and configure HTTPS

Labels:
avatar
author-rank darkcoffeelake
New Contributor

Created ‎03-19-2024 06:28 AM

Hey everyone, I was surfing the web since this morning looking for a way/guide/tutorial on how to secure Nifi so I can connect via https and not http but couldn't find anything that was compatible with the 2.0.0-M2 version.

I am new to Nifi and i just want to secure my access to it.

most of the guides i've stumbled upon use the nifi-toolkit with the command 

 

./bin/tls-toolkit.sh standalone -C "CN=my_username, OU=NiFi"

 

to generate and sign the client certificate for the access, alongside some tweaks in the nifi.properties file.
but in the toolkit version of nifi-2.0.0-M2, there is no file called tls-toolkit.sh 
so im kinda lost here as there is only :

darkcoffeelake_0-1710854738987.png

and according to the documentations with these scripts i didnt know how to secure nifi with the standalone method.

could someone please help provide some insights on how to secure nifi with https? 
thanks

 

3,526 Views
0 Kudos
8 REPLIES 8

avatar
author-rank DianaTorres author-rank
Community Manager

Created ‎03-19-2024 11:24 AM

@darkcoffeelake Welcome to the Cloudera Community!

To help you get the best possible solution, I have tagged our NiFi experts @mburgess @MattWho  who may be able to assist you further.

Please keep us updated on your post, and we hope you find a satisfactory solution to your query.

Regards,

Diana Torres,
Community Moderator

Was your question answered? Make sure to mark the answer as the accepted solution.
If you find a reply useful, say thanks by clicking on the thumbs up button.
Learn more about the Cloudera Community:
3,502 Views
0 Kudos

avatar
author-rank MattWho author-rank
Master Mentor

Created ‎03-20-2024 12:52 PM

@darkcoffeelake 

NiFi out-of-the-box setup generates simply keystore and truststore automatically and set the login provider to single-user-provider and authorizer to single-user-authorizer.  This out-of-the-box setup is simplifies secured access for evaluation of NiFi.  It is not a production ready setup in that it does not support multi-user authentication, granular access controls, or NiFi cluster setups.

There are bunch of steps that go into securing Apache NiFi for production ready environments.  Securing NiFi not only sets up NiFi over an HTTPS connection, but also requires that user authentication and authorization is setup.  

NiFi will require a keystore and truststore which youcan create yourself or use publicly available service to create them for you (example would be tinycert).  The keystore created for you NiFi must meet the following requirements for NiFi:

  1. Contains only 1 PrivateKey entry. 
  2. Does not use wildcards in the DN of PrivateKey certificate.
  3. Has both clientAuth and serverAuth Extended key Usage (EKU)
  4. Has SubjectAlternativeNames (SAN) entry(s) matching NiFi hostname and any other name that may be used to access the NiFi.  

The truststore needs to contain the complete trust chain for your NiFi keystore certficate.  A certifcate might be self signed (meaning both issuer and signer are same DN), it may be signed by an intermediate CA, or rootCA.      If signed by an intermeidiate CA, your truststore would need to have the trustedCertEntry (public key) for the intermediate CA (intermediate CA is any CA where signer and issuer are different DNs) and the trusted certEntry for that signer and so until you reach the root CA in the chain (root CA will have same signer and issuer DN).

Once you have your certificates, you'll need to decide how your users are going to authenticate with NiFi.  NiFi does not have a embedded provider that supports multi-user authentication.  Here is what is available to choose from:

User Authentication

LDAP and Kerberos are probably the most commonly used.

Once you have decided how you are going to authenticate your users, you'll need to setup authorization for those users.  here are your options here:

Multi-Tenant Authorization

The simplest authorizers.xml setup would utilize the  StandardManagedAuthorizerFileAccessPolicyProvider, and FileUserGroupProvider.
a sample configuration can be seen here:
https://nifi.apache.org/documentation/nifi-2.0.0-M1/html/administration-guide.html#file-based-ldap-a...

If setup correctly, on first startup, the above authorizers.xml will generate and seed the users.xml and authorizations.xml file so that your initial admin user (a ldap user or kerberos user for example) with the necessary authorization policies to access the NiFi UI.  From the NiFi UI, that initial admin user can setup additional user identity authorizations.

If you found any of the suggestions/solutions provided helped you with your issue, please take a moment to login and click "Accept as Solution" on one or more of them that helped.

Thank you,
Matt

3,472 Views

avatar
author-rank Dataengineer1
New Contributor

Created ‎03-25-2024 01:52 AM

Hi @MattWho 

Thank you for your answer. 

Can you make a video for setup an instance of Nifi with a self signed Domain?

3,387 Views

avatar
author-rank saquibsk
Expert Contributor

Created on ‎03-25-2024 04:10 AM - edited ‎03-25-2024 04:12 AM

Hello @Dataengineer1 ,

Even I was looking for similar sort of solution, latest version seems different from the older one. New toolkit does not have the standalone command to generate the certificate.

Check below video might help you. ( This is old vlog)

https://www.youtube.com/watch?v=LanpbWR7Gv8

Shakib M.
3,376 Views

avatar
author-rank Dataengineer1
New Contributor

Created on ‎03-25-2024 04:29 AM - edited ‎03-25-2024 04:29 AM

Hi @saquibsk 

Thank for your reply. 

For generating these keys. I used the toolkit: https:// www.apache.org/dyn/closer.lua?path=/nifi/1.25.0/nifi-toolkit-1.25.0-bin.zip

 

 

3,371 Views

avatar
author-rank saquibsk
Expert Contributor

Created ‎03-25-2024 04:39 AM

Hi @Dataengineer1,

Did you get a chance to impliment it? 

Try below to impliment it. If worked please create document and upload in community to help others 🙂

https://www.youtube.com/watch?v=j-JXo3xPxOk

 

Shakib M.
How to Setup a Secure Apache NiFi
How to Setup a Secure Apache NiFi
youtube.com/watch?v=j-JXo3xPxOk
In this chapter we are going to learn "☛How to Setup a Secure Apache NiFi " ▶️The entire series in a playlist 🔗https://www.youtube.com/playlist?list=PLkp40uss1kSI66DA_aDCfx02gXipoRQHc 👍 GitHub Repo 🔗 https://github.com/InsightByte/ApacheNifi/tree/main/NiFi-Secured-Single-Instance 📒 Add NiFi ...
3,370 Views

avatar
author-rank saquibsk
Expert Contributor

Created ‎04-01-2024 12:30 AM

Hi @Dataengineer1 ,

Did you get a chance to implement it? Would you kindly share the resolution if it is done?

Shakib M.
3,197 Views

avatar
author-rank DianaTorres author-rank
Community Manager

Created ‎04-08-2024 08:43 AM

@darkcoffeelake Has the reply helped resolve your issue? If so, please mark the appropriate reply as the solution, as it will make it easier for others to find the answer in the future. Thanks.

Regards,

Diana Torres,
Community Moderator

Was your question answered? Make sure to mark the answer as the accepted solution.
If you find a reply useful, say thanks by clicking on the thumbs up button.
Learn more about the Cloudera Community:
3,034 Views
0 Kudos
Announcements
What's New @ Cloudera
Updates to the HDFS clusters on AWS environments to add supp...
What's New @ Cloudera
Enhancements to the create-database command
Community Announcements
September 2024 Community Highlights
What's New @ Cloudera
Cloudera Streams Messaging Operator 1.1
What's New @ Cloudera
From Silos to Synergy: Unifying Data Warehousing and AI
View More Announcements