Support Questions

Find answers, ask questions, and share your expertise
Announcements
Celebrating as our community reaches 100,000 members! Thank you!

Securing Apache Nifi 2.0.0-M2 and configure HTTPS

avatar
New Contributor

Hey everyone, I was surfing the web since this morning looking for a way/guide/tutorial on how to secure Nifi so I can connect via https and not http but couldn't find anything that was compatible with the 2.0.0-M2 version.

I am new to Nifi and i just want to secure my access to it.

most of the guides i've stumbled upon use the nifi-toolkit with the command 

 

./bin/tls-toolkit.sh standalone -C "CN=my_username, OU=NiFi"

 

to generate and sign the client certificate for the access, alongside some tweaks in the nifi.properties file.
but in the toolkit version of nifi-2.0.0-M2, there is no file called tls-toolkit.sh 
so im kinda lost here as there is only :

darkcoffeelake_0-1710854738987.png

and according to the documentations with these scripts i didnt know how to secure nifi with the standalone method.

could someone please help provide some insights on how to secure nifi with https? 
thanks

 

8 REPLIES 8

avatar
Community Manager

@darkcoffeelake Welcome to the Cloudera Community!

To help you get the best possible solution, I have tagged our NiFi experts @mburgess @MattWho  who may be able to assist you further.

Please keep us updated on your post, and we hope you find a satisfactory solution to your query.


Regards,

Diana Torres,
Community Moderator


Was your question answered? Make sure to mark the answer as the accepted solution.
If you find a reply useful, say thanks by clicking on the thumbs up button.
Learn more about the Cloudera Community:

avatar
Super Mentor

@darkcoffeelake 

NiFi out-of-the-box setup generates simply keystore and truststore automatically and set the login provider to single-user-provider and authorizer to single-user-authorizer.  This out-of-the-box setup is simplifies secured access for evaluation of NiFi.  It is not a production ready setup in that it does not support multi-user authentication, granular access controls, or NiFi cluster setups.

There are bunch of steps that go into securing Apache NiFi for production ready environments.  Securing NiFi not only sets up NiFi over an HTTPS connection, but also requires that user authentication and authorization is setup.  

NiFi will require a keystore and truststore which youcan create yourself or use publicly available service to create them for you (example would be tinycert).  The keystore created for you NiFi must meet the following requirements for NiFi:

  1. Contains only 1 PrivateKey entry. 
  2. Does not use wildcards in the DN of PrivateKey certificate.
  3. Has both clientAuth and serverAuth Extended key Usage (EKU)
  4. Has SubjectAlternativeNames (SAN) entry(s) matching NiFi hostname and any other name that may be used to access the NiFi.  

The truststore needs to contain the complete trust chain for your NiFi keystore certficate.  A certifcate might be self signed (meaning both issuer and signer are same DN), it may be signed by an intermediate CA, or rootCA.      If signed by an intermeidiate CA, your truststore would need to have the trustedCertEntry (public key) for the intermediate CA (intermediate CA is any CA where signer and issuer are different DNs) and the trusted certEntry for that signer and so until you reach the root CA in the chain (root CA will have same signer and issuer DN).

Once you have your certificates, you'll need to decide how your users are going to authenticate with NiFi.  NiFi does not have a embedded provider that supports multi-user authentication.  Here is what is available to choose from:

User Authentication

LDAP and Kerberos are probably the most commonly used.

Once you have decided how you are going to authenticate your users, you'll need to setup authorization for those users.  here are your options here:

Multi-Tenant Authorization

The simplest authorizers.xml setup would utilize the  StandardManagedAuthorizerFileAccessPolicyProvider, and FileUserGroupProvider.
a sample configuration can be seen here:
https://nifi.apache.org/documentation/nifi-2.0.0-M1/html/administration-guide.html#file-based-ldap-a...

If setup correctly, on first startup, the above authorizers.xml will generate and seed the users.xml and authorizations.xml file so that your initial admin user (a ldap user or kerberos user for example) with the necessary authorization policies to access the NiFi UI.  From the NiFi UI, that initial admin user can setup additional user identity authorizations.

If you found any of the suggestions/solutions provided helped you with your issue, please take a moment to login and click "Accept as Solution" on one or more of them that helped.

Thank you,
Matt

avatar
New Contributor

Hi @MattWho 

Thank you for your answer. 

Can you make a video for setup an instance of Nifi with a self signed Domain?

avatar
Expert Contributor

Hello @Dataengineer1 ,

Even I was looking for similar sort of solution, latest version seems different from the older one. New toolkit does not have the standalone command to generate the certificate.

Check below video might help you. ( This is old vlog)

https://www.youtube.com/watch?v=LanpbWR7Gv8

avatar
New Contributor

Hi @saquibsk 

Thank for your reply. 

For generating these keys. I used the toolkit: https:// www.apache.org/dyn/closer.lua?path=/nifi/1.25.0/nifi-toolkit-1.25.0-bin.zip

 

 

avatar
Expert Contributor

Hi @Dataengineer1,

Did you get a chance to impliment it? 

Try below to impliment it. If worked please create document and upload in community to help others 🙂

https://www.youtube.com/watch?v=j-JXo3xPxOk

 

avatar
Expert Contributor

Hi @Dataengineer1 ,

Did you get a chance to implement it? Would you kindly share the resolution if it is done?

avatar
Community Manager

@darkcoffeelake Has the reply helped resolve your issue? If so, please mark the appropriate reply as the solution, as it will make it easier for others to find the answer in the future. Thanks.


Regards,

Diana Torres,
Community Moderator


Was your question answered? Make sure to mark the answer as the accepted solution.
If you find a reply useful, say thanks by clicking on the thumbs up button.
Learn more about the Cloudera Community: