
Want to Use SSL i.e., Organization Provided Certs for New NiFi Cluster Users

Contributor

Hello, I have a 3 node NiFi Cluster up and running.  The Initial Admin User is able now to successfully log into the NiFi cluster.  

 

I would now like to add new users to the NiFi cluster and SSL i.e., signed PKI certs for each user as the basis for these users to gain access to NiFi.

 

I do not want to use LDAP, I am in an environment that will require use of PKI certs for access to NiFi.

 

Can someone provide a prescriptive set of steps I can follow to successfully use PKI certs/SSL as a means of providing access to new NiFi cluster users and specifically, how do I add new users?

 

I would think the process of creating new users and using SSL would be explained explicitly.  

 

Can someone help me with this?

 

VR,

 

Dave

3 ACCEPTED SOLUTIONS

20 REPLIES

Contributor

Matt... how do I specify the Initial Admin identity as the authorizer?

Contributor

Here is what I added to the authorizers.xml file:

<userGroupProvider>
<property name="Initial User Identity 1">CN=ec2-user</property>
<property name="Initial User Identity 2">CN=nifi1, OU=NIFI</property>
<property name="Initial User Identity 3">CN=nifi2, OU=NIFI</property>
<property name="Initial User Identity 4">CN=nifi3, OU=NIFI</property>

<accessPolicyProvider>
<property name="Initial Admin Identity">CN=ec2-user</property>
<property name="Node Identity 1">CN=nifi1, OU=NIFI</property>
<property name="Node Identity 2">CN=nifi2, OU=NIFI</property>
<property name="Node Identity 3">CN=nifi3, OU=NIFI</property>

 

 

Super Mentor

@davehkd 
That is an incomplete authorizers.xml and thus not valid.

 

Matt

Contributor

I only posted what I had changed, Matt... sorry...

I'll add the entire file in a moment... thanks for taking a look.

 

Contributor

Here are the complete contents of the authorizers.xml file Matt.  Thanks for taking a look! And, thanks in advance for any guidance/recommendations!

 

------------------------------------------------------------------------------

 

 

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<authorizers>

<userGroupProvider>
  <identifier>file-user-group-provider</identifier>
  <class>org.apache.nifi.authorization.FileUserGroupProvider</class>
  <property name="Initial User Identity 1">CN=ec2-user</property>
  <property name="Initial User Identity 2">CN=nifi1, OU=NIFI</property>
  <property name="Initial User Identity 3">CN=nifi2, OU=NIFI</property>
  <property name="Initial User Identity 4">CN=nifi3, OU=NIFI</property>
</userGroupProvider>

<accessPolicyProvider>
  <identifier>file-access-policy-provider</identifier>
  <class>org.apache.nifi.authorization.FileAccessPolicyProvider</class>
  <property name="User Group Provider">file-user-group-provider</property>
  <property name="Authorizations File">./conf/authorizations.xml</property>
  <property name="Initial Admin Identity">CN=ec2-user</property>
  <property name="Legacy Authorized Users File"></property>
  <property name="Node Identity 1">CN=nifi1, OU=NIFI</property>
  <property name="Node Identity 2">CN=nifi2, OU=NIFI</property>
  <property name="Node Identity 3">CN=nifi3, OU=NIFI</property>
</accessPolicyProvider>

<authorizer>
  <identifier>managed-authorizer</identifier>
  <property name="Access Policy Provider">file-access-policy-provider</property>
</authorizer>

<authorizer>
  <identifier>single-user-authorizer</identifier>
  <class>org.apache.nifi.authorization.single.user.SingleUserAuthorizer</class>
</authorizer>

</authorizers>


Super Mentor

@davehkd 

The "Initial Admin Identity" is defined in the file-access-policy-provider in the authorizers.xml.

This provider is executed during application startup and creates an authorizations.xml file where we set a pre-defined set of NiFi Resource Identifiers (NiFi policies) needed for NiFi administration by the Initial Admin Identity, and set the NiFi Resource Identifiers needed by the NiFi nodes defined in "Node Identity <num>".

The file-access-policy-provider has a dependency on a user-group-provider.  This dependency exists because NiFi Resource Identifiers (NiFi policies) can't be set for any user/client identity strings that are not provided by one of the user-group-providers NiFi offers.  In your case, it appears you are using the file-user-group-provider, which means the nodes and initial admin must be added as "Initial User Identity <num>" in that provider.  The file-user-group-provider is responsible for creating the users.xml.

IMPORTANT: These providers will only generate a users.xml and authorizations.xml file if they do NOT already exist.  The expectation is that once created, additional users and additional policies are set from within the UI.  So configuration changes to these providers will have no impact on already existing users.xml and authorizations.xml.  So if mistakes were made in configuration resulting in missing needed content in these files, they need to be removed after making your config changes so new ones can be generated.


If you found that the provided solution(s) assisted you with your query, please take a moment to login and click Accept as Solution below each response that helped.

Thank you,

Matt
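The dependency described in the reply above (every identity that the file-access-policy-provider seeds policies for must first exist as an "Initial User Identity" in the referenced user-group-provider, and every provider/authorizer needs a class) can be checked before NiFi is started and before users.xml and authorizations.xml get generated. The script below is an added example, not code from this thread or from the NiFi project; the two embedded authorizers.xml documents are constructed samples in the same shape as the file posted above, one with the node identities missing from the user-group-provider and the managed-authorizer lacking its class, and one with both corrected. The element and property names are the ones NiFi uses; the function names are the example's own.

```python
import xml.etree.ElementTree as ET

# Constructed sample (not the poster's real file): node identities are missing from the
# user-group-provider and the managed-authorizer has no <class>.
BROKEN_SAMPLE = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<authorizers>
  <userGroupProvider>
    <identifier>file-user-group-provider</identifier>
    <class>org.apache.nifi.authorization.FileUserGroupProvider</class>
    <property name="Initial User Identity 1">CN=ec2-user</property>
  </userGroupProvider>
  <accessPolicyProvider>
    <identifier>file-access-policy-provider</identifier>
    <class>org.apache.nifi.authorization.FileAccessPolicyProvider</class>
    <property name="User Group Provider">file-user-group-provider</property>
    <property name="Authorizations File">./conf/authorizations.xml</property>
    <property name="Initial Admin Identity">CN=ec2-user</property>
    <property name="Node Identity 1">CN=nifi1, OU=NIFI</property>
    <property name="Node Identity 2">CN=nifi2, OU=NIFI</property>
  </accessPolicyProvider>
  <authorizer>
    <identifier>managed-authorizer</identifier>
    <property name="Access Policy Provider">file-access-policy-provider</property>
  </authorizer>
</authorizers>
"""

# The same constructed configuration with both mistakes corrected.
FIXED_SAMPLE = BROKEN_SAMPLE.replace(
    '<property name="Initial User Identity 1">CN=ec2-user</property>',
    '<property name="Initial User Identity 1">CN=ec2-user</property>\n'
    '    <property name="Initial User Identity 2">CN=nifi1, OU=NIFI</property>\n'
    '    <property name="Initial User Identity 3">CN=nifi2, OU=NIFI</property>',
).replace(
    "<identifier>managed-authorizer</identifier>",
    "<class>org.apache.nifi.authorization.StandardManagedAuthorizer</class>\n"
    "    <identifier>managed-authorizer</identifier>",
)


def _props(elem):
    """Map <property name="..."> to its (stripped) text for one provider element."""
    return {p.get("name"): (p.text or "").strip() for p in elem.findall("property")}


def check_authorizers(xml_text):
    """Return a list of findings; an empty list means the file is internally consistent."""
    findings = []
    root = ET.fromstring(xml_text.encode("utf-8"))

    # Identities each user-group-provider will seed into users.xml on first start.
    seeded = {}
    for ugp in root.findall("userGroupProvider"):
        ident = ugp.findtext("identifier", "").strip()
        if not ugp.findtext("class"):
            findings.append(f"userGroupProvider '{ident}' has no <class>")
        seeded[ident] = {v for k, v in _props(ugp).items()
                         if k.startswith("Initial User Identity") and v}

    policy_providers = set()
    for app in root.findall("accessPolicyProvider"):
        ident = app.findtext("identifier", "").strip()
        policy_providers.add(ident)
        if not app.findtext("class"):
            findings.append(f"accessPolicyProvider '{ident}' has no <class>")
        props = _props(app)
        ugp_ref = props.get("User Group Provider", "")
        if ugp_ref not in seeded:
            findings.append(f"accessPolicyProvider '{ident}' references unknown "
                            f"User Group Provider '{ugp_ref}'")
            continue
        # Policies can only be seeded for identities the user-group-provider knows;
        # the comparison is an exact string match, as NiFi's own is.
        for name, value in props.items():
            if (name == "Initial Admin Identity" or name.startswith("Node Identity")) \
                    and value and value not in seeded[ugp_ref]:
                findings.append(f"accessPolicyProvider '{ident}': '{name}' = '{value}' "
                                f"is not an Initial User Identity in '{ugp_ref}'")

    for auth in root.findall("authorizer"):
        ident = auth.findtext("identifier", "").strip()
        if not auth.findtext("class"):
            findings.append(f"authorizer '{ident}' has no <class>")
        ref = _props(auth).get("Access Policy Provider")
        if ref is not None and ref not in policy_providers:
            findings.append(f"authorizer '{ident}' references unknown "
                            f"Access Policy Provider '{ref}'")
    return findings


if __name__ == "__main__":
    for label, text in (("broken", BROKEN_SAMPLE), ("fixed", FIXED_SAMPLE)):
        print(label + ":", check_authorizers(text) or "OK")
```

Run it against a real conf/authorizers.xml by reading the file into `check_authorizers`. The identity comparison is deliberately a literal string match, because that is how NiFi matches a client certificate's DN against users.xml unless identity mapping patterns are configured in nifi.properties; a stray space or different attribute order ("CN=nifi1,OU=NIFI" versus "CN=nifi1, OU=NIFI") is a different user. Remember the point from the reply above: fixing the file does nothing for a cluster that has already generated users.xml and authorizations.xml; those have to be removed before the corrected providers are picked up.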

 

Contributor

Correction to contents:

<authorizer>
  <class>org.apache.nifi.authorization.StandardManagedAuthorizer</class>
  <identifier>managed-authorizer</identifier>
  <property name="Access Policy Provider">file-access-policy-provider</property>
</authorizer>

 

Contributor

Matt - 

 

You are a gem and a genius!  

I was finally able to access the Users and Policy menu options.

 

A tremendous and heartfelt THANK YOU!

 

Can I send a note of thanks to anyone at Cloudera for the amazing help you provided me!

 

VR,

 

Dave

 

 

 

Super Mentor

@davehkd 
Thank you for the awesome feedback.  Glad I could help you.

It would be great if you could go through this back and forth exchange and accept all the responses I provided that helped you.  I noticed you accepted your own response.  🙂

Matt