Cloudera Community
alopresto
user rank
user rank
Guru

Re: How to upgrade Eclipse Jetty Server to a highe...

by Guru Guru in Support Questions
‎08-02-2018 07:12 PM
‎08-02-2018 07:12 PM
The root pom file located at nifi/pom.xml in the project structure should be modified so the existing jetty.version value is changed from 9.4.3.v20170317 to 9.4.11.v20180605 . Initial analysis suggests upgrading the Jetty version will cause runtime errors, as their handling of TLD loading has changed and is currently incompatible with how NiFi works. ... View more

Re: How to upgrade Eclipse Jetty Server to a highe...

by Guru Guru in Support Questions
‎08-01-2018 07:18 PM
1 Kudo
‎08-01-2018 07:18 PM
1 Kudo
You can do this manually on your instance by changing the Jetty dependency version in nifi/pom.xml ( <jetty.version>9.4.3.v20170317</jetty.version> ). There is an Apache Jira (NIFI-5479) to upgrade this in the core project. Please do not comment on that ticket indicating this is related to a security vulnerability, as the Apache Security Vulnerability Reporting Process must be followed. ... View more

Re: How should I use the SSLContext controller in ...

by Guru Guru in Support Questions
‎06-02-2018 02:35 AM
‎06-02-2018 02:35 AM
David, I would recommend you create an SSLContextService at root which only uses the truststore and ask your users to select that controller service when necessary. If they have requirements to connect to external services which require mutual authentication via TLS client certificates, you may have to create additional controller services with limited keystore access and provide those on a per-instance/user basis. If these are globally-accessible external services (aka not organizationally-signed), you could also provide a generic controller service which uses the Java CA truststore (something like $JAVA_HOME/jre/lib/security/cacerts with default password "changeit"). ... View more

Re: NiFi EncryptContent Processor's behaviour

by Guru Guru in Support Questions
‎06-02-2018 02:27 AM
1 Kudo
‎06-02-2018 02:27 AM
1 Kudo
Nikita, I believe this is an issue because if you export a public key without ASCII-armoring it (indicated by default by the extension .asc compared to .gpg), the key parsing is performed differently and thus the cipher cannot be formed. NiFi delegates the PGP key parsing to Bouncy Castle's PGPPublicKeyRingCollection class. As noted in the documentation, only a valid key ring is supported here. Is there a reason you cannot convert the single key file into a key ring (see steps here)? There is an open Jira to re-evaluate this handling, but it is not scheduled for work. The solution is to form a valid key ring file from the keys, or use the ASCII-armored public key, which works as you noted. ... View more

Re: Nifi GetFile (os operation) user impersonation

by Guru Guru in Support Questions
‎06-02-2018 01:30 AM
‎06-02-2018 01:30 AM
As @Abdelkrim Hadjidj mentioned, this is not currently possible in NiFi out of the box. You have a few options. Change the file permissions to be accessible by the OS user that is running NiFi. Assuming that user is "nifi", this could be done by adding the "nifi" account to a group with R/W access to the file, or by changing the owner to the "nifi" user (assuming the owner has R/W). This is the recommended solution. You could use an ExecuteStreamCommand or ExecuteProcess processor to run a shell command which reads the contents of the file into a flowfile. Because you are running a shell command, you can use something like "$ echo <other_account_password> | sudo -S -u OTHER_USER more ${path/to/file}". It would be more secure to provide the password in a separate password file (secured via OS permissions) to avoid history leakage, but you can also prepend the command with a space to avoid it showing up in the history. You might be able to use the GetHDFS processor with a configuration file that mapped it to the local file system and allowed user impersonation. This is not recommended and definitely not supported, but potentially technically possible. You could write a custom processor, but Java does not have any API for reading a file as an OS user other than the one that the JVM is running under. You could possibly use the Java FileSystem API to change the OS ownership or permissions on the file, but in that case, #1 is a better solution. ... View more

Re: Nifi Server dont starts after going secure.

by Guru Guru in Support Questions
‎02-08-2018 12:15 AM
‎02-08-2018 12:15 AM
Try removing the users.xml and authorizations.xml files (back these up if you have made other changes prior to securing the application). These files are generated and populated if they are not present at application startup, which means they will be auto-generated the first time the application is run, but not re-generated automatically once they exist. Ensure your files look something like the following: users.xml <?xml version="1.0" encoding="UTF-8" standalone="yes"?> <tenants> <groups/> <users> <user identifier="69d36646-d7cd-33ef-83a7-54d95f67214c" identity="CN=alopresto, OU=Apache NiFi"/> </users> </tenants> authorizers.xml <?xml version="1.0" encoding="UTF-8" standalone="yes"?> <authorizers> <authorizer> <identifier>file-provider</identifier> <class>org.apache.nifi.authorization.FileAuthorizer</class> <property name="Authorizations File">./conf/authorizations.xml</property> <property name="Users File">./conf/users.xml</property> <property name="Initial Admin Identity">CN=alopresto, OU=Apache NiFi</property> <property name="Legacy Authorized Users File"></property> </authorizer> </authorizers> authorizations.xml <?xml version="1.0" encoding="UTF-8" standalone="yes"?> <authorizations> <policies> <policy identifier="0f4d2dd0-7c8b-39ce-8292-0e459a8dd69f" resource="/flow" action="R"> <user identifier="69d36646-d7cd-33ef-83a7-54d95f67214c"/> </policy> <policy identifier="9f665453-1e5f-36b4-8f4c-e125491c1fd2" resource="/data/process-groups/4aa66ece-015a-1000-4348-efd94f63c4df" action="R"> <user identifier="69d36646-d7cd-33ef-83a7-54d95f67214c"/> </policy> <policy identifier="38e2a10c-a75f-3b48-8954-6e5af69c837b" resource="/data/process-groups/4aa66ece-015a-1000-4348-efd94f63c4df" action="W"> <user identifier="69d36646-d7cd-33ef-83a7-54d95f67214c"/> </policy> <policy identifier="67684272-2833-32e6-954a-d33b7dfc80b2" resource="/process-groups/4aa66ece-015a-1000-4348-efd94f63c4df" action="R"> <user identifier="69d36646-d7cd-33ef-83a7-54d95f67214c"/> </policy> <policy identifier="ce02741b-adb1-37cf-a818-7d5476e49805" resource="/process-groups/4aa66ece-015a-1000-4348-efd94f63c4df" action="W"> <user identifier="69d36646-d7cd-33ef-83a7-54d95f67214c"/> </policy> <policy identifier="2148640b-305c-3c53-8a92-5111159729a1" resource="/restricted-components" action="W"> <user identifier="69d36646-d7cd-33ef-83a7-54d95f67214c"/> </policy> <policy identifier="cc00676b-e0bb-34be-8ae5-89a35dd3ebcb" resource="/tenants" action="R"> <user identifier="69d36646-d7cd-33ef-83a7-54d95f67214c"/> </policy> <policy identifier="2bf2a497-4045-37d6-8a7f-e8b2753da197" resource="/tenants" action="W"> <user identifier="69d36646-d7cd-33ef-83a7-54d95f67214c"/> </policy> <policy identifier="9abc4f3b-008c-3ad2-81d3-85410b435c2e" resource="/policies" action="R"> <user identifier="69d36646-d7cd-33ef-83a7-54d95f67214c"/> </policy> <policy identifier="f4d3b871-7144-3d22-b93d-67110a369647" resource="/policies" action="W"> <user identifier="69d36646-d7cd-33ef-83a7-54d95f67214c"/> </policy> <policy identifier="e6cdf807-d293-3c5c-8123-0b42c4370a7e" resource="/controller" action="R"> <user identifier="69d36646-d7cd-33ef-83a7-54d95f67214c"/> </policy> <policy identifier="03947efb-1e7c-3c42-90ac-ba0ebd1e64fd" resource="/controller" action="W"> <user identifier="69d36646-d7cd-33ef-83a7-54d95f67214c"/> </policy> <policy identifier="015a1025-3be1-13fc-af08-0f6bf4e9285a" resource="/provenance" action="R"> <user identifier="69d36646-d7cd-33ef-83a7-54d95f67214c"/> </policy> </policies> </authorizations> ... View more

Re: Nifi Server dont starts after going secure.

by Guru Guru in Support Questions
‎02-07-2018 06:36 PM
‎02-07-2018 06:36 PM
It appears that you are specifying a different DN string in your command-line invocation of the TLS Toolkit and your initial admin identity: tls-toolkit.bat standalone -n localhost -C "CN=admin,OU=NIFI" <property name="Initial Admin Identity">CN=admin, OU=NIFI</property> There is a space between "admin," and "OU=NIFI" in the IAI property definition, but not in the certificate generation command. These strings need to match for NiFi to authenticate the user via client certificate/LDAP/Kerberos. ... View more

Re: Encrypted NiFi Content Repository

by Guru Guru in Support Questions
‎01-19-2018 04:03 AM
‎01-19-2018 04:03 AM
Hi Alvin, As stated above, I cannot indicate prioritization or scheduling of feature delivery. I am eager to develop this feature, as I am sure many users would like it to be available as well. You can always monitor activity on the Apache NiFi Jira and the mailing lists. ... View more

Re: Apache Nifi - username password for Rest Api

by Guru Guru in Support Questions
‎11-20-2017 06:44 PM
‎11-20-2017 06:44 PM
Hi Andy, Your question is ambiguous -- are you looking to use NiFi to make an external HTTP REST request to some other service, and that service requires a username and password, or are you trying to perform behavior in NiFi (adding templates, process groups, etc.) and want to authenticate to NiFi in order to do this? For the former, you'll need to provide the credentials as an Authorization header via an attribute in the InvokeHTTP (or similar) processor. For the latter, you configure NiFi to use one or more authentication mechanisms -- client certificates, LDAP, Kerberos, or OpenID Connect. All but client certificates use a username/password combination, which you can then exchange for an access token as described in the first link you included. Once you have that auth token, you pass it on each request and NiFi verifies it to prove your identity. ... View more

Re: Setting StandardSSLContext service for listenT...

by Guru Guru in Support Questions
‎11-08-2017 12:50 AM
1 Kudo
‎11-08-2017 12:50 AM
1 Kudo
You need the private key and public key to be stored in a Java Keystore (*.jks) file. You can import the PEM-encoded certificate and key into this form by using the following commands: openssl pkcs12 -export -in server.pem -inkey server.key -out server.p12 -name [some-alias] -chain keytool -importkeystore -deststorepass [yourpassword] -destkeypass [yourpassword] -destkeystore server.jks -srckeystore server.p12 -srcstoretype PKCS12 -srcstorepass [passwordfromabove] -alias [some-alias] When creating the temporary PKCS12 keystore, make sure to provide a password at the prompt, or the Java keytool utility will not accept it. Once you have the server.jks file, populate the properties as follows: Keystore file: path/to/server.jks Keystore password: [yourpassword] Key password: [yourpassword] Keystore type: JKS This will allow your NiFi instance/component to present a server certificate identifying itself and encrypt the channel. However, to connect to external HTTPS services, you will also need to provide a truststore. A truststore is a keystore file that contains only public certificates of other services to allow your system (in this case, NiFi) to trust them. If you have custom organizational certificates, you'll need to build your own truststore here. If you are just connecting to generic internet services, the JRE default should be fine: Truststore file: /Library/Java/JavaVirtualMachines/jdk1.8.0_101.jdk/Contents/Home/jre/lib/security/cacerts (your JRE path may be different) Truststore password: changeit Truststore type: JKS ... View more
Contact Me
Online
Offline
Last Visited
‎04-30-2020 03:53 PM
Community Statistics
Member Since ‎07-30-2019 09:25 AM
Last Visited ‎04-30-2020 03:53 PM
Posts 155
Kudos received 107