Member since 11-08-2024 | 7 Posts | 6 Kudos Received | 0 Solutions
11-22-2024
12:05 AM
1 Kudo
Hello, I've used composite configurable and I don't remember what change I've made in the NiFi Registry, but now I'm getting this error:

2024-11-22 10:59:12,704 ERROR [NiFi Registry Web Server-20] o.s.b.w.servlet.support.ErrorPageFilter Forwarding to error page from request [/access] due to exception [Multiple UserGroupProviders claim to provide user xxx] java.lang.IllegalStateException: Multiple UserGroupProviders claim to provide user xxx

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<authorizers>
    <userGroupProvider>
        <identifier>file-user-group-provider</identifier>
        <class>org.apache.nifi.registry.security.authorization.file.FileUserGroupProvider</class>
        <property name="Users File">./conf/users.xml</property>
        <property name="Initial User Identity 1">CN=nifi0, OU=NIFI</property>
        <property name="Initial User Identity 2">CN=nifi1, OU=NIFI</property>
        <property name="Initial User Identity 3">CN=nifi2, OU=NIFI</property>
    </userGroupProvider>
    <userGroupProvider>
        <identifier>ldap-user-group-provider</identifier>
        <class>org.apache.nifi.registry.security.ldap.tenants.LdapUserGroupProvider</class>
        <property name="Authentication Strategy">SIMPLE</property>
        <property name="Manager DN">ldap_manager_dn</property>
        <property name="Manager Password">ldap_manager_password</property>
        <property name="TLS - Keystore">/opt/certs/registry/keystore.jks</property>
        <property name="TLS - Keystore Password">supersecretkeystore</property>
        <property name="TLS - Keystore Type">JKS</property>
        <property name="TLS - Truststore">/opt/certs/registry/truststore.jks</property>
        <property name="TLS - Truststore Password">supersecrettruststore</property>
        <property name="TLS - Truststore Type">JKS</property>
        <property name="TLS - Client Auth">NONE</property>
        <property name="TLS - Protocol"></property>
        <property name="TLS - Shutdown Gracefully"></property>
        <property name="Referral Strategy">FOLLOW</property>
        <property name="Connect Timeout">10 secs</property>
        <property name="Read Timeout">10 secs</property>
        <property name="Url">ldap_url</property>
        <property name="Page Size"></property>
        <property name="Sync Interval">30 mins</property>
        <property name="Group Membership - Enforce Case Sensitivity">false</property>
        <property name="User Search Base">ldap_user_search_base</property>
        <property name="User Object Class">person</property>
        <property name="User Search Scope">SUBTREE</property>
        <property name="User Search Filter">ldap_user_search_filter_authorizers</property>
        <property name="User Identity Attribute">sAMAccountName</property>
        <property name="User Group Name Attribute">memberof</property>
        <property name="User Group Name Attribute - Referenced Group Attribute"></property>
        <property name="Identity Strategy">USE_USERNAME</property>
        <property name="Group Search Base">ldap_group_search_base</property>
        <property name="Group Object Class">group</property>
        <property name="Group Search Scope">ONE_LEVEL</property>
        <property name="Group Search Filter">(objectClass=group)</property>
        <property name="Group Name Attribute">cn</property>
        <property name="Group Member Attribute">member</property>
        <property name="Group Member Attribute - Referenced User Attribute">sAMAccountName</property>
    </userGroupProvider>
    <userGroupProvider>
        <identifier>composite-configurable-user-group-provider</identifier>
        <class>org.apache.nifi.registry.security.authorization.CompositeConfigurableUserGroupProvider</class>
        <property name="Configurable User Group Provider">file-user-group-provider</property>
        <property name="User Group Provider 1">ldap-user-group-provider</property>
    </userGroupProvider>
    <accessPolicyProvider>
        <identifier>file-access-policy-provider</identifier>
        <class>org.apache.nifi.registry.security.authorization.file.FileAccessPolicyProvider</class>
        <property name="User Group Provider">composite-configurable-user-group-provider</property>
        <property name="Authorizations File">./conf/authorizations.xml</property>
        <property name="Initial Admin Identity">initial_admin_identity</property>
        <property name="NiFi Group Name"></property>
        <property name="Node Identity 1">CN=nifi0, OU=NIFI</property>
        <property name="Node Identity 2">CN=nifi1, OU=NIFI</property>
        <property name="Node Identity 3">CN=nifi2, OU=NIFI</property>
    </accessPolicyProvider>
    <authorizer>
        <identifier>managed-authorizer</identifier>
        <class>org.apache.nifi.registry.security.authorization.StandardManagedAuthorizer</class>
        <property name="Access Policy Provider">file-access-policy-provider</property>
    </authorizer>
</authorizers>
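A way to see the condition that the error above describes, as an added example (not code from the post or from Apache NiFi): a composite provider fails when more than one of its user group providers answers for the same identity, so this script assumes a trimmed, constructed authorizers.xml and users.xml for the file provider and a constructed set of LDAP identities, and reports every identity that two providers would both claim.

```python
"""Report NiFi Registry identities claimed by more than one UserGroupProvider.

Added example; not code from the forum post or from Apache NiFi. The file
provider's identities are the users persisted in users.xml plus the
"Initial User Identity N" properties in authorizers.xml; the LDAP side is a
constructed set standing in for what the LDAP provider would sync.
"""
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed, trimmed copy of the file provider section of authorizers.xml.
AUTHORIZERS_XML = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<authorizers>
  <userGroupProvider>
    <identifier>file-user-group-provider</identifier>
    <class>org.apache.nifi.registry.security.authorization.file.FileUserGroupProvider</class>
    <property name="Users File">./conf/users.xml</property>
    <property name="Initial User Identity 1">CN=nifi0, OU=NIFI</property>
    <property name="Initial User Identity 2">CN=nifi1, OU=NIFI</property>
    <property name="Initial User Identity 3">CN=nifi2, OU=NIFI</property>
  </userGroupProvider>
</authorizers>
"""

# Constructed users.xml as the file provider persists it. The entry "xxx"
# stands for the username the error message named.
USERS_XML = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<tenants>
  <groups/>
  <users>
    <user identifier="1" identity="CN=nifi0, OU=NIFI"/>
    <user identifier="2" identity="CN=nifi1, OU=NIFI"/>
    <user identifier="3" identity="CN=nifi2, OU=NIFI"/>
    <user identifier="4" identity="xxx"/>
  </users>
</tenants>
"""

# Constructed stand-in for the identities the LDAP provider syncs. With
# Identity Strategy USE_USERNAME these are bare sAMAccountName values.
LDAP_IDENTITIES = {"xxx", "alice", "bob"}


def initial_identities(authorizers_xml, provider_id):
    """'Initial User Identity N' values of one userGroupProvider."""
    root = ET.fromstring(authorizers_xml)
    for provider in root.findall("userGroupProvider"):
        if provider.findtext("identifier") != provider_id:
            continue
        return {
            prop.text.strip()
            for prop in provider.findall("property")
            if prop.get("name", "").startswith("Initial User Identity") and prop.text
        }
    return set()


def users_xml_identities(users_xml):
    """Identities already persisted by the file provider."""
    root = ET.fromstring(users_xml)
    return {user.get("identity") for user in root.iter("user")}


def conflicting_identities(providers):
    """Map identity -> sorted provider ids for every identity that more than
    one provider claims. An empty dict means no provider overlap."""
    claims = defaultdict(list)
    for provider_id, identities in providers.items():
        for identity in identities:
            claims[identity].append(provider_id)
    return {i: sorted(p) for i, p in claims.items() if len(p) > 1}


def check(authorizers_xml=AUTHORIZERS_XML, users_xml=USERS_XML, ldap=LDAP_IDENTITIES):
    """Combine both providers' identity sets and return the overlaps."""
    providers = {
        "file-user-group-provider": users_xml_identities(users_xml)
        | initial_identities(authorizers_xml, "file-user-group-provider"),
        "ldap-user-group-provider": set(ldap),
    }
    return conflicting_identities(providers)


if __name__ == "__main__":
    for identity, provider_ids in check().items():
        print(f"{identity!r} is claimed by: {', '.join(provider_ids)}")
```

Point the script at the real users.xml and an export of the LDAP usernames and an empty result means the composite provider has nothing to complain about.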
11-19-2024
12:21 AM
1 Kudo
Is there anyone who can help me, please?
11-18-2024
12:12 AM
1 Kudo
I have already adjusted the NiFi Registry authorizers.xml configuration as follows:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<authorizers>
    <userGroupProvider>
        <identifier>file-user-group-provider</identifier>
        <class>org.apache.nifi.registry.security.authorization.file.FileUserGroupProvider</class>
        <property name="Users File">./conf/users.xml</property>
        <property name="Legacy Authorized Users File"></property>
        <property name="Initial User Identity 1">CN=nifi0, OU=NIFI</property>
        <property name="Initial User Identity 2">CN=nifi1, OU=NIFI</property>
        <property name="Initial User Identity 3">CN=nifi2, OU=NIFI</property>
        <property name="Initial User Identity 4">CN=localhost, OU=NIFI</property>
    </userGroupProvider>
    <userGroupProvider>
        <identifier>ldap-user-group-provider</identifier>
        <class>org.apache.nifi.registry.security.ldap.tenants.LdapUserGroupProvider</class>
        <property name="Authentication Strategy">SIMPLE</property>
        <property name="Manager DN">ldap_manager_dn</property>
        <property name="Manager Password">ldap_manager_password</property>
        <property name="TLS - Keystore">/opt/certs/registry/keystore.jks</property>
        <property name="TLS - Keystore Password">supersecretkeystore</property>
        <property name="TLS - Keystore Type">JKS</property>
        <property name="TLS - Truststore">/opt/certs/registry/truststore.jks</property>
        <property name="TLS - Truststore Password">supersecrettruststore</property>
        <property name="TLS - Truststore Type">JKS</property>
        <property name="TLS - Client Auth">NONE</property>
        <property name="TLS - Protocol"></property>
        <property name="TLS - Shutdown Gracefully"></property>
        <property name="Referral Strategy">FOLLOW</property>
        <property name="Connect Timeout">10 secs</property>
        <property name="Read Timeout">10 secs</property>
        <property name="Url">ldap_url</property>
        <property name="Page Size"></property>
        <property name="Sync Interval">30 mins</property>
        <property name="Group Membership - Enforce Case Sensitivity">false</property>
        <property name="User Search Base">ldap_user_search_base</property>
        <property name="User Object Class">person</property>
        <property name="User Search Scope">SUBTREE</property>
        <property name="User Search Filter">ldap_user_search_filter_authorizers</property>
        <property name="User Identity Attribute">sAMAccountName</property>
        <property name="User Group Name Attribute">memberof</property>
        <property name="User Group Name Attribute - Referenced Group Attribute"></property>
        <property name="Identity Strategy">USE_USERNAME</property>
        <property name="Group Search Base">ldap_group_search_base</property>
        <property name="Group Object Class">group</property>
        <property name="Group Search Scope">ONE_LEVEL</property>
        <property name="Group Search Filter">(objectClass=group)</property>
        <property name="Group Name Attribute">cn</property>
        <property name="Group Member Attribute">member</property>
        <property name="Group Member Attribute - Referenced User Attribute">sAMAccountName</property>
    </userGroupProvider>
    <userGroupProvider>
        <identifier>composite-user-group-provider</identifier>
        <class>org.apache.nifi.registry.security.authorization.CompositeUserGroupProvider</class>
        <property name="User Group Provider 1">file-user-group-provider</property>
        <property name="User Group Provider 2">ldap-user-group-provider</property>
    </userGroupProvider>
    <accessPolicyProvider>
        <identifier>file-access-policy-provider</identifier>
        <class>org.apache.nifi.registry.security.authorization.file.FileAccessPolicyProvider</class>
        <property name="User Group Provider">composite-user-group-provider</property>
        <property name="Authorizations File">./conf/authorizations.xml</property>
        <property name="Initial Admin Identity">initial_admin_identity</property>
        <property name="Legacy Authorized Users File"></property>
        <property name="Node Identity 1">CN=nifi0, OU=NIFI</property>
        <property name="Node Identity 2">CN=nifi1, OU=NIFI</property>
        <property name="Node Identity 3">CN=nifi2, OU=NIFI</property>
        <property name="Node Group"></property>
    </accessPolicyProvider>
    <authorizer>
        <identifier>managed-authorizer</identifier>
        <class>org.apache.nifi.registry.security.authorization.StandardManagedAuthorizer</class>
        <property name="Access Policy Provider">file-access-policy-provider</property>
    </authorizer>
</authorizers>

And I've set up the required policies for the NiFi nodes, but there is still no available bucket in NiFi.
11-15-2024
04:34 AM
1 Kudo
This is the complete configuration for all packages. What should I correct, please?

namespace: "namespace"
nameOverride: ""
fullnameOverride: "dt-service"

serviceAccount:
  create: false

ingress:
  enabled: true
  className: "nginx"
  annotations:
    nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
    nginx.ingress.kubernetes.io/ssl-passthrough: "true"
  hosts:
    - host: service_url
      paths:
        - path: /
          pathType: Prefix
          backend:
            service:
              name: nifi-proxy-service
              port:
                number: 8444
    - host: registry_service_url
      paths:
        - path: /
          pathType: Prefix
          backend:
            service:
              name: nifi-registry-service
              port:
                number: 18443
  tls:
    - secretName: app_tls_secret_name
      hosts:
        - service_url
        - registry_service_url

### PROXY ###
proxy:
  replicaCount: 1
  imagePullSecrets:
    - name: secret
  restartPolicy: Always
  autoscaling:
    enabled: false
    minReplicas: 1
    maxReplicas: 3
    targetCPUUtilizationPercentage: 80
    targetMemoryUtilizationPercentage: 80
  image:
    repository: nginx_image
    pullPolicy: IfNotPresent
    tag: "nginx_version"
  service:
    type: NodePort
    port: 8444
    nodePort: 30844
  env: []
  volumeMounts:
    - name: nginx-conf
      mountPath: /etc/nginx/nginx.conf
      subPath: nginx.conf
    - name: ssl-certificates
      mountPath: /etc/nginx/ssl
    - name: nifi-certs
      mountPath: /opt/certs
  volumes:
    - name: nginx-conf
      configMap:
        name: nifiproxy-configmap
    - name: ssl-certificates
      secret:
        secretName: app_tls_secret_name
    - name: nifi-certs
      persistentVolumeClaim:
        claimName: nifi-certs-pvc
  resources:
    limits:
      cpu: 100m
      memory: 128Mi
    requests:
      cpu: 100m
      memory: 128Mi

### NIFI0 ###
nifi0:
  replicaCount: 1
  imagePullSecrets:
    - name: secret
  restartPolicy: Always
  autoscaling:
    enabled: false
    minReplicas: 1
    maxReplicas: 3
    targetCPUUtilizationPercentage: 80
    targetMemoryUtilizationPercentage: 80
  image:
    repository: nifi_image
    pullPolicy: IfNotPresent
    tag: "nifi_version"
  service:
    type: ClusterIP
    port: 8443
  env:
    - name: NIFI_WEB_HTTPS_PORT
      value: "8443"
    - name: NIFI_CLUSTER_IS_NODE
      value: "true"
    - name: NIFI_ZK_CONNECT_STRING
      value: "nifi-zookeeper-service:2181"
    - name: NIFI_ELECTION_MAX_WAIT
      value: "30 sec"
    - name: NIFI_ELECTION_MAX_CANDIDATES
      value: "1"
    - name: NIFI_SENSITIVE_PROPS_KEY
      value: "xxx"
    - name: NIFI_CLUSTER_NODE_PROTOCOL_PORT
      value: "8082"
    - name: NIFI_WEB_PROXY_HOST
      value: "nifi_web_proxy_host"
    - name: KEYSTORE_TYPE
      value: "JKS"
    - name: KEYSTORE_PASSWORD
      value: "xxx"
    - name: TRUSTSTORE_TYPE
      value: "JKS"
    - name: TRUSTSTORE_PASSWORD
      value: "xxx"
    - name: NIFI_CLUSTER_ADDRESS
      value: "nifi0"
    - name: NIFI_WEB_HTTPS_HOST
      value: "xxx"
    - name: KEYSTORE_PATH
      value: "/opt/certs/nifi0/keystore.jks"
    - name: TRUSTSTORE_PATH
      value: "/opt/certs/nifi0/truststore.jks"
    ### LDAP ###
    - name: AUTH
      value: "ldap"
    - name: NIFI_SECURITY_USER_LOGIN_IDENTITY_PROVIDER
      value: "ldap-provider"
    - name: NIFI_SECURITY_USER_AUTHORIZER
      value: "managed-authorizer"
    - name: INITIAL_ADMIN_IDENTITY
      value: "initial_admin_identity"
    - name: LDAP_AUTHENTICATION_STRATEGY
      value: "SIMPLE"
    - name: LDAP_MANAGER_DN
      value: "ldap_manager_dn"
    - name: LDAP_MANAGER_PASSWORD
      value: "ldap_manager_password"
    - name: LDAP_USER_SEARCH_BASE
      value: "ldap_user_search_base"
    - name: LDAP_USER_SEARCH_FILTER
      value: "ldap_user_search_filter"
    - name: LDAP_GROUP_SEARCH_BASE
      value: "ldap_user_search_filter_authorizers"
    - name: LDAP_IDENTITY_STRATEGY
      value: "USE_USERNAME"
    - name: LDAP_URL
      value: "ldap_url"
  securityContext:
    runAsUser: 1000
  initContainers:
    - name: init-conf
      image: nifi_image:nifi_version
      command: [ "sh", "-c", "cp -r /opt/nifi/nifi-current/conf/*.conf /mnt/nifi-conf/; cp -r /opt/nifi/nifi-current/conf/*.xml /mnt/nifi-conf/; cp -r /opt/nifi/nifi-current/conf/*.properties /mnt/nifi-conf/", ]
      volumeMounts:
        - name: nifi0-conf
          mountPath: /mnt/nifi-conf
        - name: nifi-authorizers
          mountPath: /opt/nifi/nifi-current/conf/nifi0-authorizers.xml
          subPath: nifi0-authorizers.xml
        - name: nifi-bootstrap
          mountPath: /opt/nifi/nifi-current/conf/nifi-bootstrap.conf
          subPath: nifi-bootstrap.conf
  command:
    - "/bin/bash"
    - "-c"
    - |
      cp /mnt/jar/*.jar /opt/nifi/nifi-current/lib/ && \
      echo -n | openssl s_client -connect registry_service_url:443 |sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > cacert.crt && \
      cp /opt/certs/nifi0/*.jks /opt/nifi/nifi-current && \
      keytool -delete -alias nifi-registry-cert -keystore /opt/nifi/nifi-current/truststore.jks -storepass xxx || echo "Alias not found, skipping delete" && \
      keytool -import -trustcacerts -file ./cacert.crt -keystore /opt/nifi/nifi-current/truststore.jks -storepass xxx -noprompt -alias nifi-registry-cert && \
      cp /opt/nifi/nifi-current/conf/nifi-bootstrap.conf /opt/nifi/nifi-current/conf/bootstrap.conf && \
      cp /opt/nifi/nifi-current/conf/nifi0-authorizers.xml /opt/nifi/nifi-current/conf/authorizers.xml && \
      sed -i 's/nifi.ui.banner.text=.*/nifi.ui.banner.text=nifi (v1.27.0)/' /opt/nifi/nifi-current/conf/nifi.properties && \
      ../scripts/start.sh
  volumeMounts:
    - name: nifi-certs
      mountPath: /opt/certs
    - name: nifi-jar
      mountPath: /mnt/jar
    - name: timezone
      mountPath: /etc/timezone
      subPath: timezone
    - name: nifi0-conf
      mountPath: /opt/nifi/nifi-current/conf
    - name: nifi0-extensions
      mountPath: /opt/nifi/nifi-current/extensions
    - name: nifi0-database-repository
      mountPath: /opt/nifi/nifi-current/database_repository
    - name: nifi0-flowfile-repository
      mountPath: /opt/nifi/nifi-current/flowfile_repository
    - name: nifi0-content-repository
      mountPath: /opt/nifi/nifi-current/content_repository
    - name: nifi0-provenance-repository
      mountPath: /opt/nifi/nifi-current/provenance-repository
    - name: nifi0-state
      mountPath: /opt/nifi/nifi-current/state
    - name: nifi0-logs
      mountPath: /opt/nifi/nifi-current/logs
    - name: nifi-logback
      mountPath: /opt/nifi/nifi-current/conf/logback.xml
      subPath: logback.xml
  volumes:
    - name: nifi-certs
      persistentVolumeClaim:
        claimName: nifi-certs-pvc
    - name: nifi-jar
      persistentVolumeClaim:
        claimName: nifi-jar-pvc
    - name: timezone
      configMap:
        name: timezone-configmap
    - name: nifi0-conf
      persistentVolumeClaim:
        claimName: nifi0-conf-pvc
    - name: nifi0-extensions
      persistentVolumeClaim:
        claimName: nifi0-extensions-pvc
    - name: nifi0-database-repository
      persistentVolumeClaim:
        claimName: nifi0-database-repository-pvc
    - name: nifi0-flowfile-repository
      persistentVolumeClaim:
        claimName: nifi0-flowfile-repository-pvc
    - name: nifi0-content-repository
      persistentVolumeClaim:
        claimName: nifi0-content-repository-pvc
    - name: nifi0-provenance-repository
      persistentVolumeClaim:
        claimName: nifi0-provenance-repository-pvc
    - name: nifi0-state
      persistentVolumeClaim:
        claimName: nifi0-state-pvc
    - name: nifi0-logs
      persistentVolumeClaim:
        claimName: nifi0-logs-pvc
    - name: nifi-authorizers
      configMap:
        name: nifi-authorizers-configmap
    - name: nifi-bootstrap
      configMap:
        name: nifi-bootstrap-configmap
    - name: nifi-logback
      configMap:
        name: nifi-logback-configmap
  resources:
    requests:
      cpu: 1
      memory: 1Gi
    limits:
      cpu: 2
      memory: 2Gi

### NIFI1 ###
nifi1:
  replicaCount: 1
  imagePullSecrets:
    - name: secret
  restartPolicy: Always
  autoscaling:
    enabled: false
    minReplicas: 1
    maxReplicas: 3
    targetCPUUtilizationPercentage: 80
    targetMemoryUtilizationPercentage: 80
  image:
    repository: nifi_image
    pullPolicy: IfNotPresent
    tag: "nifi_version"
  service:
    type: ClusterIP
    port: 8443
  env:
    - name: NIFI_WEB_HTTPS_PORT
      value: "8443"
    - name: NIFI_CLUSTER_IS_NODE
      value: "true"
    - name: NIFI_ZK_CONNECT_STRING
      value: "nifi-zookeeper-service:2181"
    - name: NIFI_ELECTION_MAX_WAIT
      value: "30 sec"
    - name: NIFI_ELECTION_MAX_CANDIDATES
      value: "1"
    - name: NIFI_SENSITIVE_PROPS_KEY
      value: "xxx"
    - name: NIFI_CLUSTER_NODE_PROTOCOL_PORT
      value: "8082"
    - name: NIFI_WEB_PROXY_HOST
      value: "nifi_web_proxy_host"
    - name: KEYSTORE_TYPE
      value: "JKS"
    - name: KEYSTORE_PASSWORD
      value: "xxx"
    - name: TRUSTSTORE_TYPE
      value: "JKS"
    - name: TRUSTSTORE_PASSWORD
      value: "xxx"
    - name: NIFI_CLUSTER_ADDRESS
      value: "nifi1"
    - name: NIFI_WEB_HTTPS_HOST
      value: "nifi1"
    - name: KEYSTORE_PATH
      value: "/opt/certs/nifi1/keystore.jks"
    - name: TRUSTSTORE_PATH
      value: "/opt/certs/nifi1/truststore.jks"
    ### LDAP ###
    - name: AUTH
      value: "ldap"
    - name: NIFI_SECURITY_USER_LOGIN_IDENTITY_PROVIDER
      value: "ldap-provider"
    - name: NIFI_SECURITY_USER_AUTHORIZER
      value: "managed-authorizer"
    - name: INITIAL_ADMIN_IDENTITY
      value: "initial_admin_identity"
    - name: LDAP_AUTHENTICATION_STRATEGY
      value: "SIMPLE"
    - name: LDAP_MANAGER_DN
      value: "ldap_manager_dn"
    - name: LDAP_MANAGER_PASSWORD
      value: "ldap_manager_password"
    - name: LDAP_USER_SEARCH_BASE
      value: "ldap_user_search_base"
    - name: LDAP_USER_SEARCH_FILTER
      value: "ldap_user_search_filter"
    - name: LDAP_GROUP_SEARCH_BASE
      value: "ldap_user_search_filter_authorizers"
    - name: LDAP_IDENTITY_STRATEGY
      value: "USE_USERNAME"
    - name: LDAP_URL
      value: "ldap_url"
  securityContext:
    runAsUser: 1000
  initContainers:
    - name: init-conf
      image: nifi_image:nifi_version
      command: [ "sh", "-c", "cp -r /opt/nifi/nifi-current/conf/*.conf /mnt/nifi-conf/; cp -r /opt/nifi/nifi-current/conf/*.xml /mnt/nifi-conf/; cp -r /opt/nifi/nifi-current/conf/*.properties /mnt/nifi-conf/", ]
      volumeMounts:
        - name: nifi1-conf
          mountPath: /mnt/nifi-conf
        - name: nifi-authorizers
          mountPath: /opt/nifi/nifi-current/conf/nifi1-authorizers.xml
          subPath: nifi1-authorizers.xml
        - name: nifi-bootstrap
          mountPath: /opt/nifi/nifi-current/conf/nifi-bootstrap.conf
          subPath: nifi-bootstrap.conf
  command:
    - "/bin/bash"
    - "-c"
    - |
      cp /mnt/jar/*.jar /opt/nifi/nifi-current/lib/ && \
      echo -n | openssl s_client -connect registry_service_url:443 |sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > cacert.crt && \
      cp /opt/certs/nifi1/*.jks /opt/nifi/nifi-current && \
      keytool -delete -alias nifi-registry-cert -keystore /opt/nifi/nifi-current/truststore.jks -storepass xxx || echo "Alias not found, skipping delete" && \
      keytool -import -trustcacerts -file ./cacert.crt -keystore /opt/nifi/nifi-current/truststore.jks -storepass xxx -noprompt -alias nifi-registry-cert && \
      cp /opt/nifi/nifi-current/conf/nifi-bootstrap.conf /opt/nifi/nifi-current/conf/bootstrap.conf && \
      cp /opt/nifi/nifi-current/conf/nifi1-authorizers.xml /opt/nifi/nifi-current/conf/authorizers.xml && \
      sed -i 's/nifi.ui.banner.text=.*/nifi.ui.banner.text=nifi (v1.27.0)/' /opt/nifi/nifi-current/conf/nifi.properties && \
      ../scripts/start.sh
  volumeMounts:
    - name: nifi-certs
      mountPath: /opt/certs
    - name: nifi-jar
      mountPath: /mnt/jar
    - name: timezone
      mountPath: /etc/timezone
      subPath: timezone
    - name: nifi1-conf
      mountPath: /opt/nifi/nifi-current/conf
    - name: nifi1-extensions
      mountPath: /opt/nifi/nifi-current/extensions
    - name: nifi1-database-repository
      mountPath: /opt/nifi/nifi-current/database_repository
    - name: nifi1-flowfile-repository
      mountPath: /opt/nifi/nifi-current/flowfile_repository
    - name: nifi1-content-repository
      mountPath: /opt/nifi/nifi-current/content_repository
    - name: nifi1-provenance-repository
      mountPath: /opt/nifi/nifi-current/provenance-repository
    - name: nifi1-state
      mountPath: /opt/nifi/nifi-current/state
    - name: nifi1-logs
      mountPath: /opt/nifi/nifi-current/logs
    - name: nifi-logback
      mountPath: /opt/nifi/nifi-current/conf/logback.xml
      subPath: logback.xml
  volumes:
    - name: nifi-certs
      persistentVolumeClaim:
        claimName: nifi-certs-pvc
    - name: nifi-jar
      persistentVolumeClaim:
        claimName: nifi-jar-pvc
    - name: timezone
      configMap:
        name: timezone-configmap
    - name: nifi1-conf
      persistentVolumeClaim:
        claimName: nifi1-conf-pvc
    - name: nifi1-extensions
      persistentVolumeClaim:
        claimName: nifi1-extensions-pvc
    - name: nifi1-database-repository
      persistentVolumeClaim:
        claimName: nifi1-database-repository-pvc
    - name: nifi1-flowfile-repository
      persistentVolumeClaim:
        claimName: nifi1-flowfile-repository-pvc
    - name: nifi1-content-repository
      persistentVolumeClaim:
        claimName: nifi1-content-repository-pvc
    - name: nifi1-provenance-repository
      persistentVolumeClaim:
        claimName: nifi1-provenance-repository-pvc
    - name: nifi1-state
      persistentVolumeClaim:
        claimName: nifi1-state-pvc
    - name: nifi1-logs
      persistentVolumeClaim:
        claimName: nifi1-logs-pvc
    - name: nifi-authorizers
      configMap:
        name: nifi-authorizers-configmap
    - name: nifi-bootstrap
      configMap:
        name: nifi-bootstrap-configmap
    - name: nifi-logback
      configMap:
        name: nifi-logback-configmap
  resources:
    requests:
      cpu: 1
      memory: 1Gi
    limits:
      cpu: 2
      memory: 2Gi

### NIFI2 ###
nifi2:
  replicaCount: 1
  imagePullSecrets:
    - name: secret
  restartPolicy: Always
  autoscaling:
    enabled: false
    minReplicas: 1
    maxReplicas: 3
    targetCPUUtilizationPercentage: 80
    targetMemoryUtilizationPercentage: 80
  image:
    repository: nifi_image
    pullPolicy: IfNotPresent
    tag: "nifi_version"
  service:
    type: ClusterIP
    port: 8443
  env:
    - name: NIFI_WEB_HTTPS_PORT
      value: "8443"
    - name: NIFI_CLUSTER_IS_NODE
      value: "true"
    - name: NIFI_ZK_CONNECT_STRING
      value: "nifi-zookeeper-service:2181"
    - name: NIFI_ELECTION_MAX_WAIT
      value: "30 sec"
    - name: NIFI_ELECTION_MAX_CANDIDATES
      value: "1"
    - name: NIFI_SENSITIVE_PROPS_KEY
      value: "xxx"
    - name: NIFI_CLUSTER_NODE_PROTOCOL_PORT
      value: "8082"
    - name: NIFI_WEB_PROXY_HOST
      value: "nifi_web_proxy_host"
    - name: KEYSTORE_TYPE
      value: "JKS"
    - name: KEYSTORE_PASSWORD
      value: "xxx"
    - name: TRUSTSTORE_TYPE
      value: "JKS"
    - name: TRUSTSTORE_PASSWORD
      value: "xxx"
    - name: NIFI_CLUSTER_ADDRESS
      value: "nifi2"
    - name: NIFI_WEB_HTTPS_HOST
      value: "nifi2"
    - name: KEYSTORE_PATH
      value: "/opt/certs/nifi2/keystore.jks"
    - name: TRUSTSTORE_PATH
      value: "/opt/certs/nifi2/truststore.jks"
    ### LDAP ###
    - name: AUTH
      value: "ldap"
    - name: NIFI_SECURITY_USER_LOGIN_IDENTITY_PROVIDER
      value: "ldap-provider"
    - name: NIFI_SECURITY_USER_AUTHORIZER
      value: "managed-authorizer"
    - name: INITIAL_ADMIN_IDENTITY
      value: "initial_admin_identity"
    - name: LDAP_AUTHENTICATION_STRATEGY
      value: "SIMPLE"
    - name: LDAP_MANAGER_DN
      value: "ldap_manager_dn"
    - name: LDAP_MANAGER_PASSWORD
      value: "ldap_manager_password"
    - name: LDAP_USER_SEARCH_BASE
      value: "ldap_user_search_base"
    - name: LDAP_USER_SEARCH_FILTER
      value: "ldap_user_search_filter"
    - name: LDAP_GROUP_SEARCH_BASE
      value: "ldap_user_search_filter_authorizers"
    - name: LDAP_IDENTITY_STRATEGY
      value: "USE_USERNAME"
    - name: LDAP_URL
      value: "ldap_url"
  securityContext:
    runAsUser: 1000
  initContainers:
    - name: init-conf
      image: nifi_image:nifi_version
      command: [ "sh", "-c", "cp -r /opt/nifi/nifi-current/conf/*.conf /mnt/nifi-conf/; cp -r /opt/nifi/nifi-current/conf/*.xml /mnt/nifi-conf/; cp -r /opt/nifi/nifi-current/conf/*.properties /mnt/nifi-conf/", ]
      volumeMounts:
        - name: nifi2-conf
          mountPath: /mnt/nifi-conf
        - name: nifi-authorizers
          mountPath: /opt/nifi/nifi-current/conf/nifi2-authorizers.xml
          subPath: nifi2-authorizers.xml
        - name: nifi-bootstrap
          mountPath: /opt/nifi/nifi-current/conf/nifi-bootstrap.conf
          subPath: nifi-bootstrap.conf
  command:
    - "/bin/bash"
    - "-c"
    - |
      cp /mnt/jar/*.jar /opt/nifi/nifi-current/lib/ && \
      echo -n | openssl s_client -connect registry_service_url:443 |sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > cacert.crt && \
      cp /opt/certs/nifi2/*.jks /opt/nifi/nifi-current && \
      keytool -delete -alias nifi-registry-cert -keystore /opt/nifi/nifi-current/truststore.jks -storepass xxx || echo "Alias not found, skipping delete" && \
      keytool -import -trustcacerts -file ./cacert.crt -keystore /opt/nifi/nifi-current/truststore.jks -storepass xxx -noprompt -alias nifi-registry-cert && \
      cp /opt/nifi/nifi-current/conf/nifi-bootstrap.conf /opt/nifi/nifi-current/conf/bootstrap.conf && \
      cp /opt/nifi/nifi-current/conf/nifi2-authorizers.xml /opt/nifi/nifi-current/conf/authorizers.xml && \
      sed -i 's/nifi.ui.banner.text=.*/nifi.ui.banner.text=nifi (v1.27.0)/' /opt/nifi/nifi-current/conf/nifi.properties && \
      ../scripts/start.sh
  volumeMounts:
    - name: nifi-certs
      mountPath: /opt/certs
    - name: nifi-jar
      mountPath: /mnt/jar
    - name: timezone
      mountPath: /etc/timezone
      subPath: timezone
    - name: nifi2-conf
      mountPath: /opt/nifi/nifi-current/conf
    - name: nifi2-extensions
      mountPath: /opt/nifi/nifi-current/extensions
    - name: nifi2-database-repository
      mountPath: /opt/nifi/nifi-current/database_repository
    - name: nifi2-flowfile-repository
      mountPath: /opt/nifi/nifi-current/flowfile_repository
    - name: nifi2-content-repository
      mountPath: /opt/nifi/nifi-current/content_repository
    - name: nifi2-provenance-repository
      mountPath: /opt/nifi/nifi-current/provenance-repository
    - name: nifi2-state
      mountPath: /opt/nifi/nifi-current/state
    - name: nifi2-logs
      mountPath: /opt/nifi/nifi-current/logs
    - name: nifi-logback
      mountPath: /opt/nifi/nifi-current/conf/logback.xml
      subPath: logback.xml
  volumes:
    - name: nifi-certs
      persistentVolumeClaim:
        claimName: nifi-certs-pvc
    - name: nifi-jar
      persistentVolumeClaim:
        claimName: nifi-jar-pvc
    - name: timezone
      configMap:
        name: timezone-configmap
    - name: nifi2-conf
      persistentVolumeClaim:
        claimName: nifi2-conf-pvc
    - name: nifi2-extensions
      persistentVolumeClaim:
        claimName: nifi2-extensions-pvc
    - name: nifi2-database-repository
      persistentVolumeClaim:
        claimName: nifi2-database-repository-pvc
    - name: nifi2-flowfile-repository
      persistentVolumeClaim:
        claimName: nifi2-flowfile-repository-pvc
    - name: nifi2-content-repository
      persistentVolumeClaim:
        claimName: nifi2-content-repository-pvc
    - name: nifi2-provenance-repository
      persistentVolumeClaim:
        claimName: nifi2-provenance-repository-pvc
    - name: nifi2-state
      persistentVolumeClaim:
        claimName: nifi2-state-pvc
    - name: nifi2-logs
      persistentVolumeClaim:
        claimName: nifi2-logs-pvc
    - name: nifi-authorizers
      configMap:
        name: nifi-authorizers-configmap
    - name: nifi-bootstrap
      configMap:
        name: nifi-bootstrap-configmap
    - name: nifi-logback
      configMap:
        name: nifi-logback-configmap
  resources:
    requests:
      cpu: 1
      memory: 1Gi
    limits:
      cpu: 2
      memory: 2Gi

### ZOOKEEPER ###
zookeeper:
  replicaCount: 1
  imagePullSecrets:
    - name: secret
  restartPolicy: Always
  image:
    repository: zookeeper_image
    pullPolicy: IfNotPresent
    tag: "zookeeper_version"
  service:
    type: ClusterIP
    port: 2181
  env:
    - name: ALLOW_ANONYMOUS_LOGIN
      value: "yes"
  volumeMounts: []
  volumes: []
  resources:
    requests:
      cpu: 500m
      memory: 1Gi
    limits:
      cpu: 1
      memory: 2Gi

### TOOLKIT ###
toolkit:
  replicaCount: 1
  imagePullSecrets:
    - name: secret
  restartPolicy: Never
  image:
    repository: nifi_toolkit_image
    pullPolicy: IfNotPresent
    tag: "nifi_version"
  service:
    type: ClusterIP
    port: 80
  env: []
  securityContext:
    runAsUser: 1000
  command:
    - "bash"
    - "-c"
    - "/opt/nifi-toolkit/*/bin/tls-toolkit.sh standalone -o /opt/certs -n nifi[0-2] -C 'CN=initial_admin_identity' -P xxx -K xxx -S xxx; /opt/nifi-toolkit/*/bin/tls-toolkit.sh standalone -o /opt/certs -n registry -P xxx -K xxx -S xxx; chown -R nifi:nifi /opt/certs"
  volumeMounts:
    - name: nifi-certs
      mountPath: /opt/certs
  volumes:
    - name: nifi-certs
      persistentVolumeClaim:
        claimName: nifi-certs-pvc
  resources:
    limits:
      cpu: 100m
      memory: 128Mi
    requests:
      cpu: 100m
      memory: 128Mi

### NIFI REGISTRY ###
nifiregistry:
  replicaCount: 1
  imagePullSecrets:
    - name: secret
  restartPolicy: Always
  autoscaling:
    enabled: false
    minReplicas: 1
    maxReplicas: 3
    targetCPUUtilizationPercentage: 80
    targetMemoryUtilizationPercentage: 80
  image:
    repository: nifi_registry_image
    pullPolicy: IfNotPresent
    tag: "nifi_version"
  service:
    type: NodePort
    port: 18443
    nodePort: 30843
  env:
    - name: NIFI_REGISTRY_WEB_HTTPS_PORT
      value: "18443"
    - name: NIFI_REGISTRY_SECURITY_NEED_CLIENT_AUTH
      value: "true"
    ### CERTIFICATE ###
    - name: KEYSTORE_TYPE
      value: "JKS"
    - name: KEYSTORE_PASSWORD
      value: "xxx"
    - name: TRUSTSTORE_TYPE
      value: "JKS"
    - name: TRUSTSTORE_PASSWORD
      value: "xxx"
    - name: KEYSTORE_PATH
      value: "/opt/certs/registry/keystore.jks"
    - name: TRUSTSTORE_PATH
      value: "/opt/certs/registry/truststore.jks"
    ### LDAP ###
    - name: AUTH
      value: "ldap"
    - name: NIFI_SECURITY_USER_LOGIN_IDENTITY_PROVIDER
      value: "ldap-provider"
    - name: NIFI_SECURITY_USER_AUTHORIZER
      value: "managed-authorizer"
    - name: INITIAL_ADMIN_IDENTITY
      value: "initial_admin_identity"
    - name: LDAP_AUTHENTICATION_STRATEGY
      value: "SIMPLE"
    - name: LDAP_MANAGER_DN
      value: "ldap_manager_dn"
    - name: LDAP_MANAGER_PASSWORD
      value: "ldap_manager_password"
    - name: LDAP_USER_SEARCH_BASE
      value: "ldap_user_search_base"
    - name: LDAP_USER_SEARCH_FILTER
      value: "ldap_user_search_filter"
    - name: LDAP_GROUP_SEARCH_BASE
      value: "ldap_user_search_filter_authorizers"
    - name: LDAP_IDENTITY_STRATEGY
      value: "USE_USERNAME"
    - name: LDAP_URL
      value: "ldap_url"
  securityContext:
    runAsUser: 1000
  initContainers:
    - name: init-conf
      image: nifi_registry_image:nifi_version
      command:
        - "sh"
        - "-c"
        - |
          cp -r /opt/nifi-registry/nifi-registry-current/conf/*.conf /mnt/nifi-conf/ && \
          cp -r /opt/nifi-registry/nifi-registry-current/conf/*.xml /mnt/nifi-conf/ && \
          cp -r /opt/nifi-registry/nifi-registry-current/conf/*.properties /mnt/nifi-conf/
      volumeMounts:
        - name: nifiregistry-conf
          mountPath: /mnt/nifi-conf
        - name: registry-authorizers
          mountPath: /opt/nifi-registry/nifi-registry-current/conf/registry-authorizers.xml
          subPath: registry-authorizers.xml
  command:
    - "/bin/bash"
    - "-c"
    - |
      echo -n | openssl s_client -connect service_url:443 |sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > cacert.crt && \
      keytool -delete -alias nifi-cert -keystore /opt/certs/registry/truststore.jks -storepass xxx || echo "Alias not found, skipping delete" && \
      keytool -import -trustcacerts -file ./cacert.crt -keystore /opt/certs/registry/truststore.jks -storepass xxx -noprompt -alias nifi-cert && \
      cp /opt/nifi-registry/nifi-registry-current/conf/registry-authorizers.xml /opt/nifi-registry/nifi-registry-current/conf/authorizers.xml && \
      sed -i 's/^nifi.registry.security.needClientAuth=false/nifi.registry.security.needClientAuth=true/' /opt/nifi-registry/nifi-registry-current/conf/nifi-registry.properties && \
      ../scripts/start.sh
  volumeMounts:
    - name: nifi-certs
      mountPath: /opt/certs
    - name: timezone
      mountPath: /etc/timezone
      subPath: timezone
    - name: nifiregistry-conf
      mountPath: /opt/nifi-registry/nifi-registry-current/conf
    - name: nifiregistry-database
      mountPath: /opt/nifi-registry/nifi-registry-current/database
    - name: nifiregistry-ext
      mountPath: /opt/nifi-registry/nifi-registry-current/ext
    - name: nifiregistry-ext-bundles
      mountPath: /opt/nifi-registry/nifi-registry-current/extension_bundles
    - name: nifiregistry-flow-storage
      mountPath: /opt/nifi-registry/nifi-registry-current/flow_storage
    - name: nifiregistry-flow-storage-versioned
      mountPath: /opt/nifi-registry/nifi-registry-current/versioned_flows
    - name: nifi-providers
      mountPath: /opt/nifi-registry/nifi-registry-current/conf/providers.xml
      subPath: providers.xml
    - name: nifiregistry-logs
      mountPath: /opt/nifi-registry/nifi-registry-current/logs
  volumes:
    - name: nifi-certs
      persistentVolumeClaim:
        claimName: nifi-certs-pvc
    - name: timezone
      configMap:
        name: timezone-configmap
    - name: nifiregistry-conf
      persistentVolumeClaim:
        claimName: nifiregistry-conf-pvc
    - name: nifiregistry-database
      persistentVolumeClaim:
        claimName: nifiregistry-database-pvc
    - name: nifiregistry-ext
      persistentVolumeClaim:
        claimName: nifiregistry-ext-pvc
    - name: nifiregistry-ext-bundles
      persistentVolumeClaim:
        claimName: nifiregistry-ext-bundles-pvc
    - name: nifiregistry-flow-storage
      persistentVolumeClaim:
        claimName: nifiregistry-flow-storage-pvc
    - name: nifiregistry-flow-storage-versioned
      persistentVolumeClaim:
        claimName: nifiregistry-flow-storage-versioned-pvc
    - name: nifi-providers
      configMap:
        name: nifi-registry-providers-configmap
    - name: nifiregistry-logs
      persistentVolumeClaim:
        claimName: nifiregistry-logs-pvc
    - name: registry-authorizers
      configMap:
        name: registry-authorizers-configmap
  resources:
    requests:
      cpu: 500m
      memory: 1Gi
    limits:
      cpu: 1
      memory: 2Gi

### STORAGE ###
storage:
  accessModes:
    - ReadWriteOnce
  server: nfs_host
  basePath: host_path
  services:
    nifi-certs:
      path: certs
      size: 100Mi
    nifi-jar:
      path: jar
      size: 100Mi
    ## NIFI 0 ##
    nifi0-conf:
      path: nifi0/conf
      size: 1Gi
    nifi0-extensions:
      path: nifi0/extensions
      size: 1Gi
    nifi0-database-repository:
      path: nifi0/database_repository
      size: 1Gi
    nifi0-flowfile-repository:
      path: nifi0/flowfile_repository
      size: 1Gi
    nifi0-content-repository:
      path: nifi0/content_repository
      size: 1Gi
    nifi0-provenance-repository:
      path: nifi0/provenance_repository
      size: 1Gi
    nifi0-state:
      path: nifi0/state
      size: 1Gi
    nifi0-logs:
      path: nifi0/logs
      size: 1Gi
    ## NIFI 1 ##
    nifi1-conf:
      path: nifi1/conf
      size: 1Gi
    nifi1-extensions:
      path: nifi1/extensions
      size: 1Gi
    nifi1-database-repository:
      path: nifi1/database_repository
      size: 1Gi
    nifi1-flowfile-repository:
      path: nifi1/flowfile_repository
      size: 1Gi
    nifi1-content-repository:
      path: nifi1/content_repository
      size: 1Gi
    nifi1-provenance-repository:
      path: nifi1/provenance_repository
      size: 1Gi
    nifi1-state:
      path: nifi1/state
      size: 1Gi
    nifi1-logs:
      path: nifi1/logs
      size: 1Gi
    ## NIFI 2 ##
    nifi2-conf:
      path: nifi2/conf
      size: 1Gi
    nifi2-extensions:
      path: nifi2/extensions
      size: 1Gi
    nifi2-database-repository:
      path: nifi2/database_repository
      size: 1Gi
    nifi2-flowfile-repository:
      path: nifi2/flowfile_repository
      size: 1Gi
    nifi2-content-repository:
      path: nifi2/content_repository
      size: 1Gi
    nifi2-provenance-repository:
      path: nifi2/provenance_repository
      size: 1Gi
    nifi2-state:
      path: nifi2/state
      size: 1Gi
    nifi2-logs:
      path: nifi2/logs
      size: 1Gi
    ## NIFI REGISTRY ##
    nifiregistry-conf:
      path: nifiregistry/conf
      size: 1Gi
    nifiregistry-database:
      path: nifiregistry/database
      size: 1Gi
    nifiregistry-ext:
      path: nifiregistry/ext
      size: 1Gi
    nifiregistry-ext-bundles:
      path: nifiregistry/extension_bundles
      size: 1Gi
    nifiregistry-flow-storage:
      path: nifiregistry/flow_storage
      size: 1Gi
    nifiregistry-flow-storage-versioned:
      path: nifiregistry/versioned_flows
      size: 1Gi
    nifiregistry-logs:
      path: nifiregistry/logs
      size: 1Gi

And this concerns my Nginx configuration:

events {
    worker_connections 1024;
}

stream {
    upstream nifi_nodes {
        hash $remote_addr consistent;
        server nifi0:8443;
        server nifi1:8443;
        server nifi2:8443;
    }

    server {
        listen [::]:8444;
        listen 8444;
        proxy_ssl_certificate /opt/certs/nifi-cert.pem;
        proxy_ssl_certificate_key /opt/certs/nifi-key.key;
        proxy_ssl_trusted_certificate /opt/certs/nifi-cert.pem;
        ssl_protocols TLSv1.2 TLSv1.3;
        ssl_ciphers 'TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:ECDHE-RSA-AES128-GCM-SHA256';
        ssl_certificate /etc/nginx/ssl/tls.crt;
        ssl_certificate_key /etc/nginx/ssl/tls.key;
        proxy_pass nifi_nodes;
    }
}
11-13-2024
09:30 PM
1 Kudo
Here is one of the configurations of authorizers.xml for the NiFi nodes:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<authorizers>
    <userGroupProvider>
        <identifier>file-user-group-provider</identifier>
        <class>org.apache.nifi.authorization.FileUserGroupProvider</class>
        <property name="Users File">./conf/users.xml</property>
        <property name="Legacy Authorized Users File"></property>
        <property name="Initial Admin Identity">initial_admin_identity</property>
        <property name="Initial User Identity 1">CN=nifi0, OU=NIFI</property>
        <property name="Initial User Identity 2">CN=nifi1, OU=NIFI</property>
        <property name="Initial User Identity 3">CN=nifi2, OU=NIFI</property>
    </userGroupProvider>
    <userGroupProvider>
        <identifier>ldap-user-group-provider</identifier>
        <class>org.apache.nifi.ldap.tenants.LdapUserGroupProvider</class>
        <property name="Authentication Strategy">SIMPLE</property>
        <property name="Manager DN">ldap_manager_dn</property>
        <property name="Manager Password">ldap_manager_password</property>
        <property name="TLS - Keystore">/opt/certs/nifi0/keystore.jks</property>
        <property name="TLS - Keystore Password">xxx</property>
        <property name="TLS - Keystore Type">JKS</property>
        <property name="TLS - Truststore">/opt/certs/nifi0/truststore.jks</property>
        <property name="TLS - Truststore Password">xxx</property>
        <property name="TLS - Truststore Type">JKS</property>
        <property name="TLS - Client Auth">NONE</property>
        <property name="TLS - Protocol"></property>
        <property name="TLS - Shutdown Gracefully"></property>
        <property name="Referral Strategy">FOLLOW</property>
        <property name="Connect Timeout">10 secs</property>
        <property name="Read Timeout">10 secs</property>
        <property name="Url">ldap_url</property>
        <property name="Sync Interval">30 mins</property>
        <property name="Group Membership - Enforce Case Sensitivity">false</property>
        <property name="User Search Base">ldap_user_search_base</property>
        <property name="User Object Class">person</property>
        <property name="User Search Scope">SUBTREE</property>
        <property name="User Search Filter">ldap_user_search_filter_authorizers</property>
        <property name="User Identity Attribute">sAMAccountName</property>
        <property name="User Group Name Attribute">memberof</property>
        <property name="User Group Name Attribute - Referenced Group Attribute"></property>
        <property name="Identity Strategy">USE_USERNAME</property>
        <property name="Group Search Base">ldap_group_search_base</property>
        <property name="Group Object Class">group</property>
        <property name="Group Search Scope">ONE_LEVEL</property>
        <property name="Group Search Filter">(objectClass=group)</property>
        <property name="Group Name Attribute">cn</property>
        <property name="Group Member Attribute">member</property>
        <property name="Group Member Attribute - Referenced User Attribute">sAMAccountName</property>
    </userGroupProvider>
    <!-- the access policy provider resolves users and groups through this composite (file + LDAP) -->
    <userGroupProvider>
        <identifier>composite-user-group-provider</identifier>
        <class>org.apache.nifi.authorization.CompositeUserGroupProvider</class>
        <property name="User Group Provider 1">file-user-group-provider</property>
        <property name="User Group Provider 2">ldap-user-group-provider</property>
    </userGroupProvider>
    <accessPolicyProvider>
        <identifier>file-access-policy-provider</identifier>
        <class>org.apache.nifi.authorization.FileAccessPolicyProvider</class>
        <property name="User Group Provider">composite-user-group-provider</property>
        <property name="Authorizations File">./conf/authorizations.xml</property>
        <property name="Initial Admin Identity">initial_admin_identity</property>
        <property name="Legacy Authorized Users File"></property>
        <property name="Node Identity 1">CN=nifi0, OU=NIFI</property>
        <property name="Node Identity 2">CN=nifi1, OU=NIFI</property>
        <property name="Node Identity 3">CN=nifi2, OU=NIFI</property>
        <property name="Node Group"></property>
    </accessPolicyProvider>
    <authorizer>
        <identifier>managed-authorizer</identifier>
        <class>org.apache.nifi.authorization.StandardManagedAuthorizer</class>
        <property name="Access Policy Provider">file-access-policy-provider</property>
    </authorizer>
    <authorizer>
        <identifier>single-user-authorizer</identifier>
        <class>org.apache.nifi.authorization.single.user.SingleUserAuthorizer</class>
    </authorizer>
</authorizers>

And here is my authorizers.xml for the NiFi Registry.

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<authorizers>
    <userGroupProvider>
        <identifier>file-user-group-provider</identifier>
        <class>org.apache.nifi.registry.security.authorization.file.FileUserGroupProvider</class>
        <property name="Users File">./conf/users.xml</property>
        <property name="Initial User Identity 1">initial_admin_identity</property>
        <property name="Initial User Identity 2">CN=nifi0, OU=NIFI</property>
        <property name="Initial User Identity 3">CN=nifi1, OU=NIFI</property>
        <property name="Initial User Identity 4">CN=nifi2, OU=NIFI</property>
    </userGroupProvider>
    <userGroupProvider>
        <identifier>ldap-user-group-provider</identifier>
        <class>org.apache.nifi.registry.security.ldap.tenants.LdapUserGroupProvider</class>
        <property name="Authentication Strategy">SIMPLE</property>
        <property name="Manager DN">ldap_manager_dn</property>
        <property name="Manager Password">ldap_manager_password</property>
        <property name="TLS - Keystore">/opt/certs/registry/keystore.jks</property>
        <property name="TLS - Keystore Password">xxx</property>
        <property name="TLS - Keystore Type">JKS</property>
        <property name="TLS - Truststore">/opt/certs/registry/truststore.jks</property>
        <property name="TLS - Truststore Password">xxx</property>
        <property name="TLS - Truststore Type">JKS</property>
        <property name="TLS - Client Auth">NONE</property>
        <property name="TLS - Protocol"></property>
        <property name="TLS - Shutdown Gracefully"></property>
        <property name="Referral Strategy">FOLLOW</property>
        <property name="Connect Timeout">10 secs</property>
        <property name="Read Timeout">10 secs</property>
        <property name="Url">ldap_url</property>
        <property name="Page Size"></property>
        <property name="Sync Interval">30 mins</property>
        <property name="Group Membership - Enforce Case Sensitivity">false</property>
        <property name="User Search Base">ldap_user_search_base</property>
        <property name="User Object Class">person</property>
        <property name="User Search Scope">SUBTREE</property>
        <property name="User Search Filter">ldap_user_search_filter_authorizers</property>
        <property name="User Identity Attribute">sAMAccountName</property>
        <property name="User Group Name Attribute">memberof</property>
        <property name="User Group Name Attribute - Referenced Group Attribute"></property>
        <property name="Identity Strategy">USE_USERNAME</property>
        <property name="Group Search Base">ldap_group_search_base</property>
        <property name="Group Object Class">group</property>
        <property name="Group Search Scope">ONE_LEVEL</property>
        <property name="Group Search Filter">(objectClass=group)</property>
        <property name="Group Name Attribute">cn</property>
        <property name="Group Member Attribute">member</property>
        <property name="Group Member Attribute - Referenced User Attribute">sAMAccountName</property>
    </userGroupProvider>
    <!-- the access policy provider resolves users and groups through the LDAP provider only -->
    <accessPolicyProvider>
        <identifier>file-access-policy-provider</identifier>
        <class>org.apache.nifi.registry.security.authorization.file.FileAccessPolicyProvider</class>
        <property name="User Group Provider">ldap-user-group-provider</property>
        <property name="Authorizations File">./conf/authorizations.xml</property>
        <property name="Initial Admin Identity">initial_admin_identity</property>
        <property name="NiFi Group Name"></property>
    </accessPolicyProvider>
    <authorizer>
        <identifier>managed-authorizer</identifier>
        <class>org.apache.nifi.registry.security.authorization.StandardManagedAuthorizer</class>
        <property name="Access Policy Provider">file-access-policy-provider</property>
    </authorizer>
</authorizers>

The certificates for the nodes and NiFi Registry are generated by the NiFi Toolkit using the following command and then mounted on each NiFi and Registry node:

command:
  - "bash"
  - "-c"
  - "/opt/nifi-toolkit/*/bin/tls-toolkit.sh standalone -o /opt/certs -n nifi[0-2] -P xxx -K xxx -S xxx; /opt/nifi-toolkit/*/bin/tls-toolkit.sh standalone -o /opt/certs -n registry -P xxx -K xxx -S xxx;"

Could you let me know if I missed something or if I made any mistakes in my configuration?
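The two authorizers.xml layouts in the post above (a composite provider on the NiFi side, an access policy provider that references a single LDAP provider on the Registry side) are easiest to reason about by tracing which user group providers the access policy provider can actually reach. The lint below is an added example, not code from this thread or from Apache NiFi. It parses an authorizers.xml with the standard library, follows Composite*UserGroupProvider membership from the access policy provider's "User Group Provider" property, and reports: identities the policy provider depends on ("Initial Admin Identity", "Node Identity N", "NiFi Identity N") that no reachable file provider seeds; identities seeded by two reachable providers, which is what a composite rejects with "Multiple UserGroupProviders claim to provide user"; and file providers that seed identities but are never consulted. It only sees "Initial User Identity N" seeds, which NiFi applies when users.xml does not exist yet, and it treats an LDAP provider as opaque because its users are not in the XML. The provider identifiers, admin identity and LDAP URL in the embedded sample are constructed for the example.

```python
"""Static lint for a NiFi / NiFi Registry authorizers.xml (added example, not NiFi code).

Follows the access policy provider's "User Group Provider" through composite members and
reports undeclared, duplicated and never-consulted identities. LDAP-style providers are
treated as opaque: their users are not visible in the XML, so no lookup is attempted.
"""
import json
import sys
import xml.etree.ElementTree as ET

# access-policy-provider properties whose values must resolve to a known user
NEEDED_PREFIXES = ("Initial Admin Identity", "Node Identity", "NiFi Identity")


def _props(elem):
    """Property name -> trimmed text for one provider element."""
    return {p.get("name", ""): (p.text or "").strip() for p in elem.findall("property")}


def parse_providers(xml_text):
    """Return ({provider_id: {kind, members, identities}}, access_policy_props)."""
    if isinstance(xml_text, str):
        xml_text = xml_text.encode("utf-8")  # bytes let a leading <?xml encoding=?> through
    root = ET.fromstring(xml_text)
    providers = {}
    for ugp in root.findall("userGroupProvider"):
        pid = (ugp.findtext("identifier") or "").strip()
        cls = (ugp.findtext("class") or "").rsplit(".", 1)[-1]
        props = _props(ugp)
        kind = ("composite" if cls.startswith("Composite")
                else "file" if cls == "FileUserGroupProvider"
                else "opaque")  # LDAP/Shell/Azure: users live outside this file
        providers[pid] = {
            "kind": kind,
            # composite members: "User Group Provider N", plus the configurable variant's
            # single "Configurable User Group Provider"
            "members": [v for k, v in props.items() if v and (
                k.startswith("User Group Provider") or k == "Configurable User Group Provider")],
            # FileUserGroupProvider seeds a missing users.xml from these entries
            "identities": [v for k, v in props.items()
                           if v and k.startswith("Initial User Identity")],
        }
    app = root.find("accessPolicyProvider")
    return providers, (_props(app) if app is not None else {})


def reachable_from(providers, start):
    """Provider ids reachable from `start` by following composite membership."""
    seen, stack = [], [start]
    while stack:
        pid = stack.pop()
        if pid in seen or pid not in providers:
            continue
        seen.append(pid)
        stack.extend(providers[pid]["members"])
    return seen


def lint(xml_text):
    providers, app = parse_providers(xml_text)
    reach = reachable_from(providers, app.get("User Group Provider", ""))
    declared = {}  # identity -> reachable file providers that seed it
    for pid in reach:
        for ident in providers[pid]["identities"]:
            declared.setdefault(ident, []).append(pid)
    needed = [v for k, v in app.items() if v and k.startswith(NEEDED_PREFIXES)]
    return {
        "reachable": sorted(reach),
        "duplicates": sorted(i for i, ps in declared.items() if len(ps) > 1),
        "undeclared": sorted(i for i in needed if i not in declared),
        # True: an opaque member (LDAP) may still supply the undeclared identities.
        # False: a plain CompositeUserGroupProvider cannot resolve them at all.
        "opaque_reachable": any(providers[p]["kind"] == "opaque" for p in reach),
        "dead": sorted(p for p, info in providers.items()
                       if p not in reach and info["identities"]),
    }


# Constructed sample with hypothetical identifiers: the composite consults one file provider
# and LDAP, while a second file provider that seeds CN=nifi1 is referenced by nothing.
SAMPLE = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<authorizers>
  <userGroupProvider>
    <identifier>file-user-group-provider</identifier>
    <class>org.apache.nifi.authorization.FileUserGroupProvider</class>
    <property name="Users File">./conf/users.xml</property>
    <property name="Initial User Identity 1">CN=nifi0, OU=NIFI</property>
    <property name="Initial User Identity 2">CN=nifi1, OU=NIFI</property>
  </userGroupProvider>
  <userGroupProvider>
    <identifier>node-identity-provider</identifier>
    <class>org.apache.nifi.authorization.FileUserGroupProvider</class>
    <property name="Users File">./conf/node-users.xml</property>
    <property name="Initial User Identity 1">CN=nifi0, OU=NIFI</property>
  </userGroupProvider>
  <userGroupProvider>
    <identifier>ldap-user-group-provider</identifier>
    <class>org.apache.nifi.ldap.tenants.LdapUserGroupProvider</class>
    <property name="Url">ldaps://ldap.example.internal:636</property>
  </userGroupProvider>
  <userGroupProvider>
    <identifier>composite-user-group-provider</identifier>
    <class>org.apache.nifi.authorization.CompositeUserGroupProvider</class>
    <property name="User Group Provider 1">node-identity-provider</property>
    <property name="User Group Provider 2">ldap-user-group-provider</property>
  </userGroupProvider>
  <accessPolicyProvider>
    <identifier>file-access-policy-provider</identifier>
    <class>org.apache.nifi.authorization.FileAccessPolicyProvider</class>
    <property name="User Group Provider">composite-user-group-provider</property>
    <property name="Authorizations File">./conf/authorizations.xml</property>
    <property name="Initial Admin Identity">admin</property>
    <property name="Node Identity 1">CN=nifi0, OU=NIFI</property>
    <property name="Node Identity 2">CN=nifi1, OU=NIFI</property>
  </accessPolicyProvider>
</authorizers>
"""

if __name__ == "__main__":
    source = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    print(json.dumps(lint(source), indent=2))
```

Run it as `python lint_authorizers.py conf/authorizers.xml` on each NiFi node and on the Registry, and read the report in the same order it was designed: a non-empty "duplicates" list reproduces the composite's "Multiple UserGroupProviders claim to provide user" failure before the service is restarted, "undeclared" with "opaque_reachable": false is an identity that a plain CompositeUserGroupProvider can never resolve, and "dead" lists file providers whose seeded identities (for example node certificate DNs) the access policy provider never sees.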
11-13-2024
04:25 AM
1 Kudo
@satz I'm not sure I fully understand what you mean regarding the NiFi Registry authorization setup. Could you please clarify and provide more details?
11-12-2024
09:00 PM
Hello, I have deployed Apache NiFi and NiFi Registry on a Kubernetes cluster, but I am unable to retrieve the buckets in the NiFi interface. However, when I set the buckets to "public", I can see them in the "Network" tab of the browser’s developer tools. I have been troubleshooting this issue for over a month without success. If anyone has encountered a similar situation or has any suggestions on what might be causing this, I would greatly appreciate any help or advice. Thank you in advance for your assistance! @MattWho
Labels: Apache NiFi