Member since 01-17-2018 · 4 Posts · 0 Kudos Received · 0 Solutions
02-22-2018 03:06 AM
Thank you very much @Bryan Bende for your valuable inputs. I finally got it working by following your suggestion. Here is my working authorizers.xml:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<authorizers>
  <userGroupProvider>
    <identifier>file-user-group-provider</identifier>
    <class>org.apache.nifi.authorization.FileUserGroupProvider</class>
    <property name="Users File">./conf/users.xml</property>
    <property name="Legacy Authorized Users File"></property>
    <property name="Initial User Identity 1">CN=node1-nifi.jp.local, OU=NIFI</property>
    <property name="Initial User Identity 2">CN=node2-nifi.jp.local, OU=NIFI</property>
    <property name="Initial User Identity 3">cn=admin,ou=users,dc=nifi,dc=ldap,dc=jp</property>
  </userGroupProvider>
  <accessPolicyProvider>
    <identifier>file-access-policy-provider</identifier>
    <class>org.apache.nifi.authorization.FileAccessPolicyProvider</class>
    <property name="User Group Provider">file-user-group-provider</property>
    <property name="Authorizations File">./conf/authorizations.xml</property>
    <property name="Initial Admin Identity">cn=admin,ou=users,dc=nifi,dc=ldap,dc=jp</property>
    <property name="Legacy Authorized Users File"></property>
    <property name="Node Identity 1">CN=node1-nifi.jp.local, OU=NIFI</property>
    <property name="Node Identity 2">CN=node2-nifi.jp.local, OU=NIFI</property>
    <property name="Node Identity 3">cn=admin,ou=users,dc=nifi,dc=ldap,dc=jp</property>
  </accessPolicyProvider>
  <authorizer>
    <identifier>managed-authorizer</identifier>
    <class>org.apache.nifi.authorization.StandardManagedAuthorizer</class>
    <property name="Access Policy Provider">file-access-policy-provider</property>
  </authorizer>
</authorizers>
Apart from the above changes, I have modified the identity mapping pattern in nifi.properties:
nifi.security.identity.mapping.pattern.dn=^cn=(.*?),ou=(.*?),dc=(.*?),dc=(.*?),dc=(.*?)$
nifi.security.identity.mapping.value.dn=$1
Thanks again!
02-21-2018 09:37 AM
Environment:
2 node NiFi cluster running NiFi 1.5.0
Basic LDAP server for user authentication.
Issue background:
I am trying to secure NiFi using LDAP authentication. I have used `tls-toolkit` to generate the `security.keystore` and `security.truststore` files and configured `nifi.properties` on both nodes to access the NiFi UI over HTTPS:
# tls-toolkit.sh standalone -n 'node[1-2]-nifi.jp.local' -C 'CN=admin,OU=NIFI'
I also configured `login-identity-providers.xml` and `authorizers.xml`, but NiFi does not start due to an LDAP configuration issue. Error message:
Caused by: org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'authorizer': FactoryBean threw exception on object creation; nested exception is org.apache.nifi.authorization.exception.AuthorizerCreationException: org.apache.nifi.authorization.exception.AuthorizerCreationException: Unable to locate initial admin CN=admin,OU=NIFI to seed policies
... 95 common frames omitted
Caused by: org.apache.nifi.authorization.exception.AuthorizerCreationException: Unable to locate initial admin CN=admin,OU=NIFI to seed policies
login-identity-providers.xml:
<loginIdentityProviders>
  <provider>
    <identifier>ldap-provider</identifier>
    <class>org.apache.nifi.ldap.LdapProvider</class>
    <property name="Authentication Strategy">SIMPLE</property>
    <property name="Manager DN">cn=admin,dc=nifi,dc=ldap,dc=jp</property>
    <property name="Manager Password">secret</property>
    <property name="TLS - Keystore"></property>
    <property name="TLS - Keystore Password"></property>
    <property name="TLS - Keystore Type"></property>
    <property name="TLS - Truststore"></property>
    <property name="TLS - Truststore Password"></property>
    <property name="TLS - Truststore Type"></property>
    <property name="TLS - Client Auth"></property>
    <property name="TLS - Protocol"></property>
    <property name="TLS - Shutdown Gracefully"></property>
    <property name="Referral Strategy">FOLLOW</property>
    <property name="Connect Timeout">10 secs</property>
    <property name="Read Timeout">10 secs</property>
    <property name="Url">ldap://192.168.2.1:389</property>
    <property name="User Search Base">ou=users,dc=nifi,dc=ldap,dc=jp</property>
    <property name="User Search Filter">uid={0}</property>
    <property name="Identity Strategy">USE_DN</property>
    <property name="Authentication Expiration">12 hours</property>
  </provider>
</loginIdentityProviders>
authorizers.xml:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<authorizers>
  <userGroupProvider>
    <identifier>file-user-group-provider</identifier>
    <class>org.apache.nifi.authorization.FileUserGroupProvider</class>
    <property name="Users File">./conf/users.xml</property>
    <property name="Legacy Authorized Users File"></property>
    <property name="Initial User Identity 1">cn=node1-nifi.jp.local,ou=users,dc=nifi,dc=ldap,dc=jp</property>
    <property name="Initial User Identity 2">cn=node2-nifi.jp.local,ou=users,dc=nifi,dc=ldap,dc=jp</property>
  </userGroupProvider>
  <accessPolicyProvider>
    <identifier>file-access-policy-provider</identifier>
    <class>org.apache.nifi.authorization.FileAccessPolicyProvider</class>
    <property name="User Group Provider">file-user-group-provider</property>
    <property name="Authorizations File">./conf/authorizations.xml</property>
    <property name="Initial Admin Identity">CN=admin,OU=NIFI</property>
    <property name="Legacy Authorized Users File"></property>
    <property name="Node Identity 1">cn=node1-nifi.jp.local,ou=users,dc=nifi,dc=ldap,dc=jp</property>
    <property name="Node Identity 2">cn=node2-nifi.jp.local,ou=users,dc=nifi,dc=ldap,dc=jp</property>
  </accessPolicyProvider>
  <authorizer>
    <identifier>managed-authorizer</identifier>
    <class>org.apache.nifi.authorization.StandardManagedAuthorizer</class>
    <property name="Access Policy Provider">file-access-policy-provider</property>
  </authorizer>
</authorizers>
nifi.properties (security settings):
nifi.security.keystore=./conf/keystore.jks
nifi.security.keystoreType=jks
nifi.security.keystorePasswd=xx
nifi.security.keyPasswd=xx
nifi.security.truststore=./conf/truststore.jks
nifi.security.truststoreType=jks
nifi.security.truststorePasswd=xxx
nifi.security.needClientAuth=
nifi.security.user.authorizer=managed-authorizer
nifi.security.user.login.identity.provider=ldap-provider
nifi.security.ocsp.responder.url=
nifi.security.ocsp.responder.certificate=
Refer to the attachment for the LDAP configuration. I checked https://community.hortonworks.com/questions/131557/nifi-authorizercreationexception-unable-to-locate.html but it didn't work. Please guide me on securing my NiFi cluster using LDAP authentication.
Labels: Apache NiFi
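The two authorizers.xml files above differ in exactly the way the error message points at: FileAccessPolicyProvider can only seed policies for an Initial Admin Identity or Node Identity that the FileUserGroupProvider already knows as a user, and both sides are first passed through the nifi.security.identity.mapping.pattern.*/value.* pairs from nifi.properties. The following script is an added example, not NiFi's own code: it emulates that mapping (whole-string regex match, `$n` replaced by the capture group; ordering of several mappings and the later `transform` option are not modelled) and re-runs the seed check offline against the failing and the working configuration from this thread, trimmed to the identity properties.

```python
"""Offline reproduction of NiFi's "Unable to locate initial admin ... to seed
policies" check, with nifi.properties identity mappings applied first.
Added example; the mapping emulation is an approximation of NiFi's behaviour."""
import re
import xml.etree.ElementTree as ET

# The single mapping from the post's nifi.properties (pattern "dn" / value "dn").
IDENTITY_MAPPINGS = [
    (r"^cn=(.*?),ou=(.*?),dc=(.*?),dc=(.*?),dc=(.*?)$", "$1"),
]


def map_identity(identity, mappings=IDENTITY_MAPPINGS):
    """Return the identity NiFi would use after the first matching mapping."""
    for pattern, value in mappings:
        m = re.fullmatch(pattern, identity)
        if m:
            # "$1", "$2", ... in the value are replaced by the capture groups.
            return re.sub(r"\$(\d+)", lambda g: m.group(int(g.group(1))), value)
    return identity  # no pattern matched (e.g. the certificate DNs): used unchanged


def _properties(element):
    return {p.get("name"): (p.text or "").strip() for p in element.findall("property")}


def seed_problems(authorizers_xml, mappings=IDENTITY_MAPPINGS):
    """List the seed identities the access policy provider needs but the user
    group provider does not define; an empty list means the seed will succeed."""
    root = ET.fromstring(authorizers_xml)
    ugp = _properties(root.find("userGroupProvider"))
    apc = _properties(root.find("accessPolicyProvider"))
    known = {map_identity(v, mappings) for k, v in ugp.items()
             if k.startswith("Initial User Identity") and v}
    needed = {k: map_identity(v, mappings) for k, v in apc.items()
              if (k == "Initial Admin Identity" or k.startswith("Node Identity")) and v}
    return sorted(f"{k} -> {v}" for k, v in needed.items() if v not in known)


# Constructed from the two authorizers.xml files in the thread, trimmed to the
# identity properties that matter for the seed check.
FAILING_AUTHORIZERS = """<authorizers>
  <userGroupProvider>
    <identifier>file-user-group-provider</identifier>
    <property name="Initial User Identity 1">cn=node1-nifi.jp.local,ou=users,dc=nifi,dc=ldap,dc=jp</property>
    <property name="Initial User Identity 2">cn=node2-nifi.jp.local,ou=users,dc=nifi,dc=ldap,dc=jp</property>
  </userGroupProvider>
  <accessPolicyProvider>
    <identifier>file-access-policy-provider</identifier>
    <property name="Initial Admin Identity">CN=admin,OU=NIFI</property>
    <property name="Node Identity 1">cn=node1-nifi.jp.local,ou=users,dc=nifi,dc=ldap,dc=jp</property>
    <property name="Node Identity 2">cn=node2-nifi.jp.local,ou=users,dc=nifi,dc=ldap,dc=jp</property>
  </accessPolicyProvider>
</authorizers>"""

WORKING_AUTHORIZERS = """<authorizers>
  <userGroupProvider>
    <identifier>file-user-group-provider</identifier>
    <property name="Initial User Identity 1">CN=node1-nifi.jp.local, OU=NIFI</property>
    <property name="Initial User Identity 2">CN=node2-nifi.jp.local, OU=NIFI</property>
    <property name="Initial User Identity 3">cn=admin,ou=users,dc=nifi,dc=ldap,dc=jp</property>
  </userGroupProvider>
  <accessPolicyProvider>
    <identifier>file-access-policy-provider</identifier>
    <property name="Initial Admin Identity">cn=admin,ou=users,dc=nifi,dc=ldap,dc=jp</property>
    <property name="Node Identity 1">CN=node1-nifi.jp.local, OU=NIFI</property>
    <property name="Node Identity 2">CN=node2-nifi.jp.local, OU=NIFI</property>
    <property name="Node Identity 3">cn=admin,ou=users,dc=nifi,dc=ldap,dc=jp</property>
  </accessPolicyProvider>
</authorizers>"""

if __name__ == "__main__":
    # At the time of the failing post no mapping pattern was configured yet.
    print("failing config:", seed_problems(FAILING_AUTHORIZERS, mappings=[]))
    print("working config:", seed_problems(WORKING_AUTHORIZERS))
    print("LDAP admin DN maps to:", map_identity("cn=admin,ou=users,dc=nifi,dc=ldap,dc=jp"))
```

Two things worth checking in your own files with this: the mapping regex is case-sensitive and anchored, so with the pattern from the thread the lowercase LDAP DN collapses to `admin` while the certificate DNs `CN=..., OU=NIFI` do not match and pass through untouched; and after mapping, NiFi compares identities as plain strings, so `CN=x, OU=NIFI` and `CN=x,OU=NIFI` are two different users.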
01-18-2018 12:12 AM
@Matt Clarke Thanks for the clear explanation on NiFi custom processor deployment. Also, I would like to know if we can deploy NiFi flow and configuration node by node without interrupting the service.
01-17-2018 12:38 AM
I am using a 3 node NiFi (v1.4.0) cluster in a production environment. I need to deploy new custom processors, but that requires a NiFi restart; the challenge is that NiFi receives chunks of data every second. I would like to know the best possible way to deploy custom processors in a NiFi cluster without interrupting the service.
Labels: Apache NiFi