mirror of https://github.com/apache/nifi.git
NIFI-11750 Updated the NiFi Cluster TLS Toolkit Guide
This closes #7432 Signed-off-by: David Handermann <exceptionfactory@apache.org>
This commit is contained in:
parent
01fa3773fb
commit
5beb4cd974
Binary file not shown.
Before Width: | Height: | Size: 224 KiB |
Binary file not shown.
Before Width: | Height: | Size: 180 KiB |
|
@ -18,6 +18,8 @@
|
||||||
Apache NiFi Team <dev@nifi.apache.org>
|
Apache NiFi Team <dev@nifi.apache.org>
|
||||||
:homepage: http://nifi.apache.org
|
:homepage: http://nifi.apache.org
|
||||||
:linkattrs:
|
:linkattrs:
|
||||||
|
// This document refers to NiFi version 1.11.4 and to 1.22.0 as well. Where you see 1.22.0, the steps were verified against that version.
|
||||||
|
// Technically we could rename all 1.11.4 references to 1.22.0, because we are trying to be backward compatible, but it is better to double check.
|
||||||
|
|
||||||
== Purpose
|
== Purpose
|
||||||
The intent of this document is to provide a canonical source of prescriptive instruction sets for common administrator and user tasks using Apache NiFi. It is intended to complement the link:overview.html[NiFi Overview^], link:administration-guide.html[NiFi System Administrator's Guide^], and link:user-guide.html[NiFi User's Guide^]. Those documents provide extensive reference information about various features and configuration values, but they do not provide information on _how_ to accomplish tasks.
|
The intent of this document is to provide a canonical source of prescriptive instruction sets for common administrator and user tasks using Apache NiFi. It is intended to complement the link:overview.html[NiFi Overview^], link:administration-guide.html[NiFi System Administrator's Guide^], and link:user-guide.html[NiFi User's Guide^]. Those documents provide extensive reference information about various features and configuration values, but they do not provide information on _how_ to accomplish tasks.
|
||||||
|
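Review bot: the two `//` comments added at the top of the guide read as editor-to-editor notes rather than documentation: they tell the reader that some steps were verified against 1.22.0 and others may still describe 1.11.4, without saying which is which. In the hunks shown, every 1.11.4 reference is already rewritten (`nifi-toolkit-1.22.0`, `nifi-1.22.0`), so either drop both comments, or keep a single statement of the version the steps were verified against and track the remaining double-check in a JIRA instead of in the source. If the comments stay, they should say that the differences are not cosmetic: this same patch has to add `nifi.sensitive.props.key`, which NiFi 1.14.0 made mandatory, so a walkthrough written for 1.11.4 is not a working walkthrough for 1.22.0.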
@ -859,21 +861,26 @@ The end result will resolve `*.nifi` hostnames to the local machine and all othe
|
||||||
[source]
|
[source]
|
||||||
----
|
----
|
||||||
host@macbook ~ % brew install dnsmasq
|
host@macbook ~ % brew install dnsmasq
|
||||||
==> Downloading https://homebrew.bintray.com/bottles/dnsmasq-2.81.catalina.bottle.tar.gz
|
==> Fetching dnsmasq
|
||||||
==> Downloading from https://akamai.bintray.com/e4/e46052d3d5ae49135b80d383a9d89...
|
==> Downloading https://ghcr.io/v2/homebrew/core/dnsmasq/manifests/2.89
|
||||||
######################################################################## 100.0%
|
########################################################################## 100.0%
|
||||||
==> Pouring dnsmasq-2.81.catalina.bottle.tar.gz
|
==> Downloading https://ghcr.io/v2/homebrew/core/dnsmasq/blobs/sha256:490265bd8d3e8392380fff3b0fbb4caf65f918366b5cf8c613372d21844860aa
|
||||||
|
==> Downloading from https://pkg-containers.githubusercontent.com/ghcr1/blobs/sha256:490265bd8d3e8392380fff3b0fbb4caf65f918366b5cf8c61...
|
||||||
|
########################################################################## 100.0%
|
||||||
|
==> Pouring dnsmasq--2.89.arm64_ventura.bottle.tar.gz
|
||||||
==> Caveats
|
==> Caveats
|
||||||
To have launchd start dnsmasq now and restart at startup:
|
To start dnsmasq now and restart at startup:
|
||||||
sudo brew services start dnsmasq
|
sudo brew services start dnsmasq
|
||||||
|
Or, if you don't want/need a background service you can just run:
|
||||||
|
/opt/homebrew/opt/dnsmasq/sbin/dnsmasq --keep-in-foreground -C /opt/homebrew/etc/dnsmasq.conf -7 /opt/homebrew/etc/dnsmasq.d,*.conf
|
||||||
==> Summary
|
==> Summary
|
||||||
/usr/local/Cellar/dnsmasq/2.81: 8 files, 543.9KB
|
🍺 /opt/homebrew/Cellar/dnsmasq/2.89: 10 files, 646.3KB
|
||||||
----
|
----
|
||||||
--
|
--
|
||||||
.. Start dnsmasq using the service manager.
|
.. Start dnsmasq using the service manager.
|
||||||
* `sudo brew services start dnsmasq`
|
* `sudo brew services start dnsmasq`
|
||||||
.. Make a new file `development.conf` in `/usr/local/etc/dnsmasq.d/`. This file defines the address pattern to resolve. Here, `$EDITOR` is an environment variable defined as path to a text editor. You can use any text editor of your choice (Sublime Text, Atom, vi, emacs, nano, etc.).
|
.. Make a new file `development.conf` in `/opt/homebrew/etc/dnsmasq.d/`. This file defines the address pattern to resolve. Here, `$EDITOR` is an environment variable defined as path to a text editor. You can use any text editor of your choice (Sublime Text, Atom, vi, emacs, nano, etc.).
|
||||||
* `$EDITOR /usr/local/etc/dnsmasq.d/development.conf` -- creates and opens `development.conf` file for editing
|
* `$EDITOR /opt/homebrew/etc/dnsmasq.d/development.conf` -- creates and opens `development.conf` file for editing
|
||||||
.. Populate the `development.conf` with the address pattern. The `address/` line defines the pattern and the `# Direct` line is a comment describing the pattern.
|
.. Populate the `development.conf` with the address pattern. The `address/` line defines the pattern and the `# Direct` line is a comment describing the pattern.
|
||||||
* Add the following lines to `development.conf`:
|
* Add the following lines to `development.conf`:
|
||||||
+
|
+
|
||||||
|
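Review bot: the new paths hard-code the Apple Silicon Homebrew prefix (`/opt/homebrew/etc/dnsmasq.d/development.conf`, `/opt/homebrew/Cellar/dnsmasq/2.89`), which silently breaks the step for Intel Macs, where Homebrew still installs under `/usr/local`, the prefix the old text used. In the instruction lines use `$EDITOR $(brew --prefix)/etc/dnsmasq.d/development.conf` and say in the prose that the captured output shows one possible expansion of that prefix. The refreshed caveat output also introduces a foreground invocation (`/opt/homebrew/opt/dnsmasq/sbin/dnsmasq --keep-in-foreground -C /opt/homebrew/etc/dnsmasq.conf -7 /opt/homebrew/etc/dnsmasq.d,*.conf`); a sentence noting that `-7` loads every `*.conf` in `dnsmasq.d` would tell the reader both why `development.conf` is picked up without editing `dnsmasq.conf` and that anything else dropped into that directory becomes resolver configuration too.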
@ -991,82 +998,82 @@ The end result will consist of a self-signed external CA (the root), a keystore
|
||||||
image::nifi-cluster-tls-toolkit-certificate-diagram.png["NiFi Cluster with TLS Toolkit Certificates Diagram"]
|
image::nifi-cluster-tls-toolkit-certificate-diagram.png["NiFi Cluster with TLS Toolkit Certificates Diagram"]
|
||||||
|
|
||||||
. Create the NiFi Client Certificates. When using the `standalone` mode of the TLS Toolkit, it is important that *all certificates are generated from the same instance, using the same generated NiFi CA certificate to sign each*. The certificates can be generated by a single command, or individually. By default, the Distinguished Name (DN) will be `CN=<provided_hostname>, OU=NIFI`. For more information on toolkit flag options, see link:toolkit-guide.html#usage-8[NiFi Toolkit Guide: TLS Toolkit Usage^].
|
. Create the NiFi Client Certificates. When using the `standalone` mode of the TLS Toolkit, it is important that *all certificates are generated from the same instance, using the same generated NiFi CA certificate to sign each*. The certificates can be generated by a single command, or individually. By default, the Distinguished Name (DN) will be `CN=<provided_hostname>, OU=NIFI`. For more information on toolkit flag options, see link:toolkit-guide.html#usage-8[NiFi Toolkit Guide: TLS Toolkit Usage^].
|
||||||
.. Navigate to the `nifi-toolkit-1.11.4/` directory.
|
.. Create a directory for the cluster configuration and navigate to it.
|
||||||
* `cd /etc/nifi-toolkit-1.11.4/` -- Changes to the toolkit directory
|
* `mkdir /opt/nifi_cluster_conf && cd /opt/nifi_cluster_conf`
|
||||||
.. Generate the certificates. Running these commands first generates the NiFi CA public certificate and private key if not present, then generates the server certificates, followed by the client certificate necessary for the *Initial Admin Identity*. An alternative command performing all the steps sequentially is also provided.
|
.. Generate the certificates. Running these commands first generates the NiFi CA public certificate and private key if not present, then generates the server certificates, followed by the client certificate necessary for the *Initial Admin Identity*. An alternative command performing all the steps sequentially is also provided.
|
||||||
* `./bin/tls-toolkit.sh standalone -n 'node1.nifi' -c 'ca.nifi'` -- Generates the NiFi CA (`ca.nifi`) certificate and key if not present and generates and signs `node1` certificate, placing the `keystore.jks`, `truststore.jks`, and populated `nifi.properties` in a subdirectory called `node1.nifi`
|
* `/opt/nifi-toolkit-1.22.0/bin/tls-toolkit.sh standalone -n 'node1.nifi' -c 'ca.nifi'` -- Generates the NiFi CA (`ca.nifi`) certificate and key if not present and generates and signs `node1` certificate, placing the `keystore.jks`, `truststore.jks`, and populated `nifi.properties` in a subdirectory called `node1.nifi`
|
||||||
+
|
+
|
||||||
--
|
--
|
||||||
_Note the creation of the CA certificate and key_
|
_Note the creation of the CA certificate and key_
|
||||||
[source]
|
[source]
|
||||||
----
|
----
|
||||||
% ./bin/tls-toolkit.sh standalone -n 'node1.nifi' -c 'ca.nifi'
|
% /opt/nifi-toolkit-1.22.0/bin/tls-toolkit.sh standalone -n 'node1.nifi' -c 'ca.nifi'
|
||||||
2020/04/06 18:12:07 INFO [main] org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandaloneCommandLine: No nifiPropertiesFile specified, using embedded one.
|
[main] INFO org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandaloneCommandLine - No nifiPropertiesFile specified, using embedded one.
|
||||||
2020/04/06 18:12:07 INFO [main] org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: Running standalone certificate generation with output directory ../nifi-toolkit-1.11.4
|
[main] INFO org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone - Running standalone certificate generation with output directory ../nifi_cluster_conf
|
||||||
2020/04/06 18:12:08 INFO [main] org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: Generated new CA certificate ../nifi-toolkit-1.11.4/nifi-cert.pem and key ../nifi-toolkit-1.11.4/nifi-key.key
|
[main] INFO org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone - Generated new CA certificate ../nifi_cluster_conf/nifi-cert.pem and key ../nifi_cluster_conf/nifi-key.key
|
||||||
2020/04/06 18:12:08 INFO [main] org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: Writing new ssl configuration to ../nifi-toolkit-1.11.4/node1.nifi
|
[main] INFO org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone - Writing new ssl configuration to ../nifi_cluster_conf/node1.nifi
|
||||||
2020/04/06 18:12:08 INFO [main] org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: Successfully generated TLS configuration for node1.nifi 1 in ../nifi-toolkit-1.11.4/node1.nifi
|
[main] INFO org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone - Successfully generated TLS configuration for node1.nifi 1 in ../nifi_cluster_conf/node1.nifi
|
||||||
2020/04/06 18:12:08 INFO [main] org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: No clientCertDn specified, not generating any client certificates.
|
[main] INFO org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone - No clientCertDn specified, not generating any client certificates.
|
||||||
2020/04/06 18:12:08 INFO [main] org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: tls-toolkit standalone completed successfully
|
[main] INFO org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone - tls-toolkit standalone completed successfully
|
||||||
% ls -alGh node1.nifi
|
% ls -alGh node1.nifi
|
||||||
total 48
|
total 56
|
||||||
drwx------ 5 alopresto staff 160B Apr 6 18:12 .
|
drwx------@ 5 johndoe wheel 160B Jun 26 17:33 .
|
||||||
drwxr-xr-x 11 alopresto staff 352B Apr 6 18:12 ..
|
drwxr-xr-x@ 5 johndoe wheel 160B Jun 26 17:33 ..
|
||||||
-rw------- 1 alopresto staff 3.0K Apr 6 18:12 keystore.jks
|
-rw-------@ 1 johndoe wheel 3.0K Jun 26 17:33 keystore.jks
|
||||||
-rw------- 1 alopresto staff 12K Apr 6 18:12 nifi.properties
|
-rw-------@ 1 johndoe wheel 17K Jun 26 17:33 nifi.properties
|
||||||
-rw------- 1 alopresto staff 895B Apr 6 18:12 truststore.jks
|
-rw-------@ 1 johndoe wheel 929B Jun 26 17:33 truststore.jks
|
||||||
----
|
----
|
||||||
--
|
--
|
||||||
* `./bin/tls-toolkit.sh standalone -n 'node2.nifi'` -- Generates and signs `node2` certificate with the same CA
|
* `/opt/nifi-toolkit-1.22.0/bin/tls-toolkit.sh standalone -n 'node2.nifi'` -- Generates and signs `node2` certificate with the same CA
|
||||||
+
|
+
|
||||||
--
|
--
|
||||||
_Note the existing CA certificate being used_
|
_Note the existing CA certificate being used_
|
||||||
[source]
|
[source]
|
||||||
----
|
----
|
||||||
% ./bin/tls-toolkit.sh standalone -n 'node2.nifi'
|
% /opt/nifi-toolkit-1.22.0/bin/tls-toolkit.sh standalone -n 'node2.nifi'
|
||||||
2020/04/06 18:13:13 INFO [main] org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandaloneCommandLine: No nifiPropertiesFile specified, using embedded one.
|
[main] INFO org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandaloneCommandLine - No nifiPropertiesFile specified, using embedded one.
|
||||||
2020/04/06 18:13:14 INFO [main] org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: Running standalone certificate generation with output directory ../nifi-toolkit-1.11.4
|
[main] INFO org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone - Running standalone certificate generation with output directory ../nifi_cluster_conf
|
||||||
2020/04/06 18:13:14 INFO [main] org.apache.nifi.toolkit.tls.util.TlsHelper: Verifying the certificate signature for CN=ca.nifi,OU=NIFI
|
[main] INFO org.apache.nifi.toolkit.tls.util.TlsHelper - Verifying the certificate signature for CN=ca.nifi,OU=NIFI
|
||||||
2020/04/06 18:13:14 INFO [main] org.apache.nifi.toolkit.tls.util.TlsHelper: Attempting to verify certificate CN=ca.nifi,OU=NIFI signature with CN=ca.nifi,OU=NIFI
|
[main] INFO org.apache.nifi.toolkit.tls.util.TlsHelper - Attempting to verify certificate CN=ca.nifi,OU=NIFI signature with CN=ca.nifi,OU=NIFI
|
||||||
2020/04/06 18:13:14 INFO [main] org.apache.nifi.toolkit.tls.util.TlsHelper: Certificate was signed by CN=ca.nifi,OU=NIFI
|
[main] INFO org.apache.nifi.toolkit.tls.util.TlsHelper - Certificate was signed by CN=ca.nifi,OU=NIFI
|
||||||
2020/04/06 18:13:14 INFO [main] org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: Using existing CA certificate ../nifi-toolkit-1.11.4/nifi-cert.pem and key ../nifi-toolkit-1.11.4/nifi-key.key
|
[main] INFO org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone - Using existing CA certificate ../nifi_cluster_conf/nifi-cert.pem and key ../nifi_cluster_conf/nifi-key.key
|
||||||
2020/04/06 18:13:14 INFO [main] org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: Writing new ssl configuration to ../nifi-toolkit-1.11.4/node2.nifi
|
[main] INFO org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone - Writing new ssl configuration to ../nifi_cluster_conf/node2.nifi
|
||||||
2020/04/06 18:13:14 INFO [main] org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: Successfully generated TLS configuration for node2.nifi 1 in ../nifi-toolkit-1.11.4/node2.nifi
|
[main] INFO org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone - Successfully generated TLS configuration for node2.nifi 1 in ../nifi_cluster_conf/node2.nifi
|
||||||
2020/04/06 18:13:14 INFO [main] org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: No clientCertDn specified, not generating any client certificates.
|
[main] INFO org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone - No clientCertDn specified, not generating any client certificates.
|
||||||
2020/04/06 18:13:14 INFO [main] org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: tls-toolkit standalone completed successfully
|
[main] INFO org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone - tls-toolkit standalone completed successfully
|
||||||
----
|
----
|
||||||
--
|
--
|
||||||
* `./bin/tls-toolkit.sh standalone -n 'node3.nifi'` -- Generates and signs `node3` certificate with the same CA
|
* `/opt/nifi-toolkit-1.22.0/bin/tls-toolkit.sh standalone -n 'node3.nifi'` -- Generates and signs `node3` certificate with the same CA
|
||||||
+
|
+
|
||||||
[source]
|
[source]
|
||||||
----
|
----
|
||||||
% ./bin/tls-toolkit.sh standalone -n 'node3.nifi'
|
% /opt/nifi-toolkit-1.22.0/bin/tls-toolkit.sh standalone -n 'node3.nifi'
|
||||||
2020/04/06 18:53:07 INFO [main] org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandaloneCommandLine: No nifiPropertiesFile specified, using embedded one.
|
[main] INFO org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandaloneCommandLine - No nifiPropertiesFile specified, using embedded one.
|
||||||
2020/04/06 18:53:08 INFO [main] org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: Running standalone certificate generation with output directory ../nifi-toolkit-1.11.4
|
[main] INFO org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone - Running standalone certificate generation with output directory ../nifi_cluster_conf
|
||||||
2020/04/06 18:53:08 INFO [main] org.apache.nifi.toolkit.tls.util.TlsHelper: Verifying the certificate signature for CN=ca.nifi,OU=NIFI
|
[main] INFO org.apache.nifi.toolkit.tls.util.TlsHelper - Verifying the certificate signature for CN=ca.nifi,OU=NIFI
|
||||||
2020/04/06 18:53:08 INFO [main] org.apache.nifi.toolkit.tls.util.TlsHelper: Attempting to verify certificate CN=ca.nifi,OU=NIFI signature with CN=ca.nifi,OU=NIFI
|
[main] INFO org.apache.nifi.toolkit.tls.util.TlsHelper - Attempting to verify certificate CN=ca.nifi,OU=NIFI signature with CN=ca.nifi,OU=NIFI
|
||||||
2020/04/06 18:53:08 INFO [main] org.apache.nifi.toolkit.tls.util.TlsHelper: Certificate was signed by CN=ca.nifi,OU=NIFI
|
[main] INFO org.apache.nifi.toolkit.tls.util.TlsHelper - Certificate was signed by CN=ca.nifi,OU=NIFI
|
||||||
2020/04/06 18:53:08 INFO [main] org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: Using existing CA certificate ../nifi-toolkit-1.11.4/nifi-cert.pem and key ../nifi-toolkit-1.11.4/nifi-key.key
|
[main] INFO org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone - Using existing CA certificate ../nifi_cluster_conf/nifi-cert.pem and key ../nifi_cluster_conf/nifi-key.key
|
||||||
2020/04/06 18:53:08 INFO [main] org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: Writing new ssl configuration to ../nifi-toolkit-1.11.4/node3.nifi
|
[main] INFO org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone - Writing new ssl configuration to ../nifi_cluster_conf/node3.nifi
|
||||||
2020/04/06 18:53:08 INFO [main] org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: Successfully generated TLS configuration for node3.nifi 1 in ../nifi-toolkit-1.11.4/node3.nifi
|
[main] INFO org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone - Successfully generated TLS configuration for node3.nifi 1 in ../nifi_cluster_conf/node3.nifi
|
||||||
2020/04/06 18:53:08 INFO [main] org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: No clientCertDn specified, not generating any client certificates.
|
[main] INFO org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone - No clientCertDn specified, not generating any client certificates.
|
||||||
2020/04/06 18:53:08 INFO [main] org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: tls-toolkit standalone completed successfully
|
[main] INFO org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone - tls-toolkit standalone completed successfully
|
||||||
----
|
----
|
||||||
* `./bin/tls-toolkit.sh standalone -C 'CN=my_username'` -- Generates and signs `my_username` client certificate with the same CA
|
* `/opt/nifi-toolkit-1.22.0/bin/tls-toolkit.sh standalone -C 'CN=my_username'` -- Generates and signs `my_username` client certificate with the same CA
|
||||||
+
|
+
|
||||||
[source]
|
[source]
|
||||||
----
|
----
|
||||||
% ./bin/tls-toolkit.sh standalone -C 'CN=my_username'
|
% /opt/nifi-toolkit-1.22.0/bin/tls-toolkit.sh standalone -C 'CN=my_username'
|
||||||
2020/04/06 18:53:19 INFO [main] org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandaloneCommandLine: No nifiPropertiesFile specified, using embedded one.
|
[main] INFO org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandaloneCommandLine - No nifiPropertiesFile specified, using embedded one.
|
||||||
2020/04/06 18:53:20 INFO [main] org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: Running standalone certificate generation with output directory ../nifi-toolkit-1.11.4
|
[main] INFO org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone - Running standalone certificate generation with output directory ../nifi_cluster_conf
|
||||||
2020/04/06 18:53:20 INFO [main] org.apache.nifi.toolkit.tls.util.TlsHelper: Verifying the certificate signature for CN=ca.nifi,OU=NIFI
|
[main] INFO org.apache.nifi.toolkit.tls.util.TlsHelper - Verifying the certificate signature for CN=ca.nifi,OU=NIFI
|
||||||
2020/04/06 18:53:20 INFO [main] org.apache.nifi.toolkit.tls.util.TlsHelper: Attempting to verify certificate CN=ca.nifi,OU=NIFI signature with CN=ca.nifi,OU=NIFI
|
[main] INFO org.apache.nifi.toolkit.tls.util.TlsHelper - Attempting to verify certificate CN=ca.nifi,OU=NIFI signature with CN=ca.nifi,OU=NIFI
|
||||||
2020/04/06 18:53:20 INFO [main] org.apache.nifi.toolkit.tls.util.TlsHelper: Certificate was signed by CN=ca.nifi,OU=NIFI
|
[main] INFO org.apache.nifi.toolkit.tls.util.TlsHelper - Certificate was signed by CN=ca.nifi,OU=NIFI
|
||||||
2020/04/06 18:53:20 INFO [main] org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: Using existing CA certificate ../nifi-toolkit-1.11.4/nifi-cert.pem and key ../nifi-toolkit-1.11.4/nifi-key.key
|
[main] INFO org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone - Using existing CA certificate ../nifi_cluster_conf/nifi-cert.pem and key ../nifi_cluster_conf/nifi-key.key
|
||||||
2020/04/06 18:53:20 INFO [main] org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: No hostnames specified, not generating any host certificates or configuration.
|
[main] INFO org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone - No hostnames specified, not generating any host certificates or configuration.
|
||||||
2020/04/06 18:53:20 INFO [main] org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: Generating new client certificate ../nifi-toolkit-1.11.4/CN=my_username.p12
|
[main] INFO org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone - Generating new client certificate ../nifi_cluster_conf/CN=my_username.p12
|
||||||
2020/04/06 18:53:20 INFO [main] org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: Successfully generated client certificate ../nifi-toolkit-1.11.4/CN=my_username.p12
|
[main] INFO org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone - Successfully generated client certificate ../nifi_cluster_conf/CN=my_username.p12
|
||||||
2020/04/06 18:53:20 INFO [main] org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: tls-toolkit standalone completed successfully
|
[main] INFO org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone - tls-toolkit standalone completed successfully
|
||||||
----
|
----
|
||||||
+
|
+
|
||||||
--
|
--
|
||||||
|
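Review bot: `mkdir /opt/nifi_cluster_conf && cd /opt/nifi_cluster_conf` introduces a directory name that the copy step later in this same patch does not use (it reads from `/etc/nifi_cluster_configuration/`), so a reader following the text verbatim gets `No such file or directory` from `cp`; pick one path and use it in both places. Creating a directory directly under `/opt` also normally needs `sudo` on a stock macOS or Linux install, so either say so or choose a user-writable location. Two things in the captured output deserve a sentence in the prose while this step is being rewritten: the toolkit writes the CA private key unencrypted next to the CA certificate (`Generated new CA certificate ../nifi_cluster_conf/nifi-cert.pem and key ../nifi_cluster_conf/nifi-key.key`), and every later `standalone` run reuses it (`Using existing CA certificate ... and key ...`). That key can sign a certificate every node in the cluster will trust, so the guide should tell the reader to keep `/opt/nifi_cluster_conf` restricted to the administrator (the `drwx------` listing shows the per-node subdirectory already is) and to move `nifi-key.key` offline or delete it once the last node and client certificate have been issued.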
@ -1081,27 +1088,29 @@ The resulting directory will contain 7 new entries:
|
||||||
** `node3.nifi/` -- The directory containing `node3` keystore and related files
|
** `node3.nifi/` -- The directory containing `node3` keystore and related files
|
||||||
--
|
--
|
||||||
Optional command to execute all steps together using the toolkit pattern syntax:
|
Optional command to execute all steps together using the toolkit pattern syntax:
|
||||||
* `./bin/tls-toolkit.sh standalone -n 'node[1-3].nifi' -C 'CN=my_username' -c 'ca.nifi'` -- Performs all steps listed above simultaneously
|
* `/opt/nifi-toolkit-1.22.0/bin/tls-toolkit.sh standalone -n 'node[1-3].nifi' -C 'CN=my_username' -c 'ca.nifi'` -- Performs all steps listed above simultaneously
|
||||||
. Create a new `nifi_cluster` folder in an appropriate location. In this example, where all three nodes will run on the same machine, the `/etc/nifi_cluster` directory is used. All further instructions occur from this directory.
|
. Create a new `nifi_cluster` folder in an appropriate location. In this example, where all three nodes will run on the same machine, the `/etc/nifi_cluster` directory is used. All further instructions occur from this directory.
|
||||||
* `mkdir /etc/nifi_cluster` -- Creates the working directory
|
* `mkdir /etc/nifi_cluster` -- Creates the working directory
|
||||||
* `cd /etc/nifi_cluster` -- Change to the created directory
|
* `cd /etc/nifi_cluster` -- Change to the created directory
|
||||||
. Copy the NiFi installation folder (i.e. `nifi-1.11.4`) to a new folder for *each* node in the `nifi_cluster` folder created in the previous step.
|
. Copy the NiFi installation folder (i.e. `nifi-1.22.0`) to a new folder for *each* node in the `nifi_cluster` folder created in the previous step.
|
||||||
* `mkdir node1.nifi && cp -R /etc/nifi-1.11.4 node1.nifi` -- Creates the `node1` directory and copies the NiFi application into it
|
* `cp -R /etc/nifi-1.22.0 node1.nifi` -- Creates the `node1` directory and copies the NiFi application into it
|
||||||
* `mkdir node2.nifi && cp -R /etc/nifi-1.11.4 node2.nifi` -- Creates the `node2` directory and copies the NiFi application into it
|
* `cp -R /etc/nifi-1.22.0 node2.nifi` -- Creates the `node2` directory and copies the NiFi application into it
|
||||||
* `mkdir node3.nifi && cp -R /etc/nifi-1.11.4 node3.nifi` -- Creates the `node3` directory and copies the NiFi application into it
|
* `cp -R /etc/nifi-1.22.0 node3.nifi` -- Creates the `node3` directory and copies the NiFi application into it
|
||||||
. Copy the generated `keystore.jks`, `truststore.jks`, and `nifi.properties` to the `conf/` directory of *each* node.
|
. Copy the generated `keystore.jks`, `truststore.jks`, and `nifi.properties` to the `conf/` directory of *each* node.
|
||||||
* `cp -R /etc/nifi-toolkit-1.11.4/node1.nifi/* node1.nifi/conf/.` -- Copies the `node1` files
|
* `cp -R /etc/nifi_cluster_configuration/node1.nifi/* node1.nifi/conf` -- Copies the `node1` files
|
||||||
* `cp -R /etc/nifi-toolkit-1.11.4/node2.nifi/* node2.nifi/conf/.` -- Copies the `node2` files
|
* `cp -R /etc/nifi_cluster_configuration/node2.nifi/* node2.nifi/conf` -- Copies the `node2` files
|
||||||
* `cp -R /etc/nifi-toolkit-1.11.4/node3.nifi/* node3.nifi/conf/.` -- Copies the `node3` files
|
* `cp -R /etc/nifi_cluster_configuration/node3.nifi/* node3.nifi/conf` -- Copies the `node3` files
|
||||||
. Modify the `nifi.properties` file for each node to set the appropriate ports and enable the embedded link:https://zookeeper.apache.org/[ZooKeeper^] server. *If the nodes are being deployed to separate physical or virtual machines (such that each is treated as an independent host for networking), modifying the ports is not required, but enabling the embedded ZooKeeper servers is*. If the nodes are being deployed on the same machine such that the ports cannot conflict, all parts of this step are required. This port selection convention follows the pattern defined at the top of this section, where the last digit corresponds to the node identifier. For more information on ZooKeeper configuration for NiFi, see link:administration-guide.html#embedded_zookeeper[NiFi Administrator's Guide: Embedded ZooKeeper^].
|
. Modify the `nifi.properties` file for each node to set the appropriate ports and enable the embedded link:https://zookeeper.apache.org/[ZooKeeper^] server. *If the nodes are being deployed to separate physical or virtual machines (such that each is treated as an independent host for networking), modifying the ports is not required, but enabling the embedded ZooKeeper servers is*. If the nodes are being deployed on the same machine such that the ports cannot conflict, all parts of this step are required. This port selection convention follows the pattern defined at the top of this section, where the last digit corresponds to the node identifier. For more information on ZooKeeper configuration for NiFi, see link:administration-guide.html#embedded_zookeeper[NiFi Administrator's Guide: Embedded ZooKeeper^].
|
||||||
+
|
+
|
||||||
NOTE: The `nifi.cluster.load.balance.host=` entry must be manually populated here because it was added after the TLS Toolkit was last updated. The toolkit correctly populates the hostname in all other necessary properties.
|
NOTE: The `nifi.cluster.load.balance.host=` entry must be manually populated here because it was added after the TLS Toolkit was last updated. The toolkit correctly populates the hostname in all other necessary properties.
|
||||||
|
NOTE: Starting with version 1.14.0, NiFi requires a value for `nifi.sensitive.props.key`. Set the same value on each node.
|
||||||
|
|
||||||
* `$EDITOR node1.nifi/conf/nifi.properties` -- Opens the `nifi.properties` file in a text editor
|
* `$EDITOR node1.nifi/conf/nifi.properties` -- Opens the `nifi.properties` file in a text editor
|
||||||
* Update the following lines:
|
* Update the following lines:
|
||||||
** `nifi.state.management.embedded.zookeeper.start=false` -> `nifi.state.management.embedded.zookeeper.start=true`
|
** `nifi.state.management.embedded.zookeeper.start=false` -> `nifi.state.management.embedded.zookeeper.start=true`
|
||||||
** `nifi.remote.input.socket.port=10443` -> `nifi.remote.input.socket.port=10441`
|
** `nifi.remote.input.socket.port=10443` -> `nifi.remote.input.socket.port=10441`
|
||||||
** `nifi.web.https.port=9443` -> `nifi.web.https.port=9441`
|
** `nifi.web.https.port=9443` -> `nifi.web.https.port=9441`
|
||||||
|
** `nifi.sensitive.props.key=` -> `nifi.sensitive.props.key=<secretKey>`
|
||||||
** `nifi.cluster.is.node=false` -> `nifi.cluster.is.node=true`
|
** `nifi.cluster.is.node=false` -> `nifi.cluster.is.node=true`
|
||||||
** `nifi.cluster.node.protocol.port=11443` -> `nifi.cluster.node.protocol.port=11441`
|
** `nifi.cluster.node.protocol.port=11443` -> `nifi.cluster.node.protocol.port=11441`
|
||||||
** `nifi.cluster.load.balance.host=` -> `nifi.cluster.load.balance.host=node1.nifi`
|
** `nifi.cluster.load.balance.host=` -> `nifi.cluster.load.balance.host=node1.nifi`
|
||||||
|
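Review bot: the copy commands read from `/etc/nifi_cluster_configuration/node1.nifi/*` (and `node2`, `node3`), but the certificate step earlier in this patch creates and writes to `/opt/nifi_cluster_conf`, which the toolkit output confirms (`Writing new ssl configuration to ../nifi_cluster_conf/node1.nifi`); align the source path or this step fails. Dropping the `mkdir nodeN.nifi &&` prefix before `cp -R /etc/nifi-1.22.0 node1.nifi` is correct (with the target pre-created, `cp -R` would have nested the install as `node1.nifi/nifi-1.22.0`), but it now depends on `node1.nifi` not existing yet, which is worth one clause in the trailing comment. On the new NOTE about `nifi.sensitive.props.key`: since this key encrypts the sensitive processor properties stored in the flow, the text should say that the value must be at least 12 characters (NiFi refuses to start with a shorter key), that `<secretKey>` should be a randomly generated string rather than a word, and that the value must match on every node because a node whose key differs cannot load the cluster flow and will not join; `./bin/nifi.sh set-sensitive-properties-key <key>` sets it without hand-editing `nifi.properties`.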
@ -1112,6 +1121,7 @@ NOTE: The `nifi.cluster.load.balance.host=` entry must be manually populated her
|
||||||
** `nifi.state.management.embedded.zookeeper.start=false` -> `nifi.state.management.embedded.zookeeper.start=true`
|
** `nifi.state.management.embedded.zookeeper.start=false` -> `nifi.state.management.embedded.zookeeper.start=true`
|
||||||
** `nifi.remote.input.socket.port=10443` -> `nifi.remote.input.socket.port=10442`
|
** `nifi.remote.input.socket.port=10443` -> `nifi.remote.input.socket.port=10442`
|
||||||
** `nifi.web.https.port=9443` -> `nifi.web.https.port=9442`
|
** `nifi.web.https.port=9443` -> `nifi.web.https.port=9442`
|
||||||
|
** `nifi.sensitive.props.key=` -> `nifi.sensitive.props.key=<secretKey>`
|
||||||
** `nifi.cluster.is.node=false` -> `nifi.cluster.is.node=true`
|
** `nifi.cluster.is.node=false` -> `nifi.cluster.is.node=true`
|
||||||
** `nifi.cluster.node.protocol.port=11443` -> `nifi.cluster.node.protocol.port=11442`
|
** `nifi.cluster.node.protocol.port=11443` -> `nifi.cluster.node.protocol.port=11442`
|
||||||
** `nifi.cluster.load.balance.host=` -> `nifi.cluster.load.balance.host=node2.nifi`
|
** `nifi.cluster.load.balance.host=` -> `nifi.cluster.load.balance.host=node2.nifi`
|
||||||
|
@ -1122,6 +1132,7 @@ NOTE: The `nifi.cluster.load.balance.host=` entry must be manually populated her
|
||||||
** `nifi.state.management.embedded.zookeeper.start=false` -> `nifi.state.management.embedded.zookeeper.start=true`
|
** `nifi.state.management.embedded.zookeeper.start=false` -> `nifi.state.management.embedded.zookeeper.start=true`
|
||||||
** `nifi.remote.input.socket.port=10443` -> `nifi.remote.input.socket.port=10443`
|
** `nifi.remote.input.socket.port=10443` -> `nifi.remote.input.socket.port=10443`
|
||||||
** `nifi.web.https.port=9443` -> `nifi.web.https.port=9443`
|
** `nifi.web.https.port=9443` -> `nifi.web.https.port=9443`
|
||||||
|
** `nifi.sensitive.props.key=` -> `nifi.sensitive.props.key=<secretKey>`
|
||||||
** `nifi.cluster.is.node=false` -> `nifi.cluster.is.node=true`
|
** `nifi.cluster.is.node=false` -> `nifi.cluster.is.node=true`
|
||||||
** `nifi.cluster.node.protocol.port=11443` -> `nifi.cluster.node.protocol.port=11443`
|
** `nifi.cluster.node.protocol.port=11443` -> `nifi.cluster.node.protocol.port=11443`
|
||||||
** `nifi.cluster.load.balance.host=` -> `nifi.cluster.load.balance.host=node3.nifi`
|
** `nifi.cluster.load.balance.host=` -> `nifi.cluster.load.balance.host=node3.nifi`
|
||||||
|
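Review bot: the three port lines in this node3 hunk are no-ops (`nifi.remote.input.socket.port=10443` -> `10443`, `nifi.web.https.port=9443` -> `9443`, `nifi.cluster.node.protocol.port=11443` -> `11443`), so either they should be dropped or, since the node2 hunk moves its ports to 10442/9442/11442 precisely because the nodes share one host, node3 should get its own distinct values (for example 10441/9441/11441); as written node3 will try to bind the same ports node1 keeps at their defaults and fail to start.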
@ -1159,13 +1170,37 @@ NOTE: Each `Initial User Identity` must have a **unique** name (`Initial User Id
|
||||||
** In the `<userGroupProvider>` section, add the line `<property name="Initial User Identity 3">CN=node2.nifi, OU=NIFI</property>` -- Adds an initial user for `node2`
|
** In the `<userGroupProvider>` section, add the line `<property name="Initial User Identity 3">CN=node2.nifi, OU=NIFI</property>` -- Adds an initial user for `node2`
|
||||||
** In the `<userGroupProvider>` section, add the line `<property name="Initial User Identity 4">CN=node3.nifi, OU=NIFI</property>` -- Adds an initial user for `node3`
|
** In the `<userGroupProvider>` section, add the line `<property name="Initial User Identity 4">CN=node3.nifi, OU=NIFI</property>` -- Adds an initial user for `node3`
|
||||||
+
|
+
|
||||||
image::authorizers-xml-initial-user-identities.png["authorizers.xml with Initial User Identities"]
|
[source,xml]
|
||||||
|
<userGroupProvider>
|
||||||
|
<identifier>file-user-group-provider</identifier>
|
||||||
|
<class>org.apache.nifi.authorization.FileUserGroupProvider</class>
|
||||||
|
<property name="Users File">./conf/users.xml</property>
|
||||||
|
<property name="Legacy Authorized Users File"></property>
|
||||||
|
<property name="Initial User Identity 1">CN=my_username</property>
|
||||||
|
<property name="Initial User Identity 2">CN=node1.nifi, OU=NIFI</property>
|
||||||
|
<property name="Initial User Identity 3">CN=node2.nifi, OU=NIFI</property>
|
||||||
|
<property name="Initial User Identity 4">CN=node3.nifi, OU=NIFI</property>
|
||||||
|
</userGroupProvider>
|
||||||
|
|
||||||
** In the `<accessPolicyProvider>` section, `<property name="Initial Admin Identity"></property>` -> `<property name="Initial Admin Identity">CN=my_username</property>` -- Adds an initial admin with the DN generated in the client certificate
|
** In the `<accessPolicyProvider>` section, `<property name="Initial Admin Identity"></property>` -> `<property name="Initial Admin Identity">CN=my_username</property>` -- Adds an initial admin with the DN generated in the client certificate
|
||||||
** In the `<accessPolicyProvider>` section, `<property name="Node Identity 1"></property>` -> `<property name="Node Identity 1">CN=node1.nifi, OU=NIFI</property>` -- Adds an initial node with the DN generated in the `node1` certificate
|
** In the `<accessPolicyProvider>` section, `<property name="Node Identity 1"></property>` -> `<property name="Node Identity 1">CN=node1.nifi, OU=NIFI</property>` -- Adds an initial node with the DN generated in the `node1` certificate
|
||||||
** In the `<accessPolicyProvider>` section, add the line `<property name="Node Identity 2">CN=node2.nifi, OU=NIFI</property>`
|
** In the `<accessPolicyProvider>` section, add the line `<property name="Node Identity 2">CN=node2.nifi, OU=NIFI</property>`
|
||||||
** In the `<accessPolicyProvider>` section, add the line `<property name="Node Identity 3">CN=node3.nifi, OU=NIFI</property>`
|
** In the `<accessPolicyProvider>` section, add the line `<property name="Node Identity 3">CN=node3.nifi, OU=NIFI</property>`
|
||||||
+
|
+
|
||||||
image::authorizers-xml-initial-node-identities.png["authorizers.xml with Initial Node Identities"]
|
[source,xml]
|
||||||
|
<accessPolicyProvider>
|
||||||
|
<identifier>file-access-policy-provider</identifier>
|
||||||
|
<class>org.apache.nifi.authorization.FileAccessPolicyProvider</class>
|
||||||
|
<property name="User Group Provider">file-user-group-provider</property>
|
||||||
|
<property name="Authorizations File">./conf/authorizations.xml</property>
|
||||||
|
<property name="Initial Admin Identity">CN=my_username</property>
|
||||||
|
<property name="Legacy Authorized Users File"></property>
|
||||||
|
<property name="Node Identity 1">CN=node1.nifi, OU=NIFI</property>
|
||||||
|
<property name="Node Identity 2">CN=node2.nifi, OU=NIFI</property>
|
||||||
|
<property name="Node Identity 3">CN=node3.nifi, OU=NIFI</property>
|
||||||
|
<property name="Node Group"></property>
|
||||||
|
</accessPolicyProvider>
|
||||||
|
|
||||||
* `cp node1.nifi/conf/authorizers.xml node2.nifi/conf/authorizers.xml` -- Copies the modified `authorizers.xml` file from `node1` to `node2`
|
* `cp node1.nifi/conf/authorizers.xml node2.nifi/conf/authorizers.xml` -- Copies the modified `authorizers.xml` file from `node1` to `node2`
|
||||||
* `cp node1.nifi/conf/authorizers.xml node3.nifi/conf/authorizers.xml` -- Copies the modified `authorizers.xml` file from `node1` to `node3`
|
* `cp node1.nifi/conf/authorizers.xml node3.nifi/conf/authorizers.xml` -- Copies the modified `authorizers.xml` file from `node1` to `node3`
|
||||||
. By default, NiFi waits for nodes to join for 5 minutes before the cluster is available. Because the number of nodes is known, this delay can be modified on each node to start up much faster. (Optional)
|
. By default, NiFi waits for nodes to join for 5 minutes before the cluster is available. Because the number of nodes is known, this delay can be modified on each node to start up much faster. (Optional)
|
||||||
|
|
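Review bot: the `cp node1.nifi/conf/authorizers.xml node2.nifi/conf/authorizers.xml` and `cp node1.nifi/conf/authorizers.xml node3.nifi/conf/authorizers.xml` steps need a caveat that NiFi only honours `Initial Admin Identity`, `Initial User Identity N` and `Node Identity N` when `conf/users.xml` and `conf/authorizations.xml` do not yet exist on that node; if node2 or node3 was ever started before this step those files are already generated and the new identities are silently ignored, so the step should say to remove them first (or not to start the nodes before copying). It is also worth saying next to the `<property name="Node Identity 1">CN=node1.nifi, OU=NIFI</property>` block that each value must match the certificate subject DN character for character, including the `, ` between RDNs, because identity comparison is an exact string match and a mismatch shows up only as a node that cannot join the cluster.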