nifi/minifi/minifi-c2
exceptionfactory 42547eb60c
NIFI-11703 Upgraded to Spring Framework 6 and Jetty 12
- Upgraded Spring Framework from 5.3.31 to 6.0.15
- Upgraded Spring Security from 5.8.7 to 6.2.0
- Upgraded Spring Vault from 2.3.4 to 3.1.0
- Upgraded Jetty from 10.0.18 to 12.0.5 with EE 10
- Upgraded Jersey from 2.41 to 3.1.4
- Upgraded JAXB from 2.3.9 to 4.0.4
- Upgraded AspectJ from 1.9.20.1 to 1.9.21
- Upgraded JMS API from 2.0.1 to 3.1.0
- Upgraded ActiveMQ Broker from 5.18.2 to 6.0.1 for JMS 3
- Upgraded JJWT from 0.9.1 to 0.12.3
- Replaced jackson-module-jaxb-annotations with jackson-module-jakarta-xmlbind-annotations
- Replaced maven-jaxb2-plugin with hisrc-higherjaxb40-maven-plugin 2.1.1
- Replaced kongchen swagger-maven-plugin with swagger-codegen-maven-plugin from Swagger 3
- Replaced com.nickwongdev AspectJ Plugin with Codehaus 1.14.0 for newer Java versions
- Removed unused cglib-nodep
- Removed references to javax.validation
- Removed custom Jetty ALPN Processor not required for Java 21
- Removed several tests depending on older Jetty and Jakarta libraries
- Removed unnecessary webdefault.xml configurations
- Replaced unsupported cross-context servlet forwarding with HTTP forwarding
- Replaced javax.servlet references with jakarta.servlet
- Replaced javax.xml.bind references with jakarta.xml.bind
- Replaced javax.ws references with jakarata.ws
- Updated Spring Security CSRF implementation for Spring Security 6
- Updated web.xml versions to 6.0
- Updated REST API templates using new swagger-codegen variables
- Removed VALIDATE_DATA property from ParseCEF based on library compatibility issue with javax.validation
- Added application URL logging to NiFi JettyServer

Signed-off-by: Pierre Villard <pierre.villard.fr@gmail.com>

This closes #8197.
2024-01-04 14:01:32 +04:00
..
minifi-c2-api NIFI-11703 Upgraded to Spring Framework 6 and Jetty 12 2024-01-04 14:01:32 +04:00
minifi-c2-assembly NIFI-11703 Upgraded to Spring Framework 6 and Jetty 12 2024-01-04 14:01:32 +04:00
minifi-c2-cache NIFI-12508 Cleaning up remainders of the Event Driven Strategy 2023-12-13 13:15:29 -06:00
minifi-c2-docker NIFI-12177 Added integration tests for MiNiFi and C2 Docker 2023-10-26 15:35:04 -05:00
minifi-c2-integration-tests NIFI-11703 Upgraded to Spring Framework 6 and Jetty 12 2024-01-04 14:01:32 +04:00
minifi-c2-jetty NIFI-11703 Upgraded to Spring Framework 6 and Jetty 12 2024-01-04 14:01:32 +04:00
minifi-c2-provider NIFI-12103 Replaced deprecated usage of new URL(String) 2023-09-23 10:30:42 -05:00
minifi-c2-service NIFI-11703 Upgraded to Spring Framework 6 and Jetty 12 2024-01-04 14:01:32 +04:00
README.md NIFI-11514 Flow JSON support and deprecating YAML format. Revised parameter generation. Generic refactors. 2023-08-18 11:33:23 +02:00
c2-integration-test.graphml MINIFI-422: Incorporate MiNiFi Java into NiFi 2021-04-27 21:06:56 -04:00
c2-integration-test.png MINIFI-422: Incorporate MiNiFi Java into NiFi 2021-04-27 21:06:56 -04:00
pom.xml NIFI-11103 prepping for 2.0.0 line 2023-02-09 15:32:53 -07:00

README.md

Apache NiFi MiNiFi Command and Control (C2) Server

MiNiFi agents allow us to push data flows down to smaller devices on the edge of the network. This provides many of the niceties of processing data with NiFi in a smaller package. One big challenge with many disparate agents running on all sorts of devices is coordinating their work and pushing out revised flows.

The C2 server is the beginning of an attempt to address this usecase. It provides an endpoint for existing PullHttpChangeIngestor functionality that is intended to facilitate distributing appropriate flow definitions to each class of agent.

In the assumed usecase one or more class of MiNiFi agent polls the C2 server periodically for updates to its flow. When there is a new version available, the C2 server will send it back to the agent at which point the agent will attempt to restart itself with the new flow, rolling back if there is a problem starting.

The C2 server is intended to be extensible and flexibly configurable. The ConfigurationProvider interface is the main extension point where arbitrary logic should be able to be used to get updated flows. The server supports bidirectional TLS authentication and configurable authorization.

Usage

After building, extract minifi-c2/minifi-c2-assembly/target/minifi-c2-VERSION-bin.tar.gz into a directory.

./bin/c2.sh or ./bin/c2.bat will start the server.

./conf/c2.properties can be used to configure the listening port, tls settings.

./conf/minifi-c2-context.xml can be configured according to the configuration provider examples below to retrieve configuration payloads from the appropriate provider.

./conf/authorities.yaml determines the authority or authorities (arbitrary string value) to assign to requesters based on their DN.

./conf/authorizations.yaml is used to determine whether to allow access based on a requester's authorities.

When using the CacheConfigurationProvider, by default, the server will look for files in the ./files/ directory to satisfy requests. It will resolve the correct file using the query parameters and content type provided to it and then serve up either the requested version if specified in the query parameters or the latest if unspecified. Alternatively, if the S3ConfigurationCache is used, the server will look for files in a given Amazon S3 bucket. The S3 bucket name, prefix, region, and credentials are specified in minifi-c2-context.xml. If S3 credentials are not provided, the server will attempt to retrieve credentials via an IAM role. The role must allow for S3 read access to the given bucket and prefix.

The pattern can be configured in ./conf/minifi-c2-context.xml and the default value ({class}/config) will replace {class} with the class query parameter and then look for CLASS/config.CONTENT_TYPE.vVERSION in the directory structure.

Ex: http://localhost:10090/c2/config?class=raspi&version=1 with an Accept header that matches application/json would result in ./files/raspi3/config.application.json.v1 and omitting the version parameter would look for the highest version number in the directory.

The version resolution is cached in memory to accommodate many devices polling periodically. The cache duration can be configured with additional arguments in ./conf/minifi-c2-context.xml that call the overloaded constructor.

MiNiFi Java agents can be configured to poll the C2 server by configuring the PullHttpChangeIngestor in their bootstrap.conf.

Configuration Providers:

There are two ConfigurationProvider implementations provided out of the box.

  1. The CacheConfigurationProvider looks at a directory on the filesystem or in an Amazon S3 bucket. Which backend storage is used can be selected in minifi-c2-context.xml via the constructors to CacheConfigurationProvider.
  2. The DelegatingConfigurationProvider delegates to another C2 server to allow for hierarchical C2 structures to help with scaling and/or bridging networks.

Example network diagram:

Below is a network diagram showing the different configurations tested by our hierarchical integration test docker-compose file. It consists of a "cluster" network where real processing might occur as well as 3 "edge" networks that can get configuration from the cluster network a few different ways. The edge1 instance can directly access the authoritative C2 server via HTTPS. The edge2 instance is representative of a segmented network where the MiNiFi agents can talk to a local delegating C2 server over HTTP which asks the authoritative C2 server over HTTPS. The edge 3 instance can talk to the authoritative C2 server through a Squid proxy over HTTPS.

Network diagram