NiFi 授权配置
通过证书授权
下载nifi-toolkit
证书文件生成及其配置
启动授权中心服务
root@machine001:
${toolkit_installed_dir}/bin/tls-toolkit.sh server -c machine001 -t myTokenToUseToPreventMITM -p 9999
# server 制定此进程为授权服务
# -c 制定授权中心地址
# -t 证书token指令,后面客户端生成证书请求中需要用到该token
# -p 制定授权中心所在端口,供客户端调用
You can use the following command line options with the
tls-toolkit
in server mode:
-a
,--keyAlgorithm <arg>
Algorithm to use for generated keys (default:RSA
)--configJsonIn <arg>
The place to read configuration info from (defaults to the value of configJson), implies useConfigJson if set (default:configJson
value)-d
,--days <arg>
Number of days issued certificate should be valid for (default:1095
)-D
,--dn <arg>
The dn to use for the CA certificate (default:CN=YOUR_CA_HOSTNAME,OU=NIFI
)-f
,--configJson <arg>
The place to write configuration info (default:config.json
)-F
,--useConfigJson
Flag specifying that all configuration is read fromconfigJson
to facilitate automated use (otherwiseconfigJson
will only be written to)-g
,--differentKeyAndKeystorePasswords
Use different generated password for the key and the keystore-h
,--help
Print help and exit-k
,--keySize <arg>
Number of bits for generated keys (default:2048
)-p
,--PORT <arg>
The port for the Certificate Authority to listen on (default:8443
)-s
,--signingAlgorithm <arg>
Algorithm to use for signing certificates (default:SHA256WITHRSA
)-T
,--keyStoreType <arg>
The type of keystores to generate (default:jks
)-t
,--token <arg>
The token to use to prevent MITM (required and must be same as one used by clients)
生成集群各节点授权证书及其配置
以下为NiFi集群各节点授权
root@machine001/2/3:
${toolkit_installed_dir}/bin/tls-toolkit.sh client -c machine001 -t myTokenToUseToPreventMITM -p 9999
# client 制定此进程为授权请求客户端
# -c 制定授权中心地址
# -t 证书token指令,确保与前面服务器启动的token一致
# -p 制定授权中心服务所在端口
各节点生成的证书相关文件有:
config.json
keystore.jks
nifi-cert.pem
truststore.jks
#将文件拷贝到${NIFI_HOME}/conf/
调整各节点NiFi配置
set nifi.cluster.protocol.is.secure=true #更新
set nifi.cluster.is.node=true #更新
set nifi.cluster.node.address=machine001
#set nifi.cluster.node.address=machine002
#set nifi.cluster.node.address=machine003
set nifi.cluster.node.protocol.port=9998
set nifi.remote.input.host=machine001
#set nifi.remote.input.host=machine002
#set nifi.remote.input.host=machine003
set nifi.remote.input.secure=true #更新
set nifi.remote.input.socket.port=9997 #更新
set nifi.web.https.host=machine001 #更新(http配置的host和port需要屏蔽)
#set nifi.web.https.host=machine002
#set nifi.web.https.host=machine003
set nifi.web.https.port=9443 #更新
# 以下为证书文件相关配置(keystore.jks、truststore.jks、config.json中提供的密钥信息)
nifi.security.keystore=/opt/nifi-1.6.0/conf/keystore.jks
nifi.security.keystoreType=jks
nifi.security.keystorePasswd=68Hm1lfA1QAX2q3xK+CM+PYTqby5hXeIWDra+ReBQwM
nifi.security.keyPasswd=68Hm1lfA1QAX2q3xK+CM+PYTqby5hXeIWDra+ReBQwM
nifi.security.truststore=/opt/nifi-1.6.0/conf/truststore.jks
nifi.security.truststoreType=jks
nifi.security.truststorePasswd=r9gZJ6/v0ro3SyWeQ7AdD0bYu4Y7vPjL2A8UkRoIODQ
nifi.security.needClientAuth=true
客户端访问授权
root@machine001/2/3:
${toolkit_installed_dir}/bin/tls-toolkit.sh client -c node-3 -t myTokenToUseToPreventMITM -p 9999 -D "CN=pvillard,OU=NIFI" -T PKCS12
# client 指定此进程为授权请求客户端
# -c 制定授权中心地址
# -t 证书token指令,确保与前面服务器启动的token一致
# -p 制定授权中心服务所在端口
# -D "CN=pvillard,OU=NIFI" 注:此DN后面用作超级用户,注意生成证书时的日志,以证书生成日志中的格式为准!
# -T PKCS12 制定证书类型,用于导入浏览器
以上指令将生成以下文件:
keystore.pkcs12 #证书文件,可导入浏览器
config.json #提供导入证书文件时需要的密码
nifi-cert.pem
truststore.jks
配置集群授权文件
权限配置文件为: ${NIFI_HOME}/conf/authorizers.xml
<authorizer>
<identifier>file-provider</identifier>
<class>org.apache.nifi.authorization.FileAuthorizer</class>
<property name="Authorizations File">./conf/authorizations.xml</property>
<property name="Users File">./conf/users.xml</property>
<property name="Initial Admin Identity">CN=pvillard, OU=NIFI</property>
<property name="Legacy Authorized Users File"/>
<property name="Node Identity 1">CN=machine001, OU=NIFI</property>
<property name="Node Identity 2">CN=machine002, OU=NIFI</property>
<property name="Node Identity 3">CN=machine003, OU=NIFI</property>
</authorizer>
Basically if the <u>users.xml and authorizations.xml</u>** files already exist, the file-provider will do nothing. If you <u>remove or rename these two files</u> and restart your NiFi instance, the authorization will build new versions of these files based on the current configuration in your authorizers.xml file.
重启服务
/opt/nifi-1.6.0/bin/nifi.sh restart && tail -f /opt/nifi-1.6.0/logs/nifi-app.log #重启服务查看日志
tail -f /opt/nifi-1.6.0/logs/nifi-user.log
tail -f /opt/nifi-1.6.0/logs/nifi-app.log
tail -f /opt/nifi-1.6.0/logs/nifi-bootstrap.log
netstat -nltp |grep 9443
客户端登陆
浏览器导入证书文件
Chrom
--> 设置 --> 高级 --> 管理证书 --> 导入 。。。
keystore.pkcs12 #证书文件,可导入浏览器
config.json #提供导入证书文件时需要的密码
nifi-cert.pem
truststore.jks
访问集群验证证书有效性
访问:https://machine001:9443/nifi/
左上角可以看到超级用户DN,Global菜单中增加了用户及权限设置相关功能;
注意事项:
问题
场景
集群启动不了,或者访问页面提示applicant异常
解决办法
查看启动日志,查看Warn级别输出记录,大多数时候是配置有无,比如配置host时machine001
多了各空格,有没法直接看出来等。
问题:
场景
访问NiFi页面时, 提示Unknown user with identity 'admin'. Contact the system administrator.
参考
The log is telling you that authentication for your login user "admin" was successful; however, the authorization for that user was not.
-
There is nothing that stands out to me in your basic authorizers.xml file configuration. So my thought here is that this is not the original configuration of the authorizers.xml file.
The file-provider is used to initially generate the users.xml and authorizations.xml files. Once these files exist they will not be re-generated or modified if you later make changes to this configuration xml. Basically if the <u>users.xml and authorizations.xml</u>** files already exist, the file-provider will do nothing.-
I suggest taking a look at what is currently in your users.xml and authorizations.xml files. My guess here is that you will find that a user entry does not exist for "admin" in the users.xml file.
-
If you <u>remove or rename these two files</u> and restart your NiFi instance, the authorization will build new versions of these files based on the current configuration in your authorizers.xml file.
-
Thank you,
Matt
问题:
场景
页面报错: No applicable policies could be found. Contact the system administrator.
user.log日志信息:
2018-08-20 16:13:51,791 INFO [NiFi Web Server-19] o.a.n.w.a.c.IllegalStateExceptionMapper java.lang.IllegalStateException: Kerberos ticket login not supported by this NiFi.. Returning Conflict response.
2018-08-20 16:13:51,944 INFO [NiFi Web Server-18] o.a.n.w.a.c.IllegalStateExceptionMapper java.lang.IllegalStateException: OpenId Connect is not configured.. Returning Conflict response.
2018-08-20 16:13:52,009 INFO [NiFi Web Server-24] o.a.n.w.s.NiFiAuthenticationFilter Attempting request for (CN=CZ, OU=NiFi) GET https://machine001:9443/nifi-api/flow/current-user (source ip: 124.79.116.93)
2018-08-20 16:13:52,010 INFO [NiFi Web Server-24] o.a.n.w.s.NiFiAuthenticationFilter Authentication success for CN=CZ, OU=NiFi
2018-08-20 16:13:52,012 INFO [NiFi Web Server-24] o.a.n.w.a.c.AccessDeniedExceptionMapper identity[CN=CZ, OU=NiFi], groups[] does not have permission to access the requested resource. No applicable policies could be found. Returning Forbidden response.
参考
The problem is a whitespace issue...
If you look at your log you can see "CN=BrowserClient, OU=GUI, O="Test Inc "" with a space before the OU.
If you look at the Initial Admin and users.xml there is no space "CN=Browser Client,OU=GUI,O="Test Inc " so its not lining up.
You can fix this by stopping NiFi, updating authorizers.xml so the Initial Admin has the <u>exact value from the logs</u>,** and then deleting users.xml and authorizations.xml, and restart.
参考链接:
Apache-NiFi授权与用户认证(仅作参考理解证书配置流程,该博文为standalone模式)
Apache NiFi 1.1.0 – Secured cluster setup(使用nifi-toolkit工具的Server/Client模式生成证书,集群配置较为繁琐,但是实用)Apache Mail Archives(用户邮件,提供多个连接处理,多种授权模式)
网友评论