Versions Compared

...

  1. Download the latest version of nifi-toolkit from https://nifi.apache.org/download.html
  2. Unpack the contents: 

    Code Block
    tar xzvf nifi-toolkit-1.12.1-bin.tar.gz -C /opt/nifi/


  3. Create a directory for the certificate files:

    Code Block
    mkdir -p /opt/nifi/data/ssl


  4. Determine the hostname(s) that will be used to access NiFi from web browsers and from MiNiFi. Then generate the certificates using tls-toolkit:

    Code Block
    # Set the location of Java; the executable should be ${JAVA_HOME}/bin/java
    export JAVA_HOME=...
    # Replace <hostname> with the comma-separated list of hostnames used to access NiFi
    /opt/nifi/nifi-toolkit-1.12.1/bin/tls-toolkit.sh standalone -n '<hostname>' -C 'CN=minifi, OU=NIFI' -o /opt/nifi/data/ssl
    
    # Unpack the certificate and key from the .p12 bundle
    # Enter the contents of CN=minifi_OU=NIFI.password as the password when prompted (once for each of the two commands)
    openssl pkcs12 -in /opt/nifi/data/ssl/CN=minifi_OU=NIFI.p12 -out /opt/nifi/data/ssl/nifi-rest.key -nocerts -nodes
    openssl pkcs12 -in /opt/nifi/data/ssl/CN=minifi_OU=NIFI.p12 -out /opt/nifi/data/ssl/nifi-rest.crt -clcerts -nokeys


  5. Protect the files by ensuring that only the current user has access to them:

    Code Block
    chmod 755 /opt/nifi/data/ssl
    chmod 600 /opt/nifi/data/ssl/CN\=minifi_OU\=NIFI.*
    chmod 700 /opt/nifi/data/ssl/<hostname>


  6. Copy the values of the properties in the nifi.remote, nifi.web and nifi.security sections from /opt/nifi/data/ssl/<hostname>/nifi.properties to your NiFi installation's nifi.properties file, except for the following two, which should be set like this:

    Code Block
    nifi.security.keystore=/opt/nifi/data/ssl/<hostname>/keystore.jks
    nifi.security.truststore=/opt/nifi/data/ssl/<hostname>/truststore.jks

    and add the following settings to your NiFi installation's nifi.properties file:

    Code Block
    # Replace <keystore-password> with the contents of /opt/nifi/data/ssl/CN=minifi_OU=NIFI.password
    nifi.rest.host=<hostname>
    nifi.rest.keystorePath=/opt/nifi/data/ssl/CN=minifi_OU=NIFI.p12
    nifi.rest.keystorePassword=<keystore-password>
    nifi.rest.keystoreType=PKCS12


  7. Uncomment the file-provider section of authorizers.xml in your NiFi installation, and set the Initial Admin Identity:

    Code Block
        <authorizer>
            <identifier>file-provider</identifier>
            <class>org.apache.nifi.authorization.FileAuthorizer</class>
            <property name="Authorizations File">./conf/authorizations.xml</property>
            <property name="Users File">./conf/users.xml</property>
            <property name="Initial Admin Identity">CN=minifi, OU=NIFI</property>
            <property name="Legacy Authorized Users File"></property>
    
            <!-- Provide the identity (typically a DN) of each node when clustered, see above description of Node Identity.
            <property name="Node Identity 1"></property>
            -->
        </authorizer>

    and restart NiFi; it will create a new user with your Initial Admin Identity name in users.xml.

  8. Authorize your user to access the /site-to-site API by adding the following policies to authorizations.xml in your NiFi installation:

    Code Block
      <!-- generate some UUIDs for the policy identifiers -->
      <!-- copy the user identifier from users.xml -->
      <policy identifier="1f6ae57a-08bc-11eb-9242-bf69163fde10" resource="/site-to-site" action="R">
        <user identifier="9cd6ec42-b3da-3a3a-8405-7264746e0e42"/>
      </policy>
      <policy identifier="282818e0-08bc-11eb-8508-2b51c9d70d42" resource="/site-to-site" action="W">
        <user identifier="9cd6ec42-b3da-3a3a-8405-7264746e0e42"/>
      </policy>

    TODO: I think more authorizations are needed.
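    The following script is an added example written for this page; it is not part of the original page and not part of Apache NiFi or nifi-toolkit. It automates the two manual checks in steps 5 and 8: it walks the certificate directory and reports any key material (.p12, .key, .password, .jks) that is not owner-only, and it looks up the identifier NiFi assigned to the Initial Admin Identity in users.xml, checks which /site-to-site actions are already granted in authorizations.xml, and emits <policy> elements with fresh UUIDs only for the actions still missing. The path /opt/nifi/data/ssl is taken from the steps above; the embedded users.xml and authorizations.xml contents are constructed samples (the user identifier is the one shown in step 8). The script prints the snippets for you to paste; it does not write to authorizations.xml.

```python
# Added example (not part of the original page or of Apache NiFi): helpers
# for steps 5 and 8 above. File paths and the sample XML are assumptions.
import os
import stat
import uuid
import xml.etree.ElementTree as ET

SITE_TO_SITE = "/site-to-site"
KEY_SUFFIXES = (".p12", ".key", ".password", ".jks")


def is_key_file_exposed(mode):
    """True if a file mode grants any group or other permission (step 5 wants 600)."""
    return bool(mode & (stat.S_IRWXG | stat.S_IRWXO))


def exposed_key_files(ssl_dir):
    """Walk ssl_dir and return key-material files whose mode is not owner-only."""
    exposed = []
    for dirpath, _, filenames in os.walk(ssl_dir):
        for name in filenames:
            if name.endswith(KEY_SUFFIXES):
                path = os.path.join(dirpath, name)
                if is_key_file_exposed(stat.S_IMODE(os.stat(path).st_mode)):
                    exposed.append(path)
    return sorted(exposed)


def find_user_identifier(users_xml, identity):
    """Look up the identifier NiFi assigned to an identity in users.xml (step 7)."""
    for user in ET.fromstring(users_xml).iter("user"):
        if user.get("identity") == identity:
            return user.get("identifier")
    return None


def granted_actions(authorizations_xml, resource, user_identifier):
    """Actions (R/W) already granted to the user on a resource in authorizations.xml."""
    actions = set()
    for policy in ET.fromstring(authorizations_xml).iter("policy"):
        if policy.get("resource") != resource:
            continue
        if any(u.get("identifier") == user_identifier for u in policy.findall("user")):
            actions.add(policy.get("action"))
    return actions


def build_missing_policies(user_identifier, already_granted, resource=SITE_TO_SITE):
    """Return <policy> elements (fresh UUID each) for the R/W actions not yet granted."""
    policies = []
    for action in ("R", "W"):
        if action in already_granted:
            continue
        policy = ET.Element("policy", identifier=str(uuid.uuid4()),
                            resource=resource, action=action)
        ET.SubElement(policy, "user", identifier=user_identifier)
        policies.append(policy)
    return policies


# Constructed sample files (user identifier taken from the page's step 8).
SAMPLE_USERS_XML = """<tenants>
  <groups/>
  <users>
    <user identifier="9cd6ec42-b3da-3a3a-8405-7264746e0e42" identity="CN=minifi, OU=NIFI"/>
  </users>
</tenants>"""

SAMPLE_AUTHORIZATIONS_XML = """<authorizations>
  <policies>
    <policy identifier="1f6ae57a-08bc-11eb-9242-bf69163fde10" resource="/site-to-site" action="R">
      <user identifier="9cd6ec42-b3da-3a3a-8405-7264746e0e42"/>
    </policy>
  </policies>
</authorizations>"""


def site_to_site_policies_for(identity, users_xml, authorizations_xml):
    """Combine the lookups: return serialized policies still missing for identity."""
    user_id = find_user_identifier(users_xml, identity)
    if user_id is None:
        raise ValueError("%s not found in users.xml; restart NiFi after step 7" % identity)
    granted = granted_actions(authorizations_xml, SITE_TO_SITE, user_id)
    return [ET.tostring(p, encoding="unicode") for p in build_missing_policies(user_id, granted)]


if __name__ == "__main__":
    import sys
    ssl_dir = sys.argv[1] if len(sys.argv) > 1 else "/opt/nifi/data/ssl"  # assumed path
    for path in (exposed_key_files(ssl_dir) if os.path.isdir(ssl_dir) else []):
        print("WARNING: not owner-only:", path)
    for snippet in site_to_site_policies_for("CN=minifi, OU=NIFI",
                                             SAMPLE_USERS_XML, SAMPLE_AUTHORIZATIONS_XML):
        print(snippet)
```

    With the sample input only the "W" policy is printed, because the "R" policy is already present; in use, replace the two SAMPLE_* strings with the contents of your installation's conf/users.xml and conf/authorizations.xml. The permission walk covers the <hostname> subdirectory too, so a keystore.jks left readable by others after step 5 is reported alongside the .p12 and .password files.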

...