...

  1. Create a self-signed certificate; there are many how-tos on the internet.  Below, we'll assume that your generated files are /opt/certs/agent-cert.pem and /opt/certs/agent-key.pem; the CN of the certificate is "my-agent-ID".
  2. Install NiFi.  When you access https://<hostname>:8443/nifi/ for the first time in your browser, you will get a "Potential Security Risk Ahead" warning about NiFi's self-signed certificate, but you can click Advanced → Accept the Risk and Continue.

  3. Add the following settings to your NiFi installation's nifi.properties file:

    # Site to Site properties
    nifi.remote.input.host=localhost
    nifi.remote.input.secure=true
    nifi.remote.input.socket.port=7777
    nifi.remote.input.http.enabled=true


  4. Export the NiFi certificate from the NiFi trust store, and import the MiNiFi agent certificate into the NiFi trust store: 

    keytool -exportcert -alias nifi-cert -rfc -keystore truststore.p12 > /opt/certs/nifi-cert.pem
    keytool -importcert -alias agent-cert -file /opt/certs/agent-cert.pem -keystore truststore.p12

    keytool will prompt you for the truststore password; you can get this from the nifi.properties file.

  5. Add the agent ID (which is the CN of the agent certificate) as the "Initial User Identity 1" value in the "userGroupProvider" section of authorizers.xml in your NiFi installation:

        <userGroupProvider>
            <identifier>file-user-group-provider</identifier>
            <class>org.apache.nifi.authorization.FileUserGroupProvider</class>
            <property name="Users File">./conf/users.xml</property>
            <property name="Initial User Identity 1">my-agent-ID</property>
        </userGroupProvider>

    and restart NiFi; it will create a new user in users.xml which looks like this:

    <tenants>
        <groups/>
        <users>
            <user identifier="9a889e09-6e86-360a-a324-8f3ee341842a" identity="my-agent-ID"/>
        </users>
    </tenants>


  6. Add authorizations for your user in authorizations.xml in your NiFi installation, copying the user identifier from users.xml:

    <authorizations>
        <policies>
            <policy identifier="1f6ae57a-08bc-11eb-9242-bf69163fde10" resource="/site-to-site" action="R">
              <!-- copy the user identifier from users.xml -->
              <user identifier="9a889e09-6e86-360a-a324-8f3ee341842a"/>
            </policy>
            <policy identifier="282818e0-08bc-11eb-8508-2b51c9d70d42" resource="/site-to-site" action="W">
              <user identifier="9a889e09-6e86-360a-a324-8f3ee341842a"/>
            </policy>

            <!-- copy the port identifier from the Process Groups/Input Ports/Port in NiFi into the resource string -->
            <policy identifier="f512f796-7afb-4c9f-ab68-b5eaf6d5d0cf" resource="/data-transfer/input-ports/c171f9da-689f-41e2-98c4-9d785c59c306" action="R">
              <user identifier="9a889e09-6e86-360a-a324-8f3ee341842a"/>
            </policy>
            <policy identifier="b4e836ee-d526-4e16-8bf3-ee1d8fa3d5e6" resource="/data-transfer/input-ports/c171f9da-689f-41e2-98c4-9d785c59c306" action="W">
              <user identifier="9a889e09-6e86-360a-a324-8f3ee341842a"/>
            </policy>

            <!-- you will also need a pair of policies for resource="/data-transfer/output-ports/..." if you want S2S data transfer from NiFi to MiNiFi -->
        </policies>
    </authorizations>
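    Steps 5 and 6 above hinge on hand-copying the user identifier from users.xml into four policies, which is easy to get wrong and leaves the agent silently unauthorized. The following script is an added example, not part of the NiFi or MiNiFi documentation: it parses the two files and reports which of the required Site-to-Site policies the agent identity is still missing. The XML here is constructed to mirror the page's snippets, and the input-port id is a placeholder.

```python
"""Verify that a MiNiFi agent identity holds the S2S policies described in steps 5 and 6."""
import xml.etree.ElementTree as ET

# Constructed sample files; they mirror the users.xml / authorizations.xml shown above.
# The input-port W policy is deliberately left out so the check has something to report.
USERS_XML = """<tenants><groups/><users>
  <user identifier="9a889e09-6e86-360a-a324-8f3ee341842a" identity="my-agent-ID"/>
</users></tenants>"""

AUTHORIZATIONS_XML = """<authorizations><policies>
  <policy identifier="p1" resource="/site-to-site" action="R">
    <user identifier="9a889e09-6e86-360a-a324-8f3ee341842a"/></policy>
  <policy identifier="p2" resource="/site-to-site" action="W">
    <user identifier="9a889e09-6e86-360a-a324-8f3ee341842a"/></policy>
  <policy identifier="p3" resource="/data-transfer/input-ports/PORT-ID-PLACEHOLDER" action="R">
    <user identifier="9a889e09-6e86-360a-a324-8f3ee341842a"/></policy>
</policies></authorizations>"""


def user_identifier(users_xml, identity):
    """Return the identifier NiFi assigned to the given identity (the certificate CN), or None."""
    for user in ET.fromstring(users_xml).iter("user"):
        if user.get("identity") == identity:
            return user.get("identifier")
    return None


def missing_policies(authorizations_xml, user_id, port_id):
    """Return the (resource, action) pairs the agent needs for S2S input but does not hold."""
    needed = {("/site-to-site", "R"), ("/site-to-site", "W"),
              (f"/data-transfer/input-ports/{port_id}", "R"),
              (f"/data-transfer/input-ports/{port_id}", "W")}
    granted = set()
    for policy in ET.fromstring(authorizations_xml).iter("policy"):
        # a policy grants this user only if one of its <user> children carries the identifier
        if any(u.get("identifier") == user_id for u in policy.findall("user")):
            granted.add((policy.get("resource"), policy.get("action")))
    return sorted(needed - granted)


def check_agent(users_xml, authorizations_xml, identity, port_id):
    """Resolve the identity to its identifier and list the policies still to be added."""
    uid = user_identifier(users_xml, identity)
    if uid is None:
        return {"user_identifier": None, "missing": ["no user with that identity in users.xml"]}
    return {"user_identifier": uid, "missing": missing_policies(authorizations_xml, uid, port_id)}


if __name__ == "__main__":
    print(check_agent(USERS_XML, AUTHORIZATIONS_XML, "my-agent-ID", "PORT-ID-PLACEHOLDER"))
```

    Point it at the real conf/users.xml and conf/authorizations.xml and the agent's input-port id; an empty "missing" list means the agent is authorized for S2S input, while a non-empty one names the exact policies to add.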


...