It is fairly easy to set up an unencrypted data flow from MiNiFi to NiFi: https://nifi.apache.org/minifi/getting-started.html.
If you want the data flow to use HTTPS, that is a bit more complicated; below is a description of how to do it. (TODO: this doesn't quite work yet; complete it.)
Step-by-step guide
First, go to https://kylo.readthedocs.io/en/v0.10.0/security/ConfigureNiFiWithSSL.html and create a self-signed certificate as described there:
- Download the latest version of nifi-toolkit from https://nifi.apache.org/download.html. Unpack the contents:
tar xzvf nifi-toolkit-1.12.1-bin.tar.gz -C /opt/nifi/
Create a directory for the certificate files:
mkdir -p /opt/nifi/data/ssl
Determine the hostname that will be used to access NiFi from web browsers and from MiNiFi. Then generate the certificates using tls-toolkit:
# Set the location of Java; the executable should be ${JAVA_HOME}/bin/java
export JAVA_HOME=...
# Replace <hostname> with the hostname used to access NiFi
/opt/nifi/nifi-toolkit-1.12.1/bin/tls-toolkit.sh standalone -n '<hostname>' -C 'CN=minifi, OU=NIFI' -o /opt/nifi/data/ssl
# Unpack the certificate and key from the .p12 bundle
# Enter the contents of CN=minifi_OU=NIFI.password as the password when prompted (both times)
openssl pkcs12 -in /opt/nifi/data/ssl/CN=minifi_OU=NIFI.p12 -out /opt/nifi/data/ssl/nifi-rest.key -nocerts -nodes
openssl pkcs12 -in /opt/nifi/data/ssl/CN=minifi_OU=NIFI.p12 -out /opt/nifi/data/ssl/nifi-rest.crt -clcerts -nokeys
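Protect the files by ensuring that only the current user has access to them:
chmod 755 /opt/nifi/data/ssl
chmod 600 /opt/nifi/data/ssl/CN\=minifi_OU\=NIFI.*
chmod 700 /opt/nifi/data/ssl/<hostname>
# The private key extracted with -nodes is stored unencrypted, so restrict it as well
chmod 600 /opt/nifi/data/ssl/nifi-rest.key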
Copy the values of the properties in the nifi.remote, nifi.web and nifi.security sections from /opt/nifi/data/ssl/<hostname>/nifi.properties to your NiFi installation's nifi.properties file, except for the following two, which should be set like this:
nifi.security.keystore=/opt/nifi/data/ssl/<hostname>/keystore.jks
nifi.security.truststore=/opt/nifi/data/ssl/<hostname>/truststore.jks
Then add the following settings to your NiFi installation's nifi.properties file:
# Replace <keystore-password> with the contents of /opt/nifi/data/ssl/CN=minifi_OU=NIFI.password
nifi.rest.host=<hostname>
nifi.rest.keystorePath=/opt/nifi/data/ssl/CN=minifi_OU=NIFI.p12
nifi.rest.keystorePassword=<keystore-password>
nifi.rest.keystoreType=PKCS12
Uncomment the file-provider section of authorizers.xml in your NiFi installation, and set the Initial Admin Identity:
<authorizer>
    <identifier>file-provider</identifier>
    <class>org.apache.nifi.authorization.FileAuthorizer</class>
    <property name="Authorizations File">./conf/authorizations.xml</property>
    <property name="Users File">./conf/users.xml</property>
    <property name="Initial Admin Identity">CN=minifi, OU=NIFI</property>
    <property name="Legacy Authorized Users File"></property>
    <!-- Provide the identity (typically a DN) of each node when clustered, see above description of Node Identity.
    <property name="Node Identity 1"></property>
    -->
</authorizer>
Then restart NiFi; it will create a new user with your Initial Admin Identity name in users.xml.
Add authorizations for your user in authorizations.xml in your NiFi installation:
<!-- generate UUIDs for the policy identifiers -->
<policy identifier="1f6ae57a-08bc-11eb-9242-bf69163fde10" resource="/site-to-site" action="R">
    <!-- copy the user identifier from users.xml -->
    <user identifier="9cd6ec42-b3da-3a3a-8405-7264746e0e42"/>
</policy>
<policy identifier="282818e0-08bc-11eb-8508-2b51c9d70d42" resource="/site-to-site" action="W">
    <user identifier="9cd6ec42-b3da-3a3a-8405-7264746e0e42"/>
</policy>
<!-- copy the port identifier from Remote Process Groups/Input Ports/id in the minifi config.yml -->
<policy identifier="f512f796-7afb-4c9f-ab68-b5eaf6d5d0cf" resource="/data-transfer/input-ports/1ca9d943-0175-1000-2188-4d25f7418459" action="R">
    <user identifier="9cd6ec42-b3da-3a3a-8405-7264746e0e42"/>
</policy>
<policy identifier="b4e836ee-d526-4e16-8bf3-ee1d8fa3d5e6" resource="/data-transfer/input-ports/1ca9d943-0175-1000-2188-4d25f7418459" action="W">
    <user identifier="9cd6ec42-b3da-3a3a-8405-7264746e0e42"/>
</policy>
<!-- you will also need a pair of policies for resource="/data-transfer/output-ports/..." if you want S2S data transfer from NiFi to MiNiFi -->
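The four policy entries above can be generated instead of edited by hand, which avoids reused policy UUIDs and mistyped user identifiers. This Python sketch is an added example, not part of the original guide or of NiFi; the function names are hypothetical, and it assumes users.xml has the layout of the constructed sample (a user element with identifier and identity attributes).

```python
import uuid
import xml.etree.ElementTree as ET

# Constructed sample of users.xml (assumed layout); the identifier is the
# one used in the policies on this page.
SAMPLE_USERS_XML = """<tenants>
  <groups/>
  <users>
    <user identifier="9cd6ec42-b3da-3a3a-8405-7264746e0e42" identity="CN=minifi, OU=NIFI"/>
  </users>
</tenants>"""


def find_user_id(users_xml, identity):
    """Return the identifier of the single user whose identity matches exactly."""
    root = ET.fromstring(users_xml)
    matches = [u.get("identifier") for u in root.iter("user")
               if u.get("identity") == identity]
    if len(matches) != 1:
        raise ValueError(f"expected one user {identity!r}, found {len(matches)}")
    return matches[0]


def s2s_policies(user_id, input_port_id):
    """Build the R and W policies for /site-to-site and one input port."""
    uuid.UUID(input_port_id)  # raises ValueError if the port id is not a UUID
    resources = ["/site-to-site",
                 f"/data-transfer/input-ports/{input_port_id}"]
    policies = []
    for resource in resources:
        for action in ("R", "W"):
            policy = ET.Element("policy", identifier=str(uuid.uuid4()),
                                resource=resource, action=action)
            ET.SubElement(policy, "user", identifier=user_id)
            policies.append(policy)
    return policies


def render(policies):
    """Serialize the policies as XML text to paste into authorizations.xml."""
    return "\n".join(ET.tostring(p, encoding="unicode") for p in policies)


if __name__ == "__main__":
    uid = find_user_id(SAMPLE_USERS_XML, "CN=minifi, OU=NIFI")
    # Port id as copied from the MiNiFi config.yml on this page
    print(render(s2s_policies(uid, "1ca9d943-0175-1000-2188-4d25f7418459")))
```

Granting only the one input port that MiNiFi sends to, rather than a broader resource, keeps the client certificate's access limited to what the flow needs.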
For Mac, https://kylo.readthedocs.io/en/v0.10.0/security/ConfigureNiFiWithSSL.html has instructions on how to tell your browser to trust this self-signed certificate. TODO: add instructions for Linux and Windows, as well.
Then restart NiFi again, and test that you can connect to it using HTTPS:
# This should give a large HTML response
curl -k --key /opt/nifi/data/ssl/nifi-rest.key --cert /opt/nifi/data/ssl/nifi-rest.crt https://<hostname>:9443/nifi/
# This should give a JSON response
curl -k --key /opt/nifi/data/ssl/nifi-rest.key --cert /opt/nifi/data/ssl/nifi-rest.crt https://<hostname>:9443/nifi-api/site-to-site/
If everything is OK so far, then configure MiNiFi to use the certificate:
Set up the certificate in minifi.properties:
nifi.remote.input.secure=true
nifi.security.need.ClientAuth=false
nifi.security.client.certificate=/opt/nifi/data/ssl/nifi-rest.crt
nifi.security.client.private.key=/opt/nifi/data/ssl/nifi-rest.key
nifi.security.client.pass.phrase=/opt/nifi/data/ssl/CN=minifi_OU=NIFI.password
nifi.security.client.ca.certificate=/opt/nifi/data/ssl/nifi-cert.pem
# These are not needed
#nifi.rest.api.user.name=
#nifi.rest.api.password=
Update the NiFi address in config.yml by changing http to https and changing the port from 8080 to 9443 in the Remote Process Group:
...
Remote Process Groups:
- id: c171f9da-689f-41e2-98c4-9d785c59c306
  name: https://<hostname>:9443/nifi/
  url: https://<hostname>:9443/nifi/
  comment: ''
...
And restart MiNiFi.