You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 16 Next »

It is fairly easy to set up an unencrypted data flow from MiNiFi c++ to NiFi: https://nifi.apache.org/minifi/getting-started.html.

If you want the data flow to use HTTPS, that is a bit more complicated; below is a description of how to do it.  (Tested with NiFi 2.0.0-M1 and MiNiFi c++ 0.15.0.)

Step-by-step guide

  1. Create a self-signed certificate; there are many how-tos on the internet.  Below, we'll assume that your generated files are /opt/certs/agent-cert.pem and /opt/certs/agent-key.pem; the CN of the certificate is "my-agent-ID".

  2. Install NiFi.  When you a access https://<hostname>:8443/nifi/ the first time in your browser, you will get a "Potential Security Risk Ahead" warning about NiFi's self-signed certificate, but you can click Advanced → Accept the Risk and Continue.

  3. Add the following settings to your NiFi installation's nifi.properties file:

    # Site to Site properties
nifi.remote.input.host=localhost
nifi.remote.input.secure=true
nifi.remote.input.socket.port=7777
nifi.remote.input.http.enabled=true

  4. Export the NiFi certificate from the NiFi trust store, and import the MiNiFi agent certificate into the NiFi trust store: 

    keytool -exportcert -alias nifi-cert -rfc -keystore truststore.p12 > /opt/certs/nifi-cert.pem
keytool -importcert -alias agent-cert -file /opt/certs/agent-cert.pem -keystore truststore.p12

    keytool will prompt you for the truststore password; you can get this from the nifi.properties file.

  5. Add the agent ID (which is the CN of the agent certificate) as the "Initial User Identity 1" value in the "userGroupProvider" section of authorizers.xml in your NiFi installation:

        <userGroupProvider>
        <identifier>file-user-group-provider</identifier>
        <class>org.apache.nifi.authorization.FileUserGroupProvider</class>
        <property name="Users File">./conf/users.xml</property>
        <property name="Initial User Identity 1">my-agent-ID</property>
    </userGroupProvider>

    and restart NiFi; it will create a new user in users.xml which looks like this:

    <tenants>
    <groups/>
    <users>
        <user identifier="9a889e09-6e86-360a-a324-8f3ee341842a" identity="my-agent-ID"/>
    </users>
</tenants>

  6. Add authorizations for your user in authorizations.xml in your NiFi installation, copying the user identifier from users.xml:

    <authorizations>
    <policies>
        <policy identifier="1f6ae57a-08bc-11eb-9242-bf69163fde10" resource="/site-to-site" action="R">
          <!-- copy the user identifier from users.xml -->
          <user identifier="9a889e09-6e86-360a-a324-8f3ee341842a"/>
        </policy>
        <policy identifier="282818e0-08bc-11eb-8508-2b51c9d70d42" resource="/site-to-site" action="W">
          <user identifier="9a889e09-6e86-360a-a324-8f3ee341842a"/>
        </policy>
         
        <!-- copy the port identifier from the Input Port in NiFi into the resource string -->
        <policy identifier="f512f796-7afb-4c9f-ab68-b5eaf6d5d0cf" resource="/data-transfer/input-ports/c171f9da-689f-41e2-98c4-9d785c59c306" action="R">
          <user identifier="9a889e09-6e86-360a-a324-8f3ee341842a"/>
        </policy>
        <policy identifier="b4e836ee-d526-4e16-8bf3-ee1d8fa3d5e6" resource="/data-transfer/input-ports/c171f9da-689f-41e2-98c4-9d785c59c306" action="W">
          <user identifier="9a889e09-6e86-360a-a324-8f3ee341842a"/>
        </policy>
  
        <!-- you will also need a pair of policies for resource="/data-transfer/output-ports/..." if you want S2S data transfer from NiFi to MiNiFi -->
   </policies>
</authorizations>

Then restart NiFi again, and test that you can connect to it using https:

# This should give a large HTML response
curl -k --key /opt/certs/agent-key.pem --cert /opt/certs/agent-cert.pem https://<hostname>:8443/nifi/

# This should give a JSON response
curl -k --key /opt/certs/agent-key.pem --cert /opt/certs/agent-cert.pem https://<hostname>:8443/nifi-api/site-to-site/


If everything is OK so far, then configure MiNiFi to use secure site-to-site:

  1. Set up the certificates in minifi.properties:

    nifi.remote.input.secure=true
nifi.security.need.ClientAuth=true
nifi.security.client.certificate=/opt/certs/agent-cert.pem
nifi.security.client.private.key=/opt/certs/agent-key.pem
nifi.security.client.pass.phrase=<key passphrase if any>
nifi.security.client.ca.certificate=/opt/certs/nifi-cert.pem

# These are not needed
#nifi.rest.api.user.name=
#nifi.rest.api.password=

  2. Update the NiFi address in config.yml by changing http  to https and changing the port to 8443 in the Remote Process Group:

    Remote Process Groups:
- id: 1ca9d943-0175-1000-2188-4d25f7418459
  name: https://<hostname>:8443/nifi/
  url: https://<hostname>:8443/nifi/
  comment: ''
  timeout: 30 secs
  yield period: 10 sec
  transport protocol: RAW
  proxy host: ''
  proxy port: ''
  proxy user: ''
  proxy password: ''
  local network interface: ''
  Input Ports:
  - id: c171f9da-689f-41e2-98c4-9d785c59c306
    name: c171f9da-689f-41e2-98c4-9d785c59c306
    comment: ''
    max concurrent tasks: 1
    use compression: true
  Output Ports: []

    And restart MiNiFi.  Note that the site-to-site port you configured in NiFi will be used for communication, but in the MiNiFi config.yml you need to specify the main NiFi port 8443, NOT the site-to-site port (7777 in the example above).



  • No labels