It is fairly easy to set up an unencrypted data flow from MiNiFi to NiFi: https://nifi.apache.org/minifi/getting-started.html.

If you want the data flow to use HTTPS, that is a bit more complicated; below is a description of how to do it.  (Tested with NiFi 1.12.1 and MiNiFi 0.7.0.)

Step-by-step guide

First, go to https://kylo.readthedocs.io/en/v0.10.0/security/ConfigureNiFiWithSSL.html and create a self-signed certificate as described there:

  1. Download the latest version of nifi-toolkit from https://nifi.apache.org/download.html
  2. Unpack the contents: 

    tar xzvf nifi-toolkit-1.12.1-bin.tar.gz -C /opt/nifi/
  3. Create a directory for the certificate files:

    mkdir -p /opt/nifi/data/ssl
  4. Determine the hostname that will be used to access NiFi from web browsers and from MiNiFi. Then generate the certificates using tls-toolkit:

    # Set the location of Java; the executable should be ${JAVA_HOME}/bin/java
    export JAVA_HOME=...
    # Replace <hostname> with the hostname used to access NiFi
    /opt/nifi/nifi-toolkit-1.12.1/bin/tls-toolkit.sh standalone -n '<hostname>' -C 'CN=minifi, OU=NIFI' -o /opt/nifi/data/ssl
    
    # Unpack the certificate and key from the .p12 bundle
    # Enter the contents of CN=minifi_OU=NIFI.password as the password when prompted (both times)
    openssl pkcs12 -in /opt/nifi/data/ssl/CN=minifi_OU=NIFI.p12 -out /opt/nifi/data/ssl/nifi-rest.key -nocerts -nodes
    openssl pkcs12 -in /opt/nifi/data/ssl/CN=minifi_OU=NIFI.p12 -out /opt/nifi/data/ssl/nifi-rest.crt -clcerts -nokeys
  5. Protect the files by ensuring that only the current user has access to them:

    chmod 755 /opt/nifi/data/ssl
    chmod 600 /opt/nifi/data/ssl/CN\=minifi_OU\=NIFI.*
    # The key extracted in step 4 was created with the default umask; lock it down as well
    chmod 600 /opt/nifi/data/ssl/nifi-rest.key
    chmod 700 /opt/nifi/data/ssl/<hostname>
  6. Copy the values of the properties in the nifi.remote, nifi.web and nifi.security sections from /opt/nifi/data/ssl/<hostname>/nifi.properties to your NiFi installation's nifi.properties file, except for the following two, which should be set like this:

    nifi.security.keystore=/opt/nifi/data/ssl/<hostname>/keystore.jks
    nifi.security.truststore=/opt/nifi/data/ssl/<hostname>/truststore.jks

    and add the following settings to your NiFi installation's nifi.properties file:

    nifi.rest.host=<hostname>
    nifi.rest.keystorePath=/opt/nifi/data/ssl/CN=minifi_OU=NIFI.p12
    nifi.rest.keystorePassword=/opt/nifi/data/ssl/CN=minifi_OU=NIFI.password
    nifi.rest.keystoreType=PKCS12
  7. Uncomment the file-provider section of authorizers.xml in your NiFi installation, and set the Initial Admin Identity:

        <authorizer>
            <identifier>file-provider</identifier>
            <class>org.apache.nifi.authorization.FileAuthorizer</class>
            <property name="Authorizations File">./conf/authorizations.xml</property>
            <property name="Users File">./conf/users.xml</property>
            <property name="Initial Admin Identity">CN=minifi, OU=NIFI</property>
            <property name="Legacy Authorized Users File"></property>
    
            <!-- Provide the identity (typically a DN) of each node when clustered, see above description of Node Identity.
            <property name="Node Identity 1"></property>
            -->
        </authorizer>

    and restart NiFi; it will create a new user with your Initial Admin Identity name in users.xml.

  8. Add authorizations for your user in authorizations.xml in your NiFi installation:

      <!-- generate UUIDs for the policy identifiers -->
      <policy identifier="1f6ae57a-08bc-11eb-9242-bf69163fde10" resource="/site-to-site" action="R">
        <!-- copy the user identifier from users.xml -->
        <user identifier="9cd6ec42-b3da-3a3a-8405-7264746e0e42"/>
      </policy>
      <policy identifier="282818e0-08bc-11eb-8508-2b51c9d70d42" resource="/site-to-site" action="W">
        <user identifier="9cd6ec42-b3da-3a3a-8405-7264746e0e42"/>
      </policy>
    
      <!-- copy the port identifier from Remote Process Groups/Input Ports/id in the minifi config.yml -->
      <policy identifier="f512f796-7afb-4c9f-ab68-b5eaf6d5d0cf" resource="/data-transfer/input-ports/c171f9da-689f-41e2-98c4-9d785c59c306" action="R">
        <user identifier="9cd6ec42-b3da-3a3a-8405-7264746e0e42"/>
      </policy>
      <policy identifier="b4e836ee-d526-4e16-8bf3-ee1d8fa3d5e6" resource="/data-transfer/input-ports/c171f9da-689f-41e2-98c4-9d785c59c306" action="W">
        <user identifier="9cd6ec42-b3da-3a3a-8405-7264746e0e42"/>
      </policy>
    
      <!-- you will also need a pair of policies for resource="/data-transfer/output-ports/..." if you want S2S data transfer from NiFi to MiNiFi -->
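A common failure at this step is a policy that refers to a user identifier that users.xml does not contain (a copy error), or a missing W policy, which only shows up later as a site-to-site authorization error on the MiNiFi side. The following script is an added example, not part of NiFi or of this guide: it cross-checks users.xml against authorizations.xml for the Initial Admin Identity and the MiNiFi input port id. The XML strings are constructed samples shaped like the fragments above; the broken variant carries a mistyped user identifier and lacks the input-port W policy.

```python
"""Cross-check users.xml against authorizations.xml for MiNiFi site-to-site access.

Added example for this page; it is not part of NiFi or of the guide above.
Given the Initial Admin Identity from authorizers.xml and the input-port id
from the MiNiFi config.yml, it reports (a) policies that grant access to a
user identifier users.xml does not define and (b) any missing R/W policy on
/site-to-site or on the input port. The XML strings are constructed samples.
"""
import xml.etree.ElementTree as ET

IDENTITY = "CN=minifi, OU=NIFI"
INPUT_PORT_ID = "c171f9da-689f-41e2-98c4-9d785c59c306"

# Constructed users.xml: NiFi writes one <user> for the Initial Admin Identity on restart.
USERS_XML = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<tenants>
  <groups/>
  <users>
    <user identifier="9cd6ec42-b3da-3a3a-8405-7264746e0e42" identity="CN=minifi, OU=NIFI"/>
  </users>
</tenants>
"""

# Constructed authorizations.xml containing the four policies from step 8.
GOOD_AUTHORIZATIONS_XML = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<authorizations>
  <policies>
    <policy identifier="1f6ae57a-08bc-11eb-9242-bf69163fde10" resource="/site-to-site" action="R">
      <user identifier="9cd6ec42-b3da-3a3a-8405-7264746e0e42"/>
    </policy>
    <policy identifier="282818e0-08bc-11eb-8508-2b51c9d70d42" resource="/site-to-site" action="W">
      <user identifier="9cd6ec42-b3da-3a3a-8405-7264746e0e42"/>
    </policy>
    <policy identifier="f512f796-7afb-4c9f-ab68-b5eaf6d5d0cf" resource="/data-transfer/input-ports/c171f9da-689f-41e2-98c4-9d785c59c306" action="R">
      <user identifier="9cd6ec42-b3da-3a3a-8405-7264746e0e42"/>
    </policy>
    <policy identifier="b4e836ee-d526-4e16-8bf3-ee1d8fa3d5e6" resource="/data-transfer/input-ports/c171f9da-689f-41e2-98c4-9d785c59c306" action="W">
      <user identifier="9cd6ec42-b3da-3a3a-8405-7264746e0e42"/>
    </policy>
  </policies>
</authorizations>
"""

# Constructed broken variant: the /site-to-site W policy carries a mistyped user
# identifier, and the input-port W policy was never added.
BROKEN_AUTHORIZATIONS_XML = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<authorizations>
  <policies>
    <policy identifier="1f6ae57a-08bc-11eb-9242-bf69163fde10" resource="/site-to-site" action="R">
      <user identifier="9cd6ec42-b3da-3a3a-8405-7264746e0e42"/>
    </policy>
    <policy identifier="282818e0-08bc-11eb-8508-2b51c9d70d42" resource="/site-to-site" action="W">
      <user identifier="9cd6ec42-b3da-3a3a-8405-726474600000"/>
    </policy>
    <policy identifier="f512f796-7afb-4c9f-ab68-b5eaf6d5d0cf" resource="/data-transfer/input-ports/c171f9da-689f-41e2-98c4-9d785c59c306" action="R">
      <user identifier="9cd6ec42-b3da-3a3a-8405-7264746e0e42"/>
    </policy>
  </policies>
</authorizations>
"""


def load_users(users_xml):
    """Map user identifier -> identity (the certificate DN) from users.xml."""
    return {u.get("identifier"): u.get("identity") for u in ET.fromstring(users_xml).iter("user")}


def load_grants(authorizations_xml):
    """Map (resource, action) -> set of user identifiers from authorizations.xml."""
    grants = {}
    for policy in ET.fromstring(authorizations_xml).iter("policy"):
        key = (policy.get("resource"), policy.get("action"))
        grants.setdefault(key, set()).update(u.get("identifier") for u in policy.findall("user"))
    return grants


def check_s2s_access(users_xml, authorizations_xml, identity, input_port_id):
    """Return a list of problems; an empty list means the identity can push over S2S."""
    users = load_users(users_xml)
    grants = load_grants(authorizations_xml)
    problems = []

    # A policy naming an identifier that users.xml lacks grants nothing: a copy error.
    for (resource, action), ids in grants.items():
        for unknown in sorted(ids - set(users)):
            problems.append(f"policy {action} on {resource} names unknown user identifier {unknown}")

    # Resolve the DN to the identifier NiFi generated for it.
    user_id = next((uid for uid, dn in users.items() if dn == identity), None)
    if user_id is None:
        problems.append(f"identity {identity} is not present in users.xml")
        return problems

    # Both the S2S handshake resource and the specific port need R and W.
    for resource in ("/site-to-site", f"/data-transfer/input-ports/{input_port_id}"):
        for action in ("R", "W"):
            if user_id not in grants.get((resource, action), set()):
                problems.append(f"{identity} lacks {action} on {resource}")
    return problems


if __name__ == "__main__":
    for label, xml in (("good", GOOD_AUTHORIZATIONS_XML), ("broken", BROKEN_AUTHORIZATIONS_XML)):
        print(label, check_s2s_access(USERS_XML, xml, IDENTITY, INPUT_PORT_ID) or ["ok"])
```

To run it against a real installation, read the two files from your NiFi conf directory into the string arguments; the identity must be spelled exactly as NiFi stored it in users.xml.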

Then restart NiFi again, and test that you can connect to it using HTTPS:

# -k skips verification of the server certificate; to verify it against the CA
# that tls-toolkit generated, replace -k with --cacert /opt/nifi/data/ssl/nifi-cert.pem
# This should give a large HTML response
curl -k --key /opt/nifi/data/ssl/nifi-rest.key --cert /opt/nifi/data/ssl/nifi-rest.crt https://<hostname>:9443/nifi/

# This should give a JSON response
curl -k --key /opt/nifi/data/ssl/nifi-rest.key --cert /opt/nifi/data/ssl/nifi-rest.crt https://<hostname>:9443/nifi-api/site-to-site/
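Step 5 locks down the CN=minifi_OU=NIFI.* files and the <hostname> directory, but files written by other tools (the key extracted with openssl, or anything copied into the directory later) keep whatever mode the umask gave them. The following script is an added example, not part of NiFi, the toolkit or this guide: it walks the ssl directory and reports key material that group or other can read. It builds its own constructed copy of the step 4 layout in a temporary directory, with a placeholder hostname, so it runs without a real installation.

```python
"""Flag key material under the ssl directory that group or other can read.

Added example for this page; not part of NiFi, the toolkit, or the guide.
The sample tree is constructed here with a placeholder hostname and
placeholder file contents; point overexposed_key_material() at
/opt/nifi/data/ssl to check a real directory.
"""
import os
import stat
import tempfile

# Suffixes of files that hold private keys or the secrets protecting them.
SENSITIVE_SUFFIXES = (".key", ".p12", ".password", ".jks")


def overexposed_key_material(base_dir):
    """Return sorted (path, octal mode) pairs for sensitive files with any group/other bits."""
    findings = []
    for root, _dirs, files in os.walk(base_dir):
        for name in files:
            if not name.endswith(SENSITIVE_SUFFIXES):
                continue
            path = os.path.join(root, name)
            mode = stat.S_IMODE(os.lstat(path).st_mode)
            if mode & 0o077:  # any permission bit for group or other
                findings.append((path, oct(mode)))
    return sorted(findings)


def overexposed_names(base_dir):
    """Convenience wrapper returning only the file names of the findings."""
    return [os.path.basename(path) for path, _mode in overexposed_key_material(base_dir)]


def build_sample_tree():
    """Create a constructed copy of the step 4 layout in a 0700 temp dir and return its path."""
    base = tempfile.mkdtemp(prefix="nifi-ssl-check-")
    host_dir = os.path.join(base, "nifi.example.invalid")  # placeholder for <hostname>
    os.mkdir(host_dir)
    os.chmod(host_dir, 0o700)
    layout = {
        "CN=minifi_OU=NIFI.p12": 0o600,       # locked down by step 5
        "CN=minifi_OU=NIFI.password": 0o600,  # locked down by step 5
        "nifi-rest.key": 0o644,               # extracted by openssl with the default umask
        "nifi-rest.crt": 0o644,               # public certificate, fine
        "nifi-cert.pem": 0o644,               # CA certificate, fine
        os.path.join("nifi.example.invalid", "keystore.jks"): 0o640,   # group-readable keystore
        os.path.join("nifi.example.invalid", "truststore.jks"): 0o600,
    }
    for rel, mode in layout.items():
        path = os.path.join(base, rel)
        with open(path, "w") as fh:
            fh.write("constructed placeholder, not real key material\n")
        os.chmod(path, mode)
    return base


if __name__ == "__main__":
    sample = build_sample_tree()
    for path, mode in overexposed_key_material(sample):
        print(f"{mode} {path}")
```

On the constructed tree this reports nifi-rest.key (0o644) and keystore.jks (0o640); the .crt and .pem files are public and are not flagged.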


For Mac, https://kylo.readthedocs.io/en/v0.10.0/security/ConfigureNiFiWithSSL.html has instructions on how to tell your browser to trust this self-signed certificate.  On Firefox/Windows, follow these steps: https://support.globalsign.com/digital-certificates/digital-certificate-installation/install-client-digital-certificate-firefox-windows.  On Firefox/Linux, the steps are similar; the View Certificates dialog is at Preferences → Privacy & Security (scroll to the bottom).  After you have added the CN=minifi_OU=NIFI.p12 client certificate under Your Certificates (enter the contents of CN=minifi_OU=NIFI.password when prompted) and then open https://<hostname>:9443/nifi/, you will still get a "Potential Security Risk Ahead" warning about the certificate, but now you can click Advanced → Accept the Risk and Continue (you only need to do this the first time).


If everything is OK so far, then configure MiNiFi to use the certificate:

  1. Set up the certificate in minifi.properties:

    nifi.remote.input.secure=true
    nifi.security.need.ClientAuth=false
    nifi.security.client.certificate=/opt/nifi/data/ssl/nifi-rest.crt
    nifi.security.client.private.key=/opt/nifi/data/ssl/nifi-rest.key
    nifi.security.client.pass.phrase=/opt/nifi/data/ssl/CN=minifi_OU=NIFI.password
    nifi.security.client.ca.certificate=/opt/nifi/data/ssl/nifi-cert.pem
    
    # These are not needed
    #nifi.rest.api.user.name=
    #nifi.rest.api.password=
  2. Update the NiFi address in config.yml by changing http to https and changing the port from 8080 to 9443 in the Remote Process Group:

    Remote Process Groups:
    - id: 1ca9d943-0175-1000-2188-4d25f7418459
      name: https://<hostname>:9443/nifi/
      url: https://<hostname>:9443/nifi/
      comment: ''
      timeout: 30 secs
      yield period: 10 sec
      transport protocol: RAW
      proxy host: ''
      proxy port: ''
      proxy user: ''
      proxy password: ''
      local network interface: ''
      Input Ports:
      - id: c171f9da-689f-41e2-98c4-9d785c59c306
        name: c171f9da-689f-41e2-98c4-9d785c59c306
        comment: ''
        max concurrent tasks: 1
        use compression: true
      Output Ports: []

    And restart MiNiFi.
