[ https://issues.apache.org/jira/browse/NIFI-4022?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16109588#comment-16109588 ]
ASF GitHub Bot commented on NIFI-4022: -------------------------------------- GitHub user YolandaMDavis opened a pull request: https://github.com/apache/nifi/pull/2046 NIFI-4022 - Enabled SASL auth scheme/ACL support for Curator use Enhancement allows user to enable SASL based ACL's for nodes created via Curator for cluster management (e.g. leader election nodes, Cluster Coordinator/Primary Nodes). For testing would recommend the following actions: 1) Follow the updated administrator guide (included in PR as a separate commit) for enabling kerberos on Zookeeper (external or embedded) and NiFi 2)Testing with nifi nodes where principals vary across servers. For example nifi/instan...@realm.com vs nifi/instan...@realm.com. In this case the kerberos.removeHostFromPrincipal would need to be true (in both zookeeper.properties and nifi.properties) to ensure that the user will be normalized as n...@realm.com for acls. 3) Ensuring leader election scenarios work as expected with acls in place on the /nifi path (acl should be 'sasl', <user> cdrwa and 'world', anyone r). Recommended scenario is removal of Cluster Coordinator from a cluster to ensure new coordinator is elected. Thank you for submitting a contribution to Apache NiFi. In order to streamline the review of the contribution we ask you to ensure the following steps have been taken: ### For all changes: - [x] Is there a JIRA ticket associated with this PR? Is it referenced in the commit message? - [x] Does your PR title start with NIFI-XXXX where XXXX is the JIRA number you are trying to resolve? Pay particular attention to the hyphen "-" character. - [ ] Has your PR been rebased against the latest commit within the target branch (typically master)? - [ ] Is your initial contribution a single, squashed commit? ### For code changes: - [ ] Have you ensured that the full suite of tests is executed via mvn -Pcontrib-check clean install at the root nifi folder? - [x] Have you written or updated unit tests to verify your changes? - [ ] If adding new dependencies to the code, are these dependencies licensed in a way that is compatible for inclusion under [ASF 2.0](http://www.apache.org/legal/resolved.html#category-a)? - [ ] If applicable, have you updated the LICENSE file, including the main LICENSE file under nifi-assembly? - [ ] If applicable, have you updated the NOTICE file, including the main NOTICE file found under nifi-assembly? - [ ] If adding new Properties, have you added .displayName in addition to .name (programmatic access) for each of the new properties? ### For documentation related changes: - [x] Have you ensured that format looks appropriate for the output in which it is rendered? ### Note: Please ensure that once the PR is submitted, you check travis-ci for build issues and submit an update to your PR as soon as possible. You can merge this pull request into a Git repository by running: $ git pull https://github.com/YolandaMDavis/nifi NIFI-4022 Alternatively you can review and apply these changes as the patch at: https://github.com/apache/nifi/pull/2046.patch To close this pull request, make a commit to your master/trunk branch with (at least) the following in the commit message: This closes #2046 ---- commit 9e43229ed409527ffe3bab0b3bdb7584e64ce98e Author: Yolanda M. Davis <yolanda.m.da...@gmail.com> Date: 2017-07-31T17:27:48Z NIFI-4022 - Initial update for SASL support for cluster management in Zookeeper commit 588a5ca995c46f94e893b249a787be7c8104e060 Author: Yolanda M. Davis <yolanda.m.da...@gmail.com> Date: 2017-08-01T18:31:15Z NIFI-4022 - adding sasl documentation update and update to test ---- > Use SASL Auth Scheme For Secured Zookeeper Client Interaction > ------------------------------------------------------------- > > Key: NIFI-4022 > URL: https://issues.apache.org/jira/browse/NIFI-4022 > Project: Apache NiFi > Issue Type: Bug > Affects Versions: 1.2.0 > Reporter: Yolanda M. Davis > Assignee: Yolanda M. Davis > > NiFi uses Zookeeper to assist in cluster orchestration including leader > elections for Primary Node and Cluster Coordinator and to store state for > various processors (such as MonitorActivity). In secured Zookeeper > environments (supported by SASL + Kerberos) NiFi should protect the zNodes it > creates to prevent users or hosts, outside of a NiFi cluster, from accessing > or modifying entries. In its current implementation security can be enforced > for processors that store state information in Zookeeper, however zNodes used > for managing Primary Node and Cluster Coordinator data are left open and > susceptible to change from any user. Also when zNodes are secured for > processor state, a “Creator Only” policy is used which allows the system to > determine the identification of the NiFi node and protect any zNodes created > with that node id using Zookeeper’s “auth” scheme. The challenge with this > scheme is that it limits the ability for other NiFi nodes in the cluster to > access that zNode if needed (since it is specifically binds that zNode to the > unique id of its creator). > > To best protect zNodes created in Zookeeper by NiFi while maximizing NiFi’s > ability to share information across the cluster I propose that we move to > using Zookeeper’s SASL authentication scheme, which will allow the use of > Kerberos principals for securing zNode with the appropriate permissions. For > maximum flexibility, these principals can be mapped appropriately in > Zookeeper, using auth-to-local rules, to ensure that nodes across the cluster > can share zNodes as needed. > > Potential Concerns/Challenges for Discussion: > > 1) For existing NiFi users how will we migrate Zookeeper entries from > the old security scheme to the new scheme? > 2) How should zNodes be reverted to open if kerberos is disabled? > 3) What will the performance impact be on the cluster once SASL scheme > is enabled (since we’d be moving from open to protected)? Would require > investigation > 4) Currently users can control authentication scheme via state > management configuration for processors yet not for clusters. Should we > still maintain the practice of allowing schemes to be configurable for > processors (with SASL being the new default)? -- This message was sent by Atlassian JIRA (v6.4.14#64029)