Hi

I'm sorry if this is a repeated question (I posted it on this site:
http://bryanbende.com/development/2016/08/30/apache-nifi-1.0.0-secure-site-to-site
and I added another question to it):

I read this article,
http://bryanbende.com/development/2016/08/30/apache-nifi-1.0.0-secure-site-to-site,
about secure NiFi site-to-site setup, and I'm sorry if the following
questions look silly; this "security" thing is all new to me.

In the part:

'In nifi-2 create a user with the DN of the certificate being used by
nifi-1, in my case this is "CN=localhost, OU=NIFI"'

By looking at the "tls" command:

    ./bin/tls-toolkit.sh standalone -c ca.nifi.apache.org -C 'CN=bbende, OU=ApacheNiFi' -n 'localhost(2)'

   1. I can see that hostnames are specified by "localhost", but the OU is
   "NIFI", not "ApacheNiFi". Is this a typo? If not, how can I get the
   generated DN for the specified hosts?
   2. If I generate certificates for 2 hosts and later want to add a third
   host, should I run the "tls" command again for all 3 hosts (I assume the
   generated truststore has the certificates for the 3 hosts)? Or can I just
   run the "tls" command for the third host? If so, how do I add the
   certificate of the third host to the other 2 hosts, and vice versa?
   3. The "initial-admin-identity": should it always be specified by
   "certificate", or can I set up LDAP first and use one of the LDAP entries
   as the "initial admin" without a certificate?
   4. In this article, each site is considered as a user trying to access
   the workflow at the other site. If I have LDAP at "site_1", and a "user_1"
   logs in to "site_1" using a password, then "user_1" wants to send some
   request to "site_2" using secure site-to-site; "site_2" also has another
   LDAP, "user_1" has another account at "site_2", and I want "site_2" to
   respond to "user_1"'s request depending on "user_1"'s authentication and
   authorization, not "site_1"'s certificate. "user_1" does not want to log
   in to each site; "user_1" wants to log in only to "site_1", so "user_1"'s
   accounts at "site_1" and "site_2" should be mapped to each other (I think
   the account mapping in the NiFi docs talks only about mapping on the same
   site, not across different sites). I wonder what is the best way to
   implement the previous scenario? "site_1" can authenticate "user_1" using
   LDAP, but can "site_1" extract "user_1"'s credentials from LDAP and pass
   them through secure site-to-site to "site_2", so that "site_2"
   authenticates "user_1" using its own LDAP?
   5. According to Bryan's article,
   http://bryanbende.com/development/2016/08/22/apache-nifi-1.0.0-using-the-apache-ranger-authorizer,
   authorization can be done by "Apache Ranger", but as I understand it,
   "Apache Ranger" works only on the Hadoop ecosystem. I wonder if you can
   suggest other open source central security tools like Apache Ranger that
   can work with NiFi site-to-site and are not limited to the Hadoop
   ecosystem?


Sorry for the many questions.

Regards

-- 
Mohammed

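An added example for questions 1 and 2 above (it is not part of the original post and is not Apache NiFi or tls-toolkit code): a plain openssl re-enactment of the trust model the tls-toolkit standalone mode is assumed to use, namely one CA, every host certificate signed by that CA, and a truststore that holds only the CA certificate. It shows how to read back the subject DN of a generated host certificate in the "CN=host, OU=NIFI" form that goes into the peer's user entry, and why a third host signed later by the same CA is trusted without touching the first two hosts' truststores, while a certificate from outside that CA is rejected. The CA name, the host names nifi-1/nifi-2/nifi-3, the "OU=NIFI" suffix and the rogue peer are assumptions chosen for the demo.

```shell
#!/bin/sh
# Added example, not from the original post and not NiFi/tls-toolkit code.
# Assumed model: one CA signs every host certificate, and each host's
# truststore contains only that CA certificate.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CA_SUBJ="/CN=ca.nifi.apache.org/OU=NIFI"   # assumed CA DN, mirrors the -c value

# Create the self-signed CA once. Every host certificate is signed with ca.key.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "$CA_SUBJ" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" >/dev/null 2>&1
}

# Issue a host certificate with DN "CN=<host>, OU=NIFI", signed by the CA.
issue_host_cert() {
  host=$1
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$host/OU=NIFI" \
    -keyout "$WORK/$host.key" -out "$WORK/$host.csr" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/$host.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 30 -out "$WORK/$host.crt" >/dev/null 2>&1
}

# Print the subject DN of a host certificate as "CN=host, OU=NIFI", the
# string a peer would enter as the user identity for this host.
host_dn() {
  openssl x509 -in "$WORK/$1.crt" -noout -subject -nameopt sep_comma_plus_space \
    | sed 's/^subject= *//'
}

# Validate a host certificate against the CA certificate alone, which is what
# a truststore containing only the CA entry does when a peer connects.
verify_against_ca() {
  openssl verify -CAfile "$WORK/ca.crt" "$WORK/$1.crt" >/dev/null 2>&1
}

# A self-signed certificate from outside the CA: a peer that was never issued
# by this CA and must not be trusted even though its DN looks right.
make_rogue_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=rogue/OU=NIFI" \
    -keyout "$WORK/rogue.key" -out "$WORK/rogue.crt" >/dev/null 2>&1
}

make_ca
issue_host_cert nifi-1
issue_host_cert nifi-2
# Later: a third node is added. Only the CA is needed to sign it; nifi-1 and
# nifi-2 keep their CA-only truststores unchanged.
issue_host_cert nifi-3
make_rogue_cert

for h in nifi-1 nifi-2 nifi-3; do
  echo "$h DN for the peer's user entry: $(host_dn "$h")"
  verify_against_ca "$h" && echo "$h: trusted via the CA-only truststore"
done
verify_against_ca rogue || echo "rogue: rejected, not signed by the CA"
```

With the JKS files the toolkit writes, the same DN check is `keytool -list -v -keystore keystore.jks` (the Owner line), and the same trust question is whether the peer's truststore contains the CA certificate rather than each individual host certificate.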