Hum OK,

I will give it a try.
But one more thing...

If I only set the group node,
how will NiFi connect the node with the nodeId in the LDAP?
Where does it take the nodeId value from?
Is it the value we set in the keystore / truststore, by default
cn=localhost, dc=NIFI (something like this)?

Etienne


On Mon, Nov 23, 2020 at 17:54, Bryan Bende <bbe...@gmail.com> wrote:

> I don't really know the LDAP specifics too well, so I'm not actually sure.
>
> You just need the nodes to come back from the LDAP UserGroupProvider
> as if they were regular users and members of some group "foo", which
> you then put "foo" into the "Node Group".
>
> On Mon, Nov 23, 2020 at 11:50 AM Etienne Jouvin <lapinoujou...@gmail.com>
> wrote:
> >
> > Thanks Bryan.
> >
> > With your answer.... I will go to the Node Group and assign node identities.
> > Better for deployment and setup on the fly, I guess.
> >
> > One more point, you said "creating ldap entries for your nodes and assigning them group membership in ldap". What type of objectClass would you assign to the node in LDAP?
> > This is not inetOrgPerson. The node should not have a password.
> > If I create groupOfMembers for each node, is it correct?
> >
> >
> > Thanks
> >
> > Etienne
> >
> >
> >
> > On Mon, Nov 23, 2020 at 17:27, Bryan Bende <bbe...@gmail.com> wrote:
> >>
> >> Hello,
> >>
> >> "Node Identity" is similar to the "Initial Admin" concept, in that it
> >> sets up the policies for the initial nodes to have permissions to
> >> proxy.
> >>
> >> If you are creating ldap entries for your nodes and assigning them
> >> group membership in ldap, then yes you could put that group name as
> >> the "Node Group" and then you don't need to specify the "Node
> >> Identities".
> >>
> >> If you are creating the node users in NiFi's file-based user group
> >> provider then you need to use node identities, and when adding a new
> >> node to the cluster you'd have to add the user first through the
> >> UI/REST API and grant it proxy, then actually connect it to the
> >> cluster.
> >>
> >> Thanks,
> >>
> >> Bryan
> >>
> >>
> >> On Mon, Nov 23, 2020 at 7:58 AM Etienne Jouvin <lapinoujou...@gmail.com> wrote:
> >> >
> >> > Hello all.
> >> >
> >> >
> >> > I am currently setting up a NiFi 1.12.1 cluster with LDAP authentication.
> >> > For now the accessPolicyProvider is the default one with the configuration template:
> >> >     <accessPolicyProvider>
> >> >         <identifier>file-access-policy-provider</identifier>
> >> >         <class>org.apache.nifi.authorization.FileAccessPolicyProvider</class>
> >> >         <property name="User Group Provider">file-user-group-provider</property>
> >> >         <property name="Authorizations File">./conf/authorizations.xml</property>
> >> >         <property name="Initial Admin Identity"></property>
> >> >         <property name="Legacy Authorized Users File"></property>
> >> >         <property name="Node Identity 1"></property>
> >> >         <property name="Node Group"></property>
> >> >     </accessPolicyProvider>
> >> >
> >> > But I do not really understand the purpose of the Node Identity X property.
> >> > If I understood correctly, all nodes should have the same configuration file, and I should register all node identities.
> >> >
> >> > But what if I want to add a new node to the cluster on the fly?
> >> > Should I register a new node identity, and then change all node configurations?
> >> > The comment in the configuration file mentions the Node Group setting: The name of a group containing NiFi cluster nodes. The typical use for this is when nodes are dynamically added/removed from the cluster.
> >> > Should I just put a Node Group name and this will do the trick?
> >> >
> >> > What should I put? The following link, https://docs.cloudera.com/HDPDocuments/HDF3/HDF-3.0.3/bk_administration/content/cluster-node-identities.html, says something like: cn=nifi-1,ou=people,dc=example,dc=com
> >> > In that case, what should be the object class for the node cn=nifi-1 in the LDAP?
> >> >
> >> > Any documentation links will be appreciated.
> >> >
> >> > Regards.
> >> >
> >> > Etienne Jouvin
>
