Hello. I made some progress yesterday. I did set up LDAP groups and persons.

Groups:
cn=administrators,ou=groups,ou=nifi,dc=amexio,dc=ch : for administrators
cn=supervisors,ou=groups,ou=nifi,dc=amexio,dc=ch : for supervisors
cn=nodes,ou=groups,ou=nifi,dc=amexio,dc=ch : group where I put all "person" entries representing NiFi nodes

Users:
cn=migX.amexio.ch,ou=users,ou=nifi,dc=amexio,dc=ch : for each node, replacing X by the index, with object class person
uid=mig-admin,ou=users,ou=nifi,dc=amexio,dc=ch : example of a "real" user used to connect to the platform, with object class inetOrgPerson

In the NiFi configuration, I activated a userGroupProvider linked to the LDAP:

<userGroupProvider>
    <identifier>amexio-ldap-user-group-provider</identifier>
    <class>org.apache.nifi.ldap.tenants.LdapUserGroupProvider</class>
    <property name="Authentication Strategy">SIMPLE</property>
    <property name="Manager DN">uid=admin,ou=system</property>
    <property name="Manager Password">secret</property>
    <property name="TLS - Keystore"></property>
    <property name="TLS - Keystore Password"></property>
    <property name="TLS - Keystore Type"></property>
    <property name="TLS - Truststore"></property>
    <property name="TLS - Truststore Password"></property>
    <property name="TLS - Truststore Type"></property>
    <property name="TLS - Client Auth"></property>
    <property name="TLS - Protocol"></property>
    <property name="TLS - Shutdown Gracefully"></property>
    <property name="Referral Strategy">FOLLOW</property>
    <property name="Connect Timeout">10 secs</property>
    <property name="Read Timeout">10 secs</property>
    <property name="Url">ldap://localhost:10389</property>
    <property name="Page Size">50</property>
    <!-- <property name="Sync Interval">30 mins</property> -->
    <property name="Sync Interval">30 seconds</property>
    <property name="Group Membership - Enforce Case Sensitivity">false</property>
    <property name="User Search Base">ou=users,ou=nifi,dc=amexio,dc=ch</property>
    <property name="User Object Class">person</property>
    <property name="User Search Scope">ONE_LEVEL</property>
    <property name="User Search Filter"></property>
    <property name="User Identity Attribute"></property>
    <property name="User Group Name Attribute"></property>
    <property name="User Group Name Attribute - Referenced Group Attribute"></property>
    <property name="Group Search Base">ou=groups,ou=nifi,dc=amexio,dc=ch</property>
    <property name="Group Object Class">groupOfNames</property>
    <property name="Group Search Scope">ONE_LEVEL</property>
    <property name="Group Search Filter"></property>
    <property name="Group Name Attribute">cn</property>
    <property name="Group Member Attribute">member</property>
    <property name="Group Member Attribute - Referenced User Attribute"></property>
</userGroupProvider>

Of course, I registered it inside the accessPolicyProvider:

<accessPolicyProvider>
    <identifier>file-access-policy-provider</identifier>
    <class>org.apache.nifi.authorization.FileAccessPolicyProvider</class>
    <!-- <property name="User Group Provider">file-user-group-provider</property> -->
    <property name="User Group Provider">amexio-ldap-user-group-provider</property>
    <property name="Authorizations File">./conf/authorizations.xml</property>
    <!-- <property name="Initial Admin Identity"></property> -->
    <property name="Initial Admin Identity">uid=mig-admin,ou=users,ou=nifi,dc=amexio,dc=ch</property>
    <property name="Legacy Authorized Users File"></property>
    <property name="Node Identity 1"></property>
    <property name="Node Group">nodes</property>
</accessPolicyProvider>

I am able to connect with the initial administrator account when the first node is started, and all nodes are synchronized in the NiFi instance.

As soon as I start an additional node, I can not connect to the first node. Error message:
Untrusted proxy CN=mig1.amexio.ch, OU=users, OU=nifi, DC=amexio, DC=ch

But I can connect to the second node. So all this is about the certificate, I guess.
As a reminder, I use tls-toolkit to generate the certificate on all nodes with something like:
tls-toolkit.bat standalone -f "C:\nifi-1.12.1\node1\conf\nifi.properties" -o "C:\nifi-1.12.1\node1\conf\secured" -n mig1.amexio.ch --nifiDnPrefix cn= --nifiDnSuffix ou=users,ou=nifi,dc=amexio,dc=ch

Proxy is untrusted, OK, fine. So maybe I should not use the standalone function of the toolkit, but use server and client. In that case, do I have to keep the toolkit server alive?
Also, it seems I did not add the certificate from node1 inside node2's truststore, and node2's certificate inside node1's truststore? But in this case, if I have to add a new node, let's say node4, I would have to push the certificate from node4 inside all existing nodes?

I continue to search, but any idea / input will be appreciated.

Etienne

On Mon, 23 Nov 2020 at 18:39, Bryan Bende <bbe...@gmail.com> wrote:
> Yes it will be the DN of the server's certificate which comes from the
> keystore.
>
> NiFi will get an incoming request, see that there is an X509 cert,
> take the DN and go to the user group provider and ask for the user
> with this identity.
>
> On Mon, Nov 23, 2020 at 12:01 PM Etienne Jouvin <lapinoujou...@gmail.com> wrote:
> >
> > Hum OK,
> >
> > I will give it a try.
> > But one more thing...
> >
> > If I only set the node group;
> > How will NiFi connect the node with the nodeId in the LDAP ?
> > Where does it take the nodeId value from ?
> > Is it the value we set in the keystore / truststore, by default cn=localhost, dc=NIFI (something like this) ?
> >
> > Etienne
> >
> >
> > On Mon, 23 Nov 2020 at 17:54, Bryan Bende <bbe...@gmail.com> wrote:
> >>
> >> I don't really know the LDAP specifics too well, so I'm not actually sure.
> >>
> >> You just need the nodes to come back from the LDAP UserGroupProvider
> >> as if they were regular users and members of some group "foo", and
> >> then you put "foo" into the "Node Group".
> >>
> >> On Mon, Nov 23, 2020 at 11:50 AM Etienne Jouvin <lapinoujou...@gmail.com> wrote:
> >> >
> >> > Thanks Bryan.
> >> >
> >> > With your answer.... I will go to the Node Group and assign node identities.
> >> > Better for deployment and setup on the fly, I guess.
> >> >
> >> > One more point, you said "creating ldap entries for your nodes and assigning them group membership in ldap". What type of objectClass would you assign to the node in LDAP ?
> >> > This is not inetOrgPerson. The node should not have a password.
> >> > If I create groupOfMembers for each node, is it correct ?
> >> >
> >> >
> >> > Thanks
> >> >
> >> > Etienne
> >> >
> >> >
> >> >
> >> > On Mon, 23 Nov 2020 at 17:27, Bryan Bende <bbe...@gmail.com> wrote:
> >> >>
> >> >> Hello,
> >> >>
> >> >> "Node Identity" is similar to the "Initial Admin" concept, in that it
> >> >> sets up the policies for the initial nodes to have permissions to
> >> >> proxy.
> >> >>
> >> >> If you are creating ldap entries for your nodes and assigning them
> >> >> group membership in ldap, then yes you could put that group name as
> >> >> the "Node Group" and then you don't need to specify the "Node
> >> >> Identities".
> >> >>
> >> >> If you are creating the node users in NiFi's file-based user group
> >> >> provider then you need to use node identities, and when adding a new
> >> >> node to the cluster you'd have to add the user first through the
> >> >> UI/REST API and grant it proxy, then actually connect it to the
> >> >> cluster.
> >> >>
> >> >> Thanks,
> >> >>
> >> >> Bryan
> >> >>
> >> >>
> >> >> On Mon, Nov 23, 2020 at 7:58 AM Etienne Jouvin <lapinoujou...@gmail.com> wrote:
> >> >> >
> >> >> > Hello all.
> >> >> >
> >> >> >
> >> >> > I am currently setting up a NiFi 1.12.1 cluster with LDAP authentication.
> >> >> > For now the accessPolicyProvider is the default one with the configuration template:
> >> >> > <accessPolicyProvider>
> >> >> >     <identifier>file-access-policy-provider</identifier>
> >> >> >     <class>org.apache.nifi.authorization.FileAccessPolicyProvider</class>
> >> >> >     <property name="User Group Provider">file-user-group-provider</property>
> >> >> >     <property name="Authorizations File">./conf/authorizations.xml</property>
> >> >> >     <property name="Initial Admin Identity"></property>
> >> >> >     <property name="Legacy Authorized Users File"></property>
> >> >> >     <property name="Node Identity 1"></property>
> >> >> >     <property name="Node Group"></property>
> >> >> > </accessPolicyProvider>
> >> >> >
> >> >> > But I do not really understand the purpose of the Node Identity X property.
> >> >> > If I understood well, all nodes should have the same configuration file, and I should register all node identities.
> >> >> >
> >> >> > But what about if I want to add a new node in the cluster on the fly ?
> >> >> > Should I register a new node identity, and then change all node configurations ?
> >> >> > The comment in the configuration file mentions the configuration Node Group: "The name of a group containing NiFi cluster nodes. The typical use for this is when nodes are dynamically added/removed from the cluster."
> >> >> > Should I just put a Node Group name and this will do the trick ?
> >> >> >
> >> >> > What should I put ? At the following link, https://docs.cloudera.com/HDPDocuments/HDF3/HDF-3.0.3/bk_administration/content/cluster-node-identities.html, something like this is said: cn=nifi-1,ou=people,dc=example,dc=com
> >> >> > In that case, what should be the object class for the node cn=nifi-1 in the LDAP ?
> >> >> >
> >> >> > Any documentation links will be appreciated.
> >> >> >
> >> >> > Regards.
> >> >> >
> >> >> > Etienne Jouvin
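The "Untrusted proxy" error in this thread quotes the node's identity as the X.509 DN "CN=mig1.amexio.ch, OU=users, OU=nifi, DC=amexio, DC=ch", while the LDAP entry for the same node is written "cn=mig1.amexio.ch,ou=users,ou=nifi,dc=amexio,dc=ch"; as Bryan says, the authorizer looks the identity up as a string, so the two must compare equal for the node to be found in the "nodes" group. The Python below is an added example (not code from the thread or from NiFi) that mimics how a NiFi identity mapping (the nifi.security.identity.mapping.pattern/value/transform properties in nifi.properties) would rewrite the certificate identity into the LDAP form; the pattern and value are constructed for illustration, and that this mismatch is the cause of the error is an assumption.

```python
import re

# Identity strings taken from the thread: the X.509 DN NiFi reports in the
# "Untrusted proxy" error, and the LDAP DN of the same node's entry.
CERT_IDENTITY = "CN=mig1.amexio.ch, OU=users, OU=nifi, DC=amexio, DC=ch"
LDAP_IDENTITY = "cn=mig1.amexio.ch,ou=users,ou=nifi,dc=amexio,dc=ch"

# Constructed values in the shape of NiFi's identity mapping properties
# (nifi.security.identity.mapping.pattern.dn / .value.dn / .transform.dn).
# The pattern is a Java regex; the value uses $1..$n group references.
MAPPING = {
    "pattern": r"^CN=(.*?), OU=(.*?), OU=(.*?), DC=(.*?), DC=(.*?)$",
    "value": "cn=$1,ou=$2,ou=$3,dc=$4,dc=$5",
    "transform": "LOWER",  # NONE, LOWER or UPPER
}


def apply_identity_mapping(identity: str, mapping: dict) -> str:
    """Mimic one NiFi identity mapping: when the pattern matches the whole
    identity, rewrite it with the value template and apply the transform;
    otherwise leave the identity untouched."""
    match = re.fullmatch(mapping["pattern"], identity)
    if not match:
        return identity
    # Translate Java-style $n group references into Python's \g<n>.
    template = re.sub(r"\$(\d+)", r"\\g<\1>", mapping["value"])
    mapped = match.expand(template)
    transform = mapping.get("transform", "NONE").upper()
    if transform == "LOWER":
        return mapped.lower()
    if transform == "UPPER":
        return mapped.upper()
    return mapped


def identities_match(cert_identity: str, ldap_identity: str, mapping: dict) -> bool:
    """True when the mapped certificate identity equals the LDAP identity
    character for character, which is what the user lookup requires."""
    return apply_identity_mapping(cert_identity, mapping) == ldap_identity


if __name__ == "__main__":
    print("raw match:   ", CERT_IDENTITY == LDAP_IDENTITY)
    print("mapped:      ", apply_identity_mapping(CERT_IDENTITY, MAPPING))
    print("mapped match:", identities_match(CERT_IDENTITY, LDAP_IDENTITY, MAPPING))
```

The admin identity "uid=mig-admin,..." does not match the pattern and passes through unchanged, so a mapping written this narrowly only touches the node certificates.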