Hello.

I made some progress yesterday.
I set up groups and person entries in LDAP.

Groups:
cn=administrators,ou=groups,ou=nifi,dc=amexio,dc=ch : for administrators
cn=supervisors,ou=groups,ou=nifi,dc=amexio,dc=ch : for supervisors
cn=nodes,ou=groups,ou=nifi,dc=amexio,dc=ch : the group where I put all the "person"
entries representing NiFi nodes.

Users:
cn=migX.amexio.ch,ou=users,ou=nifi,dc=amexio,dc=ch : one for each node,
replacing X by the node index, with object class person
uid=mig-admin,ou=users,ou=nifi,dc=amexio,dc=ch : example of a "real" user
used to connect to the platform, with object class inetOrgPerson

In the NiFi configuration, I activated a userGroupProvider linked to the LDAP:
    <userGroupProvider>
        <identifier>amexio-ldap-user-group-provider</identifier>
        <class>org.apache.nifi.ldap.tenants.LdapUserGroupProvider</class>
        <property name="Authentication Strategy">SIMPLE</property>

        <property name="Manager DN">uid=admin,ou=system</property>
        <property name="Manager Password">secret</property>

        <property name="TLS - Keystore"></property>
        <property name="TLS - Keystore Password"></property>
        <property name="TLS - Keystore Type"></property>
        <property name="TLS - Truststore"></property>
        <property name="TLS - Truststore Password"></property>
        <property name="TLS - Truststore Type"></property>
        <property name="TLS - Client Auth"></property>
        <property name="TLS - Protocol"></property>
        <property name="TLS - Shutdown Gracefully"></property>

        <property name="Referral Strategy">FOLLOW</property>
        <property name="Connect Timeout">10 secs</property>
        <property name="Read Timeout">10 secs</property>

        <property name="Url">ldap://localhost:10389</property>
        <property name="Page Size">50</property>
<!--        <property name="Sync Interval">30 mins</property> -->
        <property name="Sync Interval">30 seconds</property>
        <property name="Group Membership - Enforce Case Sensitivity">false</property>

        <property name="User Search Base">ou=users,ou=nifi,dc=amexio,dc=ch</property>
        <property name="User Object Class">person</property>
        <property name="User Search Scope">ONE_LEVEL</property>
        <property name="User Search Filter"></property>
        <property name="User Identity Attribute"></property>
        <property name="User Group Name Attribute"></property>
        <property name="User Group Name Attribute - Referenced Group Attribute"></property>

        <property name="Group Search Base">ou=groups,ou=nifi,dc=amexio,dc=ch</property>
        <property name="Group Object Class">groupOfNames</property>
        <property name="Group Search Scope">ONE_LEVEL</property>
        <property name="Group Search Filter"></property>
        <property name="Group Name Attribute">cn</property>
        <property name="Group Member Attribute">member</property>
        <property name="Group Member Attribute - Referenced User Attribute"></property>
    </userGroupProvider>

Of course, I registered it inside the accessPolicyProvider:
    <accessPolicyProvider>
        <identifier>file-access-policy-provider</identifier>
        <class>org.apache.nifi.authorization.FileAccessPolicyProvider</class>
<!--        <property name="User Group Provider">file-user-group-provider</property> -->
        <property name="User Group Provider">amexio-ldap-user-group-provider</property>
        <property name="Authorizations File">./conf/authorizations.xml</property>
<!--        <property name="Initial Admin Identity"></property> -->
        <property name="Initial Admin Identity">uid=mig-admin,ou=users,ou=nifi,dc=amexio,dc=ch</property>
        <property name="Legacy Authorized Users File"></property>
        <property name="Node Identity 1"></property>
        <property name="Node Group">nodes</property>
    </accessPolicyProvider>

I am able to connect with the initial administrator account when the first
node is started.
And all nodes are synchronized in the NiFi instance.

As soon as I start an additional node, I cannot connect to the first node.
Error message:
Untrusted proxy CN=mig1.amexio.ch, OU=users, OU=nifi, DC=amexio, DC=ch

But I can connect to the second node.

So I guess all this is about the certificates.
As a reminder, I use tls-toolkit to generate the certificate on all nodes with
something like:
tls-toolkit.bat standalone -f "C:\nifi-1.12.1\node1\conf\nifi.properties"
-o "C:\nifi-1.12.1\node1\conf\secured" -n mig1.amexio.ch --nifiDnPrefix cn=
--nifiDnSuffix ou=users,ou=nifi,dc=amexio,dc=ch

The proxy is untrusted, OK, fine. So maybe I should not use the standalone
function of the toolkit, but the server and client ones instead. In that case,
do I have to keep the toolkit server alive?
Also, it seems I did not add the certificate from node1 inside node2's truststore,
nor the node2 certificate inside node1's truststore?
But in this case, if I have to add a new node, let's say node4, would I have
to push the certificate from node4 into all existing nodes?

I will keep searching, but any idea/input will be appreciated.

Etienne


On Mon, Nov 23, 2020 at 18:39, Bryan Bende <bbe...@gmail.com> wrote:

> Yes it will be the DN of the server's certificate which comes from the
> keystore.
>
> NiFi will get an incoming request, see that there is an X509 cert,
> take the DN and go to the user group provider and ask for the user
> with this identity.
>
> On Mon, Nov 23, 2020 at 12:01 PM Etienne Jouvin <lapinoujou...@gmail.com>
> wrote:
> >
> > Hum OK,
> >
> > I will give it a try.
> > But one more thing...
> >
> > If I only set the Node Group,
> > how will NiFi connect the node with the nodeId in the LDAP?
> > Where does it take the nodeId value from?
> > Is it the value we set in the keystore / truststore, by default
> > cn=localhost, dc=NIFI (something like this)?
> >
> > Etienne
> >
> >
> > On Mon, Nov 23, 2020 at 17:54, Bryan Bende <bbe...@gmail.com> wrote:
> >>
> >> I don't really know the LDAP specifics too well, so I'm not actually
> sure.
> >>
> >> You just need the nodes to come back from the LDAP UserGroupProvider
> >> as if they were regular users and members of some group "foo", which
> >> you then put "foo" into the "Node Group".
> >>
> >> On Mon, Nov 23, 2020 at 11:50 AM Etienne Jouvin <
> lapinoujou...@gmail.com> wrote:
> >> >
> >> > Thanks Bryan.
> >> >
> >> > With your answer... I will go with the Node Group and assign node
> >> > identities.
> >> > Better for deployment and setup on the fly, I guess.
> >> >
> >> > One more point, you said "creating ldap entries for your nodes and
> >> > assigning them group membership in ldap". What type of objectClass would
> >> > you assign to the node in LDAP?
> >> > This is not inetOrgPerson. The node should not have a password.
> >> > If I create groupOfMembers for each node, is it correct?
> >> >
> >> >
> >> > Thanks
> >> >
> >> > Etienne
> >> >
> >> >
> >> >
> >> > On Mon, Nov 23, 2020 at 17:27, Bryan Bende <bbe...@gmail.com> wrote:
> >> >>
> >> >> Hello,
> >> >>
> >> >> "Node Identity" is similar to the "Initial Admin" concept, in that it
> >> >> sets up the policies for the initial nodes to have permissions to
> >> >> proxy.
> >> >>
> >> >> If you are creating ldap entries for your nodes and assigning them
> >> >> group membership in ldap, then yes you could put that group name as
> >> >> the "Node Group" and then you don't need to specify the "Node
> >> >> Identities".
> >> >>
> >> >> If you are creating the node users in NiFi's file-based user group
> >> >> provider then you need to use node identities, and when adding a new
> >> >> node to the cluster you'd have to add the user first through the
> >> >> UI/REST API and grant it proxy, then actually connect it to the
> >> >> cluster.
> >> >>
> >> >> Thanks,
> >> >>
> >> >> Bryan
> >> >>
> >> >>
> >> >> On Mon, Nov 23, 2020 at 7:58 AM Etienne Jouvin <
> lapinoujou...@gmail.com> wrote:
> >> >> >
> >> >> > Hello all.
> >> >> >
> >> >> >
> >> >> > I am currently setting up a NiFi 1.12.1 cluster with LDAP
> >> >> > authentication.
> >> >> > For now the accessPolicyProvider is the default one with the
> >> >> > configuration template:
> >> >> >     <accessPolicyProvider>
> >> >> >         <identifier>file-access-policy-provider</identifier>
> >> >> >         <class>org.apache.nifi.authorization.FileAccessPolicyProvider</class>
> >> >> >         <property name="User Group Provider">file-user-group-provider</property>
> >> >> >         <property name="Authorizations File">./conf/authorizations.xml</property>
> >> >> >         <property name="Initial Admin Identity"></property>
> >> >> >         <property name="Legacy Authorized Users File"></property>
> >> >> >         <property name="Node Identity 1"></property>
> >> >> >         <property name="Node Group"></property>
> >> >> >     </accessPolicyProvider>
> >> >> >
> >> >> > But I do not really understand the purpose of the Node Identity X
> >> >> > property.
> >> >> > If I understood well, all nodes should have the same configuration
> >> >> > file, and I should register all node identities.
> >> >> >
> >> >> > But what if I want to add a new node to the cluster on the fly?
> >> >> > Should I register a new node identity, and then change all nodes'
> >> >> > configurations?
> >> >> > The comment in the configuration file mentions the Node Group
> >> >> > configuration: "The name of a group containing NiFi cluster nodes. The
> >> >> > typical use for this is when nodes are dynamically added/removed from
> >> >> > the cluster."
> >> >> > Should I just put a node group name and this will do the trick?
> >> >> >
> >> >> > What should I put? At the following link,
> >> >> > https://docs.cloudera.com/HDPDocuments/HDF3/HDF-3.0.3/bk_administration/content/cluster-node-identities.html,
> >> >> > something like this is given: cn=nifi-1,ou=people,dc=example,dc=com
> >> >> > In that case, what should be the object class for the node
> >> >> > cn=nifi-1 in the LDAP?
> >> >> >
> >> >> > Any documentation links will be appreciated.
> >> >> >
> >> >> > Regards.
> >> >> >
> >> >> > Etienne Jouvin
>
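Added example, not code from the thread and not NiFi's own code: a simplified model of the check behind the "Untrusted proxy" message in Etienne's latest mail above. A node's identity is the DN string NiFi reads from the node's client certificate; the node may only proxy requests if the configured user group provider returns a user with exactly that identity string who is a member of the "Node Group". The script assumes that the LdapUserGroupProvider returns each entry's full DN as the identity when "User Identity Attribute" is left empty (the thread's configuration), that the comparison is an exact string match, and it approximates NiFi's identity mapping properties from nifi.properties (nifi.security.identity.mapping.pattern.*, .value.*, .transform.*) with Python regexes. The LDAP users, groups and the certificate DN are constructed from the DNs quoted in the thread.

```python
import re

# Constructed from the thread: identities the LdapUserGroupProvider would return
# for the ou=users entries. With "User Identity Attribute" left empty the
# identity is the entry's full DN, written the way it is stored in LDAP.
LDAP_USERS = {
    "cn=mig1.amexio.ch,ou=users,ou=nifi,dc=amexio,dc=ch",
    "cn=mig2.amexio.ch,ou=users,ou=nifi,dc=amexio,dc=ch",
    "uid=mig-admin,ou=users,ou=nifi,dc=amexio,dc=ch",
}

# Constructed: group name (cn) -> member identities, as the groupOfNames
# "member" attribute would list them.
LDAP_GROUPS = {
    "nodes": {
        "cn=mig1.amexio.ch,ou=users,ou=nifi,dc=amexio,dc=ch",
        "cn=mig2.amexio.ch,ou=users,ou=nifi,dc=amexio,dc=ch",
    },
    "administrators": {"uid=mig-admin,ou=users,ou=nifi,dc=amexio,dc=ch"},
}

NODE_GROUP = "nodes"  # the "Node Group" property of the accessPolicyProvider

# The identity NiFi took from node1's certificate, copied from the error
# message: upper-case attribute types and ", " separators.
CERT_IDENTITY = "CN=mig1.amexio.ch, OU=users, OU=nifi, DC=amexio, DC=ch"

# Hypothetical identity mapping in the style of nifi.properties
# (nifi.security.identity.mapping.pattern.dn / .value.dn / .transform.dn).
MAPPING_PATTERN = r"^CN=(.*?), OU=(.*?), OU=(.*?), DC=(.*?), DC=(.*?)$"
MAPPING_VALUE = "cn=$1,ou=$2,ou=$3,dc=$4,dc=$5"


def map_identity(identity, pattern=None, value=None, transform="NONE"):
    """Apply a NiFi-style identity mapping (assumption: Java regex semantics
    approximated with Python's re; "$n" backreferences are rewritten to
    Python's "\\1"-style ones). An identity that does not match the pattern is
    returned unchanged, which is how NiFi treats non-matching mappings."""
    if pattern is None:
        return identity
    match = re.fullmatch(pattern, identity)
    if match is None:
        return identity
    mapped = match.expand(re.sub(r"\$(\d+)", r"\\\1", value))
    if transform == "LOWER":
        return mapped.lower()
    if transform == "UPPER":
        return mapped.upper()
    return mapped


def dn_components(dn):
    """Split a DN into (type, value) pairs, lower-casing both. Simplified:
    only "\\," escaping is honoured and every attribute is treated as
    case-insensitive, which is enough to show that two spellings name the
    same LDAP entry."""
    pairs = []
    for rdn in re.split(r"(?<!\\),", dn):
        attr_type, _, attr_value = rdn.strip().partition("=")
        pairs.append((attr_type.strip().lower(), attr_value.strip().lower()))
    return pairs


def same_entry(dn_a, dn_b):
    """True when two DN strings refer to the same entry despite differing in
    case or whitespace. NiFi does NOT compare identities this way."""
    return dn_components(dn_a) == dn_components(dn_b)


def is_trusted_proxy(identity):
    """Simplified model of the proxy check: the identity presented by the
    client certificate must be a known user AND a member of the Node Group.
    The comparison is an exact string match."""
    return identity in LDAP_USERS and identity in LDAP_GROUPS.get(NODE_GROUP, set())


def check_node(cert_identity, pattern=None, value=None, transform="NONE"):
    """Map the certificate identity as NiFi would, then run the proxy check."""
    identity = map_identity(cert_identity, pattern, value, transform)
    status = "trusted proxy" if is_trusted_proxy(identity) else "Untrusted proxy"
    return f"{status} {identity}"


if __name__ == "__main__":
    # Without a mapping the exact-match check fails, reproducing the error...
    print(check_node(CERT_IDENTITY))
    # ...even though both strings name the same LDAP entry.
    print(same_entry(CERT_IDENTITY, "cn=mig1.amexio.ch,ou=users,ou=nifi,dc=amexio,dc=ch"))
    # With the mapping the identity matches the LDAP identity exactly.
    print(check_node(CERT_IDENTITY, MAPPING_PATTERN, MAPPING_VALUE))
```

The point of the model is that the refusal is the authorizer doing its job: a client certificate whose identity is not a member of the Node Group must not be allowed to proxy other users' requests, so the fix is to make the identity derived from the certificate equal, as a string, to the identity the user group provider returns (here by mapping the certificate DN into the LDAP spelling), not to weaken the check. The same comparison explains why each node's certificate must also be trusted by the other nodes' truststores before the identity is even considered.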
