nifi-dev mailing list archives

From Andy LoPresto <alopresto.apa...@gmail.com>
Subject Re: NiFi Registry over HTTPS
Date Sat, 03 Nov 2018 02:57:21 GMT

Adam,

This probably isn’t easily accomplished. You might be able to deploy with an “accept all”
truststore so that any certificate is accepted, and provide a keystore that doesn’t have
a private key to try and satisfy the properties loading without actually enabling HTTPS security
on NiFi and the authentication mechanisms therein. I haven’t tried this, as we haven’t
seen this request before. 

If that doesn’t work, we might need to do some more exploration. I don’t think we would
want to enable HTTPS without authentication as a normal use case, as some users would probably
configure this accidentally and have a false sense of security. 

Andy LoPresto
alopresto@apache.org
alopresto.apache@gmail.com
PGP Fingerprint: 70EC B3E5 98A6 5A3F D3C4  BACE 3C6E F65B 2F7D EF69

> On Nov 3, 2018, at 10:24, Martini, Adam <Adam.Martini@nike.com> wrote:
> 
> Hello all,
> 
> We have NiFi Registry 0.2.0 spun up with an nginx proxy and SSL termination such that
> our service is being served over https without using NiFi’s built-in security configurations.
> 
> We are able to add the registry service to NiFi using our HTTPS endpoint and everything
> works perfectly.  However, we see errors when we restart NiFi:
> 
> org.apache.nifi.controller.serialization.FlowSynchronizationException: java.lang.IllegalStateException:
> Failed to create Flow Registry for URI https://nifi-registry.test.streams.nikecloud.com/ because
> this NiFi is not configured with a Keystore/Truststore, so it is not capable of communicating
> with a secure Registry. Please populate NiFi's Keystore/Truststore properties or connect to
> a NiFi Registry over http instead of https.
> 
> Is there a workaround that will allow us to use this nginx proxy architecture with NiFi
> Registry? HTTPS is historically an important requirement for us but we do not need, or desire,
> the complexity of NiFi’s built-in security.
> 
> Thanks,
> 
> Adam Martini
> 
> Senior Software Engineer
> Nike Digital
> Adam.Martini@nike.com