nifi-users mailing list archives

From Pierre Villard <pierre.villard...@gmail.com>
Subject Re: Nifi Cluster & LDAP
Date Fri, 09 Nov 2018 10:55:14 GMT
I believe that in your access policy provider, you need to change
<property name="User Group Provider">ldap-user-group-provider</property>
with
<property name="User Group Provider">composite-configurable-user-group-provider</property>

So that you have both the File and LDAP providers.

Be sure to remove
/home/faureciarun/nifi-data/configuration-resources/users.xml on all nodes
before restarting because once it's been generated with the initial
users/identities, it's not updated on next restarts.

Pierre
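As an added pre-flight check, not code from this thread or from NiFi itself, the script below parses an authorizers.xml and reports which Node Identity values the file access policy provider could not resolve through the user group provider it names, which is exactly the "Unable to locate node ... to seed policies" failure; running it before a restart avoids generating a users.xml that then has to be deleted on every node. It assumes the stock NiFi 1.x provider class and property names shown, and the embedded authorizers.xml is a constructed sample reproducing the misconfiguration (the fix is to point the access policy provider at the composite provider).

```python
import xml.etree.ElementTree as ET
# Constructed authorizers.xml with the mistake from the thread: the access policy
# provider names only the LDAP provider, so node identities that exist only in the
# file provider cannot be located when NiFi seeds the node policies at startup.
SAMPLE_AUTHORIZERS = """<authorizers>
  <userGroupProvider>
    <identifier>file-user-group-provider</identifier>
    <class>org.apache.nifi.authorization.FileUserGroupProvider</class>
    <property name="Initial User Identity 1">CN=par01prdedge1.fqdn, OU=NIFI</property>
    <property name="Initial User Identity 2">CN=par01prdedge2.fqdn, OU=NIFI</property>
  </userGroupProvider>
  <userGroupProvider>
    <identifier>ldap-user-group-provider</identifier>
    <class>org.apache.nifi.ldap.tenants.LdapUserGroupProvider</class>
  </userGroupProvider>
  <userGroupProvider>
    <identifier>composite-configurable-user-group-provider</identifier>
    <class>org.apache.nifi.authorization.CompositeConfigurableUserGroupProvider</class>
    <property name="Configurable User Group Provider">file-user-group-provider</property>
    <property name="User Group Provider 1">ldap-user-group-provider</property>
  </userGroupProvider>
  <accessPolicyProvider>
    <identifier>file-access-policy-provider</identifier>
    <property name="User Group Provider">ldap-user-group-provider</property>
    <property name="Node Identity 1">CN=par01prdedge1.fqdn, OU=NIFI</property>
    <property name="Node Identity 2">CN=par01prdedge2.fqdn, OU=NIFI</property>
  </accessPolicyProvider>
</authorizers>"""

def _props(elem, prefix):  # non-empty <property> values whose name starts with prefix
    return [p.text.strip() for p in elem.findall("property")
            if p.get("name", "").startswith(prefix) and p.text and p.text.strip()]

def static_identities(providers, provider_id):
    # Identities resolvable from config alone; LDAP contributes none (users known only at runtime).
    ugp = providers[provider_id]
    cls = ugp.findtext("class", "")
    if cls.endswith("FileUserGroupProvider"):
        return set(_props(ugp, "Initial User Identity"))
    if cls.endswith(("CompositeConfigurableUserGroupProvider", "CompositeUserGroupProvider")):
        children = _props(ugp, "Configurable User Group Provider") + _props(ugp, "User Group Provider")
        return set().union(*(static_identities(providers, c) for c in children))
    return set()

def missing_node_identities(xml_text):
    root = ET.fromstring(xml_text)
    providers = {u.findtext("identifier"): u for u in root.findall("userGroupProvider")}
    app = root.find("accessPolicyProvider")
    known = static_identities(providers, _props(app, "User Group Provider")[0])
    return [n for n in _props(app, "Node Identity") if n not in known]
```

An empty list means every Node Identity is backed by the file provider (directly or via the composite), which is the state the restart needs before users.xml is generated.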

On Fri, 9 Nov 2018 at 11:42, DEHAY Aurelien <aurelien.dehay@faurecia.com> wrote:

> Hello Pierre.
>
> https://gist.github.com/zorel/3655188026b0355c8860030932884fa9
>
> I've tried to comment out edge2 and 3, but now I get the error for edge1,
> which is the node I'm trying to launch.
>
> Aurélien DEHAY
> Big Data Architect
> +33 616 815 441
> aurelien.dehay@faurecia.com
> 23/27 avenue des Champs Pierreux
> 92735 Nanterre Cedex – France
>
> *From:* Pierre Villard [mailto:pierre.villard.fr@gmail.com]
> *Sent:* Friday, 9 November 2018 11:34
> *To:* users@nifi.apache.org
> *Subject:* Re: Nifi Cluster & LDAP
>
> Hi Aurélien,
>
> Based on the error, I'm pretty sure it's located in the authorizers.xml
> file. Do you mind sharing it (after removing anything sensitive)?
>
> No need to add the nodes in the LDAP and it's definitely not related to
> keystores.
>
> Pierre
>
> On Fri, 9 Nov 2018 at 11:30, DEHAY Aurelien <aurelien.dehay@faurecia.com>
> wrote:
>
> Hello.
>
> I'm struggling to configure the very first node of my 3-node nifi 1.8.0
> cluster.
>
> I've used the toolkit to create the jks:
> bin/tls-toolkit.sh standalone -n 'par01prdedge[1-3].fqdn' -C
> "CN=admin,OU=nifi" -c "par01prdedge1" -d 3650 -o ~/nifi-data/toolkit -O
>
> I then have 3 directories, each with a keystore (with Owner:
> CN=par01prdedge1.fqdn), a truststore and nifi.properties.
> I've double-checked spaces and upper case in the DN, and it's ok everywhere.
>
> Configured the login provider to use the ldap configuration (which is working
> on another nifi instance).
> Configured authorizers.xml to use:
> - An ldap group provider
> - A file user group provider with initial user identities for the 3 nodes
> of the cluster
> - A composite user group provider to use the 2 previous user group
> providers
> - A file access policy with the 3 node identities and the initial admin identity
>
> I don't have ldap entries for my nodes, and I get the following error when
> I run the server on edge1.
> Caused by:
> org.apache.nifi.authorization.exception.AuthorizerCreationException: Unable
> to locate node CN=par01prdedge2.fqdn, OU=NIFI to seed policies.
>         at
> org.apache.nifi.authorization.FileAccessPolicyProvider.populateNodes(FileAccessPolicyProvider.java:639)
>
> It seems to correctly find its own identity, but not the identity of the other
> nodes.
>
> I wonder how nifi locates node identities. Do I have to create an entry for
> the nodes in the LDAP? I'd like to avoid it. Do I have to "merge" the jks
> of the 3 nodes?
>
> I wonder if I should use the tls-toolkit in server mode?
>
> I've read the blog posts from
>
> https://pierrevillard.com/2016/11/29/apache-nifi-1-1-0-secured-cluster-setup/
>
> https://bryanbende.com/development/2018/10/23/apache-nifi-secure-cluster-setup
> (but this one does not document how to create the jks)
> with no luck, and still wonder where the problem is.
>
> Thanks for any pointer.
>
>
> Aurélien
>
> Aurélien DEHAY
> Big Data Architect
> +33 616 815 441
> aurelien.dehay@faurecia.com
>
> 23/27 avenue des Champs Pierreux
> 92735 Nanterre Cedex - France
>
>
>
> This electronic transmission (and any attachments thereto) is intended
> solely for the use of the addressee(s). It may contain confidential or
> legally privileged information. If you are not the intended recipient of
> this message, you must delete it immediately and notify the sender. Any
> unauthorized use or disclosure of this message is strictly prohibited.
> Faurecia does not guarantee the integrity of this transmission and shall
> therefore never be liable if the message is altered or falsified nor for
> any virus, interception or damage to your system.
>
