nifi-users mailing list archives

From DEHAY Aurelien <aurelien.de...@faurecia.com>
Subject Nifi Cluster & LDAP
Date Fri, 09 Nov 2018 10:30:19 GMT
Hello.

I'm struggling to configure the very first node of my 3-node NiFi 1.8.0 cluster.

I've used the toolkit to create the jks:
bin/tls-toolkit.sh standalone -n 'par01prdedge[1-3].fqdn' -C "CN=admin,OU=nifi" -c "par01prdedge1" -d 3650 -o ~/nifi-data/toolkit -O

I then have 3 directories, each with a keystore (with Owner: CN=par01prdedge1.fqdn), a truststore
and nifi.properties.
I've double-checked spaces & uppercase in the DN, and it's OK everywhere.

Configured the login provider to use the LDAP configuration (which is working on another NiFi instance).
Configured authorizers.xml to use:
- An LDAP group provider
- A file user group provider with initial user identities for the 3 nodes of the cluster
- A composite user group provider to use the 2 previous user group providers
- A file access policy with the 3 node identities and the initial admin identity

I don't have LDAP entries for my nodes, and I get the following error when I run the server
on edge1.
Caused by: org.apache.nifi.authorization.exception.AuthorizerCreationException: Unable to
locate node CN=par01prdedge2.fqdn, OU=NIFI to seed policies.
        at org.apache.nifi.authorization.FileAccessPolicyProvider.populateNodes(FileAccessPolicyProvider.java:639)

It seems to correctly find its own identity, but not the identities of the other nodes.

I wonder how NiFi locates node identities. Do I have to create an entry for the nodes in the
LDAP? I'd like to avoid it. Do I have to "merge" the jks of the 3 nodes?

I wonder if I should use the tls-toolkit in server mode?

I've read blog posts from
https://pierrevillard.com/2016/11/29/apache-nifi-1-1-0-secured-cluster-setup/
https://bryanbende.com/development/2018/10/23/apache-nifi-secure-cluster-setup (but this one
does not document how to create the jks)
with no luck; I still wonder where the problem is.

Thanks for any pointer.


Aurélien

Aurélien DEHAY
Big Data Architect
+33 616 815 441
aurelien.dehay@faurecia.com 

23/27 avenue des Champs Pierreux
92735 Nanterre Cedex - France
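An added consistency check, not code from the post or from NiFi: it parses an authorizers.xml and verifies that every Node Identity and the Initial Admin Identity of the file access policy provider is seeded verbatim by an Initial User Identity of the file user group provider, which is what the "Unable to locate node ... to seed policies" error is complaining about. Entries that match only after ignoring case and whitespace are reported as near-misses, since the comparison NiFi performs is an exact string match; the sample authorizers.xml is constructed and the identities are modelled on the ones in the post.

```python
import re
import xml.etree.ElementTree as ET

# Constructed authorizers.xml excerpt (not from the post): node 2 differs only in the case
# of OU, node 3 only in a missing space, the mismatch class that makes NiFi fail to locate a node.
SAMPLE_AUTHORIZERS_XML = """<authorizers>
  <userGroupProvider>
    <property name="Initial User Identity 1">CN=admin, OU=nifi</property>
    <property name="Initial User Identity 2">CN=par01prdedge1.fqdn, OU=NIFI</property>
    <property name="Initial User Identity 3">CN=par01prdedge2.fqdn, OU=NIFI</property>
    <property name="Initial User Identity 4">CN=par01prdedge3.fqdn, OU=NIFI</property>
  </userGroupProvider>
  <accessPolicyProvider>
    <property name="Initial Admin Identity">CN=admin, OU=nifi</property>
    <property name="Node Identity 1">CN=par01prdedge1.fqdn, OU=NIFI</property>
    <property name="Node Identity 2">CN=par01prdedge2.fqdn, OU=nifi</property>
    <property name="Node Identity 3">CN=par01prdedge3.fqdn,OU=NIFI</property>
  </accessPolicyProvider>
</authorizers>"""

def _props(root, tag, prefix):
    """(name, value) of every <property> under <tag> whose name starts with prefix."""
    return [(p.get("name"), p.text or "")
            for elem in root.iter(tag)
            for p in elem.findall("property")
            if p.get("name", "").startswith(prefix)]

def normalize(dn):
    """Loose form used only to spot near-misses: lowercase, whitespace removed."""
    return re.sub(r"\s+", "", dn).lower()

def check_identities(xml_text):
    """Return {property name: diagnosis} for each access-policy-provider identity
    that the user group provider does not seed verbatim (exact string comparison)."""
    root = ET.fromstring(xml_text)
    seeded = {v for _, v in _props(root, "userGroupProvider", "Initial User Identity")}
    loose = {normalize(v): v for v in seeded}
    required = (_props(root, "accessPolicyProvider", "Node Identity")
                + _props(root, "accessPolicyProvider", "Initial Admin Identity"))
    findings = {}
    for name, ident in required:
        if ident not in seeded:
            near = loose.get(normalize(ident))
            findings[name] = f"near-miss, seeded as {near!r}" if near else "missing"
    return findings

if __name__ == "__main__":
    for name, why in check_identities(SAMPLE_AUTHORIZERS_XML).items():
        print(f"{name}: {why}")
```

Note that the file user group provider only applies its Initial User Identity entries when users.xml is first created, so an identity that passes this check can still be absent from a users.xml left over from an earlier start.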