nifi-users mailing list archives

From Chad Woodhead <chadwoodh...@gmail.com>
Subject Re: Setting zookeeper.sasl.client=false
Date Mon, 05 Aug 2019 19:00:15 GMT
Bryan,

I don’t have anything set for nifi.zookeeper.auth.type, so then by default the Z-Nodes
aren’t created with SASL and therefore have ACL open to everyone. I agree, in my cluster
setting zookeeper.sasl.client=false won’t affect my current setup and flows. Wanted to make
sure I wasn’t breaking anything and also understood correctly that if I needed to one day
connect to Z-Nodes that do have SASL, I would then impact the flows that connect to Z-Nodes
without SASL.

I have a feeling you are correct (haven’t had time to test either) that if nifi.zookeeper.auth.type=sasl
and zookeeper.sasl.client=false, NiFi would fail to read its own Z-Nodes.

-Chad

> On Aug 2, 2019, at 2:57 PM, Bryan Bende <bbende@gmail.com> wrote:
> 
> Chad,
> 
> I was looking into something related to this recently and I think your
> description is accurate. Unfortunately ZooKeeper client relies heavily
> on system properties which isn't great for talking to a bunch of
> different systems like NiFi.
> 
> One thing I would be curious about, what value do you have in
> nifi.properties for nifi.zookeeper.auth.type= ?
> 
> If it is not set, or is set to default, then the Z-Nodes created by
> NiFi would not be created with SASL and would have an ACL open to
> everyone, so then setting zookeeper.sasl.client=false probably doesn't
> impact anything with your NiFi cluster.
> 
> If nifi.zookeeper.auth.type=sasl then I wonder if you set
> zookeeper.sasl.client=false, would your NiFi cluster fail to read its
> own Z-Nodes on next restart?
> 
> I've been wanting to try this for a while, but haven't had time.
> 
> -Bryan
> 
> On Fri, Aug 2, 2019 at 3:09 PM Chad Woodhead <chadwoodhead@gmail.com> wrote:
>> 
>> I’m building a flow that uses ExecuteSQL to query data from Phoenix on top of a
>> Kerberized Ambari Metrics’ HBase (it hits the AMS Zookeeper). I ran into issues and the
>> logs showed NiFi (also kerberized) was getting auth failed when connecting to ZNode.
>> 
>> To confirm I had all my proper AMS conf files and phoenix jars, I tried tweaking
>> the DBCP and customizing the phoenix-client.jar for this specific Hbase (using many links
>> online of people doing this same thing), but unfortunately didn’t resolve the Znode error.
>> 
>> I realized that by default AMS does not create the Znode on Zookeeper secure with
>> SASL, and by default NiFi has zookeeper.sasl.client=true causing NiFi to use SASL for zookeeper
>> client connections. So I tested setting ‘java.arg.X=-Dzookeeper.sasl.client=false’ in
>> my bootstrap.conf file and finally NiFi was able to successfully connect and query the data.
>> 
>> I don’t have much experience with SASL and Znodes, so I wanted to know if there
>> are any issues I can run into by setting it to false? Or even just going against security
>> recommendations?
>> 
>> Am I understanding it correctly that if zookeeper.sasl.client=true then NiFi can
>> ONLY connect to Znodes that use SASL, and if zookeeper.sasl.client=false then NiFi can ONLY
>> connect to Znodes that do not use SASL?
>> 
>> Any help would be appreciated!
>> 
>> Thanks,
>> Chad
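The combination the thread worries about (nifi.zookeeper.auth.type=sasl together with a -Dzookeeper.sasl.client=false java.arg in bootstrap.conf) can be caught before a restart with a small config audit. The script below is an added example, not NiFi code or anything posted in the thread; the config fragments and the hostname in them are constructed, and the risk wording follows the thread's reasoning rather than any tested NiFi behaviour.

```python
import re

# Constructed sample config fragments (not from a real deployment).
NIFI_PROPERTIES = """\
nifi.zookeeper.connect.string=zk1.example.internal:2181
nifi.zookeeper.auth.type=sasl
"""
BOOTSTRAP_CONF = """\
java=java
java.arg.1=-Dorg.apache.jasper.compiler.disablejsr199=true
java.arg.2=-Xms512m
java.arg.20=-Dzookeeper.sasl.client=false
"""


def parse_properties(text):
    """Parse key=value lines; skip blanks and '#' comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def system_properties(bootstrap):
    """Collect the -Dkey=value JVM flags set via java.arg.* entries."""
    sysprops = {}
    for key, value in parse_properties(bootstrap).items():
        m = re.fullmatch(r"-D([^=]+)=(.*)", value)
        if key.startswith("java.arg.") and m:
            sysprops[m.group(1)] = m.group(2)
    return sysprops


def check_zk_sasl(nifi_props, bootstrap):
    """Flag the auth.type / sasl.client combinations discussed in the thread."""
    auth_type = parse_properties(nifi_props).get("nifi.zookeeper.auth.type", "default").lower()
    sasl_client = system_properties(bootstrap).get("zookeeper.sasl.client", "true").lower()
    if auth_type == "sasl" and sasl_client == "false":
        return "risk: NiFi Z-Nodes are SASL-protected but the ZooKeeper client will not authenticate"
    if sasl_client == "false":
        return "info: NiFi Z-Nodes use an open ACL; only SASL-protected Z-Nodes elsewhere are affected"
    return "ok: ZooKeeper SASL client enabled"


if __name__ == "__main__":
    print(check_zk_sasl(NIFI_PROPERTIES, BOOTSTRAP_CONF))
```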

