nifi-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Bryan Bende <bbe...@gmail.com>
Subject Re: site-to-site configuration
Date Thu, 23 Feb 2017 17:50:08 GMT
Hi Mark,

There are two policies needed for secure site-to-site...

In the global policies there needs to be a policy for "retrieve
site-to-site details" with the user of the server added.

In the policies for the port (from the palette on the left when the
port is selected) there needs to be a policy for "receive data via
site-to-site" with user of the server added.

Thanks,

Bryan

On Thu, Feb 23, 2017 at 12:34 PM, Mark Bean <mark.o.bean@gmail.com> wrote:
> I am attempting to setup secure site-to-site using NiFi 1.1.1. I have
> secured NiFi, and am able to access the UI securely via HTTPS. I have set
> the following security-related properties:
>
> nifi.sensitive.props.key=<key-value>
> nifi.sensitive.props.key.protected=
> nifi.sensitive.props.algorithm=PBEWITHMD5AND256BITAES-CBC-OPENSSL
> nifi.sensitive.props.provider=BC
> nifi.sensitive.props.aditional.keys=
>
> nifi.security.keystore=<keystore-file>
> nifi.security.keystoreType=JKS
> nifi.security.keystorePasswd=<password>
> nifi.security.keyPasswd=<password>
> nifi.security.truststore=<truststore-file>
> nifi.security.truststoreType=JKS
> nifi.security.trsustorePasswd=<password>
> nifi.security.needClientAuth=true
> nifi.security.user.authorizer=file-provider
> nifi.security.user.login.identity.provider=
>
> I also set the site-to-site properties:
> nifi.remote.input.host=<host-fqdn>
> nifi.remote.input.secure=true
> nifi.remote.input.socket.port=<port, different from https UI port>
> nifi.remote.input.http.enabled=true
> nifi.remote.input.http.tansaction.ttl=30 sec
>
> The authorizers.xml has been setup to import the legacy
> authorized-users.xml. And, this correctly populated the users.xml to
> include the remote server for the site-to-site. It also added users to the
> authorizations.xml file to include the user (i.e.server ) with site-to-site
> resource (both R and W).
>
> Despite this setup, the Input Port on the UI does not show an Access
> Control tab as in NiFi 0.x. I am not sure how to authorize the remote
> server such that the Input Port will be displayed in the remote server's
> Remote Process Group's list of ports.
>
> Have I missed a step in the security and/or user authentication setup?
>
> Thanks,
> Mark

Mime
View raw message