nifi-dev mailing list archives

From nifi-san <nairsande...@gmail.com>
Subject Nifi Site-to-Site pre-existing deployments do not work after enabling TLS and Ldap
Date Mon, 24 Jul 2017 10:46:56 GMT
Hello Team,

We have two environments of Nifi, one which is a standalone and the other
which is a cluster.

I have upgraded the Nifi (standalone as well as cluster) in our non-prod
environment from 1.1.1 to 1.3.0, implemented TLS and also integrated with LDAP.

I followed the process mentioned in the documentation and in fact had a
complete parallel setup for Nifi-1.3.0 with its own repositories and
configuration.

In other words, the high level steps followed were:-

Installed Nifi-1.3.0 on a different path.
Installed toolkit and generated all the certificates.
Made all the necessary changes in the nifi.properties files on the
Nifi-1.3.0 cluster for SSL.
Stopped the old cluster and copied over the repositories and the
authorizers.xml file. Added the Initial DN and the Initial Identity to the
authorizers.xml file.
Started the new Nifi-1.3.0 cluster and logged in using the Initial Admin and
created the users specific to each of the node DNs.
Imported the client certificate onto the browser and logged into the UI.
Made the necessary configuration to include LDAP integration. Created all the
users in LDAP within Nifi (since there is no way to sync LDAP and Nifi user
list).


Post this, I was able to log in to the UI of Nifi using the username and
password and get the authentication/authorization done through Nifi
successfully.

I tried doing a new site-to-site deployment which worked successfully.
Source :- GetFile -> (Using IP1) -> RPG
Destination :- Input Port (IP1) -> PutFile

For this to work, I ensured that all the users were added to the policy
"Retrieve Site-to-Site" on the destination node. Also, enabled "Receive
Site-to-Site" policy on the Input Port on the destination IP1.

However, when I take a look at the previously present Site-to-Site
deployments that existed prior to TLS and LDAP, I see that the input ports
do not show the policy "Receive Site-to-Site" as it is grayed out.

We are in the process of performing this in production and have the below
concerns:-

1) What will happen to the Site-to-Site deployments that existed prior to
securing the cluster and integration with LDAP? We do not have any user
authentication on the cluster in Prod right now. For site-to-site deployment
to work, we need to enable the policy on the input port "Receive
Site-to-Site". Will the pre-existing site-to-site deployment start failing?

2) How can we get the pre-existing site-to-site deployment to work as I can
see that the policy "Receive Site-to-Site" deployment is grayed out?

Appreciate any inputs!




--
View this message in context: http://apache-nifi-developer-list.39713.n7.nabble.com/Nifi-Site-to-Site-pre-existing-deployments-do-not-work-after-enabling-TLS-and-Ldap-tp16486.html
Sent from the Apache NiFi Developer List mailing list archive at Nabble.com.
