NiFi Authorization Configuration

Authorization via certificates

Download nifi-toolkit

nifi-toolkit-1.6.0-bin.tar.gz

Generating the certificate files and configuring them

Start the certificate authority (CA) service

root@machine001:
${toolkit_installed_dir}/bin/tls-toolkit.sh server -c machine001 -t myTokenToUseToPreventMITM -p 9999
# server   run this process as the certificate authority (CA)
# -c       hostname of the CA (this host)
# -t       shared token; every client certificate request must present the same token
# -p       port the CA listens on, which the clients connect to

The token is the only thing that authorizes a signing request: anyone who knows it can obtain a certificate from this CA for any DN they ask for, and with nifi.security.needClientAuth=true such a certificate authenticates its holder to the cluster as that DN. Replace the placeholder with a long random value, distribute it only over a trusted channel, and stop the CA process once the node and client certificates have been issued.

You can use the following command line options with the tls-toolkit in server mode:

  • -a,--keyAlgorithm <arg> Algorithm to use for generated keys (default: RSA)
  • -c,--certificateAuthorityHostname <arg> Hostname of NiFi Certificate Authority (default: localhost)
  • --configJsonIn <arg> The place to read configuration info from (defaults to the value of configJson), implies useConfigJson if set (default: configJson value)
  • -d,--days <arg> Number of days issued certificate should be valid for (default: 1095)
  • -D,--dn <arg> The dn to use for the CA certificate (default: CN=YOUR_CA_HOSTNAME,OU=NIFI)
  • -f,--configJson <arg> The place to write configuration info (default: config.json)
  • -F,--useConfigJson Flag specifying that all configuration is read from configJson to facilitate automated use (otherwise configJson will only be written to)
  • -g,--differentKeyAndKeystorePasswords Use different generated password for the key and the keystore
  • -h,--help Print help and exit
  • -k,--keySize <arg> Number of bits for generated keys (default: 2048)
  • -p,--PORT <arg> The port for the Certificate Authority to listen on (default: 8443)
  • -s,--signingAlgorithm <arg> Algorithm to use for signing certificates (default: SHA256WITHRSA)
  • -T,--keyStoreType <arg> The type of keystores to generate (default: jks)
  • -t,--token <arg> The token to use to prevent MITM (required and must be same as one used by clients)

Generate the node certificates for each cluster node and configure them

The following is run on each NiFi cluster node:

root@machine001/2/3:
${toolkit_installed_dir}/bin/tls-toolkit.sh client -c machine001 -t myTokenToUseToPreventMITM -p 9999
# client   run this process as a certificate-request client
# -c       hostname of the CA started above
# -t       token; must be identical to the one the server was started with
# -p       port the CA service listens on

Without -D the client requests a certificate for the local hostname, so each node ends up with the DN CN=<hostname>,OU=NIFI; that is the identity entered later as Node Identity N in authorizers.xml.

Files generated on each node:

config.json
keystore.jks
nifi-cert.pem
truststore.jks
# copy keystore.jks and truststore.jks to ${NIFI_HOME}/conf/

config.json records the keystore, key and truststore passwords and the CA token in plaintext. NiFi does not read it at runtime (the passwords are entered into nifi.properties below), so keep it out of a shared conf/ directory or at least restrict it to the NiFi user. nifi-cert.pem is the CA's public certificate; it is what a browser or other client needs in order to trust the nodes.

Adjust the NiFi configuration on each node (${NIFI_HOME}/conf/nifi.properties)

# updated
nifi.cluster.protocol.is.secure=true
nifi.cluster.is.node=true
# machine002 / machine003 on the other nodes
nifi.cluster.node.address=machine001
nifi.cluster.node.protocol.port=9998
# machine002 / machine003 on the other nodes
nifi.remote.input.host=machine001
# updated
nifi.remote.input.secure=true
nifi.remote.input.socket.port=9997
# updated; machine002 / machine003 on the other nodes.
# nifi.web.http.host and nifi.web.http.port must be left empty once https is configured
nifi.web.https.host=machine001
nifi.web.https.port=9443
# Certificate settings: the keystore.jks / truststore.jks copied above, with the passwords recorded in that node's config.json
nifi.security.keystore=/opt/nifi-1.6.0/conf/keystore.jks
nifi.security.keystoreType=jks
nifi.security.keystorePasswd=68Hm1lfA1QAX2q3xK+CM+PYTqby5hXeIWDra+ReBQwM
nifi.security.keyPasswd=68Hm1lfA1QAX2q3xK+CM+PYTqby5hXeIWDra+ReBQwM
nifi.security.truststore=/opt/nifi-1.6.0/conf/truststore.jks
nifi.security.truststoreType=jks
nifi.security.truststorePasswd=r9gZJ6/v0ro3SyWeQ7AdD0bYu4Y7vPjL2A8UkRoIODQ
nifi.security.needClientAuth=true

The passwords shown are the values from one generated config.json and differ on every node and every run; the key password equals the keystore password because the toolkit was run without -g. The hostnames must match the CN of each node's certificate exactly: a stray trailing space after machine001 is enough to stop the node from starting.

Client (browser) access authorization

root@machine001/2/3:
${toolkit_installed_dir}/bin/tls-toolkit.sh client -c machine001 -t myTokenToUseToPreventMITM -p 9999 -D "CN=pvillard,OU=NIFI" -T PKCS12
# client   run this process as a certificate-request client (run it once, on any one node)
# -c       hostname of the CA (machine001 in this setup)
# -t       token; must be identical to the one the server was started with
# -p       port the CA service listens on
# -D "CN=pvillard,OU=NIFI"   DN of the user certificate. This DN becomes the initial admin below. Watch the log output when the certificate is generated and use the DN exactly as it is printed there (NiFi writes it as "CN=pvillard, OU=NIFI", with a space after the comma)!
# -T PKCS12   keystore type; a PKCS12 file can be imported into a browser

This command produces the following files:

keystore.pkcs12 #the user certificate and private key, to be imported into the browser
config.json #contains the password required when importing the certificate
nifi-cert.pem
truststore.jks

Configure the cluster authorizer file

The authorization configuration file is ${NIFI_HOME}/conf/authorizers.xml; the relevant authorizer entry is:

<authorizer>
    <identifier>file-provider</identifier>
    <class>org.apache.nifi.authorization.FileAuthorizer</class>
    <property name="Authorizations File">./conf/authorizations.xml</property>
    <property name="Users File">./conf/users.xml</property>
    <property name="Initial Admin Identity">CN=pvillard, OU=NIFI</property>
    <property name="Legacy Authorized Users File"/>
    <property name="Node Identity 1">CN=machine001, OU=NIFI</property>
    <property name="Node Identity 2">CN=machine002, OU=NIFI</property>
    <property name="Node Identity 3">CN=machine003, OU=NIFI</property>
</authorizer>

If users.xml and authorizations.xml already exist, the file-provider does nothing with these settings: Initial Admin Identity and Node Identity N are only used to seed the two files the first time NiFi starts. To apply a changed authorizers.xml, stop NiFi, remove or rename those two files, and restart; the authorizer will rebuild them from the current configuration. This also discards every user and policy that was created later through the UI, so back the two files up first.

Restart the service

/opt/nifi-1.6.0/bin/nifi.sh restart && tail -f /opt/nifi-1.6.0/logs/nifi-app.log #restart and follow the log
tail -f /opt/nifi-1.6.0/logs/nifi-user.log
tail -f /opt/nifi-1.6.0/logs/nifi-app.log
tail -f /opt/nifi-1.6.0/logs/nifi-bootstrap.log
netstat -nltp |grep 9443  #confirm the HTTPS port is listening

Client login

Import the certificate into the browser

Chrome --> Settings --> Advanced --> Manage certificates --> Import ...

keystore.pkcs12 #the user certificate, to be imported into the browser
config.json #contains the password required when importing the certificate
nifi-cert.pem #the CA certificate; import it as a trusted authority as well, otherwise the browser will warn about the node certificates
truststore.jks

Access the cluster to verify the certificate

Open: https://machine001:9443/nifi/

The admin DN is shown in the top-left corner, and the Global menu now includes the user and policy management functions.

Notes:

Problem

Scenario

The cluster does not start, or the web page reports an application exception.

Solution

Check the startup log for WARN-level entries. Most of the time the cause is a configuration error that is not visible at a glance, for example an extra space after machine001 in a host setting.
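The mistakes described in this solution and in the nifi.properties section above can be caught before a restart. As an added example (not from the original post or from Apache NiFi), the following Python script parses a node's nifi.properties, flags any value with leading or trailing whitespace such as the extra space after machine001, confirms the plaintext http host/port are cleared when https is configured, and confirms the secure-cluster flags and keystore/truststore settings are present and name a single host. The embedded nifi.properties sample is constructed for the demonstration, with placeholder passwords and two deliberate mistakes; the property names are the ones configured on this page.

```python
"""Static checks for a NiFi node's nifi.properties before a secure-cluster restart.

Added example; not part of the original post or of Apache NiFi. Standard library only.
"""

# Constructed sample nifi.properties for one node, with placeholder passwords
# and two deliberate mistakes: a trailing space after the https host and the
# plaintext http port left set.
SAMPLE_PROPERTIES = "\n".join([
    "nifi.web.http.host=",
    "nifi.web.http.port=8080",
    "nifi.web.https.host=machine001 ",
    "nifi.web.https.port=9443",
    "nifi.cluster.protocol.is.secure=true",
    "nifi.cluster.is.node=true",
    "nifi.cluster.node.address=machine001",
    "nifi.cluster.node.protocol.port=9998",
    "nifi.remote.input.host=machine001",
    "nifi.remote.input.secure=true",
    "nifi.remote.input.socket.port=9997",
    "nifi.security.keystore=/opt/nifi-1.6.0/conf/keystore.jks",
    "nifi.security.keystoreType=jks",
    "nifi.security.keystorePasswd=placeholder-keystore-password",
    "nifi.security.keyPasswd=placeholder-keystore-password",
    "nifi.security.truststore=/opt/nifi-1.6.0/conf/truststore.jks",
    "nifi.security.truststoreType=jks",
    "nifi.security.truststorePasswd=placeholder-truststore-password",
    "nifi.security.needClientAuth=true",
]) + "\n"

MUST_BE_TRUE = (
    "nifi.cluster.protocol.is.secure",
    "nifi.cluster.is.node",
    "nifi.remote.input.secure",
    "nifi.security.needClientAuth",
)
MUST_BE_SET = (
    "nifi.web.https.host",
    "nifi.web.https.port",
    "nifi.security.keystore",
    "nifi.security.keystorePasswd",
    "nifi.security.keyPasswd",
    "nifi.security.truststore",
    "nifi.security.truststorePasswd",
)
MUST_BE_EMPTY = ("nifi.web.http.host", "nifi.web.http.port")
HOST_KEYS = ("nifi.web.https.host", "nifi.cluster.node.address", "nifi.remote.input.host")


def parse_properties(text):
    """Parse key=value lines into a dict.

    Values are kept verbatim (not stripped) so that the trailing-space mistake
    is visible to the checker, just as it is to NiFi.
    """
    props = {}
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value
    return props


def check_secure_cluster(props):
    """Return a list of (property, problem) pairs; an empty list means all checks pass."""
    problems = []
    # The invisible mistake: whitespace inside a value.
    for key, value in props.items():
        if value != value.strip():
            problems.append((key, "value has leading or trailing whitespace: %r" % value))
    # An HTTPS-only node must have the plaintext listener cleared.
    for key in MUST_BE_EMPTY:
        if props.get(key, "").strip():
            problems.append((key, "must be empty on an HTTPS-only node"))
    for key in MUST_BE_TRUE:
        if props.get(key, "").strip().lower() != "true":
            problems.append((key, "must be true for a secure cluster node"))
    for key in MUST_BE_SET:
        if not props.get(key, "").strip():
            problems.append((key, "must be set"))
    # All three host settings should name the same host, the one in the certificate CN.
    hosts = {props.get(key, "").strip() for key in HOST_KEYS}
    if len(hosts) > 1:
        problems.append(("nifi.*.host",
                         "https host, cluster address and remote input host differ: %s" % sorted(hosts)))
    return problems


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PROPERTIES
    for key, problem in check_secure_cluster(parse_properties(text)) or [("-", "all checks passed")]:
        print("%-40s %s" % (key, problem))
```

Run it as `python check_nifi_props.py /opt/nifi-1.6.0/conf/nifi.properties` on each node before restarting. An empty result only means these settings are internally consistent; the script cannot tell whether the hostname really matches the CN in keystore.jks, which still has to be checked against the toolkit's output.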

Problem:

Scenario

Opening the NiFi page shows: Unknown user with identity 'admin'. Contact the system administrator.

Reference (from the Apache NiFi mail archives)

The log is telling you that authentication for your login user "admin" was successful; however, the authorization for that user was not.

There is nothing that stands out to me in your basic authorizers.xml file configuration. So my thought here is that this is not the original configuration of the authorizers.xml file.
The file-provider is used to initially generate the users.xml and authorizations.xml files. Once these files exist they will not be re-generated or modified if you later make changes to this configuration xml. Basically if the users.xml and authorizations.xml files already exist, the file-provider will do nothing.

I suggest taking a look at what is currently in your users.xml and authorizations.xml files. My guess here is that you will find that a user entry does not exist for "admin" in the users.xml file.

If you remove or rename these two files and restart your NiFi instance, the authorization will build new versions of these files based on the current configuration in your authorizers.xml file.

Thank you,
Matt

Problem:

Scenario

The page shows: No applicable policies could be found. Contact the system administrator.

nifi-user.log output:

2018-08-20 16:13:51,791 INFO [NiFi Web Server-19] o.a.n.w.a.c.IllegalStateExceptionMapper java.lang.IllegalStateException: Kerberos ticket login not supported by this NiFi.. Returning Conflict response.
2018-08-20 16:13:51,944 INFO [NiFi Web Server-18] o.a.n.w.a.c.IllegalStateExceptionMapper java.lang.IllegalStateException: OpenId Connect is not configured.. Returning Conflict response.
2018-08-20 16:13:52,009 INFO [NiFi Web Server-24] o.a.n.w.s.NiFiAuthenticationFilter Attempting request for (CN=CZ, OU=NiFi) GET https://machine001:9443/nifi-api/flow/current-user (source ip: 124.79.116.93)
2018-08-20 16:13:52,010 INFO [NiFi Web Server-24] o.a.n.w.s.NiFiAuthenticationFilter Authentication success for CN=CZ, OU=NiFi
2018-08-20 16:13:52,012 INFO [NiFi Web Server-24] o.a.n.w.a.c.AccessDeniedExceptionMapper identity[CN=CZ, OU=NiFi], groups[] does not have permission to access the requested resource. No applicable policies could be found. Returning Forbidden response.

Reference (from the Apache NiFi mail archives)

The problem is a whitespace issue...
If you look at your log you can see "CN=BrowserClient, OU=GUI, O="Test Inc "" with a space before the OU.
If you look at the Initial Admin and users.xml there is no space "CN=Browser Client,OU=GUI,O="Test Inc " so it's not lining up.
You can fix this by stopping NiFi, updating authorizers.xml so the Initial Admin has the exact value from the logs, and then deleting users.xml and authorizations.xml, and restart.
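Both replies come down to the same rule: NiFi compares identities as exact strings, so the value in authorizers.xml must be byte-for-byte the DN that NiFiAuthenticationFilter logs. As an added example (not from the original post or from Apache NiFi), the following Python script reads the Initial Admin Identity and Node Identity N properties from authorizers.xml, pulls the authenticated DNs out of nifi-user.log lines in the format shown above, and classifies each DN as an exact match, a match only after normalizing whitespace around the commas (the failure in this thread), or unknown. The authorizers.xml and the log lines are constructed samples; the whitespace normalization is only a diagnostic aid, since by default (without nifi.security.identity.mapping.* rules) NiFi performs no such normalization.

```python
"""Compare identities in authorizers.xml with the DNs NiFi logs after TLS authentication.

Added example; not part of the original post or of Apache NiFi. Standard library only.
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample authorizers.xml in the shape used on this page. The
# Initial Admin Identity deliberately lacks the space after the comma.
AUTHORIZERS_XML = """<authorizers>
  <authorizer>
    <identifier>file-provider</identifier>
    <class>org.apache.nifi.authorization.FileAuthorizer</class>
    <property name="Authorizations File">./conf/authorizations.xml</property>
    <property name="Users File">./conf/users.xml</property>
    <property name="Initial Admin Identity">CN=pvillard,OU=NIFI</property>
    <property name="Legacy Authorized Users File"/>
    <property name="Node Identity 1">CN=machine001, OU=NIFI</property>
    <property name="Node Identity 2">CN=machine002, OU=NIFI</property>
  </authorizer>
</authorizers>
"""

# Constructed nifi-user.log lines in the format shown on this page.
USER_LOG = "\n".join([
    "2018-08-20 16:13:52,010 INFO [NiFi Web Server-24] o.a.n.w.s.NiFiAuthenticationFilter Authentication success for CN=pvillard, OU=NIFI",
    "2018-08-20 16:13:53,100 INFO [NiFi Web Server-25] o.a.n.w.s.NiFiAuthenticationFilter Authentication success for CN=machine001, OU=NIFI",
    "2018-08-20 16:13:54,200 INFO [NiFi Web Server-26] o.a.n.w.s.NiFiAuthenticationFilter Authentication success for CN=CZ, OU=NiFi",
]) + "\n"

AUTH_SUCCESS = re.compile(r"NiFiAuthenticationFilter Authentication success for (.+?)\s*$")


def configured_identities(xml_text):
    """Return {property name: identity} for Initial Admin Identity and every Node Identity N."""
    root = ET.fromstring(xml_text)
    identities = {}
    for prop in root.iter("property"):
        name = prop.get("name", "")
        if name == "Initial Admin Identity" or name.startswith("Node Identity"):
            identities[name] = prop.text or ""
    return identities


def logged_identities(log_text):
    """Return the DNs, in log order, from 'Authentication success for <DN>' lines."""
    found = []
    for line in log_text.splitlines():
        match = AUTH_SUCCESS.search(line)
        if match:
            found.append(match.group(1))
    return found


def normalize_dn(dn):
    """Strip whitespace around the comma-separated RDNs.

    Diagnostic only: NiFi does not do this, which is exactly why the mismatch occurs.
    """
    return ",".join(part.strip() for part in dn.split(","))


def match_identities(xml_text, log_text):
    """Map each logged DN to ('ok' | 'whitespace-mismatch' | 'unknown', property name or None)."""
    configured = configured_identities(xml_text)
    report = {}
    for dn in logged_identities(log_text):
        exact = [name for name, value in configured.items() if value == dn]
        loose = [name for name, value in configured.items()
                 if normalize_dn(value) == normalize_dn(dn)]
        if exact:
            report[dn] = ("ok", exact[0])
        elif loose:
            report[dn] = ("whitespace-mismatch", loose[0])
        else:
            report[dn] = ("unknown", None)
    return report


if __name__ == "__main__":
    for dn, (status, prop) in match_identities(AUTHORIZERS_XML, USER_LOG).items():
        print("%-28s %-20s %s" % (dn, status, prop or ""))
```

When a DN comes back as whitespace-mismatch, apply the fix from the reply above: stop NiFi, paste the logged value into Initial Admin Identity, delete users.xml and authorizations.xml, and restart. The same exactness applies to the Node Identity entries: a node whose certificate DN does not match its entry is treated as an untrusted proxy when requests are replicated across the cluster.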

Reference links:

Apache NiFi authorization and user authentication (for understanding the certificate configuration flow only; that post covers standalone mode)
Apache NiFi 1.1.0 – Secured cluster setup (uses the nifi-toolkit server/client mode to generate certificates; the cluster configuration is somewhat tedious but practical)

Apache Mail Archives (user mailing list; several threads covering various authorization modes)
