NiFi 授权配置

NiFi 授权配置

通过证书授权

下载nifi-toolkit

nifi-toolkit-1.6.0-bin.tar.gz

证书文件生成及其配置

启动授权中心服务

root@machine001:
${toolkit_installed_dir}/bin/tls-toolkit.sh server -c machine001 -t myTokenToUseToPreventMITM -p 9999
# server 制定此进程为授权服务
# -c 制定授权中心地址
# -t 证书token指令,后面客户端生成证书请求中需要用到该token
# -p 制定授权中心所在端口，供客户端调用

You can use the following command line options with the tls-toolkit in server mode:

• -a,--keyAlgorithm Algorithm to use for generated keys (default: RSA)
• --configJsonIn The place to read configuration info from (defaults to the value of configJson), implies useConfigJson if set (default: configJson value)
• -d,--days Number of days issued certificate should be valid for (default: 1095)
• -D,--dn The dn to use for the CA certificate (default: CN=YOUR_CA_HOSTNAME,OU=NIFI)
• -f,--configJson The place to write configuration info (default: config.json)
• -F,--useConfigJson Flag specifying that all configuration is read from configJson to facilitate automated use (otherwise configJson will only be written to)
• -g,--differentKeyAndKeystorePasswords Use different generated password for the key and the keystore
• -h,--help Print help and exit
• -k,--keySize Number of bits for generated keys (default: 2048)
• -p,--PORT The port for the Certificate Authority to listen on (default: 8443)
• -s,--signingAlgorithm Algorithm to use for signing certificates (default: SHA256WITHRSA)
• -T,--keyStoreType The type of keystores to generate (default: jks)
• -t,--token The token to use to prevent MITM (required and must be same as one used by clients)

生成集群各节点授权证书及其配置

以下为NiFi集群各节点授权

root@machine001/2/3:
${toolkit_installed_dir}/bin/tls-toolkit.sh client -c machine001 -t myTokenToUseToPreventMITM -p 9999
# client 制定此进程为授权请求客户端
# -c 制定授权中心地址
# -t 证书token指令,确保与前面服务器启动的token一致
# -p 制定授权中心服务所在端口

各节点生成的证书相关文件有：

config.json
keystore.jks
nifi-cert.pem
truststore.jks
#将文件拷贝到${NIFI_HOME}/conf/

调整各节点NiFi配置

set nifi.cluster.protocol.is.secure=true  #更新
set nifi.cluster.is.node=true   #更新
set nifi.cluster.node.address=machine001
#set nifi.cluster.node.address=machine002
#set nifi.cluster.node.address=machine003
set nifi.cluster.node.protocol.port=9998
set nifi.remote.input.host=machine001
#set nifi.remote.input.host=machine002
#set nifi.remote.input.host=machine003
set nifi.remote.input.secure=true   #更新
set nifi.remote.input.socket.port=9997  #更新
set nifi.web.https.host=machine001  #更新(http配置的host和port需要屏蔽)
#set nifi.web.https.host=machine002
#set nifi.web.https.host=machine003
set nifi.web.https.port=9443    #更新

# 以下为证书文件相关配置（keystore.jks、truststore.jks、config.json中提供的密钥信息）
nifi.security.keystore=/opt/nifi-1.6.0/conf/keystore.jks
nifi.security.keystoreType=jks
nifi.security.keystorePasswd=68Hm1lfA1QAX2q3xK+CM+PYTqby5hXeIWDra+ReBQwM
nifi.security.keyPasswd=68Hm1lfA1QAX2q3xK+CM+PYTqby5hXeIWDra+ReBQwM
nifi.security.truststore=/opt/nifi-1.6.0/conf/truststore.jks
nifi.security.truststoreType=jks
nifi.security.truststorePasswd=r9gZJ6/v0ro3SyWeQ7AdD0bYu4Y7vPjL2A8UkRoIODQ
nifi.security.needClientAuth=true

客户端访问授权

root@machine001/2/3:
${toolkit_installed_dir}/bin/tls-toolkit.sh client -c node-3 -t myTokenToUseToPreventMITM -p 9999 -D "CN=pvillard,OU=NIFI" -T PKCS12
# client 指定此进程为授权请求客户端
# -c 制定授权中心地址
# -t 证书token指令,确保与前面服务器启动的token一致
# -p 制定授权中心服务所在端口
# -D "CN=pvillard,OU=NIFI" 注：此DN后面用作超级用户，注意生成证书时的日志，以证书生成日志中的格式为准！
# -T PKCS12 制定证书类型，用于导入浏览器

以上指令将生成以下文件：

keystore.pkcs12 #证书文件，可导入浏览器
config.json #提供导入证书文件时需要的密码
nifi-cert.pem
truststore.jks

配置集群授权文件

权限配置文件为： ${NIFI_HOME}/conf/authorizers.xml

 
    file-provider
    org.apache.nifi.authorization.FileAuthorizer
    ./conf/authorizations.xml
    ./conf/users.xml
    CN=pvillard, OU=NIFI
    
    CN=machine001, OU=NIFI
    CN=machine002, OU=NIFI
    CN=machine003, OU=NIFI 

Basically if the users.xml and authorizations.xml** files already exist, the file-provider will do nothing. If you remove or rename these two files and restart your NiFi instance, the authorization will build new versions of these files based on the current configuration in your authorizers.xml file.

重启服务

/opt/nifi-1.6.0/bin/nifi.sh restart && tail -f /opt/nifi-1.6.0/logs/nifi-app.log #重启服务查看日志
tail -f /opt/nifi-1.6.0/logs/nifi-user.log 
tail -f /opt/nifi-1.6.0/logs/nifi-app.log
tail -f /opt/nifi-1.6.0/logs/nifi-bootstrap.log
netstat -nltp |grep 9443

客户端登陆

浏览器导入证书文件

Chrom --> 设置 --> 高级 --> 管理证书 --> 导入 。。。

keystore.pkcs12 #证书文件，可导入浏览器
config.json #提供导入证书文件时需要的密码
nifi-cert.pem
truststore.jks

访问集群验证证书有效性

访问：https://machine001:9443/nifi/

左上角可以看到超级用户DN，Global菜单中增加了用户及权限设置相关功能；

注意事项：

问题

场景

集群启动不了，或者访问页面提示applicant异常

解决办法

查看启动日志，查看Warn级别输出记录，大多数时候是配置有无，比如配置host时machine001多了各空格，有没法直接看出来等。

问题：

场景

访问NiFi页面时， 提示Unknown user with identity 'admin'. Contact the system administrator.

参考

The log is telling you that authentication for your login user "admin" was successful; however, the authorization for that user was not.
-
There is nothing that stands out to me in your basic authorizers.xml file configuration. So my thought here is that this is not the original configuration of the authorizers.xml file.
The file-provider is used to initially generate the users.xml and authorizations.xml files. Once these files exist they will not be re-generated or modified if you later make changes to this configuration xml. Basically if the users.xml and authorizations.xml** files already exist, the file-provider will do nothing.

-
I suggest taking a look at what is currently in your users.xml and authorizations.xml files. My guess here is that you will find that a user entry does not exist for "admin" in the users.xml file.
-
If you remove or rename these two files and restart your NiFi instance, the authorization will build new versions of these files based on the current configuration in your authorizers.xml file.
-
Thank you,
Matt

问题：

场景

页面报错： No applicable policies could be found. Contact the system administrator.

user.log日志信息：

2018-08-20 16:13:51,791 INFO [NiFi Web Server-19] o.a.n.w.a.c.IllegalStateExceptionMapper java.lang.IllegalStateException: Kerberos ticket login not supported by this NiFi.. Returning Conflict response.
2018-08-20 16:13:51,944 INFO [NiFi Web Server-18] o.a.n.w.a.c.IllegalStateExceptionMapper java.lang.IllegalStateException: OpenId Connect is not configured.. Returning Conflict response.
2018-08-20 16:13:52,009 INFO [NiFi Web Server-24] o.a.n.w.s.NiFiAuthenticationFilter Attempting request for (CN=CZ, OU=NiFi) GET https://machine001:9443/nifi-api/flow/current-user (source ip: 124.79.116.93)
2018-08-20 16:13:52,010 INFO [NiFi Web Server-24] o.a.n.w.s.NiFiAuthenticationFilter Authentication success for CN=CZ, OU=NiFi
2018-08-20 16:13:52,012 INFO [NiFi Web Server-24] o.a.n.w.a.c.AccessDeniedExceptionMapper identity[CN=CZ, OU=NiFi], groups[] does not have permission to access the requested resource. No applicable policies could be found. Returning Forbidden response.

参考

The problem is a whitespace issue...
If you look at your log you can see "CN=BrowserClient, OU=GUI, O="Test Inc "" with a space before the OU.
If you look at the Initial Admin and users.xml there is no space "CN=Browser Client,OU=GUI,O="Test Inc " so its not lining up.
You can fix this by stopping NiFi, updating authorizers.xml so the Initial Admin has the exact value from the logs,** and then deleting users.xml and authorizations.xml, and restart.

参考链接:

Apache-NiFi授权与用户认证(仅作参考理解证书配置流程，该博文为standalone模式)
Apache NiFi 1.1.0 – Secured cluster setup(使用nifi-toolkit工具的Server/Client模式生成证书，集群配置较为繁琐，但是实用)

Apache Mail Archives(用户邮件，提供多个连接处理，多种授权模式)