
Nifi fast authentication configuration

2022-06-24 21:02:00 Messenger Xiaolin

Once NiFi's secure access mode is turned on, a request must pass two layers of authentication before it is served: the first layer is identity authentication (who you are), the second is authority authentication (what you are allowed to do).


1. Turn on secure access mode

Put simply, this means accessing NiFi over HTTPS (the SSL/TLS protocol).

1.1 Download and install toolkit

The official site provides a toolkit that quickly generates the required certificates and configuration and saves the tedious manual steps.

1.1.1 download

Address: https://nifi.apache.org/download.html
This article uses nifi-toolkit-1.11.3-bin.tar.gz [42 MB] (asc, sha256, sha512) as the example.

1.1.2 Move

Move the installation package to the target machine with a file transfer tool or the SCP command.

1.1.3 Decompress

CMD: tar -zxvf <package name>

1.2 Generate the files

Enter the toolkit main directory and run the following command:

# One output directory is generated per hostname given to -n, so passing both the domain name and the IP address produces two directories. Each contains Keystore.jks, Truststore.jks and nifi.properties; the only difference is the host value inside nifi.properties, which is the domain name in one and the IP in the other. Use just one of them, preferably the domain-name directory, so that the IP is not exposed.

./bin/tls-toolkit.sh standalone -n '<domain name>,<IP address>' -O -S '<keystore password>' -P '<truststore password>' -c '<hostname of the NiFi Certificate Authority (default: localhost)>'

# -n takes a comma-separated list of hostnames; if you only want the domain-name directory you can leave out the IP address. -O overwrites any existing output, -S sets the keystore password, -P sets the truststore password and -c sets the hostname of the certificate authority.

NOTE: If you are setting up a cluster, authentication is required on every node as well; generate the certificates on one machine and then migrate them to the others.

1.3 Move the file to the appropriate location

Move the Keystore.jks, Truststore.jks and nifi.properties you just generated into NiFi's ./conf directory. (Note: if ./conf already contains a nifi.properties, decide whether to keep it. If you keep it, you must add the security settings to that nifi.properties yourself; it is recommended not to keep it and to overwrite it directly, then adjust the other settings in nifi.properties, such as the cluster configuration, to your own needs.)

Copy CMD: cp <path before the move> <path after the move>

2. Identity Authentication

Many services can provide identity authentication; here LDAP is used as the example.

2.1 Edit nifi.properties

Edit CMD: vi nifi.properties

# Blank by default; set it to the identifier of the LDAP provider configured in the next step
nifi.security.user.login.identity.provider=ldap-provider

2.2 Edit ./conf/login-identity-providers.xml

In the NiFi main directory, edit CMD: vi ./conf/login-identity-providers.xml

    <provider>
        <identifier>ldap-provider</identifier>
        <class>org.apache.nifi.ldap.LdapProvider</class>
        <property name="Authentication Strategy">SIMPLE</property>
        <!-- DN of the account NiFi binds with to search LDAP -->
        <property name="Manager DN">actual DN, for example CN=Users,OU=abc,DC=example,DC=com</property>
        <property name="Manager Password">real password</property>
        <property name="Url">ldap://actual IP:PORT</property>

        <!-- Base DN for searching for users (i.e. CN=Users,DC=example,DC=com). -->
        <property name="User Search Base">for example OU=abc,DC=example,DC=com</property>

        <!-- Filter for searching for users against the User Search Base (i.e. sAMAccountName={0}). The user-specified name is inserted into '{0}'. -->
        <property name="User Search Filter">sAMAccountName={0}</property>
        <property name="User Object Class">person</property>
        <property name="Identity Strategy">USE_USERNAME</property>
        <property name="Authentication Expiration">12 hours</property>
    </provider>

2.3 Check whether identity authentication is configured correctly

2.3.1 Start NiFi
In the NiFi main directory, start NiFi with CMD: ./bin/nifi.sh start

2.3.2 Open the NiFi UI
a. In a browser, open https://<the IP configured earlier>:<the nifi.web.https.port value from nifi.properties>/nifi, for example
https://10.123.123.12:1234/nifi

b. On the login page that appears, enter your LDAP account and password
c. When the main canvas appears, identity authentication has passed

Next, configure permission authentication

3. Permission authentication

After enabling identity authentication, you must configure who can access the system and what level of access they have. Authority authentication is made up of a UserGroupProvider and an AccessPolicyProvider.

3.1 UserGroupProvider

3.1.1 Authorized users are managed inside a provider. The available providers are LdapUserGroupProvider and FileUserGroupProvider; here the default FileUserGroupProvider is used.

3.1.2 authorizers.xml manages these providers. In the NiFi main directory, edit authorizers.xml with CMD: vi ./conf/authorizers.xml

    <userGroupProvider>
        <identifier>file-user-group-provider</identifier>
        <class>org.apache.nifi.authorization.FileUserGroupProvider</class>
        <property name="Users File">./conf/users.xml</property>
        <property name="Legacy Authorized Users File"></property>
        <!-- The identity of users and systems to seed the Users File -->
        <property name="Initial User Identity 1">the DN that passed identity authentication earlier, such as cn=Kobayashi,ou=Brick handling personnel,dc=Brick moving company,dc=com</property>
        <!-- Several initial users can be added here, in the form Initial User Identity 1, 2, 3, 4 ... n, as follows -->
        <property name="Initial User Identity 2">same form as above, but a different DN</property>
    </userGroupProvider>

3.2 AccessPolicyProvider

3.2.1 The AccessPolicyProvider manages the different types of permissions of the users; the default AccessPolicyProvider is FileAccessPolicyProvider.

3.2.2 authorizers.xml also manages this provider. In the NiFi main directory, edit authorizers.xml with CMD: vi ./conf/authorizers.xml

    <accessPolicyProvider>
        <identifier>file-access-policy-provider</identifier>
        <class>org.apache.nifi.authorization.FileAccessPolicyProvider</class>
        <property name="User Group Provider">file-user-group-provider</property>
        <property name="Authorizations File">./conf/authorizations.xml</property>
        <!-- For the first login you need an administrator identity to enter NiFi; afterwards the permissions of other users can be set in the NiFi UI -->
        <property name="Initial Admin Identity">the DN that passed identity authentication earlier, such as cn=Kobayashi,ou=Brick handling personnel,dc=Brick moving company,dc=com</property>
        <property name="Legacy Authorized Users File"></property>
        <property name="Node Identity 1"></property>
    </accessPolicyProvider>

    <authorizer>
        <identifier>managed-authorizer</identifier>
        <class>org.apache.nifi.authorization.StandardManagedAuthorizer</class>
        <property name="Access Policy Provider">file-access-policy-provider</property>
    </authorizer>

Finally, point nifi.properties at this authorizer:

nifi.security.user.authorizer=managed-authorizer
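Added example (not code from the original post): this Python check parses the three files from sections 2.2, 3.1 and 3.2 and verifies the reference chain nifi.properties -> authorizer -> access policy provider -> user group provider, that the Initial Admin Identity is among the seeded Initial User Identity values, and that a DN-shaped admin identity is not combined with Identity Strategy USE_USERNAME (under which NiFi uses the login name, not the DN, as the identity). The inputs are constructed samples modelled on the post's snippets and deliberately reproduce the post's DN-plus-USE_USERNAME combination so that the check flags it.

```python
# Added example (not from the original post): cross-check the reference chain
# nifi.properties -> authorizers.xml -> login-identity-providers.xml on constructed samples.
import xml.etree.ElementTree as ET

NIFI_PROPERTIES = """nifi.security.user.login.identity.provider=ldap-provider
nifi.security.user.authorizer=managed-authorizer"""
LOGIN_PROVIDERS_XML = """<loginIdentityProviders><provider>
  <identifier>ldap-provider</identifier>
  <property name="Identity Strategy">USE_USERNAME</property>
</provider></loginIdentityProviders>"""
AUTHORIZERS_XML = """<authorizers>
  <userGroupProvider><identifier>file-user-group-provider</identifier>
    <property name="Initial User Identity 1">cn=kobayashi,ou=ops,dc=example,dc=com</property>
  </userGroupProvider>
  <accessPolicyProvider><identifier>file-access-policy-provider</identifier>
    <property name="User Group Provider">file-user-group-provider</property>
    <property name="Initial Admin Identity">cn=kobayashi,ou=ops,dc=example,dc=com</property>
  </accessPolicyProvider>
  <authorizer><identifier>managed-authorizer</identifier>
    <property name="Access Policy Provider">file-access-policy-provider</property>
  </authorizer></authorizers>"""
def _props(text):
    """Parse key=value lines of nifi.properties (comment lines skipped)."""
    return dict(l.split("=", 1) for l in text.splitlines() if "=" in l and not l.startswith("#"))
def _by_id(root, tag):
    """Map <identifier> -> {property name: value} for every <tag> element."""
    return {el.findtext("identifier"): {p.get("name"): (p.text or "").strip()
            for p in el.iter("property")} for el in root.iter(tag)}
def check_chain(props_text, login_xml, auth_xml):
    """Return a list of problems; an empty list means the chain is consistent."""
    props, problems = _props(props_text), []
    login = _by_id(ET.fromstring(login_xml), "provider")
    auth = ET.fromstring(auth_xml)
    lip = props.get("nifi.security.user.login.identity.provider")
    if lip not in login:
        problems.append(f"login identity provider '{lip}' is not defined")
    az = _by_id(auth, "authorizer").get(props.get("nifi.security.user.authorizer"))
    app = _by_id(auth, "accessPolicyProvider").get((az or {}).get("Access Policy Provider"))
    ugp = _by_id(auth, "userGroupProvider").get((app or {}).get("User Group Provider"))
    if az is None or app is None or ugp is None:
        return problems + ["authorizer -> access policy -> user group chain is broken"]
    admin = app.get("Initial Admin Identity", "")
    seeded = {v for k, v in ugp.items() if k.startswith("Initial User Identity")}
    if admin not in seeded:
        problems.append("Initial Admin Identity is not seeded as an Initial User Identity")
    # With USE_USERNAME, NiFi takes the login name (here sAMAccountName) as the
    # identity, so a DN-shaped Initial Admin Identity never matches a real login.
    if login.get(lip, {}).get("Identity Strategy") == "USE_USERNAME" and "=" in admin:
        problems.append("Identity Strategy is USE_USERNAME but Initial Admin Identity is a DN")
    return problems
```

Run check_chain on your real ./conf files before starting NiFi; a mismatch in this chain is the usual cause of a startup failure or an "insufficient permissions" page after a successful LDAP login.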

3.2.3 Open the NiFi UI

a. In a browser, open https://<the IP configured earlier>:<the nifi.web.https.port value from nifi.properties>/nifi, for example
https://10.123.123.12:1234/nifi

b. Log in as the administrator you just configured

c. When the main canvas is displayed, the configuration succeeded

d. The Users and Policies entries in the global menu are where other users and their authorizations are added

4. Encrypt passwords

The toolkit's encrypt-config.sh encrypts the sensitive values in nifi.properties and login-identity-providers.xml (for example the LDAP Manager Password) and writes the key needed to decrypt them into bootstrap.conf:

/opt/nifi-toolkit-1.x/bin/encrypt-config.sh -n /opt/nifi-1.xx/conf/nifi.properties -l /opt/nifi-1.xx/conf/login-identity-providers.xml -b /opt/nifi-1.xx/conf/bootstrap.conf

Original source

Copyright notice
This article was written by [Messenger Xiaolin]; please include the original link when reposting. Thanks.
https://yzsam.com/2022/02/202202211322518917.html