
NiFi (secure/authenticated mode) configuration and installation

1. Certificates

NiFi can only perform authorization and user authentication over an HTTPS connection, so a keystore certificate is needed first. Here we use nifi-toolkit, the certificate generation tool shipped alongside NiFi, to produce the required certificates. Note: the nifi-toolkit version must match the installed NiFi version.

nifi-toolkit download: https://www.apache.org/dyn/closer.lua?path=/nifi/1.12.1/nifi-toolkit-1.12.1-bin.tar.gz

Run the following command; it generates a target folder with the layout shown below:

./bin/tls-toolkit.sh standalone -n "localhost" -C "CN=user,OU=nifi" -o target
target/
├── CN=xx_OU=xx.p12
├── CN=xx_OU=xx.password
├── localhost
│   ├── keystore.jks
│   ├── nifi.properties
│   └── truststore.jks
├── nifi-cert.pem
└── nifi-key.key

2. Modify the configuration

  • Copy keystore.jks, nifi.properties and truststore.jks from the localhost folder into the nifi/conf directory.

  • Edit authorizers.xml

    <authorizer>
        <identifier>managed-authorizer</identifier>
        <class>org.apache.nifi.authorization.FileAuthorizer</class>
        <property name="Authorizations File">./conf/authorizations.xml</property>
        <property name="Users File">./conf/users.xml</property>
        <property name="Legacy Authorized Users File"></property>
        <property name="Initial User Identity">CN=user, OU=nifi</property>
    </authorizer>


    Here CN=user, OU=nifi is the identity passed to the nifi-toolkit command above (the -C argument).

  • Edit users.xml

    <tenants>
        <groups/>
        <users>
            <user identifier="94c8e1f5-aec4-3c99-8647-b61482c2ec0c" identity="CN=user, OU=nifi"/>
        </users>
    </tenants>

  • Edit authorizations.xml

    <authorizations>
        <policies>
            <policy identifier="f99bccd1-a30e-3e4a-98a2-dbc708edc67f" resource="/flow" action="R">
                <user identifier="94c8e1f5-aec4-3c99-8647-b61482c2ec0c"/>
            </policy>
            <policy identifier="bb8f03ca-de27-3f4a-9499-562a6c743fb0" resource="/data/process-groups/7b350728-016c-1000-8510-e66d31774eed" action="R">
                <user identifier="94c8e1f5-aec4-3c99-8647-b61482c2ec0c"/>
            </policy>
            <policy identifier="395c506d-1368-3989-b2f2-6ea7218eb46e" resource="/data/process-groups/7b350728-016c-1000-8510-e66d31774eed" action="W">
                <user identifier="94c8e1f5-aec4-3c99-8647-b61482c2ec0c"/>
            </policy>
            <policy identifier="ee1b66ee-7dac-3f09-8090-2b6803bd15c1" resource="/process-groups/7b350728-016c-1000-8510-e66d31774eed" action="R">
                <user identifier="94c8e1f5-aec4-3c99-8647-b61482c2ec0c"/>
            </policy>
            <policy identifier="033157d8-93bd-3eea-8660-e3764d1017a2" resource="/process-groups/7b350728-016c-1000-8510-e66d31774eed" action="W">
                <user identifier="94c8e1f5-aec4-3c99-8647-b61482c2ec0c"/>
            </policy>
            <policy identifier="b8775bd4-704a-34c6-987b-84f2daf7a515" resource="/restricted-components" action="W">
                <user identifier="94c8e1f5-aec4-3c99-8647-b61482c2ec0c"/>
            </policy>
            <policy identifier="627410be-1717-35b4-a06f-e9362b89e0b7" resource="/tenants" action="R">
                <user identifier="94c8e1f5-aec4-3c99-8647-b61482c2ec0c"/>
            </policy>
            <policy identifier="15e4e0bd-cb28-34fd-8587-f8d15162cba5" resource="/tenants" action="W">
                <user identifier="94c8e1f5-aec4-3c99-8647-b61482c2ec0c"/>
            </policy>
            <policy identifier="ff96062a-fa99-36dc-9942-0f6442ae7212" resource="/policies" action="R">
                <user identifier="94c8e1f5-aec4-3c99-8647-b61482c2ec0c"/>
            </policy>
            <policy identifier="ad99ea98-3af6-3561-ae27-5bf09e1d969d" resource="/policies" action="W">
                <user identifier="94c8e1f5-aec4-3c99-8647-b61482c2ec0c"/>
            </policy>
            <policy identifier="2e1015cb-0fed-3005-8e0d-722311f21a03" resource="/controller" action="R">
                <user identifier="94c8e1f5-aec4-3c99-8647-b61482c2ec0c"/>
            </policy>
            <policy identifier="c6322e6c-4cc1-3bcc-91b3-2ed2111674cf" resource="/controller" action="W">
                <user identifier="94c8e1f5-aec4-3c99-8647-b61482c2ec0c"/>
            </policy>
        </policies>
    </authorizations>
    

users.xml and authorizations.xml do not exist on the first run; when you then try to connect, the UI reports errors such as "policy does not exist" or "contact the administrator". Writing the contents above into the two files resolves this.
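Because the three files reference each other only by string (the Initial User Identity in authorizers.xml must match a `<user identity>` in users.xml, and every `<user identifier>` inside a policy must match a `<user identifier>` in users.xml), a single typo or a stale UUID leaves the client with a certificate that authenticates but a policy that grants nothing, which is the "policy does not exist / contact the administrator" symptom above. The following checker is an added example, not code from the post or from the NiFi project; it parses the three files with the standard library and reports dangling references and the effective grants per identity. The XML below is constructed inline to mirror the post's values (authorizers.xml is wrapped in its normal `<authorizers>` root), so it runs offline; the function names and the set of checks are this example's own choice.

```python
import xml.etree.ElementTree as ET

# Constructed sample input mirroring the post's three files (not read from disk).
AUTHORIZERS_XML = """<authorizers>
  <authorizer>
    <identifier>managed-authorizer</identifier>
    <class>org.apache.nifi.authorization.FileAuthorizer</class>
    <property name="Authorizations File">./conf/authorizations.xml</property>
    <property name="Users File">./conf/users.xml</property>
    <property name="Legacy Authorized Users File"></property>
    <property name="Initial User Identity">CN=user, OU=nifi</property>
  </authorizer>
</authorizers>"""

USERS_XML = """<tenants>
  <groups/>
  <users>
    <user identifier="94c8e1f5-aec4-3c99-8647-b61482c2ec0c" identity="CN=user, OU=nifi"/>
  </users>
</tenants>"""

AUTHORIZATIONS_XML = """<authorizations>
  <policies>
    <policy identifier="f99bccd1-a30e-3e4a-98a2-dbc708edc67f" resource="/flow" action="R">
      <user identifier="94c8e1f5-aec4-3c99-8647-b61482c2ec0c"/>
    </policy>
    <policy identifier="2e1015cb-0fed-3005-8e0d-722311f21a03" resource="/controller" action="R">
      <user identifier="94c8e1f5-aec4-3c99-8647-b61482c2ec0c"/>
    </policy>
    <policy identifier="c6322e6c-4cc1-3bcc-91b3-2ed2111674cf" resource="/controller" action="W">
      <user identifier="94c8e1f5-aec4-3c99-8647-b61482c2ec0c"/>
    </policy>
  </policies>
</authorizations>"""


def initial_user_identity(authorizers_xml):
    """Return the authorizer's Initial User Identity, or None if it is unset."""
    root = ET.fromstring(authorizers_xml)
    for prop in root.iter("property"):
        if prop.get("name") == "Initial User Identity":
            return (prop.text or "").strip()
    return None


def load_users(users_xml):
    """Map user identifier (UUID) -> identity (certificate DN) from users.xml."""
    root = ET.fromstring(users_xml)
    return {u.get("identifier"): u.get("identity") for u in root.iter("user")}


def load_policies(authorizations_xml):
    """Return (policy identifier, resource, action, [user identifiers]) per policy."""
    root = ET.fromstring(authorizations_xml)
    return [
        (p.get("identifier"), p.get("resource"), p.get("action"),
         [u.get("identifier") for u in p.findall("user")])
        for p in root.iter("policy")
    ]


def check_config(authorizers_xml, users_xml, authorizations_xml):
    """Cross-check the three files and return (problems, grants).

    problems: list of findings; an empty list means the references are consistent.
    grants:   identity -> sorted list of "ACTION resource" strings actually granted,
              so an identity that maps to an empty list cannot do anything in the UI.
    """
    problems = []
    users = load_users(users_xml)
    identities = set(users.values())

    # The identity NiFi derives from the client certificate must match exactly.
    initial = initial_user_identity(authorizers_xml)
    if not initial:
        problems.append("authorizers.xml: Initial User Identity is not set")
    elif initial not in identities:
        problems.append(f"authorizers.xml: Initial User Identity {initial!r} "
                        "has no matching <user identity> in users.xml")

    grants = {identity: set() for identity in identities}
    for pid, resource, action, members in load_policies(authorizations_xml):
        if action not in ("R", "W"):
            problems.append(f"policy {pid}: unexpected action {action!r}")
        if not members:
            problems.append(f"policy {pid} ({action} {resource}): grants nobody")
        for uid in members:
            if uid in users:
                grants[users[uid]].add(f"{action} {resource}")
            else:
                problems.append(f"policy {pid} ({action} {resource}): user identifier "
                                f"{uid} is not present in users.xml")

    return problems, {k: sorted(v) for k, v in grants.items()}


if __name__ == "__main__":
    found, granted = check_config(AUTHORIZERS_XML, USERS_XML, AUTHORIZATIONS_XML)
    for line in found or ["configuration is consistent"]:
        print(line)
    for identity, perms in granted.items():
        print(identity, "->", ", ".join(perms) or "(no permissions)")
```

To run it against a real installation, replace the three constants with the contents of nifi/conf/authorizers.xml, users.xml and authorizations.xml. The exact-string comparison is deliberate: the identity strings are what NiFi matches on, so a DN that differs only in spacing or case from the one in users.xml is reported as a problem rather than silently accepted.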

3. Install the certificate

On the client, import CN=xx_OU=xx.p12 as a certificate; the password is the content of the CN=xx_OU=xx.password file.

4. Start

Start in the background: ./bin/nifi.sh start

Start in the foreground: ./bin/nifi.sh run

Stop: ./bin/nifi.sh stop

Startup progress can be checked in the log files under the nifi/logs folder.

Open https://localhost:9443/nifi, select the client certificate when the browser prompts for one, and the NiFi page appears.

References: https://blog.csdn.net/Shaun_luotao/article/details/71940973

https://stackoverflow.com/questions/57447542/nifi-client-certificate-authorization-error

Posted 2021-04-16 14:39 by ayueC