NiFi LDAP Integration

NiFi does not enable user authentication or authorization by default, but in an enterprise multi-tenant isolation is indispensable. NiFi provides multi-tenant authentication and authorization and supports several external authentication methods: LDAP, Kerberos, OpenID and Knox. This article mainly describes integrating NiFi with OpenLDAP.

Configuring HTTPS

NiFi requires HTTPS before the user management features can be enabled, so the first step is to turn on HTTPS.

NiFi provides an official toolkit for creating the certificates. Download nifi-toolkit-1.8.0-bin.tar.gz from https://nifi.apache.org/download.html

$ pwd 
root

$ tar xf nifi-toolkit-1.8.0-bin.tar.gz

$ cd nifi-toolkit-1.8.0

$ ./bin/tls-toolkit.sh server -c streaming -t myTokenToUseToPreventMITM -p 9999

Open a new terminal window

$ pwd
root

$ cd nifi-toolkit-1.8.0
$ ./bin/tls-toolkit.sh client -c streaming -t myTokenToUseToPreventMITM -p 9999

tls-toolkit.sh: JAVA_HOME not set; results may vary
2019/01/07 08:16:11 INFO [main] org.apache.nifi.toolkit.tls.service.client.TlsCertificateAuthorityClient: Requesting new certificate from streaming:9999
2019/01/07 08:16:11 INFO [main] org.apache.nifi.toolkit.tls.service.client.TlsCertificateSigningRequestPerformer: Requesting certificate with dn CN=streaming,OU=NIFI from streaming:9999
2019/01/07 08:16:12 INFO [main] org.apache.nifi.toolkit.tls.service.client.TlsCertificateSigningRequestPerformer: Got certificate with dn CN=streaming, OU=NIFI

$ ls # config.json, keystore.jks, nifi-ca-keystore.jks, nifi-cert.pem, truststore.jks and other files have been generated
bin classpath conf config.json keystore.jks lib LICENSE nifi-ca-keystore.jks nifi-cert.pem NOTICE truststore.jks

$ mkdir /etc/nifi

$ cp keystore.jks truststore.jks /etc/nifi

$ cat config.json
{
  "days" : 1095,
  "keySize" : 2048,
  "keyPairAlgorithm" : "RSA",
  "signingAlgorithm" : "SHA256WITHRSA",
  "dn" : "CN=streaming,OU=NIFI",
  "domainAlternativeNames" : null,
  "keyStore" : "keystore.jks",
  "keyStoreType" : "jks",
  "keyStorePassword" : "Prku1XS7/DGpsnTMpgowSggkjv+j8U/ZifEjKp80/6o",
  "keyPassword" : "Prku1XS7/DGpsnTMpgowSggkjv+j8U/ZifEjKp80/6o",
  "token" : "myTokenToUseToPreventMITM",
  "caHostname" : "streaming",
  "port" : 9999,
  "dnPrefix" : "CN=",
  "dnSuffix" : ", OU=NIFI",
  "reorderDn" : true,
  "additionalCACertificate" : "",
  "trustStore" : "truststore.jks",
  "trustStorePassword" : "l1uiYCEY53iwUFnffRW+OkmzfZNwv7qgywG9Ih9ifhI",
  "trustStoreType" : "jks"
}


$ vi <nifi-config-directory>/nifi.properties # edit the following fields according to the values in config.json

nifi.remote.input.secure=true
nifi.remote.input.socket.port=9997
nifi.web.https.port=8443

nifi.security.keystore=/etc/nifi/keystore.jks
nifi.security.keystoreType=jks
nifi.security.keystorePasswd=Prku1XS7/DGpsnTMpgowSggkjv+j8U/ZifEjKp80/6o
nifi.security.keyPasswd=Prku1XS7/DGpsnTMpgowSggkjv+j8U/ZifEjKp80/6o
nifi.security.truststore=/etc/nifi/truststore.jks
nifi.security.truststoreType=jks
nifi.security.truststorePasswd=l1uiYCEY53iwUFnffRW+OkmzfZNwv7qgywG9Ih9ifhI
nifi.security.user.authorizer=managed-authorizer
nifi.security.ocsp.responder.url=
nifi.security.ocsp.responder.certificate=

Restart NiFi and HTTPS is in effect.
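The manual edit of nifi.properties above can be scripted so the keystore and truststore settings cannot drift from config.json. This is an added example, not code from the original post or from the NiFi toolkit; the config.json content is a constructed sample with placeholder passwords, and the /etc/nifi store directory follows the cp step above.

```python
import json

# Constructed sample in the shape config.json takes after `tls-toolkit.sh client`;
# the passwords are placeholders, not the values from the real file.
SAMPLE_CONFIG = """{
  "keyStore" : "keystore.jks", "keyStoreType" : "jks",
  "keyStorePassword" : "KEYSTORE_PW_PLACEHOLDER",
  "keyPassword" : "KEY_PW_PLACEHOLDER",
  "trustStore" : "truststore.jks", "trustStoreType" : "jks",
  "trustStorePassword" : "TRUSTSTORE_PW_PLACEHOLDER"
}"""

# config.json key -> nifi.properties key, the mapping the post applies by hand.
KEY_MAP = {
    "keyStoreType": "nifi.security.keystoreType",
    "keyStorePassword": "nifi.security.keystorePasswd",
    "keyPassword": "nifi.security.keyPasswd",
    "trustStoreType": "nifi.security.truststoreType",
    "trustStorePassword": "nifi.security.truststorePasswd",
}


def security_properties(config_text, store_dir="/etc/nifi", https_port="8443"):
    """Derive the nifi.properties settings for HTTPS from config.json."""
    cfg = json.loads(config_text)
    props = {
        # Paths point at the copies made with `cp ... /etc/nifi`, not the toolkit dir.
        "nifi.security.keystore": f"{store_dir}/{cfg['keyStore']}",
        "nifi.security.truststore": f"{store_dir}/{cfg['trustStore']}",
        "nifi.web.https.port": https_port,
        # NiFi serves either HTTP or HTTPS, never both, so blank the HTTP port.
        "nifi.web.http.port": "",
        "nifi.remote.input.secure": "true",
    }
    for src, dst in KEY_MAP.items():
        props[dst] = cfg[src]
    return props


def merge_properties(existing_text, new_props):
    """Rewrite matching keys in place and append any key not yet present."""
    out, seen = [], set()
    for line in existing_text.splitlines():
        is_setting = "=" in line and not line.lstrip().startswith("#")
        key = line.split("=", 1)[0].strip() if is_setting else None
        if key in new_props:
            out.append(f"{key}={new_props[key]}")
            seen.add(key)
        else:
            out.append(line)
    for key, value in new_props.items():
        if key not in seen:
            out.append(f"{key}={value}")
    return "\n".join(out) + "\n"
```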

Configuring LDAP Login

The NiFi property that points at the third-party authentication configuration file is nifi.login.identity.provider.configuration.file

By default it points to ./conf/login-identity-providers.xml

We only need to edit this file and fill in the LDAP connection parameters:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<loginIdentityProviders>
    <provider>
        <identifier>ldap-provider</identifier>
        <class>org.apache.nifi.ldap.LdapProvider</class>

        <property name="Authentication Strategy">SIMPLE</property>

        <property name="Manager DN">cn=admin,dc=example,dc=com,dc=cn</property>
        <property name="Manager Password">password</property>

        <property name="TLS - Keystore"></property>
        <property name="TLS - Keystore Password"></property>
        <property name="TLS - Keystore Type"></property>
        <property name="TLS - Truststore"></property>
        <property name="TLS - Truststore Password"></property>
        <property name="TLS - Truststore Type"></property>
        <property name="TLS - Client Auth"></property>
        <property name="TLS - Protocol"></property>
        <property name="TLS - Shutdown Gracefully"></property>

        <property name="Referral Strategy">FOLLOW</property>
        <property name="Connect Timeout">10 secs</property>
        <property name="Read Timeout">10 secs</property>

        <property name="Url">ldap://13.20.0.68</property>
        <property name="User Search Base">ou=People,dc=example,dc=com,dc=cn</property>
        <property name="User Search Filter">uid={0}</property>

        <property name="Identity Strategy">USE_USERNAME</property>
        <property name="Authentication Expiration">12 hours</property>
    </provider>
</loginIdentityProviders>

The NiFi configuration file (nifi.properties) also needs one change:

nifi.security.user.login.identity.provider must point to ldap-provider

nifi.security.user.login.identity.provider=ldap-provider

Authorization Configuration

After configuring NiFi LDAP login, we still have to configure who may access the system and with what permissions, so we also need to configure NiFi multi-tenant authorization.

The NiFi authorization configuration file is specified by nifi.authorizer.configuration.file

The default is nifi.authorizer.configuration.file=./conf/authorizers.xml

Besides the LDAP connection and query parameters, the setting <property name="Initial Admin Identity">linxi</property> is also important: it is the user that is granted administrator privileges by default.

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<authorizers>
    <userGroupProvider>
        <identifier>file-user-group-provider</identifier>
        <class>org.apache.nifi.authorization.FileUserGroupProvider</class>
        <property name="Users File">./conf/users.xml</property>
        <property name="Legacy Authorized Users File"></property>
        <property name="Initial User Identity 1"></property>
    </userGroupProvider>
    <userGroupProvider>
        <identifier>ldap-user-group-provider</identifier>
        <class>org.apache.nifi.ldap.tenants.LdapUserGroupProvider</class>
        <property name="Authentication Strategy">SIMPLE</property>

        <property name="Manager DN">cn=admin,dc=example,dc=com,dc=cn</property>
        <property name="Manager Password">passwd1Q</property>

        <property name="TLS - Keystore"></property>
        <property name="TLS - Keystore Password"></property>
        <property name="TLS - Keystore Type"></property>
        <property name="TLS - Truststore"></property>
        <property name="TLS - Truststore Password"></property>
        <property name="TLS - Truststore Type"></property>
        <property name="TLS - Client Auth"></property>
        <property name="TLS - Protocol"></property>
        <property name="TLS - Shutdown Gracefully"></property>

        <property name="Referral Strategy">FOLLOW</property>
        <property name="Connect Timeout">10 secs</property>
        <property name="Read Timeout">10 secs</property>

        <property name="Url">ldap://13.20.0.68</property>
        <property name="Page Size"></property>
        <property name="Sync Interval">30 mins</property>

        <property name="User Search Base">ou=People,dc=example,dc=com,dc=cn</property>
        <property name="User Object Class">posixAccount</property>
        <property name="User Search Scope">ONE_LEVEL</property>
        <property name="User Search Filter"></property>
        <property name="User Identity Attribute">cn</property>
        <property name="User Group Name Attribute">gidNumber</property>
        <property name="User Group Name Attribute - Referenced Group Attribute"></property>

        <property name="Group Search Base">ou=Groups,dc=example,dc=com,dc=cn</property>
        <property name="Group Object Class">posixGroup</property>
        <property name="Group Search Scope">ONE_LEVEL</property>
        <property name="Group Search Filter"></property>
        <property name="Group Name Attribute">cn</property>
        <property name="Group Member Attribute">memberUid</property>
        <property name="Group Member Attribute - Referenced User Attribute">uid</property>
    </userGroupProvider>
    <userGroupProvider>
        <identifier>composite-configurable-user-group-provider</identifier>
        <class>org.apache.nifi.authorization.CompositeConfigurableUserGroupProvider</class>
        <property name="Configurable User Group Provider">file-user-group-provider</property>
        <property name="User Group Provider 1">ldap-user-group-provider</property>
    </userGroupProvider>

    <accessPolicyProvider>
        <identifier>file-access-policy-provider</identifier>
        <class>org.apache.nifi.authorization.FileAccessPolicyProvider</class>
        <property name="User Group Provider">composite-configurable-user-group-provider</property>
        <property name="Authorizations File">./conf/authorizations.xml</property>
        <property name="Initial Admin Identity">linxi</property>
        <property name="Legacy Authorized Users File"></property>
        <property name="Node Identity 1"></property>
    </accessPolicyProvider>

    <authorizer>
        <identifier>managed-authorizer</identifier>
        <class>org.apache.nifi.authorization.StandardManagedAuthorizer</class>
        <property name="Access Policy Provider">file-access-policy-provider</property>
    </authorizer>
</authorizers>
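Before restarting, it is worth checking that the identifiers in login-identity-providers.xml and authorizers.xml actually resolve (nifi.security.user.login.identity.provider and nifi.security.user.authorizer must name an existing element, and every "... Provider" property must name another element), that Initial Admin Identity is non-empty, and which providers still bind over plain ldap://. The checker below is an added example, not NiFi code; both files share the identifier/property element shape, and the embedded authorizers.xml is a constructed, abbreviated fixture with a placeholder LDAP host.

```python
import xml.etree.ElementTree as ET

# Constructed, abbreviated authorizers.xml that keeps the post's provider chain;
# it is a test fixture, not the real file.
SAMPLE_AUTHORIZERS = """<authorizers>
  <userGroupProvider><identifier>file-user-group-provider</identifier>
    <property name="Users File">./conf/users.xml</property></userGroupProvider>
  <userGroupProvider><identifier>ldap-user-group-provider</identifier>
    <property name="Authentication Strategy">SIMPLE</property>
    <property name="Url">ldap://ldap.example.invalid</property></userGroupProvider>
  <userGroupProvider><identifier>composite-configurable-user-group-provider</identifier>
    <property name="Configurable User Group Provider">file-user-group-provider</property>
    <property name="User Group Provider 1">ldap-user-group-provider</property></userGroupProvider>
  <accessPolicyProvider><identifier>file-access-policy-provider</identifier>
    <property name="User Group Provider">composite-configurable-user-group-provider</property>
    <property name="Initial Admin Identity">linxi</property></accessPolicyProvider>
  <authorizer><identifier>managed-authorizer</identifier>
    <property name="Access Policy Provider">file-access-policy-provider</property></authorizer>
</authorizers>"""


def load_providers(xml_text):
    """Map identifier -> {property name: value} for each element of an
    authorizers.xml or login-identity-providers.xml document (same shape)."""
    root = ET.fromstring(xml_text)
    return {el.findtext("identifier"): {p.get("name"): (p.text or "").strip()
                                         for p in el.findall("property")}
            for el in root}


def check_providers(xml_text, required_id, setting):
    """Return findings (empty list = chain resolves); `setting` is the
    nifi.properties key whose value is required_id, used only in messages."""
    prov = load_providers(xml_text)
    findings = []
    if required_id not in prov:
        findings.append(f"{setting} points at unknown identifier '{required_id}'")
    for ident, props in prov.items():
        for name, value in props.items():
            # Every "... Provider" property must name another element's identifier.
            is_ref = name.endswith("Provider") or name.startswith("User Group Provider ")
            if is_ref and value not in prov:
                findings.append(f"{ident}: '{name}' references unknown '{value}'")
            if name == "Url" and value.lower().startswith("ldap://"):
                findings.append(f"{ident}: ldap:// URL, bind password and lookups go over cleartext")
    admins = [p["Initial Admin Identity"] for p in prov.values() if "Initial Admin Identity" in p]
    if admins and not any(admins):
        findings.append("'Initial Admin Identity' is empty: nobody can manage policies after first start")
    return findings
```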

Testing

After restarting NiFi, log in as our administrator user.

The Users option is now visible.

Opening it shows all users and groups.

User permissions can be managed through Policies.
