NiFi Installation - tobyseo/open GitHub Wiki

  1. Install HDP with Ambari (including Knox) and click Start Demo LDAP

  2. Issue the certificates at www.tinycert.org

  3. Download the certificates
  • CA: download as-is
  • demo: download as PKCS12 (cert.pfx), then rename it to cert-browser.pfx
  • server: download as PKCS12 (cert.pfx)
  4. Register the certificate (?)
[root@node1 scripts]# pwd
/root/scripts

[root@node1 scripts]# ls
cacert.pem  cert.pfx

[root@node1 scripts]# mv cert.pfx cert.p12
[root@node1 scripts]# openssl x509 -outform der -in cacert.pem -out cacert.der
[root@node1 scripts]# keytool -import -keystore cacert.jks -file cacert.der

키 저장소 비밀번호 입력:
새 비밀번호 다시 입력:
소유자: CN=TobySeo CA, OU=Secure Digital Certificate Signing, O=TobySeo, L=Seoul, ST=Seoul, C=KR
발행자: CN=TobySeo CA, OU=Secure Digital Certificate Signing, O=TobySeo, L=Seoul, ST=Seoul, C=KR
일련 번호: 0
적합한 시작 날짜: Tue Dec 27 11:15:11 KST 2016, 종료 날짜: Fri Dec 25 11:15:11 KST 2026
인증서 지문:
   MD5: 4D:4A:67:DB ... XX:XX
   SHA1: 0C:2F:EA:CB ... XX:XX
   SHA256: BC:F2:75:43 ... XX:XX
   서명 알고리즘 이름: SHA256withRSA
   버전: 3

확장:

#1: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
CA:true
PathLen:2147483647
]

#2: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
[DistributionPoint:
   [URIName: http://crl.tinycert.org/ca-XXXX.crl]
]]

#3: ObjectId: 2.5.29.18 Criticality=false
IssuerAlternativeName [
RFC822Name: [email protected]
]

#4: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
DigitalSignature
Key_Encipherment
Key_Agreement
Key_CertSign
]

#5: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
RFC822Name: [email protected]
]

#6: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 18 ED 74 B7 F2 A3 2A 9D   XX XX XX XX XX XX XX XX  ..x...*..x..x.O.
0010: F2 D2 F9 5C                                        ...\
]
]

이 인증서를 신뢰합니까? [아니오]:  y
인증서가 키 저장소에 추가되었습니다.
  5. Configure nifi.properties
[root@node1 nifi-1.1.0.2.1.1.0-2]# pwd
/root/nifi-1.1.0.2.1.1.0-2

[root@node1 nifi-1.1.0.2.1.1.0-2]# vim conf/nifi.properties

# NiFi serves either HTTP or HTTPS, not both; on a secured instance leave nifi.web.http.port blank
nifi.web.http.host=192.168.1.50
nifi.web.http.port=8081
nifi.web.https.host=
nifi.web.https.port=9090
nifi.security.keystore=/root/scripts/cert.p12
nifi.security.keystoreType=PKCS12
nifi.security.keystorePasswd=password486
nifi.security.keyPasswd=password486
nifi.security.truststore=/root/scripts/cacert.jks
nifi.security.truststoreType=JKS
nifi.security.truststorePasswd=hadoop
nifi.login.identity.provider.configuration.file=./conf/login-identity-providers.xml
nifi.security.user.login.identity.provider=ldap-provider
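As an added example (not part of the original page and not NiFi's own code), the script below parses a nifi.properties fragment like the one above and reports the web/TLS settings worth checking before starting a secured instance: both the HTTP and HTTPS ports set, a keystore or truststore type that does not match the file extension, and a login identity provider named without its configuration file. The sample text is constructed from the values shown above; the paths are not checked on disk.

```python
"""Lint the web/TLS section of a NiFi 1.x nifi.properties file.

Added example for this wiki page, not code from NiFi. The sample
below is constructed from the fragment shown on the page.
"""
import os

# Constructed sample: the nifi.properties fragment from the page.
SAMPLE_PROPERTIES = """\
nifi.web.http.host=192.168.1.50
nifi.web.http.port=8081
nifi.web.https.host=
nifi.web.https.port=9090
nifi.security.keystore=/root/scripts/cert.p12
nifi.security.keystoreType=PKCS12
nifi.security.keystorePasswd=password486
nifi.security.keyPasswd=password486
nifi.security.truststore=/root/scripts/cacert.jks
nifi.security.truststoreType=JKS
nifi.security.truststorePasswd=hadoop
nifi.login.identity.provider.configuration.file=./conf/login-identity-providers.xml
nifi.security.user.login.identity.provider=ldap-provider
"""

# Store type NiFi expects for a given keystore file extension.
STORE_TYPE_BY_EXT = {".p12": "PKCS12", ".pfx": "PKCS12", ".jks": "JKS"}


def parse_properties(text):
    """Parse Java .properties text into a dict (key=value, '#'/'!' comments)."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if not sep:  # also accept the "key: value" form Java permits
            key, sep, value = line.partition(":")
        props[key.strip()] = value.strip()
    return props


def check_web_security(props):
    """Return (severity, message) findings for the web/TLS properties."""
    findings = []
    http_port = props.get("nifi.web.http.port", "")
    https_port = props.get("nifi.web.https.port", "")
    provider = props.get("nifi.security.user.login.identity.provider", "")

    if http_port and https_port:
        findings.append(("error",
                         "nifi.web.http.port and nifi.web.https.port are both set; "
                         "NiFi serves either HTTP or HTTPS, so leave the HTTP port blank "
                         "on a secured instance"))

    if https_port:
        for store in ("keystore", "truststore"):
            path = props.get("nifi.security.%s" % store, "")
            stype = props.get("nifi.security.%sType" % store, "")
            passwd = props.get("nifi.security.%sPasswd" % store, "")
            if not (path and stype and passwd):
                findings.append(("error",
                                 "HTTPS is enabled but nifi.security.%s, %sType or %sPasswd "
                                 "is blank" % (store, store, store)))
                continue
            # The extension hints at the real container format; a mismatch
            # surfaces only as a failed start-up otherwise.
            expected = STORE_TYPE_BY_EXT.get(os.path.splitext(path)[1].lower())
            if expected and stype.upper() != expected:
                findings.append(("error",
                                 "nifi.security.%sType=%s but %s looks like a %s file"
                                 % (store, stype, path, expected)))
        if provider and not props.get("nifi.login.identity.provider.configuration.file", ""):
            findings.append(("error",
                             "nifi.security.user.login.identity.provider names a provider "
                             "but nifi.login.identity.provider.configuration.file is blank"))
    elif provider:
        findings.append(("warning",
                         "a login identity provider is configured but HTTPS is not; "
                         "NiFi only authenticates users over HTTPS"))
    return findings


def lint_properties(text):
    """Parse and check a properties text; returns the findings list."""
    return check_web_security(parse_properties(text))


if __name__ == "__main__":
    for severity, message in lint_properties(SAMPLE_PROPERTIES):
        print("%-7s %s" % (severity, message))
```

Run against the page's fragment it reports one finding, the HTTP/HTTPS overlap; blanking nifi.web.http.port leaves the fragment clean.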
  6. Configure authorizers.xml
[root@node1 nifi-1.1.0.2.1.1.0-2]# vim conf/authorizers.xml

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<authorizers>
  <authorizer>
      <identifier>file-provider</identifier>
      <class>org.apache.nifi.authorization.FileAuthorizer</class>
      <property name="Authorizations File">./conf/authorizations.xml</property>
      <property name="Users File">./conf/users.xml</property>
      <!-- must match the subject DN of the browser (demo) certificate exactly, including spacing -->
      <property name="Initial Admin Identity">CN=Demo, OU=demo, O=TobySeo, L=Seoul, ST=Seoul, C=KR</property>
      <property name="Legacy Authorized Users File"></property>
  </authorizer>
</authorizers>
  7. Configure login-identity-providers.xml
[root@node1 nifi-1.1.0.2.1.1.0-2]# vim ./conf/login-identity-providers.xml

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<loginIdentityProviders>
  <provider>
      <identifier>ldap-provider</identifier>
      <class>org.apache.nifi.ldap.LdapProvider</class>
      <property name="Authentication Strategy">SIMPLE</property>

      <property name="Manager DN">uid=admin,ou=people,dc=hadoop,dc=apache,dc=org</property>
      <property name="Manager Password">admin-password</property>

      <!-- the TLS - * settings are only used with the LDAPS or START_TLS strategies; with SIMPLE over ldap:// they are ignored -->
      <property name="TLS - Keystore">/root/scripts/cert.p12</property>
      <property name="TLS - Keystore Password">password486</property>
      <property name="TLS - Keystore Type">PKCS12</property>
      <property name="TLS - Truststore">/root/scripts/cacert.jks</property>
      <property name="TLS - Truststore Password">hadoop</property>
      <property name="TLS - Truststore Type">JKS</property>
      <property name="TLS - Client Auth"></property>
      <property name="TLS - Protocol">TLS</property>
      <property name="TLS - Shutdown Gracefully"></property>

      <property name="Referral Strategy">FOLLOW</property>
      <property name="Connect Timeout">10 secs</property>
      <property name="Read Timeout">10 secs</property>

      <property name="Url">ldap://localhost:33389</property>
      <property name="User Search Base">ou=people,dc=hadoop,dc=apache,dc=org</property>
      <property name="User Search Filter">uid={0}</property>

      <property name="Identity Strategy">USE_DN</property>
      <property name="Authentication Expiration">12 hours</property>
  </provider>
</loginIdentityProviders>
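As an added example (not part of the original page and not NiFi's own code), the script below reads an LdapProvider block like the one above with the standard-library XML parser and flags the transport-security combinations a reviewer looks for: a SIMPLE bind over a plain ldap:// URL (cleartext passwords, reported as informational when the server is on loopback, as the Knox demo LDAP is here), TLS properties that have no effect under that strategy, and LDAPS or START_TLS without a truststore. The embedded XML is constructed from the page's configuration; the hostnames used in the hardened variants are assumptions.

```python
"""Review the LdapProvider settings in a NiFi login-identity-providers.xml.

Added example for this wiki page, not code from NiFi. The embedded XML
is constructed from the provider block shown on the page.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample: the provider block from the page.
SAMPLE_XML = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<loginIdentityProviders>
  <provider>
      <identifier>ldap-provider</identifier>
      <class>org.apache.nifi.ldap.LdapProvider</class>
      <property name="Authentication Strategy">SIMPLE</property>
      <property name="Manager DN">uid=admin,ou=people,dc=hadoop,dc=apache,dc=org</property>
      <property name="Manager Password">admin-password</property>
      <property name="TLS - Keystore">/root/scripts/cert.p12</property>
      <property name="TLS - Keystore Password">password486</property>
      <property name="TLS - Keystore Type">PKCS12</property>
      <property name="TLS - Truststore">/root/scripts/cacert.jks</property>
      <property name="TLS - Truststore Password">hadoop</property>
      <property name="TLS - Truststore Type">JKS</property>
      <property name="TLS - Client Auth"></property>
      <property name="TLS - Protocol">TLS</property>
      <property name="Url">ldap://localhost:33389</property>
      <property name="User Search Base">ou=people,dc=hadoop,dc=apache,dc=org</property>
      <property name="User Search Filter">uid={0}</property>
      <property name="Identity Strategy">USE_DN</property>
      <property name="Authentication Expiration">12 hours</property>
  </provider>
</loginIdentityProviders>
"""

LDAP_PROVIDER_CLASS = "org.apache.nifi.ldap.LdapProvider"
LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "::1"}


def load_ldap_providers(xml_text):
    """Return {identifier: {property name: value}} for each LdapProvider element."""
    if isinstance(xml_text, str):
        xml_text = xml_text.encode("utf-8")  # let expat honour the XML declaration
    root = ET.fromstring(xml_text)
    providers = {}
    for prov in root.findall("provider"):
        if (prov.findtext("class") or "").strip() != LDAP_PROVIDER_CLASS:
            continue
        ident = (prov.findtext("identifier") or "").strip()
        providers[ident] = {p.get("name"): (p.text or "").strip()
                            for p in prov.findall("property")}
    return providers


def check_ldap_provider(props):
    """Return (severity, message) findings for one LdapProvider's properties."""
    findings = []
    strategy = props.get("Authentication Strategy", "").upper()
    url = urlsplit(props.get("Url", ""))
    scheme = url.scheme.lower()
    tls_configured = any(v for k, v in props.items()
                         if k.startswith("TLS - ") and k != "TLS - Protocol")

    if strategy in ("SIMPLE", "ANONYMOUS") and scheme == "ldap":
        # Manager and user passwords cross the wire unencrypted; with a
        # loopback server (the Knox demo LDAP) they never leave the host.
        severity = "info" if url.hostname in LOOPBACK_HOSTS else "error"
        findings.append((severity, "%s bind over ldap:// to %s: passwords cross the wire "
                         "in cleartext" % (strategy, url.hostname)))
        if tls_configured:
            findings.append(("warning", "TLS - * properties are set but only apply to "
                             "LDAPS or START_TLS; they have no effect with %s" % strategy))
    if strategy == "LDAPS" and scheme != "ldaps":
        findings.append(("error", "Authentication Strategy LDAPS requires an ldaps:// Url, "
                         "got %s://" % scheme))
    if strategy in ("LDAPS", "START_TLS") and not props.get("TLS - Truststore"):
        findings.append(("error", "%s without TLS - Truststore: the LDAP server certificate "
                         "cannot be verified" % strategy))
    if strategy == "SIMPLE" and not props.get("Manager Password"):
        findings.append(("error", "SIMPLE strategy with an empty Manager Password"))
    return findings


if __name__ == "__main__":
    for ident, props in load_ldap_providers(SAMPLE_XML).items():
        for severity, message in check_ldap_provider(props):
            print("%s: %-7s %s" % (ident, severity, message))
```

For the page's block this yields an informational note about the cleartext bind to localhost and a warning that the TLS settings are inert; switching the strategy to LDAPS with an ldaps:// Url and keeping the truststore produces no findings.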
  8. Delete the existing files
[root@node1 nifi-1.1.0.2.1.1.0-2]# rm ./conf/users.xml
[root@node1 nifi-1.1.0.2.1.1.0-2]# rm ./conf/authorizations.xml
  9. Restart the NiFi server
[root@node1 nifi-1.1.0.2.1.1.0-2]# bin/nifi.sh restart

-- References
