Configuring NiFi Authentication and Proxying with Apache Knox

Similar documents
Hortonworks DataFlow

Configuring Apache Knox SSO

Configuring Apache Knox SSO

Security 3. NiFi Authentication. Date of Publish:

Installation 1. DLM Installation. Date of Publish:

Installing Apache Knox

Knox Implementation with AD/LDAP

Installation and Upgrade 1. Installing DataPlane. Date of Publish:

Installation 1. Installing DPS. Date of Publish:

Accessing clusters 2. Accessing Clusters. Date of Publish:

SAML 2.0 SSO. Set up SAML 2.0 SSO. SAML 2.0 Terminology. Prerequisites

Developers Integration Lab (DIL) Certificate Installation Instructions. Version 1.6

Configure DNA Center Assurance for Cisco ISE Integration

SAML with ADFS Setup Guide

Wildcard Certificates

ADFS Setup (SAML Authentication)

Configure Cisco DNA Assurance

Upgrading Big Data Management to Version Update 2 for Hortonworks HDP

Hortonworks DataFlow

Installing SmartSense on HDP

SSL Configuration: an example. July 2016

Data Analytics Studio Installation

Apache Directory Studio. User's Guide

SSL or TLS Configuration for Tomcat Oracle FLEXCUBE Universal Banking Release [December] [2016]

Update authorizers.xml file under conf directory of nifi with new authorizer given below:

Installing Apache Atlas

StreamServe Persuasion SP4 StreamStudio

OIOIDWS Integration testing

Hortonworks Data Platform

Apache NiFi System Administration

eroaming platform Secure Connection Guide

Ambari Managed HDF Upgrade

Public Key Enabling Oracle Weblogic Server

Hortonworks DataFlow

HDP Security Overview

HDP Security Overview

1 Configuring SSL During Installation

Configuring SAML-based Single Sign-on for Informatica Web Applications

Installing Apache Zeppelin

Android Mobile Single Sign-On to VMware Workspace ONE. SEP 2018 VMware Workspace ONE VMware Identity Manager VMware Identity Manager 3.

SSL/TLS Certificate Generation

SAML-Based SSO Configuration

Hortonworks Data Platform

Electronic Signature Version March Administrator Guide

VIRTUAL GPU LICENSE SERVER VERSION , , AND 5.1.0

Getting Started 1. Getting Started. Date of Publish:

Installing and Configuring vcloud Connector

How to use an EPR certificate with the MESH client

SSL/TLS Certificate Generation

Provisioning Certificates

Configuring Ambari Authentication with LDAP/AD

VMWARE HORIZON CLOUD WITH VMWARE IDENTITY MANAGER QUICK START GUIDE WHITE PAPER MARCH 2018

Oracle Cloud Using Oracle Big Data Cloud. Release 18.1

IMPLEMENTING HTTPFS & KNOX WITH ISILON ONEFS TO ENHANCE HDFS ACCESS SECURITY

Installing an HDF cluster

Xcalar Installation Guide

Configuring CA WA Agent for Application Services to Work with IBM WebSphere Application Server 8.x

Installing and Configuring vcloud Connector

Oracle Insurance Policy Administration Configuration of SAML 1.1 Between OIPA and OIDC

Hortonworks Technical Preview for Apache Falcon

How to convert.crt SSL Certificate to.pfx format (with openssl Linux command) and Import newly generated.pfx to Windows IIS Webserver

Assuming you have Icinga 2 installed properly, and the API is not enabled, the commands will guide you through the basics:

SSL/TLS Certificate Generation

Best Practices for Security Certificates w/ Connect

Hortonworks Data Platform

Hortonworks Data Platform

AirWatch Mobile Device Management

VMware vsphere Big Data Extensions Administrator's and User's Guide

Enterprise Steam Installation and Setup

TIM TAM Integration. Planning to install the Tivoli Access Manager Combo Adapter

Hortonworks SmartSense

Enabling SAML Authentication in an Informatica 10.2.x Domain

Configuring Ambari Authentication with LDAP/AD

Enabling Secure Sockets Layer for a Microsoft SQL Server JDBC Connection

BlackBerry UEM Configuration Guide

User Guide NetIQ Identity Manager Home and Provisioning Dashboard

Director and Certificate Authority Issuance

Perceptive Experience Content Apps

Configuring Ambari Authentication with LDAP/AD

Configuring Single Sign-on from the VMware Identity Manager Service to Marketo

Installing HDF Services on an Existing HDP Cluster

Installing Prime Home

VMware Identity Manager Connector Installation and Configuration (Legacy Mode)

Server Installation Guide

Introduction to Cloudbreak

Red Hat CloudForms 4.6

On-demand target, up and running

Novell Identity Manager

Infor LN HTML5 Workbench Administration Guide

Application notes for supporting third-party certificate in Avaya Aura System Manager 6.3.x and 7.0.x. Issue 1.3. November 2017

Contents Overview... 5 Upgrading Primavera Gateway... 7 Using Gateway Configuration Utilities... 9

Configuration Guide. BlackBerry UEM. Version 12.9

Configuring Proxy with Apache Knox

Hadoop Integration User Guide. Functional Area: Hadoop Integration. Geneos Release: v4.9. Document Version: v1.0.0

VMware AirWatch Integration with RSA PKI Guide

IBM Security Identity Governance and Intelligence. SDI-based IBM Security Privileged Identity Manager adapter Installation and Configuration Guide IBM

Load Balancing Nginx Web Servers with OWASP Top 10 WAF in Azure

X-road MISP2 installation and configuration guide. Version 1.20

Configuring Confluence

SAML SSO Deployment Guide for Cisco Unified Communications Applications, Release 12.0(1)

Transcription:

3 Configuring NiFi Authentication and Proxying with Apache Knox Date of Publish: 2018-08-13 http://docs.hortonworks.com

Contents...3 Configuring NiFi for Knox Authentication... 3 Configuring Knox for NiFi... 3 Preparing to Generate Knox Certificates using the TLS Toolkit...4 Generating Knox Certificates Using the TLS Toolkit... 5 Configuring the Knox SSO Topology... 6 Creating an Advanced Topology...6 Configuring Knox SSO... 8 Adding a NiFi Policy for Knox... 10 Adding a Policy Using NiFi...10 Adding a Policy Using Ranger... 10 Accessing NiFi Using Knox...10

Configuring NiFi Authentication and Proxying with Apache Knox You can use the Apache Knox Gateway to provide authentication access security for your NiFi services. The Apache Knox Gateway (Knox) enables you to extend Apache Hadoop services to users outside of a Hadoop cluster without reducing Hadoop security. Knox also simplifies Hadoop security for users who access the cluster data and execute jobs. Knox integrates with identity management and single sign-on (SSO) systems used in enterprises, enabling you to use identities from these systems to access Hadoop clusters. For more information about Knox, see Apache Knox Gateway Overview. Note: If you are using Hortonworks Data Platform (HDP) 2.6.4 or earlier, HA proxying of NiFi is not supported. Configuring NiFi for Knox Authentication After you install NiFi, you must update the NiFi configurations in Apache Ambari. About this task Important: We recommend that NiFi is installed on a different host than Knox. 1. In Advanced nifi-ambari-ssl-config, the Initial Admin Identity value must specify a user that Apache Knox can authenticate. 2. In Advanced nifi-ambari-ssl-config, add a node identity for the Knox node: <property name="node Identity 1">CN=$NIFI_HOSTNAME, OU=NIFI</property> <property name="node Identity 2">CN=$NIFI_HOSTNAME, OU=NIFI</property> <property name="node Identity 3">CN=$NIFI_HOSTNAME, OU=NIFI</property> <property name="node Identity 4">CN=$KNOX_HOSTNAME, OU=KNOX</property> 3. Update the nifi.web.proxy.context.path property in Advanced nifi-properties: nifi.web.proxy.context.path=/$gateway_context/flow-management/nifi-app $GATEWAY_CONTEXT is the value in the Advanced gateway-site gateway.path field in the Ambari Configs for Knox. 4. Update the nifi.web.proxy.host property in Advanced nifi-properties with a comma-separated list of the host name and port for each Knox host, if you are deploying in a container or cloud environment. For example: knox-host1:18443, knox-host2:443 Configuring Knox for NiFi 3

Preparing to Generate Knox Certificates using the TLS Toolkit Proxies must communicate securely with NiFi using two-way SSL. To set up two-way SSL, you must generate certificates for Knox to use when communicating with NiFi. You can do this by using the TLS Toolkit. Use these steps to create a configuration for the TLS Toolkit to generate the certificates for Knox. 1. As the Knox user, create a nifi-ca-config.json file on each Knox node, in a location accessible to Knox. For example, to create the file on a Knox node at /home/knox using the vi text editor, enter the following: sudo su - knox vi /home/knox/nifi-ca-config.json 2. Populate the nifi-ca-config.json file with the following information: { } "dn" : "CN=$KNOX_HOSTNAME, OU=KNOX", "keystore" : "/home/knox/knox-nifi-keystore.jks", "keystoretype" : "jks", "keystorepassword" : "$KEYSTORE_PASSWORD", "keypassword" : "$KEY_PASSWORD", "token" : "$NIFI_CA_TOKEN_VALUE", "cahostname" : "$NIFI_CA_HOSTNAME", "port" : $NIFI_CA_PORT, "truststore" : "/home/knox/knox-nifi-truststore.jks", "truststorepassword" : "$TRUSTSTORE_PASSWORD", "truststoretype" : "jks" where: $KNOX_HOSTNAME is the FQDN for the cluster node on which Knox is installed. $KEYSTORE_PASSWORD is the password you want the TLS Toolkit to use for the KeyStore and TrustStore for Knox when communicating with NiFi. $KEY_PASSWORD is required when SSL is enabled. If you are using the NiFi Certificate Authority (CA), this value is automatically generated if the field is left blank. You can find this value in the Key password field in the NiFi Advanced nifi-ambari-ssl-config configuration section. $NIFI_CA_TOKEN_VALUE is the token that NiFi CA uses to verify a NiFi node identity before issuing certificates. You can find this value in the NiFi CA Token field in the NiFi Advanced nifi-ambari-ssl-config configuration section. $NIFI_CA_HOSTNAME is the FQDN for the cluster node on which the NiFi CA is installed. $NIFI_CA_PORT is the port used by the NiFi CA. You can find this value in the NiFi Certificate Authority port field in the NiFi Advanced nifi-ambari-sslconfig configuration section. $TRUSTSTORE_PASSWORD is the truststore password. Example Note: You can set keystorepassword, keypassword, and truststorepassword to the Knox Master Secret to make it easier to import the keystore and truststore created by the NiFi Certificate Authority into the Knox keystore. Example nifi-ca-config.json file { "dn" : "CN=slo-hdf-test5.field.hortonworks.com, OU=KNOX", "domainalternativenames" : null, 4

} "keystore" : "/home/knox/knox-nifi-keystore.jks", "keystoretype" : "jks", "keystorepassword" : "admin", "keypassword" : "admin", "token" : "token", "cahostname" : "slo-hdf-test5.field.hortonworks.com", "port" : 10443, "dnprefix" : "CN=", "dnsuffix" : ", OU=NIFI", "reorderdn" : true, "truststore" : "/home/knox/knox-nifi-truststore.jks", "truststorepassword" : "admin", "truststoretype" : "jks" Generating Knox Certificates Using the TLS Toolkit You can generate the certificates used by Knox when proxying NiFi using the TLS Toolkit. Before you begin Ensure that Java is set correctly for your environment. 1. As the Knox user, start the TLS Toolkit. For the location of the TLS Toolkit, see the HDF Release Notes for release-specific download information. For example: /var/lib/ambari-agent/tmp/nifi-toolkit-1.7.0.3.2.0.0-520/bin/tlstoolkit.sh client --subjectalternativenames "CN=$KNOX_HOSTNAME, OU=KNOX" -F -f /home/knox/nifi-ca-config.json The toolkit requests a new certificate and creates two new files containing the keystore and truststore: /home/knox/knox-nifi-keystore.jks /home/knox/knox-nifi-truststore.jks 2. Import the Knox certificate for NiFi into the Knox gateway.jks file: keytool -importkeystore -srckeystore /home/knox/knox-nifi-keystore.jks -destkeystore /usr/hdf/current/knox-server/data/security/keystores/ gateway.jks -deststoretype JKS -srcstorepass $KEYSTORE_PASSWORD -deststorepass $KNOX_MASTER_PASSWORD The gateway.jks file now contains a PrivateKeyEntry for NiFi. 3. Import the NiFi CA truststore into the Knox gateway.jks file: keytool -importkeystore 5

-srckeystore /home/knox/knox-nifi-truststore.jks -destkeystore /usr/hdf/current/knox-server/data/security/keystores/ gateway.jks -deststoretype JKS -srcstorepass $TRUSTSTORE_PASSWORD -deststorepass $KNOX_MASTER_PASSWORD The gateway.jks file should now contain a trustedcertentry for NiFi. 4. Verify that the proper keys are in the gateway.jks file: keytool -keystore /usr/hdf/current/knox-server/data/security/keystores/gateway.jks -storepass $KEYSTORE_PASSWORD -list -v Results You see nifi-key and nifi-cert in addition to the gateway-identity key. Configuring the Knox SSO Topology If you are proxying NiFi and authenticating with Knox SSO, you must make several edits to the Knox SSO topology. If you not authenticating with Knox SSO, these steps are not necessary. 1. Navigate to Advanced knoxsso-topology and, in the KNOXSSO service definition, edit the Knox SSO token time-to-live value. For example, for a 10 hour time-to-live: <name>knoxsso.token.ttl</name> <value>36000000</value> 2. Update the knoxsso.redirect.whitelist.regex property with a regex value that represents the host or domain in which the NiFi host is running. If the knoxsso.redirect.whitelist.regex property does not exist, you must add it. For example: <name>knoxsso.redirect.whitelist.regex</name> <value>^https?:\/\/(hdf-test\.field\.hortonworks\.com localhost 127\.0\.0\.1 0:0:0:0:0:0:0:1 ::1):[0-9].*$</value> Creating an Advanced Topology 1. As the Knox user, create flow-management.xml in /usr/hdf/current/knox-server/conf/topologies. 2. Add the following content to flow-management.xml: 6

If you have modified the ShiroProvider in the topology specified in the Advanced Topology section of the Ambari Knox configs, and want to authenticate Flow Management topology users in the same manner as Advanced Topology users, ensure that those modifications are reflected in your added content. <?xml version="1.0" encoding="utf-8"?> <!-- Licensed to the Apache Software Foundation (ASF) under one or more contributor license agreements. See the NOTICE file distributed with this work for additional information regarding copyright ownership. The ASF licenses this file to You under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at http://www.apache.org/licenses/license-2.0 Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License. --> <topology> <gateway> <provider> <role>authentication</role> <name>shiroprovider</name> <enabled>true</enabled> <name>sessiontimeout</name> <value>30</value> <name>redirecttourl</name> <value>/gateway/knoxsso/knoxauth/login.html</value> <name>restrictedcookies</name> <value>rememberme,www-authenticate</value> <name>main.ldaprealm</name> <value>org.apache.hadoop.gateway.shirorealm.knoxldaprealm</value> <name>main.ldapcontextfactory</name> <value>org.apache.hadoop.gateway.shirorealm.knoxldapcontextfactory</ value> <name>main.ldaprealm.contextfactory</name> <value>$ldapcontextfactory</value> <name>main.ldaprealm.userdntemplate</name> <value>uid={0},ou=people,dc=hadoop,dc=apache,dc=org</value> <name>main.ldaprealm.contextfactory.url</name> <value>ldap://localhost:33389</value> 7

<name>main.ldaprealm.authenticationcachingenabled</name> <value>false</value> <name>main.ldaprealm.contextfactory.authenticationmechanism</name> <value>simple</value> <name>urls./**</name> <value>authcbasic</value> </provider> <provider> <role>identity-assertion</role> <name>default</name> <enabled>true</enabled> </provider> </gateway> <service> <role>nifi</role> <url>$nifi_http_scheme://$nifi_host:$nifi_http_scheme_port</url> <param name="usetwowayssl" value="true"/> </service> </topology> Where: $NIFI_HTTP_SCHEME specifies whether NiFi is communicating over HTTP or HTTPS. $NIFI_HOST is the FQDN of the host machine on which NiFi is running. $NIFI_HTTP_SCHEME_PORT specifies the port on which NiFi is running. This value varies depending on HTTP or HTTPS usage. In Advanced nifi-ambari-ssl-config, if Enable SSL? is selected, use the port specified by NiFi HTTP port (SSL), and if not, use the port specified by NiFi HTTP port (non-ssl). The port values are available in Advanced nifi-ambari-config. 3. Save the configuration and restart Knox, or continue by configuring Knox SSO. Configuring Knox SSO 1. If you want to use Knox SSO authentication, perform the following steps: a. On each cluster node with Knox installed, replace the ShiroProvider federation provider in the flowmanagement.xml file with the following content: <provider> <role>federation</role> <name>ssocookieprovider</name> <enabled>true</enabled> <name>sso.authentication.provider.url</name> <value>https://$knox_hostname:$knox_port/gateway/knoxsso/api/v1/ websso</value> </provider> where: $KNOX_HOSTNAME is the FQDN of the Knox host. $KNOX_PORT is the port Knox is using. 8

Your new flow-management.xml file looks similar to the following: <?xml version="1.0" encoding="utf-8"?> <!-- Licensed to the Apache Software Foundation (ASF) under one or more contributor license agreements. See the NOTICE file distributed with this work for additional information regarding copyright ownership. The ASF licenses this file to You under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at http://www.apache.org/licenses/license-2.0 Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License. --> <topology> <gateway> <provider> <role>federation</role> <name>ssocookieprovider</name> <enabled>true</enabled> <name>sso.authentication.provider.url</name> <value>https://hdf-test.field.hortonworks.com:8443/gateway/ knoxsso/api/v1/websso</value> </provider> <provider> <role>identity-assertion</role> <name>default</name> <enabled>true</enabled> </provider> </gateway> <service> <role>nifi</role> <url>https://hdf-test-nifi.field.hortonworks.com:9091</url> <name>usetwowayssl</name> <value>true</value> </service> </topology> b. If you want to access NiFi directly and still use Knox SSO: Export the Knox SSO certificate: $KNOX_INSTALL_DIR/bin/knoxcli.sh export-cert Set the following properties in the Advanced nifi-properties section in Ambari: nifi.security.user.knox.url=https://$knox_hostname:$knox_port/ gateway/knoxsso/api/v1/websso nifi.security.user.knox.publickey=<path-to>/gateway-identity.pem nifi.security.user.knox.cookiename=hadoop-jwt 9

nifi.security.user.knox.audiences= The cookiename property must align with what is configured in Knox. The audiences property is used to only accept tokens from a particular audience. The audiences value is configured as part of Knox SSO. 2. Save the configuration and restart Knox. Adding a NiFi Policy for Knox A new NiFi installation includes the policies necessary for Knox. If you are configuring an existing NiFi installation to be proxied by Knox, you must manually create NiFi policies for Knox. You can create and add these policies using either NiFi or Apache Ranger. Adding a Policy Using NiFi You must add the Knox user and proxy policies only if you did not add the Knox cert DN to the list of node identities in Advanced nifi-ambari-ssl-config when NiFi was installed. You also must manually edit policies for the users who are going to log in to Knox and for the Knox node itself to be authorized as a proxy. At a minimum, the Knox node should be added to the policy for proxying user requests and the users. 1. Create a user to represent the Knox identity in NiFi. Navigate to the NiFi Global Menu Users. Click Add User. The value for the identify of this new user is the DN from the cert that Knox is using to communicate with NiFi. 2. From the NiFi Global Menu Policies, select proxy user requests and add the Knox identity. 3. For component-level policies, on the root group, add permissions to "view the data" and to "modify the data" for the Knox identity. Adding a Policy Using Ranger If you are using Ranger, complete the following steps to add a policy for the Knox node user. 1. Create a user to represent Knox in NiFi by taking the DN from the cert that Knox is using to communicate with NiFi. 2. For the component level policies, on the root group, add permissions to "view the data " and to "modify the data" for the Knox user: Set WRITE to /proxy. Set READ and WRITE to /data/process-group/<root-group-id>. Accessing NiFi Using Knox 1. Enter the following URL in a browser: https://$knox_host:$knox_port/$gateway_context/default/nifi-app/nifi Where: $KNOX_HOST:KNOX_PORT is the Knox host:gateway port. $GATEWAY_CONTEXT is the gateway context, defined in the gateway-site configuration in Knox. 2. When prompted, enter your NiFi user name and password to be authenticated by Knox. 10

Results Knox proxies the NiFi UI. 11

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback