Configuring Knox for NiFi
1. Create a config.json file in a location accessible to Knox. For example, create the file on the Knox server at /home/knox.

2. Populate the config.json file with the following information. Look up the NiFi CA port value in the Advanced nifi-ambari-ssl-config section before populating the file:

   {
     "dn" : "CN=$KNOX_HOST_NAME, OU=KNOX",
     "keyStore" : "/home/knox/knox-nifi-keystore.jks",
     "keyStoreType" : "jks",
     "keyStorePassword" : "$KEY_STORE_PASSWORD",
     "keyPassword" : "$KEY_PASSWORD",
     "token" : "$NIFI_CA_TOKEN_VALUE",
     "caHostname" : "$NIFI_CA_HOSTNAME",
     "port" : $NIFI_CA_PORT,
     "trustStore" : "/home/knox/knox-nifi-truststore.jks",
     "trustStorePassword" : "$TRUSTSTORE_PASSWORD",
     "trustStoreType" : "jks"
   }

   The keyStorePassword, keyPassword, and trustStorePassword can be set to the Knox Master Password to make it easier to import the keyStore and trustStore created by the NiFi Certificate Authority into Knox's keystore.
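As an added check before handing the file to the TLS Toolkit (example code, not part of this documentation or of Knox/NiFi), the following Python validates a populated config.json: it confirms every key from the template above is present, that port is a JSON number rather than a quoted string, that no $VARIABLE placeholder was left unreplaced, that the store types are jks, and that the dn carries OU=KNOX. The sample configurations, hostnames and passwords are constructed.

```python
import json
import re

# Keys from the config.json template and the JSON type each must have; "port" is a bare number.
REQUIRED_KEYS = {
    "dn": str, "keyStore": str, "keyStoreType": str, "keyStorePassword": str,
    "keyPassword": str, "token": str, "caHostname": str, "port": int,
    "trustStore": str, "trustStorePassword": str, "trustStoreType": str,
}
# An unreplaced template variable such as $NIFI_CA_TOKEN_VALUE.
PLACEHOLDER = re.compile(r"\$[A-Z_]+")


def check_config(text):
    """Return the list of problems in a config.json body; an empty list means it is ready for the toolkit."""
    try:
        cfg = json.loads(text)
    except json.JSONDecodeError as exc:
        return ["not valid JSON: %s" % exc]
    problems = []
    for key, typ in REQUIRED_KEYS.items():
        if key not in cfg:
            problems.append("missing key %s" % key)
        elif type(cfg[key]) is not typ:
            problems.append("%s should be a JSON %s" % (key, "number" if typ is int else "string"))
        elif typ is str and PLACEHOLDER.search(cfg[key]):
            problems.append("%s still contains an unreplaced $VARIABLE" % key)
    if type(cfg.get("port")) is int and not 1 <= cfg["port"] <= 65535:
        problems.append("port out of range")
    for key in ("keyStoreType", "trustStoreType"):
        if key in cfg and str(cfg[key]).lower() != "jks":
            problems.append("%s should be jks" % key)
    if isinstance(cfg.get("dn"), str) and "OU=KNOX" not in cfg["dn"]:
        problems.append("dn should carry OU=KNOX")
    return problems


# Constructed sample: a filled-in config.json with hostnames, token and passwords chosen for the example.
SAMPLE_GOOD = """{
  "dn": "CN=knox.example.com, OU=KNOX",
  "keyStore": "/home/knox/knox-nifi-keystore.jks", "keyStoreType": "jks",
  "keyStorePassword": "example-pw", "keyPassword": "example-pw",
  "token": "example-ca-token", "caHostname": "nifi-ca.example.com", "port": 10443,
  "trustStore": "/home/knox/knox-nifi-truststore.jks",
  "trustStorePassword": "example-pw", "trustStoreType": "jks"
}"""
# Constructed sample with two common mistakes: the port quoted as a string and the token left as a placeholder.
SAMPLE_BAD = SAMPLE_GOOD.replace('"port": 10443', '"port": "10443"').replace("example-ca-token", "$NIFI_CA_TOKEN_VALUE")
```

Run check_config on the real file's contents and fix every reported problem before step 4; an empty list is the expected result.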
3. Confirm that the variables in the config.json file from step 2 are set to the values from the Advanced nifi-ambari-ssl-config section.

4. To create the keystore and truststore used by Knox when proxying NiFi, start the NiFi TLS Toolkit. For the location of the TLS Toolkit, see the Release Notes for OS-specific information. For example:

   /var/lib/ambari-agent/cache/common-services/NIFI/1.0.0/package/files/nifi-toolkit-1.2.0.3.0.2.0-71/bin/tls-toolkit.sh client --subjectAlternativeNames "CN=$HOST_DN_NAME, OU=KNOX" -F -f /home/knox/config.json

   The toolkit requests a new certificate and creates two new files containing the keystore and truststore:

   /home/knox/knox-nifi-keystore.jks
   /home/knox/knox-nifi-truststore.jks
5. Import the Knox certificate for NiFi into Knox's gateway.jks file:

   keytool -importkeystore -srckeystore /home/knox/knox-nifi-keystore.jks -destkeystore /usr/hdp/current/knox-server/data/security/keystores/gateway.jks -deststoretype JKS -srcstorepass $KEYSTORE_PASSWORD -deststorepass $KNOX_MASTER_PASSWORD

   The gateway.jks file should now contain a PrivateKeyEntry for NiFi.

6. Import the NiFi CA's truststore into Knox's gateway.jks file:

   keytool -importkeystore -srckeystore /home/knox/knox-nifi-truststore.jks -destkeystore /usr/hdp/current/knox-server/data/security/keystores/gateway.jks -deststoretype JKS -srcstorepass $KEYSTORE_PASSWORD -deststorepass $KNOX_MASTER_PASSWORD

   The gateway.jks file should now contain a trustedCertEntry for NiFi. Knox uses gateway.jks to look up the certificates in the truststore that it can trust.

7. If you have not already done so, verify that the proper keys are in the gateway.jks file (the store password of gateway.jks is the Knox Master Password used as -deststorepass above):

   keytool -keystore /usr/hdp/current/knox-server/data/security/keystores/gateway.jks -storepass $KNOX_MASTER_PASSWORD -list -v
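As an added check (example code, not from this documentation or the Knox project), the following Python reads the output of the keytool -list -v command above and confirms that gateway.jks holds both the NiFi-issued PrivateKeyEntry (subject in OU=KNOX) and a trustedCertEntry whose subject matches that key's issuer, which is what steps 5 and 6 should have produced. The sample listing, its aliases and its distinguished names are constructed.

```python
# Constructed sample of `keytool -list -v` output for a gateway.jks after steps 5 and 6,
# trimmed to the lines the check reads (aliases and distinguished names are made up).
SAMPLE_LISTING = """\
Keystore type: JKS

Your keystore contains 2 entries

Alias name: nifi-key
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=knox.example.com, OU=KNOX
Issuer: CN=nifi-ca.example.com, OU=NIFI
Certificate[2]:
Owner: CN=nifi-ca.example.com, OU=NIFI
Issuer: CN=nifi-ca.example.com, OU=NIFI

*******************************************

Alias name: nifi-cert
Entry type: trustedCertEntry

Owner: CN=nifi-ca.example.com, OU=NIFI
Issuer: CN=nifi-ca.example.com, OU=NIFI
"""


def parse_listing(text):
    """Map each alias to its entry type and the Owner/Issuer of its first certificate."""
    entries, alias = {}, None
    for line in text.splitlines():
        if line.startswith("Alias name: "):
            alias = line.split(": ", 1)[1].strip()
            entries[alias] = {}
        elif alias is not None and ": " in line:
            field, value = line.split(": ", 1)
            # Keep only the first Owner/Issuer seen: the leaf certificate, not the rest of the chain.
            if field in ("Entry type", "Owner", "Issuer") and field not in entries[alias]:
                entries[alias][field] = value.strip()
    return entries


def trust_chain_ok(entries, ou="OU=KNOX"):
    """True when a PrivateKeyEntry issued to the Knox OU has its issuer present as a trustedCertEntry."""
    anchors = {e["Owner"] for e in entries.values()
               if e.get("Entry type") == "trustedCertEntry" and "Owner" in e}
    return any(e.get("Entry type") == "PrivateKeyEntry" and ou in e.get("Owner", "")
               and e.get("Issuer") in anchors for e in entries.values())
```

If trust_chain_ok returns False after both imports, the usual cause is a truststore import that silently went into a different keystore or was run with the wrong store password.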
8. In the /usr/hdp/current/$KNOX_SERVER/data/services/nifi/1.4.0/service.xml file, make sure the dispatch element contains the following:

   <dispatch classname="org.apache.hadoop.gateway.dispatch.NiFiDispatch" use-two-way-ssl="true"/>

9. In the Advanced topology section in Ambari, add the following service definition to the list of services:

   <service>
     <role>NIFI</role>
     <url>https://$NIFI_HOSTNAME:$NIFI_HTTPS_PORT/</url>
     <param name="useTwoWaySsl" value="true" />
   </service>

   Where <url> points to the host and port that NiFi is listening on, taken from the nifi-properties configuration site.
10. If you want to use Knox SSO authentication, perform the following steps:

    In Ambari, replace the ShiroProvider with the KnoxSSO provider in the nifi.security.knox.url property. The following information should be in the nifi.security.knox.url property:

    <provider>
      <role>federation</role>
      <name>SSOCookieProvider</name>
      <enabled>true</enabled>
      <param>
        <name>sso.authentication.provider.url</name>
        <value>https://host:port/gateway/idp/api/v1/websso</value>
      </param>
    </provider>

    where the values of the parameters are specific to your environment:

    <name>sso.authentication.provider.url</name>
    <value>https://host:port/gateway/idp/api/v1/websso</value>

    (Required) Indicates the location of the KnoxSSO endpoint and where to redirect the user agent when no SSO cookie is found in the incoming request.
11. If you want to access NiFi directly rather than through Knox, complete the following steps. This step is not necessary if you plan to access NiFi through Knox and not use Knox's SSO.

    Export the Knox SSO certificate using the following command:

    $KNOX_INSTALL_DIR/bin/knoxcli.sh export-cert

    Set the following properties in the Advanced NiFi section in Ambari:

    nifi.security.user.knox.url=https://localhost:8443/gateway/knoxsso/api/v1/websso
    nifi.security.user.knox.publicKey=<path-to>/gateway-identity.pem
    nifi.security.user.knox.cookieName=hadoop-jwt
    nifi.security.user.knox.audiences=

    These properties assume that Knox is running locally on port 8443 and NiFi is secured and running on another port.

    The cookieName property must align with what is configured in Knox. The audiences property is used to only accept tokens from a particular audience. The audiences value is configured as part of Knox SSO [1].

12. Save the configuration and restart Knox.