
Configuring Knox for NiFi

  1. Create a config.json file in a location accessible to Knox.

    For example, create the file on the Knox server at /home/knox.

  2. Populate the config.json file with the following information:

    Before populating the config.json file, look up the NiFi CA port value, which is in Advanced nifi-ambari-ssl-config.

    {
      "dn" : "CN=$KNOX_HOSTNAME, OU=KNOX",
      "keyStore" : "/home/knox/knox-nifi-keystore.jks",
      "keyStoreType" : "jks",
      "keyStorePassword" : "$KEY_STORE_PASSWORD",
      "keyPassword" : "$KEY_PASSWORD",
      "token" : "$NIFI_CA_TOKEN_VALUE",
      "caHostname" : "$NIFI_CA_HOSTNAME",
      "port" : $NIFI_CA_PORT,
      "trustStore" : "/home/knox/knox-nifi-truststore.jks",
      "trustStorePassword" : "$TRUSTSTORE_PASSWORD",
      "trustStoreType" : "jks"
    }
    

    The keyStorePassword, keyPassword, and trustStorePassword can be set to the Knox Master Secret to make it easier to import the keyStore and trustStore created by the NiFi Certificate Authority into Knox's keystore.

  3. Confirm that the variables in the config.json file from step 2 are set to the values from Advanced nifi-ambari-ssl-config.

  4. To create the keystore and truststore used by Knox when proxying NiFi, start the NiFi TLS Toolkit. For the location of the TLS Toolkit, see Release Notes for OS-specific information.

    For example:

    /var/lib/ambari-agent/tmp/nifi-toolkit-1.5.0.3.1.0.0-564/bin/tls-toolkit.sh client --subjectAlternativeNames "CN=$KNOX_HOSTNAME, OU=KNOX" -F -f /home/knox/config.json

    The toolkit requests a new certificate and creates two new files containing the keystore and truststore:

    /home/knox/knox-nifi-keystore.jks
    /home/knox/knox-nifi-truststore.jks

  5. Import the Knox certificate for NiFi into Knox's gateway.jks file:

    keytool -importkeystore -srckeystore /home/knox/knox-nifi-keystore.jks -destkeystore /usr/hdp/current/knox-server/data/security/keystores/gateway.jks -deststoretype JKS -srcstorepass $KEY_STORE_PASSWORD -deststorepass $KNOX_MASTER_PASSWORD

    The gateway.jks file should now contain a PrivateKeyEntry for NiFi.

  6. Import NiFi CA's truststore into Knox's gateway.jks file:

    keytool -importkeystore -srckeystore /home/knox/knox-nifi-truststore.jks -destkeystore /usr/hdp/current/knox-server/data/security/keystores/gateway.jks -deststoretype JKS -srcstorepass $TRUSTSTORE_PASSWORD -deststorepass $KNOX_MASTER_PASSWORD

    The gateway.jks file should now contain a trustedCertEntry for NiFi.

    Knox uses the gateway.jks to look up certificates in the truststore that it can trust.

  7. If you have not already done so, verify the proper keys are in the gateway.jks file:

    keytool -keystore /usr/hdp/current/knox-server/data/security/keystores/gateway.jks -storepass $KNOX_MASTER_PASSWORD -list -v
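
    The following script is an added example, not part of the original page or of the Knox or NiFi projects. It wraps two of the checks above in shell functions that run offline: the step 3 check that no $VARIABLE placeholder survived in config.json (and that port is an unquoted integer, as the template shows it), and the step 7 check that gateway.jks now holds both the PrivateKeyEntry issued by the NiFi CA (step 5) and the trustedCertEntry for that CA (step 6). The config.json contents and the keytool listing embedded below are constructed sample data; GATEWAY_JKS and KNOX_MASTER_PASSWORD are assumed names for the real run.

```shell
#!/bin/sh
# Added example (not from the original page or the Knox/NiFi projects):
# offline checks for step 3 (config.json has no unreplaced placeholders)
# and step 7 (gateway.jks holds the entries Knox needs to proxy NiFi).
# All sample data is constructed; GATEWAY_JKS and KNOX_MASTER_PASSWORD are
# assumed names used only when the script is run against a real keystore.
GATEWAY_JKS=/usr/hdp/current/knox-server/data/security/keystores/gateway.jks

# Step 3: fail if any "$UPPER_CASE" placeholder survived in the file
# (printing the offending lines) or if "port" is not a bare integer.
check_config_placeholders() {
    cfg="$1"
    if grep -n '\$[A-Z_][A-Z0-9_]*' "$cfg" >&2; then
        echo "$cfg: the placeholders above were never replaced" >&2
        return 1
    fi
    if ! grep -Eq '"port"[[:space:]]*:[[:space:]]*[0-9]+' "$cfg"; then
        echo "$cfg: \"port\" must be an unquoted integer" >&2
        return 1
    fi
    return 0
}

# Step 7: given the text of `keytool -list -v`, succeed only if the keystore
# has a PrivateKeyEntry whose leaf certificate is CN=<knox_host> issued by
# CN=<ca_host> (step 5) and a trustedCertEntry for CN=<ca_host> (step 6).
# Only the first Owner/Issuer pair after each "Entry type:" line is read,
# i.e. the leaf certificate, not the rest of the chain.
check_gateway_entries() {
    printf '%s\n' "$1" | awk -v host="$2" -v ca="$3" '
        # true if the DN on this line contains CN=cn as one complete RDN
        function has_cn(line, cn,   key) {
            key = "CN=" cn
            return index(line, key ",") > 0 ||
                   substr(line, length(line) - length(key) + 1) == key
        }
        /^Entry type:/      { type = $3; want = 1 }
        /^Owner:/  && want  { owner = $0 }
        /^Issuer:/ && want {
            if (type == "PrivateKeyEntry" && has_cn(owner, host) && has_cn($0, ca)) pk = 1
            if (type == "trustedCertEntry" && has_cn(owner, ca)) tc = 1
            want = 0
        }
        END { exit (pk && tc) ? 0 : 1 }'
}

# Constructed sample config.json with every placeholder replaced.
SAMPLE_GOOD_CONFIG='{
  "dn" : "CN=knox.example.com, OU=KNOX",
  "keyStore" : "/home/knox/knox-nifi-keystore.jks",
  "keyStoreType" : "jks",
  "keyStorePassword" : "changeit-knox",
  "keyPassword" : "changeit-knox",
  "token" : "constructed-sample-token",
  "caHostname" : "nifi-ca.example.com",
  "port" : 10443,
  "trustStore" : "/home/knox/knox-nifi-truststore.jks",
  "trustStorePassword" : "changeit-knox",
  "trustStoreType" : "jks"
}'

# Constructed `keytool -list -v` output for a gateway.jks after steps 5-6.
# The default self-signed gateway-identity entry comes first, so the check
# must not stop at the first PrivateKeyEntry it sees.
SAMPLE_LISTING='Keystore type: JKS
Keystore provider: SUN

Alias name: gateway-identity
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=knox.example.com, OU=Test, O=Hadoop, L=Test, ST=Test, C=US
Issuer: CN=knox.example.com, OU=Test, O=Hadoop, L=Test, ST=Test, C=US

Alias name: nifi-key
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=knox.example.com, OU=KNOX
Issuer: CN=nifi-ca.example.com, OU=NIFI
Certificate[2]:
Owner: CN=nifi-ca.example.com, OU=NIFI
Issuer: CN=nifi-ca.example.com, OU=NIFI

Alias name: nifi-cert
Entry type: trustedCertEntry

Owner: CN=nifi-ca.example.com, OU=NIFI
Issuer: CN=nifi-ca.example.com, OU=NIFI'

# Usage: sh knox-nifi-check.sh /home/knox/config.json KNOX_HOST NIFI_CA_HOST
# With no arguments only the functions and sample data are defined.
if [ $# -eq 3 ]; then
    check_config_placeholders "$1" &&
    check_gateway_entries "$(keytool -keystore "$GATEWAY_JKS" \
        -storepass "$KNOX_MASTER_PASSWORD" -list -v)" "$2" "$3" &&
    echo "config.json and gateway.jks look ready for NiFi"
fi
```

    The placeholder check deliberately matches only upper-case identifiers after a dollar sign, so a real password containing a dollar sign followed by lower-case text is not flagged; a password that looks like $NAME would need the pattern narrowed.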

  8. In the /usr/hdp/current/knox-server/data/services/nifi/1.4.0/service.xml file, make sure the dispatch element contains the following:

    <dispatch classname="org.apache.hadoop.gateway.dispatch.NiFiDispatch" use-two-way-ssl="true"/>

  9. In the Advanced topology section in Ambari, add the following service definition to the list of services.

    <service>
        <role>NIFI</role>
        <url>https://$NIFI_HOSTNAME:$NIFI_HTTPS_PORT/</url>
        <param name="useTwoWaySsl" value="true" />
    </service>

    Where:

    • <url> points to the host and port that NiFi is listening on, taken from the nifi-properties configuration site.

  10. If you want to use Knox SSO authentication, perform the following steps:

    1. In Ambari, replace the ShiroProvider with the KnoxSSO provider in the nifi.security.knox.url property.

      The following information should be in the nifi.security.knox.url property:

      <provider>
          <role>federation</role>
          <name>SSOCookieProvider</name>
          <enabled>true</enabled>
          <param>
              <name>sso.authentication.provider.url</name>
              <value>https://host:port/gateway/idp/api/v1/websso</value>
          </param>
      </provider>

      where the values of the parameters are specific to your environment:

      • <name>sso.authentication.provider.url</name><value>https://host:port/gateway/idp/api/v1/websso</value>

        (Required) Indicates the location of the KnoxSSO endpoint and where to redirect the user agent when no SSO cookie is found in the incoming request.

    2. If you want to access NiFi directly rather than through Knox, complete the following steps:

      This step is not necessary if you plan to access NiFi through Knox and not use Knox's SSO.

      1. Export the Knox SSO certificate using the following command:

         $KNOX_INSTALL_DIR/bin/knoxcli.sh export-cert

      2. Set the following properties in the Advanced NiFi section in Ambari:

        nifi.security.user.knox.url=https://localhost:8443/gateway/knoxsso/api/v1/websso
        nifi.security.user.knox.publicKey=<path-to>/gateway-identity.pem
        nifi.security.user.knox.cookieName=hadoop-jwt
        nifi.security.user.knox.audiences=

        These properties assume that Knox is running locally on port 8443 and NiFi is secured and running on another port.

        The cookieName property must align with what is configured in Knox. The audiences property is used to only accept tokens from a particular audience. The audiences value is configured as part of Knox SSO [1].

  11. Save the configuration and restart Knox.