Zookeeper Apache Nifi安全集群:找不到节点CN=< hostname>,OU=NIFI以植入策略

qf9go6mv  于 2022-12-09  发布在  Apache
关注(0)|答案(2)|浏览(187)

I am trying to set up a 2 node cluster which is secure. However, when starting Nifi, I get the following issue:

org.apache.nifi.authorization.exception.AuthorizerCreationException: Unable to locate node CN=<hostname_2>, OU=NIFI to seed policies.

=> Where hostname_2 is my second node.
The issue seems to be in authorizers, this is the code for that:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<authorizers>
    <userGroupProvider>
        <identifier>file-user-group-provider</identifier>
        <class>org.apache.nifi.authorization.FileUserGroupProvider</class>
        <property name="Users File">./conf/users.xml</property>
        <property name="Legacy Authorized Users File"></property>

        <property name="Initial User Identity 1">CN=nifi_admin, OU=nifi</property>
        <property name="Initial User Identity 2">CN=<hostname_1>, OU=nifi</property>
        <property name="Initial User Identity 3">CN=<hostname_2>, OU=nifi</property>
    </userGroupProvider>

    <userGroupProvider>
        <identifier>ldap-user-group-provider</identifier>
        <class>org.apache.nifi.ldap.tenants.LdapUserGroupProvider</class>
        <property name="Authentication Strategy">SIMPLE</property>

        <property name="Manager DN">CN=srv-p-1004,OU=Users Sys,OU=prod,DC=prod,DC=company,DC=be</property>
        <property name="Manager Password">******</property>

        <property name="TLS - Keystore"></property>
        <property name="TLS - Keystore Password"></property>
        <property name="TLS - Keystore Type"></property>
        <property name="TLS - Truststore"></property>
        <property name="TLS - Truststore Password"></property>
        <property name="TLS - Truststore Type"></property>
        <property name="TLS - Client Auth"></property>
        <property name="TLS - Protocol"></property>
        <property name="TLS - Shutdown Gracefully"></property>

        <property name="Referral Strategy">FOLLOW</property>
        <property name="Connect Timeout">10 secs</property>
        <property name="Read Timeout">10 secs</property>

        <property name="Url">ldap://ad1.prod.company.be:389</property>
        <property name="Page Size"></property>
        <property name="Sync Interval">1 mins</property>

        <property name="User Search Base">OU=PROD, DC=prod, DC=company, DC=be</property>
        <property name="User Object Class">person</property>
        <property name="User Search Scope">SUBTREE</property>
        <property name="User Search Filter">(memberof=CN=(A) Nifi - Admin, OU=Groups TIM Application Entitlements, OU=PROD, DC=prod, DC=company, DC=be)</property>
        <property name="User Identity Attribute">CN</property>
        <property name="User Group Name Attribute"></property>
        <property name="User Group Name Attribute - Referenced Group Attribute"></property>

        <property name="Group Search Base">OU=Groups TIM Application Entitlements, OU=PROD, DC=prod, DC=company, DC=be</property>
        <property name="Group Object Class">group</property>
        <property name="Group Search Scope">ONE_LEVEL</property>
        <property name="Group Search Filter">(|(CN=*Nifi*)(CN=*Kafka*))</property>
        <property name="Group Name Attribute">CN</property>
        <property name="Group Member Attribute">member</property>
        <property name="Group Member Attribute - Referenced User Attribute"></property>
    </userGroupProvider>

    <userGroupProvider>
        <identifier>composite-configurable-user-group-provider</identifier>
        <class>org.apache.nifi.authorization.CompositeConfigurableUserGroupProvider</class>
        <property name="Configurable User Group Provider">file-user-group-provider</property>
        <property name="User Group Provider 1">ldap-user-group-provider</property>
    </userGroupProvider>

    <accessPolicyProvider>
        <identifier>file-access-policy-provider</identifier>
        <class>org.apache.nifi.authorization.FileAccessPolicyProvider</class>
        <property name="User Group Provider">composite-configurable-user-group-provider</property>
        <property name="Authorizations File">./conf/authorizations.xml</property>
        <property name="Initial Admin Identity">CN=nifi_admin, OU=nifi</property>
        <property name="Legacy Authorized Users File"></property>
        <property name="Node Identity 1">CN=hostname_1, OU=NIFI</property>
        <property name="Node Identity 1">CN=hostname_2, OU=NIFI</property>
        <property name="Node Group"></property>
    </accessPolicyProvider>

    <authorizer>
        <identifier>managed-authorizer</identifier>
        <class>org.apache.nifi.authorization.StandardManagedAuthorizer</class>
        <property name="Access Policy Provider">file-access-policy-provider</property>
    </authorizer>

</authorizers>

Note: I changed the company name and hostnames for privacy reasons.
For the secure part, I used the tls-toolkit.
Can anyone assist me, as I seem to have checked all the boxes that should make it work.
Thanks in advance. K

apache-zookeeper

2条答案

按热度按时间
pgvzfuti

pgvzfuti1#

在策略提供方中指定节点标识时使用了“OU=NIFI”,指定初始用户标识时使用了“OU=nifi”。它区分大小写和空格,因此需要完全匹配。

赞(0)分享  回复(0)举报  2022-12-09
j0pj023g

j0pj023g2#

错误代码:找不到初始管理员some.ldapuser以植入策略。
如果我们没有在conf/authorizers.xml中指定“初始用户标识1”的值,也会导致此错误,如下所示:

<userGroupProvider>
        <identifier>file-user-group-provider</identifier>
        <class>org.apache.nifi.authorization.FileUserGroupProvider</class>
        <property name="Users File">./conf/users.xml</property>
        <property name="Legacy Authorized Users File"></property>
        <property name="Initial User Identity 1">some.ldapuser</property>
 </userGroupProvider>
赞(0)分享  回复(0)举报  2022-12-09
我来回答

相关问题

    查看更多

    热门标签

    更多
    JavaquerypythonNode开发语言requestUtil数据库Table后端算法LoggerMessageElementParser

    最新问答

    更多
    • 蜀ICP备2022004421号-2 NULL123 https://www.null123.com © All rights reserved
    • 本站内容来源互联网,如果侵犯您的权益请联系我们删除, 联系方式:448109455@qq.com