Apache NiFi secured cluster: Unable to locate node CN=<hostname>, OU=NIFI to seed policies
I am trying to set up a secured 2-node cluster.
However, when starting NiFi, the following problem occurs:
org.apache.nifi.authorization.exception.AuthorizerCreationException: Unable to locate node CN=<hostname_2>, OU=NIFI to seed policies.
=> where hostname_2 is my second node.
The problem seems to be in the authorizer; here is the relevant code:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<authorizers>
    <userGroupProvider>
        <identifier>file-user-group-provider</identifier>
        <class>org.apache.nifi.authorization.FileUserGroupProvider</class>
        <property name="Users File">./conf/users.xml</property>
        <property name="Legacy Authorized Users File"></property>
        <property name="Initial User Identity 1">CN=nifi_admin, OU=nifi</property>
        <property name="Initial User Identity 2">CN=<hostname_1>, OU=nifi</property>
        <property name="Initial User Identity 3">CN=<hostname_2>, OU=nifi</property>
    </userGroupProvider>
    <userGroupProvider>
        <identifier>ldap-user-group-provider</identifier>
        <class>org.apache.nifi.ldap.tenants.LdapUserGroupProvider</class>
        <property name="Authentication Strategy">SIMPLE</property>
        <property name="Manager DN">CN=srv-p-1004,OU=Users Sys,OU=prod,DC=prod,DC=company,DC=be</property>
        <property name="Manager Password">******</property>
        <property name="TLS - Keystore"></property>
        <property name="TLS - Keystore Password"></property>
        <property name="TLS - Keystore Type"></property>
        <property name="TLS - Truststore"></property>
        <property name="TLS - Truststore Password"></property>
        <property name="TLS - Truststore Type"></property>
        <property name="TLS - Client Auth"></property>
        <property name="TLS - Protocol"></property>
        <property name="TLS - Shutdown Gracefully"></property>
        <property name="Referral Strategy">FOLLOW</property>
        <property name="Connect Timeout">10 secs</property>
        <property name="Read Timeout">10 secs</property>
        <property name="Url">ldap://ad1.prod.company.be:389</property>
        <property name="Page Size"></property>
        <property name="Sync Interval">1 mins</property>
        <property name="User Search Base">OU=PROD, DC=prod, DC=company, DC=be</property>
        <property name="User Object Class">person</property>
        <property name="User Search Scope">SUBTREE</property>
        <property name="User Search Filter">(memberof=CN=(A) Nifi - Admin, OU=Groups TIM Application Entitlements, OU=PROD, DC=prod, DC=company, DC=be)</property>
        <property name="User Identity Attribute">CN</property>
        <property name="User Group Name Attribute"></property>
        <property name="User Group Name Attribute - Referenced Group Attribute"></property>
        <property name="Group Search Base">OU=Groups TIM Application Entitlements, OU=PROD, DC=prod, DC=company, DC=be</property>
        <property name="Group Object Class">group</property>
        <property name="Group Search Scope">ONE_LEVEL</property>
        <property name="Group Search Filter">(|(CN=*Nifi*)(CN=*Kafka*))</property>
        <property name="Group Name Attribute">CN</property>
        <property name="Group Member Attribute">member</property>
        <property name="Group Member Attribute - Referenced User Attribute"></property>
    </userGroupProvider>
    <userGroupProvider>
        <identifier>composite-configurable-user-group-provider</identifier>
        <class>org.apache.nifi.authorization.CompositeConfigurableUserGroupProvider</class>
        <property name="Configurable User Group Provider">file-user-group-provider</property>
        <property name="User Group Provider 1">ldap-user-group-provider</property>
    </userGroupProvider>
    <accessPolicyProvider>
        <identifier>file-access-policy-provider</identifier>
        <class>org.apache.nifi.authorization.FileAccessPolicyProvider</class>
        <property name="User Group Provider">composite-configurable-user-group-provider</property>
        <property name="Authorizations File">./conf/authorizations.xml</property>
        <property name="Initial Admin Identity">CN=nifi_admin, OU=nifi</property>
        <property name="Legacy Authorized Users File"></property>
        <property name="Node Identity 1">CN=hostname_1, OU=NIFI</property>
        <property name="Node Identity 1">CN=hostname_2, OU=NIFI</property>
        <property name="Node Group"></property>
    </accessPolicyProvider>
    <authorizer>
        <identifier>managed-authorizer</identifier>
        <class>org.apache.nifi.authorization.StandardManagedAuthorizer</class>
        <property name="Access Policy Provider">file-access-policy-provider</property>
    </authorizer>
</authorizers>
Note: for privacy reasons, I changed the company name and the hostnames.
For the security part, I used the tls-toolkit.
Can anyone help me? I seem to have ticked all the boxes that should make it work.
Thanks in advance.
K
When you specify the node identities in the policy provider you are using, you use "OU=NIFI", and when you specify the initial user identities, you use "OU=nifi". It is case and whitespace sensitive, so it needs to match exactly.
Error: org.apache.nifi.authorization.exception.AuthorizerCreationException: Unable to locate initial admin some.ldapuser to seed policies.
This error is also caused if we do not specify a value for "Initial User Identity 1" in conf/authorizers.xml, as shown below:
<userGroupProvider>
    <identifier>file-user-group-provider</identifier>
    <class>org.apache.nifi.authorization.FileUserGroupProvider</class>
    <property name="Users File">./conf/users.xml</property>
    <property name="Legacy Authorized Users File"></property>
    <property name="Initial User Identity 1">some.ldapuser</property>
</userGroupProvider>
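Both answers come down to the same rule: every "Node Identity N" and the "Initial Admin Identity" in the access policy provider must exist, as an exact string, among the identities the user group provider knows at first start, and an empty "Initial User Identity N" creates nobody. The following added example (written for this page, not code from the question, the answers, or the NiFi project) is a small lint that parses an authorizers.xml and reports exactly those mismatches before NiFi is started. It assumes the identities are seeded by the file-based providers, as on this page; users that would come from the LDAP provider are not checked. The configuration string, the hostnames, and the function names are constructed for the example.

```python
"""Lint a NiFi authorizers.xml for the identity mismatches discussed above.

Added example, not NiFi project code. Assumption: identities are seeded by
FileUserGroupProvider / FileAccessPolicyProvider; LDAP-sourced users are not
considered, so a miss reported here may still be satisfied by LDAP.
"""
import re
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample: same shape as the question's config, reproducing the
# OU case mismatch and the duplicated "Node Identity 1" property name.
SAMPLE_AUTHORIZERS_XML = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<authorizers>
  <userGroupProvider>
    <identifier>file-user-group-provider</identifier>
    <class>org.apache.nifi.authorization.FileUserGroupProvider</class>
    <property name="Users File">./conf/users.xml</property>
    <property name="Initial User Identity 1">CN=nifi_admin, OU=nifi</property>
    <property name="Initial User Identity 2">CN=nifi-node-1.example.test, OU=nifi</property>
    <property name="Initial User Identity 3">CN=nifi-node-2.example.test, OU=nifi</property>
  </userGroupProvider>
  <accessPolicyProvider>
    <identifier>file-access-policy-provider</identifier>
    <class>org.apache.nifi.authorization.FileAccessPolicyProvider</class>
    <property name="User Group Provider">file-user-group-provider</property>
    <property name="Initial Admin Identity">CN=nifi_admin, OU=nifi</property>
    <property name="Node Identity 1">CN=nifi-node-1.example.test, OU=NIFI</property>
    <property name="Node Identity 1">CN=nifi-node-2.example.test, OU=NIFI</property>
  </accessPolicyProvider>
</authorizers>
"""


def _properties(element):
    """Return (name, value) pairs of the <property> children, in document order."""
    return [(p.get("name", ""), (p.text or "")) for p in element.findall("property")]


def _normalize(identity):
    """Loose form used only to point out a likely near-miss; NiFi itself compares exactly."""
    return re.sub(r"\s+", "", identity).lower()


def _check_duplicates(provider_id, props, findings):
    """A property name may only carry one value; a repeated name silently loses an entry."""
    for name, count in Counter(name for name, _ in props).items():
        if count > 1:
            findings.append(f"{provider_id}: property '{name}' appears {count} times; "
                            "only one value can be kept, so an identity is silently dropped")


def lint_authorizers(xml_text):
    """Return a list of human-readable findings; an empty list means nothing was flagged."""
    root = ET.fromstring(xml_text)
    findings = []

    # Identities the file user group provider will create on first start.
    known = set()
    for ugp in root.findall("userGroupProvider"):
        if not (ugp.findtext("class") or "").endswith("FileUserGroupProvider"):
            continue
        props = _properties(ugp)
        _check_duplicates(ugp.findtext("identifier"), props, findings)
        for name, value in props:
            if name.startswith("Initial User Identity"):
                if value.strip() == "":
                    findings.append(f"{name} is empty; no user will be created for it")
                else:
                    known.add(value)

    # Every admin / node identity must match one of those strings exactly
    # (case and whitespace included), or seeding the policies fails at startup.
    for app in root.findall("accessPolicyProvider"):
        props = _properties(app)
        _check_duplicates(app.findtext("identifier"), props, findings)
        for name, value in props:
            if name != "Initial Admin Identity" and not name.startswith("Node Identity"):
                continue
            if value.strip() == "" or value in known:
                continue  # blank slots are ignored; exact matches are fine
            msg = f"{name} '{value}' has no exact match among the initial user identities"
            near = [k for k in known if _normalize(k) == _normalize(value)]
            if near:
                msg += f" (case/whitespace near-miss: '{near[0]}')"
            findings.append(msg)
    return findings


if __name__ == "__main__":
    for finding in lint_authorizers(SAMPLE_AUTHORIZERS_XML):
        print("-", finding)
```

Run against the sample it flags the duplicated "Node Identity 1" name and the two node identities whose only difference from the seeded users is the OU case; with "OU=NIFI" changed to "OU=nifi" and the second node renamed to "Node Identity 2", it reports nothing. Note that the question's placeholders such as `<hostname_1>` are not valid XML text, so a real file must contain the actual hostnames before a parser will read it.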