Added: nifi/site/trunk/docs/nifi-docs/html/administration-guide.html URL: http://svn.apache.org/viewvc/nifi/site/trunk/docs/nifi-docs/html/administration-guide.html?rev=1794596&view=auto ============================================================================== --- nifi/site/trunk/docs/nifi-docs/html/administration-guide.html (added) +++ nifi/site/trunk/docs/nifi-docs/html/administration-guide.html Tue May 9 15:27:39 2017 @@ -0,0 +1,5747 @@ +<!DOCTYPE html> +<html lang="en"> +<head> +<meta charset="UTF-8"> +<!--[if IE]><meta http-equiv="X-UA-Compatible" content="IE=edge"><![endif]--> +<meta name="viewport" content="width=device-width, initial-scale=1.0"> +<meta name="generator" content="Asciidoctor 1.5.2"> +<meta name="author" content="Apache NiFi Team"> +<title>NiFi System Administrator’s Guide</title> +<style> +/* Asciidoctor default stylesheet | MIT License | http://asciidoctor.org */ +/* Copyright (C) 2012-2015 Dan Allen, Ryan Waldron and the Asciidoctor Project + +Permission is hereby granted, free of charge, to any person obtaining a copy +of this software and associated documentation files (the "Software"), to deal +in the Software without restriction, including without limitation the rights +to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +copies of the Software, and to permit persons to whom the Software is +furnished to do so, subject to the following conditions: + +The above copyright notice and this permission notice shall be included in +all copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN +THE SOFTWARE. */ +/* Remove the comments around the @import statement below when using this as a custom stylesheet */ +@import "https://fonts.googleapis.com/css?family=Open+Sans:300,300italic,400,400italic,600,600italic%7CNoto+Serif:400,400italic,700,700italic%7CDroid+Sans+Mono:400";; +article,aside,details,figcaption,figure,footer,header,hgroup,main,nav,section,summary{display:block} +audio,canvas,video{display:inline-block} +audio:not([controls]){display:none;height:0} +[hidden],template{display:none} +script{display:none!important} +html{font-family:sans-serif;-ms-text-size-adjust:100%;-webkit-text-size-adjust:100%} +body{margin:0} +a{background:transparent} +a:focus{outline:thin dotted} +a:active,a:hover{outline:0} +h1{font-size:2em;margin:.67em 0} +abbr[title]{border-bottom:1px dotted} +b,strong{font-weight:bold} +dfn{font-style:italic} +hr{-moz-box-sizing:content-box;box-sizing:content-box;height:0} +mark{background:#ff0;color:#000} +code,kbd,pre,samp{font-family:monospace;font-size:1em} +pre{white-space:pre-wrap} +q{quotes:"\201C" "\201D" "\2018" "\2019"} +small{font-size:80%} +sub,sup{font-size:75%;line-height:0;position:relative;vertical-align:baseline} +sup{top:-.5em} +sub{bottom:-.25em} +img{border:0} +svg:not(:root){overflow:hidden} +figure{margin:0} +fieldset{border:1px solid silver;margin:0 2px;padding:.35em .625em .75em} +legend{border:0;padding:0} +button,input,select,textarea{font-family:inherit;font-size:100%;margin:0} +button,input{line-height:normal} +button,select{text-transform:none} +button,html input[type="button"],input[type="reset"],input[type="submit"]{-webkit-appearance:button;cursor:pointer} +button[disabled],html input[disabled]{cursor:default} +input[type="checkbox"],input[type="radio"]{box-sizing:border-box;padding:0} +input[type="search"]{-webkit-appearance:textfield;-moz-box-sizing:content-box;-webkit-box-sizing:content-box;box-sizing:content-box} +input[type="search"]::-webkit-search-cancel-button,input[type="search"]::-webkit-search-decoration{-webkit-appearance:none} +button::-moz-focus-inner,input::-moz-focus-inner{border:0;padding:0} +textarea{overflow:auto;vertical-align:top} +table{border-collapse:collapse;border-spacing:0} +*,*:before,*:after{-moz-box-sizing:border-box;-webkit-box-sizing:border-box;box-sizing:border-box} +html,body{font-size:100%} +body{background:#fff;color:rgba(0,0,0,.8);padding:0;margin:0;font-family:"Noto Serif","DejaVu Serif",serif;font-weight:400;font-style:normal;line-height:1;position:relative;cursor:auto} +a:hover{cursor:pointer} +img,object,embed{max-width:100%;height:auto} +object,embed{height:100%} +img{-ms-interpolation-mode:bicubic} +#map_canvas img,#map_canvas embed,#map_canvas object,.map_canvas img,.map_canvas embed,.map_canvas object{max-width:none!important} +.left{float:left!important} +.right{float:right!important} +.text-left{text-align:left!important} +.text-right{text-align:right!important} +.text-center{text-align:center!important} +.text-justify{text-align:justify!important} +.hide{display:none} +.antialiased,body{-webkit-font-smoothing:antialiased} +img{display:inline-block;vertical-align:middle} +textarea{height:auto;min-height:50px} +select{width:100%} +p.lead,.paragraph.lead>p,#preamble>.sectionbody>.paragraph:first-of-type p{font-size:1.21875em;line-height:1.6} +.subheader,.admonitionblock td.content>.title,.audioblock>.title,.exampleblock>.title,.imageblock>.title,.listingblock>.title,.literalblock>.title,.stemblock>.title,.openblock>.title,.paragraph>.title,.quoteblock>.title,table.tableblock>.title,.verseblock>.title,.videoblock>.title,.dlist>.title,.olist>.title,.ulist>.title,.qlist>.title,.hdlist>.title{line-height:1.45;color:#7a2518;font-weight:400;margin-top:0;margin-bottom:.25em} +div,dl,dt,dd,ul,ol,li,h1,h2,h3,#toctitle,.sidebarblock>.content>.title,h4,h5,h6,pre,form,p,blockquote,th,td{margin:0;padding:0;direction:ltr} +a{color:#2156a5;text-decoration:underline;line-height:inherit} +a:hover,a:focus{color:#1d4b8f} +a img{border:none} +p{font-family:inherit;font-weight:400;font-size:1em;line-height:1.6;margin-bottom:1.25em;text-rendering:optimizeLegibility} +p aside{font-size:.875em;line-height:1.35;font-style:italic} +h1,h2,h3,#toctitle,.sidebarblock>.content>.title,h4,h5,h6{font-family:"Open Sans","DejaVu Sans",sans-serif;font-weight:300;font-style:normal;color:#ba3925;text-rendering:optimizeLegibility;margin-top:1em;margin-bottom:.5em;line-height:1.0125em} +h1 small,h2 small,h3 small,#toctitle small,.sidebarblock>.content>.title small,h4 small,h5 small,h6 small{font-size:60%;color:#e99b8f;line-height:0} +h1{font-size:2.125em} +h2{font-size:1.6875em} +h3,#toctitle,.sidebarblock>.content>.title{font-size:1.375em} +h4,h5{font-size:1.125em} +h6{font-size:1em} +hr{border:solid #ddddd8;border-width:1px 0 0;clear:both;margin:1.25em 0 1.1875em;height:0} +em,i{font-style:italic;line-height:inherit} +strong,b{font-weight:bold;line-height:inherit} +small{font-size:60%;line-height:inherit} +code{font-family:"Droid Sans Mono","DejaVu Sans Mono",monospace;font-weight:400;color:rgba(0,0,0,.9);padding-right: 1px;} +ul,ol,dl{font-size:1em;line-height:1.6;margin-bottom:1.25em;list-style-position:outside;font-family:inherit} +ul,ol,ul.no-bullet,ol.no-bullet{margin-left:1.5em} +ul li ul,ul li ol{margin-left:1.25em;margin-bottom:0;font-size:1em} +ul.square li ul,ul.circle li ul,ul.disc li ul{list-style:inherit} +ul.square{list-style-type:square} +ul.circle{list-style-type:circle} +ul.disc{list-style-type:disc} +ul.no-bullet{list-style:none} +ol li ul,ol li ol{margin-left:1.25em;margin-bottom:0} +dl dt{margin-bottom:.3125em;font-weight:bold} +dl dd{margin-bottom:1.25em} +abbr,acronym{text-transform:uppercase;font-size:90%;color:rgba(0,0,0,.8);border-bottom:1px dotted #ddd;cursor:help} +abbr{text-transform:none} +blockquote{margin:0 0 1.25em;padding:.5625em 1.25em 0 1.1875em;border-left:1px solid #ddd} +blockquote cite{display:block;font-size:.9375em;color:rgba(0,0,0,.6)} +blockquote cite:before{content:"\2014 \0020"} +blockquote cite a,blockquote cite a:visited{color:rgba(0,0,0,.6)} +blockquote,blockquote p{line-height:1.6;color:rgba(0,0,0,.85)} +@media only screen and (min-width:768px){h1,h2,h3,#toctitle,.sidebarblock>.content>.title,h4,h5,h6{line-height:1.2} +h1{font-size:2.75em} +h2{font-size:2.3125em} +h3,#toctitle,.sidebarblock>.content>.title{font-size:1.6875em} +h4{font-size:1.4375em}}table{background:#fff;margin-bottom:1.25em;border:solid 1px #dedede} +table thead,table tfoot{background:#f7f8f7;font-weight:bold} +table thead tr th,table thead tr td,table tfoot tr th,table tfoot tr td{padding:.5em .625em .625em;font-size:inherit;color:rgba(0,0,0,.8);text-align:left} +table tr th,table tr td{padding:.5625em .625em;font-size:inherit;color:rgba(0,0,0,.8)} +table tr.even,table tr.alt,table tr:nth-of-type(even){background:#f8f8f7} +table thead tr th,table tfoot tr th,table tbody tr td,table tr td,table tfoot tr td{display:table-cell;line-height:1.6} +h1,h2,h3,#toctitle,.sidebarblock>.content>.title,h4,h5,h6{line-height:1.2;word-spacing:-.05em} +h1 strong,h2 strong,h3 strong,#toctitle strong,.sidebarblock>.content>.title strong,h4 strong,h5 strong,h6 strong{font-weight:400} +.clearfix:before,.clearfix:after,.float-group:before,.float-group:after{content:" ";display:table} +.clearfix:after,.float-group:after{clear:both} +*:not(pre)>code{font-size:.9375em;font-style:normal!important;letter-spacing:0;word-spacing:-.15em;background-color:#f7f7f8;-webkit-border-radius:4px;border-radius:4px;line-height:1.45;text-rendering:optimizeSpeed} +pre,pre>code{line-height:1.45;color:rgba(0,0,0,.9);font-family:"Droid Sans Mono","DejaVu Sans Mono",monospace;font-weight:400;text-rendering:optimizeSpeed} +.keyseq{color:rgba(51,51,51,.8)} +kbd{display:inline-block;color:rgba(0,0,0,.8);font-size:.75em;line-height:1.4;background-color:#f7f7f7;border:1px solid #ccc;-webkit-border-radius:3px;border-radius:3px;-webkit-box-shadow:0 1px 0 rgba(0,0,0,.2),0 0 0 .1em white inset;box-shadow:0 1px 0 rgba(0,0,0,.2),0 0 0 .1em #fff inset;margin:-.15em .15em 0 .15em;padding:.2em .6em .2em .5em;vertical-align:middle;white-space:nowrap} +.keyseq kbd:first-child{margin-left:0} +.keyseq kbd:last-child{margin-right:0} +.menuseq,.menu{color:rgba(0,0,0,.8)} +b.button:before,b.button:after{position:relative;top:-1px;font-weight:400} +b.button:before{content:"[";padding:0 3px 0 2px} +b.button:after{content:"]";padding:0 2px 0 3px} +p a>code:hover{color:rgba(0,0,0,.9)} +#header,#content,#footnotes,#footer{width:100%;margin-left:auto;margin-right:auto;margin-top:0;margin-bottom:0;max-width:62.5em;*zoom:1;position:relative;padding-left:.9375em;padding-right:.9375em} +#header:before,#header:after,#content:before,#content:after,#footnotes:before,#footnotes:after,#footer:before,#footer:after{content:" ";display:table} +#header:after,#content:after,#footnotes:after,#footer:after{clear:both} +#content{margin-top:1.25em} +#content:before{content:none} +#header>h1:first-child{color:rgba(0,0,0,.85);margin-top:2.25rem;margin-bottom:0} +#header>h1:first-child+#toc{margin-top:8px;border-top:1px solid #ddddd8} +#header>h1:only-child,body.toc2 #header>h1:nth-last-child(2){border-bottom:1px solid #ddddd8;padding-bottom:8px} +#header .details{border-bottom:1px solid #ddddd8;line-height:1.45;padding-top:.25em;padding-bottom:.25em;padding-left:.25em;color:rgba(0,0,0,.6);display:-ms-flexbox;display:-webkit-flex;display:flex;-ms-flex-flow:row wrap;-webkit-flex-flow:row wrap;flex-flow:row wrap} +#header .details span:first-child{margin-left:-.125em} +#header .details span.email a{color:rgba(0,0,0,.85)} +#header .details br{display:none} +#header .details br+span:before{content:"\00a0\2013\00a0"} +#header .details br+span.author:before{content:"\00a0\22c5\00a0";color:rgba(0,0,0,.85)} +#header .details br+span#revremark:before{content:"\00a0|\00a0"} +#header #revnumber{text-transform:capitalize} +#header #revnumber:after{content:"\00a0"} +#content>h1:first-child:not([class]){color:rgba(0,0,0,.85);border-bottom:1px solid #ddddd8;padding-bottom:8px;margin-top:0;padding-top:1rem;margin-bottom:1.25rem} +#toc{border-bottom:1px solid #efefed;padding-bottom:.5em} +#toc>ul{margin-left:.125em} +#toc ul.sectlevel0>li>a{font-style:italic} +#toc ul.sectlevel0 ul.sectlevel1{margin:.5em 0} +#toc ul{font-family:"Open Sans","DejaVu Sans",sans-serif;list-style-type:none} +#toc a{text-decoration:none} +#toc a:active{text-decoration:underline} +#toctitle{color:#7a2518;font-size:1.2em} +@media only screen and (min-width:768px){#toctitle{font-size:1.375em} +body.toc2{padding-left:15em;padding-right:0} +#toc.toc2{margin-top:0!important;background-color:#f8f8f7;position:fixed;width:15em;left:0;top:0;border-right:1px solid #efefed;border-top-width:0!important;border-bottom-width:0!important;z-index:1000;padding:1.25em 1em;height:100%;overflow:auto} +#toc.toc2 #toctitle{margin-top:0;font-size:1.2em} +#toc.toc2>ul{font-size:.9em;margin-bottom:0} +#toc.toc2 ul ul{margin-left:0;padding-left:1em} +#toc.toc2 ul.sectlevel0 ul.sectlevel1{padding-left:0;margin-top:.5em;margin-bottom:.5em} +body.toc2.toc-right{padding-left:0;padding-right:15em} +body.toc2.toc-right #toc.toc2{border-right-width:0;border-left:1px solid #efefed;left:auto;right:0}}@media only screen and (min-width:1280px){body.toc2{padding-left:20em;padding-right:0} +#toc.toc2{width:20em} +#toc.toc2 #toctitle{font-size:1.375em} +#toc.toc2>ul{font-size:.95em} +#toc.toc2 ul ul{padding-left:1.25em} +body.toc2.toc-right{padding-left:0;padding-right:20em}}#content #toc{border-style:solid;border-width:1px;border-color:#e0e0dc;margin-bottom:1.25em;padding:1.25em;background:#f8f8f7;-webkit-border-radius:4px;border-radius:4px} +#content #toc>:first-child{margin-top:0} +#content #toc>:last-child{margin-bottom:0} +#footer{max-width:100%;background-color:rgba(0,0,0,.8);padding:1.25em} +#footer-text{color:rgba(255,255,255,.8);line-height:1.44} +.sect1{padding-bottom:.625em} +@media only screen and (min-width:768px){.sect1{padding-bottom:1.25em}}.sect1+.sect1{border-top:1px solid #efefed} +#content h1>a.anchor,h2>a.anchor,h3>a.anchor,#toctitle>a.anchor,.sidebarblock>.content>.title>a.anchor,h4>a.anchor,h5>a.anchor,h6>a.anchor{position:absolute;z-index:1001;width:1.5ex;margin-left:-1.5ex;display:block;text-decoration:none!important;visibility:hidden;text-align:center;font-weight:400} +#content h1>a.anchor:before,h2>a.anchor:before,h3>a.anchor:before,#toctitle>a.anchor:before,.sidebarblock>.content>.title>a.anchor:before,h4>a.anchor:before,h5>a.anchor:before,h6>a.anchor:before{content:"\00A7";font-size:.85em;display:block;padding-top:.1em} +#content h1:hover>a.anchor,#content h1>a.anchor:hover,h2:hover>a.anchor,h2>a.anchor:hover,h3:hover>a.anchor,#toctitle:hover>a.anchor,.sidebarblock>.content>.title:hover>a.anchor,h3>a.anchor:hover,#toctitle>a.anchor:hover,.sidebarblock>.content>.title>a.anchor:hover,h4:hover>a.anchor,h4>a.anchor:hover,h5:hover>a.anchor,h5>a.anchor:hover,h6:hover>a.anchor,h6>a.anchor:hover{visibility:visible} +#content h1>a.link,h2>a.link,h3>a.link,#toctitle>a.link,.sidebarblock>.content>.title>a.link,h4>a.link,h5>a.link,h6>a.link{color:#ba3925;text-decoration:none} +#content h1>a.link:hover,h2>a.link:hover,h3>a.link:hover,#toctitle>a.link:hover,.sidebarblock>.content>.title>a.link:hover,h4>a.link:hover,h5>a.link:hover,h6>a.link:hover{color:#a53221} +.audioblock,.imageblock,.literalblock,.listingblock,.stemblock,.videoblock{margin-bottom:1.25em} +.admonitionblock td.content>.title,.audioblock>.title,.exampleblock>.title,.imageblock>.title,.listingblock>.title,.literalblock>.title,.stemblock>.title,.openblock>.title,.paragraph>.title,.quoteblock>.title,table.tableblock>.title,.verseblock>.title,.videoblock>.title,.dlist>.title,.olist>.title,.ulist>.title,.qlist>.title,.hdlist>.title{text-rendering:optimizeLegibility;text-align:left;font-family:"Noto Serif","DejaVu Serif",serif;font-size:1rem;font-style:italic} +table.tableblock>caption.title{white-space:nowrap;overflow:visible;max-width:0} +.paragraph.lead>p,#preamble>.sectionbody>.paragraph:first-of-type p{color:rgba(0,0,0,.85)} +table.tableblock #preamble>.sectionbody>.paragraph:first-of-type p{font-size:inherit} +.admonitionblock>table{border-collapse:separate;border:0;background:none;width:100%} +.admonitionblock>table td.icon{text-align:center;width:80px} +.admonitionblock>table td.icon img{max-width:none} +.admonitionblock>table td.icon .title{font-weight:bold;font-family:"Open Sans","DejaVu Sans",sans-serif;text-transform:uppercase} +.admonitionblock>table td.content{padding-left:1.125em;padding-right:1.25em;border-left:1px solid #ddddd8;color:rgba(0,0,0,.6)} +.admonitionblock>table td.content>:last-child>:last-child{margin-bottom:0} +.exampleblock>.content{border-style:solid;border-width:1px;border-color:#e6e6e6;margin-bottom:1.25em;padding:1.25em;background:#fff;-webkit-border-radius:4px;border-radius:4px} +.exampleblock>.content>:first-child{margin-top:0} +.exampleblock>.content>:last-child{margin-bottom:0} +.sidebarblock{border-style:solid;border-width:1px;border-color:#e0e0dc;margin-bottom:1.25em;padding:1.25em;background:#f8f8f7;-webkit-border-radius:4px;border-radius:4px} +.sidebarblock>:first-child{margin-top:0} +.sidebarblock>:last-child{margin-bottom:0} +.sidebarblock>.content>.title{color:#7a2518;margin-top:0;text-align:center} +.exampleblock>.content>:last-child>:last-child,.exampleblock>.content .olist>ol>li:last-child>:last-child,.exampleblock>.content .ulist>ul>li:last-child>:last-child,.exampleblock>.content .qlist>ol>li:last-child>:last-child,.sidebarblock>.content>:last-child>:last-child,.sidebarblock>.content .olist>ol>li:last-child>:last-child,.sidebarblock>.content .ulist>ul>li:last-child>:last-child,.sidebarblock>.content .qlist>ol>li:last-child>:last-child{margin-bottom:0} +.literalblock pre,.listingblock pre:not(.highlight),.listingblock pre[class="highlight"],.listingblock pre[class^="highlight "],.listingblock pre.CodeRay,.listingblock pre.prettyprint{background:#f7f7f8} +.sidebarblock .literalblock pre,.sidebarblock .listingblock pre:not(.highlight),.sidebarblock .listingblock pre[class="highlight"],.sidebarblock .listingblock pre[class^="highlight "],.sidebarblock .listingblock pre.CodeRay,.sidebarblock .listingblock pre.prettyprint{background:#f2f1f1} +.literalblock pre,.literalblock pre[class],.listingblock pre,.listingblock pre[class]{-webkit-border-radius:4px;border-radius:4px;word-wrap:break-word;padding:1em;font-size:.8125em} +.literalblock pre.nowrap,.literalblock pre[class].nowrap,.listingblock pre.nowrap,.listingblock pre[class].nowrap{overflow-x:auto;white-space:pre;word-wrap:normal} +@media only screen and (min-width:768px){.literalblock pre,.literalblock pre[class],.listingblock pre,.listingblock pre[class]{font-size:.90625em}}@media only screen and (min-width:1280px){.literalblock pre,.literalblock pre[class],.listingblock pre,.listingblock pre[class]{font-size:1em}}.literalblock.output pre{color:#f7f7f8;background-color:rgba(0,0,0,.9)} +.listingblock pre.highlightjs{padding:0} +.listingblock pre.highlightjs>code{padding:1em;-webkit-border-radius:4px;border-radius:4px} +.listingblock pre.prettyprint{border-width:0} +.listingblock>.content{position:relative} +.listingblock code[data-lang]:before{display:none;content:attr(data-lang);position:absolute;font-size:.75em;top:.425rem;right:.5rem;line-height:1;text-transform:uppercase;color:#999} +.listingblock:hover code[data-lang]:before{display:block} +.listingblock.terminal pre .command:before{content:attr(data-prompt);padding-right:.5em;color:#999} +.listingblock.terminal pre .command:not([data-prompt]):before{content:"$"} +table.pyhltable{border-collapse:separate;border:0;margin-bottom:0;background:none} +table.pyhltable td{vertical-align:top;padding-top:0;padding-bottom:0} +table.pyhltable td.code{padding-left:.75em;padding-right:0} +pre.pygments .lineno,table.pyhltable td:not(.code){color:#999;padding-left:0;padding-right:.5em;border-right:1px solid #ddddd8} +pre.pygments .lineno{display:inline-block;margin-right:.25em} +table.pyhltable .linenodiv{background:none!important;padding-right:0!important} +.quoteblock{margin:0 1em 1.25em 1.5em;display:table} +.quoteblock>.title{margin-left:-1.5em;margin-bottom:.75em} +.quoteblock blockquote,.quoteblock blockquote p{color:rgba(0,0,0,.85);font-size:1.15rem;line-height:1.75;word-spacing:.1em;letter-spacing:0;font-style:italic;text-align:justify} +.quoteblock blockquote{margin:0;padding:0;border:0} +.quoteblock blockquote:before{content:"\201c";float:left;font-size:2.75em;font-weight:bold;line-height:.6em;margin-left:-.6em;color:#7a2518;text-shadow:0 1px 2px rgba(0,0,0,.1)} +.quoteblock blockquote>.paragraph:last-child p{margin-bottom:0} +.quoteblock .attribution{margin-top:.5em;margin-right:.5ex;text-align:right} +.quoteblock .quoteblock{margin-left:0;margin-right:0;padding:.5em 0;border-left:3px solid rgba(0,0,0,.6)} +.quoteblock .quoteblock blockquote{padding:0 0 0 .75em} +.quoteblock .quoteblock blockquote:before{display:none} +.verseblock{margin:0 1em 1.25em 1em} +.verseblock pre{font-family:"Open Sans","DejaVu Sans",sans;font-size:1.15rem;color:rgba(0,0,0,.85);font-weight:300;text-rendering:optimizeLegibility} +.verseblock pre strong{font-weight:400} +.verseblock .attribution{margin-top:1.25rem;margin-left:.5ex} +.quoteblock .attribution,.verseblock .attribution{font-size:.9375em;line-height:1.45;font-style:italic} +.quoteblock .attribution br,.verseblock .attribution br{display:none} +.quoteblock .attribution cite,.verseblock .attribution cite{display:block;letter-spacing:-.05em;color:rgba(0,0,0,.6)} +.quoteblock.abstract{margin:0 0 1.25em 0;display:block} +.quoteblock.abstract blockquote,.quoteblock.abstract blockquote p{text-align:left;word-spacing:0} +.quoteblock.abstract blockquote:before,.quoteblock.abstract blockquote p:first-of-type:before{display:none} +table.tableblock{max-width:100%;border-collapse:separate} +table.tableblock td>.paragraph:last-child p>p:last-child,table.tableblock th>p:last-child,table.tableblock td>p:last-child{margin-bottom:0} +table.spread{width:100%} +table.tableblock,th.tableblock,td.tableblock{border:0 solid #dedede} +table.grid-all th.tableblock,table.grid-all td.tableblock{border-width:0 1px 1px 0} +table.grid-all tfoot>tr>th.tableblock,table.grid-all tfoot>tr>td.tableblock{border-width:1px 1px 0 0} +table.grid-cols th.tableblock,table.grid-cols td.tableblock{border-width:0 1px 0 0} +table.grid-all *>tr>.tableblock:last-child,table.grid-cols *>tr>.tableblock:last-child{border-right-width:0} +table.grid-rows th.tableblock,table.grid-rows td.tableblock{border-width:0 0 1px 0} +table.grid-all tbody>tr:last-child>th.tableblock,table.grid-all tbody>tr:last-child>td.tableblock,table.grid-all thead:last-child>tr>th.tableblock,table.grid-rows tbody>tr:last-child>th.tableblock,table.grid-rows tbody>tr:last-child>td.tableblock,table.grid-rows thead:last-child>tr>th.tableblock{border-bottom-width:0} +table.grid-rows tfoot>tr>th.tableblock,table.grid-rows tfoot>tr>td.tableblock{border-width:1px 0 0 0} +table.frame-all{border-width:1px} +table.frame-sides{border-width:0 1px} +table.frame-topbot{border-width:1px 0} +th.halign-left,td.halign-left{text-align:left} +th.halign-right,td.halign-right{text-align:right} +th.halign-center,td.halign-center{text-align:center} +th.valign-top,td.valign-top{vertical-align:top} +th.valign-bottom,td.valign-bottom{vertical-align:bottom} +th.valign-middle,td.valign-middle{vertical-align:middle} +table thead th,table tfoot th{font-weight:bold} +tbody tr th{display:table-cell;line-height:1.6;background:#f7f8f7} +tbody tr th,tbody tr th p,tfoot tr th,tfoot tr th p{color:rgba(0,0,0,.8);font-weight:bold} +p.tableblock>code:only-child{background:none;padding:0} +p.tableblock{font-size:1em} +td>div.verse{white-space:pre} +ol{margin-left:1.75em} +ul li ol{margin-left:1.5em} +dl dd{margin-left:1.125em} +dl dd:last-child,dl dd:last-child>:last-child{margin-bottom:0} +ol>li p,ul>li p,ul dd,ol dd,.olist .olist,.ulist .ulist,.ulist .olist,.olist .ulist{margin-bottom:.625em} +ul.unstyled,ol.unnumbered,ul.checklist,ul.none{list-style-type:none} +ul.unstyled,ol.unnumbered,ul.checklist{margin-left:.625em} +ul.checklist li>p:first-child>.fa-square-o:first-child,ul.checklist li>p:first-child>.fa-check-square-o:first-child{width:1em;font-size:.85em} +ul.checklist li>p:first-child>input[type="checkbox"]:first-child{width:1em;position:relative;top:1px} +ul.inline{margin:0 auto .625em auto;margin-left:-1.375em;margin-right:0;padding:0;list-style:none;overflow:hidden} +ul.inline>li{list-style:none;float:left;margin-left:1.375em;display:block} +ul.inline>li>*{display:block} +.unstyled dl dt{font-weight:400;font-style:normal} +ol.arabic{list-style-type:decimal} +ol.decimal{list-style-type:decimal-leading-zero} +ol.loweralpha{list-style-type:lower-alpha} +ol.upperalpha{list-style-type:upper-alpha} +ol.lowerroman{list-style-type:lower-roman} +ol.upperroman{list-style-type:upper-roman} +ol.lowergreek{list-style-type:lower-greek} +.hdlist>table,.colist>table{border:0;background:none} +.hdlist>table>tbody>tr,.colist>table>tbody>tr{background:none} +td.hdlist1{padding-right:.75em;font-weight:bold} +td.hdlist1,td.hdlist2{vertical-align:top} +.literalblock+.colist,.listingblock+.colist{margin-top:-.5em} +.colist>table tr>td:first-of-type{padding:0 .75em;line-height:1} +.colist>table tr>td:last-of-type{padding:.25em 0} +.thumb,.th{line-height:0;display:inline-block;border:solid 4px #fff;-webkit-box-shadow:0 0 0 1px #ddd;box-shadow:0 0 0 1px #ddd} +.imageblock.left,.imageblock[style*="float: left"]{margin:.25em .625em 1.25em 0} +.imageblock.right,.imageblock[style*="float: right"]{margin:.25em 0 1.25em .625em} +.imageblock>.title{margin-bottom:0} +.imageblock.thumb,.imageblock.th{border-width:6px} +.imageblock.thumb>.title,.imageblock.th>.title{padding:0 .125em} +.image.left,.image.right{margin-top:.25em;margin-bottom:.25em;display:inline-block;line-height:0} +.image.left{margin-right:.625em} +.image.right{margin-left:.625em} +a.image{text-decoration:none} +span.footnote,span.footnoteref{vertical-align:super;font-size:.875em} +span.footnote a,span.footnoteref a{text-decoration:none} +span.footnote a:active,span.footnoteref a:active{text-decoration:underline} +#footnotes{padding-top:.75em;padding-bottom:.75em;margin-bottom:.625em} +#footnotes hr{width:20%;min-width:6.25em;margin:-.25em 0 .75em 0;border-width:1px 0 0 0} +#footnotes .footnote{padding:0 .375em;line-height:1.3;font-size:.875em;margin-left:1.2em;text-indent:-1.2em;margin-bottom:.2em} +#footnotes .footnote a:first-of-type{font-weight:bold;text-decoration:none} +#footnotes .footnote:last-of-type{margin-bottom:0} +#content #footnotes{margin-top:-.625em;margin-bottom:0;padding:.75em 0} +.gist .file-data>table{border:0;background:#fff;width:100%;margin-bottom:0} +.gist .file-data>table td.line-data{width:99%} +div.unbreakable{page-break-inside:avoid} +.big{font-size:larger} +.small{font-size:smaller} +.underline{text-decoration:underline} +.overline{text-decoration:overline} +.line-through{text-decoration:line-through} +.aqua{color:#00bfbf} +.aqua-background{background-color:#00fafa} +.black{color:#000} +.black-background{background-color:#000} +.blue{color:#0000bf} +.blue-background{background-color:#0000fa} +.fuchsia{color:#bf00bf} +.fuchsia-background{background-color:#fa00fa} +.gray{color:#606060} +.gray-background{background-color:#7d7d7d} +.green{color:#006000} +.green-background{background-color:#007d00} +.lime{color:#00bf00} +.lime-background{background-color:#00fa00} +.maroon{color:#600000} +.maroon-background{background-color:#7d0000} +.navy{color:#000060} +.navy-background{background-color:#00007d} +.olive{color:#606000} +.olive-background{background-color:#7d7d00} +.purple{color:#600060} +.purple-background{background-color:#7d007d} +.red{color:#bf0000} +.red-background{background-color:#fa0000} +.silver{color:#909090} +.silver-background{background-color:#bcbcbc} +.teal{color:#006060} +.teal-background{background-color:#007d7d} +.white{color:#bfbfbf} +.white-background{background-color:#fafafa} +.yellow{color:#bfbf00} +.yellow-background{background-color:#fafa00} +span.icon>.fa{cursor:default} +.admonitionblock td.icon [class^="fa icon-"]{font-size:2.5em;text-shadow:1px 1px 2px rgba(0,0,0,.5);cursor:default} +.admonitionblock td.icon .icon-note:before{content:"\f05a";color:#19407c} +.admonitionblock td.icon .icon-tip:before{content:"\f0eb";text-shadow:1px 1px 2px rgba(155,155,0,.8);color:#111} +.admonitionblock td.icon .icon-warning:before{content:"\f071";color:#bf6900} +.admonitionblock td.icon .icon-caution:before{content:"\f06d";color:#bf3400} +.admonitionblock td.icon .icon-important:before{content:"\f06a";color:#bf0000} +.conum[data-value]{display:inline-block;color:#fff!important;background-color:rgba(0,0,0,.8);-webkit-border-radius:100px;border-radius:100px;text-align:center;font-size:.75em;width:1.67em;height:1.67em;line-height:1.67em;font-family:"Open Sans","DejaVu Sans",sans-serif;font-style:normal;font-weight:bold} +.conum[data-value] *{color:#fff!important} +.conum[data-value]+b{display:none} +.conum[data-value]:after{content:attr(data-value)} +pre .conum[data-value]{position:relative;top:-.125em} +b.conum *{color:inherit!important} +.conum:not([data-value]):empty{display:none} +h1,h2{letter-spacing:-.01em} +dt,th.tableblock,td.content{text-rendering:optimizeLegibility} +p,td.content{letter-spacing:-.01em} +p strong,td.content strong{letter-spacing:-.005em} +p,blockquote,dt,td.content{font-size:1.0625rem} +p{margin-bottom:1.25rem} +.sidebarblock p,.sidebarblock dt,.sidebarblock td.content,p.tableblock{font-size:1em} +.exampleblock>.content{background-color:#fffef7;border-color:#e0e0dc;-webkit-box-shadow:0 1px 4px #e0e0dc;box-shadow:0 1px 4px #e0e0dc} +.print-only{display:none!important} +@media print{@page{margin:1.25cm .75cm} +*{-webkit-box-shadow:none!important;box-shadow:none!important;text-shadow:none!important} +a{color:inherit!important;text-decoration:underline!important} +a.bare,a[href^="#"],a[href^="mailto:"]{text-decoration:none!important} +a[href^="http:"]:not(.bare):after,a[href^="https:"]:not(.bare):after{content:"(" attr(href) ")";display:inline-block;font-size:.875em;padding-left:.25em} +abbr[title]:after{content:" (" attr(title) ")"} +pre,blockquote,tr,img{page-break-inside:avoid} +thead{display:table-header-group} +img{max-width:100%!important} +p,blockquote,dt,td.content{font-size:1em;orphans:3;widows:3} +h2,h3,#toctitle,.sidebarblock>.content>.title{page-break-after:avoid} +#toc,.sidebarblock,.exampleblock>.content{background:none!important} +#toc{border-bottom:1px solid #ddddd8!important;padding-bottom:0!important} +.sect1{padding-bottom:0!important} +.sect1+.sect1{border:0!important} +#header>h1:first-child{margin-top:1.25rem} +body.book #header{text-align:center} +body.book #header>h1:first-child{border:0!important;margin:2.5em 0 1em 0} +body.book #header .details{border:0!important;display:block;padding:0!important} +body.book #header .details span:first-child{margin-left:0!important} +body.book #header .details br{display:block} +body.book #header .details br+span:before{content:none!important} +body.book #toc{border:0!important;text-align:left!important;padding:0!important;margin:0!important} +body.book #toc,body.book #preamble,body.book h1.sect0,body.book .sect1>h2{page-break-before:always} +.listingblock code[data-lang]:before{display:block} +#footer{background:none!important;padding:0 .9375em} +#footer-text{color:rgba(0,0,0,.6)!important;font-size:.9em} +.hide-on-print{display:none!important} +.print-only{display:block!important} +.hide-for-print{display:none!important} +.show-for-print{display:inherit!important}} +</style> +<link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/font-awesome/4.2.0/css/font-awesome.min.css";> +</head> +<body class="article"> +<div id="header"> +<h1>NiFi System Administrator’s Guide</h1> +<div class="details"> +<span id="author" class="author">Apache NiFi Team</span><br> +<span id="email" class="email"><a href="mailto:[email protected]";>[email protected]</a></span><br> +</div> +<div id="toc" class="toc"> +<div id="toctitle">Table of Contents</div> +<ul class="sectlevel1"> +<li><a href="administration-guide.html#system-requirements">System Requirements</a></li> +<li><a href="administration-guide.html#how-to-install-and-start-nifi">How to install and start NiFi</a></li> +<li><a href="administration-guide.html#configuration-best-practices">Configuration Best Practices</a></li> +<li><a href="administration-guide.html#security-configuration">Security Configuration</a> +<ul class="sectlevel2"> +<li><a href="administration-guide.html#tls-generation-toolkit">TLS Generation Toolkit</a></li> +</ul> +</li> +<li><a href="administration-guide.html#user_authentication">User Authentication</a> +<ul class="sectlevel2"> +<li><a href="administration-guide.html#ldap_login_identity_provider">Lightweight Directory Access Protocol (LDAP)</a></li> +<li><a href="administration-guide.html#kerberos_login_identity_provider">Kerberos</a></li> +</ul> +</li> +<li><a href="administration-guide.html#multi-tenant-authorization">Multi-Tenant Authorization</a> +<ul class="sectlevel2"> +<li><a href="administration-guide.html#authorizer-configuration">Authorizer Configuration</a></li> +<li><a href="administration-guide.html#authorizers-setup">Authorizers.xml Setup</a></li> +<li><a href="administration-guide.html#config-users-access-policies">Configuring Users & Access Policies</a></li> +</ul> +</li> +<li><a href="administration-guide.html#encryption">Encryption Configuration</a> +<ul class="sectlevel2"> +<li><a href="administration-guide.html#key-derivation-functions">Key Derivation Functions</a></li> +<li><a href="administration-guide.html#salt-and-iv-encoding">Salt and IV Encoding</a></li> +<li><a href="administration-guide.html#java-cryptography-extension-jce-limited-strength-jurisdiction-policies">Java Cryptography Extension (JCE) Limited Strength Jurisdiction Policies</a></li> +<li><a href="administration-guide.html#allow-insecure-cryptographic-modes">Allow Insecure Cryptographic Modes</a></li> +</ul> +</li> +<li><a href="administration-guide.html#encrypted-passwords-in-configuration-files">Encrypted Passwords in Configuration Files</a> +<ul class="sectlevel2"> +<li><a href="administration-guide.html#encrypt-config_tool">Encrypt-Config Tool</a></li> +<li><a href="administration-guide.html#sensitive-property-key-migration">Sensitive Property Key Migration</a></li> +<li><a href="administration-guide.html#existing-flow-migration">Existing Flow Migration</a></li> +<li><a href="administration-guide.html#encrypt-config_password">Password Key Derivation</a></li> +<li><a href="administration-guide.html#encrypt-config_secure_prompt">Secure Prompt</a></li> +</ul> +</li> +<li><a href="administration-guide.html#admin-toolkit">Administrative Tools</a> +<ul class="sectlevel2"> +<li><a href="administration-guide.html#prerequisites-for-running-admin-toolkit-in-a-secure-environment">Prerequisites for Running Admin Toolkit in a Secure Environment</a></li> +<li><a href="administration-guide.html#notify">Notify</a></li> +<li><a href="administration-guide.html#node-manager">Node Manager</a></li> +</ul> +</li> +<li><a href="administration-guide.html#clustering">Clustering Configuration</a></li> +<li><a href="administration-guide.html#state_management">State Management</a> +<ul class="sectlevel2"> +<li><a href="administration-guide.html#state_providers">Configuring State Providers</a></li> +<li><a href="administration-guide.html#embedded_zookeeper">Embedded ZooKeeper Server</a></li> +<li><a href="administration-guide.html#zk_access_control">ZooKeeper Access Control</a></li> +<li><a href="administration-guide.html#securing_zookeeper">Securing ZooKeeper</a></li> +<li><a href="administration-guide.html#zookeeper_migrator">ZooKeeper Migrator</a></li> +</ul> +</li> +<li><a href="administration-guide.html#bootstrap_properties">Bootstrap Properties</a></li> +<li><a href="administration-guide.html#notification_services">Notification Services</a> +<ul class="sectlevel2"> +<li><a href="administration-guide.html#email-notification-service-br">Email Notification Service<br></a></li> +<li><a href="administration-guide.html#http-notification-service-br">HTTP Notification Service<br></a></li> +</ul> +</li> +<li><a href="administration-guide.html#kerberos_service">Kerberos Service</a> +<ul class="sectlevel2"> +<li><a href="administration-guide.html#kerberos_service_notes">Notes</a></li> +</ul> +</li> +<li><a href="administration-guide.html#system_properties">System Properties</a> +<ul class="sectlevel2"> +<li><a href="administration-guide.html#core-properties-br">Core Properties<br></a></li> +<li><a href="administration-guide.html#state-management-br">State Management<br></a></li> +<li><a href="administration-guide.html#h2-settings">H2 Settings</a></li> +<li><a href="administration-guide.html#flowfile-repository">FlowFile Repository</a></li> +<li><a href="administration-guide.html#swap-management">Swap Management</a></li> +<li><a href="administration-guide.html#content-repository">Content Repository</a></li> +<li><a href="administration-guide.html#file-system-content-repository-properties">File System Content Repository Properties</a></li> +<li><a href="administration-guide.html#volatile-content-repository-properties">Volatile Content Repository Properties</a></li> +<li><a href="administration-guide.html#provenance-repository">Provenance Repository</a></li> +<li><a href="administration-guide.html#persistent-provenance-repository-properties">Persistent Provenance Repository Properties</a></li> +<li><a href="administration-guide.html#volatile-provenance-repository-properties">Volatile Provenance Repository Properties</a></li> +<li><a href="administration-guide.html#write-ahead-provenance-repository-properties">Write Ahead Provenance Repository Properties</a></li> +<li><a href="administration-guide.html#encrypted-write-ahead-provenance-repository-properties">Encrypted Write Ahead Provenance Repository Properties</a></li> +<li><a href="administration-guide.html#component-status-repository">Component Status Repository</a></li> +<li><a href="administration-guide.html#site_to_site_properties">Site to Site Properties</a></li> +<li><a href="administration-guide.html#web-properties">Web Properties</a></li> +<li><a href="administration-guide.html#security-properties">Security Properties</a></li> +<li><a href="administration-guide.html#identity-mapping-properties">Identity Mapping Properties</a></li> +<li><a href="administration-guide.html#cluster-common-properties">Cluster Common Properties</a></li> +<li><a href="administration-guide.html#cluster-node-properties">Cluster Node Properties</a></li> +<li><a href="administration-guide.html#claim_management">Claim Management</a></li> +<li><a href="administration-guide.html#zookeeper-properties">ZooKeeper Properties</a></li> +<li><a href="administration-guide.html#kerberos_properties">Kerberos Properties</a></li> +<li><a href="administration-guide.html#custom_properties">Custom Properties</a></li> +</ul> +</li> +</ul> +</div> +</div> +<div id="content"> +<div class="sect1"> +<h2 id="system-requirements"><a class="anchor" href="administration-guide.html#system-requirements"></a>System Requirements</h2> +<div class="sectionbody"> +<div class="paragraph"> +<p>Apache NiFi can run on something as simple as a laptop, but it can also be clustered across many enterprise-class servers. Therefore, the amount of hardware and memory needed will depend on the size and nature of the dataflow involved. The data is stored on disk while NiFi is processing it. So NiFi needs to have sufficient disk space allocated for its various repositories, particularly the content repository, flowfile repository, and provenance repository (see the <a href="administration-guide.html#system_properties">System Properties</a> section for more information about these repositories). NiFi has the following minimum system requirements:</p> +</div> +<div class="ulist"> +<ul> +<li> +<p>Requires Java 8 or newer</p> +</li> +<li> +<p>Supported Operating Systems:</p> +<div class="ulist"> +<ul> +<li> +<p>Linux</p> +</li> +<li> +<p>Unix</p> +</li> +<li> +<p>Windows</p> +</li> +<li> +<p>Mac OS X</p> +</li> +</ul> +</div> +</li> +<li> +<p>Supported Web Browsers:</p> +<div class="ulist"> +<ul> +<li> +<p>Microsoft Edge: Current & (Current - 1)</p> +</li> +<li> +<p>Mozilla FireFox: Current & (Current - 1)</p> +</li> +<li> +<p>Google Chrome: Current & (Current - 1)</p> +</li> +<li> +<p>Safari: Current & (Current - 1)</p> +</li> +</ul> +</div> +</li> +</ul> +</div> +<div class="paragraph"> +<p><strong>Note</strong> Under sustained and extremely high throughput the CodeCache settings may need to be tuned to avoid sudden performance loss. See the <a href="administration-guide.html#bootstrap_properties">Bootstrap Properties</a> section for more information.</p> +</div> +</div> +</div> +<div class="sect1"> +<h2 id="how-to-install-and-start-nifi"><a class="anchor" href="administration-guide.html#how-to-install-and-start-nifi"></a>How to install and start NiFi</h2> +<div class="sectionbody"> +<div class="ulist"> +<ul> +<li> +<p>Linux/Unix/OS X</p> +<div class="ulist"> +<ul> +<li> +<p>Decompress and untar into desired installation directory</p> +</li> +<li> +<p>Make any desired edits in files found under <installdir>/conf</p> +<div class="ulist"> +<ul> +<li> +<p>At a minimum, we recommend editing the <em>nifi.properties</em> file and entering a password for the nifi.sensitive.props.key (see <a href="administration-guide.html#system_properties">System Properties</a> below)</p> +</li> +</ul> +</div> +</li> +<li> +<p>From the <installdir>/bin directory, execute the following commands by typing ./nifi.sh <command>:</p> +<div class="ulist"> +<ul> +<li> +<p>start: starts NiFi in the background</p> +</li> +<li> +<p>stop: stops NiFi that is running in the background</p> +</li> +<li> +<p>status: provides the current status of NiFi</p> +</li> +<li> +<p>run: runs NiFi in the foreground and waits for a Ctrl-C to initiate shutdown of NiFi</p> +</li> +<li> +<p>install: installs NiFi as a service that can then be controlled via</p> +<div class="ulist"> +<ul> +<li> +<p>service nifi start</p> +</li> +<li> +<p>service nifi stop</p> +</li> +<li> +<p>service nifi status</p> +</li> +</ul> +</div> +</li> +</ul> +</div> +</li> +</ul> +</div> +</li> +<li> +<p>Windows</p> +<div class="ulist"> +<ul> +<li> +<p>Decompress into the desired installation directory</p> +</li> +<li> +<p>Make any desired edits in the files found under <installdir>/conf</p> +<div class="ulist"> +<ul> +<li> +<p>At a minimum, we recommend editing the <em>nifi.properties</em> file and entering a password for the nifi.sensitive.props.key (see <a href="administration-guide.html#system_properties">System Properties</a> below)</p> +</li> +</ul> +</div> +</li> +<li> +<p>Navigate to the <installdir>/bin directory</p> +</li> +<li> +<p>Double-click run-nifi.bat. This runs NiFi in the foreground and waits for a Ctrl-C to initiate shutdown of NiFi</p> +</li> +<li> +<p>To see the current status of NiFi, double-click status-nifi.bat</p> +</li> +</ul> +</div> +</li> +</ul> +</div> +<div class="paragraph"> +<p>When NiFi first starts up, the following files and directories are created:</p> +</div> +<div class="ulist"> +<ul> +<li> +<p>content_repository</p> +</li> +<li> +<p>database_repository</p> +</li> +<li> +<p>flowfile_repository</p> +</li> +<li> +<p>provenance_repository</p> +</li> +<li> +<p>work directory</p> +</li> +<li> +<p>logs directory</p> +</li> +<li> +<p>Within the conf directory, the <em>flow.xml.gz</em> file and the templates directory are created</p> +</li> +</ul> +</div> +<div class="paragraph"> +<p>See the <a href="administration-guide.html#system_properties">System Properties</a> section of this guide for more information about configuring NiFi repositories and configuration files.</p> +</div> +</div> +</div> +<div class="sect1"> +<h2 id="configuration-best-practices"><a class="anchor" href="administration-guide.html#configuration-best-practices"></a>Configuration Best Practices</h2> +<div class="sectionbody"> +<div class="admonitionblock note"> +<table> +<tr> +<td class="icon"> +<i class="fa icon-note" title="Note"></i> +</td> +<td class="content"> +If you are running on Linux, consider these best practices. Typical Linux defaults are not necessarily well tuned for the needs of an IO intensive application like NiFi. For all of these areas, your distribution’s requirements may vary. Use these sections as advice, but +consult your distribution-specific documentation for how best to achieve these recommendations. +</td> +</tr> +</table> +</div> +<div class="dlist"> +<dl> +<dt class="hdlist1">Maximum File Handles</dt> +<dd> +<p>NiFi will at any one time potentially have a very large number of file handles open. Increase the limits by +editing <em>/etc/security/limits.conf</em> to add +something like</p> +</dd> +</dl> +</div> +<div class="listingblock"> +<div class="content"> +<pre>* hard nofile 50000 +* soft nofile 50000</pre> +</div> +</div> +<div class="dlist"> +<dl> +<dt class="hdlist1">Maximum Forked Processes</dt> +<dd> +<p>NiFi may be configured to generate a significant number of threads. To increase the allowable number edit <em>/etc/security/limits.conf</em></p> +</dd> +</dl> +</div> +<div class="listingblock"> +<div class="content"> +<pre>* hard nproc 10000 +* soft nproc 10000</pre> +</div> +</div> +<div class="paragraph"> +<p>And your distribution may require an edit to /etc/security/limits.d/90-nproc.conf by adding</p> +</div> +<div class="listingblock"> +<div class="content"> +<pre>* soft nproc 10000</pre> +</div> +</div> +<div class="dlist"> +<dl> +<dt class="hdlist1">Increase the number of TCP socket ports available</dt> +<dd> +<p>This is particularly important if your flow will be setting up and tearing +down a large number of sockets in small period of time.</p> +</dd> +</dl> +</div> +<div class="listingblock"> +<div class="content"> +<pre>sudo sysctl -w net.ipv4.ip_local_port_range="10000 65000"</pre> +</div> +</div> +<div class="dlist"> +<dl> +<dt class="hdlist1">Set how long sockets stay in a TIMED_WAIT state when closed</dt> +<dd> +<p>You don’t want your sockets to sit and linger too long given that you want to be +able to quickly setup and teardown new sockets. It is a good idea to read more about +it but to adjust do something like</p> +</dd> +</dl> +</div> +<div class="listingblock"> +<div class="content"> +<pre>sudo sysctl -w net.ipv4.netfilter.ip_conntrack_tcp_timeout_time_wait="1"</pre> +</div> +</div> +<div class="dlist"> +<dl> +<dt class="hdlist1">Tell Linux you never want NiFi to swap</dt> +<dd> +<p>Swapping is fantastic for some applications. It isn’t good for something like +NiFi that always wants to be running. To tell Linux you’d like swapping off you +can edit <em>/etc/sysctl.conf</em> to add the following line</p> +</dd> +</dl> +</div> +<div class="listingblock"> +<div class="content"> +<pre>vm.swappiness = 0</pre> +</div> +</div> +<div class="paragraph"> +<p>For the partitions handling the various NiFi repos turn off things like <em>atime</em>. +Doing so can cause a surprising bump in throughput. Edit the <em>/etc/fstab</em> file +and for the partition(s) of interest add the <em>noatime</em> option.</p> +</div> +</div> +</div> +<div class="sect1"> +<h2 id="security-configuration"><a class="anchor" href="administration-guide.html#security-configuration"></a>Security Configuration</h2> +<div class="sectionbody"> +<div class="paragraph"> +<p>NiFi provides several different configuration options for security purposes. The most important properties are those under the +"security properties" heading in the <em>nifi.properties</em> file. In order to run securely, the following properties must be set:</p> +</div> +<table class="tableblock frame-all grid-all spread"> +<colgroup> +<col style="width: 50%;"> +<col style="width: 50%;"> +</colgroup> +<thead> +<tr> +<th class="tableblock halign-left valign-top">Property Name</th> +<th class="tableblock halign-left valign-top">Description</th> +</tr> +</thead> +<tfoot> +<tr> +<td class="tableblock halign-left valign-top"><p class="tableblock"><code>nifi.security.needClientAuth</code></p></td> +<td class="tableblock halign-left valign-top"><p class="tableblock">Set to <code>true</code> to specify that connecting clients must authenticate themselves. This property is used by the NiFi cluster protocol to indicate that nodes in the cluster will be authenticated and must have certificates that are trusted by the Truststores.</p></td> +</tr> +</tfoot> +<tbody> +<tr> +<td class="tableblock halign-left valign-top"><p class="tableblock"><code>nifi.security.keystore</code></p></td> +<td class="tableblock halign-left valign-top"><p class="tableblock">Filename of the Keystore that contains the server’s private key.</p></td> +</tr> +<tr> +<td class="tableblock halign-left valign-top"><p class="tableblock"><code>nifi.security.keystoreType</code></p></td> +<td class="tableblock halign-left valign-top"><p class="tableblock">The type of Keystore. Must be either <code>PKCS12</code> or <code>JKS</code>. JKS is the preferred type, PKCS12 files will be loaded with BouncyCastle provider.</p></td> +</tr> +<tr> +<td class="tableblock halign-left valign-top"><p class="tableblock"><code>nifi.security.keystorePasswd</code></p></td> +<td class="tableblock halign-left valign-top"><p class="tableblock">The password for the Keystore.</p></td> +</tr> +<tr> +<td class="tableblock halign-left valign-top"><p class="tableblock"><code>nifi.security.keyPasswd</code></p></td> +<td class="tableblock halign-left valign-top"><p class="tableblock">The password for the certificate in the Keystore. If not set, the value of <code>nifi.security.keystorePasswd</code> will be used.</p></td> +</tr> +<tr> +<td class="tableblock halign-left valign-top"><p class="tableblock"><code>nifi.security.truststore</code></p></td> +<td class="tableblock halign-left valign-top"><p class="tableblock">Filename of the Truststore that will be used to authorize those connecting to NiFi. A secured instance with no Truststore will refuse all incoming connections.</p></td> +</tr> +<tr> +<td class="tableblock halign-left valign-top"><p class="tableblock"><code>nifi.security.truststoreType</code></p></td> +<td class="tableblock halign-left valign-top"><p class="tableblock">The type of the Truststore. Must be either <code>PKCS12</code> or <code>JKS</code>. JKS is the preferred type, PKCS12 files will be loaded with BouncyCastle provider.</p></td> +</tr> +<tr> +<td class="tableblock halign-left valign-top"><p class="tableblock"><code>nifi.security.truststorePasswd</code></p></td> +<td class="tableblock halign-left valign-top"><p class="tableblock">The password for the Truststore.</p></td> +</tr> +</tbody> +</table> +<div class="paragraph"> +<p>Once the above properties have been configured, we can enable the User Interface to be accessed over HTTPS instead of HTTP. This is accomplished +by setting the <code>nifi.web.https.host</code> and <code>nifi.web.https.port</code> properties. The <code>nifi.web.https.host</code> property indicates which hostname the server +should run on. If it is desired that the HTTPS interface be accessible from all network interfaces, a value of <code>0.0.0.0</code> should be used. To allow +admins to configure the application to run only on specific network interfaces, <code>nifi.web.http.network.interface*</code> or <code>nifi.web.https.network.interface*</code> +properties can be specified.</p> +</div> +<div class="admonitionblock note"> +<table> +<tr> +<td class="icon"> +<i class="fa icon-note" title="Note"></i> +</td> +<td class="content"> +It is important when enabling HTTPS that the <code>nifi.web.http.port</code> property be unset. +</td> +</tr> +</table> +</div> +<div class="paragraph"> +<p>Similar to <code>nifi.security.needClientAuth</code>, the web server can be configured to require certificate based client authentication for users accessing +the User Interface. In order to do this it must be configured to not support username/password authentication using <a href="administration-guide.html#ldap_login_identity_provider">Lightweight Directory Access Protocol (LDAP)</a> or <a href="administration-guide.html#kerberos_login_identity_provider">Kerberos</a>. Either of these options +will configure the web server to WANT certificate based client authentication. This will allow it to support users with certificates and those without +that may be logging in with their credentials or those accessing anonymously. If username/password authentication and anonymous access are not configured, +the web server will REQUIRE certificate based client authentication. See <a href="administration-guide.html#user_authentication">User Authentication</a> for more details.</p> +</div> +<div class="paragraph"> +<p>Now that the User Interface has been secured, we can easily secure Site-to-Site connections and inner-cluster communications, as well. This is +accomplished by setting the <code>nifi.remote.input.secure</code> and <code>nifi.cluster.protocol.is.secure</code> properties, respectively, to <code>true</code>.</p> +</div> +<div class="sect2"> +<h3 id="tls-generation-toolkit"><a class="anchor" href="administration-guide.html#tls-generation-toolkit"></a>TLS Generation Toolkit</h3> +<div class="paragraph"> +<p>In order to facilitate the secure setup of NiFi, you can use the <code>tls-toolkit</code> command line utility to automatically generate the required keystores, truststore, and relevant configuration files. This is especially useful for securing multiple NiFi nodes, which can be a tedious and error-prone process.</p> +</div> +<div class="paragraph"> +<p>Note: JKS keystores and truststores are recommended for NiFi. This tool allows the specification of other keystore types on the command line but will ignore a type of PKCS12 for use as the truststore because that format has some compatibility issues between BouncyCastle and Oracle implementations.</p> +</div> +<div class="paragraph"> +<p>The <code>tls-toolkit</code> command line tool has two primary modes of operation:</p> +</div> +<div class="olist arabic"> +<ol class="arabic"> +<li> +<p>Standalone — generates the certificate authority, keystores, truststores, and nifi.properties files in one command.</p> +</li> +<li> +<p>Client/Server mode — uses a Certificate Authority Server that accepts Certificate Signing Requests from clients, signs them, and sends the resulting certificates back. Both client and server validate the otherâs identity through a shared secret.</p> +</li> +</ol> +</div> +<div class="sect3"> +<h4 id="standalone"><a class="anchor" href="administration-guide.html#standalone"></a>Standalone</h4> +<div class="paragraph"> +<p>Standalone mode is invoked by running <code>./bin/tls-toolkit.sh standalone -h</code> which prints the usage information along with descriptions of options that can be specified.</p> +</div> +<div class="paragraph"> +<p>The most common options to specify are:</p> +</div> +<div class="ulist"> +<ul> +<li> +<p><code>-n,--hostnames</code> The comma-separated list of hostnames that youâd like to generate certificates for. It can be specified multiple times. Range and instance patterns are supported. See below for details.</p> +</li> +<li> +<p><code>-C,--clientCertDn</code> The DN that you’d like to generate a client certificate for. It can be specified multiple times.</p> +</li> +<li> +<p><code>-f,--nifiPropertiesFile</code> The base <em>nifi.properties</em> file that the tool will update for each host.</p> +</li> +<li> +<p><code>-o,--outputDirectory</code> The directory to use for the resulting Certificate Authority files and NiFi configurations. A subdirectory will be made for each host.</p> +</li> +</ul> +</div> +<div class="paragraph"> +<p>Hostname Patterns:</p> +</div> +<div class="ulist"> +<ul> +<li> +<p>Square brackets can be used in order to easily specify a range of hostnames. Example: [01-20]</p> +</li> +<li> +<p>Parentheses can be used in order to specify that more than one NiFi instance will run on the given host(s). Example: (5)</p> +</li> +</ul> +</div> +<div class="paragraph"> +<p>Examples:</p> +</div> +<div class="paragraph"> +<p>Create 4 sets of keystore, truststore, nifi.properties for localhost along with a client certificate with the given DN:</p> +</div> +<div class="listingblock"> +<div class="content"> +<pre>bin/tls-toolkit.sh standalone -n 'localhost(4)' -C 'CN=username,OU=NIFI'</pre> +</div> +</div> +<div class="paragraph"> +<p>Create keystore, truststore, nifi.properties for 10 NiFi hostnames in each of 4 subdomains:</p> +</div> +<div class="listingblock"> +<div class="content"> +<pre>bin/tls-toolkit.sh standalone -n 'nifi[01-10].subdomain[1-4].domain'</pre> +</div> +</div> +<div class="paragraph"> +<p>Create 2 sets of keystore, truststore, nifi.properties for 10 NiFi hostnames in each of 4 subdomains along with a client certificate with the given DN:</p> +</div> +<div class="listingblock"> +<div class="content"> +<pre>bin/tls-toolkit.sh standalone -n 'nifi[01-10].subdomain[1-4].domain(2)' -C 'CN=username,OU=NIFI'</pre> +</div> +</div> +</div> +<div class="sect3"> +<h4 id="client-server"><a class="anchor" href="administration-guide.html#client-server"></a>Client/Server</h4> +<div class="paragraph"> +<p>Client/Server mode relies on a long-running Certificate Authority (CA) to issue certificates. The CA can be stopped when youâre not bringing nodes online.</p> +</div> +<div class="sect4"> +<h5 id="server"><a class="anchor" href="administration-guide.html#server"></a>Server</h5> +<div class="paragraph"> +<p>The CA server is invoked by running <code>./bin/tls-toolkit server -h</code> prints the usage information along with descriptions of options that can be specified.</p> +</div> +<div class="paragraph"> +<p>The most common options to specify are:</p> +</div> +<div class="ulist"> +<ul> +<li> +<p><code>-f,--configJson</code> The location of the json config (written after first run)</p> +</li> +<li> +<p><code>-F,--useConfigJson</code> Loads all relevant configuration from the config json (configJson is the only other argument necessary)</p> +</li> +<li> +<p><code>-t,--token</code> The token used to prevent man in the middle attacks (this should be a long, random value and needs to be known when invoking the client)</p> +</li> +<li> +<p><code>-D,--dn</code> The DN for the CA</p> +</li> +</ul> +</div> +</div> +<div class="sect4"> +<h5 id="client"><a class="anchor" href="administration-guide.html#client"></a>Client</h5> +<div class="paragraph"> +<p>The client can be used to request new Certificates from the CA. The client utility generates a keypair and Certificate Signing Request (CSR) and sends the CSR to the Certificate Authority. The client is invoked by running <code>./bin/tls-toolkit.sh client -h</code> which prints the usage information along with descriptions of options that can be specified.</p> +</div> +<div class="paragraph"> +<p>The most common options to specify are:</p> +</div> +<div class="ulist"> +<ul> +<li> +<p><code>-f,--configJson</code> The json config file</p> +</li> +<li> +<p><code>-c,--certificateAuthorityHostname</code> The hostname of the CA</p> +</li> +<li> +<p><code>-D,--DN</code> The DN for the CSR (and Certificate)</p> +</li> +<li> +<p><code>-t,--token</code> The token used to prevent man in the middle attacks (this should be a long, random value and needs to be the same one used to start the CA server)</p> +</li> +<li> +<p><code>-T,--keyStoreType</code> The type of keystore to create (leave default for NiFi nodes, specify PKCS12 to create client cert)</p> +</li> +</ul> +</div> +<div class="paragraph"> +<p>After running the client you will have the CAâs certificate, a keystore, a truststore, and a config.json with information about them as well as their passwords.</p> +</div> +<div class="paragraph"> +<p>For a client certificate that can be easily imported into the browser, specify: <code>-T PKCS12</code></p> +</div> +</div> +</div> +</div> +</div> +</div> +<div class="sect1"> +<h2 id="user_authentication"><a class="anchor" href="administration-guide.html#user_authentication"></a>User Authentication</h2> +<div class="sectionbody"> +<div class="paragraph"> +<p>NiFi supports user authentication via client certificates or via username/password. Username/password authentication is performed by a <em>Login Identity +Provider</em>. The Login Identity Provider is a pluggable mechanism for authenticating users via their username/password. Which Login Identity Provider +to use is configured in two properties in the <em>nifi.properties</em> file.</p> +</div> +<div class="paragraph"> +<p>The <code>nifi.login.identity.provider.configuration.file</code> property specifies the configuration file for Login Identity Providers. +The <code>nifi.security.user.login.identity.provider</code> property indicates which of the configured Login Identity Provider should be +used. If this property is not configured, NiFi will not support username/password authentication and will require client +certificates for authenticating users over HTTPS. By default, this property is not configured meaning that username/password must be explicitly enabled.</p> +</div> +<div class="paragraph"> +<p>A secured instance of NiFi cannot be accessed anonymously unless configured to use an LDAP or Kerberos Login Identity Provider, which in turn must be configured to explicitly allow anonymous access. Anonymous access is not currently possible by the default FileAuthorizer (see <a href="administration-guide.html#authorizer-configuration">Authorizer Configuration</a>), but is a future effort (<a href="https://issues.apache.org/jira/browse/NIFI-2730";>NIFI-2730</a>).</p> +</div> +<div class="admonitionblock note"> +<table> +<tr> +<td class="icon"> +<i class="fa icon-note" title="Note"></i> +</td> +<td class="content"> +NiFi does not perform user authentication over HTTP. Using HTTP, all users will be granted all roles. +</td> +</tr> +</table> +</div> +<div class="sect2"> +<h3 id="ldap_login_identity_provider"><a class="anchor" href="administration-guide.html#ldap_login_identity_provider"></a>Lightweight Directory Access Protocol (LDAP)</h3> +<div class="paragraph"> +<p>Below is an example and description of configuring a Login Identity Provider that integrates with a Directory Server to authenticate users.</p> +</div> +<div class="listingblock"> +<div class="content"> +<pre><provider> + <identifier>ldap-provider</identifier> + <class>org.apache.nifi.ldap.LdapProvider</class> + <property name="Authentication Strategy">START_TLS</property> + + <property name="Manager DN"></property> + <property name="Manager Password"></property> + + <property name="TLS - Keystore"></property> + <property name="TLS - Keystore Password"></property> + <property name="TLS - Keystore Type"></property> + <property name="TLS - Truststore"></property> + <property name="TLS - Truststore Password"></property> + <property name="TLS - Truststore Type"></property> + <property name="TLS - Client Auth"></property> + <property name="TLS - Protocol"></property> + <property name="TLS - Shutdown Gracefully"></property> + + <property name="Referral Strategy">FOLLOW</property> + <property name="Connect Timeout">10 secs</property> + <property name="Read Timeout">10 secs</property> + + <property name="Url"></property> + <property name="User Search Base"></property> + <property name="User Search Filter"></property> + + <property name="Identity Strategy">USE_DN</property> + <property name="Authentication Expiration">12 hours</property> +</provider></pre> +</div> +</div> +<div class="paragraph"> +<p>With this configuration, username/password authentication can be enabled by referencing this provider in <em>nifi.properties</em>.</p> +</div> +<div class="listingblock"> +<div class="content"> +<pre>nifi.security.user.login.identity.provider=ldap-provider</pre> +</div> +</div> +<table class="tableblock frame-all grid-all spread"> +<colgroup> +<col style="width: 50%;"> +<col style="width: 50%;"> +</colgroup> +<thead> +<tr> +<th class="tableblock halign-left valign-top">Property Name</th> +<th class="tableblock halign-left valign-top">Description</th> +</tr> +</thead> +<tfoot> +<tr> +<td class="tableblock halign-left valign-top"><p class="tableblock"><code>Authentication Expiration</code></p></td> +<td class="tableblock halign-left valign-top"><p class="tableblock">The duration of how long the user authentication is valid for. If the user never logs out, they will be required to log back in following this duration.</p></td> +</tr> +</tfoot> +<tbody> +<tr> +<td class="tableblock halign-left valign-top"><p class="tableblock"><code>Authentication Strategy</code></p></td> +<td class="tableblock halign-left valign-top"><p class="tableblock">How the connection to the LDAP server is authenticated. Possible values are ANONYMOUS, SIMPLE, LDAPS, or START_TLS.</p></td> +</tr> +<tr> +<td class="tableblock halign-left valign-top"><p class="tableblock"><code>Manager DN</code></p></td> +<td class="tableblock halign-left valign-top"><p class="tableblock">The DN of the manager that is used to bind to the LDAP server to search for users.</p></td> +</tr> +<tr> +<td class="tableblock halign-left valign-top"><p class="tableblock"><code>Manager Password</code></p></td> +<td class="tableblock halign-left valign-top"><p class="tableblock">The password of the manager that is used to bind to the LDAP server to search for users.</p></td> +</tr> +<tr> +<td class="tableblock halign-left valign-top"><p class="tableblock"><code>TLS - Keystore</code></p></td> +<td class="tableblock halign-left valign-top"><p class="tableblock">Path to the Keystore that is used when connecting to LDAP using LDAPS or START_TLS.</p></td> +</tr> +<tr> +<td class="tableblock halign-left valign-top"><p class="tableblock"><code>TLS - Keystore Password</code></p></td> +<td class="tableblock halign-left valign-top"><p class="tableblock">Password for the Keystore that is used when connecting to LDAP using LDAPS or START_TLS.</p></td> +</tr> +<tr> +<td class="tableblock halign-left valign-top"><p class="tableblock"><code>TLS - Keystore Type</code></p></td> +<td class="tableblock halign-left valign-top"><p class="tableblock">Type of the Keystore that is used when connecting to LDAP using LDAPS or START_TLS (i.e. JKS or PKCS12).</p></td> +</tr> +<tr> +<td class="tableblock halign-left valign-top"><p class="tableblock"><code>TLS - Truststore</code></p></td> +<td class="tableblock halign-left valign-top"><p class="tableblock">Path to the Truststore that is used when connecting to LDAP using LDAPS or START_TLS.</p></td> +</tr> +<tr> +<td class="tableblock halign-left valign-top"><p class="tableblock"><code>TLS - Truststore Password</code></p></td> +<td class="tableblock halign-left valign-top"><p class="tableblock">Password for the Truststore that is used when connecting to LDAP using LDAPS or START_TLS.</p></td> +</tr> +<tr> +<td class="tableblock halign-left valign-top"><p class="tableblock"><code>TLS - Truststore Type</code></p></td> +<td class="tableblock halign-left valign-top"><p class="tableblock">Type of the Truststore that is used when connecting to LDAP using LDAPS or START_TLS (i.e. JKS or PKCS12).</p></td> +</tr> +<tr> +<td class="tableblock halign-left valign-top"><p class="tableblock"><code>TLS - Client Auth</code></p></td> +<td class="tableblock halign-left valign-top"><p class="tableblock">Client authentication policy when connecting to LDAP using LDAPS or START_TLS. Possible values are REQUIRED, WANT, NONE.</p></td> +</tr> +<tr> +<td class="tableblock halign-left valign-top"><p class="tableblock"><code>TLS - Protocol</code></p></td> +<td class="tableblock halign-left valign-top"><p class="tableblock">Protocol to use when connecting to LDAP using LDAPS or START_TLS. (i.e. TLS, TLSv1.1, TLSv1.2, etc).</p></td> +</tr> +<tr> +<td class="tableblock halign-left valign-top"><p class="tableblock"><code>TLS - Shutdown Gracefully</code></p></td> +<td class="tableblock halign-left valign-top"><p class="tableblock">Specifies whether the TLS should be shut down gracefully before the target context is closed. Defaults to false.</p></td> +</tr> +<tr> +<td class="tableblock halign-left valign-top"><p class="tableblock"><code>Referral Strategy</code></p></td> +<td class="tableblock halign-left valign-top"><p class="tableblock">Strategy for handling referrals. Possible values are FOLLOW, IGNORE, THROW.</p></td> +</tr> +<tr> +<td class="tableblock halign-left valign-top"><p class="tableblock"><code>Connect Timeout</code></p></td> +<td class="tableblock halign-left valign-top"><p class="tableblock">Duration of connect timeout. (i.e. 10 secs).</p></td> +</tr> +<tr> +<td class="tableblock halign-left valign-top"><p class="tableblock"><code>Read Timeout</code></p></td> +<td class="tableblock halign-left valign-top"><p class="tableblock">Duration of read timeout. (i.e. 10 secs).</p></td> +</tr> +<tr> +<td class="tableblock halign-left valign-top"><p class="tableblock"><code>Url</code></p></td> +<td class="tableblock halign-left valign-top"><p class="tableblock">Space-separated list of URLs of the LDAP servers (i.e. ldap://<hostname>:<port>).</p></td> +</tr> +<tr> +<td class="tableblock halign-left valign-top"><p class="tableblock"><code>User Search Base</code></p></td> +<td class="tableblock halign-left valign-top"><p class="tableblock">Base DN for searching for users (i.e. CN=Users,DC=example,DC=com).</p></td> +</tr> +<tr> +<td class="tableblock halign-left valign-top"><p class="tableblock"><code>User Search Filter</code></p></td> +<td class="tableblock halign-left valign-top"><p class="tableblock">Filter for searching for users against the <em>User Search Base</em>. (i.e. sAMAccountName={0}). The user specified name is inserted into <em>{0}</em>.</p></td> +</tr> +<tr> +<td class="tableblock halign-left valign-top"><p class="tableblock"><code>Identity Strategy</code></p></td> +<td class="tableblock halign-left valign-top"><p class="tableblock">Strategy to identify users. Possible values are USE_DN and USE_USERNAME. The default functionality if this property is missing is USE_DN in order to retain backward +compatibility. USE_DN will use the full DN of the user entry if possible. USE_USERNAME will use the username the user logged in with.</p></td> +</tr> +</tbody> +</table> +</div> +<div class="sect2"> +<h3 id="kerberos_login_identity_provider"><a class="anchor" href="administration-guide.html#kerberos_login_identity_provider"></a>Kerberos</h3> +<div class="paragraph"> +<p>Below is an example and description of configuring a Login Identity Provider that integrates with a Kerberos Key Distribution Center (KDC) to authenticate users.</p> +</div> +<div class="listingblock"> +<div class="content"> +<pre><provider> + <identifier>kerberos-provider</identifier> + <class>org.apache.nifi.kerberos.KerberosProvider</class> + <property name="Default Realm">NIFI.APACHE.ORG</property> + <property name="Kerberos Config File">/etc/krb5.conf</property> + <property name="Authentication Expiration">12 hours</property> +</provider></pre> +</div> +</div> +<div class="paragraph"> +<p>With this configuration, username/password authentication can be enabled by referencing this provider in <em>nifi.properties</em>.</p> +</div> +<div class="listingblock"> +<div class="content"> +<pre>nifi.security.user.login.identity.provider=kerberos-provider</pre> +</div> +</div> +<table class="tableblock frame-all grid-all spread"> +<colgroup> +<col style="width: 50%;"> +<col style="width: 50%;"> +</colgroup> +<thead> +<tr> +<th class="tableblock halign-left valign-top">Property Name</th> +<th class="tableblock halign-left valign-top">Description</th> +</tr> +</thead> +<tfoot> +<tr> +<td class="tableblock halign-left valign-top"><p class="tableblock"><code>Authentication Expiration</code></p></td> +<td class="tableblock halign-left valign-top"><p class="tableblock">The duration of how long the user authentication is valid for. If the user never logs out, they will be required to log back in following this duration.</p></td> +</tr> +</tfoot> +<tbody> +<tr> +<td class="tableblock halign-left valign-top"><p class="tableblock"><code>Default Realm</code></p></td> +<td class="tableblock halign-left valign-top"><p class="tableblock">Default realm to provide when user enters incomplete user principal (i.e. NIFI.APACHE.ORG).</p></td> +</tr> +<tr> +<td class="tableblock halign-left valign-top"><p class="tableblock"><code>Kerberos Config File</code></p></td> +<td class="tableblock halign-left valign-top"><p class="tableblock">Absolute path to Kerberos client configuration file.</p></td> +</tr> +</tbody> +</table> +<div class="paragraph"> +<p>See also <a href="administration-guide.html#kerberos_service">Kerberos Service</a> to allow single sign-on access via client Kerberos tickets.</p> +</div> +</div> +</div> +</div> +<div class="sect1"> +<h2 id="multi-tenant-authorization"><a class="anchor" href="administration-guide.html#multi-tenant-authorization"></a>Multi-Tenant Authorization</h2> +<div class="sectionbody"> +<div class="paragraph"> +<p>After you have configured NiFi to run securely and with an authentication mechanism, you must configure who has access to the system, and the level of their access. +You can do this using <em>multi-tenant authorization</em>. Multi-tenant authorization enables multiple groups of users (tenants) to command, control, and observe different +parts of the dataflow, with varying levels of authorization. When an authenticated user attempts to view or modify a NiFi resource, the system checks whether the +user has privileges to perform that action. These privileges are defined by policies that you can apply system-wide or to individual components.</p> +</div> +<div class="sect2"> +<h3 id="authorizer-configuration"><a class="anchor" href="administration-guide.html#authorizer-configuration"></a>Authorizer Configuration</h3> +<div class="paragraph"> +<p>An <em>authorizer</em> grants users the privileges to manage users and policies by creating preliminary authorizations at startup.</p> +</div> +<div class="paragraph"> +<p>Authorizers are configured using two properties in the <em>nifi.properties</em> file:</p> +</div> +<div class="ulist"> +<ul> +<li> +<p>The <code>nifi.authorizer.configuration.file</code> property specifies the configuration file where authorizers are defined. By default, the <em>authorizers.xml</em> file located in the root installation conf directory is selected.</p> +</li> +<li> +<p>The <code>nifi.security.user.authorizer</code> property indicates which of the configured authorizers in the <em>authorizers.xml</em> file to use.</p> +</li> +</ul> +</div> +</div> +<div class="sect2"> +<h3 id="authorizers-setup"><a class="anchor" href="administration-guide.html#authorizers-setup"></a>Authorizers.xml Setup</h3> +<div class="paragraph"> +<p>The <em>authorizers.xml</em> file is used to define and configure available authorizers. The default authorizer is the FileAuthorizer, however, you can develop additional authorizers as extensions. The FileAuthorizer has the following properties:</p> +</div> +<div class="ulist"> +<ul> +<li> +<p>Authorizations File - The file where the FileAuthorizer stores policies. By default, the <em>authorizations.xml</em> in the <em>conf</em> directory is chosen.</p> +</li> +<li> +<p>Users File - The file where the FileAuthorizer stores users and groups. By default, the <em>users.xml</em> in the <em>conf</em> directory is chosen.</p> +</li> +<li> +<p>Initial Admin Identity - The identity of an initial admin user that is granted access to the UI and given the ability to create additional users, groups, and policies. This property is only used when there are no other users, groups, and policies defined.</p> +</li> +<li> +<p>Legacy Authorized Users File - The full path to an existing authorized-users.xml that is automatically converted to the multi-tenant authorization model. This property is only used when there are no other users, groups, and policies defined.</p> +</li> +<li> +<p>Node Identity - The identity of a NiFi cluster node. When clustered, a property for each node should be defined, so that every node knows about every other node. If not clustered, these properties can be ignored.</p> +</li> +</ul> +</div> +<div class="sect3"> +<h4 id="initial-admin-identity"><a class="anchor" href="administration-guide.html#initial-admin-identity"></a>Initial Admin Identity (New NiFi Instance)</h4> +<div class="paragraph"> +<p>If you are setting up a secured NiFi instance for the first time, you must manually designate an âInitial Admin Identityâ in the <em>authorizers.xml</em> file. This initial admin user is granted access to the UI and given the ability to create additional users, groups, and policies. The value of this property could be a DN (when using certificates or LDAP) or a Kerberos principal. If you are the NiFi administrator, add yourself as the âInitial Admin Identityâ.</p> +</div> +<div class="paragraph"> +<p>Here is an example LDAP entry using the name John Smith:</p> +</div> +<div class="listingblock"> +<div class="content"> +<pre><authorizer> + <identifier>file-provider</identifier> + <class>org.apache.nifi.authorization.FileAuthorizer</class> + <property name="Authorizations File">./conf/authorizations.xml</property> + <property name="Users File">./conf/users.xml</property> + <property name="Initial Admin Identity">cn=John Smith,ou=people,dc=example,dc=com</property> + <property name="Legacy Authorized Users File"></property> + <!-- + <property name="Node Identity 1"></property> + <property name="Node Identity 2"></property> + --> + </authorizer> +</authorizers></pre> +</div> +</div> +<div class="paragraph"> +<p>Here is an example Kerberos entry using the name John Smith and realm <code>NIFI.APACHE.ORG</code>:</p> +</div> +<div class="listingblock"> +<div class="content"> +<pre><authorizer> + <identifier>file-provider</identifier> + <class>org.apache.nifi.authorization.FileAuthorizer</class> + <property name="Authorizations File">./conf/authorizations.xml</property> + <property name="Users File">./conf/users.xml</property> + <property name="Initial Admin Identity">[email protected]</property> + <property name="Legacy Authorized Users File"></property> + <!-- + <property name="Node Identity 1"></property> + <property name="Node Identity 2"></property> + --> + </authorizer> +</authorizers></pre> +</div> +</div> +<div class="paragraph"> +<p>After you have edited and saved the <em>authorizers.xml</em> file, restart NiFi. The âInitial Admin Identityâ user and administrative policies are added to the <em>users.xml</em> and <em>authorizations.xml</em> files during restart. Once NiFi starts, the âInitial Admin Identityâ user is able to access the UI and begin managing users, groups, and policies.</p> +</div> +<div class="admonitionblock note"> +<table> +<tr> +<td class="icon"> +<i class="fa icon-note" title="Note"></i> +</td> +<td class="content"> +For a brand new secure flow, providing the "Initial Admin Identity" gives that user access to get into the UI and to manage users, groups and policies. But if that user wants to start modifying the flow, they need to grant themselves policies for the root process group. The system is unable to do this automatically because in a new flow the UUID of the root process group is not permanent until the flow.xml.gz is generated. If the NiFi instance is an upgrade from an existing flow.xml.gz or a 1.x instance going from unsecure to secure, then the "Initial Admin Identity" user is automatically given the privileges to modify the flow. +</td> +</tr> +</table> +</div> +</div> +<div class="sect3"> +<h4 id="legacy-authorized-users"><a class="anchor" href="administration-guide.html#legacy-authorized-users"></a>Legacy Authorized Users (NiFi Instance Upgrade)</h4> +<div class="paragraph"> +<p>If you are upgrading from a 0.x NiFi instance, you can convert your previously configured users and roles to the multi-tenant authorization model. In the <em>authorizers.xml</em> file, specify the location of your existing <em>authorized-users.xml</em> file in the âLegacy Authorized Users Fileâ property.</p> +</div> +<div class="paragraph"> +<p>Here is an example entry:</p> +</div> +<div class="listingblock"> +<div class="content"> +<pre><authorizers> + <authorizer> + <identifier>file-provider</identifier> + <class>org.apache.nifi.authorization.FileAuthorizer</class> + <property name="Authorizations File">./conf/authorizations.xml</property> + <property name="Users File">./conf/users.xml</property> + <property name="Initial Admin Identity"></property> + <property name="Legacy Authorized Users File">/Users/johnsmith/config_files/authorized-users.xml</property> + </authorizer> +</authorizers></pre> +</div> +</div> +<div class="paragraph"> +<p>After you have edited and saved the <em>authorizers.xml</em> file, restart NiFi. Users and roles from the <em>authorized-users.xml</em> file are converted and added as identities and policies in the <em>users.xml</em> and <em>authorizations.xml</em> files. Once the application starts, users who previously had a legacy Administrator role can access the UI and begin managing users, groups, and policies.</p> +</div> +<div class="paragraph"> +<p>The following tables summarize the global and component policies assigned to each legacy role if the NiFi instance has an existing <em>flow.xml.gz</em>:</p> +</div> +<div class="sect4"> +<h5 id="global-access-policies"><a class="anchor" href="administration-guide.html#global-access-policies"></a>Global Access Policies</h5> +<table class="tableblock frame-all grid-all spread"> +<colgroup> +<col style="width: 14%;"> +<col style="width: 14%;"> +<col style="width: 14%;"> +<col style="width: 14%;"> +<col style="width: 14%;"> +<col style="width: 14%;"> +<col style="width: 14%;"> +</colgroup> +<thead> +<tr> +<th class="tableblock halign-right valign-top"></th> +<th class="tableblock halign-center valign-top">Admin</th> +<th class="tableblock halign-center valign-top">DFM</th> +<th class="tableblock halign-center valign-top">Monitor</th> +<th class="tableblock halign-center valign-top">Provenance</th> +<th class="tableblock halign-center valign-top">NiFi</th> +<th class="tableblock halign-center valign-top">Proxy</th> +</tr> +</thead> +<tbody> +<tr> +<td class="tableblock halign-right valign-top"><p class="tableblock"><strong>view the UI</strong></p></td> +<td class="tableblock halign-center valign-top"><p class="tableblock"><strong>*</strong></p></td> +<td class="tableblock halign-center valign-top"><p class="tableblock"><strong>*</strong></p></td> +<td class="tableblock halign-center valign-top"><p class="tableblock"><strong>*</strong></p></td> +<td class="tableblock halign-center valign-top"></td> +<td class="tableblock halign-center valign-top"></td> +<td class="tableblock halign-center valign-top"></td> +</tr> +<tr> +<td class="tableblock halign-right valign-top"><p class="tableblock"><strong>access the controller - view</strong></p></td> +<td class="tableblock halign-center valign-top"><p class="tableblock"><strong>*</strong></p></td> +<td class="tableblock halign-center valign-top"><p class="tableblock"><strong>*</strong></p></td> +<td class="tableblock halign-center valign-top"><p class="tableblock"><strong>*</strong></p></td> +<td class="tableblock halign-center valign-top"></td> +<td class="tableblock halign-center valign-top"><p class="tableblock"><strong>*</strong></p></td> +<td class="tableblock halign-center valign-top"></td> +</tr> +<tr> +<td class="tableblock halign-right valign-top"><p class="tableblock"><strong>access the controller - modify</strong></p></td> +<td class="tableblock halign-center valign-top"></td> +<td class="tableblock halign-center valign-top"><p class="tableblock"><strong>*</strong></p></td> +<td class="tableblock halign-center valign-top"></td> +<td class="tableblock halign-center valign-top"></td> +<td class="tableblock halign-center valign-top"></td> +<td class="tableblock halign-center valign-top"></td> +</tr> +<tr> +<td class="tableblock halign-right valign-top"><p class="tableblock"><strong>query provenance</strong></p></td> +<td class="tableblock halign-center valign-top"></td> +<td class="tableblock halign-center valign-top"></td> +<td class="tableblock halign-center valign-top"></td> +<td class="tableblock halign-center valign-top"><p class="tableblock"><strong>*</strong></p></td> +<td class="tableblock halign-center valign-top"></td> +<td class="tableblock halign-center valign-top"></td> +</tr> +<tr> +<td class="tableblock halign-right valign-top"><p class="tableblock"><strong>access restricted components</strong></p></td> +<td class="tableblock halign-center valign-top"></td> +<td class="tableblock halign-center valign-top"><p class="tableblock"><strong>*</strong></p></td> +<td class="tableblock halign-center valign-top"></td> +<td class="tableblock halign-center valign-top"></td> +<td class="tableblock halign-center valign-top"></td> +<td class="tableblock halign-center valign-top"></td> +</tr> +<tr> +<td class="tableblock halign-right valign-top"><p class="tableblock"><strong>access all policies - view</strong></p></td> +<td class="tableblock halign-center valign-top"><p class="tableblock"><strong>*</strong></p></td> +<td class="tableblock halign-center valign-top"></td> +<td class="tableblock halign-center valign-top"></td> +<td class="tableblock halign-center valign-top"></td> +<td class="tableblock halign-center valign-top"></td> +<td class="tableblock halign-center valign-top"></td> +</tr> +<tr> +<td class="tableblock halign-right valign-top"><p class="tableblock"><strong>access all policies - modify</strong></p></td> +<td class="tableblock halign-center valign-top"><p class="tableblock"><strong>*</strong></p></td> +<td class="tableblock halign-center valign-top"></td> +<td class="tableblock halign-center valign-top"></td> +<td class="tableblock halign-center valign-top"></td> +<td class="tableblock halign-center valign-top"></td> +<td class="tableblock halign-center valign-top"></td> +</tr> +<tr> +<td class="tableblock halign-right valign-top"><p class="tableblock"><strong>access users/user groups - view</strong></p></td> +<td class="tableblock halign-center valign-top"><p class="tableblock"><strong>*</strong></p></td> +<td class="tableblock halign-center valign-top"></td> +<td class="tableblock halign-center valign-top"></td> +<td class="tableblock halign-center valign-top"></td> +<td class="tableblock halign-center valign-top"></td> +<td class="tableblock halign-center valign-top"></td> +</tr> +<tr> +<td class="tableblock halign-right valign-top"><p class="tableblock"><strong>access users/user groups - modify</strong></p></td> +<td class="tableblock halign-center valign-top"><p class="tableblock"><strong>*</strong></p></td> +<td class="tableblock halign-center valign-top"></td> +<td class="tableblock halign-center valign-top"></td> +<td class="tableblock halign-center valign-top"></td> +<td class="tableblock halign-center valign-top"></td> +<td class="tableblock halign-center valign-top"></td> +</tr> +<tr> +<td class="tableblock halign-right valign-top"><p class="tableblock"><strong>retrieve site-to-site details</strong></p></td> +<td class="tableblock halign-center valign-top"></td> +<td class="tableblock halign-center valign-top"></td> +<td class="tableblock halign-center valign-top"></td> +<td class="tableblock halign-center valign-top"></td> +<td class="tableblock halign-center valign-top"><p class="tableblock"><strong>*</strong></p></td> +<td class="tableblock halign-center valign-top"></td> +</tr> +<tr> +<td class="tableblock halign-right valign-top"><p class="tableblock"><strong>view system diagnostics</strong></p></td> +<td class="tableblock halign-center valign-top"></td>
[... 4196 lines stripped ...]
