Added: nifi/site/trunk/docs/nifi-registry-docs/html/administration-guide.html URL: http://svn.apache.org/viewvc/nifi/site/trunk/docs/nifi-registry-docs/html/administration-guide.html?rev=1819846&view=auto ============================================================================== --- nifi/site/trunk/docs/nifi-registry-docs/html/administration-guide.html (added) +++ nifi/site/trunk/docs/nifi-registry-docs/html/administration-guide.html Tue Jan 2 15:19:25 2018 @@ -0,0 +1,2107 @@ +<!-- + Licensed to the Apache Software Foundation (ASF) under one or more + contributor license agreements. See the NOTICE file distributed with + this work for additional information regarding copyright ownership. + The ASF licenses this file to You under the Apache License, Version 2.0 + (the "License"); you may not use this file except in compliance with + the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. + --> + <!DOCTYPE html> +<html lang="en"> +<head> +<meta charset="UTF-8"> +<!--[if IE]><meta http-equiv="X-UA-Compatible" content="IE=edge"><![endif]--> +<meta name="viewport" content="width=device-width, initial-scale=1.0"> +<meta name="generator" content="Asciidoctor 1.5.2"> +<meta name="author" content="Apache NiFi Team"> +<title>Apache NiFi Registry System Administrator’s Guide</title> +<style> +/* Asciidoctor default stylesheet | MIT License | http://asciidoctor.org */ +/* Copyright (C) 2012-2015 Dan Allen, Ryan Waldron and the Asciidoctor Project + +Permission is hereby granted, free of charge, to any person obtaining a copy +of this software and associated documentation files (the "Software"), to deal +in the Software without restriction, including without limitation the rights +to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +copies of the Software, and to permit persons to whom the Software is +furnished to do so, subject to the following conditions: + +The above copyright notice and this permission notice shall be included in +all copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN +THE SOFTWARE. */ +/* Remove the comments around the @import statement below when using this as a custom stylesheet */ +@import "https://fonts.googleapis.com/css?family=Open+Sans:300,300italic,400,400italic,600,600italic%7CNoto+Serif:400,400italic,700,700italic%7CDroid+Sans+Mono:400";; +article,aside,details,figcaption,figure,footer,header,hgroup,main,nav,section,summary{display:block} +audio,canvas,video{display:inline-block} +audio:not([controls]){display:none;height:0} +[hidden],template{display:none} +script{display:none!important} +html{font-family:sans-serif;-ms-text-size-adjust:100%;-webkit-text-size-adjust:100%} +body{margin:0} +a{background:transparent} +a:focus{outline:thin dotted} +a:active,a:hover{outline:0} +h1{font-size:2em;margin:.67em 0} +abbr[title]{border-bottom:1px dotted} +b,strong{font-weight:bold} +dfn{font-style:italic} +hr{-moz-box-sizing:content-box;box-sizing:content-box;height:0} +mark{background:#ff0;color:#000} +code,kbd,pre,samp{font-family:monospace;font-size:1em} +pre{white-space:pre-wrap} +q{quotes:"\201C" "\201D" "\2018" "\2019"} +small{font-size:80%} +sub,sup{font-size:75%;line-height:0;position:relative;vertical-align:baseline} +sup{top:-.5em} +sub{bottom:-.25em} +img{border:0} +svg:not(:root){overflow:hidden} +figure{margin:0} +fieldset{border:1px solid silver;margin:0 2px;padding:.35em .625em .75em} +legend{border:0;padding:0} +button,input,select,textarea{font-family:inherit;font-size:100%;margin:0} +button,input{line-height:normal} +button,select{text-transform:none} +button,html input[type="button"],input[type="reset"],input[type="submit"]{-webkit-appearance:button;cursor:pointer} +button[disabled],html input[disabled]{cursor:default} +input[type="checkbox"],input[type="radio"]{box-sizing:border-box;padding:0} +input[type="search"]{-webkit-appearance:textfield;-moz-box-sizing:content-box;-webkit-box-sizing:content-box;box-sizing:content-box} +input[type="search"]::-webkit-search-cancel-button,input[type="search"]::-webkit-search-decoration{-webkit-appearance:none} +button::-moz-focus-inner,input::-moz-focus-inner{border:0;padding:0} +textarea{overflow:auto;vertical-align:top} +table{border-collapse:collapse;border-spacing:0} +*,*:before,*:after{-moz-box-sizing:border-box;-webkit-box-sizing:border-box;box-sizing:border-box} +html,body{font-size:100%} +body{background:#fff;color:rgba(0,0,0,.8);padding:0;margin:0;font-family:"Noto Serif","DejaVu Serif",serif;font-weight:400;font-style:normal;line-height:1;position:relative;cursor:auto} +a:hover{cursor:pointer} +img,object,embed{max-width:100%;height:auto} +object,embed{height:100%} +img{-ms-interpolation-mode:bicubic} +#map_canvas img,#map_canvas embed,#map_canvas object,.map_canvas img,.map_canvas embed,.map_canvas object{max-width:none!important} +.left{float:left!important} +.right{float:right!important} +.text-left{text-align:left!important} +.text-right{text-align:right!important} +.text-center{text-align:center!important} +.text-justify{text-align:justify!important} +.hide{display:none} +.antialiased,body{-webkit-font-smoothing:antialiased} +img{display:inline-block;vertical-align:middle} +textarea{height:auto;min-height:50px} +select{width:100%} +p.lead,.paragraph.lead>p,#preamble>.sectionbody>.paragraph:first-of-type p{font-size:1.21875em;line-height:1.6} +.subheader,.admonitionblock td.content>.title,.audioblock>.title,.exampleblock>.title,.imageblock>.title,.listingblock>.title,.literalblock>.title,.stemblock>.title,.openblock>.title,.paragraph>.title,.quoteblock>.title,table.tableblock>.title,.verseblock>.title,.videoblock>.title,.dlist>.title,.olist>.title,.ulist>.title,.qlist>.title,.hdlist>.title{line-height:1.45;color:#7a2518;font-weight:400;margin-top:0;margin-bottom:.25em} +div,dl,dt,dd,ul,ol,li,h1,h2,h3,#toctitle,.sidebarblock>.content>.title,h4,h5,h6,pre,form,p,blockquote,th,td{margin:0;padding:0;direction:ltr} +a{color:#2156a5;text-decoration:underline;line-height:inherit} +a:hover,a:focus{color:#1d4b8f} +a img{border:none} +p{font-family:inherit;font-weight:400;font-size:1em;line-height:1.6;margin-bottom:1.25em;text-rendering:optimizeLegibility} +p aside{font-size:.875em;line-height:1.35;font-style:italic} +h1,h2,h3,#toctitle,.sidebarblock>.content>.title,h4,h5,h6{font-family:"Open Sans","DejaVu Sans",sans-serif;font-weight:300;font-style:normal;color:#ba3925;text-rendering:optimizeLegibility;margin-top:1em;margin-bottom:.5em;line-height:1.0125em} +h1 small,h2 small,h3 small,#toctitle small,.sidebarblock>.content>.title small,h4 small,h5 small,h6 small{font-size:60%;color:#e99b8f;line-height:0} +h1{font-size:2.125em} +h2{font-size:1.6875em} +h3,#toctitle,.sidebarblock>.content>.title{font-size:1.375em} +h4,h5{font-size:1.125em} +h6{font-size:1em} +hr{border:solid #ddddd8;border-width:1px 0 0;clear:both;margin:1.25em 0 1.1875em;height:0} +em,i{font-style:italic;line-height:inherit} +strong,b{font-weight:bold;line-height:inherit} +small{font-size:60%;line-height:inherit} +code{font-family:"Droid Sans Mono","DejaVu Sans Mono",monospace;font-weight:400;color:rgba(0,0,0,.9);padding-right: 1px;} +ul,ol,dl{font-size:1em;line-height:1.6;margin-bottom:1.25em;list-style-position:outside;font-family:inherit} +ul,ol,ul.no-bullet,ol.no-bullet{margin-left:1.5em} +ul li ul,ul li ol{margin-left:1.25em;margin-bottom:0;font-size:1em} +ul.square li ul,ul.circle li ul,ul.disc li ul{list-style:inherit} +ul.square{list-style-type:square} +ul.circle{list-style-type:circle} +ul.disc{list-style-type:disc} +ul.no-bullet{list-style:none} +ol li ul,ol li ol{margin-left:1.25em;margin-bottom:0} +dl dt{margin-bottom:.3125em;font-weight:bold} +dl dd{margin-bottom:1.25em} +abbr,acronym{text-transform:uppercase;font-size:90%;color:rgba(0,0,0,.8);border-bottom:1px dotted #ddd;cursor:help} +abbr{text-transform:none} +blockquote{margin:0 0 1.25em;padding:.5625em 1.25em 0 1.1875em;border-left:1px solid #ddd} +blockquote cite{display:block;font-size:.9375em;color:rgba(0,0,0,.6)} +blockquote cite:before{content:"\2014 \0020"} +blockquote cite a,blockquote cite a:visited{color:rgba(0,0,0,.6)} +blockquote,blockquote p{line-height:1.6;color:rgba(0,0,0,.85)} +@media only screen and (min-width:768px){h1,h2,h3,#toctitle,.sidebarblock>.content>.title,h4,h5,h6{line-height:1.2} +h1{font-size:2.75em} +h2{font-size:2.3125em} +h3,#toctitle,.sidebarblock>.content>.title{font-size:1.6875em} +h4{font-size:1.4375em}}table{background:#fff;margin-bottom:1.25em;border:solid 1px #dedede} +table thead,table tfoot{background:#f7f8f7;font-weight:bold} +table thead tr th,table thead tr td,table tfoot tr th,table tfoot tr td{padding:.5em .625em .625em;font-size:inherit;color:rgba(0,0,0,.8);text-align:left} +table tr th,table tr td{padding:.5625em .625em;font-size:inherit;color:rgba(0,0,0,.8)} +table tr.even,table tr.alt,table tr:nth-of-type(even){background:#f8f8f7} +table thead tr th,table tfoot tr th,table tbody tr td,table tr td,table tfoot tr td{display:table-cell;line-height:1.6} +h1,h2,h3,#toctitle,.sidebarblock>.content>.title,h4,h5,h6{line-height:1.2;word-spacing:-.05em} +h1 strong,h2 strong,h3 strong,#toctitle strong,.sidebarblock>.content>.title strong,h4 strong,h5 strong,h6 strong{font-weight:400} +.clearfix:before,.clearfix:after,.float-group:before,.float-group:after{content:" ";display:table} +.clearfix:after,.float-group:after{clear:both} +*:not(pre)>code{font-size:.9375em;font-style:normal!important;letter-spacing:0;word-spacing:-.15em;background-color:#f7f7f8;-webkit-border-radius:4px;border-radius:4px;line-height:1.45;text-rendering:optimizeSpeed} +pre,pre>code{line-height:1.45;color:rgba(0,0,0,.9);font-family:"Droid Sans Mono","DejaVu Sans Mono",monospace;font-weight:400;text-rendering:optimizeSpeed} +.keyseq{color:rgba(51,51,51,.8)} +kbd{display:inline-block;color:rgba(0,0,0,.8);font-size:.75em;line-height:1.4;background-color:#f7f7f7;border:1px solid #ccc;-webkit-border-radius:3px;border-radius:3px;-webkit-box-shadow:0 1px 0 rgba(0,0,0,.2),0 0 0 .1em white inset;box-shadow:0 1px 0 rgba(0,0,0,.2),0 0 0 .1em #fff inset;margin:-.15em .15em 0 .15em;padding:.2em .6em .2em .5em;vertical-align:middle;white-space:nowrap} +.keyseq kbd:first-child{margin-left:0} +.keyseq kbd:last-child{margin-right:0} +.menuseq,.menu{color:rgba(0,0,0,.8)} +b.button:before,b.button:after{position:relative;top:-1px;font-weight:400} +b.button:before{content:"[";padding:0 3px 0 2px} +b.button:after{content:"]";padding:0 2px 0 3px} +p a>code:hover{color:rgba(0,0,0,.9)} +#header,#content,#footnotes,#footer{width:100%;margin-left:auto;margin-right:auto;margin-top:0;margin-bottom:0;max-width:62.5em;*zoom:1;position:relative;padding-left:.9375em;padding-right:.9375em} +#header:before,#header:after,#content:before,#content:after,#footnotes:before,#footnotes:after,#footer:before,#footer:after{content:" ";display:table} +#header:after,#content:after,#footnotes:after,#footer:after{clear:both} +#content{margin-top:1.25em} +#content:before{content:none} +#header>h1:first-child{color:rgba(0,0,0,.85);margin-top:2.25rem;margin-bottom:0} +#header>h1:first-child+#toc{margin-top:8px;border-top:1px solid #ddddd8} +#header>h1:only-child,body.toc2 #header>h1:nth-last-child(2){border-bottom:1px solid #ddddd8;padding-bottom:8px} +#header .details{border-bottom:1px solid #ddddd8;line-height:1.45;padding-top:.25em;padding-bottom:.25em;padding-left:.25em;color:rgba(0,0,0,.6);display:-ms-flexbox;display:-webkit-flex;display:flex;-ms-flex-flow:row wrap;-webkit-flex-flow:row wrap;flex-flow:row wrap} +#header .details span:first-child{margin-left:-.125em} +#header .details span.email a{color:rgba(0,0,0,.85)} +#header .details br{display:none} +#header .details br+span:before{content:"\00a0\2013\00a0"} +#header .details br+span.author:before{content:"\00a0\22c5\00a0";color:rgba(0,0,0,.85)} +#header .details br+span#revremark:before{content:"\00a0|\00a0"} +#header #revnumber{text-transform:capitalize} +#header #revnumber:after{content:"\00a0"} +#content>h1:first-child:not([class]){color:rgba(0,0,0,.85);border-bottom:1px solid #ddddd8;padding-bottom:8px;margin-top:0;padding-top:1rem;margin-bottom:1.25rem} +#toc{border-bottom:1px solid #efefed;padding-bottom:.5em} +#toc>ul{margin-left:.125em} +#toc ul.sectlevel0>li>a{font-style:italic} +#toc ul.sectlevel0 ul.sectlevel1{margin:.5em 0} +#toc ul{font-family:"Open Sans","DejaVu Sans",sans-serif;list-style-type:none} +#toc a{text-decoration:none} +#toc a:active{text-decoration:underline} +#toctitle{color:#7a2518;font-size:1.2em} +@media only screen and (min-width:768px){#toctitle{font-size:1.375em} +body.toc2{padding-left:15em;padding-right:0} +#toc.toc2{margin-top:0!important;background-color:#f8f8f7;position:fixed;width:15em;left:0;top:0;border-right:1px solid #efefed;border-top-width:0!important;border-bottom-width:0!important;z-index:1000;padding:1.25em 1em;height:100%;overflow:auto} +#toc.toc2 #toctitle{margin-top:0;font-size:1.2em} +#toc.toc2>ul{font-size:.9em;margin-bottom:0} +#toc.toc2 ul ul{margin-left:0;padding-left:1em} +#toc.toc2 ul.sectlevel0 ul.sectlevel1{padding-left:0;margin-top:.5em;margin-bottom:.5em} +body.toc2.toc-right{padding-left:0;padding-right:15em} +body.toc2.toc-right #toc.toc2{border-right-width:0;border-left:1px solid #efefed;left:auto;right:0}}@media only screen and (min-width:1280px){body.toc2{padding-left:20em;padding-right:0} +#toc.toc2{width:20em} +#toc.toc2 #toctitle{font-size:1.375em} +#toc.toc2>ul{font-size:.95em} +#toc.toc2 ul ul{padding-left:1.25em} +body.toc2.toc-right{padding-left:0;padding-right:20em}}#content #toc{border-style:solid;border-width:1px;border-color:#e0e0dc;margin-bottom:1.25em;padding:1.25em;background:#f8f8f7;-webkit-border-radius:4px;border-radius:4px} +#content #toc>:first-child{margin-top:0} +#content #toc>:last-child{margin-bottom:0} +#footer{max-width:100%;background-color:rgba(0,0,0,.8);padding:1.25em} +#footer-text{color:rgba(255,255,255,.8);line-height:1.44} +.sect1{padding-bottom:.625em} +@media only screen and (min-width:768px){.sect1{padding-bottom:1.25em}}.sect1+.sect1{border-top:1px solid #efefed} +#content h1>a.anchor,h2>a.anchor,h3>a.anchor,#toctitle>a.anchor,.sidebarblock>.content>.title>a.anchor,h4>a.anchor,h5>a.anchor,h6>a.anchor{position:absolute;z-index:1001;width:1.5ex;margin-left:-1.5ex;display:block;text-decoration:none!important;visibility:hidden;text-align:center;font-weight:400} +#content h1>a.anchor:before,h2>a.anchor:before,h3>a.anchor:before,#toctitle>a.anchor:before,.sidebarblock>.content>.title>a.anchor:before,h4>a.anchor:before,h5>a.anchor:before,h6>a.anchor:before{content:"\00A7";font-size:.85em;display:block;padding-top:.1em} +#content h1:hover>a.anchor,#content h1>a.anchor:hover,h2:hover>a.anchor,h2>a.anchor:hover,h3:hover>a.anchor,#toctitle:hover>a.anchor,.sidebarblock>.content>.title:hover>a.anchor,h3>a.anchor:hover,#toctitle>a.anchor:hover,.sidebarblock>.content>.title>a.anchor:hover,h4:hover>a.anchor,h4>a.anchor:hover,h5:hover>a.anchor,h5>a.anchor:hover,h6:hover>a.anchor,h6>a.anchor:hover{visibility:visible} +#content h1>a.link,h2>a.link,h3>a.link,#toctitle>a.link,.sidebarblock>.content>.title>a.link,h4>a.link,h5>a.link,h6>a.link{color:#ba3925;text-decoration:none} +#content h1>a.link:hover,h2>a.link:hover,h3>a.link:hover,#toctitle>a.link:hover,.sidebarblock>.content>.title>a.link:hover,h4>a.link:hover,h5>a.link:hover,h6>a.link:hover{color:#a53221} +.audioblock,.imageblock,.literalblock,.listingblock,.stemblock,.videoblock{margin-bottom:1.25em} +.admonitionblock td.content>.title,.audioblock>.title,.exampleblock>.title,.imageblock>.title,.listingblock>.title,.literalblock>.title,.stemblock>.title,.openblock>.title,.paragraph>.title,.quoteblock>.title,table.tableblock>.title,.verseblock>.title,.videoblock>.title,.dlist>.title,.olist>.title,.ulist>.title,.qlist>.title,.hdlist>.title{text-rendering:optimizeLegibility;text-align:left;font-family:"Noto Serif","DejaVu Serif",serif;font-size:1rem;font-style:italic} +table.tableblock>caption.title{white-space:nowrap;overflow:visible;max-width:0} +.paragraph.lead>p,#preamble>.sectionbody>.paragraph:first-of-type p{color:rgba(0,0,0,.85)} +table.tableblock #preamble>.sectionbody>.paragraph:first-of-type p{font-size:inherit} +.admonitionblock>table{border-collapse:separate;border:0;background:none;width:100%} +.admonitionblock>table td.icon{text-align:center;width:80px} +.admonitionblock>table td.icon img{max-width:none} +.admonitionblock>table td.icon .title{font-weight:bold;font-family:"Open Sans","DejaVu Sans",sans-serif;text-transform:uppercase} +.admonitionblock>table td.content{padding-left:1.125em;padding-right:1.25em;border-left:1px solid #ddddd8;color:rgba(0,0,0,.6)} +.admonitionblock>table td.content>:last-child>:last-child{margin-bottom:0} +.exampleblock>.content{border-style:solid;border-width:1px;border-color:#e6e6e6;margin-bottom:1.25em;padding:1.25em;background:#fff;-webkit-border-radius:4px;border-radius:4px} +.exampleblock>.content>:first-child{margin-top:0} +.exampleblock>.content>:last-child{margin-bottom:0} +.sidebarblock{border-style:solid;border-width:1px;border-color:#e0e0dc;margin-bottom:1.25em;padding:1.25em;background:#f8f8f7;-webkit-border-radius:4px;border-radius:4px} +.sidebarblock>:first-child{margin-top:0} +.sidebarblock>:last-child{margin-bottom:0} +.sidebarblock>.content>.title{color:#7a2518;margin-top:0;text-align:center} +.exampleblock>.content>:last-child>:last-child,.exampleblock>.content .olist>ol>li:last-child>:last-child,.exampleblock>.content .ulist>ul>li:last-child>:last-child,.exampleblock>.content .qlist>ol>li:last-child>:last-child,.sidebarblock>.content>:last-child>:last-child,.sidebarblock>.content .olist>ol>li:last-child>:last-child,.sidebarblock>.content .ulist>ul>li:last-child>:last-child,.sidebarblock>.content .qlist>ol>li:last-child>:last-child{margin-bottom:0} +.literalblock pre,.listingblock pre:not(.highlight),.listingblock pre[class="highlight"],.listingblock pre[class^="highlight "],.listingblock pre.CodeRay,.listingblock pre.prettyprint{background:#f7f7f8} +.sidebarblock .literalblock pre,.sidebarblock .listingblock pre:not(.highlight),.sidebarblock .listingblock pre[class="highlight"],.sidebarblock .listingblock pre[class^="highlight "],.sidebarblock .listingblock pre.CodeRay,.sidebarblock .listingblock pre.prettyprint{background:#f2f1f1} +.literalblock pre,.literalblock pre[class],.listingblock pre,.listingblock pre[class]{-webkit-border-radius:4px;border-radius:4px;word-wrap:break-word;padding:1em;font-size:.8125em} +.literalblock pre.nowrap,.literalblock pre[class].nowrap,.listingblock pre.nowrap,.listingblock pre[class].nowrap{overflow-x:auto;white-space:pre;word-wrap:normal} +@media only screen and (min-width:768px){.literalblock pre,.literalblock pre[class],.listingblock pre,.listingblock pre[class]{font-size:.90625em}}@media only screen and (min-width:1280px){.literalblock pre,.literalblock pre[class],.listingblock pre,.listingblock pre[class]{font-size:1em}}.literalblock.output pre{color:#f7f7f8;background-color:rgba(0,0,0,.9)} +.listingblock pre.highlightjs{padding:0} +.listingblock pre.highlightjs>code{padding:1em;-webkit-border-radius:4px;border-radius:4px} +.listingblock pre.prettyprint{border-width:0} +.listingblock>.content{position:relative} +.listingblock code[data-lang]:before{display:none;content:attr(data-lang);position:absolute;font-size:.75em;top:.425rem;right:.5rem;line-height:1;text-transform:uppercase;color:#999} +.listingblock:hover code[data-lang]:before{display:block} +.listingblock.terminal pre .command:before{content:attr(data-prompt);padding-right:.5em;color:#999} +.listingblock.terminal pre .command:not([data-prompt]):before{content:"$"} +table.pyhltable{border-collapse:separate;border:0;margin-bottom:0;background:none} +table.pyhltable td{vertical-align:top;padding-top:0;padding-bottom:0} +table.pyhltable td.code{padding-left:.75em;padding-right:0} +pre.pygments .lineno,table.pyhltable td:not(.code){color:#999;padding-left:0;padding-right:.5em;border-right:1px solid #ddddd8} +pre.pygments .lineno{display:inline-block;margin-right:.25em} +table.pyhltable .linenodiv{background:none!important;padding-right:0!important} +.quoteblock{margin:0 1em 1.25em 1.5em;display:table} +.quoteblock>.title{margin-left:-1.5em;margin-bottom:.75em} +.quoteblock blockquote,.quoteblock blockquote p{color:rgba(0,0,0,.85);font-size:1.15rem;line-height:1.75;word-spacing:.1em;letter-spacing:0;font-style:italic;text-align:justify} +.quoteblock blockquote{margin:0;padding:0;border:0} +.quoteblock blockquote:before{content:"\201c";float:left;font-size:2.75em;font-weight:bold;line-height:.6em;margin-left:-.6em;color:#7a2518;text-shadow:0 1px 2px rgba(0,0,0,.1)} +.quoteblock blockquote>.paragraph:last-child p{margin-bottom:0} +.quoteblock .attribution{margin-top:.5em;margin-right:.5ex;text-align:right} +.quoteblock .quoteblock{margin-left:0;margin-right:0;padding:.5em 0;border-left:3px solid rgba(0,0,0,.6)} +.quoteblock .quoteblock blockquote{padding:0 0 0 .75em} +.quoteblock .quoteblock blockquote:before{display:none} +.verseblock{margin:0 1em 1.25em 1em} +.verseblock pre{font-family:"Open Sans","DejaVu Sans",sans;font-size:1.15rem;color:rgba(0,0,0,.85);font-weight:300;text-rendering:optimizeLegibility} +.verseblock pre strong{font-weight:400} +.verseblock .attribution{margin-top:1.25rem;margin-left:.5ex} +.quoteblock .attribution,.verseblock .attribution{font-size:.9375em;line-height:1.45;font-style:italic} +.quoteblock .attribution br,.verseblock .attribution br{display:none} +.quoteblock .attribution cite,.verseblock .attribution cite{display:block;letter-spacing:-.05em;color:rgba(0,0,0,.6)} +.quoteblock.abstract{margin:0 0 1.25em 0;display:block} +.quoteblock.abstract blockquote,.quoteblock.abstract blockquote p{text-align:left;word-spacing:0} +.quoteblock.abstract blockquote:before,.quoteblock.abstract blockquote p:first-of-type:before{display:none} +table.tableblock{max-width:100%;border-collapse:separate} +table.tableblock td>.paragraph:last-child p>p:last-child,table.tableblock th>p:last-child,table.tableblock td>p:last-child{margin-bottom:0} +table.spread{width:100%} +table.tableblock,th.tableblock,td.tableblock{border:0 solid #dedede} +table.grid-all th.tableblock,table.grid-all td.tableblock{border-width:0 1px 1px 0} +table.grid-all tfoot>tr>th.tableblock,table.grid-all tfoot>tr>td.tableblock{border-width:1px 1px 0 0} +table.grid-cols th.tableblock,table.grid-cols td.tableblock{border-width:0 1px 0 0} +table.grid-all *>tr>.tableblock:last-child,table.grid-cols *>tr>.tableblock:last-child{border-right-width:0} +table.grid-rows th.tableblock,table.grid-rows td.tableblock{border-width:0 0 1px 0} +table.grid-all tbody>tr:last-child>th.tableblock,table.grid-all tbody>tr:last-child>td.tableblock,table.grid-all thead:last-child>tr>th.tableblock,table.grid-rows tbody>tr:last-child>th.tableblock,table.grid-rows tbody>tr:last-child>td.tableblock,table.grid-rows thead:last-child>tr>th.tableblock{border-bottom-width:0} +table.grid-rows tfoot>tr>th.tableblock,table.grid-rows tfoot>tr>td.tableblock{border-width:1px 0 0 0} +table.frame-all{border-width:1px} +table.frame-sides{border-width:0 1px} +table.frame-topbot{border-width:1px 0} +th.halign-left,td.halign-left{text-align:left} +th.halign-right,td.halign-right{text-align:right} +th.halign-center,td.halign-center{text-align:center} +th.valign-top,td.valign-top{vertical-align:top} +th.valign-bottom,td.valign-bottom{vertical-align:bottom} +th.valign-middle,td.valign-middle{vertical-align:middle} +table thead th,table tfoot th{font-weight:bold} +tbody tr th{display:table-cell;line-height:1.6;background:#f7f8f7} +tbody tr th,tbody tr th p,tfoot tr th,tfoot tr th p{color:rgba(0,0,0,.8);font-weight:bold} +p.tableblock>code:only-child{background:none;padding:0} +p.tableblock{font-size:1em} +td>div.verse{white-space:pre} +ol{margin-left:1.75em} +ul li ol{margin-left:1.5em} +dl dd{margin-left:1.125em} +dl dd:last-child,dl dd:last-child>:last-child{margin-bottom:0} +ol>li p,ul>li p,ul dd,ol dd,.olist .olist,.ulist .ulist,.ulist .olist,.olist .ulist{margin-bottom:.625em} +ul.unstyled,ol.unnumbered,ul.checklist,ul.none{list-style-type:none} +ul.unstyled,ol.unnumbered,ul.checklist{margin-left:.625em} +ul.checklist li>p:first-child>.fa-square-o:first-child,ul.checklist li>p:first-child>.fa-check-square-o:first-child{width:1em;font-size:.85em} +ul.checklist li>p:first-child>input[type="checkbox"]:first-child{width:1em;position:relative;top:1px} +ul.inline{margin:0 auto .625em auto;margin-left:-1.375em;margin-right:0;padding:0;list-style:none;overflow:hidden} +ul.inline>li{list-style:none;float:left;margin-left:1.375em;display:block} +ul.inline>li>*{display:block} +.unstyled dl dt{font-weight:400;font-style:normal} +ol.arabic{list-style-type:decimal} +ol.decimal{list-style-type:decimal-leading-zero} +ol.loweralpha{list-style-type:lower-alpha} +ol.upperalpha{list-style-type:upper-alpha} +ol.lowerroman{list-style-type:lower-roman} +ol.upperroman{list-style-type:upper-roman} +ol.lowergreek{list-style-type:lower-greek} +.hdlist>table,.colist>table{border:0;background:none} +.hdlist>table>tbody>tr,.colist>table>tbody>tr{background:none} +td.hdlist1{padding-right:.75em;font-weight:bold} +td.hdlist1,td.hdlist2{vertical-align:top} +.literalblock+.colist,.listingblock+.colist{margin-top:-.5em} +.colist>table tr>td:first-of-type{padding:0 .75em;line-height:1} +.colist>table tr>td:last-of-type{padding:.25em 0} +.thumb,.th{line-height:0;display:inline-block;border:solid 4px #fff;-webkit-box-shadow:0 0 0 1px #ddd;box-shadow:0 0 0 1px #ddd} +.imageblock.left,.imageblock[style*="float: left"]{margin:.25em .625em 1.25em 0} +.imageblock.right,.imageblock[style*="float: right"]{margin:.25em 0 1.25em .625em} +.imageblock>.title{margin-bottom:0} +.imageblock.thumb,.imageblock.th{border-width:6px} +.imageblock.thumb>.title,.imageblock.th>.title{padding:0 .125em} +.image.left,.image.right{margin-top:.25em;margin-bottom:.25em;display:inline-block;line-height:0} +.image.left{margin-right:.625em} +.image.right{margin-left:.625em} +a.image{text-decoration:none} +span.footnote,span.footnoteref{vertical-align:super;font-size:.875em} +span.footnote a,span.footnoteref a{text-decoration:none} +span.footnote a:active,span.footnoteref a:active{text-decoration:underline} +#footnotes{padding-top:.75em;padding-bottom:.75em;margin-bottom:.625em} +#footnotes hr{width:20%;min-width:6.25em;margin:-.25em 0 .75em 0;border-width:1px 0 0 0} +#footnotes .footnote{padding:0 .375em;line-height:1.3;font-size:.875em;margin-left:1.2em;text-indent:-1.2em;margin-bottom:.2em} +#footnotes .footnote a:first-of-type{font-weight:bold;text-decoration:none} +#footnotes .footnote:last-of-type{margin-bottom:0} +#content #footnotes{margin-top:-.625em;margin-bottom:0;padding:.75em 0} +.gist .file-data>table{border:0;background:#fff;width:100%;margin-bottom:0} +.gist .file-data>table td.line-data{width:99%} +div.unbreakable{page-break-inside:avoid} +.big{font-size:larger} +.small{font-size:smaller} +.underline{text-decoration:underline} +.overline{text-decoration:overline} +.line-through{text-decoration:line-through} +.aqua{color:#00bfbf} +.aqua-background{background-color:#00fafa} +.black{color:#000} +.black-background{background-color:#000} +.blue{color:#0000bf} +.blue-background{background-color:#0000fa} +.fuchsia{color:#bf00bf} +.fuchsia-background{background-color:#fa00fa} +.gray{color:#606060} +.gray-background{background-color:#7d7d7d} +.green{color:#006000} +.green-background{background-color:#007d00} +.lime{color:#00bf00} +.lime-background{background-color:#00fa00} +.maroon{color:#600000} +.maroon-background{background-color:#7d0000} +.navy{color:#000060} +.navy-background{background-color:#00007d} +.olive{color:#606000} +.olive-background{background-color:#7d7d00} +.purple{color:#600060} +.purple-background{background-color:#7d007d} +.red{color:#bf0000} +.red-background{background-color:#fa0000} +.silver{color:#909090} +.silver-background{background-color:#bcbcbc} +.teal{color:#006060} +.teal-background{background-color:#007d7d} +.white{color:#bfbfbf} +.white-background{background-color:#fafafa} +.yellow{color:#bfbf00} +.yellow-background{background-color:#fafa00} +span.icon>.fa{cursor:default} +.admonitionblock td.icon [class^="fa icon-"]{font-size:2.5em;text-shadow:1px 1px 2px rgba(0,0,0,.5);cursor:default} +.admonitionblock td.icon .icon-note:before{content:"\f05a";color:#19407c} +.admonitionblock td.icon .icon-tip:before{content:"\f0eb";text-shadow:1px 1px 2px rgba(155,155,0,.8);color:#111} +.admonitionblock td.icon .icon-warning:before{content:"\f071";color:#bf6900} +.admonitionblock td.icon .icon-caution:before{content:"\f06d";color:#bf3400} +.admonitionblock td.icon .icon-important:before{content:"\f06a";color:#bf0000} +.conum[data-value]{display:inline-block;color:#fff!important;background-color:rgba(0,0,0,.8);-webkit-border-radius:100px;border-radius:100px;text-align:center;font-size:.75em;width:1.67em;height:1.67em;line-height:1.67em;font-family:"Open Sans","DejaVu Sans",sans-serif;font-style:normal;font-weight:bold} +.conum[data-value] *{color:#fff!important} +.conum[data-value]+b{display:none} +.conum[data-value]:after{content:attr(data-value)} +pre .conum[data-value]{position:relative;top:-.125em} +b.conum *{color:inherit!important} +.conum:not([data-value]):empty{display:none} +h1,h2{letter-spacing:-.01em} +dt,th.tableblock,td.content{text-rendering:optimizeLegibility} +p,td.content{letter-spacing:-.01em} +p strong,td.content strong{letter-spacing:-.005em} +p,blockquote,dt,td.content{font-size:1.0625rem} +p{margin-bottom:1.25rem} +.sidebarblock p,.sidebarblock dt,.sidebarblock td.content,p.tableblock{font-size:1em} +.exampleblock>.content{background-color:#fffef7;border-color:#e0e0dc;-webkit-box-shadow:0 1px 4px #e0e0dc;box-shadow:0 1px 4px #e0e0dc} +.print-only{display:none!important} +@media print{@page{margin:1.25cm .75cm} +*{-webkit-box-shadow:none!important;box-shadow:none!important;text-shadow:none!important} +a{color:inherit!important;text-decoration:underline!important} +a.bare,a[href^="#"],a[href^="mailto:"]{text-decoration:none!important} +a[href^="http:"]:not(.bare):after,a[href^="https:"]:not(.bare):after{content:"(" attr(href) ")";display:inline-block;font-size:.875em;padding-left:.25em} +abbr[title]:after{content:" (" attr(title) ")"} +pre,blockquote,tr,img{page-break-inside:avoid} +thead{display:table-header-group} +img{max-width:100%!important} +p,blockquote,dt,td.content{font-size:1em;orphans:3;widows:3} +h2,h3,#toctitle,.sidebarblock>.content>.title{page-break-after:avoid} +#toc,.sidebarblock,.exampleblock>.content{background:none!important} +#toc{border-bottom:1px solid #ddddd8!important;padding-bottom:0!important} +.sect1{padding-bottom:0!important} +.sect1+.sect1{border:0!important} +#header>h1:first-child{margin-top:1.25rem} +body.book #header{text-align:center} +body.book #header>h1:first-child{border:0!important;margin:2.5em 0 1em 0} +body.book #header .details{border:0!important;display:block;padding:0!important} +body.book #header .details span:first-child{margin-left:0!important} +body.book #header .details br{display:block} +body.book #header .details br+span:before{content:none!important} +body.book #toc{border:0!important;text-align:left!important;padding:0!important;margin:0!important} +body.book #toc,body.book #preamble,body.book h1.sect0,body.book .sect1>h2{page-break-before:always} +.listingblock code[data-lang]:before{display:block} +#footer{background:none!important;padding:0 .9375em} +#footer-text{color:rgba(0,0,0,.6)!important;font-size:.9em} +.hide-on-print{display:none!important} +.print-only{display:block!important} +.hide-for-print{display:none!important} +.show-for-print{display:inherit!important}} +</style> +<link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/font-awesome/4.2.0/css/font-awesome.min.css";> +</head> +<body class="article"> +<div id="header"> +<h1>Apache NiFi Registry System Administrator’s Guide</h1> +<div class="details"> +<span id="author" class="author">Apache NiFi Team</span><br> +<span id="email" class="email"><a href="mailto:[email protected]";>[email protected]</a></span><br> +</div> +<div id="toc" class="toc"> +<div id="toctitle">Table of Contents</div> +<ul class="sectlevel1"> +<li><a href="administration-guide.html#system-requirements">System Requirements</a></li> +<li><a href="administration-guide.html#how-to-install-and-start-nifi-registry">How to install and start NiFi Registry</a></li> +<li><a href="administration-guide.html#security-configuration">Security Configuration</a></li> +<li><a href="administration-guide.html#user_authentication">User Authentication</a> +<ul class="sectlevel2"> +<li><a href="administration-guide.html#ldap_identity_provider">Lightweight Directory Access Protocol (LDAP)</a></li> +<li><a href="administration-guide.html#kerberos_identity_provider">Kerberos</a></li> +</ul> +</li> +<li><a href="administration-guide.html#multi-tenant-authorization">Authorization</a> +<ul class="sectlevel2"> +<li><a href="administration-guide.html#authorizer-configuration">Authorizer Configuration</a></li> +<li><a href="administration-guide.html#authorizers-setup">Authorizers.xml Setup</a></li> +</ul> +</li> +<li><a href="administration-guide.html#encrypted-passwords-in-configuration-files">Encrypted Passwords in Configuration Files</a> +<ul class="sectlevel2"> +<li><a href="administration-guide.html#encrypt-config_tool">Encrypt-Config Tool</a></li> +<li><a href="administration-guide.html#sensitive-property-key-migration">Sensitive Property Key Migration</a></li> +</ul> +</li> +<li><a href="administration-guide.html#bootstrap_properties">Bootstrap Properties</a></li> +<li><a href="administration-guide.html#proxy_configuration">Proxy Configuration</a></li> +<li><a href="administration-guide.html#kerberos_service">Kerberos Service</a> +<ul class="sectlevel2"> +<li><a href="administration-guide.html#kerberos_service_notes">Notes</a></li> +</ul> +</li> +<li><a href="administration-guide.html#system_properties">System Properties</a> +<ul class="sectlevel2"> +<li><a href="administration-guide.html#web-properties">Web Properties</a></li> +<li><a href="administration-guide.html#security-properties">Security Properties</a></li> +<li><a href="administration-guide.html#providers-properties">Providers Properties</a></li> +<li><a href="administration-guide.html#database-properties">Database Properties</a></li> +<li><a href="administration-guide.html#extension-directories">Extension Directories</a></li> +<li><a href="administration-guide.html#kerberos_properties">Kerberos Properties</a></li> +</ul> +</li> +</ul> +</div> +</div> +<div id="content"> +<div class="sect1"> +<h2 id="system-requirements"><a class="anchor" href="administration-guide.html#system-requirements"></a>System Requirements</h2> +<div class="sectionbody"> +<div class="paragraph"> +<p>NiFi Registry has the following minimum system requirements:</p> +</div> +<div class="ulist"> +<ul> +<li> +<p>Requires Java 8, newer than 1.8.0_45</p> +</li> +<li> +<p>Supported Operating Systems:</p> +<div class="ulist"> +<ul> +<li> +<p>Linux</p> +</li> +<li> +<p>Unix</p> +</li> +<li> +<p>Mac OS X</p> +</li> +</ul> +</div> +</li> +<li> +<p>Supported Web Browsers:</p> +<div class="ulist"> +<ul> +<li> +<p>Google Chrome: Current & (Current - 1)</p> +</li> +<li> +<p>Mozilla FireFox: Current & (Current - 1)</p> +</li> +<li> +<p>Safari: Current & (Current - 1)</p> +</li> +</ul> +</div> +</li> +</ul> +</div> +</div> +</div> +<div class="sect1"> +<h2 id="how-to-install-and-start-nifi-registry"><a class="anchor" href="administration-guide.html#how-to-install-and-start-nifi-registry"></a>How to install and start NiFi Registry</h2> +<div class="sectionbody"> +<div class="ulist"> +<ul> +<li> +<p>Linux/Unix/OS X</p> +<div class="ulist"> +<ul> +<li> +<p>Decompress and untar into desired installation directory</p> +</li> +<li> +<p>Make any desired edits in files found under <installdir>/conf</p> +</li> +<li> +<p>From the <installdir>/bin directory, execute the following commands by typing ./nifi-registry.sh <command>:</p> +<div class="ulist"> +<ul> +<li> +<p>start: starts NiFi Registry in the background</p> +</li> +<li> +<p>stop: stops NiFi Registry that is running in the background</p> +</li> +<li> +<p>status: provides the current status of NiFi Registry</p> +</li> +<li> +<p>run: runs NiFi Registry in the foreground and waits for a Ctrl-C to initiate shutdown of NiFi Registry</p> +</li> +<li> +<p>install: installs NiFi Registry as a service that can then be controlled via</p> +<div class="ulist"> +<ul> +<li> +<p>service nifi-registry start</p> +</li> +<li> +<p>service nifi-regsitry stop</p> +</li> +<li> +<p>service nifi-registry status</p> +</li> +</ul> +</div> +</li> +</ul> +</div> +</li> +</ul> +</div> +</li> +</ul> +</div> +<div class="paragraph"> +<p>When NiFi Registry first starts up, the following files and directories are created:</p> +</div> +<div class="ulist"> +<ul> +<li> +<p>flow_storage directory</p> +</li> +<li> +<p>database directory</p> +</li> +<li> +<p>work directory</p> +</li> +<li> +<p>logs directory</p> +</li> +<li> +<p>run directory</p> +</li> +</ul> +</div> +<div class="paragraph"> +<p>See the <a href="administration-guide.html#system_properties">System Properties</a> section of this guide for more information about NiFi Registry configuration files.</p> +</div> +</div> +</div> +<div class="sect1"> +<h2 id="security-configuration"><a class="anchor" href="administration-guide.html#security-configuration"></a>Security Configuration</h2> +<div class="sectionbody"> +<div class="paragraph"> +<p>NiFi Registry provides several different configuration options for security purposes. The most important properties are those under the +"security properties" heading in the <em>nifi-registry.properties</em> file. In order to run securely, the following properties must be set:</p> +</div> +<table class="tableblock frame-all grid-all spread"> +<colgroup> +<col style="width: 50%;"> +<col style="width: 50%;"> +</colgroup> +<thead> +<tr> +<th class="tableblock halign-left valign-top">Property Name</th> +<th class="tableblock halign-left valign-top">Description</th> +</tr> +</thead> +<tfoot> +<tr> +<td class="tableblock halign-left valign-top"><p class="tableblock"><code>nifi.registry.security.needClientAuth</code></p></td> +<td class="tableblock halign-left valign-top"><p class="tableblock">This specifies that connecting clients must authenticate with a client cert. Setting this to <code>false</code> will specify that connecting clients may optionally authenticate with a client cert, but may also login with a username and password against a configured identity provider. The default value is true.</p></td> +</tr> +</tfoot> +<tbody> +<tr> +<td class="tableblock halign-left valign-top"><p class="tableblock"><code>nifi.registry.security.keystore</code></p></td> +<td class="tableblock halign-left valign-top"><p class="tableblock">Filename of the Keystore that contains the server’s private key.</p></td> +</tr> +<tr> +<td class="tableblock halign-left valign-top"><p class="tableblock"><code>nifi.registry.security.keystoreType</code></p></td> +<td class="tableblock halign-left valign-top"><p class="tableblock">The type of Keystore. Must be either <code>PKCS12</code> or <code>JKS</code>. JKS is the preferred type, PKCS12 files will be loaded with BouncyCastle provider.</p></td> +</tr> +<tr> +<td class="tableblock halign-left valign-top"><p class="tableblock"><code>nifi.registry.security.keystorePasswd</code></p></td> +<td class="tableblock halign-left valign-top"><p class="tableblock">The password for the Keystore.</p></td> +</tr> +<tr> +<td class="tableblock halign-left valign-top"><p class="tableblock"><code>nifi.registry.security.keyPasswd</code></p></td> +<td class="tableblock halign-left valign-top"><p class="tableblock">The password for the certificate in the Keystore. If not set, the value of <code>nifi.registry.security.keystorePasswd</code> will be used.</p></td> +</tr> +<tr> +<td class="tableblock halign-left valign-top"><p class="tableblock"><code>nifi.registry.security.truststore</code></p></td> +<td class="tableblock halign-left valign-top"><p class="tableblock">Filename of the Truststore that will be used to authorize those connecting to NiFi Registry. A secured instance with no Truststore will refuse all incoming connections.</p></td> +</tr> +<tr> +<td class="tableblock halign-left valign-top"><p class="tableblock"><code>nifi.registry.security.truststoreType</code></p></td> +<td class="tableblock halign-left valign-top"><p class="tableblock">The type of the Truststore. Must be either <code>PKCS12</code> or <code>JKS</code>. JKS is the preferred type, PKCS12 files will be loaded with BouncyCastle provider.</p></td> +</tr> +<tr> +<td class="tableblock halign-left valign-top"><p class="tableblock"><code>nifi.registry.security.truststorePasswd</code></p></td> +<td class="tableblock halign-left valign-top"><p class="tableblock">The password for the Truststore.</p></td> +</tr> +</tbody> +</table> +<div class="paragraph"> +<p>Once the above properties have been configured, we can enable the User Interface to be accessed over HTTPS instead of HTTP. This is accomplished +by setting the <code>nifi.registry.web.https.host</code> and <code>nifi.registry.web.https.port</code> properties. The <code>nifi.registry.web.https.host</code> property indicates which hostname the server +should run on. If it is desired that the HTTPS interface be accessible from all network interfaces, a value of <code>0.0.0.0</code> should be used for <code>nifi.registry.web.https.host</code>.</p> +</div> +<div class="admonitionblock note"> +<table> +<tr> +<td class="icon"> +<i class="fa icon-note" title="Note"></i> +</td> +<td class="content"> +It is important when enabling HTTPS that the <code>nifi.registry.web.http.port</code> property be unset. +</td> +</tr> +</table> +</div> +</div> +</div> +<div class="sect1"> +<h2 id="user_authentication"><a class="anchor" href="administration-guide.html#user_authentication"></a>User Authentication</h2> +<div class="sectionbody"> +<div class="paragraph"> +<p>A secured instance of NiFi Registry cannot be accessed anonymously, so a method of user authentication must be configured.</p> +</div> +<div class="admonitionblock note"> +<table> +<tr> +<td class="icon"> +<i class="fa icon-note" title="Note"></i> +</td> +<td class="content"> +NiFi Registry does not perform user authentication over HTTP. Using HTTP, all users will have full permissions. +</td> +</tr> +</table> +</div> +<div class="paragraph"> +<p>Any secured instance of NiFi Registry supports authentication via client certificates that are trusted by the NiFi Registry’s SSL Context Truststore. +Alternatively, a secured NiFi Registry can be configured to authenticate users via username/password.</p> +</div> +<div class="paragraph"> +<p>Username/password authentication is performed by an <em>Identity Provider</em>. The Identity Provider is a pluggable mechanism for +authenticating users via their username/password. Which Identity Provider to use is configured in the <em>nifi-registry.properties</em> file. +Currently NiFi Registry offers Identity Providers for LDAP and Kerberos.</p> +</div> +<div class="paragraph"> +<p>Identity Providers are configured using two properties in the <em>nifi-registry.properties</em> file:</p> +</div> +<div class="ulist"> +<ul> +<li> +<p>The <code>nifi.registry.security.identity.providers.configuration.file</code> property specifies the configuration file where identity providers are defined. By default, the <em>identity-providers.xml</em> file located in the root installation conf directory is selected.</p> +</li> +<li> +<p>The <code>nifi.registry.security.identity.provider</code> property indicates which of the configured identity providers in the <em>identity-providers.xml</em> file to use. By default, this property is not configured meaning that username/password must be explicitly enabled.</p> +</li> +</ul> +</div> +<div class="admonitionblock note"> +<table> +<tr> +<td class="icon"> +<i class="fa icon-note" title="Note"></i> +</td> +<td class="content"> +NiFi Registry can only be configured to use one Identity Provider at a given time. +</td> +</tr> +</table> +</div> +<div class="sect2"> +<h3 id="ldap_identity_provider"><a class="anchor" href="administration-guide.html#ldap_identity_provider"></a>Lightweight Directory Access Protocol (LDAP)</h3> +<div class="paragraph"> +<p>Below is an example and description of configuring a Identity Provider that integrates with a Directory Server to authenticate users.</p> +</div> +<div class="listingblock"> +<div class="content"> +<pre><provider> + <identifier>ldap-identity-provider</identifier> + <class>org.apache.nifi.registry.security.ldap.LdapIdentityProvider</class> + <property name="Authentication Strategy">START_TLS</property> + + <property name="Manager DN"></property> + <property name="Manager Password"></property> + + <property name="TLS - Keystore"></property> + <property name="TLS - Keystore Password"></property> + <property name="TLS - Keystore Type"></property> + <property name="TLS - Truststore"></property> + <property name="TLS - Truststore Password"></property> + <property name="TLS - Truststore Type"></property> + <property name="TLS - Client Auth"></property> + <property name="TLS - Protocol"></property> + <property name="TLS - Shutdown Gracefully"></property> + + <property name="Referral Strategy">FOLLOW</property> + <property name="Connect Timeout">10 secs</property> + <property name="Read Timeout">10 secs</property> + + <property name="Url"></property> + <property name="User Search Base"></property> + <property name="User Search Filter"></property> + + <property name="Identity Strategy">USE_DN</property> + <property name="Authentication Expiration">12 hours</property> +</provider></pre> +</div> +</div> +<div class="paragraph"> +<p>With this configuration, username/password authentication can be enabled by referencing this provider in <em>nifi-registry.properties</em>.</p> +</div> +<div class="listingblock"> +<div class="content"> +<pre>nifi.registry.security.identity.provider=ldap-identity-provider</pre> +</div> +</div> +<table class="tableblock frame-all grid-all spread"> +<colgroup> +<col style="width: 50%;"> +<col style="width: 50%;"> +</colgroup> +<thead> +<tr> +<th class="tableblock halign-left valign-top">Property Name</th> +<th class="tableblock halign-left valign-top">Description</th> +</tr> +</thead> +<tfoot> +<tr> +<td class="tableblock halign-left valign-top"><p class="tableblock"><code>Authentication Expiration</code></p></td> +<td class="tableblock halign-left valign-top"><p class="tableblock">The duration of how long the user authentication is valid for. If the user never logs out, they will be required to log back in following this duration.</p></td> +</tr> +</tfoot> +<tbody> +<tr> +<td class="tableblock halign-left valign-top"><p class="tableblock"><code>Authentication Strategy</code></p></td> +<td class="tableblock halign-left valign-top"><p class="tableblock">How the connection to the LDAP server is authenticated. Possible values are ANONYMOUS, SIMPLE, LDAPS, or START_TLS.</p></td> +</tr> +<tr> +<td class="tableblock halign-left valign-top"><p class="tableblock"><code>Manager DN</code></p></td> +<td class="tableblock halign-left valign-top"><p class="tableblock">The DN of the manager that is used to bind to the LDAP server to search for users.</p></td> +</tr> +<tr> +<td class="tableblock halign-left valign-top"><p class="tableblock"><code>Manager Password</code></p></td> +<td class="tableblock halign-left valign-top"><p class="tableblock">The password of the manager that is used to bind to the LDAP server to search for users.</p></td> +</tr> +<tr> +<td class="tableblock halign-left valign-top"><p class="tableblock"><code>TLS - Keystore</code></p></td> +<td class="tableblock halign-left valign-top"><p class="tableblock">Path to the Keystore that is used when connecting to LDAP using LDAPS or START_TLS.</p></td> +</tr> +<tr> +<td class="tableblock halign-left valign-top"><p class="tableblock"><code>TLS - Keystore Password</code></p></td> +<td class="tableblock halign-left valign-top"><p class="tableblock">Password for the Keystore that is used when connecting to LDAP using LDAPS or START_TLS.</p></td> +</tr> +<tr> +<td class="tableblock halign-left valign-top"><p class="tableblock"><code>TLS - Keystore Type</code></p></td> +<td class="tableblock halign-left valign-top"><p class="tableblock">Type of the Keystore that is used when connecting to LDAP using LDAPS or START_TLS (i.e. JKS or PKCS12).</p></td> +</tr> +<tr> +<td class="tableblock halign-left valign-top"><p class="tableblock"><code>TLS - Truststore</code></p></td> +<td class="tableblock halign-left valign-top"><p class="tableblock">Path to the Truststore that is used when connecting to LDAP using LDAPS or START_TLS.</p></td> +</tr> +<tr> +<td class="tableblock halign-left valign-top"><p class="tableblock"><code>TLS - Truststore Password</code></p></td> +<td class="tableblock halign-left valign-top"><p class="tableblock">Password for the Truststore that is used when connecting to LDAP using LDAPS or START_TLS.</p></td> +</tr> +<tr> +<td class="tableblock halign-left valign-top"><p class="tableblock"><code>TLS - Truststore Type</code></p></td> +<td class="tableblock halign-left valign-top"><p class="tableblock">Type of the Truststore that is used when connecting to LDAP using LDAPS or START_TLS (i.e. JKS or PKCS12).</p></td> +</tr> +<tr> +<td class="tableblock halign-left valign-top"><p class="tableblock"><code>TLS - Client Auth</code></p></td> +<td class="tableblock halign-left valign-top"><p class="tableblock">Client authentication policy when connecting to LDAP using LDAPS or START_TLS. Possible values are REQUIRED, WANT, NONE.</p></td> +</tr> +<tr> +<td class="tableblock halign-left valign-top"><p class="tableblock"><code>TLS - Protocol</code></p></td> +<td class="tableblock halign-left valign-top"><p class="tableblock">Protocol to use when connecting to LDAP using LDAPS or START_TLS. (i.e. TLS, TLSv1.1, TLSv1.2, etc).</p></td> +</tr> +<tr> +<td class="tableblock halign-left valign-top"><p class="tableblock"><code>TLS - Shutdown Gracefully</code></p></td> +<td class="tableblock halign-left valign-top"><p class="tableblock">Specifies whether the TLS should be shut down gracefully before the target context is closed. Defaults to false.</p></td> +</tr> +<tr> +<td class="tableblock halign-left valign-top"><p class="tableblock"><code>Referral Strategy</code></p></td> +<td class="tableblock halign-left valign-top"><p class="tableblock">Strategy for handling referrals. Possible values are FOLLOW, IGNORE, THROW.</p></td> +</tr> +<tr> +<td class="tableblock halign-left valign-top"><p class="tableblock"><code>Connect Timeout</code></p></td> +<td class="tableblock halign-left valign-top"><p class="tableblock">Duration of connect timeout. (i.e. 10 secs).</p></td> +</tr> +<tr> +<td class="tableblock halign-left valign-top"><p class="tableblock"><code>Read Timeout</code></p></td> +<td class="tableblock halign-left valign-top"><p class="tableblock">Duration of read timeout. (i.e. 10 secs).</p></td> +</tr> +<tr> +<td class="tableblock halign-left valign-top"><p class="tableblock"><code>Url</code></p></td> +<td class="tableblock halign-left valign-top"><p class="tableblock">Space-separated list of URLs of the LDAP servers (i.e. ldap://<hostname>:<port>).</p></td> +</tr> +<tr> +<td class="tableblock halign-left valign-top"><p class="tableblock"><code>User Search Base</code></p></td> +<td class="tableblock halign-left valign-top"><p class="tableblock">Base DN for searching for users (i.e. CN=Users,DC=example,DC=com).</p></td> +</tr> +<tr> +<td class="tableblock halign-left valign-top"><p class="tableblock"><code>User Search Filter</code></p></td> +<td class="tableblock halign-left valign-top"><p class="tableblock">Filter for searching for users against the <em>User Search Base</em>. (i.e. sAMAccountName={0}). The user specified name is inserted into <em>{0}</em>.</p></td> +</tr> +<tr> +<td class="tableblock halign-left valign-top"><p class="tableblock"><code>Identity Strategy</code></p></td> +<td class="tableblock halign-left valign-top"><p class="tableblock">Strategy to identify users. Possible values are USE_DN and USE_USERNAME. The default functionality if this property is missing is USE_DN in order to retain backward +compatibility. USE_DN will use the full DN of the user entry if possible. USE_USERNAME will use the username the user logged in with.</p></td> +</tr> +</tbody> +</table> +</div> +<div class="sect2"> +<h3 id="kerberos_identity_provider"><a class="anchor" href="administration-guide.html#kerberos_identity_provider"></a>Kerberos</h3> +<div class="paragraph"> +<p>Below is an example and description of configuring an Identity Provider that integrates with a Kerberos Key Distribution Center (KDC) to authenticate users.</p> +</div> +<div class="listingblock"> +<div class="content"> +<pre><provider> + <identifier>kerberos-identity-provider</identifier> + <class>org.apache.nifi.registry.web.security.authentication.kerberos.KerberosIdentityProvider</class> + <property name="Default Realm">NIFI.APACHE.ORG</property> + <property name="Kerberos Config File">/etc/krb5.conf</property> + <property name="Authentication Expiration">12 hours</property> +</provider></pre> +</div> +</div> +<div class="paragraph"> +<p>With this configuration, username/password authentication can be enabled by referencing this provider in <em>nifi-registry.properties</em>.</p> +</div> +<div class="listingblock"> +<div class="content"> +<pre>nifi.registry.security.user.identity.provider=kerberos-identity-provider</pre> +</div> +</div> +<table class="tableblock frame-all grid-all spread"> +<colgroup> +<col style="width: 50%;"> +<col style="width: 50%;"> +</colgroup> +<thead> +<tr> +<th class="tableblock halign-left valign-top">Property Name</th> +<th class="tableblock halign-left valign-top">Description</th> +</tr> +</thead> +<tfoot> +<tr> +<td class="tableblock halign-left valign-top"><p class="tableblock"><code>Authentication Expiration</code></p></td> +<td class="tableblock halign-left valign-top"><p class="tableblock">The duration for which the user authentication is valid. If the user never logs out, they will be required to log back in following this duration.</p></td> +</tr> +</tfoot> +<tbody> +<tr> +<td class="tableblock halign-left valign-top"><p class="tableblock"><code>Default Realm</code></p></td> +<td class="tableblock halign-left valign-top"><p class="tableblock">Default realm to provide when user enters incomplete user principal (i.e. NIFI.APACHE.ORG).</p></td> +</tr> +<tr> +<td class="tableblock halign-left valign-top"><p class="tableblock"><code>Kerberos Config File</code></p></td> +<td class="tableblock halign-left valign-top"><p class="tableblock">Absolute path to Kerberos client configuration file.</p></td> +</tr> +</tbody> +</table> +<div class="paragraph"> +<p>See also <a href="administration-guide.html#kerberos_service">Kerberos Service</a> to allow single sign-on access via client Kerberos tickets.</p> +</div> +</div> +</div> +</div> +<div class="sect1"> +<h2 id="multi-tenant-authorization"><a class="anchor" href="administration-guide.html#multi-tenant-authorization"></a>Authorization</h2> +<div class="sectionbody"> +<div class="paragraph"> +<p>After you have configured NiFi Registry to run securely and with an authentication mechanism, you must configure who has access to the system and their level of access. +This is done by defining policies that give users and groups permissions to perform a particular action. These policies are defined in an <em>authorizer</em>.</p> +</div> +<div class="sect2"> +<h3 id="authorizer-configuration"><a class="anchor" href="administration-guide.html#authorizer-configuration"></a>Authorizer Configuration</h3> +<div class="paragraph"> +<p>An <em>authorizer</em> manages known users and their access policies. Authorizers are configured using two properties in the <em>nifi-registry.properties</em> file:</p> +</div> +<div class="ulist"> +<ul> +<li> +<p>The <code>nifi.registry.security.authorizers.configuration.file</code> property specifies the configuration file where authorizers are defined. By default, the <em>authorizers.xml</em> file located in the root installation conf directory is selected.</p> +</li> +<li> +<p>The <code>nifi.registry.security.authorizer</code> property indicates which of the configured authorizers in the <em>authorizers.xml</em> file to use.</p> +</li> +</ul> +</div> +</div> +<div class="sect2"> +<h3 id="authorizers-setup"><a class="anchor" href="administration-guide.html#authorizers-setup"></a>Authorizers.xml Setup</h3> +<div class="paragraph"> +<p>The <em>authorizers.xml</em> file is used to define and configure available authorizers. The default authorizer is the StandardManagedAuthorizer. The managed authorizer is comprised of a UserGroupProvider +and a AccessPolicyProvider. The users, group, and access policies will be loaded and optionally configured through these providers. The managed authorizer will make all access decisions based on +these provided users, groups, and access policies.</p> +</div> +<div class="paragraph"> +<p>During startup there is a check to ensure that there are no two users/groups with the same identity/name. This check is executed regardless of the configured implementation. This is necessary because this is how users/groups are identified and authorized during access decisions.</p> +</div> +<div class="paragraph"> +<p>The default UserGroupProvider is the FileUserGroupProvider, however, you can develop additional UserGroupProviders as extensions. The FileUserGroupProvider has the following properties:</p> +</div> +<div class="ulist"> +<ul> +<li> +<p>Users File - The file where the FileUserGroupProvider stores users and groups. +By default, <em>users.xml</em> in the <em>conf</em> directory is chosen.</p> +</li> +<li> +<p>Initial User Identity - The identity of a user or system to seed an empty Users File. +Multiple Initial User Identity properties can be specified, but the name of each property must be unique, for example: "Initial User Identity A", "Initial User Identity B", "Initial User Identity C" or "Initial User Identity 1", "Initial User Identity 2", "Initial User Identity 3"</p> +</li> +</ul> +</div> +<div class="admonitionblock note"> +<table> +<tr> +<td class="icon"> +<i class="fa icon-note" title="Note"></i> +</td> +<td class="content"> +Initial User Identities are only created if the specified Users File is missing or empty during NiFi Registry startup. Changes to the configured Initial Users Identities will not take effect if the Users File is populated. +</td> +</tr> +</table> +</div> +<div class="paragraph"> +<p>Another option for the UserGroupProvider is the LdapUserGroupProvider. By default, this option is commented out but can be configured in lieu of the FileUserGroupProvider. +This will sync users and groups from a directory server and will present them in NiFi Registry UI in read only form. The LdapUserGroupProvider has the following properties:</p> +</div> +<div class="ulist"> +<ul> +<li> +<p>Authentication Strategy - How the connection to the LDAP server is authenticated. Possible values are ANONYMOUS, SIMPLE, LDAPS, or START_TLS</p> +</li> +<li> +<p>Manager DN - The DN of the manager that is used to bind to the LDAP server to search for users.</p> +</li> +<li> +<p>Manager Password - The password of the manager that is used to bind to the LDAP server to search for users.</p> +</li> +<li> +<p>TLS - Keystore - Path to the Keystore that is used when connecting to LDAP using LDAPS or START_TLS.</p> +</li> +<li> +<p>TLS - Keystore Password - Password for the Keystore that is used when connecting to LDAP using LDAPS or START_TLS.</p> +</li> +<li> +<p>TLS - Keystore Type - Type of the Keystore that is used when connecting to LDAP using LDAPS or START_TLS (i.e. JKS or PKCS12).</p> +</li> +<li> +<p>TLS - Truststore - Path to the Truststore that is used when connecting to LDAP using LDAPS or START_TLS.</p> +</li> +<li> +<p>TLS - Truststore Password - Password for the Truststore that is used when connecting to LDAP using LDAPS or START_TLS.</p> +</li> +<li> +<p>TLS - Truststore Type - Type of the Truststore that is used when connecting to LDAP using LDAPS or START_TLS (i.e. JKS or PKCS12).</p> +</li> +<li> +<p>TLS - Client Auth - Client authentication policy when connecting to LDAP using LDAPS or START_TLS. Possible values are REQUIRED, WANT, NONE.</p> +</li> +<li> +<p>TLS - Protocol - Protocol to use when connecting to LDAP using LDAPS or START_TLS. (i.e. TLS, TLSv1.1, TLSv1.2, etc).</p> +</li> +<li> +<p>TLS - Shutdown Gracefully - Specifies whether the TLS should be shut down gracefully before the target context is closed. Defaults to false.</p> +</li> +<li> +<p>Referral Strategy - Strategy for handling referrals. Possible values are FOLLOW, IGNORE, THROW.</p> +</li> +<li> +<p>Connect Timeout - Duration of connect timeout. (i.e. 10 secs).</p> +</li> +<li> +<p>Read Timeout - Duration of read timeout. (i.e. 10 secs).</p> +</li> +<li> +<p>Url - Space-separated list of URLs of the LDAP servers (i.e. ldap://<hostname>:<port>).</p> +</li> +<li> +<p>Page Size - Sets the page size when retrieving users and groups. If not specified, no paging is performed.</p> +</li> +<li> +<p>Sync Interval - Duration of time between syncing users and groups. (i.e. 30 mins).</p> +</li> +<li> +<p>User Search Base - Base DN for searching for users (i.e. ou=users,o=nifi). Required to search users.</p> +</li> +<li> +<p>User Object Class - Object class for identifying users (i.e. person). Required if searching users.</p> +</li> +<li> +<p>User Search Scope - Search scope for searching users (ONE_LEVEL, OBJECT, or SUBTREE). Required if searching users.</p> +</li> +<li> +<p>User Search Filter - Filter for searching for users against the <em>User Search Base</em> (i.e. (memberof=cn=team1,ou=groups,o=nifi) ). Optional.</p> +</li> +<li> +<p>User Identity Attribute - Attribute to use to extract user identity (i.e. cn). Optional. If not set, the entire DN is used.</p> +</li> +<li> +<p>User Group Name Attribute - Attribute to use to define group membership (i.e. memberof). Optional. If not set group membership will not be calculated through the users. Will rely on group membership being defined through Group Member Attribute if set.</p> +</li> +<li> +<p>Group Search Base - Base DN for searching for groups (i.e. ou=groups,o=nifi). Required to search groups.</p> +</li> +<li> +<p>Group Object Class - Object class for identifying groups (i.e. groupOfNames). Required if searching groups.</p> +</li> +<li> +<p>Group Search Scope - Search scope for searching groups (ONE_LEVEL, OBJECT, or SUBTREE). Required if searching groups.</p> +</li> +<li> +<p>Group Search Filter - Filter for searching for groups against the <em>Group Search Base</em>. Optional.</p> +</li> +<li> +<p>Group Name Attribute - Attribute to use to extract group name (i.e. cn). Optional. If not set, the entire DN is used.</p> +</li> +<li> +<p>Group Member Attribute - Group Member Attribute - Attribute to use to define group membership (i.e. member). Optional. If not set group membership will not be calculated through the groups. Will rely on group member being defined through User Group Name Attribute if set.</p> +</li> +</ul> +</div> +<div class="paragraph"> +<p>Another option for the UserGroupProvider are composite implementations. This means that multiple sources/implementations can be configured and composed. For instance, an admin can configure users/groups to be loaded from a file and a directory server. There are two composite implementations, one that supports multiple UserGroupProviders and one that supports multiple UserGroupProviders and a single configurable UserGroupProvider.</p> +</div> +<div class="paragraph"> +<p>The CompositeUserGroupProvider will provide support for retrieving users and groups from multiple sources. The CompositeUserGroupProvider has the following properties:</p> +</div> +<div class="ulist"> +<ul> +<li> +<p>User Group Provider - The identifier of user group providers to load from. The name of each property must be unique, for example: "User Group Provider A", "User Group Provider B", "User Group Provider C" or "User Group Provider 1", "User Group Provider 2", "User Group Provider 3"</p> +</li> +</ul> +</div> +<div class="paragraph"> +<p>The CompositeConfigurableUserGroupProvider will provide support for retrieving users and groups from multiple sources. Additionally, a single configurable user group provider is required. Users from the configurable user group provider are configurable, however users loaded from one of the User Group Provider [unique key] will not be. The CompositeConfigurableUserGroupProvider has the following properties:</p> +</div> +<div class="ulist"> +<ul> +<li> +<p>Configurable User Group Provider - A configurable user group provider.</p> +</li> +<li> +<p>User Group Provider - The identifier of user group providers to load from. The name of each property must be unique, for example: "User Group Provider A", "User Group Provider B", "User Group Provider C" or "User Group Provider 1", "User Group Provider 2", "User Group Provider 3"</p> +</li> +</ul> +</div> +<div class="paragraph"> +<p>After you have configured a UserGroupProvider, you must configure an AccessPolicyProvider that will control Access Policies for the identities in the UserGroupProvider. +The default AccessPolicyProvider is the FileAccessPolicyProvider, however, you can develop additional AccessPolicyProvider as extensions. The FileAccessPolicyProvider has the following properties:</p> +</div> +<div class="ulist"> +<ul> +<li> +<p>User Group Provider - The identifier for an User Group Provider defined above that will be used to access users and groups for use in the managed access policies.</p> +</li> +<li> +<p>Authorizations File - The file where the FileAccessPolicyProvider will store policies. +By default, <em>authorizations.xml</em> in the <em>conf</em> directory is chosen.</p> +</li> +<li> +<p>Initial Admin Identity - The identity of an initial admin user that will be granted access to the UI and given the ability to create additional users, groups, and policies. +For example, a certificate DN, LDAP identity, or Kerberos principal.</p> +</li> +<li> +<p>NiFi Identity - The identity of a NiFi instance/node that will be accessing this registry. Each NiFi Identity will be granted permission to proxy user requests, as well as read any bucket to perform synchronization status checks.</p> +</li> +</ul> +</div> +<div class="admonitionblock note"> +<table> +<tr> +<td class="icon"> +<i class="fa icon-note" title="Note"></i> +</td> +<td class="content"> +The identities configured in the Initial Admin Identity and NiFi Identity properties must be available in the configured User Group Provider. Initial Admin Identity and NiFi Identity properties are only read by NiFi Registry when the Authorizations File is missing or empty on startup in order to seed the initial Authorizations File. +Changes to the configured Initial Admin Identity and NiFi Identities will not take effect if the Authorizations File is populated. +</td> +</tr> +</table> +</div> +<div class="paragraph"> +<p>The default Authorizer is the StandardManagedAuthorizer, however, you can develop additional Authorizers as extensions. The StandardManagedAuthorizer has the following properties:</p> +</div> +<div class="ulist"> +<ul> +<li> +<p>Access Policy Provider - The identifier for an Access Policy Provider defined above.</p> +</li> +</ul> +</div> +<div class="sect3"> +<h4 id="initial-admin-identity"><a class="anchor" href="administration-guide.html#initial-admin-identity"></a>Initial Admin Identity (New NiFi Registry Instance)</h4> +<div class="paragraph"> +<p>If you are setting up a secured NiFi Registry instance for the first time, you must manually designate an âInitial Admin Identityâ in the <em>authorizers.xml</em> file. +This initial admin user is granted access to the UI and given the ability to create additional users, groups, and policies. +The value of this property could be a certificate DN , LDAP identity (DN or username), or a Kerberos principal. +If you are the NiFi Registry administrator, add yourself as the âInitial Admin Identityâ.</p> +</div> +<div class="paragraph"> +<p>Here is an example LDAP entry using the name John Smith:</p> +</div> +<div class="listingblock"> +<div class="content"> +<pre><authorizers> + + <userGroupProvider> + <identifier>file-user-group-provider</identifier> + <class>org.apache.nifi.registry.security.authorization.file.FileUserGroupProvider</class> + <property name="Users File">./conf/users.xml</property> + <property name="Legacy Authorized Users File"></property> + <property name="Initial User Identity 1">cn=John Smith,ou=people,dc=example,dc=com</property> + </userGroupProvider> + + <accessPolicyProvider> + <identifier>file-access-policy-provider</identifier> + <class>org.apache.nifi.registry.security.authorization.file.FileAccessPolicyProvider</class> + <property name="User Group Provider">file-user-group-provider</property> + <property name="Authorizations File">./conf/authorizations.xml</property> + <property name="Initial Admin Identity">cn=John Smith,ou=people,dc=example,dc=com</property + <property name="NiFi Identity 1"></property> + </accessPolicyProvider> + + <authorizer> + <identifier>managed-authorizer</identifier> + <class>org.apache.nifi.registry.security.authorization.StandardManagedAuthorizer</class> + <property name="Access Policy Provider">file-access-policy-provider</property> + </authorizer> +</authorizers></pre> +</div> +</div> +<div class="paragraph"> +<p>Here is an example Kerberos entry using the name John Smith and realm <code>NIFI.APACHE.ORG</code>:</p> +</div> +<div class="listingblock"> +<div class="content"> +<pre><authorizers> + + <userGroupProvider> + <identifier>file-user-group-provider</identifier> + <class>org.apache.nifi.registry.security.authorization.file.FileUserGroupProvider</class> + <property name="Users File">./conf/users.xml</property> + <property name="Initial User Identity 1">[email protected]</property> + </userGroupProvider> + + <accessPolicyProvider> + <identifier>file-access-policy-provider</identifier> + <class>org.apache.nifi.registry.security.authorization.file.FileAccessPolicyProvider</class> + <property name="User Group Provider">file-user-group-provider</property> + <property name="Authorizations File">./conf/authorizations.xml</property> + <property name="Initial Admin Identity">[email protected]</property> + <property name="NiFi Identity 1"></property> + </accessPolicyProvider> + + <authorizer> + <identifier>managed-authorizer</identifier> + <class>org.apache.nifi.registry.security.authorization.StandardManagedAuthorizer</class> + <property name="Access Policy Provider">file-access-policy-provider</property> + </authorizer> +</authorizers></pre> +</div> +</div> +<div class="paragraph"> +<p>After you have edited and saved the <em>authorizers.xml</em> file, restart NiFi Registry. +The <em>users.xml</em> and <em>authorizations.xml</em> files will be created, and the âInitial Admin Identityâ user and administrative policies are added during start up. +Once NiFi Registry starts, the âInitial Admin Identityâ user is able to access the UI and begin managing users, groups, and policies.</p> +</div> +<div class="admonitionblock note"> +<table> +<tr> +<td class="icon"> +<i class="fa icon-note" title="Note"></i> +</td> +<td class="content"> +If initial NiFi identities are not provided, they can be added through the UI at a later time by first creating a user for the given +NiFi identity, and then giving that user Proxy permissions, and permission to Buckets/READ in order to read all buckets. +</td> +</tr> +</table> +</div> +<div class="paragraph"> +<p>Here is an example loading users and groups from LDAP. Group membership will be driven through the member attribute of each group. +Authorization will still use file based access policies.</p> +</div> +<div class="paragraph"> +<p>Given the following LDAP entries exist:</p> +</div> +<div class="listingblock"> +<div class="content"> +<pre>dn: cn=User 1,ou=users,o=nifi +objectClass: organizationalPerson +objectClass: person +objectClass: inetOrgPerson +objectClass: top +cn: User 1 +sn: User1 +uid: user1 + +dn: cn=User 2,ou=users,o=nifi +objectClass: organizationalPerson +objectClass: person +objectClass: inetOrgPerson +objectClass: top +cn: User 2 +sn: User2 +uid: user2 + +dn: cn=users,ou=groups,o=nifi +objectClass: groupOfNames +objectClass: top +cn: users +member: cn=User 1,ou=users,o=nifi +member: cn=User 2,ou=users,o=nifi</pre> +</div> +</div> +<div class="paragraph"> +<p>An Authorizer using an LdapUserGroupProvider would be configured as:</p> +</div> +<div class="listingblock"> +<div class="content"> +<pre><authorizers> + <userGroupProvider> + <identifier>ldap-user-group-provider</identifier> + <class>org.apache.nifi.registry.security.ldap.tenants.LdapUserGroupProvider</class> + <property name="Authentication Strategy">ANONYMOUS</property> + + <property name="Manager DN"></property> + <property name="Manager Password"></property> + + <property name="TLS - Keystore"></property> + <property name="TLS - Keystore Password"></property> + <property name="TLS - Keystore Type"></property> + <property name="TLS - Truststore"></property> + <property name="TLS - Truststore Password"></property> + <property name="TLS - Truststore Type"></property> + <property name="TLS - Client Auth"></property> + <property name="TLS - Protocol"></property> + <property name="TLS - Shutdown Gracefully"></property> + + <property name="Referral Strategy">FOLLOW</property> + <property name="Connect Timeout">10 secs</property> + <property name="Read Timeout">10 secs</property> + + <property name="Url">ldap://localhost:10389</property> + <property name="Page Size"></property> + <property name="Sync Interval">30 mins</property> + + <property name="User Search Base">ou=users,o=nifi</property> + <property name="User Object Class">person</property> + <property name="User Search Scope">ONE_LEVEL</property> + <property name="User Search Filter"></property> + <property name="User Identity Attribute">cn</property> + <property name="User Group Name Attribute"></property> + + <property name="Group Search Base">ou=groups,o=nifi</property> + <property name="Group Object Class">groupOfNames</property> + <property name="Group Search Scope">ONE_LEVEL</property> + <property name="Group Search Filter"></property> + <property name="Group Name Attribute">cn</property> + <property name="Group Member Attribute">member</property> + </userGroupProvider> + + <accessPolicyProvider> + <identifier>file-access-policy-provider</identifier> + <class>org.apache.nifi.registry.security.authorization.file.FileAccessPolicyProvider</class> + <property name="User Group Provider">ldap-user-group-provider</property> + <property name="Authorizations File">./conf/authorizations.xml</property> + <property name="Initial Admin Identity">User 1</property> + <property name="NiFi Identity 1"></property> + </accessPolicyProvider> + + <authorizer> + <identifier>managed-authorizer</identifier> + <class>org.apache.nifi.registry.security.authorization.StandardManagedAuthorizer</class> + <property name="Access Policy Provider">file-access-policy-provider</property> + </authorizer> +</authorizers></pre> +</div> +</div> +<div class="paragraph"> +<p>The <em>Initial Admin Identity</em> value would have loaded from the cn of the User 1 entry based on the <em>User Identity Attribute</em> value.</p> +</div> +<div class="paragraph"> +<p>Here is an example composite implementation loading users and groups from LDAP and a local file. Group membership will be driven through +the member attribute of each group. The users from LDAP will be read only while the users loaded from the file will be configurable in UI.</p> +</div> +<div class="listingblock"> +<div class="content"> +<pre><authorizers> + + <userGroupProvider> + <identifier>file-user-group-provider</identifier> + <class>org.apache.nifi.registry.security.authorization.file.FileUserGroupProvider</class> + <property name="Users File">./conf/users.xml</property> + <property name="Initial User Identity 1">cn=nifi-node1,ou=servers,dc=example,dc=com</property> + <property name="Initial User Identity 2">cn=nifi-node2,ou=servers,dc=example,dc=com</property> + </userGroupProvider> + + <userGroupProvider> + <identifier>ldap-user-group-provider</identifier> + <class>org.apache.nifi.registry.security.ldap.tenants.LdapUserGroupProvider</class> + <property name="Authentication Strategy">ANONYMOUS</property> + + <property name="Manager DN"></property> + <property name="Manager Password"></property> + + <property name="TLS - Keystore"></property> + <property name="TLS - Keystore Password"></property> + <property name="TLS - Keystore Type"></property> + <property name="TLS - Truststore"></property> + <property name="TLS - Truststore Password"></property> + <property name="TLS - Truststore Type"></property> + <property name="TLS - Client Auth"></property> + <property name="TLS - Protocol"></property> + <property name="TLS - Shutdown Gracefully"></property> + + <property name="Referral Strategy">FOLLOW</property> + <property name="Connect Timeout">10 secs</property> + <property name="Read Timeout">10 secs</property> + + <property name="Url">ldap://localhost:10389</property> + <property name="Page Size"></property> + <property name="Sync Interval">30 mins</property> + + <property name="User Search Base">ou=users,o=nifi</property> + <property name="User Object Class">person</property> + <property name="User Search Scope">ONE_LEVEL</property> + <property name="User Search Filter"></property> + <property name="User Identity Attribute">cn</property> + <property name="User Group Name Attribute"></property> + + <property name="Group Search Base">ou=groups,o=nifi</property> + <property name="Group Object Class">groupOfNames</property> + <property name="Group Search Scope">ONE_LEVEL</property> + <property name="Group Search Filter"></property> + <property name="Group Name Attribute">cn</property> + <property name="Group Member Attribute">member</property> + </userGroupProvider> + + <userGroupProvider> + <identifier>composite-user-group-provider</identifier> + <class>org.apache.nifi.registry.security.authorization.CompositeUserGroupProvider</class> + <property name="User Group Provider 1">file-user-group-provider</property> + <property name="User Group Provider 2">ldap-user-group-provider</property> + </userGroupProvider> + + <accessPolicyProvider> + <identifier>file-access-policy-provider</identifier> + <class>org.apache.nifi.registry.security.authorization.file.FileAccessPolicyProvider</class> + <property name="User Group Provider">composite-user-group-provider</property> + <property name="Authorizations File">./conf/authorizations.xml</property> + <property name="Initial Admin Identity">User 1/property> + <property name="NiFi Identity 1">cn=nifi-node1,ou=servers,dc=example,dc=com</property> + <property name="NiFi Identity 2">cn=nifi-node2,ou=servers,dc=example,dc=com</property> + </accessPolicyProvider> + + <authorizer> + <identifier>managed-authorizer</identifier> + <class>org.apache.nifi.registry.security.authorization.StandardManagedAuthorizer</class> + <property name="Access Policy Provider">file-access-policy-provider</property> + </authorizer> +</authorizers></pre> +</div> +</div> +<div class="paragraph"> +<p>In this example, the users and groups are loaded from LDAP but the servers are managed in a local file. The <em>Initial Admin Identity</em> value came +from an attribute in a LDAP entry based on the <em>User Identity Attribute</em>. The <em>NiFi Identity</em> values are established in the local file using the +<em>Initial User Identity</em> properties.</p> +</div> +</div> +</div> +</div> +</div> +<div class="sect1"> +<h2 id="encrypted-passwords-in-configuration-files"><a class="anchor" href="administration-guide.html#encrypted-passwords-in-configuration-files"></a>Encrypted Passwords in Configuration Files</h2> +<div class="sectionbody"> +<div class="paragraph"> +<p>In order to facilitate the secure setup of NiFi Registry, you can use the <code>encrypt-config</code> command line utility to encrypt raw configuration values +that NiFi Registry decrypts in memory on startup. This extensible protection scheme transparently allows NiFi Registry to use raw values in operation, +while protecting them at rest. In the future, hardware security modules (HSM) and external secure storage mechanisms will be integrated, but for now, +an AES encryption provider is the default implementation.</p> +</div> +<div class="paragraph"> +<p>If no administrator action is taken, the configuration values remain unencrypted.</p> +</div> +<div class="admonitionblock note"> +<table> +<tr> +<td class="icon"> +<i class="fa icon-note" title="Note"></i> +</td> +<td class="content"> +The <code>encrypt-config</code> tool for NiFi Registry is implemented as an additional mode to the existing tool in the <code>nifi-toolkit</code>. The following sections +assume you have downloaded the binary for the nifi-toolkit. +</td> +</tr> +</table> +</div> +<div class="sect2"> +<h3 id="encrypt-config_tool"><a class="anchor" href="administration-guide.html#encrypt-config_tool"></a>Encrypt-Config Tool</h3> +<div class="paragraph"> +<p>The <code>encrypt-config</code> command line tool can be used to encrypt NiFi Registry configuration by invoking the tool with the following command:</p> +</div> +<div class="listingblock"> +<div class="content"> +<pre>./bin/encrypt-config nifi-registry [options]</pre> +</div> +</div> +<div class="ulist"> +<ul> +<li> +<p><code>-h</code>,<code>--help</code> Show usage information (this message)</p> +</li> +<li> +<p><code>-v</code>,<code>--verbose</code> Enables verbose mode (off by default)</p> +</li> +<li> +<p><code>-p</code>,<code>--password <password></code> Protect the files using a password-derived key. If an argument is not provided to this flag, interactive mode will be triggered to prompt the user to enter the password.</p> +</li> +<li> +<p><code>-k</code>,<code>--key <keyhex></code> Protect the files using a raw hexadecimal key. If an argument is not provided to this flag, interactive mode will be triggered to prompt the user to enter the key.</p> +</li> +<li> +<p><code>--oldPassword <password></code> If the input files are already protected using a password-derived key, this specifies the old password so that the files can be unprotected before re-protecting.</p> +</li> +<li> +<p><code>--oldKey <keyhex></code> If the input files are already protected using a key, this specifies the raw hexadecimal key so that the files can be unprotected before re-protecting.</p> +</li> +<li> +<p><code>-b</code>,<code>--bootstrapConf <file></code> The bootstrap.conf file containing no master key or an existing master key. If a new password/key is specified and no output bootstrap.conf file is specified, then this file will be overwritten to persist the new master key.</p> +</li> +<li> +<p><code>-B</code>,<code>--outputBootstrapConf <file></code> The destination bootstrap.conf file to persist master key. If specified, the input bootstrap.conf will not be modified.</p> +</li> +<li> +<p><code>-r</code>,<code>--nifiRegistryProperties <file></code> The nifi-registry.properties file containing unprotected config values, overwritten if no output file specified.</p> +</li> +<li> +<p><code>-R</code>,<code>--outputNifiRegistryProperties <file></code> The destination nifi-registry.properties file containing protected config values.</p> +</li> +<li> +<p><code>-a</code>,<code>--authorizersXml <file></code> The authorizers.xml file containing unprotected config values, overwritten if no output file specified.</p> +</li> +<li> +<p><code>-A</code>,<code>--outputAuthorizersXml <file></code> The destination authorizers.xml file containing protected config values.</p> +</li> +<li> +<p><code>-i</code>,<code>--identityProvidersXml <file></code> The identity-providers.xml file containing unprotected config values, overwritten if no output file specified.</p> +</li> +<li> +<p><code>-I</code>,<code>--outputIdentityProvidersXml <file></code> The destination identity-providers.xml file containing protected config values.</p> +</li> +</ul> +</div> +<div class="paragraph"> +<p>As an example of how the tool works, assuming that you have installed the tool on a machine supporting 256-bit encryption and with the following existing values in the <em>nifi-registry.properties</em> file:</p>
[... 559 lines stripped ...]
