I created a Jira to make sure we update that paragraph in the 1.x User Guide:
https://issues.apache.org/jira/browse/NIFI-3526

-Drew

> On Feb 23, 2017, at 1:48 PM, Bryan Bende <[email protected]> wrote:
>
> Mark,
>
> I think you are correct that the paragraph in the user guide should be updated for 1.x.
>
> I know the admin guide has a section about users and policies in general, but not necessarily specific to site-to-site:
>
> https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#config-users-access-policies
>
> I also have a blog post here, but I realize it is not official documentation:
>
> http://bryanbende.com/development/2016/08/30/apache-nifi-1.0.0-secure-site-to-site
>
> Thanks,
>
> Bryan
>
> On Thu, Feb 23, 2017 at 1:33 PM, Mark Bean <[email protected]> wrote:
>> Ok. Understood. I created the policy and added the user (server.) All is working as expected now.
>>
>> Is this process of manipulating policies required for secure site-to-site documented anywhere? The User Guide still talked about Access Control and the NiFi Role, which seems to apply only to 0.x.
>>
>> Thanks,
>> Mark
>>
>> On Thu, Feb 23, 2017 at 1:11 PM, Bryan Bende <[email protected]> wrote:
>>
>>> Mark,
>>>
>>> When you are looking at the "receive data via site-to-site" for the input port, is there a link across the top to "Create Policy"?
>>>
>>> I think you need to create a policy first, then you can add users.
>>>
>>> Thanks,
>>>
>>> Bryan
>>>
>>> On Thu, Feb 23, 2017 at 1:01 PM, Mark Bean <[email protected]> wrote:
>>>> Bryan,
>>>>
>>>> The server is listed on the global policy for "retrieve site-to-site details". However, I am not able to add users to the "receive data via site-to-site" policy for the given Input Port (the add user button is grayed out.) Under global access policies, "access all policies/modify", I am listed as a user. Shouldn't this allow me to modify the policy (i.e. add a user) on the Input Port?
>>>>
>>>> Thanks again,
>>>> Mark
>>>>
>>>> On Thu, Feb 23, 2017 at 12:50 PM, Bryan Bende <[email protected]> wrote:
>>>>
>>>>> Hi Mark,
>>>>>
>>>>> There are two policies needed for secure site-to-site...
>>>>>
>>>>> In the global policies there needs to be a policy for "retrieve site-to-site details" with the user of the server added.
>>>>>
>>>>> In the policies for the port (from the palette on the left when the port is selected) there needs to be a policy for "receive data via site-to-site" with the user of the server added.
>>>>>
>>>>> Thanks,
>>>>>
>>>>> Bryan
>>>>>
>>>>> On Thu, Feb 23, 2017 at 12:34 PM, Mark Bean <[email protected]> wrote:
>>>>>> I am attempting to set up secure site-to-site using NiFi 1.1.1. I have secured NiFi, and am able to access the UI securely via HTTPS. I have set the following security-related properties:
>>>>>>
>>>>>> nifi.sensitive.props.key=<key-value>
>>>>>> nifi.sensitive.props.key.protected=
>>>>>> nifi.sensitive.props.algorithm=PBEWITHMD5AND256BITAES-CBC-OPENSSL
>>>>>> nifi.sensitive.props.provider=BC
>>>>>> nifi.sensitive.props.aditional.keys=
>>>>>>
>>>>>> nifi.security.keystore=<keystore-file>
>>>>>> nifi.security.keystoreType=JKS
>>>>>> nifi.security.keystorePasswd=<password>
>>>>>> nifi.security.keyPasswd=<password>
>>>>>> nifi.security.truststore=<truststore-file>
>>>>>> nifi.security.truststoreType=JKS
>>>>>> nifi.security.trsustorePasswd=<password>
>>>>>> nifi.security.needClientAuth=true
>>>>>> nifi.security.user.authorizer=file-provider
>>>>>> nifi.security.user.login.identity.provider=
>>>>>>
>>>>>> I also set the site-to-site properties:
>>>>>> nifi.remote.input.host=<host-fqdn>
>>>>>> nifi.remote.input.secure=true
>>>>>> nifi.remote.input.socket.port=<port, different from https UI port>
>>>>>> nifi.remote.input.http.enabled=true
>>>>>> nifi.remote.input.http.tansaction.ttl=30 sec
>>>>>>
>>>>>> The authorizers.xml has been set up to import the legacy authorized-users.xml. And this correctly populated the users.xml to include the remote server for the site-to-site. It also added users to the authorizations.xml file to include the user (i.e. server) with site-to-site resource (both R and W).
>>>>>>
>>>>>> Despite this setup, the Input Port on the UI does not show an Access Control tab as in NiFi 0.x. I am not sure how to authorize the remote server such that the Input Port will be displayed in the remote server's Remote Process Group's list of ports.
>>>>>>
>>>>>> Have I missed a step in the security and/or user authentication setup?
>>>>>>
>>>>>> Thanks,
>>>>>> Mark
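The thread above boils down to two policies the remote server's identity must hold: the global "retrieve site-to-site details" policy and the per-port "receive data via site-to-site" policy. The following script is an added example, not code from the NiFi project or from anyone in the thread: it audits a NiFi 1.x file-provider configuration for those two policies. It assumes the users.xml and authorizations.xml layouts shown in the constructed samples, and it assumes the resource paths `/site-to-site` (action R) and `/data-transfer/input-ports/<port-id>` (action W) are what the two UI policy names map to; treat both as assumptions to confirm against your own files.

```python
"""Audit a NiFi 1.x file-provider configuration for the two policies a
remote server needs to pull from an input port over secure site-to-site.
Added example; the file layouts and resource paths are assumptions."""
import xml.etree.ElementTree as ET

# Constructed sample users.xml: the remote server's certificate DN is its
# identity; authorizations.xml refers to users by identifier, not identity.
USERS_XML = """<tenants>
  <groups/>
  <users>
    <user identifier="u-server-1" identity="CN=server, OU=NIFI"/>
    <user identifier="u-mark-1" identity="CN=mark, OU=NIFI"/>
  </users>
</tenants>"""

# Constructed sample authorizations.xml: the global policy is present for
# the server, but the per-port policy is not (the situation in the thread).
AUTHZ_XML = """<authorizations>
  <policies>
    <policy identifier="p-1" resource="/site-to-site" action="R">
      <user identifier="u-server-1"/>
    </policy>
    <policy identifier="p-2" resource="/data-transfer/input-ports/port-1234" action="W">
      <user identifier="u-mark-1"/>
    </policy>
    <policy identifier="p-3" resource="/policies" action="W">
      <user identifier="u-mark-1"/>
    </policy>
  </policies>
</authorizations>"""


def load_identifiers(users_xml):
    """Map user identity (DN) -> identifier, reading only <users>/<user>
    so that group membership entries (which carry no identity) are skipped."""
    root = ET.fromstring(users_xml)
    return {u.get("identity"): u.get("identifier")
            for u in root.findall("./users/user")}


def load_policies(authz_xml):
    """Map (resource, action) -> set of user identifiers granted that policy."""
    root = ET.fromstring(authz_xml)
    policies = {}
    for p in root.iter("policy"):
        key = (p.get("resource"), p.get("action"))
        policies.setdefault(key, set()).update(
            u.get("identifier") for u in p.findall("user"))
    return policies


def missing_site_to_site_policies(users_xml, authz_xml, identity, port_id):
    """Return a list describing each required policy the identity lacks
    (empty list means the identity is fully authorized for the port)."""
    uid = load_identifiers(users_xml).get(identity)
    if uid is None:
        return [f"user {identity!r} not present in users.xml"]
    policies = load_policies(authz_xml)
    required = [
        # global: "retrieve site-to-site details" (assumed resource path)
        ("/site-to-site", "R"),
        # per port: "receive data via site-to-site" (assumed resource path)
        (f"/data-transfer/input-ports/{port_id}", "W"),
    ]
    return [f"{res} [{act}]" for res, act in required
            if uid not in policies.get((res, act), set())]


if __name__ == "__main__":
    for problem in missing_site_to_site_policies(
            USERS_XML, AUTHZ_XML, "CN=server, OU=NIFI", "port-1234"):
        print("missing:", problem)
```

Run against real files by reading them into the two string arguments; the port id is the UUID NiFi shows for the input port, which is also the trailing segment of the resource path. Note that a user listed under "access all policies/modify" (the `/policies` write policy in the sample) can edit policies but is not thereby granted either site-to-site policy, which matches the experience described in the thread.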
