SSLContextService Issue on Minifi

2017-07-27 Thread Harrison Unruh 
Hello,

I've been trying to configure Minifi to work with the SSLContextService,
and have been running into an error I can't find much documentation on:

ERROR [main] o.apache.nifi.controller.FlowController Unable to start
PostHTTP[id=80508d8d-015d-1000--] due to
java.lang.IllegalStateException: Processor PostHTTP is not in a valid state
due to ['SSL Context Service' validated against
'854b66f7-015d-1000--' is invalid because
StandardSSLContextService - 0.2.0 from org.apache.nifi.minifi -
minifi-ssl-context-service-nar is not compatible with SSLContextService -
unversioned from default - system]

I've tried quite a few configurations of the StandardSSLContextService I'm
using in my flow but haven't been able to avoid this. I was wondering if
you would have any ideas on what would cause this?

Thanks!

Re: Review PR 2020 - Add PutKudu Processor for Kudu

2017-07-27 Thread Ricky Saltzer 
Hi Cam -

Thanks for the PR, I'll see if I can take a look this afternoon.

Ricky

On Thu, Jul 27, 2017 at 2:08 PM, Cam Q. Mach  wrote:

> Can some body help to review this PR?
>
>
>
> Thanks,
>
> Cam
>
>
>
> *From:* Cam Q. Mach
> *Sent:* Friday, July 21, 2017 4:38 PM
> *To:* dev@nifi.apache.org
> *Cc:* William Li 
> *Subject:* RE: Review PR 2020 - Add PutKudu Processor for Kudu
>
>
>
> Anyone interested in reviewing this PR?
>
>
>
> Thanks,
>
> Cam Mach
>
> Inspur USA
>
>
>
> *From:* Cam Q. Mach
> *Sent:* Thursday, July 20, 2017 9:58 AM
> *To:* dev@nifi.apache.org
> *Subject:* Review PR 2020 - Add PutKudu Processor for Kudu
>
>
>
> Hello NiFi Dev,
>
>
>
> Would you please help to review this Pull Request?
>
> https://github.com/apache/nifi/pull/2020
>
>
>
> Jira: https://issues.apache.org/jira/browse/NIFI-3973
>
>
>
> Thanks,
>
> Cam Mach
>
> Inspur USA
>



-- 
Ricky Saltzer
http://www.cloudera.com

Re: Review PR 2020 - Add PutKudu Processor for Kudu

2017-07-27 Thread Joe Witt 
Cam,

I am still willing to help review but i ask that you please be
patient.  Hopefully someone else can help sooner but if not i am still
happy to when able.  We have 91 outstanding PRs at this time and
probably a few more patch available items in Apache NiFi
contributions.  You could consider also helping review other work.

Thanks

On Thu, Jul 27, 2017 at 2:08 PM, Cam Q. Mach  wrote:
> Can some body help to review this PR?
>
>
>
> Thanks,
>
> Cam
>
>
>
> From: Cam Q. Mach
> Sent: Friday, July 21, 2017 4:38 PM
> To: dev@nifi.apache.org
> Cc: William Li 
> Subject: RE: Review PR 2020 - Add PutKudu Processor for Kudu
>
>
>
> Anyone interested in reviewing this PR?
>
>
>
> Thanks,
>
> Cam Mach
>
> Inspur USA
>
>
>
> From: Cam Q. Mach
> Sent: Thursday, July 20, 2017 9:58 AM
> To: dev@nifi.apache.org
> Subject: Review PR 2020 - Add PutKudu Processor for Kudu
>
>
>
> Hello NiFi Dev,
>
>
>
> Would you please help to review this Pull Request?
>
> https://github.com/apache/nifi/pull/2020
>
>
>
> Jira: https://issues.apache.org/jira/browse/NIFI-3973
>
>
>
> Thanks,
>
> Cam Mach
>
> Inspur USA

RE: Review PR 2020 - Add PutKudu Processor for Kudu

2017-07-27 Thread Cam Q. Mach 
Can some body help to review this PR?

 

Thanks,

Cam

 

From: Cam Q. Mach 
Sent: Friday, July 21, 2017 4:38 PM
To: dev@nifi.apache.org
Cc: William Li 
Subject: RE: Review PR 2020 - Add PutKudu Processor for Kudu

 

Anyone interested in reviewing this PR?

 

Thanks,

Cam Mach

Inspur USA

 

From: Cam Q. Mach 
Sent: Thursday, July 20, 2017 9:58 AM
To: dev@nifi.apache.org  
Subject: Review PR 2020 - Add PutKudu Processor for Kudu

 

Hello NiFi Dev,

 

Would you please help to review this Pull Request?

https://github.com/apache/nifi/pull/2020

 

Jira: https://issues.apache.org/jira/browse/NIFI-3973

 

Thanks,

Cam Mach

Inspur USA



smime.p7s
Description: S/MIME cryptographic signature

Re: AuthorizerContext

2017-07-27 Thread Mark Bean 
I neglected to make the method public. All better now. Thanks for
confirming.


On Thu, Jul 27, 2017 at 1:59 PM, Matt Gilman 
wrote:

> Yes. The setter is invoked prior to initialize(...) and onConfigured(...)
> [1]. Can you debug and see where it's failing?
>
> Matt
>
> [1] https://github.com/apache/nifi/blob/master/nifi-nar-
> bundles/nifi-framework-bundle/nifi-framework/nifi-
> authorizer/src/main/java/org/apache/nifi/authorization/
> AuthorizerFactoryBean.java#L311
>
> On Thu, Jul 27, 2017 at 1:51 PM, Mark Bean  wrote:
>
> > I am writing a custom authorizer, and I need access to some properties in
> > nifi.properties during the onConfigured method. It is similar to the
> usage
> > in FileAccessPolicyProvider. In this class, there is a setNiFiProperties
> > method annotated with @AuthorizerContext. Presumably, this annotation
> > causes the framework to execute the method. When does this occur? More
> > specifically, does it occur before the onConfigured method is invoked?
> >
> > In my testing, setNiFiProperties is not being called - at least not prior
> > to onConfigured in which case an NPE is thrown due to the properties not
> > being set.
> >
> > Thanks,
> > Mark
> >
>

Re: AuthorizerContext

2017-07-27 Thread Matt Gilman 
Yes. The setter is invoked prior to initialize(...) and onConfigured(...)
[1]. Can you debug and see where it's failing?

Matt

[1] https://github.com/apache/nifi/blob/master/nifi-nar-
bundles/nifi-framework-bundle/nifi-framework/nifi-
authorizer/src/main/java/org/apache/nifi/authorization/
AuthorizerFactoryBean.java#L311

On Thu, Jul 27, 2017 at 1:51 PM, Mark Bean  wrote:

> I am writing a custom authorizer, and I need access to some properties in
> nifi.properties during the onConfigured method. It is similar to the usage
> in FileAccessPolicyProvider. In this class, there is a setNiFiProperties
> method annotated with @AuthorizerContext. Presumably, this annotation
> causes the framework to execute the method. When does this occur? More
> specifically, does it occur before the onConfigured method is invoked?
>
> In my testing, setNiFiProperties is not being called - at least not prior
> to onConfigured in which case an NPE is thrown due to the properties not
> being set.
>
> Thanks,
> Mark
>

AuthorizerContext

2017-07-27 Thread Mark Bean 
I am writing a custom authorizer, and I need access to some properties in
nifi.properties during the onConfigured method. It is similar to the usage
in FileAccessPolicyProvider. In this class, there is a setNiFiProperties
method annotated with @AuthorizerContext. Presumably, this annotation
causes the framework to execute the method. When does this occur? More
specifically, does it occur before the onConfigured method is invoked?

In my testing, setNiFiProperties is not being called - at least not prior
to onConfigured in which case an NPE is thrown due to the properties not
being set.

Thanks,
Mark

How to upload avro schema from external file to AvroSchemaRegistry

2017-07-27 Thread Anna Lysenko 
Hello,

I started using nifi, and using AvroSchemaRegistry for storing schema for 
CSVWriter.

I have to upload avro schema using UI.  I would like to use expression language 
to have schema stored outside of NIFI as external file.   Is this possible?

Thank you,
Anna

Re: why cant nifi perform user authentication over http

2017-07-27 Thread Sam Feng 
Hello Joe
   The scene is that we want to put nifi into an iframe page in our platform. 
because of nifi dosen't support multi-cavas for multi-tenants, we may use 
multi-nifi-instance in our platform to suport multi-tenants. That is to say  
one group of users use one instance of nifi while another group use another 
instance. 
   The problem is that using https in an iframe is not as friendly as http. 
because a SSL connection needs cert for authentication , and when using LDAP 
with https the connection will be considered not secure by browser(our cert is 
generate by nifi-toolkit). For a good User Experience we need to use http 
rather than https.

Thank you anyway.
YuNing


On 2017-07-26 01:04 (+0800), Joe Witt  wrote: 
> YuNing
> 
> What can we do to help you setup an HTTPS based environment?  We can
> support LDAP-based username and password authentication in that
> environment.  We've basically taken a "what is the point" approach to
> trying to add authentication/authorization in the HTTP only context so
> all is based around HTTPS as the entry point.  From there we've put in
> a lot of effort to help you choose the most effective
> authentication/authorization model for your case.  There are also some
> nice toolkit capabilities that come with the release now too to help
> with cert creation.
> 
> Thanks
> Joe
> 
> On Tue, Jul 25, 2017 at 12:54 PM, Andy LoPresto  wrote:
> > Modifying NiFi’s source code to provide user authentication and
> > authorization over HTTP is highly discouraged. Along with the possibility
> > for credential leak that Kevin mentioned, any plaintext HTTP request can be
> > intercepted, monitored, and modified before being relayed to the NiFi
> > application. This means that any and all actions are susceptible to
> > malicious changes, and any entity monitoring the network can perform actions
> > under the assumed identity of another user. This would be an incredible
> > amount of effort and almost definitely pointless.
> >
> >
> > Andy LoPresto
> > alopre...@apache.org
> > alopresto.apa...@gmail.com
> > PGP Fingerprint: 70EC B3E5 98A6 5A3F D3C4  BACE 3C6E F65B 2F7D EF69
> >
> > On Jul 25, 2017, at 7:09 AM, Kevin Doran  wrote:
> >
> > Hi YuNing,
> >
> > In your original post, you mentioned a need for multi-tenant authorization.
> > For that use case, I would not recommend transmitting passwords, even
> > encrypted/hashed passwords, over unencrypted HTTP, as the authorized
> > operations would be still be vulnerable to man-in-the-middle (MITM) attacks
> > and replay attacks.
> >
> > As you mentioned, modifying the NiFi source code to allow authorization over
> > HTTP instead of HTTPS would be a significant task, and at the end of the day
> > would have the vulnerabilities I described. My advice is that it would be a
> > better use of time and effort to configure your NiFi server(s) to use HTTPS.
> > The NiFi Toolkit [1] [2] includes TLS utilities to make this easier, and
> > there are plenty of folks on this list who can assist you if you have
> > questions while setting up HTTPS.
> >
> > If you truly do not need to worry about security for your use case and do
> > not want to use HTTPS, then using HTTP without authorization is an option.
> >
> > Regards,
> > Kevin
> >
> > [1] https://nifi.apache.org/download.html
> > [2]
> > https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#tls-generation-toolkit
> >
> > On 7/24/17, 23:00, "Sam Feng"  wrote:
> >
> >Hello Kevin,
> >
> >   Your answers helps me a lot.  Now i am trying to modify nifi`s
> > sourcecode to enable http authentication, because the platform where i am
> > using nifi is not that sensitive about security, and we use ldap as
> > login-identity-providers whitch password is already encrypted by an unique
> > key.
> >But i find it difficult to modify it`s sourceCode. there so many
> > places that limit login and authentication from http, and i have to edit all
> > of it, which will certainly take a lot of time to find them.
> >Do you have any idea on how to modify nifi`s code more efficiently,
> > or if there are  some other way to get what i want.
> >
> >As you can see my English is poor, thanks for you patience.
> >
> >Thanks for your reply.
> >Best Regards
> >YuNing
> >
> >
> >On 2017-07-21 19:07 (+0800), Kevin Doran  wrote:
> >
> > Hi,
> >
> > You are correct, NiFi requires an encrypted connection for user
> > authentication. This is because client identity is established in one of two
> > ways:
> >
> > - user name & password, which should not be sent over a non-encrypted
> > connection
> > - client certificate in a two-way TLS (HTTPS) connection
> >
> > I hope this answers your question. If HTTPS is suitable for your needs, here
> > are some resources to help you get started:
> >
> > - NiFi System Administration Guide, specifically