Added: nifi/site/trunk/docs/nifi-docs/html/administration-guide.html URL: http://svn.apache.org/viewvc/nifi/site/trunk/docs/nifi-docs/html/administration-guide.html?rev=1811008&view=auto ============================================================================== --- nifi/site/trunk/docs/nifi-docs/html/administration-guide.html (added) +++ nifi/site/trunk/docs/nifi-docs/html/administration-guide.html Tue Oct 3 13:30:16 2017 @@ -0,0 +1,6631 @@ +<!-- + Licensed to the Apache Software Foundation (ASF) under one or more + contributor license agreements. See the NOTICE file distributed with + this work for additional information regarding copyright ownership. + The ASF licenses this file to You under the Apache License, Version 2.0 + (the "License"); you may not use this file except in compliance with + the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. + --> + <!DOCTYPE html> +<html lang="en"> +<head> +<meta charset="UTF-8"> +<!--[if IE]><meta http-equiv="X-UA-Compatible" content="IE=edge"><![endif]--> +<meta name="viewport" content="width=device-width, initial-scale=1.0"> +<meta name="generator" content="Asciidoctor 1.5.2"> +<meta name="author" content="Apache NiFi Team"> +<title>NiFi System Administrator’s Guide</title> +<style> +/* Asciidoctor default stylesheet | MIT License | http://asciidoctor.org */ +/* Copyright (C) 2012-2015 Dan Allen, Ryan Waldron and the Asciidoctor Project + +Permission is hereby granted, free of charge, to any person obtaining a copy +of this software and associated documentation files (the "Software"), to deal +in the Software without restriction, including without limitation the rights +to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +copies of the Software, and to permit persons to whom the Software is +furnished to do so, subject to the following conditions: + +The above copyright notice and this permission notice shall be included in +all copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN +THE SOFTWARE. */ +/* Remove the comments around the @import statement below when using this as a custom stylesheet */ +@import "https://fonts.googleapis.com/css?family=Open+Sans:300,300italic,400,400italic,600,600italic%7CNoto+Serif:400,400italic,700,700italic%7CDroid+Sans+Mono:400";; +article,aside,details,figcaption,figure,footer,header,hgroup,main,nav,section,summary{display:block} +audio,canvas,video{display:inline-block} +audio:not([controls]){display:none;height:0} +[hidden],template{display:none} +script{display:none!important} +html{font-family:sans-serif;-ms-text-size-adjust:100%;-webkit-text-size-adjust:100%} +body{margin:0} +a{background:transparent} +a:focus{outline:thin dotted} +a:active,a:hover{outline:0} +h1{font-size:2em;margin:.67em 0} +abbr[title]{border-bottom:1px dotted} +b,strong{font-weight:bold} +dfn{font-style:italic} +hr{-moz-box-sizing:content-box;box-sizing:content-box;height:0} +mark{background:#ff0;color:#000} +code,kbd,pre,samp{font-family:monospace;font-size:1em} +pre{white-space:pre-wrap} +q{quotes:"\201C" "\201D" "\2018" "\2019"} +small{font-size:80%} +sub,sup{font-size:75%;line-height:0;position:relative;vertical-align:baseline} +sup{top:-.5em} +sub{bottom:-.25em} +img{border:0} +svg:not(:root){overflow:hidden} +figure{margin:0} +fieldset{border:1px solid silver;margin:0 2px;padding:.35em .625em .75em} +legend{border:0;padding:0} +button,input,select,textarea{font-family:inherit;font-size:100%;margin:0} +button,input{line-height:normal} +button,select{text-transform:none} +button,html input[type="button"],input[type="reset"],input[type="submit"]{-webkit-appearance:button;cursor:pointer} +button[disabled],html input[disabled]{cursor:default} +input[type="checkbox"],input[type="radio"]{box-sizing:border-box;padding:0} +input[type="search"]{-webkit-appearance:textfield;-moz-box-sizing:content-box;-webkit-box-sizing:content-box;box-sizing:content-box} +input[type="search"]::-webkit-search-cancel-button,input[type="search"]::-webkit-search-decoration{-webkit-appearance:none} +button::-moz-focus-inner,input::-moz-focus-inner{border:0;padding:0} +textarea{overflow:auto;vertical-align:top} +table{border-collapse:collapse;border-spacing:0} +*,*:before,*:after{-moz-box-sizing:border-box;-webkit-box-sizing:border-box;box-sizing:border-box} +html,body{font-size:100%} +body{background:#fff;color:rgba(0,0,0,.8);padding:0;margin:0;font-family:"Noto Serif","DejaVu Serif",serif;font-weight:400;font-style:normal;line-height:1;position:relative;cursor:auto} +a:hover{cursor:pointer} +img,object,embed{max-width:100%;height:auto} +object,embed{height:100%} +img{-ms-interpolation-mode:bicubic} +#map_canvas img,#map_canvas embed,#map_canvas object,.map_canvas img,.map_canvas embed,.map_canvas object{max-width:none!important} +.left{float:left!important} +.right{float:right!important} +.text-left{text-align:left!important} +.text-right{text-align:right!important} +.text-center{text-align:center!important} +.text-justify{text-align:justify!important} +.hide{display:none} +.antialiased,body{-webkit-font-smoothing:antialiased} +img{display:inline-block;vertical-align:middle} +textarea{height:auto;min-height:50px} +select{width:100%} +p.lead,.paragraph.lead>p,#preamble>.sectionbody>.paragraph:first-of-type p{font-size:1.21875em;line-height:1.6} +.subheader,.admonitionblock td.content>.title,.audioblock>.title,.exampleblock>.title,.imageblock>.title,.listingblock>.title,.literalblock>.title,.stemblock>.title,.openblock>.title,.paragraph>.title,.quoteblock>.title,table.tableblock>.title,.verseblock>.title,.videoblock>.title,.dlist>.title,.olist>.title,.ulist>.title,.qlist>.title,.hdlist>.title{line-height:1.45;color:#7a2518;font-weight:400;margin-top:0;margin-bottom:.25em} +div,dl,dt,dd,ul,ol,li,h1,h2,h3,#toctitle,.sidebarblock>.content>.title,h4,h5,h6,pre,form,p,blockquote,th,td{margin:0;padding:0;direction:ltr} +a{color:#2156a5;text-decoration:underline;line-height:inherit} +a:hover,a:focus{color:#1d4b8f} +a img{border:none} +p{font-family:inherit;font-weight:400;font-size:1em;line-height:1.6;margin-bottom:1.25em;text-rendering:optimizeLegibility} +p aside{font-size:.875em;line-height:1.35;font-style:italic} +h1,h2,h3,#toctitle,.sidebarblock>.content>.title,h4,h5,h6{font-family:"Open Sans","DejaVu Sans",sans-serif;font-weight:300;font-style:normal;color:#ba3925;text-rendering:optimizeLegibility;margin-top:1em;margin-bottom:.5em;line-height:1.0125em} +h1 small,h2 small,h3 small,#toctitle small,.sidebarblock>.content>.title small,h4 small,h5 small,h6 small{font-size:60%;color:#e99b8f;line-height:0} +h1{font-size:2.125em} +h2{font-size:1.6875em} +h3,#toctitle,.sidebarblock>.content>.title{font-size:1.375em} +h4,h5{font-size:1.125em} +h6{font-size:1em} +hr{border:solid #ddddd8;border-width:1px 0 0;clear:both;margin:1.25em 0 1.1875em;height:0} +em,i{font-style:italic;line-height:inherit} +strong,b{font-weight:bold;line-height:inherit} +small{font-size:60%;line-height:inherit} +code{font-family:"Droid Sans Mono","DejaVu Sans Mono",monospace;font-weight:400;color:rgba(0,0,0,.9);padding-right: 1px;} +ul,ol,dl{font-size:1em;line-height:1.6;margin-bottom:1.25em;list-style-position:outside;font-family:inherit} +ul,ol,ul.no-bullet,ol.no-bullet{margin-left:1.5em} +ul li ul,ul li ol{margin-left:1.25em;margin-bottom:0;font-size:1em} +ul.square li ul,ul.circle li ul,ul.disc li ul{list-style:inherit} +ul.square{list-style-type:square} +ul.circle{list-style-type:circle} +ul.disc{list-style-type:disc} +ul.no-bullet{list-style:none} +ol li ul,ol li ol{margin-left:1.25em;margin-bottom:0} +dl dt{margin-bottom:.3125em;font-weight:bold} +dl dd{margin-bottom:1.25em} +abbr,acronym{text-transform:uppercase;font-size:90%;color:rgba(0,0,0,.8);border-bottom:1px dotted #ddd;cursor:help} +abbr{text-transform:none} +blockquote{margin:0 0 1.25em;padding:.5625em 1.25em 0 1.1875em;border-left:1px solid #ddd} +blockquote cite{display:block;font-size:.9375em;color:rgba(0,0,0,.6)} +blockquote cite:before{content:"\2014 \0020"} +blockquote cite a,blockquote cite a:visited{color:rgba(0,0,0,.6)} +blockquote,blockquote p{line-height:1.6;color:rgba(0,0,0,.85)} +@media only screen and (min-width:768px){h1,h2,h3,#toctitle,.sidebarblock>.content>.title,h4,h5,h6{line-height:1.2} +h1{font-size:2.75em} +h2{font-size:2.3125em} +h3,#toctitle,.sidebarblock>.content>.title{font-size:1.6875em} +h4{font-size:1.4375em}}table{background:#fff;margin-bottom:1.25em;border:solid 1px #dedede} +table thead,table tfoot{background:#f7f8f7;font-weight:bold} +table thead tr th,table thead tr td,table tfoot tr th,table tfoot tr td{padding:.5em .625em .625em;font-size:inherit;color:rgba(0,0,0,.8);text-align:left} +table tr th,table tr td{padding:.5625em .625em;font-size:inherit;color:rgba(0,0,0,.8)} +table tr.even,table tr.alt,table tr:nth-of-type(even){background:#f8f8f7} +table thead tr th,table tfoot tr th,table tbody tr td,table tr td,table tfoot tr td{display:table-cell;line-height:1.6} +h1,h2,h3,#toctitle,.sidebarblock>.content>.title,h4,h5,h6{line-height:1.2;word-spacing:-.05em} +h1 strong,h2 strong,h3 strong,#toctitle strong,.sidebarblock>.content>.title strong,h4 strong,h5 strong,h6 strong{font-weight:400} +.clearfix:before,.clearfix:after,.float-group:before,.float-group:after{content:" ";display:table} +.clearfix:after,.float-group:after{clear:both} +*:not(pre)>code{font-size:.9375em;font-style:normal!important;letter-spacing:0;word-spacing:-.15em;background-color:#f7f7f8;-webkit-border-radius:4px;border-radius:4px;line-height:1.45;text-rendering:optimizeSpeed} +pre,pre>code{line-height:1.45;color:rgba(0,0,0,.9);font-family:"Droid Sans Mono","DejaVu Sans Mono",monospace;font-weight:400;text-rendering:optimizeSpeed} +.keyseq{color:rgba(51,51,51,.8)} +kbd{display:inline-block;color:rgba(0,0,0,.8);font-size:.75em;line-height:1.4;background-color:#f7f7f7;border:1px solid #ccc;-webkit-border-radius:3px;border-radius:3px;-webkit-box-shadow:0 1px 0 rgba(0,0,0,.2),0 0 0 .1em white inset;box-shadow:0 1px 0 rgba(0,0,0,.2),0 0 0 .1em #fff inset;margin:-.15em .15em 0 .15em;padding:.2em .6em .2em .5em;vertical-align:middle;white-space:nowrap} +.keyseq kbd:first-child{margin-left:0} +.keyseq kbd:last-child{margin-right:0} +.menuseq,.menu{color:rgba(0,0,0,.8)} +b.button:before,b.button:after{position:relative;top:-1px;font-weight:400} +b.button:before{content:"[";padding:0 3px 0 2px} +b.button:after{content:"]";padding:0 2px 0 3px} +p a>code:hover{color:rgba(0,0,0,.9)} +#header,#content,#footnotes,#footer{width:100%;margin-left:auto;margin-right:auto;margin-top:0;margin-bottom:0;max-width:62.5em;*zoom:1;position:relative;padding-left:.9375em;padding-right:.9375em} +#header:before,#header:after,#content:before,#content:after,#footnotes:before,#footnotes:after,#footer:before,#footer:after{content:" ";display:table} +#header:after,#content:after,#footnotes:after,#footer:after{clear:both} +#content{margin-top:1.25em} +#content:before{content:none} +#header>h1:first-child{color:rgba(0,0,0,.85);margin-top:2.25rem;margin-bottom:0} +#header>h1:first-child+#toc{margin-top:8px;border-top:1px solid #ddddd8} +#header>h1:only-child,body.toc2 #header>h1:nth-last-child(2){border-bottom:1px solid #ddddd8;padding-bottom:8px} +#header .details{border-bottom:1px solid #ddddd8;line-height:1.45;padding-top:.25em;padding-bottom:.25em;padding-left:.25em;color:rgba(0,0,0,.6);display:-ms-flexbox;display:-webkit-flex;display:flex;-ms-flex-flow:row wrap;-webkit-flex-flow:row wrap;flex-flow:row wrap} +#header .details span:first-child{margin-left:-.125em} +#header .details span.email a{color:rgba(0,0,0,.85)} +#header .details br{display:none} +#header .details br+span:before{content:"\00a0\2013\00a0"} +#header .details br+span.author:before{content:"\00a0\22c5\00a0";color:rgba(0,0,0,.85)} +#header .details br+span#revremark:before{content:"\00a0|\00a0"} +#header #revnumber{text-transform:capitalize} +#header #revnumber:after{content:"\00a0"} +#content>h1:first-child:not([class]){color:rgba(0,0,0,.85);border-bottom:1px solid #ddddd8;padding-bottom:8px;margin-top:0;padding-top:1rem;margin-bottom:1.25rem} +#toc{border-bottom:1px solid #efefed;padding-bottom:.5em} +#toc>ul{margin-left:.125em} +#toc ul.sectlevel0>li>a{font-style:italic} +#toc ul.sectlevel0 ul.sectlevel1{margin:.5em 0} +#toc ul{font-family:"Open Sans","DejaVu Sans",sans-serif;list-style-type:none} +#toc a{text-decoration:none} +#toc a:active{text-decoration:underline} +#toctitle{color:#7a2518;font-size:1.2em} +@media only screen and (min-width:768px){#toctitle{font-size:1.375em} +body.toc2{padding-left:15em;padding-right:0} +#toc.toc2{margin-top:0!important;background-color:#f8f8f7;position:fixed;width:15em;left:0;top:0;border-right:1px solid #efefed;border-top-width:0!important;border-bottom-width:0!important;z-index:1000;padding:1.25em 1em;height:100%;overflow:auto} +#toc.toc2 #toctitle{margin-top:0;font-size:1.2em} +#toc.toc2>ul{font-size:.9em;margin-bottom:0} +#toc.toc2 ul ul{margin-left:0;padding-left:1em} +#toc.toc2 ul.sectlevel0 ul.sectlevel1{padding-left:0;margin-top:.5em;margin-bottom:.5em} +body.toc2.toc-right{padding-left:0;padding-right:15em} +body.toc2.toc-right #toc.toc2{border-right-width:0;border-left:1px solid #efefed;left:auto;right:0}}@media only screen and (min-width:1280px){body.toc2{padding-left:20em;padding-right:0} +#toc.toc2{width:20em} +#toc.toc2 #toctitle{font-size:1.375em} +#toc.toc2>ul{font-size:.95em} +#toc.toc2 ul ul{padding-left:1.25em} +body.toc2.toc-right{padding-left:0;padding-right:20em}}#content #toc{border-style:solid;border-width:1px;border-color:#e0e0dc;margin-bottom:1.25em;padding:1.25em;background:#f8f8f7;-webkit-border-radius:4px;border-radius:4px} +#content #toc>:first-child{margin-top:0} +#content #toc>:last-child{margin-bottom:0} +#footer{max-width:100%;background-color:rgba(0,0,0,.8);padding:1.25em} +#footer-text{color:rgba(255,255,255,.8);line-height:1.44} +.sect1{padding-bottom:.625em} +@media only screen and (min-width:768px){.sect1{padding-bottom:1.25em}}.sect1+.sect1{border-top:1px solid #efefed} +#content h1>a.anchor,h2>a.anchor,h3>a.anchor,#toctitle>a.anchor,.sidebarblock>.content>.title>a.anchor,h4>a.anchor,h5>a.anchor,h6>a.anchor{position:absolute;z-index:1001;width:1.5ex;margin-left:-1.5ex;display:block;text-decoration:none!important;visibility:hidden;text-align:center;font-weight:400} +#content h1>a.anchor:before,h2>a.anchor:before,h3>a.anchor:before,#toctitle>a.anchor:before,.sidebarblock>.content>.title>a.anchor:before,h4>a.anchor:before,h5>a.anchor:before,h6>a.anchor:before{content:"\00A7";font-size:.85em;display:block;padding-top:.1em} +#content h1:hover>a.anchor,#content h1>a.anchor:hover,h2:hover>a.anchor,h2>a.anchor:hover,h3:hover>a.anchor,#toctitle:hover>a.anchor,.sidebarblock>.content>.title:hover>a.anchor,h3>a.anchor:hover,#toctitle>a.anchor:hover,.sidebarblock>.content>.title>a.anchor:hover,h4:hover>a.anchor,h4>a.anchor:hover,h5:hover>a.anchor,h5>a.anchor:hover,h6:hover>a.anchor,h6>a.anchor:hover{visibility:visible} +#content h1>a.link,h2>a.link,h3>a.link,#toctitle>a.link,.sidebarblock>.content>.title>a.link,h4>a.link,h5>a.link,h6>a.link{color:#ba3925;text-decoration:none} +#content h1>a.link:hover,h2>a.link:hover,h3>a.link:hover,#toctitle>a.link:hover,.sidebarblock>.content>.title>a.link:hover,h4>a.link:hover,h5>a.link:hover,h6>a.link:hover{color:#a53221} +.audioblock,.imageblock,.literalblock,.listingblock,.stemblock,.videoblock{margin-bottom:1.25em} +.admonitionblock td.content>.title,.audioblock>.title,.exampleblock>.title,.imageblock>.title,.listingblock>.title,.literalblock>.title,.stemblock>.title,.openblock>.title,.paragraph>.title,.quoteblock>.title,table.tableblock>.title,.verseblock>.title,.videoblock>.title,.dlist>.title,.olist>.title,.ulist>.title,.qlist>.title,.hdlist>.title{text-rendering:optimizeLegibility;text-align:left;font-family:"Noto Serif","DejaVu Serif",serif;font-size:1rem;font-style:italic} +table.tableblock>caption.title{white-space:nowrap;overflow:visible;max-width:0} +.paragraph.lead>p,#preamble>.sectionbody>.paragraph:first-of-type p{color:rgba(0,0,0,.85)} +table.tableblock #preamble>.sectionbody>.paragraph:first-of-type p{font-size:inherit} +.admonitionblock>table{border-collapse:separate;border:0;background:none;width:100%} +.admonitionblock>table td.icon{text-align:center;width:80px} +.admonitionblock>table td.icon img{max-width:none} +.admonitionblock>table td.icon .title{font-weight:bold;font-family:"Open Sans","DejaVu Sans",sans-serif;text-transform:uppercase} +.admonitionblock>table td.content{padding-left:1.125em;padding-right:1.25em;border-left:1px solid #ddddd8;color:rgba(0,0,0,.6)} +.admonitionblock>table td.content>:last-child>:last-child{margin-bottom:0} +.exampleblock>.content{border-style:solid;border-width:1px;border-color:#e6e6e6;margin-bottom:1.25em;padding:1.25em;background:#fff;-webkit-border-radius:4px;border-radius:4px} +.exampleblock>.content>:first-child{margin-top:0} +.exampleblock>.content>:last-child{margin-bottom:0} +.sidebarblock{border-style:solid;border-width:1px;border-color:#e0e0dc;margin-bottom:1.25em;padding:1.25em;background:#f8f8f7;-webkit-border-radius:4px;border-radius:4px} +.sidebarblock>:first-child{margin-top:0} +.sidebarblock>:last-child{margin-bottom:0} +.sidebarblock>.content>.title{color:#7a2518;margin-top:0;text-align:center} +.exampleblock>.content>:last-child>:last-child,.exampleblock>.content .olist>ol>li:last-child>:last-child,.exampleblock>.content .ulist>ul>li:last-child>:last-child,.exampleblock>.content .qlist>ol>li:last-child>:last-child,.sidebarblock>.content>:last-child>:last-child,.sidebarblock>.content .olist>ol>li:last-child>:last-child,.sidebarblock>.content .ulist>ul>li:last-child>:last-child,.sidebarblock>.content .qlist>ol>li:last-child>:last-child{margin-bottom:0} +.literalblock pre,.listingblock pre:not(.highlight),.listingblock pre[class="highlight"],.listingblock pre[class^="highlight "],.listingblock pre.CodeRay,.listingblock pre.prettyprint{background:#f7f7f8} +.sidebarblock .literalblock pre,.sidebarblock .listingblock pre:not(.highlight),.sidebarblock .listingblock pre[class="highlight"],.sidebarblock .listingblock pre[class^="highlight "],.sidebarblock .listingblock pre.CodeRay,.sidebarblock .listingblock pre.prettyprint{background:#f2f1f1} +.literalblock pre,.literalblock pre[class],.listingblock pre,.listingblock pre[class]{-webkit-border-radius:4px;border-radius:4px;word-wrap:break-word;padding:1em;font-size:.8125em} +.literalblock pre.nowrap,.literalblock pre[class].nowrap,.listingblock pre.nowrap,.listingblock pre[class].nowrap{overflow-x:auto;white-space:pre;word-wrap:normal} +@media only screen and (min-width:768px){.literalblock pre,.literalblock pre[class],.listingblock pre,.listingblock pre[class]{font-size:.90625em}}@media only screen and (min-width:1280px){.literalblock pre,.literalblock pre[class],.listingblock pre,.listingblock pre[class]{font-size:1em}}.literalblock.output pre{color:#f7f7f8;background-color:rgba(0,0,0,.9)} +.listingblock pre.highlightjs{padding:0} +.listingblock pre.highlightjs>code{padding:1em;-webkit-border-radius:4px;border-radius:4px} +.listingblock pre.prettyprint{border-width:0} +.listingblock>.content{position:relative} +.listingblock code[data-lang]:before{display:none;content:attr(data-lang);position:absolute;font-size:.75em;top:.425rem;right:.5rem;line-height:1;text-transform:uppercase;color:#999} +.listingblock:hover code[data-lang]:before{display:block} +.listingblock.terminal pre .command:before{content:attr(data-prompt);padding-right:.5em;color:#999} +.listingblock.terminal pre .command:not([data-prompt]):before{content:"$"} +table.pyhltable{border-collapse:separate;border:0;margin-bottom:0;background:none} +table.pyhltable td{vertical-align:top;padding-top:0;padding-bottom:0} +table.pyhltable td.code{padding-left:.75em;padding-right:0} +pre.pygments .lineno,table.pyhltable td:not(.code){color:#999;padding-left:0;padding-right:.5em;border-right:1px solid #ddddd8} +pre.pygments .lineno{display:inline-block;margin-right:.25em} +table.pyhltable .linenodiv{background:none!important;padding-right:0!important} +.quoteblock{margin:0 1em 1.25em 1.5em;display:table} +.quoteblock>.title{margin-left:-1.5em;margin-bottom:.75em} +.quoteblock blockquote,.quoteblock blockquote p{color:rgba(0,0,0,.85);font-size:1.15rem;line-height:1.75;word-spacing:.1em;letter-spacing:0;font-style:italic;text-align:justify} +.quoteblock blockquote{margin:0;padding:0;border:0} +.quoteblock blockquote:before{content:"\201c";float:left;font-size:2.75em;font-weight:bold;line-height:.6em;margin-left:-.6em;color:#7a2518;text-shadow:0 1px 2px rgba(0,0,0,.1)} +.quoteblock blockquote>.paragraph:last-child p{margin-bottom:0} +.quoteblock .attribution{margin-top:.5em;margin-right:.5ex;text-align:right} +.quoteblock .quoteblock{margin-left:0;margin-right:0;padding:.5em 0;border-left:3px solid rgba(0,0,0,.6)} +.quoteblock .quoteblock blockquote{padding:0 0 0 .75em} +.quoteblock .quoteblock blockquote:before{display:none} +.verseblock{margin:0 1em 1.25em 1em} +.verseblock pre{font-family:"Open Sans","DejaVu Sans",sans;font-size:1.15rem;color:rgba(0,0,0,.85);font-weight:300;text-rendering:optimizeLegibility} +.verseblock pre strong{font-weight:400} +.verseblock .attribution{margin-top:1.25rem;margin-left:.5ex} +.quoteblock .attribution,.verseblock .attribution{font-size:.9375em;line-height:1.45;font-style:italic} +.quoteblock .attribution br,.verseblock .attribution br{display:none} +.quoteblock .attribution cite,.verseblock .attribution cite{display:block;letter-spacing:-.05em;color:rgba(0,0,0,.6)} +.quoteblock.abstract{margin:0 0 1.25em 0;display:block} +.quoteblock.abstract blockquote,.quoteblock.abstract blockquote p{text-align:left;word-spacing:0} +.quoteblock.abstract blockquote:before,.quoteblock.abstract blockquote p:first-of-type:before{display:none} +table.tableblock{max-width:100%;border-collapse:separate} +table.tableblock td>.paragraph:last-child p>p:last-child,table.tableblock th>p:last-child,table.tableblock td>p:last-child{margin-bottom:0} +table.spread{width:100%} +table.tableblock,th.tableblock,td.tableblock{border:0 solid #dedede} +table.grid-all th.tableblock,table.grid-all td.tableblock{border-width:0 1px 1px 0} +table.grid-all tfoot>tr>th.tableblock,table.grid-all tfoot>tr>td.tableblock{border-width:1px 1px 0 0} +table.grid-cols th.tableblock,table.grid-cols td.tableblock{border-width:0 1px 0 0} +table.grid-all *>tr>.tableblock:last-child,table.grid-cols *>tr>.tableblock:last-child{border-right-width:0} +table.grid-rows th.tableblock,table.grid-rows td.tableblock{border-width:0 0 1px 0} +table.grid-all tbody>tr:last-child>th.tableblock,table.grid-all tbody>tr:last-child>td.tableblock,table.grid-all thead:last-child>tr>th.tableblock,table.grid-rows tbody>tr:last-child>th.tableblock,table.grid-rows tbody>tr:last-child>td.tableblock,table.grid-rows thead:last-child>tr>th.tableblock{border-bottom-width:0} +table.grid-rows tfoot>tr>th.tableblock,table.grid-rows tfoot>tr>td.tableblock{border-width:1px 0 0 0} +table.frame-all{border-width:1px} +table.frame-sides{border-width:0 1px} +table.frame-topbot{border-width:1px 0} +th.halign-left,td.halign-left{text-align:left} +th.halign-right,td.halign-right{text-align:right} +th.halign-center,td.halign-center{text-align:center} +th.valign-top,td.valign-top{vertical-align:top} +th.valign-bottom,td.valign-bottom{vertical-align:bottom} +th.valign-middle,td.valign-middle{vertical-align:middle} +table thead th,table tfoot th{font-weight:bold} +tbody tr th{display:table-cell;line-height:1.6;background:#f7f8f7} +tbody tr th,tbody tr th p,tfoot tr th,tfoot tr th p{color:rgba(0,0,0,.8);font-weight:bold} +p.tableblock>code:only-child{background:none;padding:0} +p.tableblock{font-size:1em} +td>div.verse{white-space:pre} +ol{margin-left:1.75em} +ul li ol{margin-left:1.5em} +dl dd{margin-left:1.125em} +dl dd:last-child,dl dd:last-child>:last-child{margin-bottom:0} +ol>li p,ul>li p,ul dd,ol dd,.olist .olist,.ulist .ulist,.ulist .olist,.olist .ulist{margin-bottom:.625em} +ul.unstyled,ol.unnumbered,ul.checklist,ul.none{list-style-type:none} +ul.unstyled,ol.unnumbered,ul.checklist{margin-left:.625em} +ul.checklist li>p:first-child>.fa-square-o:first-child,ul.checklist li>p:first-child>.fa-check-square-o:first-child{width:1em;font-size:.85em} +ul.checklist li>p:first-child>input[type="checkbox"]:first-child{width:1em;position:relative;top:1px} +ul.inline{margin:0 auto .625em auto;margin-left:-1.375em;margin-right:0;padding:0;list-style:none;overflow:hidden} +ul.inline>li{list-style:none;float:left;margin-left:1.375em;display:block} +ul.inline>li>*{display:block} +.unstyled dl dt{font-weight:400;font-style:normal} +ol.arabic{list-style-type:decimal} +ol.decimal{list-style-type:decimal-leading-zero} +ol.loweralpha{list-style-type:lower-alpha} +ol.upperalpha{list-style-type:upper-alpha} +ol.lowerroman{list-style-type:lower-roman} +ol.upperroman{list-style-type:upper-roman} +ol.lowergreek{list-style-type:lower-greek} +.hdlist>table,.colist>table{border:0;background:none} +.hdlist>table>tbody>tr,.colist>table>tbody>tr{background:none} +td.hdlist1{padding-right:.75em;font-weight:bold} +td.hdlist1,td.hdlist2{vertical-align:top} +.literalblock+.colist,.listingblock+.colist{margin-top:-.5em} +.colist>table tr>td:first-of-type{padding:0 .75em;line-height:1} +.colist>table tr>td:last-of-type{padding:.25em 0} +.thumb,.th{line-height:0;display:inline-block;border:solid 4px #fff;-webkit-box-shadow:0 0 0 1px #ddd;box-shadow:0 0 0 1px #ddd} +.imageblock.left,.imageblock[style*="float: left"]{margin:.25em .625em 1.25em 0} +.imageblock.right,.imageblock[style*="float: right"]{margin:.25em 0 1.25em .625em} +.imageblock>.title{margin-bottom:0} +.imageblock.thumb,.imageblock.th{border-width:6px} +.imageblock.thumb>.title,.imageblock.th>.title{padding:0 .125em} +.image.left,.image.right{margin-top:.25em;margin-bottom:.25em;display:inline-block;line-height:0} +.image.left{margin-right:.625em} +.image.right{margin-left:.625em} +a.image{text-decoration:none} +span.footnote,span.footnoteref{vertical-align:super;font-size:.875em} +span.footnote a,span.footnoteref a{text-decoration:none} +span.footnote a:active,span.footnoteref a:active{text-decoration:underline} +#footnotes{padding-top:.75em;padding-bottom:.75em;margin-bottom:.625em} +#footnotes hr{width:20%;min-width:6.25em;margin:-.25em 0 .75em 0;border-width:1px 0 0 0} +#footnotes .footnote{padding:0 .375em;line-height:1.3;font-size:.875em;margin-left:1.2em;text-indent:-1.2em;margin-bottom:.2em} +#footnotes .footnote a:first-of-type{font-weight:bold;text-decoration:none} +#footnotes .footnote:last-of-type{margin-bottom:0} +#content #footnotes{margin-top:-.625em;margin-bottom:0;padding:.75em 0} +.gist .file-data>table{border:0;background:#fff;width:100%;margin-bottom:0} +.gist .file-data>table td.line-data{width:99%} +div.unbreakable{page-break-inside:avoid} +.big{font-size:larger} +.small{font-size:smaller} +.underline{text-decoration:underline} +.overline{text-decoration:overline} +.line-through{text-decoration:line-through} +.aqua{color:#00bfbf} +.aqua-background{background-color:#00fafa} +.black{color:#000} +.black-background{background-color:#000} +.blue{color:#0000bf} +.blue-background{background-color:#0000fa} +.fuchsia{color:#bf00bf} +.fuchsia-background{background-color:#fa00fa} +.gray{color:#606060} +.gray-background{background-color:#7d7d7d} +.green{color:#006000} +.green-background{background-color:#007d00} +.lime{color:#00bf00} +.lime-background{background-color:#00fa00} +.maroon{color:#600000} +.maroon-background{background-color:#7d0000} +.navy{color:#000060} +.navy-background{background-color:#00007d} +.olive{color:#606000} +.olive-background{background-color:#7d7d00} +.purple{color:#600060} +.purple-background{background-color:#7d007d} +.red{color:#bf0000} +.red-background{background-color:#fa0000} +.silver{color:#909090} +.silver-background{background-color:#bcbcbc} +.teal{color:#006060} +.teal-background{background-color:#007d7d} +.white{color:#bfbfbf} +.white-background{background-color:#fafafa} +.yellow{color:#bfbf00} +.yellow-background{background-color:#fafa00} +span.icon>.fa{cursor:default} +.admonitionblock td.icon [class^="fa icon-"]{font-size:2.5em;text-shadow:1px 1px 2px rgba(0,0,0,.5);cursor:default} +.admonitionblock td.icon .icon-note:before{content:"\f05a";color:#19407c} +.admonitionblock td.icon .icon-tip:before{content:"\f0eb";text-shadow:1px 1px 2px rgba(155,155,0,.8);color:#111} +.admonitionblock td.icon .icon-warning:before{content:"\f071";color:#bf6900} +.admonitionblock td.icon .icon-caution:before{content:"\f06d";color:#bf3400} +.admonitionblock td.icon .icon-important:before{content:"\f06a";color:#bf0000} +.conum[data-value]{display:inline-block;color:#fff!important;background-color:rgba(0,0,0,.8);-webkit-border-radius:100px;border-radius:100px;text-align:center;font-size:.75em;width:1.67em;height:1.67em;line-height:1.67em;font-family:"Open Sans","DejaVu Sans",sans-serif;font-style:normal;font-weight:bold} +.conum[data-value] *{color:#fff!important} +.conum[data-value]+b{display:none} +.conum[data-value]:after{content:attr(data-value)} +pre .conum[data-value]{position:relative;top:-.125em} +b.conum *{color:inherit!important} +.conum:not([data-value]):empty{display:none} +h1,h2{letter-spacing:-.01em} +dt,th.tableblock,td.content{text-rendering:optimizeLegibility} +p,td.content{letter-spacing:-.01em} +p strong,td.content strong{letter-spacing:-.005em} +p,blockquote,dt,td.content{font-size:1.0625rem} +p{margin-bottom:1.25rem} +.sidebarblock p,.sidebarblock dt,.sidebarblock td.content,p.tableblock{font-size:1em} +.exampleblock>.content{background-color:#fffef7;border-color:#e0e0dc;-webkit-box-shadow:0 1px 4px #e0e0dc;box-shadow:0 1px 4px #e0e0dc} +.print-only{display:none!important} +@media print{@page{margin:1.25cm .75cm} +*{-webkit-box-shadow:none!important;box-shadow:none!important;text-shadow:none!important} +a{color:inherit!important;text-decoration:underline!important} +a.bare,a[href^="#"],a[href^="mailto:"]{text-decoration:none!important} +a[href^="http:"]:not(.bare):after,a[href^="https:"]:not(.bare):after{content:"(" attr(href) ")";display:inline-block;font-size:.875em;padding-left:.25em} +abbr[title]:after{content:" (" attr(title) ")"} +pre,blockquote,tr,img{page-break-inside:avoid} +thead{display:table-header-group} +img{max-width:100%!important} +p,blockquote,dt,td.content{font-size:1em;orphans:3;widows:3} +h2,h3,#toctitle,.sidebarblock>.content>.title{page-break-after:avoid} +#toc,.sidebarblock,.exampleblock>.content{background:none!important} +#toc{border-bottom:1px solid #ddddd8!important;padding-bottom:0!important} +.sect1{padding-bottom:0!important} +.sect1+.sect1{border:0!important} +#header>h1:first-child{margin-top:1.25rem} +body.book #header{text-align:center} +body.book #header>h1:first-child{border:0!important;margin:2.5em 0 1em 0} +body.book #header .details{border:0!important;display:block;padding:0!important} +body.book #header .details span:first-child{margin-left:0!important} +body.book #header .details br{display:block} +body.book #header .details br+span:before{content:none!important} +body.book #toc{border:0!important;text-align:left!important;padding:0!important;margin:0!important} +body.book #toc,body.book #preamble,body.book h1.sect0,body.book .sect1>h2{page-break-before:always} +.listingblock code[data-lang]:before{display:block} +#footer{background:none!important;padding:0 .9375em} +#footer-text{color:rgba(0,0,0,.6)!important;font-size:.9em} +.hide-on-print{display:none!important} +.print-only{display:block!important} +.hide-for-print{display:none!important} +.show-for-print{display:inherit!important}} +</style> +<link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/font-awesome/4.2.0/css/font-awesome.min.css";> +</head> +<body class="article"> +<div id="header"> +<h1>NiFi System Administrator’s Guide</h1> +<div class="details"> +<span id="author" class="author">Apache NiFi Team</span><br> +<span id="email" class="email"><a href="mailto:d...@nifi.apache.org";>d...@nifi.apache.org</a></span><br> +</div> +<div id="toc" class="toc"> +<div id="toctitle">Table of Contents</div> +<ul class="sectlevel1"> +<li><a href="administration-guide.html#system-requirements">System Requirements</a></li> +<li><a href="administration-guide.html#how-to-install-and-start-nifi">How to install and start NiFi</a></li> +<li><a href="administration-guide.html#configuration-best-practices">Configuration Best Practices</a></li> +<li><a href="administration-guide.html#security-configuration">Security Configuration</a> +<ul class="sectlevel2"> +<li><a href="administration-guide.html#tls-generation-toolkit">TLS Generation Toolkit</a></li> +</ul> +</li> +<li><a href="administration-guide.html#user_authentication">User Authentication</a> +<ul class="sectlevel2"> +<li><a href="administration-guide.html#ldap_login_identity_provider">Lightweight Directory Access Protocol (LDAP)</a></li> +<li><a href="administration-guide.html#kerberos_login_identity_provider">Kerberos</a></li> +<li><a href="administration-guide.html#openid_connect">OpenId Connect</a></li> +<li><a href="administration-guide.html#apache_knox">Apache Knox</a></li> +</ul> +</li> +<li><a href="administration-guide.html#multi-tenant-authorization">Multi-Tenant Authorization</a> +<ul class="sectlevel2"> +<li><a href="administration-guide.html#authorizer-configuration">Authorizer Configuration</a></li> +<li><a href="administration-guide.html#authorizers-setup">Authorizers.xml Setup</a></li> +<li><a href="administration-guide.html#config-users-access-policies">Configuring Users & Access Policies</a></li> +</ul> +</li> +<li><a href="administration-guide.html#encryption">Encryption Configuration</a> +<ul class="sectlevel2"> +<li><a href="administration-guide.html#key-derivation-functions">Key Derivation Functions</a></li> +<li><a href="administration-guide.html#salt-and-iv-encoding">Salt and IV Encoding</a></li> +<li><a href="administration-guide.html#java-cryptography-extension-jce-limited-strength-jurisdiction-policies">Java Cryptography Extension (JCE) Limited Strength Jurisdiction Policies</a></li> +<li><a href="administration-guide.html#allow-insecure-cryptographic-modes">Allow Insecure Cryptographic Modes</a></li> +</ul> +</li> +<li><a href="administration-guide.html#encrypted-passwords-in-configuration-files">Encrypted Passwords in Configuration Files</a> +<ul class="sectlevel2"> +<li><a href="administration-guide.html#encrypt-config_tool">Encrypt-Config Tool</a></li> +<li><a href="administration-guide.html#sensitive-property-key-migration">Sensitive Property Key Migration</a></li> +<li><a href="administration-guide.html#existing-flow-migration">Existing Flow Migration</a></li> +<li><a href="administration-guide.html#encrypt-config_password">Password Key Derivation</a></li> +<li><a href="administration-guide.html#encrypt-config_secure_prompt">Secure Prompt</a></li> +</ul> +</li> +<li><a href="administration-guide.html#admin-toolkit">Administrative Tools</a> +<ul class="sectlevel2"> +<li><a href="administration-guide.html#prerequisites-for-running-admin-toolkit-in-a-secure-environment">Prerequisites for Running Admin Toolkit in a Secure Environment</a></li> +<li><a href="administration-guide.html#notify">Notify</a></li> +<li><a href="administration-guide.html#node-manager">Node Manager</a></li> +<li><a href="administration-guide.html#file-manager">File Manager</a></li> +<li><a href="administration-guide.html#expected-behavior-2">Expected Behavior</a></li> +</ul> +</li> +<li><a href="administration-guide.html#clustering">Clustering Configuration</a></li> +<li><a href="administration-guide.html#state_management">State Management</a> +<ul class="sectlevel2"> +<li><a href="administration-guide.html#state_providers">Configuring State Providers</a></li> +<li><a href="administration-guide.html#embedded_zookeeper">Embedded ZooKeeper Server</a></li> +<li><a href="administration-guide.html#zk_access_control">ZooKeeper Access Control</a></li> +<li><a href="administration-guide.html#securing_zookeeper">Securing ZooKeeper</a></li> +<li><a href="administration-guide.html#zookeeper_migrator">ZooKeeper Migrator</a></li> +</ul> +</li> +<li><a href="administration-guide.html#bootstrap_properties">Bootstrap Properties</a></li> +<li><a href="administration-guide.html#notification_services">Notification Services</a> +<ul class="sectlevel2"> +<li><a href="administration-guide.html#email-notification-service-br">Email Notification Service<br></a></li> +<li><a href="administration-guide.html#http-notification-service-br">HTTP Notification Service<br></a></li> +</ul> +</li> +<li><a href="administration-guide.html#proxy_configuration">Proxy Configuration</a></li> +<li><a href="administration-guide.html#kerberos_service">Kerberos Service</a> +<ul class="sectlevel2"> +<li><a href="administration-guide.html#kerberos_service_notes">Notes</a></li> +</ul> +</li> +<li><a href="administration-guide.html#system_properties">System Properties</a> +<ul class="sectlevel2"> +<li><a href="administration-guide.html#core-properties-br">Core Properties<br></a></li> +<li><a href="administration-guide.html#state-management-br">State Management<br></a></li> +<li><a href="administration-guide.html#h2-settings">H2 Settings</a></li> +<li><a href="administration-guide.html#flowfile-repository">FlowFile Repository</a></li> +<li><a href="administration-guide.html#swap-management">Swap Management</a></li> +<li><a href="administration-guide.html#content-repository">Content Repository</a></li> +<li><a href="administration-guide.html#file-system-content-repository-properties">File System Content Repository Properties</a></li> +<li><a href="administration-guide.html#volatile-content-repository-properties">Volatile Content Repository Properties</a></li> +<li><a href="administration-guide.html#provenance-repository">Provenance Repository</a></li> +<li><a href="administration-guide.html#persistent-provenance-repository-properties">Persistent Provenance Repository Properties</a></li> +<li><a href="administration-guide.html#volatile-provenance-repository-properties">Volatile Provenance Repository Properties</a></li> +<li><a href="administration-guide.html#write-ahead-provenance-repository-properties">Write Ahead Provenance Repository Properties</a></li> +<li><a href="administration-guide.html#encrypted-write-ahead-provenance-repository-properties">Encrypted Write Ahead Provenance Repository Properties</a></li> +<li><a href="administration-guide.html#component-status-repository">Component Status Repository</a></li> +<li><a href="administration-guide.html#site_to_site_properties">Site to Site Properties</a></li> +<li><a href="administration-guide.html#web-properties">Web Properties</a></li> +<li><a href="administration-guide.html#security-properties">Security Properties</a></li> +<li><a href="administration-guide.html#identity-mapping-properties">Identity Mapping Properties</a></li> +<li><a href="administration-guide.html#cluster-common-properties">Cluster Common Properties</a></li> +<li><a href="administration-guide.html#cluster-node-properties">Cluster Node Properties</a></li> +<li><a href="administration-guide.html#claim_management">Claim Management</a></li> +<li><a href="administration-guide.html#zookeeper-properties">ZooKeeper Properties</a></li> +<li><a href="administration-guide.html#kerberos_properties">Kerberos Properties</a></li> +<li><a href="administration-guide.html#custom_properties">Custom Properties</a></li> +</ul> +</li> +</ul> +</div> +</div> +<div id="content"> +<div class="sect1"> +<h2 id="system-requirements"><a class="anchor" href="administration-guide.html#system-requirements"></a>System Requirements</h2> +<div class="sectionbody"> +<div class="paragraph"> +<p>Apache NiFi can run on something as simple as a laptop, but it can also be clustered across many enterprise-class servers. Therefore, the amount of hardware and memory needed will depend on the size and nature of the dataflow involved. The data is stored on disk while NiFi is processing it. So NiFi needs to have sufficient disk space allocated for its various repositories, particularly the content repository, flowfile repository, and provenance repository (see the <a href="administration-guide.html#system_properties">System Properties</a> section for more information about these repositories). NiFi has the following minimum system requirements:</p> +</div> +<div class="ulist"> +<ul> +<li> +<p>Requires Java 8 or newer</p> +</li> +<li> +<p>Supported Operating Systems:</p> +<div class="ulist"> +<ul> +<li> +<p>Linux</p> +</li> +<li> +<p>Unix</p> +</li> +<li> +<p>Windows</p> +</li> +<li> +<p>Mac OS X</p> +</li> +</ul> +</div> +</li> +<li> +<p>Supported Web Browsers:</p> +<div class="ulist"> +<ul> +<li> +<p>Microsoft Edge: Current & (Current - 1)</p> +</li> +<li> +<p>Mozilla FireFox: Current & (Current - 1)</p> +</li> +<li> +<p>Google Chrome: Current & (Current - 1)</p> +</li> +<li> +<p>Safari: Current & (Current - 1)</p> +</li> +</ul> +</div> +</li> +</ul> +</div> +<div class="paragraph"> +<p><strong>Note</strong> Under sustained and extremely high throughput the CodeCache settings may need to be tuned to avoid sudden performance loss. See the <a href="administration-guide.html#bootstrap_properties">Bootstrap Properties</a> section for more information.</p> +</div> +</div> +</div> +<div class="sect1"> +<h2 id="how-to-install-and-start-nifi"><a class="anchor" href="administration-guide.html#how-to-install-and-start-nifi"></a>How to install and start NiFi</h2> +<div class="sectionbody"> +<div class="ulist"> +<ul> +<li> +<p>Linux/Unix/OS X</p> +<div class="ulist"> +<ul> +<li> +<p>Decompress and untar into desired installation directory</p> +</li> +<li> +<p>Make any desired edits in files found under <installdir>/conf</p> +<div class="ulist"> +<ul> +<li> +<p>At a minimum, we recommend editing the <em>nifi.properties</em> file and entering a password for the nifi.sensitive.props.key (see <a href="administration-guide.html#system_properties">System Properties</a> below)</p> +</li> +</ul> +</div> +</li> +<li> +<p>From the <installdir>/bin directory, execute the following commands by typing ./nifi.sh <command>:</p> +<div class="ulist"> +<ul> +<li> +<p>start: starts NiFi in the background</p> +</li> +<li> +<p>stop: stops NiFi that is running in the background</p> +</li> +<li> +<p>status: provides the current status of NiFi</p> +</li> +<li> +<p>run: runs NiFi in the foreground and waits for a Ctrl-C to initiate shutdown of NiFi</p> +</li> +<li> +<p>install: installs NiFi as a service that can then be controlled via</p> +<div class="ulist"> +<ul> +<li> +<p>service nifi start</p> +</li> +<li> +<p>service nifi stop</p> +</li> +<li> +<p>service nifi status</p> +</li> +</ul> +</div> +</li> +</ul> +</div> +</li> +</ul> +</div> +</li> +<li> +<p>Windows</p> +<div class="ulist"> +<ul> +<li> +<p>Decompress into the desired installation directory</p> +</li> +<li> +<p>Make any desired edits in the files found under <installdir>/conf</p> +<div class="ulist"> +<ul> +<li> +<p>At a minimum, we recommend editing the <em>nifi.properties</em> file and entering a password for the nifi.sensitive.props.key (see <a href="administration-guide.html#system_properties">System Properties</a> below)</p> +</li> +</ul> +</div> +</li> +<li> +<p>Navigate to the <installdir>/bin directory</p> +</li> +<li> +<p>Double-click run-nifi.bat. This runs NiFi in the foreground and waits for a Ctrl-C to initiate shutdown of NiFi</p> +</li> +<li> +<p>To see the current status of NiFi, double-click status-nifi.bat</p> +</li> +</ul> +</div> +</li> +</ul> +</div> +<div class="paragraph"> +<p>When NiFi first starts up, the following files and directories are created:</p> +</div> +<div class="ulist"> +<ul> +<li> +<p>content_repository</p> +</li> +<li> +<p>database_repository</p> +</li> +<li> +<p>flowfile_repository</p> +</li> +<li> +<p>provenance_repository</p> +</li> +<li> +<p>work directory</p> +</li> +<li> +<p>logs directory</p> +</li> +<li> +<p>Within the conf directory, the <em>flow.xml.gz</em> file and the templates directory are created</p> +</li> +</ul> +</div> +<div class="paragraph"> +<p>See the <a href="administration-guide.html#system_properties">System Properties</a> section of this guide for more information about configuring NiFi repositories and configuration files.</p> +</div> +</div> +</div> +<div class="sect1"> +<h2 id="configuration-best-practices"><a class="anchor" href="administration-guide.html#configuration-best-practices"></a>Configuration Best Practices</h2> +<div class="sectionbody"> +<div class="admonitionblock note"> +<table> +<tr> +<td class="icon"> +<i class="fa icon-note" title="Note"></i> +</td> +<td class="content"> +If you are running on Linux, consider these best practices. Typical Linux defaults are not necessarily well tuned for the needs of an IO intensive application like NiFi. For all of these areas, your distribution’s requirements may vary. Use these sections as advice, but +consult your distribution-specific documentation for how best to achieve these recommendations. +</td> +</tr> +</table> +</div> +<div class="dlist"> +<dl> +<dt class="hdlist1">Maximum File Handles</dt> +<dd> +<p>NiFi will at any one time potentially have a very large number of file handles open. Increase the limits by +editing <em>/etc/security/limits.conf</em> to add +something like</p> +</dd> +</dl> +</div> +<div class="listingblock"> +<div class="content"> +<pre>* hard nofile 50000 +* soft nofile 50000</pre> +</div> +</div> +<div class="dlist"> +<dl> +<dt class="hdlist1">Maximum Forked Processes</dt> +<dd> +<p>NiFi may be configured to generate a significant number of threads. To increase the allowable number edit <em>/etc/security/limits.conf</em></p> +</dd> +</dl> +</div> +<div class="listingblock"> +<div class="content"> +<pre>* hard nproc 10000 +* soft nproc 10000</pre> +</div> +</div> +<div class="paragraph"> +<p>And your distribution may require an edit to /etc/security/limits.d/90-nproc.conf by adding</p> +</div> +<div class="listingblock"> +<div class="content"> +<pre>* soft nproc 10000</pre> +</div> +</div> +<div class="dlist"> +<dl> +<dt class="hdlist1">Increase the number of TCP socket ports available</dt> +<dd> +<p>This is particularly important if your flow will be setting up and tearing +down a large number of sockets in small period of time.</p> +</dd> +</dl> +</div> +<div class="listingblock"> +<div class="content"> +<pre>sudo sysctl -w net.ipv4.ip_local_port_range="10000 65000"</pre> +</div> +</div> +<div class="dlist"> +<dl> +<dt class="hdlist1">Set how long sockets stay in a TIMED_WAIT state when closed</dt> +<dd> +<p>You don’t want your sockets to sit and linger too long given that you want to be +able to quickly setup and teardown new sockets. It is a good idea to read more about +it but to adjust do something like</p> +</dd> +</dl> +</div> +<div class="listingblock"> +<div class="content"> +<pre>sudo sysctl -w net.ipv4.netfilter.ip_conntrack_tcp_timeout_time_wait="1"</pre> +</div> +</div> +<div class="dlist"> +<dl> +<dt class="hdlist1">Tell Linux you never want NiFi to swap</dt> +<dd> +<p>Swapping is fantastic for some applications. It isn’t good for something like +NiFi that always wants to be running. To tell Linux you’d like swapping off you +can edit <em>/etc/sysctl.conf</em> to add the following line</p> +</dd> +</dl> +</div> +<div class="listingblock"> +<div class="content"> +<pre>vm.swappiness = 0</pre> +</div> +</div> +<div class="paragraph"> +<p>For the partitions handling the various NiFi repos turn off things like <em>atime</em>. +Doing so can cause a surprising bump in throughput. Edit the <em>/etc/fstab</em> file +and for the partition(s) of interest add the <em>noatime</em> option.</p> +</div> +</div> +</div> +<div class="sect1"> +<h2 id="security-configuration"><a class="anchor" href="administration-guide.html#security-configuration"></a>Security Configuration</h2> +<div class="sectionbody"> +<div class="paragraph"> +<p>NiFi provides several different configuration options for security purposes. The most important properties are those under the +"security properties" heading in the <em>nifi.properties</em> file. In order to run securely, the following properties must be set:</p> +</div> +<table class="tableblock frame-all grid-all spread"> +<colgroup> +<col style="width: 50%;"> +<col style="width: 50%;"> +</colgroup> +<thead> +<tr> +<th class="tableblock halign-left valign-top">Property Name</th> +<th class="tableblock halign-left valign-top">Description</th> +</tr> +</thead> +<tfoot> +<tr> +<td class="tableblock halign-left valign-top"><p class="tableblock"><code>nifi.security.needClientAuth</code></p></td> +<td class="tableblock halign-left valign-top"><p class="tableblock">Set to <code>true</code> to specify that connecting clients must authenticate themselves. This property is used by the NiFi cluster protocol to indicate that nodes in the cluster will be authenticated and must have certificates that are trusted by the Truststores.</p></td> +</tr> +</tfoot> +<tbody> +<tr> +<td class="tableblock halign-left valign-top"><p class="tableblock"><code>nifi.security.keystore</code></p></td> +<td class="tableblock halign-left valign-top"><p class="tableblock">Filename of the Keystore that contains the server’s private key.</p></td> +</tr> +<tr> +<td class="tableblock halign-left valign-top"><p class="tableblock"><code>nifi.security.keystoreType</code></p></td> +<td class="tableblock halign-left valign-top"><p class="tableblock">The type of Keystore. Must be either <code>PKCS12</code> or <code>JKS</code>. JKS is the preferred type, PKCS12 files will be loaded with BouncyCastle provider.</p></td> +</tr> +<tr> +<td class="tableblock halign-left valign-top"><p class="tableblock"><code>nifi.security.keystorePasswd</code></p></td> +<td class="tableblock halign-left valign-top"><p class="tableblock">The password for the Keystore.</p></td> +</tr> +<tr> +<td class="tableblock halign-left valign-top"><p class="tableblock"><code>nifi.security.keyPasswd</code></p></td> +<td class="tableblock halign-left valign-top"><p class="tableblock">The password for the certificate in the Keystore. If not set, the value of <code>nifi.security.keystorePasswd</code> will be used.</p></td> +</tr> +<tr> +<td class="tableblock halign-left valign-top"><p class="tableblock"><code>nifi.security.truststore</code></p></td> +<td class="tableblock halign-left valign-top"><p class="tableblock">Filename of the Truststore that will be used to authorize those connecting to NiFi. A secured instance with no Truststore will refuse all incoming connections.</p></td> +</tr> +<tr> +<td class="tableblock halign-left valign-top"><p class="tableblock"><code>nifi.security.truststoreType</code></p></td> +<td class="tableblock halign-left valign-top"><p class="tableblock">The type of the Truststore. Must be either <code>PKCS12</code> or <code>JKS</code>. JKS is the preferred type, PKCS12 files will be loaded with BouncyCastle provider.</p></td> +</tr> +<tr> +<td class="tableblock halign-left valign-top"><p class="tableblock"><code>nifi.security.truststorePasswd</code></p></td> +<td class="tableblock halign-left valign-top"><p class="tableblock">The password for the Truststore.</p></td> +</tr> +</tbody> +</table> +<div class="paragraph"> +<p>Once the above properties have been configured, we can enable the User Interface to be accessed over HTTPS instead of HTTP. This is accomplished +by setting the <code>nifi.web.https.host</code> and <code>nifi.web.https.port</code> properties. The <code>nifi.web.https.host</code> property indicates which hostname the server +should run on. If it is desired that the HTTPS interface be accessible from all network interfaces, a value of <code>0.0.0.0</code> should be used. To allow +admins to configure the application to run only on specific network interfaces, <code>nifi.web.http.network.interface*</code> or <code>nifi.web.https.network.interface*</code> +properties can be specified.</p> +</div> +<div class="admonitionblock note"> +<table> +<tr> +<td class="icon"> +<i class="fa icon-note" title="Note"></i> +</td> +<td class="content"> +It is important when enabling HTTPS that the <code>nifi.web.http.port</code> property be unset. +</td> +</tr> +</table> +</div> +<div class="paragraph"> +<p>Similar to <code>nifi.security.needClientAuth</code>, the web server can be configured to require certificate based client authentication for users accessing +the User Interface. In order to do this it must be configured to not support username/password authentication using <a href="administration-guide.html#ldap_login_identity_provider">Lightweight Directory Access Protocol (LDAP)</a> or <a href="administration-guide.html#kerberos_login_identity_provider">Kerberos</a>. Either of these options +will configure the web server to WANT certificate based client authentication. This will allow it to support users with certificates and those without +that may be logging in with their credentials or those accessing anonymously. If username/password authentication and anonymous access are not configured, +the web server will REQUIRE certificate based client authentication. See <a href="administration-guide.html#user_authentication">User Authentication</a> for more details.</p> +</div> +<div class="paragraph"> +<p>Now that the User Interface has been secured, we can easily secure Site-to-Site connections and inner-cluster communications, as well. This is +accomplished by setting the <code>nifi.remote.input.secure</code> and <code>nifi.cluster.protocol.is.secure</code> properties, respectively, to <code>true</code>.</p> +</div> +<div class="sect2"> +<h3 id="tls-generation-toolkit"><a class="anchor" href="administration-guide.html#tls-generation-toolkit"></a>TLS Generation Toolkit</h3> +<div class="paragraph"> +<p>In order to facilitate the secure setup of NiFi, you can use the <code>tls-toolkit</code> command line utility to automatically generate the required keystores, truststore, and relevant configuration files. This is especially useful for securing multiple NiFi nodes, which can be a tedious and error-prone process.</p> +</div> +<div class="admonitionblock note"> +<table> +<tr> +<td class="icon"> +<i class="fa icon-note" title="Note"></i> +</td> +<td class="content"> +JKS keystores and truststores are recommended for NiFi. This tool allows the specification of other keystore types on the command line but will ignore a type of PKCS12 for use as the truststore because that format has some compatibility issues between BouncyCastle and Oracle implementations. +</td> +</tr> +</table> +</div> +<div class="paragraph"> +<p>The <code>tls-toolkit</code> command line tool has two primary modes of operation:</p> +</div> +<div class="olist arabic"> +<ol class="arabic"> +<li> +<p>Standalone — generates the certificate authority, keystores, truststores, and nifi.properties files in one command.</p> +</li> +<li> +<p>Client/Server mode — uses a Certificate Authority Server that accepts Certificate Signing Requests from clients, signs them, and sends the resulting certificates back. Both client and server validate the otherâs identity through a shared secret.</p> +</li> +</ol> +</div> +<div class="sect3"> +<h4 id="standalone"><a class="anchor" href="administration-guide.html#standalone"></a>Standalone</h4> +<div class="paragraph"> +<p>Standalone mode is invoked by running <code>./bin/tls-toolkit.sh standalone -h</code> which prints the usage information along with descriptions of options that can be specified.</p> +</div> +<div class="paragraph"> +<p>You can use the following command line options with the <code>tls-toolkit</code> in standalone mode:</p> +</div> +<div class="ulist"> +<ul> +<li> +<p><code>-a</code>,<code>--keyAlgorithm <arg></code> Algorithm to use for generated keys (default: <code>RSA</code>)</p> +</li> +<li> +<p><code>-B</code>,<code>--clientCertPassword <arg></code> Password for client certificate. Must either be one value or one for each client DN (auto-generate if not specified)</p> +</li> +<li> +<p><code>-c</code>,<code>--certificateAuthorityHostname <arg></code> Hostname of NiFi Certificate Authority (default: <code>localhost</code>)</p> +</li> +<li> +<p><code>-C</code>,<code>--clientCertDn <arg></code> Generate client certificate suitable for use in browser with specified DN (Can be specified multiple times)</p> +</li> +<li> +<p><code>-d</code>,<code>--days <arg></code> Number of days issued certificate should be valid for (default: <code>1095</code>)</p> +</li> +<li> +<p><code>-f</code>,<code>--nifiPropertiesFile <arg></code> Base <code>nifi.properties</code> file to update (Embedded file identical to the one in a default NiFi install will be used if not specified)</p> +</li> +<li> +<p><code>-g</code>,<code>--differentKeyAndKeystorePasswords</code> Use different generated password for the key and the keystore</p> +</li> +<li> +<p><code>-G</code>,<code>--globalPortSequence <arg></code> Use sequential ports that are calculated for all hosts according to the provided hostname expressions (Can be specified multiple times, MUST BE SAME FROM RUN TO RUN)</p> +</li> +<li> +<p><code>-h</code>,<code>--help</code> Print help and exit</p> +</li> +<li> +<p><code>-k</code>,<code>--keySize <arg></code> Number of bits for generated keys (default: <code>2048</code>)</p> +</li> +<li> +<p><code>-K</code>,<code>--keyPassword <arg></code> Key password to use. Must either be one value or one for each host (auto-generate if not specified)</p> +</li> +<li> +<p><code>-n</code>,<code>--hostnames <arg></code> Comma separated list of hostnames</p> +</li> +<li> +<p><code>--nifiDnPrefix <arg></code> String to prepend to hostname(s) when determining DN (default: <code>CN=</code>)</p> +</li> +<li> +<p><code>--nifiDnSuffix <arg></code> String to append to hostname(s) when determining DN (default: <code>, OU=NIFI</code>)</p> +</li> +<li> +<p><code>-o</code>,<code>--outputDirectory <arg></code> The directory to output keystores, truststore, config files (default: <code>../bin</code>)</p> +</li> +<li> +<p><code>-O</code>,<code>--isOverwrite</code> Overwrite existing host output</p> +</li> +<li> +<p><code>-P</code>,<code>--trustStorePassword <arg></code> Keystore password to use. Must either be one value or one for each host (auto-generate if not specified)</p> +</li> +<li> +<p><code>-s</code>,<code>--signingAlgorithm <arg></code> Algorithm to use for signing certificates (default: <code>SHA256WITHRSA</code>)</p> +</li> +<li> +<p><code>-S</code>,<code>--keyStorePassword <arg></code> Keystore password to use. Must either be one value or one for each host (auto-generate if not specified)</p> +</li> +<li> +<p><code>--subjectAlternativeNames <arg></code> Comma-separated list of domains to use as Subject Alternative Names in the certificate</p> +</li> +<li> +<p><code>-T</code>,<code>--keyStoreType <arg></code> The type of keystores to generate (default: <code>jks</code>)</p> +</li> +</ul> +</div> +<div class="paragraph"> +<p>Hostname Patterns:</p> +</div> +<div class="ulist"> +<ul> +<li> +<p>Square brackets can be used in order to easily specify a range of hostnames. Example: <code>[01-20]</code></p> +</li> +<li> +<p>Parentheses can be used in order to specify that more than one NiFi instance will run on the given host(s). Example: <code>(5)</code></p> +</li> +</ul> +</div> +<div class="paragraph"> +<p>Examples:</p> +</div> +<div class="paragraph"> +<p>Create 4 sets of keystore, truststore, nifi.properties for localhost along with a client certificate with the given DN:</p> +</div> +<div class="listingblock"> +<div class="content"> +<pre>bin/tls-toolkit.sh standalone -n 'localhost(4)' -C 'CN=username,OU=NIFI'</pre> +</div> +</div> +<div class="paragraph"> +<p>Create keystore, truststore, nifi.properties for 10 NiFi hostnames in each of 4 subdomains:</p> +</div> +<div class="listingblock"> +<div class="content"> +<pre>bin/tls-toolkit.sh standalone -n 'nifi[01-10].subdomain[1-4].domain'</pre> +</div> +</div> +<div class="paragraph"> +<p>Create 2 sets of keystore, truststore, nifi.properties for 10 NiFi hostnames in each of 4 subdomains along with a client certificate with the given DN:</p> +</div> +<div class="listingblock"> +<div class="content"> +<pre>bin/tls-toolkit.sh standalone -n 'nifi[01-10].subdomain[1-4].domain(2)' -C 'CN=username,OU=NIFI'</pre> +</div> +</div> +</div> +<div class="sect3"> +<h4 id="client-server"><a class="anchor" href="administration-guide.html#client-server"></a>Client/Server</h4> +<div class="paragraph"> +<p>Client/Server mode relies on a long-running Certificate Authority (CA) to issue certificates. The CA can be stopped when youâre not bringing nodes online.</p> +</div> +<div class="sect4"> +<h5 id="server"><a class="anchor" href="administration-guide.html#server"></a>Server</h5> +<div class="paragraph"> +<p>The CA server is invoked by running <code>./bin/tls-toolkit.sh server -h</code> which prints the usage information along with descriptions of options that can be specified.</p> +</div> +<div class="paragraph"> +<p>You can use the following command line options with the <code>tls-toolkit</code> in server mode:</p> +</div> +<div class="ulist"> +<ul> +<li> +<p><code>-a</code>,<code>--keyAlgorithm <arg></code> Algorithm to use for generated keys (default: <code>RSA</code>)</p> +</li> +<li> +<p><code>--configJsonIn <arg></code> The place to read configuration info from (defaults to the value of configJson), implies useConfigJson if set (default: <code>configJson</code> value)</p> +</li> +<li> +<p><code>-d</code>,<code>--days <arg></code> Number of days issued certificate should be valid for (default: <code>1095</code>)</p> +</li> +<li> +<p><code>-D</code>,<code>--dn <arg></code> The dn to use for the CA certificate (default: <code>CN=YOUR_CA_HOSTNAME,OU=NIFI</code>)</p> +</li> +<li> +<p><code>-f</code>,<code>--configJson <arg></code> The place to write configuration info (default: <code>config.json</code>)</p> +</li> +<li> +<p><code>-F</code>,<code>--useConfigJson</code> Flag specifying that all configuration is read from <code>configJson</code> to facilitate automated use (otherwise <code>configJson</code> will only be written to)</p> +</li> +<li> +<p><code>-g</code>,<code>--differentKeyAndKeystorePasswords</code> Use different generated password for the key and the keystore</p> +</li> +<li> +<p><code>-h</code>,<code>--help</code> Print help and exit</p> +</li> +<li> +<p><code>-k</code>,<code>--keySize <arg></code> Number of bits for generated keys (default: <code>2048</code>)</p> +</li> +<li> +<p><code>-p</code>,<code>--PORT <arg></code> The port for the Certificate Authority to listen on (default: <code>8443</code>)</p> +</li> +<li> +<p><code>-s</code>,<code>--signingAlgorithm <arg></code> Algorithm to use for signing certificates (default: <code>SHA256WITHRSA</code>)</p> +</li> +<li> +<p><code>-T</code>,<code>--keyStoreType <arg></code> The type of keystores to generate (default: <code>jks</code>)</p> +</li> +<li> +<p><code>-t</code>,<code>--token <arg></code> The token to use to prevent MITM (required and must be same as one used by clients)</p> +</li> +</ul> +</div> +</div> +<div class="sect4"> +<h5 id="client"><a class="anchor" href="administration-guide.html#client"></a>Client</h5> +<div class="paragraph"> +<p>The client can be used to request new Certificates from the CA. The client utility generates a keypair and Certificate Signing Request (CSR) and sends the CSR to the Certificate Authority. The client is invoked by running <code>./bin/tls-toolkit.sh client -h</code> which prints the usage information along with descriptions of options that can be specified.</p> +</div> +<div class="paragraph"> +<p>You can use the following command line options with the <code>tls-toolkit</code> in client mode:</p> +</div> +<div class="ulist"> +<ul> +<li> +<p><code>-a</code>,<code>--keyAlgorithm <arg></code> Algorithm to use for generated keys (default: <code>RSA</code>)</p> +</li> +<li> +<p><code>-c</code>,<code>--certificateAuthorityHostname <arg></code> Hostname of NiFi Certificate Authority (default: <code>localhost</code>)</p> +</li> +<li> +<p><code>-C</code>,<code>--certificateDirectory <arg></code> The directory to write the CA certificate (default: <code>.</code>)</p> +</li> +<li> +<p><code>--configJsonIn <arg></code> The place to read configuration info from, implies <code>useConfigJson</code> if set (default: <code>configJson</code> value)</p> +</li> +<li> +<p><code>-D</code>,<code>--dn <arg></code> The DN to use for the client certificate (default: <code>CN=<localhost name>,OU=NIFI</code>) (this is auto-populated by the tool)</p> +</li> +<li> +<p><code>-f</code>,<code>--configJson <arg></code> The place to write configuration info (default: <code>config.json</code>)</p> +</li> +<li> +<p><code>-F</code>,<code>--useConfigJson</code> Flag specifying that all configuration is read from <code>configJson</code> to facilitate automated use (otherwise <code>configJson</code> will only be written to)</p> +</li> +<li> +<p><code>-g</code>,<code>--differentKeyAndKeystorePasswords</code> Use different generated password for the key and the keystore</p> +</li> +<li> +<p><code>-h</code>,<code>--help</code> Print help and exit</p> +</li> +<li> +<p><code>-k</code>,<code>--keySize <arg></code> Number of bits for generated keys (default: <code>2048</code>)</p> +</li> +<li> +<p><code>-p</code>,<code>--PORT <arg></code> The port to use to communicate with the Certificate Authority (default: <code>8443</code>)</p> +</li> +<li> +<p><code>--subjectAlternativeNames <arg></code> Comma-separated list of domains to use as Subject Alternative Names in the certificate</p> +</li> +<li> +<p><code>-T</code>,<code>--keyStoreType <arg></code> The type of keystores to generate (default: <code>jks</code>)</p> +</li> +<li> +<p><code>-t</code>,<code>--token <arg></code> The token to use to prevent MITM (required and must be same as one used by CA)</p> +</li> +</ul> +</div> +<div class="paragraph"> +<p>After running the client you will have the CAâs certificate, a keystore, a truststore, and a <code>config.json</code> with information about them as well as their passwords.</p> +</div> +<div class="paragraph"> +<p>For a client certificate that can be easily imported into the browser, specify: <code>-T PKCS12</code></p> +</div> +</div> +</div> +</div> +</div> +</div> +<div class="sect1"> +<h2 id="user_authentication"><a class="anchor" href="administration-guide.html#user_authentication"></a>User Authentication</h2> +<div class="sectionbody"> +<div class="paragraph"> +<p>NiFi supports user authentication via client certificates, via username/password, via Apache Knox, or via OpenId Connect (<a href="http://openid.net/connect"; class="bare">http://openid.net/connect</a>).</p> +</div> +<div class="paragraph"> +<p>Username/password authentication is performed by a <em>Login Identity Provider</em>. The Login Identity Provider is a pluggable mechanism for +authenticating users via their username/password. Which Login Identity Provider to use is configured in the <em>nifi.properties</em> file. +Currently NiFi offers username/password with Login Identity Providers options for LDAP and Kerberos.</p> +</div> +<div class="paragraph"> +<p>The <code>nifi.login.identity.provider.configuration.file</code> property specifies the configuration file for Login Identity Providers. +The <code>nifi.security.user.login.identity.provider</code> property indicates which of the configured Login Identity Provider should be +used. By default, this property is not configured meaning that username/password must be explicitly enabled.</p> +</div> +<div class="paragraph"> +<p>During OpenId Connect authentication, NiFi will redirect users to login with the Provider before returning to NiFi. NiFi will then +call the Provider to obtain the user identity.</p> +</div> +<div class="paragraph"> +<p>During Apache Knox authentication, NiFi will redirect users to login with Apache Knox before returning to NiFi. NiFi will verify the Apache Knox +token during authentication.</p> +</div> +<div class="admonitionblock note"> +<table> +<tr> +<td class="icon"> +<i class="fa icon-note" title="Note"></i> +</td> +<td class="content"> +NiFi can only be configured for username/password, OpenId Connect, or Apache Knox at a given time. It does not support running each of +these concurrently. NiFi will require client certificates for authenticating users over HTTPS if none of these are configured. +</td> +</tr> +</table> +</div> +<div class="paragraph"> +<p>A secured instance of NiFi cannot be accessed anonymously unless configured to use an LDAP or Kerberos Login Identity Provider, which in turn must be configured to explicitly allow anonymous access. Anonymous access is not currently possible by the default FileAuthorizer (see <a href="administration-guide.html#authorizer-configuration">Authorizer Configuration</a>), but is a future effort (<a href="https://issues.apache.org/jira/browse/NIFI-2730";>NIFI-2730</a>).</p> +</div> +<div class="admonitionblock note"> +<table> +<tr> +<td class="icon"> +<i class="fa icon-note" title="Note"></i> +</td> +<td class="content"> +NiFi does not perform user authentication over HTTP. Using HTTP, all users will be granted all roles. +</td> +</tr> +</table> +</div> +<div class="sect2"> +<h3 id="ldap_login_identity_provider"><a class="anchor" href="administration-guide.html#ldap_login_identity_provider"></a>Lightweight Directory Access Protocol (LDAP)</h3> +<div class="paragraph"> +<p>Below is an example and description of configuring a Login Identity Provider that integrates with a Directory Server to authenticate users.</p> +</div> +<div class="listingblock"> +<div class="content"> +<pre><provider> + <identifier>ldap-provider</identifier> + <class>org.apache.nifi.ldap.LdapProvider</class> + <property name="Authentication Strategy">START_TLS</property> + + <property name="Manager DN"></property> + <property name="Manager Password"></property> + + <property name="TLS - Keystore"></property> + <property name="TLS - Keystore Password"></property> + <property name="TLS - Keystore Type"></property> + <property name="TLS - Truststore"></property> + <property name="TLS - Truststore Password"></property> + <property name="TLS - Truststore Type"></property> + <property name="TLS - Client Auth"></property> + <property name="TLS - Protocol"></property> + <property name="TLS - Shutdown Gracefully"></property> + + <property name="Referral Strategy">FOLLOW</property> + <property name="Connect Timeout">10 secs</property> + <property name="Read Timeout">10 secs</property> + + <property name="Url"></property> + <property name="User Search Base"></property> + <property name="User Search Filter"></property> + + <property name="Identity Strategy">USE_DN</property> + <property name="Authentication Expiration">12 hours</property> +</provider></pre> +</div> +</div> +<div class="paragraph"> +<p>With this configuration, username/password authentication can be enabled by referencing this provider in <em>nifi.properties</em>.</p> +</div> +<div class="listingblock"> +<div class="content"> +<pre>nifi.security.user.login.identity.provider=ldap-provider</pre> +</div> +</div> +<table class="tableblock frame-all grid-all spread"> +<colgroup> +<col style="width: 50%;"> +<col style="width: 50%;"> +</colgroup> +<thead> +<tr> +<th class="tableblock halign-left valign-top">Property Name</th> +<th class="tableblock halign-left valign-top">Description</th> +</tr> +</thead> +<tfoot> +<tr> +<td class="tableblock halign-left valign-top"><p class="tableblock"><code>Authentication Expiration</code></p></td> +<td class="tableblock halign-left valign-top"><p class="tableblock">The duration of how long the user authentication is valid for. If the user never logs out, they will be required to log back in following this duration.</p></td> +</tr> +</tfoot> +<tbody> +<tr> +<td class="tableblock halign-left valign-top"><p class="tableblock"><code>Authentication Strategy</code></p></td> +<td class="tableblock halign-left valign-top"><p class="tableblock">How the connection to the LDAP server is authenticated. Possible values are ANONYMOUS, SIMPLE, LDAPS, or START_TLS.</p></td> +</tr> +<tr> +<td class="tableblock halign-left valign-top"><p class="tableblock"><code>Manager DN</code></p></td> +<td class="tableblock halign-left valign-top"><p class="tableblock">The DN of the manager that is used to bind to the LDAP server to search for users.</p></td> +</tr> +<tr> +<td class="tableblock halign-left valign-top"><p class="tableblock"><code>Manager Password</code></p></td> +<td class="tableblock halign-left valign-top"><p class="tableblock">The password of the manager that is used to bind to the LDAP server to search for users.</p></td> +</tr> +<tr> +<td class="tableblock halign-left valign-top"><p class="tableblock"><code>TLS - Keystore</code></p></td> +<td class="tableblock halign-left valign-top"><p class="tableblock">Path to the Keystore that is used when connecting to LDAP using LDAPS or START_TLS.</p></td> +</tr> +<tr> +<td class="tableblock halign-left valign-top"><p class="tableblock"><code>TLS - Keystore Password</code></p></td> +<td class="tableblock halign-left valign-top"><p class="tableblock">Password for the Keystore that is used when connecting to LDAP using LDAPS or START_TLS.</p></td> +</tr> +<tr> +<td class="tableblock halign-left valign-top"><p class="tableblock"><code>TLS - Keystore Type</code></p></td> +<td class="tableblock halign-left valign-top"><p class="tableblock">Type of the Keystore that is used when connecting to LDAP using LDAPS or START_TLS (i.e. JKS or PKCS12).</p></td> +</tr> +<tr> +<td class="tableblock halign-left valign-top"><p class="tableblock"><code>TLS - Truststore</code></p></td> +<td class="tableblock halign-left valign-top"><p class="tableblock">Path to the Truststore that is used when connecting to LDAP using LDAPS or START_TLS.</p></td> +</tr> +<tr> +<td class="tableblock halign-left valign-top"><p class="tableblock"><code>TLS - Truststore Password</code></p></td> +<td class="tableblock halign-left valign-top"><p class="tableblock">Password for the Truststore that is used when connecting to LDAP using LDAPS or START_TLS.</p></td> +</tr> +<tr> +<td class="tableblock halign-left valign-top"><p class="tableblock"><code>TLS - Truststore Type</code></p></td> +<td class="tableblock halign-left valign-top"><p class="tableblock">Type of the Truststore that is used when connecting to LDAP using LDAPS or START_TLS (i.e. JKS or PKCS12).</p></td> +</tr> +<tr> +<td class="tableblock halign-left valign-top"><p class="tableblock"><code>TLS - Client Auth</code></p></td> +<td class="tableblock halign-left valign-top"><p class="tableblock">Client authentication policy when connecting to LDAP using LDAPS or START_TLS. Possible values are REQUIRED, WANT, NONE.</p></td> +</tr> +<tr> +<td class="tableblock halign-left valign-top"><p class="tableblock"><code>TLS - Protocol</code></p></td> +<td class="tableblock halign-left valign-top"><p class="tableblock">Protocol to use when connecting to LDAP using LDAPS or START_TLS. (i.e. TLS, TLSv1.1, TLSv1.2, etc).</p></td> +</tr> +<tr> +<td class="tableblock halign-left valign-top"><p class="tableblock"><code>TLS - Shutdown Gracefully</code></p></td> +<td class="tableblock halign-left valign-top"><p class="tableblock">Specifies whether the TLS should be shut down gracefully before the target context is closed. Defaults to false.</p></td> +</tr> +<tr> +<td class="tableblock halign-left valign-top"><p class="tableblock"><code>Referral Strategy</code></p></td> +<td class="tableblock halign-left valign-top"><p class="tableblock">Strategy for handling referrals. Possible values are FOLLOW, IGNORE, THROW.</p></td> +</tr> +<tr> +<td class="tableblock halign-left valign-top"><p class="tableblock"><code>Connect Timeout</code></p></td> +<td class="tableblock halign-left valign-top"><p class="tableblock">Duration of connect timeout. (i.e. 10 secs).</p></td> +</tr> +<tr> +<td class="tableblock halign-left valign-top"><p class="tableblock"><code>Read Timeout</code></p></td> +<td class="tableblock halign-left valign-top"><p class="tableblock">Duration of read timeout. (i.e. 10 secs).</p></td> +</tr> +<tr> +<td class="tableblock halign-left valign-top"><p class="tableblock"><code>Url</code></p></td> +<td class="tableblock halign-left valign-top"><p class="tableblock">Space-separated list of URLs of the LDAP servers (i.e. ldap://<hostname>:<port>).</p></td> +</tr> +<tr> +<td class="tableblock halign-left valign-top"><p class="tableblock"><code>User Search Base</code></p></td> +<td class="tableblock halign-left valign-top"><p class="tableblock">Base DN for searching for users (i.e. CN=Users,DC=example,DC=com).</p></td> +</tr> +<tr> +<td class="tableblock halign-left valign-top"><p class="tableblock"><code>User Search Filter</code></p></td> +<td class="tableblock halign-left valign-top"><p class="tableblock">Filter for searching for users against the <em>User Search Base</em>. (i.e. sAMAccountName={0}). The user specified name is inserted into <em>{0}</em>.</p></td> +</tr> +<tr> +<td class="tableblock halign-left valign-top"><p class="tableblock"><code>Identity Strategy</code></p></td> +<td class="tableblock halign-left valign-top"><p class="tableblock">Strategy to identify users. Possible values are USE_DN and USE_USERNAME. The default functionality if this property is missing is USE_DN in order to retain backward +compatibility. USE_DN will use the full DN of the user entry if possible. USE_USERNAME will use the username the user logged in with.</p></td> +</tr> +</tbody> +</table> +</div> +<div class="sect2"> +<h3 id="kerberos_login_identity_provider"><a class="anchor" href="administration-guide.html#kerberos_login_identity_provider"></a>Kerberos</h3> +<div class="paragraph"> +<p>Below is an example and description of configuring a Login Identity Provider that integrates with a Kerberos Key Distribution Center (KDC) to authenticate users.</p> +</div> +<div class="listingblock"> +<div class="content"> +<pre><provider> + <identifier>kerberos-provider</identifier> + <class>org.apache.nifi.kerberos.KerberosProvider</class> + <property name="Default Realm">NIFI.APACHE.ORG</property> + <property name="Kerberos Config File">/etc/krb5.conf</property> + <property name="Authentication Expiration">12 hours</property> +</provider></pre> +</div> +</div> +<div class="paragraph"> +<p>With this configuration, username/password authentication can be enabled by referencing this provider in <em>nifi.properties</em>.</p> +</div> +<div class="listingblock"> +<div class="content"> +<pre>nifi.security.user.login.identity.provider=kerberos-provider</pre> +</div> +</div> +<table class="tableblock frame-all grid-all spread"> +<colgroup> +<col style="width: 50%;"> +<col style="width: 50%;"> +</colgroup> +<thead> +<tr> +<th class="tableblock halign-left valign-top">Property Name</th> +<th class="tableblock halign-left valign-top">Description</th> +</tr> +</thead> +<tfoot> +<tr> +<td class="tableblock halign-left valign-top"><p class="tableblock"><code>Authentication Expiration</code></p></td> +<td class="tableblock halign-left valign-top"><p class="tableblock">The duration of how long the user authentication is valid for. If the user never logs out, they will be required to log back in following this duration.</p></td> +</tr> +</tfoot> +<tbody> +<tr> +<td class="tableblock halign-left valign-top"><p class="tableblock"><code>Default Realm</code></p></td> +<td class="tableblock halign-left valign-top"><p class="tableblock">Default realm to provide when user enters incomplete user principal (i.e. NIFI.APACHE.ORG).</p></td> +</tr> +<tr> +<td class="tableblock halign-left valign-top"><p class="tableblock"><code>Kerberos Config File</code></p></td> +<td class="tableblock halign-left valign-top"><p class="tableblock">Absolute path to Kerberos client configuration file.</p></td> +</tr> +</tbody> +</table> +<div class="paragraph"> +<p>See also <a href="administration-guide.html#kerberos_service">Kerberos Service</a> to allow single sign-on access via client Kerberos tickets.</p> +</div> +</div> +<div class="sect2"> +<h3 id="openid_connect"><a class="anchor" href="administration-guide.html#openid_connect"></a>OpenId Connect</h3> +<div class="paragraph"> +<p>To enable authentication via OpenId Connect the following properties must be configured in nifi.properties.</p> +</div> +<table class="tableblock frame-all grid-all spread"> +<colgroup> +<col style="width: 50%;"> +<col style="width: 50%;"> +</colgroup> +<thead> +<tr> +<th class="tableblock halign-left valign-top">Property Name</th> +<th class="tableblock halign-left valign-top">Description</th> +</tr> +</thead> +<tfoot> +<tr> +<td class="tableblock halign-left valign-top"><p class="tableblock"><code>nifi.security.user.oidc.preferred.jwsalgorithm</code></p></td> +<td class="tableblock halign-left valign-top"><p class="tableblock">The preferred algorithm for for validating identity tokens. If this value is blank, it will default to <em>RS256</em> which is required to be supported +by the OpenId Connect Provider according to the specification. If this value is <em>HS256</em>, <em>HS384</em>, or <em>HS512</em>, NiFi will attempt to validate HMAC protected tokens using the specified client secret. +If this value is <em>none</em>, NiFi will attempt to validate unsecured/plain tokens. Other values for this algorithm will attempt to parse as an RSA or EC algorithm to be used in conjunction with the +JSON Web Key (JWK) provided through the jwks_uri in the metadata found at the discovery URL.</p></td> +</tr> +</tfoot> +<tbody> +<tr> +<td class="tableblock halign-left valign-top"><p class="tableblock"><code>nifi.security.user.oidc.discovery.url</code></p></td> +<td class="tableblock halign-left valign-top"><p class="tableblock">The discovery URL for the desired OpenId Connect Provider (<a href="http://openid.net/specs/openid-connect-discovery-1_0.html"; class="bare">http://openid.net/specs/openid-connect-discovery-1_0.html</a>).</p></td> +</tr> +<tr> +<td class="tableblock halign-left valign-top"><p class="tableblock"><code>nifi.security.user.oidc.connect.timeout</code></p></td> +<td class="tableblock halign-left valign-top"><p class="tableblock">Connect timeout when communicating with the OpenId Connect Provider.</p></td> +</tr> +<tr> +<td class="tableblock halign-left valign-top"><p class="tableblock"><code>nifi.security.user.oidc.read.timeout</code></p></td> +<td class="tableblock halign-left valign-top"><p class="tableblock">Read timeout when communicating with the OpenId Connect Provider.</p></td> +</tr> +<tr> +<td class="tableblock halign-left valign-top"><p class="tableblock"><code>nifi.security.user.oidc.client.id</code></p></td> +<td class="tableblock halign-left valign-top"><p class="tableblock">The client id for NiFi after registration with the OpenId Connect Provider.</p></td> +</tr> +<tr> +<td class="tableblock halign-left valign-top"><p class="tableblock"><code>nifi.security.user.oidc.client.secret</code></p></td> +<td class="tableblock halign-left valign-top"><p class="tableblock">The client secret for NiFi after registration with the OpenId Connect Provider.</p></td> +</tr> +</tbody> +</table> +</div> +<div class="sect2"> +<h3 id="apache_knox"><a class="anchor" href="administration-guide.html#apache_knox"></a>Apache Knox</h3> +<div class="paragraph"> +<p>To enable authentication via Apache Knox the following properties must be configured in nifi.properties.</p> +</div> +<table class="tableblock frame-all grid-all spread"> +<colgroup> +<col style="width: 50%;"> +<col style="width: 50%;"> +</colgroup> +<thead> +<tr> +<th class="tableblock halign-left valign-top">Property Name</th> +<th class="tableblock halign-left valign-top">Description</th> +</tr> +</thead> +<tfoot> +<tr> +<td class="tableblock halign-left valign-top"><p class="tableblock"><code>nifi.security.user.knox.audiences</code></p></td> +<td class="tableblock halign-left valign-top"><p class="tableblock">Optional. A comma separate listed of allowed audiences. If set, the audience in the token must be present in +this listing. The audience that is populated in the token can be configured in Knox.</p></td> +</tr> +</tfoot> +<tbody> +<tr> +<td class="tableblock halign-left valign-top"><p class="tableblock"><code>nifi.security.user.knox.url</code></p></td> +<td class="tableblock halign-left valign-top"><p class="tableblock">The URL for the Apache Knox log in page.</p></td> +</tr> +<tr> +<td class="tableblock halign-left valign-top"><p class="tableblock"><code>nifi.security.user.knox.publicKey</code></p></td> +<td class="tableblock halign-left valign-top"><p class="tableblock">The path to the Apache Knox public key that will be used to verify the signatures of the authentication tokens in the HTTP Cookie.</p></td> +</tr> +<tr> +<td class="tableblock halign-left valign-top"><p class="tableblock"><code>nifi.security.user.knox.cookieName</code></p></td> +<td class="tableblock halign-left valign-top"><p class="tableblock">The name of the HTTP Cookie that Apache Knox will generate after successful log in.</p></td> +</tr> +</tbody> +</table> +</div> +</div> +</div> +<div class="sect1"> +<h2 id="multi-tenant-authorization"><a class="anchor" href="administration-guide.html#multi-tenant-authorization"></a>Multi-Tenant Authorization</h2> +<div class="sectionbody"> +<div class="paragraph"> +<p>After you have configured NiFi to run securely and with an authentication mechanism, you must configure who has access to the system, and the level of their access. +You can do this using <em>multi-tenant authorization</em>. Multi-tenant authorization enables multiple groups of users (tenants) to command, control, and observe different +parts of the dataflow, with varying levels of authorization. When an authenticated user attempts to view or modify a NiFi resource, the system checks whether the +user has privileges to perform that action. These privileges are defined by policies that you can apply system-wide or to individual components.</p> +</div> +<div class="sect2"> +<h3 id="authorizer-configuration"><a class="anchor" href="administration-guide.html#authorizer-configuration"></a>Authorizer Configuration</h3> +<div class="paragraph"> +<p>An <em>authorizer</em> grants users the privileges to manage users and policies by creating preliminary authorizations at startup.</p> +</div>
[... 5078 lines stripped ...]
