Il dom 20 gen 2019, 00:06 Ryan H <ryan.howell.developm...@gmail.com> ha scritto:
> Thanks Enrico, > > Agreed on Username/Password. Maybe to rephrase my question: if I have an > existing ZK tree that doesn't currently have any kind of Access Control, > can a Username/Password ACL be applied to that existing tree? If so, how > would one go about doing that? > I would do this way (not tested): - reboot all clients with authentication enabled and check in the logs that all is okay - configure Nifi to apply ACL on new znodes - bulk change the ACL of every znode with the ACL you want It depends on NiFi bacause you should have at least two features: - enable auth on zk client - every time Nifi creates a znode to ZK it sets correct ACLs Enrico > -Ryan H > > On Sat, Jan 19, 2019 at 2:25 PM Enrico Olivelli <eolive...@gmail.com> > wrote: > > > Hi Ryan, > > I think this should be supported by NiFi, but I don't know that platform. > > > > Username/password is very weak and it is hard to maintain. > > > > Apart from this I think you can write a simple program which scans your > ZK > > tree and applies ACL, no need for a new cluster. > > > > Just my 2 cents > > > > Enrico > > > > Il sab 19 gen 2019, 16:35 Ryan H <ryan.howell.developm...@gmail.com> ha > > scritto: > > > > > Hi All, > > > > > > I am currently using an external 3 machine Zookeeper (3.4.10) to manage > > > multiple NiFi Clusters (NiFi 1.5). I would like to put in ACL for each > of > > > the existing NiFi clusters with username/password that is unique to > each > > of > > > the NiFi clusters as it is currently wide open. The docs say that > > Kerberos > > > is the recommended method for securing ZK, but for now going to go with > > > User/Password. > > > > > > I'm looking for the best way to do this. My initial thought was to spin > > up > > > a new ZK cluster, then use the migration tool to migrate each of the > root > > > nodes to the new cluster, adding the username/password as each root is > > > migrated. Is there a better way to do this? I'm wondering if a new ZK > > > cluster is needed or not and whether the same thing can just be done on > > the > > > existing ZK cluster. Can the Username/Password ACL info just be applied > > to > > > the existing roots (just add the ACL info to the NiFi configuration) > and > > > then that's it? > > > > > > Any direction or suggestions is appreciated!! > > > > > > > > > Cheers, > > > > > > Ryan H > > > > > -- > > > > > > -- Enrico Olivelli > > > -- -- Enrico Olivelli