Thanks Kevin, I am just using the ELB to go from the public subnet to the private subnet. I will not have multiple instances running of registry.
I will say on my authorizers.xml there is one difference between it and my nifi instance. On my nifi instance I am using file-provider for nifi.security.user.authorizer in my nifi.properties. I don't think from reading the documents for nifi-registry that I can use that. If there is a way, that might be my problem. I was running into some issues with my nifi instance when I was using managed-authorizers instead of file-provider.

> On Mar 19, 2018, at 9:35 AM, Kevin Doran <[email protected]> wrote:
>
> Hey Scott,
>
> Assuming you are using two-way TLS with client certificates for authentication, I recommend configuring your ELB for TCP passthrough so that the TLS handshake is between the end-client and the NiFi Registry Server (in other words, no decryption/termination of the TLS connection happens in the ELB). If you are using some other form of authentication (e.g., LDAP), you will need to configure your ELB to trust the self-signed key NiFi Registry is using. I'm not sure how to do that as I've never run an ELB with that configuration before.
>
> Also, just a note about using an ELB with NiFi Registry:
>
> NiFi Registry currently only supports single-instance use, as persisted data and in-memory state are not synced between multiple instances. Are you hoping to use the ELB for actual load balancing, or is it just to take advantage of other ELB features, such as forwarding and security group rules? If the plan is to load balance multiple Registry instances, just be aware that you will probably run into some unexpected behavior. (As you mentioned using authorization, that is one case where I know the in-memory cache of the persisted data will not refresh across instances, so even if you were using some sort of shared network file system attached to multiple Registry instances, such as EFS, it would not work the way you hope.)
>
> Hope this helps,
> Kevin
>
> On 3/19/18, 10:20, "Scott Howell" <[email protected]> wrote:
>
> Thanks for the quick response.
>
> A couple of things I am seeing.
>
> 1. There is no error; I don't see anything in the logs once the service comes up. This is because the health check is not even hitting the instance when secure.
>
> 2. Nothing interesting in the nifi-registry-app.logs. That was my concern because on my nifi instance I can see the health check hitting the instance from the ELB. This does not happen on the nifi-registry instance. I see the service start up and it tells me what domain and port I can access the UI on, but nothing else after that.
>
> 3. When I am on an instance in the same private subnet I am able to curl to the instance and I get the TLS SSL, which tells me the keystore is on the server. I am using a JKS keystore that is self-signed by the company I work for.
>
>> On Mar 19, 2018, at 9:10 AM, Bryan Bende <[email protected]> wrote:
>>
>> Hello,
>>
>> What error are you getting when you cannot access the UI?
>>
>> Is there anything interesting in nifi-registry-app.log regarding authentication/authorization when this happens?
>>
>> Can you access the UI securely without going through the ELB?
>>
>> Thanks,
>>
>> Bryan
>>
>>
>> On Mon, Mar 19, 2018 at 10:05 AM, Scott Howell <[email protected]> wrote:
>>> I was able to stand up nifi-registry behind an AWS ELB non-secure. Everything was working great and I was able to access the UI anonymously. I set up the authorization just like on my nifi instances along with the authorizers and identity-provider. The service comes up without errors and everything looks good, but the health check does not pass and I cannot access the UI to login. I was wondering if anyone else has run into this issue using nifi-registry.
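As an added check that is not part of this thread (example code, not from the NiFi project): a small Python script that compares the leaf certificate a client receives through the ELB with the one the Registry instance presents when connected to directly. If they match, the ELB is doing the TCP passthrough Kevin describes and the client-certificate handshake reaches NiFi Registry; if they differ, the ELB is terminating TLS with its own certificate. The hostnames and port are placeholder assumptions.

```python
"""Is the ELB passing TLS through to NiFi Registry, or terminating it?

With TCP passthrough the leaf certificate seen via the ELB hostname is the
Registry's own keystore certificate, so it matches a direct connection to
the instance. A different certificate means the ELB terminates TLS, and
two-way TLS client-certificate authentication never reaches the Registry.
"""
import hashlib
import socket
import ssl

# Hypothetical names: replace with your ELB DNS name and the instance address.
ELB_HOST = "registry-elb.example.internal"
DIRECT_HOST = "registry-node.example.internal"
PORT = 18443  # assumed HTTPS port; use nifi.registry.web.https.port from your properties


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate as lowercase hex."""
    return hashlib.sha256(der_cert).hexdigest()


def fetch_leaf_der(host: str, port: int, timeout: float = 5.0) -> bytes:
    """Open a TLS connection and return the server's leaf certificate (DER).

    Verification is disabled deliberately: we only want to see which
    certificate is presented, and the Registry's keystore is self-signed.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def passthrough_verdict(fp_via_elb: str, fp_direct: str) -> str:
    """'passthrough' when the client sees the Registry's certificate through
    the ELB, 'terminated' when it sees a different (ELB-owned) certificate."""
    return "passthrough" if fp_via_elb == fp_direct else "terminated"


if __name__ == "__main__":
    via_elb = fingerprint(fetch_leaf_der(ELB_HOST, PORT))
    direct = fingerprint(fetch_leaf_der(DIRECT_HOST, PORT))
    print(f"via ELB: {via_elb}")
    print(f"direct : {direct}")
    print("TLS is", passthrough_verdict(via_elb, direct), "at the ELB")
```

Run it from a host in the same private subnet that can reach both the ELB and the instance; a "terminated" verdict explains a secure health check that never shows up in nifi-registry-app.log.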
