Ryan,

Sorry for the late reply. Are you still looking for a way to do this?

If I understand correctly what you're trying to do, you should be able to use the zk-migrator tool to do this. I haven't done this personally, but here is a rough outline of steps you can follow:

- Stop the flow on the unsecured NiFi
- Export your current NiFi ZK state nodes under "/nifi/components" to a json file, for example "zk-source-data.json"
- Configure NiFi and the ZK quorum for Kerberos
- Configure NiFi to use a different root node than the one used while NiFi was running unsecured with an unsecured ZK (or an unsecured root node)
- Start the newly Kerberos-enabled NiFi, leaving the flow stopped, so that NiFi can create the cluster nodes in ZK under the new ZK root node
- Import "zk-source-data.json" to the new root node, using a JAAS config to allow the migrator to create the CREATOR-ONLY ACLs with NiFi as the owner of the nodes

At this point, you should be able to verify that the state for the processors has been imported into ZK under the new root node by right-clicking on a processor such as ListHDFS and clicking "View State". You should be able to start the flow to have it pick up where it left off, based on the imported state.

You could do these for each NiFi cluster, providing a different root node for each cluster.

Hopefully this helps, and again, sorry for the delay in response! Please let us know if you need more information.

- Jeff

On Sat, Jan 19, 2019 at 6:23 PM Ryan H <[email protected]> wrote:

> Hi All,
>
> I've also posted this question to the Zookeeper Users DL, but thought I
> would also put the question out here as well since it is related to NiFi.
>
> We currently have a centralized external Zookeeper cluster that is being
> used for multiple NiFi clusters. There wasn't any initial security set up
> (shame on us) and now want to add something in such that each NiFi cluster
> should only be able to see its own ZK data (CreatorOnly).
>
> Can an ACL be put in place (either Kerberos or Username/Password) to an
> existing ZK tree that isn't currently under any kind of ACL? Example being,
> could I stop one of the NiFi clusters, add in Username/Password info and
> CreatorOnly to the state-management.xml file, restart the cluster, and then
> that ZK tree will then be only accessible by that cluster? Would this be a
> case where the migration tool would need to be used? I couldn't really find
> much in way of documentation for this specific case and just want to
> understand what options there are without breaking any of the clusters and
> get some security in there.
>
> Any info is always appreciated!
>
> Cheers,
>
> Ryan H
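
The export and import steps from the outline above, as an added example that is not part of the original thread: a dry-run wrapper around the NiFi Toolkit's `zk-migrator.sh`. The hosts, ports, the new root node name `/nifi-cluster-a` and the file paths are placeholder assumptions.

```shell
#!/bin/sh
# Added example. Hosts, ports, the new root node name and file paths are
# placeholders (assumptions), not values from the thread.
set -eu

MIGRATOR="${MIGRATOR:-./bin/zk-migrator.sh}"   # ships with the NiFi Toolkit
SRC_ZK="${SRC_ZK:-zk1.example.com:2181/nifi/components}"            # unsecured root
DST_ZK="${DST_ZK:-zk1.example.com:2181/nifi-cluster-a/components}"  # new root
STATE_FILE="${STATE_FILE:-zk-source-data.json}"
JAAS_CONF="${JAAS_CONF:-/path/to/jaas-config.conf}"  # NiFi principal and keytab

# Print the command by default; execute it only when APPLY=1 is set.
emit() {
  if [ "${APPLY:-0}" = "1" ]; then
    # umask 077: the exported state file is readable by the operator only.
    ( umask 077; "$@" )
  else
    printf '%s\n' "$*"
  fi
}

# Export step: -r receives the nodes under the source path into a JSON file.
export_state() {
  emit "$MIGRATOR" -r -z "$SRC_ZK" -f "$STATE_FILE"
}

# Import step: -s sends the file to the new root; -k names the JAAS config so
# the nodes are created by the authenticated NiFi principal.
import_state() {
  # Compare only the path part of each connect string (text after host:port).
  if [ "/${SRC_ZK#*/}" = "/${DST_ZK#*/}" ]; then
    echo "refusing: destination root equals the unsecured source root" >&2
    return 1
  fi
  emit "$MIGRATOR" -s -z "$DST_ZK" -k "$JAAS_CONF" -f "$STATE_FILE"
}

case "${1:-}" in
  export) export_state ;;
  import) import_state ;;
  "")     : ;;   # no argument: only define the functions
  *)      echo "usage: $0 export|import" >&2; exit 2 ;;
esac
```

Run it with `export` while the unsecured NiFi flow is stopped, and with `import` only after the Kerberos-enabled NiFi has created its nodes under the new root; set `APPLY=1` to execute instead of print.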
