Have you configured this in nifi.properties?

nifi.zookeeper.auth.type=sasl


On Mon, Jul 6, 2020 at 12:43 PM dan young <[email protected]> wrote:

> Hello,
>
> And a follow up on this, if I delete the znode in zookeeper, the leaders
> is written to the /nifi znode, but the ACL is open, 'world';'anyone....  I
> do have the Access Control set to CreatorOnly in the state-management.xml.
> So one question, is the CreatorOnly only supported when we run in kerberos
> env?
>
> Dano
>
> On Mon, Jul 6, 2020 at 10:36 AM dan young <[email protected]> wrote:
>
>> Hello everyone,
>>
>> I'm trying to configure the zookeeper state provider in NiFi to use the
>> Access Policy of CreatorOnly vs Open using DIGEST vs Kerberos. I believe
>> I've set up zookeeper correctly for this, and partly NiFi, but when I
>> start up the NiFi cluster, we seem to get stuck with the following:
>>
>> 2020-07-06 16:06:20,826 WARN [Clustering Tasks Thread-1]
>> o.apache.nifi.controller.FlowController Failed to send heartbeat due to:
>> org.apache.nifi.cluster.protocol.ProtocolException: Cannot send heartbeat
>> because there is no Cluster Coordinator currently elected
>> 2020-07-06 16:06:35,920 WARN [Clustering Tasks Thread-2]
>> o.apache.nifi.controller.FlowController Failed to send heartbeat due to:
>> org.apache.nifi.cluster.protocol.ProtocolException: Cannot send heartbeat
>> because there is no Cluster Coordinator currently elected
>> 2020-07-06 16:06:50,923 WARN [Clustering Tasks Thread-2]
>> o.apache.nifi.controller.FlowController Failed to send heartbeat due to:
>> org.apache.nifi.cluster.protocol.ProtocolException: Cannot send heartbeat
>> because there is no Cluster Coordinator currently elected
>> 2020-07-06 16:07:06,071 WARN [Clustering Tasks Thread-2]
>> o.apache.nifi.controller.FlowController Failed to send heartbeat due to:
>> org.apache.nifi.cluster.protocol.ProtocolException: Cannot send heartbeat
>> because there is no Cluster Coordinator currently elected
>>
>> I can see the znode in zookeeper, and it appears to at least have the
>> correct permissions.  I created this znode in the CLI:
>>
>> addauth digest nifi:<passwd>
>> create /nifi data digest:nifi<passwd digest>:cdrwa
>>
>> The digest was generated via:
>>
>> java -cp
>> '/opt/zookeeper/lib/zookeeper-3.5.8.jar:/opt/zookeeper/lib/slf4j-api-1.7.25.jar'
>> org.apache.zookeeper.server.auth.DigestAuthenticationProvider nifi:<passwd>
>>
>> [zk: nifi1-5:2181,nifi2-5:2181,nifi3-5:2181(CONNECTED) 4] getAcl /nifi
>> 'digest,'nifi:the-passwd-digest'
>> : cdrwa
>>
>>
>> After starting up NiFi and doing an ls /nifi, the znode is empty.
>> [zk: nifi1-5:2181,nifi2-5:2181,nifi3-5:2181(CONNECTED) 4] ls /nifi
>> []
>>
>> Seems like we can't write the leaders or components value under the /nifi
>> znode.
>>
>>
>> Looking at the nifi-app log
>>
>> 2020-07-06 16:05:46,554 INFO [main-SendThread(xx.xxx.x.xx:2181)]
>> org.apache.zookeeper.Login Client successfully logged in.
>> 2020-07-06 16:05:46,556 INFO [main-SendThread(xx.xxx.x.xx:2181)]
>> o.a.zookeeper.client.ZooKeeperSaslClient Client will use DIGEST-MD5 as SASL
>> mechanism.
>> 2020-07-06 16:05:46,900 INFO [main-EventThread]
>> o.a.c.f.state.ConnectionStateManager State change: CONNECTED
>> 2020-07-06 16:05:47,347 INFO [main-EventThread]
>> o.a.c.framework.imps.EnsembleTracker New config event received:
>> {server.1=xx.xxx.x.xxx:2888:3888:participant;0.0.0.0:2181, version=0,
>> server.3=xx.xxx.x.xx:2888:3888:participant;0.0.0.0:2181,
>> server.2=xx.xxx.x.xxx:2888:3888:participant;0.0.0.0:2181}
>> 2020-07-06 16:05:47,354 INFO [main-EventThread]
>> o.a.c.framework.imps.EnsembleTracker New config event received:
>> {server.1=xx.xxx.x.xxx:2888:3888:participant;0.0.0.0:2181, version=0,
>> server.3=xx.xxx.x.xx:2888:3888:participant;0.0.0.0:2181,
>> server.2=xx.xxx.x.xxx:2888:3888:participant;0.0.0.0:2181}
>> 2020-07-06 16:05:47,357 INFO [Curator-Framework-0]
>> o.a.c.f.imps.CuratorFrameworkImpl backgroundOperationsLoop exiting
>> 2020-07-06 16:05:47,364 DEBUG [main] org.apache.zookeeper.ZooKeeper
>> Closing session: 0x3002a05b0c60006
>> 2020-07-06 16:05:47,469 INFO [main/ org.apache.zookeeper.ZooKeeper
>> Session: 0x3002a05b0c60006 closed
>>
>>
>>
>> Any ideas on what configuration I could be missing or have wrong?  I have
>> a jaas.conf file in the $NIFI_HOME/conf directory and have a
>> java.arg.18=-Djava.security.auth.login.config=<path to jaas.conf file>
>>
>> One question I have, in the jaas.conf file, I put the passwd in there and
>> not the digest I believe...I understand this would be passed around
>> cleartext, but this is just for testing purposes currently....
>>
>> Nifi 1.11.4
>> external zookeeper 3.5.8
>>
>> Regards,
>>
>> Dano
>>
>>
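
An added example, not part of the original thread and not NiFi or ZooKeeper code: a small audit of `getAcl` output like that quoted above, flagging an open `world` ACL and checking a `digest` id against Base64(SHA-1("user:password")), the value ZooKeeper's DigestAuthenticationProvider computes. The function names, the sample password and the sample outputs are constructed for illustration.

```python
import base64
import hashlib

def zk_digest_id(user, password):
    """Id used in a digest ACL: user:Base64(SHA-1("user:password"))."""
    raw = f"{user}:{password}".encode("utf-8")
    return f"{user}:{base64.b64encode(hashlib.sha1(raw).digest()).decode('ascii')}"

def parse_getacl(text):
    """Parse zkCli getAcl output into (scheme, id, perms) tuples."""
    entries, pending = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("'") and "," in line:
            scheme, ident = line.split(",", 1)
            pending = (scheme.strip("'"), ident.strip("'"))
        elif line.startswith(":") and pending:
            entries.append((*pending, line[1:].strip()))
            pending = None
    return entries

def audit_acl(getacl_output, user, password):
    """Return findings for a znode expected to be restricted to one digest user."""
    expected = zk_digest_id(user, password)
    entries = parse_getacl(getacl_output)
    findings = [] if entries else ["no ACL entries parsed"]
    for scheme, ident, perms in entries:
        if scheme == "world":
            findings.append(f"open: world:{ident} has {perms}")
        elif scheme == "digest" and ident != expected:
            findings.append(f"mismatch: digest id for {ident.split(':')[0]!r} "
                            "does not match the supplied credentials")
        elif scheme != "digest":
            findings.append(f"unexpected scheme: {scheme}:{ident}")
    return findings

# Constructed sample inputs (hypothetical password, not from the thread).
SAMPLE_PASSWORD = "example-passwd"
RESTRICTED = f"'digest,'{zk_digest_id('nifi', SAMPLE_PASSWORD)}\n: cdrwa\n"
OPEN = "'world,'anyone\n: cdrwa\n"

if __name__ == "__main__":
    for name, out in (("restricted", RESTRICTED), ("open", OPEN)):
        print(name, audit_acl(out, "nifi", SAMPLE_PASSWORD) or "ok")
```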
