Forwarded as received from: @Swarup Karavadi
<[email protected]>

To elaborate,

We are using a 3 node NiFi cluster (1.11.4) that has been secured using
OIDC (Keycloak). We have set up another secured (via Keycloak) standalone
NiFi (also 1.11.4) instance that contains monitoring flows (we derive
metadata about our pipelines by monitoring bulletins, provenance, status &
metrics in the main cluster). To achieve this, we have enabled the four S2S
Reporting Tasks (one each for bulletins, provenance, metrics & status) and
configured these reporting tasks to send this information to the standalone
NiFi instance over the HTTP protocol. This worked fine until the standalone
NiFi instance was allowing anonymous HTTP requests. However, we now want to
expose the standalone NiFi instance securely over the internet. We have
been able to do that by securing it via Keycloak. The problem now is that
our main NiFi cluster's reporting tasks are unable to send data to the
standalone NiFi instance the way they previously used to - that's because
the standalone NiFi instance no longer allows anonymous HTTP requests.

This is the WARNING that we get from the S2SProvenanceReporting task -
2020-07-23 14:02:56,130 WARN [Http Site-to-Site PeerSelector]
o.a.n.r.SiteToSiteProvenanceReportingTask
SiteToSiteProvenanceReportingTask[id=4d8716f5-0173-1000-ffff-ffffd536a29c]
org.apache.nifi.remote.client.PeerSelector@78775340 Unable to refresh
Remote Group's peers due to sun.security.validator.ValidatorException: PKIX
path building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to find
valid certification path to requested target

We figured that using an SSLContextService would maybe alleviate this issue
but are unable to figure out the right way of configuring this service. Any
help or guidance in this direction would be much appreciated. Do let us
know if you need any extra information to better understand the problem.
Both the NiFi cluster & the standalone instance are deployed on Kubernetes.
Both installations sit behind a load balancer.

Cheers,
Swarup.

On Thu, Jul 23, 2020 at 4:47 PM Sathish Phani Kurella <
[email protected]> wrote:

> Hi All,
>
> S2S Provenance Reporting works fine when using an insecure (HTTP) reporting
> nifi instance. But, how do we configure the S2S Provenance Reporting task to a
> secure nifi reporting instance (HTTPS)?
>
> PS: I have tried to use an SSL Context Service. But that did not work. Can
> somebody provide me with details on how to configure the Site2Site
> Provenance Reporting Task for a secure nifi instance?
>
> Regards,
> Sathish Phani Kurella
>
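The "PKIX path building failed" warning quoted above means the JVM running the reporting task has no trust anchor for the certificate the standalone instance presents; the fix on the SSLContextService side is a truststore that contains the issuing CA. The script below is an added illustration, not code from this thread or from NiFi: it builds a throwaway private CA and server certificate (constructed stand-ins for the monitoring instance's cert), reproduces the failing and the succeeding path validation with openssl verify, and, where keytool is available, imports the CA into a JKS truststore that a StandardSSLContextService can point at (the alias and password are made up).

```shell
#!/bin/sh
# Constructed demo: a private CA stands in for whoever issued the standalone
# NiFi instance's HTTPS certificate. Nothing here contacts a real NiFi.
set -e
WORK="${WORK:-$(mktemp -d)}"

# Create a throwaway CA plus a server certificate signed by it.
make_test_pki() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Private CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=nifi-monitor.example" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
  openssl x509 -req -days 1 -in "$WORK/server.csr" -CA "$WORK/ca.pem" \
    -CAkey "$WORK/ca.key" -CAcreateserial -out "$WORK/server.pem" 2>/dev/null
}

# Same check the JVM performs: validate the server cert against a trust store.
# $1 = server cert (PEM), $2 = CA bundle (PEM) or "" for an empty trust store.
# Returns 0 when a path to a trusted CA exists, non-zero otherwise.
check_trust() {
  if [ -n "$2" ]; then
    openssl verify -no-CAfile -no-CApath -CAfile "$2" "$1" >/dev/null 2>&1
  else
    openssl verify -no-CAfile -no-CApath "$1" >/dev/null 2>&1
  fi
}

# Import the CA into a JKS truststore for the StandardSSLContextService
# (Truststore Filename / Password / Type). Skipped when keytool is absent.
# $1 = CA cert (PEM), $2 = output .jks, $3 = store password (made-up value)
build_truststore() {
  command -v keytool >/dev/null 2>&1 || { echo "keytool not found; skipping" >&2; return 0; }
  keytool -importcert -noprompt -trustcacerts -alias nifi-monitor-ca \
    -file "$1" -keystore "$2" -storepass "$3" -storetype JKS >/dev/null 2>&1
}

make_test_pki
if check_trust "$WORK/server.pem" ""; then
  echo "unexpected: path valid without the CA"
else
  echo "empty truststore: unable to find valid certification path (the thread's error)"
fi
if check_trust "$WORK/server.pem" "$WORK/ca.pem"; then
  echo "CA in truststore: certification path valid"
fi
build_truststore "$WORK/ca.pem" "$WORK/truststore.jks" "changeit"
```

The same validation can be pointed at the real certificate by saving the chain the standalone instance serves and running check_trust against the CA you intend to load into the truststore.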
