Author: S

In the previous post we secured our NiFi cluster with X.509 certificates. Now we will add one more layer of security to our cluster through Kerberos authentication.

Below are the steps to be followed to install and configure KDC.

Step 1: Install KDC server

Step 2: Modify the KDC server configuration file krb5.conf located at /etc/krb5.conf

Add your host name and update domain_realm. Below is the screenshot of modified krb5.conf file

Step 3: Create a kerberos database with kdb5_util, When prompted for a password key in a password and keep a note of it.

Step 4: Start KDC server and KDC admin server

Step 5: Add a service principal and export keytab from KDC

kadmin.local

addprinc –randkey nifi/HDF

ktadd –k /opt/nifi-HDF.keytab nifi/HDF

q

Step 6: Create a login identity using Kerberos

Step 7: Configure NCM

update security user login identity provider in nifi.properties file with kerberos-provider and also update the kerberos section of nifi.properties file with details created in above steps.

For NCM, update the cluster-ncm-provider properties in  the authority-provider file as per below screenshot

Also update the login-identity-providers.xml with kerberos details created in above steps.

Step 8: Configure Node 1

Update the cluster-node-provider properties in authority-provider file as per below screenshot

Step 9: Configure Node 2

Update the cluster-node-provider properties in authority-provider file as per below screenshot

Step 10: Once configured the properties file in all 3 instances, restart the NiFi server in all instances.

You will be prompted with a login page, key in the kerberos login identity we created in above steps.

When we login for the first time we will be redirected to justification page, where we can submit our request for access.

Once submitted, an admin can check the request and grant privileges.

We can go back to the browser where user key certificate was added (Please refer to my previous post http://www.bigdatadestination.com/nifi-securing-cluster-with-x-509-certificates/ to secure cluster with X.509 certificates) and can grant access to user test11(as we manually granted ROLE_ADMIN access for our user key in authorized-users.xml)

Now, test11 user can access the NCM with Read Only privilege.

Yippee! We have successfully configured Kerberos on our NiFi cluster and also controlled level of access to NiFi.

Watch this space http://www.bigdatadestination.com/ for more stuff.

 

 

 

NiFi can be used to process sensitive data, so administrators may find that they wish to secure the NiFi User interface. One of NiFi’s security mechanisms is mutual authentication with X.509 certificates.

I installed 3 instances of NiFi in 3 different instances of Ec2 (NCM in one instance, Node1 in second instance, Node2 in third instance). We can install 3 instances of NiFi in a single Ec2 instance as NiFi is lightweight.

Mutual authentication with X.509 certificates

The client requests resource, server presents the server certificate, client verifies server certificate.
Server requests client certificate, client presents certificate, server verifies client certificate and verifies client access rights.
Client accesses protected resource.

 

I created one Certificate Authority to sign the keys for servers, created keystores for all the 3 servers and created User key for key based authentication.

X.509 Certificates

Creating Certificate Authority

Below command generates CA private key.

Below command incorporates information such as Country Name, State, Locality, Organization name, organizational unit name and Common Name to our certificate request.

Below command converts pem encoding to der encoding which will be used by Java to generate a java keystore.

Below command adds the certificate to keystore.

Below is the screen shot of certificates generated.

Creating Server Keystore

It is recommended to use same password for both key password and keystore password. Below is the command to create server private key.

Below is the command to generate a Certificate Signing request.

Below is the command to get the key signed by CA

Below is the command to import public key for CA to our keystore.

Below is the command to import signed .crt to keystore.

Below is the screenshot of certificates generated.

We need to follow the same process for the other two instances also and create separate server keystores for each instance.

User keys for key based authentication

Below commands were used to generate user keys

Below is the screenshot of keys generated.

Upload the user1.p12 to browser certs to authenticate against our secure NiFi.

Manually add the ROLE_ADMIN to authorized-users.xml

NCM

The certificates generated in previous steps were used to configure nifi.properties file. Below are the screenshots of modified properties for NCM.

 

Node 1

The keystore for node1 was generated by following the same steps (Creating server keystore).

Once the keystore was generated the properties file was modified as per below screenshot.

 

Node 2

The keystore for node 2 was generated by following the same steps (Creating server keystore).

Once the keystore was generated the properties file was modified as per below screenshot.

 

Once configured the properties file in all 3 instances, restart the NiFi server in all instances.

Open the browser, where the user key certificate was loaded and login to secure https url of NiFi running on NCM.

Bingo! we successfully secured our cluster using Mutual authentication with X.509 certificates and NiFi now can process sensitive data securely.

Hurray! It’s my first blog and I will try to keep all the posts more practical and interesting. In the next blog we will add one more layer of security to our NiFi cluster with Kerberos.