Apache Nifi集群搭建及用kerberos实现用户认证

最近这段时间在接触数据流式处理方面的事宜,用到了Apache NIFI现把安装配置中学习的一些经验分享下。此篇文章主要是针对集群及用户权限方面,关于Apache NIFI的介绍就不做过多的说明,直接引用官方的首页的说明如下图所示:

NiFi-01.png

Apahce NIFI的单机运行是相当的简单,易用,完全就是傻瓜式的。下载解压,进行bin目录执行nifi.sh start 打开浏览器输入http://127.0.0.1:8080/nifi即可看到一个简洁漂亮的WEB UI。那么接下来我们要配置的是它的集群模式,官方说明NIFI采用的是0主节点模式,集群中的每个节点在数据集上执行相同的任务,但是每个节点都在不同的数据集上运行(详细的说明请查看官方文档),并且内置了Zookeeper服务,如下图所示:

zero-master-cluster-http-access.png

系统环境及软件版本

  • CentOS7

  • JDK1.8.0_91

  • Nifi-1.4.0

  • Kerberos5

(其它版本可参考此篇文章)

HostNameIPServices
centos7-master192.168.56.100Kerberos5 Server, Nifi Cluster Manager
centos7-cluster01192.168.56.101Kerberos5 Client, Nifi Cluster

搭建Kerberos5服务

安装KDC服务及配置

进入到Master机器,执行以下命令安装KDC服务:

1
yum -y install krb5-server krb5-libs krb5-workstation

注:测试中发现krb5-auth-dialo组件是不可用的,也无需安装

修改KDC默认配置

进入/etc目录找到/etc/krb5.conf文件打开并修改,参考如下:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
# Configuration snippets may be placed in this directory as well
includedir /etc/krb5.conf.d/
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
dns_lookup_realm = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
rdns = false
# 这个注释需要开启,并填写默认的域
default_realm = CENTOS7-MASTER.COM
default_ccache_name = KEYRING:persistent:%{uid}
[realms]
# 把此处的EXAMPLE.COM修改成自己的域
CENTOS7-MASTER.COM = {
kdc = centos7-master
admin_server = centos7-master
# 添加默认的域
default_domain = CENTOS7-MASTER.COM
}
[domain_realm]
# 把此处的EXAMPLE.COM修改成自己的域名
.centos7-master.com = CENTOS7-MASTER.COM
centos7-master.com = CENTOS7-MASTER.COM

修改KRB5KDC配置文件

进入/etc目录找到/var/kerberos/krb5kdc/kdc.conf文件打开,参考如下修改:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
[kdcdefaults]
kdc_ports = 88
kdc_tcp_ports = 88
[realms]
# 修改此处的EXAMPLE.COM域名
CENTOS7-MASTER.COM = {
#master_key_type = aes256-cts
acl_file = /var/kerberos/krb5kdc/kadm5.acl
dict_file = /usr/share/dict/words
admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal camellia256-cts:normal camellia128-cts:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
kdc_ports = 88
kadmind_port = 749
}

初始化数据库

1
2
3
4
5
6
7
8
[root@centos7-master ~]# kdb5_util create -s
Loading random data
Initializing database '/var/kerberos/principal' for realm 'CENTOS7-MASTER.COM',
master key name 'K/M@CENTOS7-MASTER.COM'
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key:
Re-enter KDC database master key to verify:

修改数据库权限

找到/var/kerberos/krb5kdc/kadm5.acl配置文件,给数据库管理员添加ACL权限,*代表全部权限,操作如下:

1
2
[root@centos7-master ~]# vi /var/kerberos/krb5kdc/kadm5.acl
*/admin@CENTOS7-MASTER.COM *

启动KDC服务

1
2
service krb5kdc start
service kadmin start

创建数据库管理员

参考如下命令创建管理员用户,保存好创建时设置的密码(如果忘记后期可以使用cpw命令更新),并导出keytab

1
2
3
4
5
6
7
8
9
10
[root@centos7-master ~]# kadmin.local -q "addprinc root/admin"
Authenticating as principal root/admin@CENTOS7-MASTER.COM with password.
WARNING: no policy specified for root/admin@CENTOS7-MASTER.COM; defaulting to no policy
Enter password for principal "root/admin@CENTOS7-MASTER.COM":
Re-enter password for principal "root/admin@CENTOS7-MASTER.COM":
Principal "root/admin@CENTOS7-MASTER.COM" created.
[root@centos7-master ~]# kadmin.local
kadmin: ktadd -k /data/root.keytab root/admin
kadmin: q
[root@centos7-master ~]# kinit root/admin

安装KDC Client服务

进入从Cluster机器,执行如下命令安装KDC Cliente服务:

1
yum -y install krb5-libs krb5-workstation

更新配置并测试

拷贝主节点的krb5.confroot.keytab到从节点服务,参考如下:

1
2
3
4
5
6
[root@centos7-cluster01 ~]# scp root@centos7-master:/etc/krb5.conf /etc/krb5.conf
[root@centos7-cluster01 ~]# scp root@centos7-master:/data/root.keytab /data/root.keytab
[root@centos7-cluster01 ~]# kadmin -p root/admin
Authenticating as principal root/admin with password.
Password for root/admin@CENTOS7-MASTER.COM:
kadmin:

拷贝keytab文件

拷贝root.keytab/data/root.keytab目录,注意此处指的是所有机器

创建Nifi服务证书

创建证书

解压nifi-toolkit-1.4.0-bin.tar.gz文件后进入bin目录,执行以下的命令:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
[root@centos7-master ~]# ./tls-toolkit.sh standalone -n 'centos7-master, centos7-cluster01' -C 'CN=admin, OU=ApacheNIFI' -o './target' -f '/usr/local/bin/nifi-ncm/conf/nifi.properties'
[root@centos7-master target]# tree
.
├── centos7-cluster01
│   ├── keystore.jks
│   ├── nifi.properties
│   └── truststore.jks
├── centos7-master
│   ├── keystore.jks
│   ├── nifi.properties
│   └── truststore.jks
├── CN=admin_OU=ApacheNIFI.p12
├── CN=admin_OU=ApacheNIFI.password
├── nifi-cert.pem
└── nifi-key.key
  • -n 表示机器的hostname
  • -C 生成浏览器证书(注意: CN=admin, 后面的空格一定要保留)
  • -o 输出的目录
  • -f Nifi的配置文件位置

拷贝证书

拷贝生成好证书到主从节点服务器下NIFI安装目录中的conf文件夹,如下:

1
2
[root@centos7-master target]# scp centos7-cluster01/* centos7-cluster01:/usr/local/bin/nifi-cluster01/conf
[root@centos7-master target]# cp target/centos7-master/* /usr/local/bin/nifi-ncm/conf/

配置Zookeeper服务

注意:所有的主从节点都需要操作

创建id文件

进入到NIFI安装目录下,并创建state/zookeeper目录和myid文件,然后把对应的ID写入到文件中,操作如下:

1
2
[root@centos7-master nifi-ncm]# mkdir -p state/zookeeper
[root@centos7-master nifi-ncm]# echo -n '1' > state/zookeeper/myid

注意: 从节点上创建的myid为2,如:echo -n '2' > state/zookeeper/myid

修改配置文件

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
clientPort=2181
initLimit=10
autopurge.purgeInterval=24
syncLimit=5
tickTime=2000
dataDir=./state/zookeeper
autopurge.snapRetainCount=30
#
# Specifies the servers that are part of this zookeeper ensemble. For
# every NiFi instance running an embedded zookeeper, there needs to be
# a server entry below. For instance:
#
# server.1=nifi-node1-hostname:2888:3888
# server.2=nifi-node2-hostname:2888:3888
# server.3=nifi-node3-hostname:2888:3888
#
# The index of the server corresponds to the myid file that gets created
# in the dataDir of each node running an embedded zookeeper. See the
# administration guide for more details.
#
# 注意修改成你对应的服务器地址
server.1=centos7-master:2888:3888
server.2=centos7-cluster01:2888:3888

更新状态配置

进入到Nifif安装目录下修改conf/state-management.xml配置,在zk-provider节点下添加连接字符串

1
2
3
4
5
6
7
8
<cluster-provider>
<id>zk-provider</id>
<class>org.apache.nifi.controller.state.providers.zookeeper.ZooKeeperStateProvider</class>
<property name="Connect String">centos7-master:2181,centos7-cluster01:2181</property>
<property name="Root Node">/nifi</property>
<property name="Session Timeout">10 seconds</property>
<property name="Access Control">Open</property>
</cluster-provider>

更新NIFI配置

进入到Nifif安装目录下修改conf/nifi.properties文件,把内置的zookeeper启动和cluster设置成true,如下:

1
2
3
4
5
6
7
8
9
nifi.state.management.embedded.zookeeper.start=true
nifi.cluster.is.node=true
# zookeeper properties, used for cluster management #
nifi.zookeeper.connect.string=centos7-master:2181,centos7-cluster01:2181
nifi.zookeeper.connect.timeout=3 secs
nifi.zookeeper.session.timeout=3 secs
nifi.zookeeper.root.node=/nifi

配置Nifi Admin初始化

更新NIFI配置

进入到Nifif安装目录修改conf/nifi.properties文件,把kerberos5的登录适配加上,如下:

1
2
3
4
5
nifi.kerberos.krb5.file=/etc/krb5.conf
# kerberos service principal #
nifi.kerberos.service.principal=root/admin@CENTOS7-MASTER.COM
nifi.kerberos.service.keytab.location=/data/root.keytab

更新用户配置

进入到Nifif安装目录中的conf目录,添加authorizerauthorizers.xml,打开file-provider节点注释并添加如下内容:

1
2
3
4
5
6
7
8
9
10
11
<authorizer>
<identifier>file-provider</identifier>
<class>org.apache.nifi.authorization.FileAuthorizer</class>
<property name="Authorizations File">./conf/authorizations.xml</property>
<property name="Users File">./conf/users.xml</property>
<property name="Initial Admin Identity">root/admin@CENTOS7-MASTER.COM</property>
<property name="Legacy Authorized Users File"></property>
<property name="Node Identity 1">CN=centos7-master, OU=NIFI</property>
<property name="Node Identity 2">CN=centos7-cluster01, OU=NIFI</property>
</authorizer>

更新登录配置

进入到Nifif安装目录中的conf目录,修改login-identity-providers.xml文件,打开kerberos-provider节点注释:

1
2
3
4
5
6
7
<provider>
<identifier>kerberos-provider</identifier>
<class>org.apache.nifi.kerberos.KerberosProvider</class>
<property name="Default Realm">CENTOS7-MASTER.COM</property>
<property name="Kerberos Config File">/etc/krb5.conf</property>
<property name="Authentication Expiration">12 hours</property>
</provider>

启动NIFI服务

先启动主节点的NIFI,而后启动从节点的NIFI,执行命令./bin/nifi.sh start, 然后打开浏览器输入https://centos7-master:9443/nifi/便会跳转到登录页面,输入在第1步骤创建的用户与密码,即可登录成功。界面显示如下:

如上面两图显示,在界面的左上角可以清楚的看到当前节点数为2,用户为root/admin@CENTOS7-MASTER.COM,其中centos7-master是协调器,centos7-cluster01是主要节点,主菜单中也增加有了ClusterUserPolicies选项。

至此Apache NIFI的集群服务与用户认证便完成好啦,后面便可开展下一步的工作。

遇到的坑:

  • 首次登录时提示用户名或密码无效,可通过kadmin更新用户的密码
  • 登录成功后提示用户没有对应的策略,重启NIFI服务即可

引用参考

收到的赏金
感谢各位的慷慨解囊!

序号昵称来源金额(元)留言
1林俗人微信2感谢博主,感谢分享!
创作实属不易,如有帮助,那就打赏博主些许茶钱吧 ^_^
0%