NiFi Registry over HTTPS


NiFi Registry over HTTPS

Martini, Adam
Hello all,

We have NiFi Registry 0.2.0 spun up with an nginx proxy and SSL termination such that our service is being served over https without using NiFi’s built-in security configurations.

We are able to add the registry service to NiFi using our HTTPS endpoint and everything works perfectly.  However, we see errors when we restart NiFi:
org.apache.nifi.controller.serialization.FlowSynchronizationException: java.lang.IllegalStateException: Failed to create Flow Registry for URI https://nifi-registry.test.streams.nikecloud.com/ because this NiFi is not configured with a Keystore/Truststore, so it is not capable of communicating with a secure Registry. Please populate NiFi's Keystore/Truststore properties or connect to a NiFi Registry over http instead of https.

Is there a workaround that will allow us to use this nginx proxy architecture with NiFi Registry? HTTPS is historically an important requirement for us but we do not need, or desire, the complexity of NiFi’s built-in security.

Thanks,

Adam Martini

Senior Software Engineer
Nike Digital
[hidden email]





Re: NiFi Registry over HTTPS

Andy LoPresto
Adam,

This probably isn’t easily accomplished. You might be able to deploy with an “accept all” truststore so that any certificate is accepted, and provide a keystore that doesn’t have a private key to try and satisfy the properties loading without actually enabling HTTPS security on NiFi and the authentication mechanisms therein. I haven’t tried this, as we haven’t seen this request before.

If that doesn’t work, we might need to do some more exploration. I don’t think we would want to enable HTTPS without authentication as a normal use case, as some users would probably configure this accidentally and have a false sense of security.

Andy LoPresto
[hidden email]
[hidden email]
PGP Fingerprint: 70EC B3E5 98A6 5A3F D3C4  BACE 3C6E F65B 2F7D EF69

> On Nov 3, 2018, at 10:24, Martini, Adam <[hidden email]> wrote:
>
> Hello all,
>
> We have NiFi Registry 0.2.0 spun up with an nginx proxy and SSL termination such that our service is being served over https without using NiFi’s built-in security configurations.
>
> We are able to add the registry service to NiFi using our HTTPS endpoint and everything works perfectly.  However, we see errors when we restart NiFi:
> org.apache.nifi.controller.serialization.FlowSynchronizationException: java.lang.IllegalStateException: Failed to create Flow Registry for URI https://nifi-registry.test.streams.nikecloud.com/ because this NiFi is not configured with a Keystore/Truststore, so it is not capable of communicating with a secure Registry. Please populate NiFi's Keystore/Truststore properties or connect to a NiFi Registry over http instead of https.
>
> Is there a workaround that will allow us to use this nginx proxy architecture with NiFi Registry? HTTPS is historically an important requirement for us but we do not need, or desire, the complexity of NiFi’s built-in security.
>
> Thanks,
>
> Adam Martini
>
> Senior Software Engineer
> Nike Digital
> [hidden email]
>
>
>
>
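
Added example, not part of either message and not NiFi project code: a preflight check that flags the restart failure quoted in this thread before NiFi is restarted. It assumes the six `nifi.security.*` store properties listed in the code are what the error message means by "Keystore/Truststore properties"; the sample properties text and the registry URL are constructed.

```python
from urllib.parse import urlparse

# Assumption: these are the "Keystore/Truststore properties" the error refers to.
STORE_KEYS = (
    "nifi.security.keystore", "nifi.security.keystoreType",
    "nifi.security.keystorePasswd", "nifi.security.truststore",
    "nifi.security.truststoreType", "nifi.security.truststorePasswd",
)

def parse_properties(text):
    """Parse simple Java .properties text: key=value lines, # or ! comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props

def preflight(properties_text, registry_urls):
    """Return (url, reason) findings for registry clients that need attention."""
    props = parse_properties(properties_text)
    blank = [k for k in STORE_KEYS if not props.get(k)]
    findings = []
    for url in registry_urls:
        scheme = urlparse(url).scheme.lower()
        if scheme == "https" and blank:
            # The case in the thread: https registry URL, empty store properties.
            findings.append((url, "https registry, blank: " + ", ".join(blank)))
        elif scheme != "https":
            findings.append((url, "registry traffic is not encrypted"))
    return findings

# Constructed samples (not taken from the thread).
REGISTRY = "https://nifi-registry.example.test/"
AS_DESCRIBED = """\
nifi.web.http.port=8080
nifi.web.https.port=
nifi.security.keystore=
nifi.security.truststore=
"""
POPULATED = AS_DESCRIBED.replace(
    "nifi.security.keystore=\nnifi.security.truststore=\n",
    "\n".join(k + "=placeholder" for k in STORE_KEYS) + "\n")

if __name__ == "__main__":
    for sample in (AS_DESCRIBED, POPULATED):
        print(preflight(sample, [REGISTRY]))
```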