SSL and Zookeeper


SSL and Zookeeper

Mark Bean
Has anyone set up zookeeper connections for a NiFi Cluster over SSL? We have
ZK itself running over SSL. How do we get the NiFi to ZK connections
secure? Is this possible? Advice, suggestions and/or documentation greatly
appreciated.

Thanks,
Mark

Re: SSL and Zookeeper

Andy LoPresto-2
Hi Mark,

I believe SSL ZK connections are only supported in 3.5.0+ [1] and currently NiFi uses ZK 3.4.6 [2]. I don’t know the details on making a TLS connection to ZK, but my first thoughts would be to update the host/port combination in your NiFi configs to reference the ZK HTTPS port, and ensure that the certificate(s) used to identify ZK are in your NiFi truststore. 

This warrants raising a Jira to request the feature. Thanks. 


Andy LoPresto
PGP Fingerprint: 70EC B3E5 98A6 5A3F D3C4  BACE 3C6E F65B 2F7D EF69

On Oct 31, 2017, at 11:37 AM, Mark Bean <[hidden email]> wrote:

Has anyone set up zookeeper connections for a NiFi Cluster over SSL? We have
ZK itself running over SSL. How do we get the NiFi to ZK connections
secure? Is this possible? Advice, suggestions and/or documentation greatly
appreciated.

Thanks,
Mark



Re: SSL and Zookeeper

Yolanda Davis
Hi Mark,

Just adding to what Andy said below. Currently there is support for
Kerberos/SASL authentication with Zookeeper.  The admin guide provides
details on that configuration and setup for embedded zookeeper and links
for guidance on external Zookeeper installations.

https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#securing_zookeeper

-yolanda

On Tue, Oct 31, 2017 at 3:07 PM, Andy LoPresto <[hidden email]> wrote:

> Hi Mark,
>
> I believe SSL ZK connections are only supported in 3.5.0+ [1] and
> currently NiFi uses ZK 3.4.6 [2]. I don’t know the details on making a TLS
> connection to ZK, but my first thoughts would be to update the host/port
> combination in your NiFi configs to reference the ZK HTTPS port, and ensure
> that the certificate(s) used to identify ZK are in your NiFi truststore.
>
> This warrants raising a Jira to request the feature. Thanks.
>
> [1] http://zookeeper-user.578899.n2.nabble.com/SSL-between-java-client-and-zookeeper-td7582421.html
> [2] https://github.com/apache/nifi/blob/master/pom.xml#L748
>
> Andy LoPresto
> [hidden email]
> *[hidden email] <[hidden email]>*
> PGP Fingerprint: 70EC B3E5 98A6 5A3F D3C4  BACE 3C6E F65B 2F7D EF69
>
> On Oct 31, 2017, at 11:37 AM, Mark Bean <[hidden email]> wrote:
>
> Has anyone set up zookeeper connections for a NiFi Cluster over SSL? We have
> ZK itself running over SSL. How do we get the NiFi to ZK connections
> secure? Is this possible? Advice, suggestions and/or documentation greatly
> appreciated.
>
> Thanks,
> Mark
>
>
>


--
[hidden email]
@YolandaMDavis