Posted to users@nifi.apache.org by pa...@gmail.com on 2021/07/20 20:40:09 UTC
NiFi 1.11.4 with Zookeeper ACL enabled: failed to set state for components
Hello!
I am trying to set up a secure connection to Zookeeper with ACL enabled.
Add to Zookeeper JAVA_OPTS:
```
-Djava.security.auth.login.config={{ zookeeper_config_dir }}/jaas.conf
```
jaas.conf
```
QuorumServer {
org.apache.zookeeper.server.auth.DigestLoginModule required
user_zk="{{ zookeeper_security_quorumserver_user }}";
};
QuorumLearner {
org.apache.zookeeper.server.auth.DigestLoginModule required
username="{{ zookeeper_security_quorumlearner_user }}"
password="{{ zookeeper_security_quorumlearner_password }}";
};
Server {
org.apache.zookeeper.server.auth.DigestLoginModule required
user_super="{{ zookeeper_security_super_password }}";
};
```
Configure NiFi to use the secured Zookeeper by setting the property Access
Control in state-management.xml to CreatorOnly, and add jaas.conf
bootstrap.conf
```
java.arg.18=-Djava.security.auth.login.config={{ nifi_conf_dir }}/jaas.conf
java.arg.19=-Dzookeeper.sasl.client.username={{ nifi_zookeeper_security_username }}
```
nifi.properties
```
nifi.zookeeper.auth.type=sasl
```
jaas.conf
```
Client {
org.apache.zookeeper.server.auth.DigestLoginModule required
username="{{ nifi_zookeeper_security_username }}"
password="{{ nifi_zookeeper_security_password }}";
};
```
The Apache NiFi cluster starts and all seems OK with the cluster (znode
/nifi/ was created with ACLs), but a few moments later users complain
about an error on querydbtable processors:
```
Failed to set cluster-wide state in ZooKeeper for component with ID
java.io.IOException: Failed to set cluster-wide state in ZooKeeper for component with ID
```
I can see that with CreatorOnly enabled and the jaas configuration, NiFi
didn't create /nifi/components or set the right ACL for the root node.
Here we have a working NiFi cluster which cannot save processors' state
in Zookeeper because there is no /nifi/components.
What did I miss?
Best Regards,
Pavel Y. Klyuev
t.me/pklyuev <http://t.me/pklyuev>
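
Added example (not part of the original message, and not NiFi or ZooKeeper project code): ZooKeeper ACLs are per-znode and not inherited, and creating a child such as /nifi/components requires the CREATE permission on the parent /nifi for the authenticated identity. The sketch below parses text in the shape `zkCli.sh` prints for `getAcl /nifi` and reports which of those permissions an identity lacks. The sample output and the identity `sasl:nifi` are constructed assumptions.

```python
import re

# Constructed sample, in the shape zkCli.sh prints for `getAcl /nifi`.
SAMPLE_GETACL = """\
'sasl,'nifi
: cdrwa
'world,'anyone
: r
"""

# One ACL entry is printed as 'scheme,'id followed by a ": perms" line.
ENTRY = re.compile(r"^'(?P<scheme>[^,]+),'(?P<id>.*)$")


def parse_getacl(text):
    """Return a list of (scheme, id, perms) from zkCli `getAcl` output."""
    acl, pending = [], None
    for line in text.splitlines():
        line = line.strip()
        m = ENTRY.match(line)
        if m:
            pending = (m["scheme"], m["id"])
        elif line.startswith(":") and pending:
            acl.append((*pending, set(line[1:].strip())))
            pending = None
    return acl


def perms_for(acl, scheme, ident):
    """Union of permissions granted to one identity, plus world:anyone."""
    granted = set()
    for s, i, p in acl:
        if (s, i) == (scheme, ident) or (s, i) == ("world", "anyone"):
            granted |= p
    return granted


def check_state_path(parent_acl, scheme, ident):
    """List the operations on the parent znode that the identity cannot do."""
    have = perms_for(parent_acl, scheme, ident)
    needs = {"c": "create child znode (e.g. components)",
             "r": "read / list children"}
    return [why for perm, why in needs.items() if perm not in have]


if __name__ == "__main__":
    acl = parse_getacl(SAMPLE_GETACL)
    print(check_state_path(acl, "sasl", "nifi") or "parent ACL allows create")
```

Run it against the real `getAcl` output of each level of the state path, using the identity the NiFi nodes actually authenticate as.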