Posted to dev@nifi.apache.org by Edgardo Vega <ed...@gmail.com> on 2015/09/08 20:16:47 UTC

Https and clustering

I have successfully set up https on a single machine. In a clustered
environment, would the only machine that needs the nifi.security.* settings
be the nifi manager and the other nodes in the cluster would just use inter
node communications via unicast or multicast ports?

I also see in the documentation that Site-to-Site connection can be secured
by setting nifi.remote.input.secure. Wouldn't it already be running https
when we set up the other properties?

-- 
Cheers,

Edgardo

Re: Https and clustering

Posted by Edgardo Vega <ed...@gmail.com>.
Thanks for the info, Matt. I think I got it now.

Cheers,

Edgardo

On Wed, Sep 9, 2015 at 3:44 PM, Matt Gilman <ma...@gmail.com> wrote:

> Edgardo,
>
> Typically you'll secure all nodes in your cluster in addition to the NCM.
> The NCM is responsible for replicating user requests (like create a
> processor) to the nodes throughout the cluster. If you ran the nodes
> unsecured, the requests from the NCM to the nodes would be over HTTP.
> Configuring HTTPS on the nodes too will ensure you're using HTTPS throughout
> the cluster.
>
> There are really two phases to site-to-site. First is the discovery of
> available Input/Output Ports on a given NiFi instance. These are discovered
> by one NiFi sending an HTTP(s) request to another NiFi. This happens when
> the user drops a Remote Process Group on the canvas. If the target NiFi is
> running securely, that request is over HTTPS. Once the target NiFi has
> granted access to the source NiFi, a separate socket connection is
> established to actually send/receive data. The nifi.remote.input.secure
> property allows you to use a secure socket when sending/receiving the data.
>
> Matt
>
> On Tue, Sep 8, 2015 at 2:16 PM, Edgardo Vega <ed...@gmail.com>
> wrote:
>
> > I have successfully set up https on a single machine. In a clustered
> > environment, would the only machine that needs the nifi.security.* settings
> > be the nifi manager and the other nodes in the cluster would just use inter
> > node communications via unicast or multicast ports?
> >
> > I also see in the documentation that Site-to-Site connection can be secured
> > by setting nifi.remote.input.secure. Wouldn't it already be running https
> > when we set up the other properties?
> >
> > --
> > Cheers,
> >
> > Edgardo
> >
>



-- 
Cheers,

Edgardo

Re: Https and clustering

Posted by Matt Gilman <ma...@gmail.com>.
Edgardo,

Typically you'll secure all nodes in your cluster in addition to the NCM.
The NCM is responsible for replicating user requests (like create a
processor) to the nodes throughout the cluster. If you ran the nodes
unsecured, the requests from the NCM to the nodes would be over HTTP.
Configuring HTTPS on the nodes too will ensure you're using HTTPS throughout
the cluster.

There are really two phases to site-to-site. First is the discovery of
available Input/Output Ports on a given NiFi instance. These are discovered
by one NiFi sending an HTTP(s) request to another NiFi. This happens when
the user drops a Remote Process Group on the canvas. If the target NiFi is
running securely, that request is over HTTPS. Once the target NiFi has
granted access to the source NiFi, a separate socket connection is
established to actually send/receive data. The nifi.remote.input.secure
property allows you to use a secure socket when sending/receiving the data.

Matt

On Tue, Sep 8, 2015 at 2:16 PM, Edgardo Vega <ed...@gmail.com> wrote:

> I have successfully set up https on a single machine. In a clustered
> environment, would the only machine that needs the nifi.security.* settings
> be the nifi manager and the other nodes in the cluster would just use inter
> node communications via unicast or multicast ports?
>
> I also see in the documentation that Site-to-Site connection can be secured
> by setting nifi.remote.input.secure. Wouldn't it already be running https
> when we set up the other properties?
>
> --
> Cheers,
>
> Edgardo
>
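
The two channels described in this thread (the HTTP(S) listener used for replicated requests and Site-to-Site port discovery, and the separate Site-to-Site data socket) can be checked per node, shown here as an added example that is not part of the thread or of NiFi itself. The node names and property values are constructed; the keys nifi.web.http.port, nifi.web.https.port, nifi.security.keystore, nifi.security.truststore and nifi.remote.input.socket.port come from NiFi's nifi.properties and are not named in the thread.

```python
# Added example, not from the thread. Node names and values are constructed.
SAMPLES = {
    "ncm": """
nifi.web.https.port=8443
nifi.security.keystore=./conf/keystore.jks
nifi.security.truststore=./conf/truststore.jks
""",
    "node1": """
nifi.web.http.port=8080
nifi.web.https.port=
""",
    "node2": """
nifi.web.https.port=8443
nifi.security.keystore=./conf/keystore.jks
nifi.security.truststore=./conf/truststore.jks
nifi.remote.input.socket.port=10443
nifi.remote.input.secure=false
""",
}

def parse_properties(text):
    """Parse key=value lines, skipping blanks and # comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def audit_node(text):
    """Return finding codes for the channels that would not be protected."""
    p = parse_properties(text)
    findings = []
    if not p.get("nifi.web.https.port"):
        # Replicated user requests and Site-to-Site discovery use this listener.
        findings.append("web-not-https")
    else:
        for key in ("nifi.security.keystore", "nifi.security.truststore"):
            if not p.get(key):
                findings.append("missing:" + key)
    # The Site-to-Site data socket is governed by its own property.
    secure = p.get("nifi.remote.input.secure", "").lower() == "true"
    if p.get("nifi.remote.input.socket.port") and not secure:
        findings.append("s2s-data-not-secure")
    return findings

def audit_cluster(configs):
    return {name: audit_node(text) for name, text in configs.items()}
```

Calling `audit_cluster(SAMPLES)` flags node1 for serving its web/API listener without HTTPS and node2 for an unsecured Site-to-Site data socket even though its HTTPS settings are complete.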