You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@nifi.apache.org by tk...@apache.org on 2016/02/27 04:24:12 UTC
svn commit: r1732598 - in /nifi/site/trunk/docs/nifi-docs/html:
administration-guide.html developer-guide.html
expression-language-guide.html getting-started.html overview.html
user-guide.html
Author: tkurc
Date: Sat Feb 27 03:24:12 2016
New Revision: 1732598
URL: http://svn.apache.org/viewvc?rev=1732598&view=rev
Log:
NIFI-1556: updating nifi-docs for 0.5.1
Modified:
nifi/site/trunk/docs/nifi-docs/html/administration-guide.html
nifi/site/trunk/docs/nifi-docs/html/developer-guide.html
nifi/site/trunk/docs/nifi-docs/html/expression-language-guide.html
nifi/site/trunk/docs/nifi-docs/html/getting-started.html
nifi/site/trunk/docs/nifi-docs/html/overview.html
nifi/site/trunk/docs/nifi-docs/html/user-guide.html
Modified: nifi/site/trunk/docs/nifi-docs/html/administration-guide.html
URL: http://svn.apache.org/viewvc/nifi/site/trunk/docs/nifi-docs/html/administration-guide.html?rev=1732598&r1=1732597&r2=1732598&view=diff
==============================================================================
--- nifi/site/trunk/docs/nifi-docs/html/administration-guide.html (original)
+++ nifi/site/trunk/docs/nifi-docs/html/administration-guide.html Sat Feb 27 03:24:12 2016
@@ -1,20 +1,4 @@
-<!--
- Licensed to the Apache Software Foundation (ASF) under one or more
- contributor license agreements. See the NOTICE file distributed with
- this work for additional information regarding copyright ownership.
- The ASF licenses this file to You under the Apache License, Version 2.0
- (the "License"); you may not use this file except in compliance with
- the License. You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
- Unless required by applicable law or agreed to in writing, software
- distributed under the License is distributed on an "AS IS" BASIS,
- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- See the License for the specific language governing permissions and
- limitations under the License.
- -->
- <!DOCTYPE html>
+<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
@@ -1796,30 +1780,51 @@ in the cluster. This allows one node to
<div class="paragraph">
<p>When a component decides to store or retrieve state, it does so by providing a "Scope" - either Node-local or Cluster-wide. The
mechanism that is used to store and retrieve this state is then determined based on this Scope, as well as the configured State
-Providers. The <em>nifi.properties</em> file contains three different properties that are relevant to configuring these State Providers.
-The first is the <code>nifi.state.management.configuration.file</code> property specifies an external XML file that is used for configuring
-the local and cluster-wide State Providers. This XML file may contain configurations for multiple providers, so the
-<code>nifi.state.management.provider.local</code> property provides the identifier of the local State Provider configured in this XML file.
-Similarly, the <code>nifi.state.management.provider.cluster</code> property provides the identifier of the cluster-wide State Provider
-configured in this XML file.</p>
-</div>
-<div class="paragraph">
-<p>This XML file consists of a top-level <code>state-management</code> element, which has one or more <code>local-provider</code> and zero or more
-<code>cluster-provider</code> elements. Each of these elements then contains an <code>id</code> element that is used to specify the identifier that can
-be referenced in the <em>nifi.properties</em> file, as well as a <code>class</code> element that specifies the fully-qualified class name to use
-in order to instantiate the State Provider. Finally, each of these elements may have zero or more <code>property</code> elements. Each
-<code>property</code> element has an attribute, <code>name</code> that is the name of the property that the State Provider supports. The textual content
-of the <code>property</code> element is the value of the property.</p>
-</div>
-<div class="paragraph">
-<p>Once these State Providers have been configured in the <em>state-management.xml</em> file (or whatever file is configured), those Providers
-may be referenced by their identifiers. By default, the Local State Provider is configured to be a <code>WriteAheadLocalStateProvider</code> that
-persists the data to the <em>$NIFI_HOME/state</em> directory. The default Cluster State Provider is configured to be a <code>ZooKeeperStateProvider</code>.
-The default ZooKeeper-based provider must have its <code>Connect String</code> property populated before it can be used. It is also advisable,
-if multiple NiFi instances will use the same ZooKeeper instance, that the value of the <code>Root Node</code> property be changed. For instance,
-one might set the value to <code>/nifi/<team name>/production</code>. A <code>Connect String</code> takes the form of comma separated <host>:<port> tuples,
-such as my-zk-server1:2181,my-zk-server2:2181,my-zk-server3:2181. In the event a port is not specified for any of the hosts, the ZooKeeper
-default of 2181 is assumed.</p>
+Providers. The <em>nifi.properties</em> file contains three different properties that are relevant to configuring these State Providers.</p>
+</div>
+<table class="tableblock frame-all grid-all spread">
+<colgroup>
+<col style="width: 50%;">
+<col style="width: 50%;">
+</colgroup>
+<tbody>
+<tr>
+<td class="tableblock halign-left valign-top"><p class="tableblock"><strong>Property</strong></p></td>
+<td class="tableblock halign-left valign-top"><p class="tableblock"><strong>Description</strong></p></td>
+</tr>
+<tr>
+<td class="tableblock halign-left valign-top"><p class="tableblock">nifi.state.management.configuration.file</p></td>
+<td class="tableblock halign-left valign-top"><p class="tableblock">The first is the property that specifies an external XML file that is used for configuring the local and/or cluster-wide State Providers. This XML file may contain configurations for multiple providers</p></td>
+</tr>
+<tr>
+<td class="tableblock halign-left valign-top"><p class="tableblock">nifi.state.management.provider.local</p></td>
+<td class="tableblock halign-left valign-top"><p class="tableblock">The property that provides the identifier of the local State Provider configured in this XML file</p></td>
+</tr>
+<tr>
+<td class="tableblock halign-left valign-top"><p class="tableblock">nifi.state.management.provider.cluster</p></td>
+<td class="tableblock halign-left valign-top"><p class="tableblock">Similarly, the property provides the identifier of the cluster-wide State Provider configured in this XML file.</p></td>
+</tr>
+</tbody>
+</table>
+<div class="paragraph">
+<p>This XML file consists of a top-level <code>state-management</code> element, which has one or more <code>local-provider</code> and zero or more <code>cluster-provider</code>
+elements. Each of these elements then contains an <code>id</code> element that is used to specify the identifier that can be referenced in the
+<em>nifi.properties</em> file, as well as a <code>class</code> element that specifies the fully-qualified class name to use in order to instantiate the State
+Provider. Finally, each of these elements may have zero or more <code>property</code> elements. Each <code>property</code> element has an attribute, <code>name</code> that is the name
+of the <code>property</code> that the State Provider supports. The textual content of the property element is the value of the property.</p>
+</div>
+<div class="paragraph">
+<p>Once these State Providers have been configured in the <em>state-management.xml</em> file (or whatever file is configured), those Providers may be
+referenced by their identifiers.</p>
+</div>
+<div class="paragraph">
+<p>By default, the Local State Provider is configured to be a <code>WriteAheadLocalStateProvider</code> that persists the data to the
+<em>$NIFI_HOME/state/local</em> directory. The default Cluster State Provider is configured to be a <code>ZooKeeperStateProvider</code>. The default
+ZooKeeper-based provider must have its <code>Connect String</code> property populated before it can be used. It is also advisable, if multiple NiFi instances
+will use the same ZooKeeper instance, that the value of the <code>Root Node</code> property be changed. For instance, one might set the value to
+<code>/nifi/<team name>/production</code>. A <code>Connect String</code> takes the form of comma separated <host>:<port> tuples, such as
+my-zk-server1:2181,my-zk-server2:2181,my-zk-server3:2181. In the event a port is not specified for any of the hosts, the ZooKeeper default of
+2181 is assumed.</p>
</div>
<div class="paragraph">
<p>When adding data to ZooKeeper, there are two options for Access Control: <code>Open</code> and <code>CreatorOnly</code>. If the <code>Access Control</code> property is
@@ -1856,12 +1861,33 @@ behave as a cluster. However, there are
In order to avoid the burden of forcing administrators to also maintain a separate ZooKeeper instance, NiFi provides the option of starting an
embedded ZooKeeper server.</p>
</div>
+<table class="tableblock frame-all grid-all spread">
+<colgroup>
+<col style="width: 50%;">
+<col style="width: 50%;">
+</colgroup>
+<tbody>
+<tr>
+<td class="tableblock halign-left valign-top"><p class="tableblock"><strong>Property</strong></p></td>
+<td class="tableblock halign-left valign-top"><p class="tableblock"><strong>Description</strong></p></td>
+</tr>
+<tr>
+<td class="tableblock halign-left valign-top"><p class="tableblock">nifi.state.management.embedded.zookeeper.start</p></td>
+<td class="tableblock halign-left valign-top"><p class="tableblock">Specifies whether or not this instance of NiFi should run an embedded ZooKeeper server</p></td>
+</tr>
+<tr>
+<td class="tableblock halign-left valign-top"><p class="tableblock">nifi.state.management.embedded.zookeeper.properties</p></td>
+<td class="tableblock halign-left valign-top"><p class="tableblock">Properties file that provides the ZooKeeper properties to use if <nifi.state.management.embedded.zookeeper.start> is set to true</p></td>
+</tr>
+</tbody>
+</table>
<div class="paragraph">
<p>This can be accomplished by setting the <code>nifi.state.management.embedded.zookeeper.start</code> property in <em>nifi.properties</em> to <code>true</code> on those nodes
that should run the embedded ZooKeeper server. Generally, it is advisable to run ZooKeeper on either 3 or 5 nodes. Running on fewer than 3 nodes
provides less durability in the face of failure. Running on more than 5 nodes generally produces more network traffic than is necessary. Additionally,
running ZooKeeper on 4 nodes provides no more benefit than running on 3 nodes, ZooKeeper requires a majority of nodes be active in order to function.
-However, it is up to the administrator to determine the number of nodes most appropriate to the particular deployment of NiFi.</p>
+However, it is up to the administrator to determine the number of nodes most appropriate to the particular deployment of NiFi. An embedded ZooKeeper
+server cannot be run on the NCM.</p>
</div>
<div class="paragraph">
<p>If the <code>nifi.state.management.embedded.zookeeper.start</code> property is set to <code>true</code>, the <code>nifi.state.management.embedded.zookeeper.properties</code> property
@@ -1874,9 +1900,9 @@ listen on for client connections must be
in the <em>zookeeper.properties</em> file.</p>
</div>
<div class="paragraph">
-<p>When using an embedded ZooKeeper, the <em>conf/zookeeper.properties</em> file has a property named <code>dataDir</code>. By default, this value is set to <code>./state/zookeeper</code>.
+<p>When using an embedded ZooKeeper, the ./<em>conf/zookeeper.properties</em> file has a property named <code>dataDir</code>. By default, this value is set to <code>./state/zookeeper</code>.
If more than one NiFi node is running an embedded ZooKeeper, it is important to tell the server which one it is. This is accomplished by creating a file named
-<em>myid</em> and placing it in ZooKeeper’s data directory. The contents of this file should be the index of the server as specific by the <code>server.<number></code>. So for
+<em>myid</em> and placing it in ZooKeeperâs data directory. The contents of this file should be the index of the server as specific by the <code>server.<number></code>. So for
one of the ZooKeeper servers, we will accomplish this by performing the following commands:</p>
</div>
<div class="listingblock">
@@ -1940,57 +1966,84 @@ support for encryption via SSL. Support
<p>In order to secure the communications, we need to ensure that both the client and the server support the same configuration. Instructions for configuring the
NiFi ZooKeeper client and embedded ZooKeeper server to use Kerberos are provided below.</p>
</div>
+<div class="paragraph">
+<p>If Kerberos is not already setup in your environment, you can find information on installing and setting up a Kerberos Server at
+<a href="https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Managing_Smart_Cards/Configuring_a_Kerberos_5_Server.html"><em>https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Managing_Smart_Cards/Configuring_a_Kerberos_5_Server.html</em></a>
+. This guide assumes that Kerberos already has been installed in the environment in which NiFi is running.</p>
+</div>
+<div class="paragraph">
+<p>Note, the following procedures for kerberizing an Embedded Zookeeper server in your NiFI Node and kerberizing a zookeeper NiFI client will require that
+Kerberos client libraries be installed. This is accomplished in Fedora-based Linux distributions via:</p>
+</div>
+<div class="listingblock">
+<div class="content">
+<pre class="highlight"><code>yum install krb5-workstation</code></pre>
+</div>
+</div>
+<div class="paragraph">
+<p>Once this is complete, the /etc/krb5.conf will need to be configured appropriately for your organizationâs Kerberos environment.</p>
+</div>
<div class="sect3">
-<h4 id="zk_kerberos_client"><a class="anchor" href="#zk_kerberos_client"></a>Kerberizing NiFi’s ZooKeeper Client</h4>
+<h4 id="zk_kerberos_server"><a class="anchor" href="#zk_kerberos_server"></a>Kerberizing Embedded ZooKeeper Server</h4>
<div class="paragraph">
-<p>The preferred mechanism for authenticating users with ZooKeeper is to use Kerberos. In order to use Kerberos to authenticate, we must configure a few
-system properties, so that the ZooKeeper client knows who the user is and where the KeyTab file is. All nodes configured to store cluster-wide state
-using <code>ZooKeeperStateProvider</code> and using Kerberos should follow these steps.</p>
+<p>The krb5.conf file on the systems with the embedded zookeeper servers should be identical to the one on the system where the krb5kdc service is running.
+When using the embedded ZooKeeper server, we may choose to secure the server by using Kerberos. All nodes configured to launch an embedded ZooKeeper and
+using Kerberos should follow these steps. When using the embedded ZooKeeper server, we may choose to secure the server by using Kerberos. All nodes
+configured to launch an embedded ZooKeeper and using Kerberos should follow these steps.</p>
</div>
<div class="paragraph">
-<p>First, we must create the Principal that we will use when communicating with ZooKeeper. This is generally done via the <code>kadmin</code> tool:</p>
+<p>In order to use Kerberos, we first need to generate a Kerberos Principal for our ZooKeeper servers. The following command is run on the server where the
+krb5kdc service is running. This is accomplished via the kadmin tool:</p>
</div>
<div class="listingblock">
<div class="content">
-<pre class="highlight"><code>kadmin: addprinc "nifi@EXAMPLE.COM"</code></pre>
+<pre class="highlight"><code>kadmin: addprinc "zookeeper/myHost.example.com@EXAMPLE.COM"</code></pre>
</div>
</div>
<div class="paragraph">
-<p>A Kerberos Principal is made up of three parts: the primary, the instance, and the realm. Here, we are creating a Principal with the primary <code>nifi</code>,
-no instance, and the realm <code>EXAMPLE.COM</code>. The primary (<code>nifi</code>, in this case) is the identifier that will be used to identify the user when authenticating
-via Kerberos.</p>
+<p>Here, we are creating a Principal with the primary <code>zookeeper/myHost.example.com</code>, using the realm <code>EXAMPLE.COM</code>. We need to use a Principal whose
+name is <code><service name>/<instance name></code>. In this case, the service is <code>zookeeper</code> and the instance name is <code>myHost.example.com</code> (the fully qualified name of our host).</p>
</div>
<div class="paragraph">
-<p>After we have created our Principal, we will need to create a KeyTab for the Principal:</p>
+<p>Next, we will need to create a KeyTab for this Principal, this command is run on the server with the NiFi instance with an embedded zookeeper server:</p>
</div>
<div class="listingblock">
<div class="content">
-<pre class="highlight"><code>kadmin: xst -k nifi.keytab nifi@EXAMPLE.COM</code></pre>
+<pre class="highlight"><code>kadmin: xst -k zookeeper-server.keytab zookeeper/myHost.example.com@EXAMPLE.COM</code></pre>
</div>
</div>
<div class="paragraph">
-<p>This will create a file in the current directory named <code>nifi.keytab</code>. We can now copy that file into the <em>$NIFI_HOME/conf/</em> directory. We should ensure
+<p>This will create a file in the current directory named <code>zookeeper-server.keytab</code>. We can now copy that file into the <code>$NIFI_HOME/conf/</code> directory. We should ensure
that only the user that will be running NiFi is allowed to read this file.</p>
</div>
<div class="paragraph">
-<p>Next, we need to configure NiFi to use this KeyTab for authentication. Since ZooKeeper uses the Java Authentication and Authorization Service (JAAS), we need to
-create a JAAS-compatible file. In the <code>$NIFI_HOME/conf/</code> directory, create a file named <code>zookeeper-jaas.conf</code> and add to it the following snippet:</p>
+<p>We will need to repeat the above steps for each of the instances of NiFi that will be running the embedded ZooKeeper server, being sure to replace <em>myHost.example.com</em> with
+<em>myHost2.example.com</em>, or whatever fully qualified hostname the ZooKeeper server will be run on.</p>
+</div>
+<div class="paragraph">
+<p>Now that we have our KeyTab for each of the servers that will be running NiFi, we will need to configure NiFiâs embedded ZooKeeper server to use this configuration.
+ZooKeeper uses the Java Authentication and Authorization Service (JAAS), so we need to create a JAAS-compatible file In the <code>$NIFI_HOME/conf/</code> directory, create a file
+named <code>zookeeper-jaas.conf</code> (this file will already exist if the Client has already been configured to authenticate via Kerberos. Thatâs okay, just add to the file).
+We will add to this file, the following snippet:</p>
</div>
<div class="listingblock">
<div class="content">
-<pre class="highlight"><code>Client {
+<pre class="highlight"><code>Server {
com.sun.security.auth.module.Krb5LoginModule required
useKeyTab=true
- keyTab="./conf/nifi.keytab"
+ keyTab="./conf/zookeeper-server.keytab"
storeKey=true
useTicketCache=false
- principal="nifi@EXAMPLE.COM";
+ principal="zookeeper/myHost.example.com@EXAMPLE.COM";
};</code></pre>
</div>
</div>
<div class="paragraph">
-<p>Finally, we need to tell NiFi to use this as our JAAS configuration. This is done by setting a JVM System Property, so we will edit the <em>conf/bootstrap.conf</em> file.
-We add the following line anywhere in this file in order to tell the NiFi JVM to use this configuration:</p>
+<p>Be sure to replace the value of <em>principal</em> above with the appropriate Principal, including the fully qualified domain name of the server.</p>
+</div>
+<div class="paragraph">
+<p>Next, we need to tell NiFi to use this as our JAAS configuration. This is done by setting a JVM System Property, so we will edit the <code>conf/bootstrap.conf</code> file.
+If the Client has already been configured to use Kerberos, this is not necessary, as it was done above. Otherwise, we will add the following line to our <em>bootstrap.conf</em> file:</p>
</div>
<div class="listingblock">
<div class="content">
@@ -1998,91 +2051,95 @@ We add the following line anywhere in th
</div>
</div>
<div class="paragraph">
-<p>We can initialize our Kerberos ticket by running the following command:</p>
+<p>Note: this additional line in the file doesnât have to be number 15, it just has to be added to the bootstrap.conf file, use whatever number is appropriate for your configuration.</p>
+</div>
+<div class="paragraph">
+<p>We will want to initialize our Kerberos ticket by running the following command:</p>
</div>
<div class="listingblock">
<div class="content">
-<pre class="highlight"><code>kinit nifi</code></pre>
+<pre class="highlight"><code>kinit âkt zookeeper-server.keytab "zookeeper/myHost.example.com@EXAMPLE.COM"</code></pre>
</div>
</div>
<div class="paragraph">
-<p>Note, the above <code>kinit</code> command requires that Kerberos client libraries be installed. This is accomplished in Fedora-based Linux distributions via:</p>
+<p>Again, be sure to replace the Principal with the appropriate value, including your realm and your fully qualified hostname.</p>
+</div>
+<div class="paragraph">
+<p>Finally, we need to tell the Kerberos server to use the SASL Authentication Provider. To do this, we edit the <code>$NIFI_HOME/conf/zookeeper.properties</code> file and add the following
+lines:</p>
</div>
<div class="listingblock">
<div class="content">
-<pre class="highlight"><code>yum install krb5-workstation krb5-libs krb5-auth-dialog</code></pre>
+<pre class="highlight"><code>authProvider.1=org.apache.zookeeper.server.auth.SASLAuthenticationProvider
+jaasLoginRenew=3600000
+requireClientAuthScheme=sasl</code></pre>
</div>
</div>
<div class="paragraph">
-<p>Once this is complete, the /etc/krb5.conf will need to be configured appropriately for your organization’s Kerberos envrionment.</p>
+<p>The last line is optional but specifies that clients MUST use Kerberos to communicate with our ZooKeeper instance.</p>
</div>
<div class="paragraph">
-<p>Now, when we start NiFi, it will use Kerberos to authentication as the <code>nifi</code> user when communicating with ZooKeeper.</p>
+<p>Now, we can start NiFi, and the embedded ZooKeeper server will use Kerberos as the authentication mechanism.</p>
</div>
</div>
<div class="sect3">
-<h4 id="zk_kerberos_server"><a class="anchor" href="#zk_kerberos_server"></a>Kerberizing Embedded ZooKeeper Server</h4>
+<h4 id="zk_kerberos_client"><a class="anchor" href="#zk_kerberos_client"></a>Kerberizing NiFi’s ZooKeeper Client</h4>
<div class="paragraph">
-<p>When using the embedded ZooKeeper server, we may choose to secure the server by using Kerberos. All nodes configured to launch an embedded ZooKeeper
-and using Kerberos should follow these steps.</p>
+<p>Note: The NiFi nodes running the embedded zookeeper server will also need to follow the below procedure since they will also be acting as a client at
+the same time.</p>
</div>
<div class="paragraph">
-<p>If Kerberos is not already setup in your environment, you can find information on installing and setting up a Kerberos Server at
-<a href="https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Managing_Smart_Cards/Configuring_a_Kerberos_5_Server.html">https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Managing_Smart_Cards/Configuring_a_Kerberos_5_Server.html</a>
-. This guide assumes that Kerberos already has been installed in the environment in which NiFi is running.</p>
+<p>The preferred mechanism for authenticating users with ZooKeeper is to use Kerberos. In order to use Kerberos to authenticate, we must configure a few
+system properties, so that the ZooKeeper client knows who the user is and where the KeyTab file is. All nodes configured to store cluster-wide state
+using <code>ZooKeeperStateProvider</code> and using Kerberos should follow these steps.</p>
</div>
<div class="paragraph">
-<p>In order to use Kerberos, we first need to generate a Kerberos Principal for our ZooKeeper server. This is accomplished via the <code>kadmin</code> tool:</p>
+<p>First, we must create the Principal that we will use when communicating with ZooKeeper. This is generally done via the <code>kadmin</code> tool:</p>
</div>
<div class="listingblock">
<div class="content">
-<pre class="highlight"><code>kadmin: addprinc "zookeeper/myHost.example.com@EXAMPLE.COM"</code></pre>
+<pre class="highlight"><code>kadmin: addprinc "nifi@EXAMPLE.COM"</code></pre>
</div>
</div>
<div class="paragraph">
-<p>Here, we are creating a Principal with the primary <code>zookeeper/myHost.example.com</code>, using the realm <code>EXAMPLE.COM</code>. We need to use a Principal whose
-name is <code><service name>/<instance name></code>. In this case, the service is <code>zookeeper</code> and the instance name is <code>myHost.example.com</code> (the fully qualified name of our host).</p>
+<p>A Kerberos Principal is made up of three parts: the primary, the instance, and the realm. Here, we are creating a Principal with the primary <code>nifi</code>,
+no instance, and the realm <code>EXAMPLE.COM</code>. The primary (<code>nifi</code>, in this case) is the identifier that will be used to identify the user when authenticating
+via Kerberos.</p>
</div>
<div class="paragraph">
-<p>Next, we will need to create a KeyTab for this Principal:</p>
+<p>After we have created our Principal, we will need to create a KeyTab for the Principal:</p>
</div>
<div class="listingblock">
<div class="content">
-<pre class="highlight"><code>kadmin: xst -k zookeeper-server.keytab zookeeper/myHost.example.com@EXAMPLE.COM</code></pre>
+<pre class="highlight"><code>kadmin: xst -k nifi.keytab nifi@EXAMPLE.COM</code></pre>
</div>
</div>
<div class="paragraph">
-<p>This will create a file in the current directory named <code>zookeeper-server.keytab</code>. We can now copy that file into the <code>$NIFI_HOME/conf/</code> directory. We should ensure
-that only the user that will be running NiFi is allowed to read this file.</p>
+<p>This keytab file can be copied to the other NiFi nodes with embedded zookeeper servers.</p>
</div>
<div class="paragraph">
-<p>We will need to repeat the above steps for each of the instances of NiFi that will be running the embedded ZooKeeper server, being sure to replace <em>myHost.example.com</em> with
-<em>myHost2.example.com</em>, or whatever fully qualified hostname the ZooKeeper server will be run on.</p>
+<p>This will create a file in the current directory named <code>nifi.keytab</code>. We can now copy that file into the <em>$NIFI_HOME/conf/</em> directory. We should ensure
+that only the user that will be running NiFi is allowed to read this file.</p>
</div>
<div class="paragraph">
-<p>Now that we have our KeyTab for each of the servers that will be running NiFi, we will need to configure NiFi’s embedded ZooKeeper server to use this configuration.
-ZooKeeper uses the Java Authentication and Authorization Service (JAAS), so we need to create a JAAS-compatible file In the <code>$NIFI_HOME/conf/</code> directory, create a file
-named <code>zookeeper-jaas.conf</code> (this file will already exist if the Client has already been configured to authenticate via Kerberos. That’s okay, just add to the file).
-We will add to this file, the following snippet:</p>
+<p>Next, we need to configure NiFi to use this KeyTab for authentication. Since ZooKeeper uses the Java Authentication and Authorization Service (JAAS), we need to
+create a JAAS-compatible file. In the <code>$NIFI_HOME/conf/</code> directory, create a file named <code>zookeeper-jaas.conf</code> and add to it the following snippet:</p>
</div>
<div class="listingblock">
<div class="content">
-<pre class="highlight"><code>Server {
+<pre class="highlight"><code>Client {
com.sun.security.auth.module.Krb5LoginModule required
useKeyTab=true
- keyTab="./conf/zookeeper-server.keytab"
+ keyTab="./conf/nifi.keytab"
storeKey=true
useTicketCache=false
- principal="zookeeper/myHost.example.com@EXAMPLE.COM";
+ principal="nifi@EXAMPLE.COM";
};</code></pre>
</div>
</div>
<div class="paragraph">
-<p>Be sure to replace the value of <em>principal</em> above with the appropriate Principal, including the fully qualified domain name of the server.</p>
-</div>
-<div class="paragraph">
-<p>Next, we need to tell NiFi to use this as our JAAS configuration. This is done by setting a JVM System Property, so we will edit the <code>conf/bootstrap.conf</code> file.
-If the Client has already been configured to use Kerberos, this is not necessary, as it was done above. Otherwise, we will add the following line to our <em>bootstrap.conf</em> file:</p>
+<p>Finally, we need to tell NiFi to use this as our JAAS configuration. This is done by setting a JVM System Property, so we will edit the <em>conf/bootstrap.conf</em> file.
+We add the following line anywhere in this file in order to tell the NiFi JVM to use this configuration:</p>
</div>
<div class="listingblock">
<div class="content">
@@ -2090,32 +2147,15 @@ If the Client has already been configure
</div>
</div>
<div class="paragraph">
-<p>We will want to initialize our Kerberos ticket by running the following command:</p>
-</div>
-<div class="listingblock">
-<div class="content">
-<pre class="highlight"><code>kinit "zookeeper/myHost.example.com@EXAMPLE.COM"</code></pre>
-</div>
-</div>
-<div class="paragraph">
-<p>Again, be sure to replace the Principal with the appropriate value, including your realm and your fully qualified hostname.</p>
-</div>
-<div class="paragraph">
-<p>Finally, we need to tell the Kerberos server to use the SASL Authentication Provider. To do this, we edit the <code>$NIFI_HOME/conf/zookeeper.properties</code> file and add the following
-lines:</p>
+<p>We can initialize our Kerberos ticket by running the following command:</p>
</div>
<div class="listingblock">
<div class="content">
-<pre class="highlight"><code>authProvider.1=org.apache.zookeeper.server.auth.SASLAuthenticationProvider
-jaasLoginRenew=3600000
-requireClientAuthScheme=sasl</code></pre>
+<pre class="highlight"><code>kinit -kt nifi.keytab nifi@EXAMPLE.COM</code></pre>
</div>
</div>
<div class="paragraph">
-<p>The last line is optional but specifies that clients MUST use Kerberos to communicate with our ZooKeeper instance.</p>
-</div>
-<div class="paragraph">
-<p>Now, we can start NiFi, and the embedded ZooKeeper server will use Kerberos as the authentication mechanism.</p>
+<p>Now, when we start NiFi, it will use Kerberos to authentication as the <code>nifi</code> user when communicating with ZooKeeper.</p>
</div>
</div>
<div class="sect3">
@@ -3290,7 +3330,7 @@ If multicast is used, the following nifi
</div>
<div id="footer">
<div id="footer-text">
-Last updated 2016-02-16 10:19:45 EST
+Last updated 2016-02-23 18:48:07 EST
</div>
</div>
</body>
Modified: nifi/site/trunk/docs/nifi-docs/html/developer-guide.html
URL: http://svn.apache.org/viewvc/nifi/site/trunk/docs/nifi-docs/html/developer-guide.html?rev=1732598&r1=1732597&r2=1732598&view=diff
==============================================================================
--- nifi/site/trunk/docs/nifi-docs/html/developer-guide.html (original)
+++ nifi/site/trunk/docs/nifi-docs/html/developer-guide.html Sat Feb 27 03:24:12 2016
@@ -1,20 +1,4 @@
-<!--
- Licensed to the Apache Software Foundation (ASF) under one or more
- contributor license agreements. See the NOTICE file distributed with
- this work for additional information regarding copyright ownership.
- The ASF licenses this file to You under the Apache License, Version 2.0
- (the "License"); you may not use this file except in compliance with
- the License. You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
- Unless required by applicable law or agreed to in writing, software
- distributed under the License is distributed on an "AS IS" BASIS,
- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- See the License for the specific language governing permissions and
- limitations under the License.
- -->
- <!DOCTYPE html>
+<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
@@ -3183,7 +3167,7 @@ worry about bothering us. Just ping the
</div>
<div id="footer">
<div id="footer-text">
-Last updated 2016-02-16 10:19:45 EST
+Last updated 2016-02-23 18:48:07 EST
</div>
</div>
</body>
Modified: nifi/site/trunk/docs/nifi-docs/html/expression-language-guide.html
URL: http://svn.apache.org/viewvc/nifi/site/trunk/docs/nifi-docs/html/expression-language-guide.html?rev=1732598&r1=1732597&r2=1732598&view=diff
==============================================================================
--- nifi/site/trunk/docs/nifi-docs/html/expression-language-guide.html (original)
+++ nifi/site/trunk/docs/nifi-docs/html/expression-language-guide.html Sat Feb 27 03:24:12 2016
@@ -1,20 +1,4 @@
-<!--
- Licensed to the Apache Software Foundation (ASF) under one or more
- contributor license agreements. See the NOTICE file distributed with
- this work for additional information regarding copyright ownership.
- The ASF licenses this file to You under the Apache License, Version 2.0
- (the "License"); you may not use this file except in compliance with
- the License. You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
- Unless required by applicable law or agreed to in writing, software
- distributed under the License is distributed on an "AS IS" BASIS,
- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- See the License for the specific language governing permissions and
- limitations under the License.
- -->
- <!DOCTYPE html>
+<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
@@ -3191,7 +3175,7 @@ an embedded Expression, though it does n
</div>
<div id="footer">
<div id="footer-text">
-Last updated 2016-02-16 10:19:45 EST
+Last updated 2016-02-23 18:48:07 EST
</div>
</div>
</body>
Modified: nifi/site/trunk/docs/nifi-docs/html/getting-started.html
URL: http://svn.apache.org/viewvc/nifi/site/trunk/docs/nifi-docs/html/getting-started.html?rev=1732598&r1=1732597&r2=1732598&view=diff
==============================================================================
--- nifi/site/trunk/docs/nifi-docs/html/getting-started.html (original)
+++ nifi/site/trunk/docs/nifi-docs/html/getting-started.html Sat Feb 27 03:24:12 2016
@@ -1,20 +1,4 @@
-<!--
- Licensed to the Apache Software Foundation (ASF) under one or more
- contributor license agreements. See the NOTICE file distributed with
- this work for additional information regarding copyright ownership.
- The ASF licenses this file to You under the Apache License, Version 2.0
- (the "License"); you may not use this file except in compliance with
- the License. You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
- Unless required by applicable law or agreed to in writing, software
- distributed under the License is distributed on an "AS IS" BASIS,
- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- See the License for the specific language governing permissions and
- limitations under the License.
- -->
- <!DOCTYPE html>
+<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
@@ -1592,7 +1576,7 @@ work back to the Apache NiFi community s
</div>
<div id="footer">
<div id="footer-text">
-Last updated 2016-02-16 10:19:45 EST
+Last updated 2016-02-23 18:48:07 EST
</div>
</div>
</body>
Modified: nifi/site/trunk/docs/nifi-docs/html/overview.html
URL: http://svn.apache.org/viewvc/nifi/site/trunk/docs/nifi-docs/html/overview.html?rev=1732598&r1=1732597&r2=1732598&view=diff
==============================================================================
--- nifi/site/trunk/docs/nifi-docs/html/overview.html (original)
+++ nifi/site/trunk/docs/nifi-docs/html/overview.html Sat Feb 27 03:24:12 2016
@@ -1,20 +1,4 @@
-<!--
- Licensed to the Apache Software Foundation (ASF) under one or more
- contributor license agreements. See the NOTICE file distributed with
- this work for additional information regarding copyright ownership.
- The ASF licenses this file to You under the Apache License, Version 2.0
- (the "License"); you may not use this file except in compliance with
- the License. You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
- Unless required by applicable law or agreed to in writing, software
- distributed under the License is distributed on an "AS IS" BASIS,
- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- See the License for the specific language governing permissions and
- limitations under the License.
- -->
- <!DOCTYPE html>
+<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
@@ -891,7 +875,7 @@ about loading, and to exchange data on s
</div>
<div id="footer">
<div id="footer-text">
-Last updated 2016-02-16 10:19:45 EST
+Last updated 2016-02-23 18:48:07 EST
</div>
</div>
</body>
Modified: nifi/site/trunk/docs/nifi-docs/html/user-guide.html
URL: http://svn.apache.org/viewvc/nifi/site/trunk/docs/nifi-docs/html/user-guide.html?rev=1732598&r1=1732597&r2=1732598&view=diff
==============================================================================
--- nifi/site/trunk/docs/nifi-docs/html/user-guide.html (original)
+++ nifi/site/trunk/docs/nifi-docs/html/user-guide.html Sat Feb 27 03:24:12 2016
@@ -1,20 +1,4 @@
-<!--
- Licensed to the Apache Software Foundation (ASF) under one or more
- contributor license agreements. See the NOTICE file distributed with
- this work for additional information regarding copyright ownership.
- The ASF licenses this file to You under the Apache License, Version 2.0
- (the "License"); you may not use this file except in compliance with
- the License. You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
- Unless required by applicable law or agreed to in writing, software
- distributed under the License is distributed on an "AS IS" BASIS,
- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- See the License for the specific language governing permissions and
- limitations under the License.
- -->
- <!DOCTYPE html>
+<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
@@ -2770,7 +2754,7 @@ lineage graph and select "Find parents"
</div>
<div id="footer">
<div id="footer-text">
-Last updated 2016-02-16 10:19:45 EST
+Last updated 2016-02-23 18:48:07 EST
</div>
</div>
</body>