kevdoran

# NiFi Client
mkdir -p ~/tmp && \
echo '{ "packageName": "nifi" }' > ~/tmp/swagger-nifi-python-config.json && \
rm -rf ~/tmp/nifi-python-client && \
swagger-codegen generate \
    --lang python \
    --config swagger-nifi-python-config.json \
    --api-package apis \
    --model-package models \
    --template-dir /path/to/nipyapi/templates \

kevdoran

Here are the steps used to generate server/client TLS certs/keys for use with NiFi and NiPyAPI.

# use NiFi tls-toolkit to generate CA, server key/cert, client key/cert
./nifi-toolkit-1.4.0/bin/tls-toolkit.sh standalone --certificateAuthorityHostname localhost  --hostnames localhost --subjectAlternativeNames nifi,registry,secure-nifi,secure-registry --nifiDnSuffix ", OU=nifi" --keyStorePassword localhostKeystorePassword --trustStorePassword localhostTruststorePassword --clientCertDn "CN=user1, OU=nifi" --clientCertPassword clientPassword --days 9999 --outputDirectory nipyapi-tests
 
# change to tls-toolkit output directory
cd ./nipyapi-tests
 
# copy server's key/trust stores

mkdir keys

kevdoran

#
# to use this, run `docker-compose up` in the directory holding this gist.
# or wget/curl the file and pipe it it into `docker-compose up`
#

version: "3.5"

services:

  reverse-proxy:

kevdoran

{
  "agentInfo": {
    "identifier": "test-agent",
    "agentClass": "test-class",
    "agentManifest": {
            "buildInfo": {
                        "compiler": "/usr/bin/c++",
                        "flags": " -std=c++11 -DOPENSSL_SUPPORT",
                        "revision": "0785b32507e89ae9fa649a1df47f98f19fade4bb",
                        "timestamp": 1544732055,

kevdoran

# Example EFM Config
# One-way TLS with server authentication only (no client authentication)
# This uses a work-around by running a reverse proxy that always passes "Anonymous" as an authenticated identity
# Any client that can access the EFM server through the reverse proxy will have full access 

# Web Server TLS Properties
efm.server.ssl.enabled=true
efm.server.ssl.keyStore=./conf/keystore.jks
efm.server.ssl.keyStoreType=jks
efm.server.ssl.keyStorePassword=yourKeyStorePasswordHere

kevdoran

# Example EFM Config
# Web UI users authenticate using Knox SSO
# MiNiFi Agents authenticate using two-way TLS with client certificates

# Web Server TLS Properties
efm.server.ssl.enabled=true
efm.server.ssl.keyStore=./conf/keystore.jks
efm.server.ssl.keyStoreType=jks
efm.server.ssl.keyStorePassword=yourKeyStorePasswordHere
efm.server.ssl.keyPassword=yourKeyPasswordHere

kevdoran

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<!--
  ~ Licensed to the Apache Software Foundation (ASF) under one or more
  ~ contributor license agreements.  See the NOTICE file distributed with
  ~ this work for additional information regarding copyright ownership.
  ~ The ASF licenses this file to You under the Apache License, Version 2.0
  ~ (the "License"); you may not use this file except in compliance with
  ~ the License.  You may obtain a copy of the License at
  ~
  ~     http://www.apache.org/licenses/LICENSE-2.0

kevdoran

{
  "flowContents": {
    "identifier": "fef6cdbb-7a66-3309-b607-ed9300f32fd1",
    "instanceIdentifier": "d342db06-0180-1000-c05e-bac142fdf5de",
    "name": "Inbound Data From MiNiFi",
    "comments": "",
    "position": {
      "x": 584,
      "y": 152
    },

kevdoran

{
  "flowContents": {
    "identifier": "fef6cdbb-7a66-3309-b607-ed9300f32fd1",
    "instanceIdentifier": "d342db06-0180-1000-c05e-bac142fdf5de",
    "name": "Inbound Data From MiNiFi",
    "comments": "",
    "position": {
      "x": 584,
      "y": 152
    },

kevdoran

#!/bin/sh

set -euxo pipefail

nifi_dir='/Users/kdoran/dev/code/nifi'
version='1.21.0'
#        ^^^^^^
# MAKE SURE TO CHANGE THE VERSION ABOVE
# MAKE SURE TO CHECKOUT THE rel/nifi-${version} TAG PRIOR TO RUNNING THIS SCRIPT