Apache NiFi 1.28.1 集群 + Kerberos 认证 + 多租户模式部署
1. 系统要求
- Java 8 或 Java 11
2. 物料包准备
| 包名 | 下载地址 | 说明 |
|---|---|---|
| nifi-1.28.1-bin.zip | https://archive.apache.org/dist/nifi/1.28.1/nifi-1.28.1-bin.zip | NiFi 安装包 |
| nifi-toolkit-1.28.1-bin.zip | https://archive.apache.org/dist/nifi/1.28.1/nifi-toolkit-1.28.1-bin.zip | NiFi 工具包 |
| jdk-11.0.28_linux-x64_bin.tar.gz | https://www.oracle.com/java/technologies/downloads/ | 网站需注册登录 |
3. 集群规划
3.1 主机列表
| IP | 主机名 | 内存(GB) | CPU核数 | 磁盘 | 操作系统 | CPU 架构 |
|---|---|---|---|---|---|---|
| 10.0.0.13 | arc-pro-dc01 | 16 | 1 | 500GB | CentOS 7.9.2009 | x86_64 |
| 10.0.0.14 | arc-pro-dc02 | 16 | 1 | 500GB | CentOS 7.9.2009 | x86_64 |
| 10.0.0.15 | arc-pro-dc03 | 16 | 1 | 500GB | CentOS 7.9.2009 | x86_64 |
3.2 已安装服务
| arc-pro-dc01 | arc-pro-dc02 | arc-pro-dc03 | |
|---|---|---|---|
| Zookeeper | Zookeeper Server | Zookeeper Server | Zookeeper Server |
| Kerberos | Kerberos 客户端 | Kerberos 服务端 | Kerberos 客户端 |
说明:
- 每个服务器的 IP 均是静态的
- 每个服务器的防火墙都已关闭
- 每个服务器的 SELINUX 已经禁用
- 每个服务器均存在一个管理员用户 admin,该用户可以免密码执行 sudo 命令;
- 在 arc-pro-dc01 机器上,可以使用 admin 用户免密码 ssh 到其他机器;
- 服务器之间的时间同步;
- 所有操作均使用 admin 用户完成,NiFi 集群的所属用户为 admin;
- Kerberos 默认的 realm 为:EXAMPLE.COM
- Principal 格式为
*/admin@EXAMPLE.COM,则此主体拥有管理员权限
为使集群满足以上要求,参考下列文章进行配置:
- 使用 VMware Workstation 安装 CentOS-7 虚拟机
- 使用 Ansible 批量完成 CentOS 7 操作系统基础配置
- Ansible + Docker 部署 Zookeeper 集群
- Kerberos 安装和使用
3.3 集群规划
| arc-pro-dc01 | arc-pro-dc02 | arc-pro-dc03 | |
|---|---|---|---|
| NiFi | NiFi 服务 | NiFi 服务 | NiFi 服务 |
4. 部署步骤
4.1 上传物料包
在所有节点执行
$ sudo mkdir -p /opt/app
$ sudo chown admin:admin /opt/app# nifi-1.28.1-bin.zip、nifi-toolkit-1.28.1-bin.zip、jdk-11.0.28_linux-x64_bin.tar.gz 上传到 /opt/app 目录下$ cd /opt/app/
$ unzip nifi-1.28.1-bin.zip
$ ln -s nifi-1.28.1 nifi
$ unzip nifi-toolkit-1.28.1-bin.zip
$ tar -zxf jdk-11.0.28_linux-x64_bin.tar.gz
$ rm -f nifi-1.28.1-bin.zip nifi-toolkit-1.28.1-bin.zip jdk-11.0.28_linux-x64_bin.tar.gz$ ll | egrep 'nifi|jdk'
drwxrwxr-x 9 admin admin 126 Sep 24 14:58 jdk-11.0.28
lrwxrwxrwx 1 admin admin 11 Sep 24 14:57 nifi -> nifi-1.28.1
drwxrwxr-x 7 admin admin 131 Nov 15 2024 nifi-1.28.1
drwxr-xr-x 6 admin admin 104 Nov 15 2024 nifi-toolkit-1.28.1
4.2 准备 NiFi 专用的 JDK
在所有节点执行
$ pwd
/opt/app$ sudo mkdir -p /usr/java
# 说明:jdk 的安装包名称为 jdk-21_linux-x64_bin.tar.gz,解压后目录名中包含版本,根据下载包的时间不同,这个版本可能会不一样
$ sudo mv jdk-11.0.28 /usr/java/
$ sudo ls /usr/java/jdk-11.0.28
bin conf include jmods legal lib man README.html release$ cd /opt/app/nifi
# 在 nifi 的环境变量中定义 JAVA_HOME 为 jdk11
# 命令的作用是:在第一行下方插入一行,内容为 export JAVA_HOME=/usr/java/jdk-11.0.28
$ sed -i '1a export JAVA_HOME=\/usr\/java\/jdk-11.0.28' bin/nifi-env.sh
4.3 创建 NiFI 使用的 Principal
在 Kerberos 服务端(arc-pro-dc02)执行
# -pw 设置主体 nifi/@EXAMPLE.COM 的密码
$ sudo kadmin.local -q "addprinc -pw 123456 nifi@EXAMPLE.COM"
Authenticating as principal root/admin@EXAMPLE.COM with password.
WARNING: no policy specified for nifi@EXAMPLE.COM; defaulting to no policy
Principal "nifi@EXAMPLE.COM" created.# 创建 keytab 文件所在的目录
$ sudo mkdir -p /etc/keytab# 将主体 nifi/@EXAMPLE.COM 的信息加入 keytab 文件中
$ sudo kadmin.local -q "ktadd -norandkey -k /etc/keytab/nifi.keytab nifi@EXAMPLE.COM"
Authenticating as principal root/admin@EXAMPLE.COM with password.
Entry for principal nifi@EXAMPLE.COM with kvno 1, encryption type aes256-cts-hmac-sha1-96 added to keytab WRFILE:/etc/keytab/nifi.keytab.
Entry for principal nifi@EXAMPLE.COM with kvno 1, encryption type aes128-cts-hmac-sha1-96 added to keytab WRFILE:/etc/keytab/nifi.keytab.
Entry for principal nifi@EXAMPLE.COM with kvno 1, encryption type des3-cbc-sha1 added to keytab WRFILE:/etc/keytab/nifi.keytab.
Entry for principal nifi@EXAMPLE.COM with kvno 1, encryption type arcfour-hmac added to keytab WRFILE:/etc/keytab/nifi.keytab.
Entry for principal nifi@EXAMPLE.COM with kvno 1, encryption type camellia256-cts-cmac added to keytab WRFILE:/etc/keytab/nifi.keytab.
Entry for principal nifi@EXAMPLE.COM with kvno 1, encryption type camellia128-cts-cmac added to keytab WRFILE:/etc/keytab/nifi.keytab.
Entry for principal nifi@EXAMPLE.COM with kvno 1, encryption type des-hmac-sha1 added to keytab WRFILE:/etc/keytab/nifi.keytab.
Entry for principal nifi@EXAMPLE.COM with kvno 1, encryption type des-cbc-md5 added to keytab WRFILE:/etc/keytab/nifi.keytab.# 将 /etc/keytab/nifi.keytab 分发给其他两个节点,nifi.keytab 都放在 /etc/keytab 目录下,提前创建好目录
$ sudo scp /etc/keytab/nifi.keytab arc-pro-dc01:/etc/keytab/
$ sudo scp /etc/keytab/nifi.keytab arc-pro-dc03:/etc/keytab/
4.4 修改配置文件 /etc/krb5.conf
在所有节点同步修改
# 确保下面这行配置是注释掉的
# renew_lifetime = 7d
4.5 生成 TLS 证书
在任意节点操作一次
$ cd /opt/app/nifi-toolkit-1.28.1/
$ sed -i '1a export JAVA_HOME=\/usr\/java\/jdk-11.0.28' bin/tls-toolkit.sh$ bin/tls-toolkit.sh standalone \
--clientCertDn 'CN=NIFI, OU=NIFI' \
--hostnames 'arc-pro-dc01,arc-pro-dc02,arc-pro-dc03' \
--keyAlgorithm RSA \
--keySize 2048 \
--days 36500 \
--keyPassword keyPassword@123456 \
--keyStorePassword keyStorePassword@123456 \
--trustStorePassword trustStorePassword@123456 \
--outputDirectory ./certs# 输出
...
[main] INFO org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone - tls-toolkit standalone completed successfully$ ll certs/
total 16
drwx------ 2 admin admin 71 Sep 25 15:47 arc-pro-dc01
drwx------ 2 admin admin 71 Sep 25 15:47 arc-pro-dc02
drwx------ 2 admin admin 71 Sep 25 15:47 arc-pro-dc03
-rw------- 1 admin admin 3676 Sep 25 15:47 CN=NIFI_OU=NIFI.p12
-rw------- 1 admin admin 43 Sep 25 15:47 CN=NIFI_OU=NIFI.password
-rw------- 1 admin admin 1229 Sep 25 15:47 nifi-cert.pem
-rw------- 1 admin admin 1675 Sep 25 15:47 nifi-key.key# 分发证书和配置文件
$ cd /opt/app/nifi-toolkit-1.28.1/certs/$ scp *.p12 *.password arc-pro-dc01/* arc-pro-dc01:/opt/app/nifi-1.28.1/conf/
$ scp *.p12 *.password arc-pro-dc02/* arc-pro-dc02:/opt/app/nifi-1.28.1/conf/
$ scp *.p12 *.password arc-pro-dc03/* arc-pro-dc03:/opt/app/nifi-1.28.1/conf/
4.6 修改配置文件 state-management.xml
/opt/app/nifi-1.28.1/conf/state-management.xml 所有节点同步配置
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<stateManagement><local-provider><id>local-provider</id><class>org.apache.nifi.controller.state.providers.local.WriteAheadLocalStateProvider</class><property name="Directory">./state/local</property><property name="Always Sync">false</property><property name="Partitions">16</property><property name="Checkpoint Interval">2 mins</property></local-provider><cluster-provider><id>zk-provider</id><class>org.apache.nifi.controller.state.providers.zookeeper.ZooKeeperStateProvider</class><property name="Connect String">10.0.0.13:2181,10.0.0.14:2181,10.0.0.15:2181</property><property name="Root Node">/nifi</property><property name="Session Timeout">10 seconds</property><property name="Access Control">Open</property></cluster-provider>
</stateManagement>
4.7 修改配置文件 nifi.properties
/opt/app/nifi-1.28.1/conf/nifi.properties 所有节点同步配置,重点核对以下配置
nifi.zookeeper.connect.string=10.0.0.13:2181,10.0.0.14:2181,10.0.0.15:2181
nifi.security.user.login.identity.provider=kerberos-provider
nifi.security.user.authorizer=file-provider
nifi.cluster.is.node=true
nifi.web.proxy.context.path=/nifi
nifi.web.proxy.host=arc-pro-dc01:9443,arc-pro-dc02:9443,arc-pro-dc03:9443
nifi.sensitive.props.key=SensitivePassword@123456
# Kerberos 配置
nifi.kerberos.krb5.file=/etc/krb5.conf
# 4.3 步骤创建的 principal
nifi.kerberos.service.principal=nifi@EXAMPLE.COM
# 4.3 步骤分发的 keytab 文件
nifi.kerberos.service.keytab.location=/etc/keytab/nifi.keytab
命令替换:
$ sed -i \-e 's|^nifi.zookeeper.connect.string=.*|nifi.zookeeper.connect.string=10.0.0.13:2181,10.0.0.14:2181,10.0.0.15:2181|' \-e 's|^nifi.security.user.login.identity.provider=.*|nifi.security.user.login.identity.provider=kerberos-provider|' \-e 's|^nifi.security.user.authorizer=.*|nifi.security.user.authorizer=file-provider|' \-e 's|^nifi.cluster.is.node=.*|nifi.cluster.is.node=true|' \-e 's|^nifi.web.proxy.context.path=.*|nifi.web.proxy.context.path=/nifi|' \-e 's|^nifi.web.proxy.host=.*|nifi.web.proxy.host=arc-pro-dc01:9443,arc-pro-dc02:9443,arc-pro-dc03:9443|' \-e 's|^nifi.kerberos.krb5.file=.*|nifi.kerberos.krb5.file=/etc/krb5.conf|' \-e 's|^nifi.kerberos.service.principal=.*|nifi.kerberos.service.principal=nifi@EXAMPLE.COM|' \-e 's|^nifi.kerberos.service.keytab.location=.*|nifi.kerberos.service.keytab.location=/etc/keytab/nifi.keytab|' \-e 's|^nifi.sensitive.props.key=.*|nifi.sensitive.props.key=SensitivePassword@123456|' \/opt/app/nifi/conf/nifi.properties
4.8 修改配置文件 login-identity-providers.xml
/opt/app/nifi-1.28.1/conf/login-identity-providers.xml 所有节点同步配置
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<loginIdentityProviders><provider><identifier>single-user-provider</identifier><class>org.apache.nifi.authentication.single.user.SingleUserLoginIdentityProvider</class><property name="Username"/><property name="Password"/></provider><provider><identifier>kerberos-provider</identifier><class>org.apache.nifi.kerberos.KerberosProvider</class><property name="Default Realm">EXAMPLE.COM</property><property name="Authentication Expiration">12 hours</property></provider>
</loginIdentityProviders>
4.9 修改配置文件 authorizers.xml
/opt/app/nifi-1.28.1/conf/authorizers.xml 所有节点同步配置
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<authorizers><userGroupProvider><identifier>file-user-group-provider</identifier><class>org.apache.nifi.authorization.FileUserGroupProvider</class><property name="Users File">./conf/users.xml</property><property name="Legacy Authorized Users File"></property><property name="Initial User Identity 1"></property></userGroupProvider><accessPolicyProvider><identifier>file-access-policy-provider</identifier><class>org.apache.nifi.authorization.FileAccessPolicyProvider</class><property name="User Group Provider">file-user-group-provider</property><property name="Authorizations File">./conf/authorizations.xml</property><property name="Initial Admin Identity"></property><property name="Legacy Authorized Users File"></property><property name="Node Identity 1"></property><property name="Node Group"></property></accessPolicyProvider><authorizer><identifier>managed-authorizer</identifier><class>org.apache.nifi.authorization.StandardManagedAuthorizer</class><property name="Access Policy Provider">file-access-policy-provider</property></authorizer><authorizer><identifier>file-provider</identifier><class>org.apache.nifi.authorization.FileAuthorizer</class><property name="Authorizations File">./conf/authorizations.xml</property><property name="Users File">./conf/users.xml</property><property name="Initial Admin Identity">nifi@EXAMPLE.COM</property><property name="Legacy Authorized Users File"></property><property name="Node Identity 1">CN=arc-pro-dc01, OU=NIFI</property><property name="Node Identity 2">CN=arc-pro-dc02, OU=NIFI</property><property name="Node Identity 3">CN=arc-pro-dc03, OU=NIFI</property></authorizer><authorizer><identifier>single-user-authorizer</identifier><class>org.apache.nifi.authorization.single.user.SingleUserAuthorizer</class></authorizer>
</authorizers>
4.10 修改配置文件 bootstrap.conf(可选)
/opt/app/nifi-1.28.1/conf/bootstrap.conf 所有节点同步配置,根据服务器资源情况按需修改
# JVM memory settings
java.arg.2=-Xms1g
java.arg.3=-Xmx1g
4.11 启动 NiFI
所有节点执行
$ cd /opt/app/nifi
$ bin/nifi.sh start$ bin/nifi.sh status
2025-09-24 16:08:56,704 INFO [main] org.apache.nifi.bootstrap.Command Apache NiFi is currently running, listening to Bootstrap on port 38667, PID=98487
4.12 访问页面
访问任意节点:
- https://10.0.0.13:9443/nifi
- https://10.0.0.14:9443/nifi
- https://10.0.0.15:9443/nifi
说明:账号密码为 nifi/123456
因为在 4.3 创建 Principal 时的命令:
sudo kadmin.local -q "addprinc -pw 123456 nifi@EXAMPLE.COM"
如果创建的 Principal 是 nifi/admin@EXAMPLE.COM,则登录用户是 nifi/admin,即 Principal @EXAMPLE.COM 之前的内容。
首次登录后,显示“The Flow Controller is initializing the Data Flow.”这是因为,集群要进行选举,可能花费几分钟。
查看 logs/nifi-app.log,可以看到:集群正在投票,选举会在 289 秒内完成(确实需要这么长时间)
2025-09-25 15:08:34,330 INFO [main]
o.a.nifi.controller.StandardFlowService Requested by cluster coordinator to retry connection in 5 seconds with explanation:
Cluster is still voting on which Flow is the correct flow for the cluster.
Election will complete in 289 seconds
选举完成后,刷新页面:
5. 多租户授权简单测试
在 kerberos 服务端执行
$ sudo kadmin.local -q "addprinc -pw 123456 tom@EXAMPLE.COM"
切换用户:
/福聚苑社区/团购系统/社区团购/福聚苑/团购/社区/环境/福聚苑小区/在线团购/社区购物)
保姆级教程,云服务器安装部署,Windows内存不够允许看看)