Security

DC/OS NiFi Service encryption, authentication, and authorization

DC/OS NiFi Security

The DC/OS NiFi service supports DC/OS NiFi’s native transport encryption, authentication, and authorization mechanisms. The service provides automation and orchestration to simplify the usage of these important features.

Transport Encryption and Kerberos Authentication

With transport encryption enabled, DC/OS NiFi will automatically deploy all nodes with the correct configuration to encrypt communication via SSL. The nodes will communicate securely between themselves using SSL. SSL authentication requires that all DC/OS NiFi Nodes present a valid certificate from which their identity can be derived for communicating between themselves. DC/OS NiFi uses the CN of the SSL certificate as the principal for a given Node. For example, CN=nifi-0-node.demonifi, O=“Mesosphere, Inc”, L=San Francisco, ST=CA, C=US.

The service uses the DC/OS CA to generate the SSL artifacts that it uses to secure the service. Any client that trusts the DC/OS CA will consider the service’s certificates valid.

NOTE: Enabling transport encryption is required to use SSL authentication for authentication, but is optional for Kerberos authentication.

Prerequisites

  • A DC/OS Service Account with a secret stored in the DC/OS Secret Store.
  • DC/OS superuser permissions for modifying the permissions of the Service Account.

Configure Transport Encryption

NOTE: A complete guide to Configuring DC/OS Access for DC/OS NiFi can be found here.

Set up the service account

Grant the service account the correct permissions. The required permissions are:

dcos security org users grant ${SERVICE_ACCOUNT} dcos:mesos:agent:task:user:${USER} create
dcos security org users grant ${SERVICE_ACCOUNT} dcos:mesos:master:task:user:${USER} create
dcos security org users grant ${SERVICE_ACCOUNT} dcos:mesos:master:framework:role:${FOLDER_ROLE} create
dcos security org users grant ${SERVICE_ACCOUNT} dcos:mesos:master:reservation:principal:${SERVICE_ACCOUNT} delete
dcos security org users grant ${SERVICE_ACCOUNT} dcos:mesos:master:reservation:role:${FOLDER_ROLE} create
dcos security org users grant ${SERVICE_ACCOUNT} dcos:mesos:master:volume:principal:${SERVICE_ACCOUNT} delete
dcos security org users grant ${SERVICE_ACCOUNT} dcos:mesos:master:volume:role:${FOLDER_ROLE} create
dcos security org users grant ${SERVICE_ACCOUNT} dcos:secrets:default:/<service name>/* full
dcos security org users grant ${SERVICE_ACCOUNT} dcos:secrets:list:default:/<service name> read
dcos security org users grant ${SERVICE_ACCOUNT} dcos:adminrouter:ops:ca:rw full
dcos security org users grant ${SERVICE_ACCOUNT} dcos:adminrouter:ops:ca:ro full
  • In DC/OS before 2.0 FOLDER_ROLE is path for service with slashes replaced by double undescores e.g. fully__qualified__path__{$SERVICE_NAME}-role.
  • In DC/OS 2.0 and later FOLDER_ROLE is the name of the top-level group where the service is located.

Transport Encryption for Clients

With Transport Encryption enabled, service clients will need to be configured to use the DC/OS CA bundle to verify the connections they make to the service. Consult your client’s documentation for trusting a CA and configure your client appropriately.

Authentication

DC/OS NiFi supports two authentication mechanisms, SSL and Kerberos. The two are supported independently and may not be combined. If both SSL and Kerberos authentication are enabled, the service will use Kerberos authentication.

NOTE: Kerberos authentication can, however, be combined with transport encryption.

CA based authentication between nodes

DC/OS NiFi requires certificate based authentication between nodes. DC/OS NiFi uses the CN of the SSL certificate as the principal for a given Node. For example, CN=nifi-0-node.demonifi, O=“Mesosphere, Inc”, L=San Francisco, ST=CA, C=US.

Kerberos Authentication for End Users

Kerberos authentication relies on a central authority to verify that DC/OS NiFi clients are who they say they are. DC/OS NiFi integrates with your existing Kerberos infrastructure to verify the identity of clients.

Prerequisites

  • The hostname and port of a Key Distribution Center (KDC) reachable from your DC/OS cluster
  • Sufficient access to the KDC to create Kerberos principals
  • Sufficient access to the KDC to retrieve a keytab for the generated principals
  • The DC/OS Enterprise CLI
  • DC/OS Superuser permissions

Configure Kerberos Authentication

  1. Create principals. The DC/OS NiFi service requires a Kerberos principal for the service principal and user principal. Each principal must be of the form:

    nifiprincipal@<service realm>
    nifiadmin@<service realm>
    
  2. Place Service Keytab in DC/OS Secret Store. The DC/OS NiFi service uses a keytab containing the above service and user principals (service keytab). After creating the principals above, generate the service keytab, making sure to include all the node principals. The DC/OS security modules will handle decoding the file when it is used by the service.

    Create secret named nifiadmin_kerberos_secret for password of Kerberos User Principal: nifiadmin

    NOTE: Secrets access is controlled by DC/OS Spaces, which function like namespaces. Any secret in the same DC/OS Space as the service will be accessible by the service.

  3. Install the DC/OS NiFi service with the following options in addition to your own:

    {
     "service": {
      "name": "/demo/nifi",
       "security": {
       "kerberos": {
         "kdc": {
           "hostname": "kdc.marathon.autoip.dcos.thisdcos.directory",
           "port": 2500
         },
         "keytab_secret": "<keytab secret>",
         "primary": "nifi",
         "realm": "LOCAL",
         "service_principal": "nifiprincipal@LOCAL",
         "user_principal": "nifiadmin@LOCAL",
         "user_principal_keytab": "nifiadmin_kerberos_secret"
       },
       "kerberos_tls": {
         "enable": true
       }
     },
     "service_account": "dcos_nifi",
     "service_account_secret": "dcos_nifi_secret",
     "virtual_network_enabled": true,
     "virtual_network_name": "dcos"
     },
     "secrets": {"enable": true}
     }
    

Configuring DC/OS Access for DC/OS NiFi

Provisioning a service account

This section describes how to configure DC/OS access for NiFi. Depending on your security mode, NiFi may require service authentication for access to DC/OS.

A service like NiFi typically performs certain privileged actions on the cluster, which might require authenticating with the cluster. A service account associated with the service is used to authenticate with the DC/OS cluster. It is recommended to provisioning a separate service account for each service that would perform privileged operations. Service accounts authenticate using public-private keypair. The public key is used to create the service account in the cluster, while the corresponding private key is stored in the secret store. The service account and the service account secret are passed to the service as install time options.

Security mode Service Account
Disabled Not available
Permissive Optional
Strict Required

If you install a service in permissive mode and do not specify a service account, Metronome and Marathon will act as if requests made by this service are made by an account with the superuser permission.

Prerequisites:

Create a Key Pair

In this step, a 2048-bit RSA public-private key pair is created using the Enterprise DC/OS CLI.

Create a public-private key pair and save each value into a separate file within the current directory.

dcos security org service-accounts keypair <private-key>.pem <public-key>.pem

NOTE: You can use the DC/OS Secret Store to secure the key pair.

Create a Service Account

From a terminal prompt, create a new service account (for example, nifi) containing the public key (<your-public-key>.pem).

dcos security org service-accounts create -p <your-public-key>.pem -d <description> nifi

You can verify your new service account using the following command.

dcos security org service-accounts show nifi

Create a Secret

Create a secret (nifi/<secret-name>) with your service account and private key specified (<private-key>.pem).

NOTE: If you store your secret in a path that matches the service name, for example, service name and secret path are both nifi, then only the service named nifi can access it.

dcos security secrets create-sa-secret <private-key>.pem <service-account-id> nifi/<secret-name>

NOTE: If you are running, now EOL-ed, DC/OS 1.11 or older you would need to add --strict to the above command. For example, dcos security secrets --strict create-sa-secret .pem nifi/sa-secret .

You can list the secrets with this command:

dcos security secrets list /

Create and Assign Permissions

Use the following DC/OS CLI commands to rapidly provision the NiFi service account with the required permissions.

  1. Create the permission.

IMPORTANT: The value to be used for <service-role> will be based on the service name, package version and DC/OS version. The table below shows a few examples of service names and the corresponding Mesos roles they would use. This version of nifi is quota support built in. To determine whether the service group, you are deploying a service to, has enforceRole set to true or false please check this KB article.

If you need help configuring the permissions for nifi, please feel to reach out to D2iQ support by filing a support ticket. Replace the instances of <service-role> with the correct name (<name>-role).

Service name <service-role>
DC/OS 1.13 or older
DC/OS 2.0 or newer AND enforceRole=false
<service-role>
DC/OS 2.0 or newer AND enforceRole=true
/nifi nifi-role nifi-role
/nifi-prod nifi-prod-role nifi-prod-role
/team01/nifi team01__nifi-role team01
/team01/prod/nifi team01__prod__nifi-role team01

Permissive

Run these commands with the service account name you created for the service in the Create a Service Account step above. For example we are using nifi

dcos security org users grant nifi dcos:mesos:master:framework:role:<service-role> create --description "Allow registering as a framework of role <service-role> with Mesos master"
dcos security org users grant nifi dcos:mesos:master:reservation:role:<service-role> create --description "Allow creating Mesos resource reservations of role <service-role>"
dcos security org users grant nifi dcos:mesos:master:volume:role:<service-role> create --description "Allow creating Mesos persistent volumes of role <service-role>"
dcos security org users grant nifi dcos:mesos:master:reservation:principal:nifi delete --description "Allow unreserving Mesos resource reservations with principal nifi"
dcos security org users grant nifi dcos:mesos:master:volume:principal:nifi delete --description "Allow deleting Mesos persistent volumes with principal nifi"

Strict

Run these commands with the service account name you created for the service in the Create a Service Account step above. For example we are using nifi

dcos security org users grant nifi dcos:mesos:master:task:user:nobody create --description "Allow running a task as linux user nobody"
dcos security org users grant nifi dcos:mesos:master:framework:role:<service-role> create --description "Allow registering as a framework of role <service-role> with Mesos master"
dcos security org users grant nifi dcos:mesos:master:reservation:role:<service-role> create --description "Allow creating Mesos resource reservations of role <service-role>"
dcos security org users grant nifi dcos:mesos:master:volume:role:<service-role> create --description "Allow creating Mesos persistent volumes of role <service-role>"
dcos security org users grant nifi dcos:mesos:master:reservation:principal:nifi delete --description "Allow unreserving Mesos resource reservations with principal nifi"
dcos security org users grant nifi dcos:mesos:master:volume:principal:nifi delete --description "Allow deleting Mesos persistent volumes with principal nifi"