
I am trying to use Docker Compose for NiFi and NiFi Registry secure instances. My compose has NIFI_REGISTRY_WEB_HTTPS_PORT=18443 and other security properties. Similarly, NiFi also has properties.

The NiFi container is considering the env variables and working as expected. But NiFi Registry is not considering the environment variables. It is running on the default HTTP port only, even though I specify the HTTPS port.

Here is my compose.


version: "3.7"
services:
# version control for nifi flows
    registry:
        hostname: DWH_Nifi_registry
        container_name: nifi_registry_container_persistent
        image: 'apache/nifi-registry:1.22.0'  # latest image as of 2023-June.
        restart: on-failure
        user: root
        ports:
            - '18443:18443'
        environment:
            - NIFI_REGISTRY_WEB_HTTPS_PORT=18443
            - NIFI_REGISTRY_SECURITY_KEYSTORE=/opt/certs/keystore.jks
            - NIFI_REGISTRY_SECURITY_KEYSTORETYPE=JKS
            - NIFI_REGISTRY_SECURITY_KEYSTOREPASSWD=IN7D
            - NIFI_REGISTRY_SECURITY_KEYPASSWD=IN7D
            - NIFI_REGISTRY_SECURITY_TRUSTSTORE=/opt/certs/truststore.jks
            - NIFI_REGISTRY_SECURITY_TRUSTSTORETYPE=JKS
            - NIFI_REGISTRY_SECURITY_TRUSTSTOREPASSWD=u9PZ
            - LOG_LEVEL=INFO
            - NIFI_REGISTRY_DB_DIR=/opt/nifi-registry/nifi-registry-current/database
            - NIFI_REGISTRY_FLOW_PROVIDER=file
            - NIFI_REGISTRY_FLOW_STORAGE_DIR=/opt/nifi-registry/nifi-registry-current/flow_storage
        volumes:
            - ./nifi_registry/database:/opt/nifi-registry/nifi-registry-current/database
            - ./nifi_registry/flow_storage:/opt/nifi-registry/nifi-registry-current/flow_storage
            - ./nifi-toolkit-1.22.0/certs/localhost/keystore.jks:/opt/certs/keystore.jks
            - ./nifi-toolkit-1.22.0/certs/localhost/truststore.jks:/opt/certs/truststore.jks
        networks:
            - nifi_persistent_network
# data extraction, transformation and load service
    nifi:
        hostname: DWH_Nifi_prod
        container_name: nifi_container_persistent
        image: 'apache/nifi:1.19.0'  # latest image as of 2023-June.
        restart: on-failure
        user: root
        ports:
            - '8443:8443'
        environment:
            - NIFI_WEB_HTTPS_PORT=8443
            - NIFI_CLUSTER_IS_NODE=false
            - SINGLE_USER_CREDENTIALS_USERNAME=admin
            - SINGLE_USER_CREDENTIALS_PASSWORD=random??
            - AUTH=tls
            - NIFI_CLUSTER_NODE_PROTOCOL_PORT=8082
            - NIFI_ELECTION_MAX_WAIT=30 sec
            - NIFI_SENSITIVE_PROPS_KEY='1234567890'
            - KEYSTORE_PATH=/opt/certs/keystore.jks
            - KEYSTORE_TYPE=JKS
            - KEYSTORE_PASSWORD=IN7D
            - TRUSTSTORE_PATH=/opt/certs/truststore.jks
            - TRUSTSTORE_TYPE=JKS
            - TRUSTSTORE_PASSWORD=u9PZi
            - NIFI_SECURITY_USER_AUTHORIZER=single-user-authorizer
            - NIFI_SECURITY_USER_LOGIN_IDENTITY_PROVIDER=single-user-provider
        healthcheck:
            test: "${DOCKER_HEALTHCHECK_TEST:-curl localhost:8443/nifi/}"
            interval: "60s"
            timeout: "3s"
            start_period: "5s"
            retries: 5
        volumes:
            - ./nifi/database_repository:/opt/nifi/nifi-current/database_repository
            - ./nifi/flowfile_repository:/opt/nifi/nifi-current/flowfile_repository
            - ./nifi/content_repository:/opt/nifi/nifi-current/content_repository
            - ./nifi/provenance_repository:/opt/nifi/nifi-current/provenance_repository
            - ./nifi/state:/opt/nifi/nifi-current/state
            - ./nifi/logs:/opt/nifi/nifi-current/logs
            - ./nifi-toolkit-1.22.0/certs/localhost/keystore.jks:/opt/certs/keystore.jks
            - ./nifi-toolkit-1.22.0/certs/localhost/truststore.jks:/opt/certs/truststore.jks
            # uncomment the next line after copying the /conf directory from the container to your local directory to persist NiFi flows
            - ./nifi/conf:/opt/nifi/nifi-current/conf
        networks:
            - nifi_persistent_network
networks:
  nifi_persistent_network:
    driver: bridge

Once docker compose is up, the NiFi instance is running on secure port 8443 and I can validate the properties being used in the nifi.properties file by exec'ing into the Docker container.

Coming to the NiFi Registry instance, it is still using the default 18080 port and not the one I mentioned in compose. I checked the container's conf/nifi-registry.properties; nothing got populated for the variables mentioned in the docker-compose environment. When I try to check if at least the environment variable is set, it's positive.

echo $NIFI_REGISTRY_WEB_HTTPS_PORT
18443

Can someone please help me understand what is going wrong with NiFi Registry?

santhosh

1 Answer


According to the documentation:

https://nifi.apache.org/docs/nifi-registry-docs/html/administration-guide.html#security_configuration

It is important when enabling HTTPS that the nifi.registry.web.http.port property be unset.

So you have to set NIFI_REGISTRY_WEB_HTTP_PORT= to disable HTTP; then HTTPS will be enabled.

daggett
Thanks @daggett, I tried this but still the Docker env variables were not considered. So I added a new env variable called AUTH=tls and it started picking up the secure variables. Now I run into a different issue: can we use the same certificates for NiFi and NiFi Registry? As I configured the same for both services, one (NiFi) is working properly but the other (NiFi Registry) complains "An error occurred during a connection to localhost:18443. SSL peer cannot verify your certificate." Any clue here? Or it would be very helpful if you could share your docker compose for secure NiFi and NiFi Registry. – santhosh Jun 23 '23 at 15:24
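As an added check (not code from the question or the answer), the following script verifies the rule the answer quotes from the documentation against a copy of the container's nifi-registry.properties: the HTTPS port must be populated, the HTTP port must be empty, and a keystore must be set. It assumes the property keys nifi.registry.web.https.port and nifi.registry.security.keystore alongside the documented nifi.registry.web.http.port, and embeds two constructed sample files that mimic the "still on 18080" and "HTTPS on 18443" states described above.

```shell
#!/bin/sh
# Added example: check whether NiFi Registry's properties file ended up
# HTTPS-only, as the documentation requires when HTTPS is enabled.
# Against the running container from the compose file above, run e.g.:
#   docker exec nifi_registry_container_persistent \
#     cat /opt/nifi-registry/nifi-registry-current/conf/nifi-registry.properties \
#     > registry.properties && check_registry_https registry.properties

# prop_value FILE KEY -> prints KEY's value (empty if unset or missing).
# The key is used unescaped in the regex, which is fine for these dotted keys.
prop_value() {
    grep -E "^${2}=" "$1" | head -n 1 | cut -d= -f2- | tr -d '[:space:]'
}

# check_registry_https FILE -> returns 0 when HTTPS-only, 1 otherwise.
check_registry_https() {
    http_port=$(prop_value "$1" 'nifi.registry.web.http.port')
    https_port=$(prop_value "$1" 'nifi.registry.web.https.port')
    keystore=$(prop_value "$1" 'nifi.registry.security.keystore')
    if [ -z "$https_port" ]; then
        echo "FAIL: nifi.registry.web.https.port is empty (env vars not applied)"
        return 1
    fi
    if [ -n "$http_port" ]; then
        echo "FAIL: nifi.registry.web.http.port=$http_port must be unset for HTTPS"
        return 1
    fi
    if [ -z "$keystore" ]; then
        echo "FAIL: nifi.registry.security.keystore is empty"
        return 1
    fi
    echo "OK: registry listens on HTTPS port $https_port only"
    return 0
}

# Constructed sample files (not taken from a real container).
cat > /tmp/registry_default.properties <<'EOF'
nifi.registry.web.http.port=18080
nifi.registry.web.https.port=
nifi.registry.security.keystore=
EOF
cat > /tmp/registry_secure.properties <<'EOF'
nifi.registry.web.http.port=
nifi.registry.web.https.port=18443
nifi.registry.security.keystore=/opt/certs/keystore.jks
EOF

check_registry_https /tmp/registry_default.properties   # prints FAIL ...
check_registry_https /tmp/registry_secure.properties    # prints OK ...
```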