Configuring DC/OS access for NiFi

This topic describes how to configure DC/OS access for NiFi. Depending on your security mode, NiFi requires service authentication for access to DC/OS.

Security mode    Service Account
Disabled         Not available
Permissive       Optional
Strict           Required

If you install a service in permissive mode and do not specify a service account, Metronome and Marathon will act as if requests made by this service are made by an account with the superuser permission.

Prerequisites:

Create a Key Pair

In this step, a 2048-bit RSA public-private key pair is created using the DC/OS Enterprise CLI.

Create a public-private key pair and save each value into a separate file within the current directory.

dcos security org service-accounts keypair <private-key>.pem <public-key>.pem

NOTE: You can use the DC/OS Secret Store to secure the key pair.

Create a Service Account

From a terminal prompt, create a new service account (<service-account-id>) containing the public key (<your-public-key>.pem).

dcos security org service-accounts create -p <your-public-key>.pem -d "dcos_nifi" <service-name>

You can verify your new service account using the following command.

dcos security org service-accounts show <service-account-id>

Create a Secret

Create a secret (nifi/<secret-name>) with your service account (<service-account-id>) and private key specified (<private-key>.pem).

If you store your secret in a path that matches the service name (e.g. service name and secret path are nifi), then only the service named nifi can access it.

Permissive

dcos security secrets create-sa-secret <private-key>.pem <service-name> <service name secret>

Strict

dcos security secrets create-sa-secret --strict <private-key>.pem <service-name> <service name secret>

You can list the secrets with the following command:

dcos security secrets list /

Assign Permissions

dcos security org users grant <service name> dcos:superuser full --description "grant permission to superuser"
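
The steps above, combined into one script as an added example (not part of the DC/OS documentation). The function names, the DRY_RUN switch and the sample values are assumptions; it prints the commands by default and treats a secret path outside the service's own path as an error.

```bash
#!/usr/bin/env bash
# Added example (not from the DC/OS docs): the setup steps above as one function.
# Function names, DRY_RUN and the sample values on the last line are assumptions.

# Print the command when DRY_RUN=1 (the default), execute it when DRY_RUN=0.
run() {
  if [ "${DRY_RUN:-1}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# True only when the secret path sits under the service's own path
# (service "nifi" -> "nifi/<secret-name>"), so no other service can read it.
secret_in_service_namespace() {
  local service="${1#/}" secret="${2#/}"
  case "$secret" in
    "$service"/?*) return 0 ;;
    *) return 1 ;;
  esac
}

# Usage: nifi_sa_setup <mode> <service-name> <secret-path> <private.pem> <public.pem>
nifi_sa_setup() {
  local mode="$1" service="$2" secret="$3" priv="$4" pub="$5" strict_flag=""
  case "$mode" in
    permissive) ;;
    strict) strict_flag="--strict" ;;
    disabled) echo "service accounts are not available in disabled mode" >&2; return 2 ;;
    *) echo "unknown security mode: $mode" >&2; return 2 ;;
  esac
  # Assumption of this example: refuse a secret outside the service's path.
  if ! secret_in_service_namespace "$service" "$secret"; then
    echo "secret '$secret' is not under '$service/'" >&2
    return 3
  fi
  # $strict_flag is intentionally unquoted so it vanishes in permissive mode.
  run dcos security org service-accounts keypair "$priv" "$pub" &&
  run dcos security org service-accounts create -p "$pub" -d "dcos_nifi" "$service" &&
  run dcos security org service-accounts show "$service" &&
  run dcos security secrets create-sa-secret $strict_flag "$priv" "$service" "$secret" &&
  run dcos security secrets list / &&
  run dcos security org users grant "$service" dcos:superuser full \
    --description "grant permission to superuser"
}

# Constructed sample values; prints the plan for a strict-mode cluster.
nifi_sa_setup strict nifi nifi/sa-secret nifi-private.pem nifi-public.pem
```

Set DRY_RUN=0 to execute the commands against the cluster the DC/OS CLI is attached to.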