Role Detail

chilcano.apache-nifi-toolkit

An Ansible Role that installs Apache NiFi Toolkit and and runs commands to get x.509, Java KeyStore, TrustStore required to configure NiFi securely.
Downloads
24
Type Ansible
Minimum Ansible Version 2.0
Installation $ ansible-galaxy install chilcano.apache-nifi-toolkit
Tags
bigdata
certificate
dataflow
datamediation
datarouting
eip
iot
nifi
security
ssl
system
tls
Last Commit
Last Imported
OS Platforms
Platform Version
Debian etch
Debian jessie
Debian lenny
Debian sid
Debian squeeze
Debian stretch
Debian wheezy
EL 6
EL 7
Fedora 16
Fedora 17
Fedora 18
Fedora 19
Fedora 20
Fedora 21
Fedora 22
Fedora 23
Fedora 24
Fedora 25
Fedora 26
Ubuntu artful
Ubuntu lucid
Ubuntu maverick
Ubuntu natty
Ubuntu oneiric
Ubuntu precise
Ubuntu quantal
Ubuntu raring
Ubuntu saucy
Ubuntu trusty
Ubuntu utopic
Ubuntu vivid
Ubuntu wily
Ubuntu xenial
Ubuntu yakkety
Ubuntu zesty
Last 10 Imports
Completed Status
SUCCESS
SUCCESS
SUCCESS
SUCCESS
SUCCESS
SUCCESS

Ansible Role: apache-nifi-toolkit

An Ansible Role that installs, configures Apache NiFi Toolkit and runs commands to get X.509 and NiFi configuration files. The Apache NiFi Toolkit is a tool to facilitate the secure setup of NiFi, in other words, this toolkit generates the NiFi configuration and X.509 Certificates, Java Key Store and Java Trust Store required for a secure configuration of NiFi. Further information can be found here: https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#tls-generation-toolkit

This Role provides the following features:

  • Installs Apache NiFi Toolkit.
  • Performs Apache NiFi Toolkit commands. The standalone is the unique NiFi TLS Toolkit Service implemented.
  • Synchronizes (remote to local host) and keeps in an unique place all generated NiFi's configuration, X.509 Certificates and Java KeyStore and Java Trust Store files.

Requirements

  • Java.

Role Variables

Default variables are in defaults/main.yml.

Dependencies

This Ansible Role has not dependencies, although NiFi Toolkit requires Java. To install Java I will use the (geerlingguy.java)[https://github.com/geerlingguy/ansible-role-java] role but with a few changes to install Oracle Java 8 in Debian. You have these changes available from my fork at (chilcano.java / branch oracle-java-debian)[https://github.com/chilcano/ansible-role-java/tree/oracle-java-debian]. Just clone that branch.

But if you are going to use the Apache NiFi Toolkit in Ubuntu or CentOS, you will not need the above changes. Just download the geerlingguy.java as below, or install manually Java 7 or 8 in your box:

$ sudo ansible-galaxy install geerlingguy.java

Example Playbook

---
- hosts: nftk1
  become: yes
  vars_files:
    - vars.yml
  roles:
    - role: ../../playbooks/roles/ansible-role-java
      java_packages:
        - oracle-java8-installer
        - ca-certificates
        - oracle-java8-set-default
      java_cleanup: false
      java_home: "/usr/lib/jvm/java-8-oracle"

    - role: chilcano.apache-nifi-toolkit
      nftk:
        version: "1.2.0"
        packaging_bin: "tar.gz"
        packaging_src: "zip"
        action:
          clean:
            installation: false
            repository: false
            dependencies: false
          install: true
          run_cmd: true
          sync: true
        download:
          http_uri: "http://mirror.ox.ac.uk/sites/rsync.apache.org"
      nftk_run:
        cmd: "standalone -n 'nf1.intix.info' --nifiDnSuffix ',OU=INTIX' -C 'CN=chilcano, OU=INTIX' -O -c 'nftk1_ca'"
        clientpasswd: "demo00a"
        keypasswd: "demo00b"
        truststorepasswd: "demo00c"
        keystorepasswd: "demo00d"
      nftk_cfg.dir_repo: "nftk_repo"
      nftk_sync_dir_local: "/Users/Chilcano/1github-repo/binaries"

The inventory file contains:

[nifitks]
nftk1

nftk1 ansible_host=192.168.77.4

[nifitks:vars]
ansible_user=vagrant
ansible_ssh_private_key_file="/Users/Chilcano/.vagrant.d/insecure_private_key"

This Ansible Playbook will install Oracle Java, install Apache NiFi Toolkit and perform this command $ ./bin/tls-toolkit.sh standalone -n 'nf1.intix.info' --nifiDnSuffix ',OU=INTIX' -C 'CN=chilcano, OU=INTIX' -O -c 'nftk1_ca'. All Keys, Certs and Configs will be created in $NIFI_TOOLKIT_HOME/nftk_repo and will be synced to localhost under this directory /Users/Chilcano/1github-repo/binaries. The /Users/Chilcano/1github-repo/binaries directory needs to be created before. Being synced allow us to get easily and use all files required to configure NiFi securely, one or many times, standalone or cluster.

The final folder structure with Keys, Certificates and configuration files will be as shown below:

Apache NiFi Toolkit - folder structure and files generated

Updated

  • Now the Role copy binary/installer from local filesystem, if it doesn't exist, then try to download from URL. Finally downloaded binary will be copied to local filesystem to be reused.

License

MIT / BSD

Author Information

This role was created in 2017 by Roger Carhuatocto, author of HolisticSecurity.io Blog.

None