[ 
https://issues.apache.org/jira/browse/NIFI-5443?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16631819#comment-16631819
 ] 

Peter Wilcsinszky commented on NIFI-5443:
-----------------------------------------

Authorizers.xml is only one issue that needs to be taken care of when starting 
new nodes. Another one is the authorizations.xml, users.xml, flow.xml.gz triple, 
which is mutable config and needs special care. For example, it is problematic 
to disconnect and stop a node for a while and then add the same nodes back with 
the same content to the cluster. This is, however, typical in a Kubernetes setup 
where NiFi nodes are managed by a statefulset and have underlying persistent 
volume mounts. 

What proved to be working in this case is to start the statefulset with an 
initial cluster size that the operator considers safe and also efficient to 
serve as an all-time base for the cluster. Configure these nodes to have filled 
authorizers.xml and also to save the above mentioned mutable triple config 
(authorizations.xml, users.xml, flow.xml.gz) to persistent volume. These nodes 
are then considered the core of the cluster with persistent cluster 
configuration. The number of these nodes can be 2-3 depending on the required 
redundancy, as new nodes will require at least one of these core nodes to be 
able to join the cluster, since they will simply inherit the triple.

Then let the new nodes have an empty authorizers.xml and put the triple mutable 
config on the container's filesystem to avoid persisting it across restarts. 
Whenever a new node joins the cluster it requires access to a core node to 
inherit configuration while core nodes should always be able to stand up on 
their own. This makes adding/removing extra nodes easier.

I've seen this working well but it needs more time to prove to be a 
battle-tested setup. Also, pointing out any flaws with the above description 
would be welcome.

> Improve cluster configuration for dynamic scaling
> -------------------------------------------------
>
>                 Key: NIFI-5443
>                 URL: https://issues.apache.org/jira/browse/NIFI-5443
>             Project: Apache NiFi
>          Issue Type: Improvement
>          Components: Core Framework
>    Affects Versions: 1.7.1
>            Reporter: Andy LoPresto
>            Priority: Critical
>              Labels: cluster, docker, kubernetes, rkt, scale, security
>
> Currently, NiFi is designed for static clusters, with frequent references in 
> configuration files to a priori knowledge of node hostnames, ports, etc. 
> Efforts should be taken to make NiFi easier to dynamically scale. This can 
> involve containerization improvements via Docker/rkt, deployment improvements 
> via Kubernetes, and abstraction of the configuration values needed to stand 
> up the cluster. A node should be able to join the cluster, and, given the 
> correct keystore and truststore, immediately communicate with other existing 
> nodes in the cluster without requiring direct configuration changes to them, 
> or a restart of any node. 
> * {{authorizers.xml}}
> * node identities
> * permissions ({{RW}} on {{/proxy}})
> * ZooKeeper configuration
> * etc.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
