question Re: How to display a NiFi login window for http web browser in Support Questions

How to display a NiFi login window for http web browser

ayaskant19 — Sun, 05 Mar 2017 22:37:17 GMT

Hi All,

Wanted to display the log in window for apache nifi http server. Can anyone please let me know the setting to display the log in window for http instead of https.

Re: How to display a NiFi login window for http web browser

bbende — Tue, 07 Mar 2017 05:10:21 GMT

The same question was already answered twice:

https://community.hortonworks.com/questions/87146/how-can-we-pop-up-log-in-window-asking-user-id-and.html

https://community.hortonworks.com/questions/87122/how-can-we-pop-up-the-log-in-window-while-accessin.html

To clarify you can not login over "http", only via "https". It would not be secure to send your LDAP credentials from the browser to the NiFi server over unencrypted http.

Re: How to display a NiFi login window for http web browser

MattWho — Tue, 07 Mar 2017 05:12:40 GMT

@Ayaskant Das

@Joe Petro

NiFi must be secured to run over HTTPS using a server certificates (loaded into a keystore) and a truststore before you can enable some form of user authentication. You can create your own keystore and truststore using the below procedure:

https://community.hortonworks.com/articles/17293/how-to-create-user-generated-keys-for-securing-nif.html

Note: If you are going to be using LDAP or Kerberos for user authentication, you can skip the last part of the above procedure about generating a user SSL certificate to load in your browser.

Thanks,

Matt

Re: How to display a NiFi login window for http web browser

jpetro416 — Thu, 09 Mar 2017 03:50:45 GMT

Thanks, I don't understand why NiFi wouldn't have a default login page for an admin user. It seems strange that no user login is required on http and can only be done via https. Every other HDP component has at least a basic UI login.

Re: How to display a NiFi login window for http web browser

alopresto — Thu, 09 Mar 2017 07:17:54 GMT

A default login page for an admin user served over HTTP provides the illusion of security -- security theater -- but does absolutely nothing to improve the security of the system while adding obstacles to ease of use.

Re: How to display a NiFi login window for http web browser

siddpande — Sat, 24 Nov 2018 00:37:51 GMT

That is true, but some times such an option can be good for a little access control and avoiding not seriously harmfull but unwanted activities on the server.

Re: How to display a NiFi login window for http web browser

alopresto — Wed, 28 Nov 2018 02:54:58 GMT

We fundamentally disagree on the utility and value of that feature. Providing a login page which does not secure the transmission of sensitive credentials against trivial intercept and can be bypassed easily does not provide sufficient value and leads to a number of problems:

Users will assume it is secure and not change it from the default/configure stronger login options such as LDAP/Kerberos/client certificate authentication. We make a conscious effort not to offer weak security options as defaults because many users are unaware and will not change them
Users will not be aware that the credentials can be intercepted and stolen (these credentials may be reused from other applications and pose a large threat)
Users will not be aware that the login page can be bypassed (HTTP traffic can be monitored, and any credentials or tokens (NiFi is stateless, so it does not use session identifiers) can be intercepted and reused)

For these reasons, NiFi does not offer an option for authentication or authorization controls over plaintext HTTP. HTTPS must be configured to enable those mechanisms to avoid a false sense of security and prevent user/admin complacency.

Re: How to display a NiFi login window for http web browser

jpetro416 — Thu, 29 Nov 2018 03:55:37 GMT

If that's the case, then why does Ambari have a login page without https? Sometimes it's useful to setup the login first, then add a security layer. It helps with troubleshooting and not having a login for Ambari (for example) would be confusing! So why is this any different?

Re: How to display a NiFi login window for http web browser

alopresto — Mon, 19 Aug 2019 08:37:34 GMT

@Joe P I cannot reply to your comment for some reason, so I'm putting my response here.

I do not set the security policy for Ambari or any other Apache project. Every project evaluates security differently and makes decisions to reach a balance they find acceptable.

I am only one member of the NiFi community as well, but our community has agreed on this policy for NiFi. We invite all community members and users to contribute ideas and engage in discussion on design decisions. You are welcome to request the changes you want, but I will say that the previous discussion around that obviously went in this direction and I don't see any new information in your position than was previously discussed.

Re: How to display a NiFi login window for http web browser

sriramhadoop27 — Tue, 12 Feb 2019 19:43:38 GMT

@Joe P did you set up https i.e. did you enable SSL on the server?