question Apache NiFi Integration with LDAP and Authentication via Groups in Support Questions

Apache NiFi Integration with LDAP and Authentication via Groups

nikhil1 — Mon, 20 Mar 2017 14:34:42 GMT

LDAP has been successfully integrated with Apache NiFi 1.1.2, however the main question is, how do we specify permissions based on groups rather than users?

Setting Initial Admin Identity to as : cn=userA,ou=xyz,dc=xyz,dc=xyz

Lets say there is groupA (posix group) and groupB (normal group) in the LDAP Directory and userA and userB.

userA is the default admin so it already has access to NiFi. How do we provide access to userB based on groups rather than adding the user manually in NiFi first?

Created groupA and groupB in NiFi and added all policies necessary.

1) When NiFi checks in LDAP, does it validate against the posix group in LDAP or just the normal group?

2) Tried using both USE_DN and USE_USERNAME in the Identity Strategy but it still says no permissions for userB.

3) Added userB within NiFi and linked it to the above NiFi groups and now login to NiFi works with the password available within LDAP.

How can we configure NiFi to allow different permissions to different LDAP Groups and without adding the users within LDAP into NiFi ?

Re: Apache NiFi Integration with LDAP and Authentication via Groups

pvillard — Mon, 20 Mar 2017 15:06:55 GMT

Hi @Nikhil Chaudhary,

At the moment, LDAP-group based policies is not possible, this is something we are working on and should be available in a short future. In the meantime, you need to add the users in NiFi and then add the users to the groups in NiFi to have group based policies. At the moment, LDAP is just here to authenticate the users with a login and password, authorizations are only enforced using the username (and group memberships from NiFi only).

Hope this helps.