question Re: Securing Apache Nifi 2.0.0-M2 and configure HTTPS in Support Questions

Securing Apache Nifi 2.0.0-M2 and configure HTTPS

darkcoffeelake — Tue, 19 Mar 2024 13:28:08 GMT

Hey everyone, I was surfing the web since this morning looking for a way/guide/tutorial on how to secure Nifi so I can connect via https and not http but couldn't find anything that was compatible with the 2.0.0-M2 version.

I am new to Nifi and i just want to secure my access to it.

most of the guides i've stumbled upon use the nifi-toolkit with the command

./bin/tls-toolkit.sh standalone -C "CN=my_username, OU=NiFi"

to generate and sign the client certificate for the access, alongside some tweaks in the nifi.properties file.
but in the toolkit version of nifi-2.0.0-M2, there is no file called tls-toolkit.sh
so im kinda lost here as there is only :

and according to the documentations with these scripts i didnt know how to secure nifi with the standalone method.

could someone please help provide some insights on how to secure nifi with https?
thanks

Re: Securing Apache Nifi 2.0.0-M2 and configure HTTPS

DianaTorres — Tue, 19 Mar 2024 18:24:22 GMT

@darkcoffeelake Welcome to the Cloudera Community!

To help you get the best possible solution, I have tagged our NiFi experts @mburgess @MattWho who may be able to assist you further.

Please keep us updated on your post, and we hope you find a satisfactory solution to your query.

Re: Securing Apache Nifi 2.0.0-M2 and configure HTTPS

MattWho — Wed, 20 Mar 2024 19:52:11 GMT

@darkcoffeelake

NiFi out-of-the-box setup generates simply keystore and truststore automatically and set the login provider to single-user-provider and authorizer to single-user-authorizer. This out-of-the-box setup is simplifies secured access for evaluation of NiFi. It is not a production ready setup in that it does not support multi-user authentication, granular access controls, or NiFi cluster setups.

There are bunch of steps that go into securing Apache NiFi for production ready environments. Securing NiFi not only sets up NiFi over an HTTPS connection, but also requires that user authentication and authorization is setup.

NiFi will require a keystore and truststore which youcan create yourself or use publicly available service to create them for you (example would be tinycert). The keystore created for you NiFi must meet the following requirements for NiFi:

Contains only 1 PrivateKey entry.
Does not use wildcards in the DN of PrivateKey certificate.
Has both clientAuth and serverAuth Extended key Usage (EKU)
Has SubjectAlternativeNames (SAN) entry(s) matching NiFi hostname and any other name that may be used to access the NiFi.

The truststore needs to contain the complete trust chain for your NiFi keystore certficate. A certifcate might be self signed (meaning both issuer and signer are same DN), it may be signed by an intermediate CA, or rootCA. If signed by an intermeidiate CA, your truststore would need to have the trustedCertEntry (public key) for the intermediate CA (intermediate CA is any CA where signer and issuer are different DNs) and the trusted certEntry for that signer and so until you reach the root CA in the chain (root CA will have same signer and issuer DN).

Once you have your certificates, you'll need to decide how your users are going to authenticate with NiFi. NiFi does not have a embedded provider that supports multi-user authentication. Here is what is available to choose from:

User Authentication

LDAP and Kerberos are probably the most commonly used.

Once you have decided how you are going to authenticate your users, you'll need to setup authorization for those users. here are your options here:

Multi-Tenant Authorization

The simplest authorizers.xml setup would utilize the StandardManagedAuthorizer, FileAccessPolicyProvider, and FileUserGroupProvider.
a sample configuration can be seen here:
https://nifi.apache.org/documentation/nifi-2.0.0-M1/html/administration-guide.html#file-based-ldap-authentication

If setup correctly, on first startup, the above authorizers.xml will generate and seed the users.xml and authorizations.xml file so that your initial admin user (a ldap user or kerberos user for example) with the necessary authorization policies to access the NiFi UI. From the NiFi UI, that initial admin user can setup additional user identity authorizations.

If you found any of the suggestions/solutions provided helped you with your issue, please take a moment to login and click "Accept as Solution" on one or more of them that helped.

Thank you,
Matt

Re: Securing Apache Nifi 2.0.0-M2 and configure HTTPS

Dataengineer1 — Mon, 25 Mar 2024 08:52:31 GMT

Hi @MattWho

Thank you for your answer.

Can you make a video for setup an instance of Nifi with a self signed Domain?

Re: Securing Apache Nifi 2.0.0-M2 and configure HTTPS

saquibsk — Mon, 25 Mar 2024 11:12:11 GMT

Hello @Dataengineer1 ,

Even I was looking for similar sort of solution, latest version seems different from the older one. New toolkit does not have the standalone command to generate the certificate.

Check below video might help you. ( This is old vlog)

https://www.youtube.com/watch?v=LanpbWR7Gv8

Re: Securing Apache Nifi 2.0.0-M2 and configure HTTPS

Dataengineer1 — Mon, 25 Mar 2024 11:29:23 GMT

Hi @saquibsk

Thank for your reply.

For generating these keys. I used the toolkit: https:// www.apache.org/dyn/closer.lua?path=/nifi/1.25.0/nifi-toolkit-1.25.0-bin.zip

Re: Securing Apache Nifi 2.0.0-M2 and configure HTTPS

saquibsk — Mon, 25 Mar 2024 11:39:36 GMT

Hi @Dataengineer1,

Did you get a chance to impliment it?

Try below to impliment it. If worked please create document and upload in community to help others 🙂

https://www.youtube.com/watch?v=j-JXo3xPxOk

Re: Securing Apache Nifi 2.0.0-M2 and configure HTTPS

saquibsk — Mon, 01 Apr 2024 07:30:37 GMT

Hi @Dataengineer1 ,

Did you get a chance to implement it? Would you kindly share the resolution if it is done?

Re: Securing Apache Nifi 2.0.0-M2 and configure HTTPS

DianaTorres — Mon, 08 Apr 2024 15:43:44 GMT

@darkcoffeelake Has the reply helped resolve your issue? If so, please mark the appropriate reply as the solution, as it will make it easier for others to find the answer in the future. Thanks.