Community Articles

Find and share helpful community-sourced technical articles.
avatar
Super Collaborator

In this article, we will have a walk through of integrating LDAP with NiFi Registry.

The precondition for LDAP to work with NiFi-Registry is that SSL need to be enabled. This article also covers the "How To" enable SSL for NiFI Registry.

For the sake of simplicity, I am using self signed certificates (JKS, using keytool). Steps for creating self signed certificates are as below :-

Generate KeyStore

keytool -genkey -keyalg RSA -validity 3650 -alias <alias_name> -keypass <pwd> -storepass <pwd> -dname "cn=hostname, ou=home, o=ak, c=us" -keystore nifi_reg_keystore.jks 

Export a certificate with the public key

keytool -export -alias <alias_name> -file nifi_reg.cer -storepass <pwd> -keystore nifi_reg_keystore.jks

Generate TrustStore

keytool -import -noprompt -alias nr-c0 -file nifi_reg.cer -storepass changeitchangeit -keystore nifi_reg_truststore.jks

62394-cert-generation.png


Below, is a representation of the NiFi Registry UI with default http and anonymous user login.

62395-default-nr-screen.png


Now we will login to Ambari and use the above generated certificate details to complete setting up SSL. On the configuration tab, search for the SSL settings. The section to be edited is as below:-

62396-02-ssl-conf-to-edit.png

Populate the form with the details of the truststore and keystore that we generated above.

62397-03-fill-details.png

At this stage, SSL setup for NiFi Registry is complete, however we have't assigned any users to login to the UI. Either we generate a certificate for an Initial Admin, or create an initial admin from the LDAP user base.

We will use an LDAP user as the Initial Admin for the NiFi Registry. The configuration information for the same is as below,

There are 4 sections that need to be edited,

Configure Initial Admin

62398-initial-admin.png

Configure Security Identity Provider (nifi.registry.security.identity.provider)

62399-id-provider.png

Configure login-identity-providers.xml

  • Remove the 2 lines that say
    • To enable the ldap-identity-provider remove 2 lines. This is 1 of 2.
    • To enable the ldap-identity-provider remove 2 lines. This is 2 of 2.
  • Fill details specific to your LDAP server. I am using a SIMPLE auth strategy with a non ssl LDAP server. Below are relevant sections from my configuration window

62400-login-id-provider.png


Configure authorizers.xml

  • Remove the 2 lines that say
    • To enable the ldap-user-group-provider remove 2 lines. This is 1 of 2.
    • To enable the ldap-user-group-provider remove 2 lines. This is 2 of 2.
  • Configure ldap-user-group-provider
  • Configure accessPolicyProvider

The below screenshot shows the relevant section for configuring the ldap-user-group-provider

62403-user-group-provider.png

Screenshot below shows the configuration changes needed to the access policy provider. Set User Group Provider to ldap-user-group-provider.

62402-access-policy-provider.png

At this stage, we are in a position to save all the configuration changes and restart the NiFI Registry services. Follow the Ambari prompts and you should see as below

62404-restart-req.png

62405-restart-completed.png


Now we should be good to access the NiFi Registry UI and login as the Initial Admin that is configured. guest1 in my example.

Access NiFi Registry UI from Quick Links

62406-access-reg-ui.png

Login Using the Initial Admin Credentials

62411-reg-ui.png

Verify login is successful

62408-logged-in-user.png

Verify users are available/sync-ed

62409-available-users.png

You should be able to proceed using the NiFi registry from here on.

6,995 Views