In this article, we will walk through integrating LDAP with NiFi Registry.

The precondition for LDAP to work with NiFi Registry is that SSL needs to be enabled. This article also covers how to enable SSL for NiFi Registry.

For the sake of simplicity, I am using self-signed certificates (JKS, using keytool). The steps for creating self-signed certificates are as follows:

Generate KeyStore

keytool -genkey -keyalg RSA -validity 3650 -alias <alias_name> -keypass <pwd> -storepass <pwd> -dname "cn=hostname, ou=home, o=ak, c=us" -keystore nifi_reg_keystore.jks 

Export a certificate with the public key

keytool -export -alias <alias_name> -file nifi_reg.cer -storepass <pwd> -keystore nifi_reg_keystore.jks

Generate TrustStore

keytool -import -noprompt -alias nr-c0 -file nifi_reg.cer -storepass changeitchangeit -keystore nifi_reg_truststore.jks

62394-cert-generation.png


Below is the NiFi Registry UI with the default HTTP and anonymous user login.

62395-default-nr-screen.png


Now we will log in to Ambari and use the certificate details generated above to complete the SSL setup. On the configuration tab, search for the SSL settings. The section to be edited is shown below:

62396-02-ssl-conf-to-edit.png

Populate the form with the details of the truststore and keystore that we generated above.

62397-03-fill-details.png

At this stage, the SSL setup for NiFi Registry is complete; however, we haven't assigned any users to log in to the UI. Either we generate a certificate for an Initial Admin, or we create an Initial Admin from the LDAP user base.

We will use an LDAP user as the Initial Admin for the NiFi Registry. The configuration for this is shown below.

There are 4 sections that need to be edited:

Configure Initial Admin

62398-initial-admin.png

Configure Security Identity Provider (nifi.registry.security.identity.provider)

62399-id-provider.png

Configure login-identity-providers.xml

  • Remove the 2 lines that say:
    • To enable the ldap-identity-provider remove 2 lines. This is 1 of 2.
    • To enable the ldap-identity-provider remove 2 lines. This is 2 of 2.
  • Fill in the details specific to your LDAP server. I am using a SIMPLE auth strategy with a non-SSL LDAP server. Below are the relevant sections from my configuration window.

62400-login-id-provider.png


Configure authorizers.xml

  • Remove the 2 lines that say:
    • To enable the ldap-user-group-provider remove 2 lines. This is 1 of 2.
    • To enable the ldap-user-group-provider remove 2 lines. This is 2 of 2.
  • Configure ldap-user-group-provider
  • Configure accessPolicyProvider

The screenshot below shows the relevant section for configuring the ldap-user-group-provider.

62403-user-group-provider.png

The screenshot below shows the configuration changes needed for the access policy provider. Set User Group Provider to ldap-user-group-provider.

62402-access-policy-provider.png
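
A pre-restart sanity check for the two files edited above, as an added example that is not part of the original article: it flags a provider that is still inside the "remove 2 lines" comment markers, a SIMPLE bind pointed at a plain ldap:// URL, and an access policy provider that references an inactive user group provider. The XML samples and hostname are constructed, the function names are hypothetical, and the property names are assumed to match the stock NiFi Registry login-identity-providers.xml and authorizers.xml.

```python
import xml.etree.ElementTree as ET

# Constructed sample: provider active, SIMPLE bind against a plain ldap:// URL.
LOGIN_XML = """<loginIdentityProviders>
  <provider>
    <identifier>ldap-identity-provider</identifier>
    <property name="Authentication Strategy">SIMPLE</property>
    <property name="Url">ldap://ldap.example.test:389</property>
  </provider>
</loginIdentityProviders>"""

# Constructed sample: the two marker lines were not removed, so the LDAP user
# group provider is still an XML comment while the policy provider points at it.
AUTHZ_XML = """<authorizers>
  <!-- To enable the ldap-user-group-provider remove 2 lines. This is 1 of 2.
  <userGroupProvider>
    <identifier>ldap-user-group-provider</identifier>
  </userGroupProvider>
  To enable the ldap-user-group-provider remove 2 lines. This is 2 of 2. -->
  <accessPolicyProvider>
    <identifier>file-access-policy-provider</identifier>
    <property name="User Group Provider">ldap-user-group-provider</property>
    <property name="Initial Admin Identity">guest1</property>
  </accessPolicyProvider>
</authorizers>"""

def props(elem):
    return {p.get("name"): (p.text or "").strip() for p in elem.findall("property")}

def check(login_xml, authz_xml):
    """Return a list of findings; an empty list means the checks passed."""
    findings = []
    # ElementTree drops comments, so a still-commented provider is simply absent.
    ldap = [p for p in ET.fromstring(login_xml).findall("provider")
            if p.findtext("identifier", "").strip() == "ldap-identity-provider"]
    if not ldap:
        findings.append("ldap-identity-provider is not active")
    for cfg in map(props, ldap):
        if (cfg.get("Authentication Strategy") == "SIMPLE"
                and cfg.get("Url", "").lower().startswith("ldap://")):
            findings.append("SIMPLE bind over ldap:// sends passwords unencrypted")
    authz = ET.fromstring(authz_xml)
    active = {u.findtext("identifier", "").strip() for u in authz.findall("userGroupProvider")}
    for cfg in map(props, authz.findall("accessPolicyProvider")):
        if cfg.get("User Group Provider") not in active:
            findings.append("User Group Provider is not an active userGroupProvider")
        if not cfg.get("Initial Admin Identity"):
            findings.append("Initial Admin Identity is empty")
    return findings
```

To use it on a real deployment, pass the text of the two rendered files to check() instead of the samples.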

At this stage, we can save all the configuration changes and restart the NiFi Registry services. Follow the Ambari prompts and you should see the following:

62404-restart-req.png

62405-restart-completed.png


Now we should be able to access the NiFi Registry UI and log in as the configured Initial Admin (guest1 in my example).

Access NiFi Registry UI from Quick Links

62406-access-reg-ui.png

Login Using the Initial Admin Credentials

62411-reg-ui.png

Verify login is successful

62408-logged-in-user.png

Verify users are available/synced

62409-available-users.png

You should be able to proceed with using the NiFi Registry from here on.
