Cloudera Community

Support Questions

Find answers, ask questions, and share your expertise
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Advanced Search
Solved Go to solution

Apache NiFi Integration with LDAP and Authentication via Groups

Labels:
avatar
author-rank nikhil1
Explorer

Created ‎03-20-2017 07:34 AM

LDAP has been successfully integrated with Apache NiFi 1.1.2, however the main question is, how do we specify permissions based on groups rather than users?

Setting Initial Admin Identity to as : cn=userA,ou=xyz,dc=xyz,dc=xyz

Lets say there is groupA (posix group) and groupB (normal group) in the LDAP Directory and userA and userB.

userA is the default admin so it already has access to NiFi. How do we provide access to userB based on groups rather than adding the user manually in NiFi first?

Created groupA and groupB in NiFi and added all policies necessary.

1) When NiFi checks in LDAP, does it validate against the posix group in LDAP or just the normal group?

2) Tried using both USE_DN and USE_USERNAME in the Identity Strategy but it still says no permissions for userB.

3) Added userB within NiFi and linked it to the above NiFi groups and now login to NiFi works with the password available within LDAP.

How can we configure NiFi to allow different permissions to different LDAP Groups and without adding the users within LDAP into NiFi ?

4,996 Views
0 Kudos
0
1 ACCEPTED SOLUTION

avatar
author-rank pvillard author-rank
Guru

Created ‎03-20-2017 08:06 AM

Hi @Nikhil Chaudhary,

At the moment, LDAP-group based policies is not possible, this is something we are working on and should be available in a short future. In the meantime, you need to add the users in NiFi and then add the users to the groups in NiFi to have group based policies. At the moment, LDAP is just here to authenticate the users with a login and password, authorizations are only enforced using the username (and group memberships from NiFi only).

Hope this helps.

View solution in original post

4,115 Views
0
5 REPLIES 5

avatar
author-rank pvillard author-rank
Guru

Created ‎03-20-2017 08:06 AM

Hi @Nikhil Chaudhary,

At the moment, LDAP-group based policies is not possible, this is something we are working on and should be available in a short future. In the meantime, you need to add the users in NiFi and then add the users to the groups in NiFi to have group based policies. At the moment, LDAP is just here to authenticate the users with a login and password, authorizations are only enforced using the username (and group memberships from NiFi only).

Hope this helps.

4,116 Views
0

avatar
author-rank nikhil1
Explorer

Created ‎03-21-2017 03:13 AM

Hello @Pierre Villard

Thank you for the answer. Definitely helps.

4,115 Views
0 Kudos

avatar
author-rank martin_voigt
New Contributor

Created ‎09-06-2017 12:48 PM

Hi @Pierre Villard

is there an update on this feature request?

Thanks, Martin

4,115 Views
0 Kudos

avatar
author-rank dchaffey
Guru

Created ‎03-22-2018 09:01 AM

UPDATE: Note that this feature was introduced in NiFi-1.5.0 / HDF-3.1 and is now GA.

https://docs.hortonworks.com/HDPDocuments/HDF3/HDF-3.1.1/bk_security/content/ch05s04.html

4,115 Views
0 Kudos

avatar
author-rank fernandodini_re
New Contributor

Created ‎12-12-2017 05:14 PM

Hi @Pierre Villard

Do you have any update on this issue? We really need to autheticate using groups instead of users.

Thanks, Dini.

,

Hi @Pierre Villard

Do you have any update on this issue? I really need to use groups to authenticate through LDAP..

Tks.

4,115 Views
0 Kudos
Announcements
What's New @ Cloudera
[RELEASED] Cloudera Streaming Analytics - Kubernetes Operato...
What's New @ Cloudera
[RELEASED] Cloudera Streams Messaging - Kubernetes Operator ...
Community Announcements
February 2025 Community Highlights
What's New @ Cloudera
3 Benefits of External IDE Connectivity, Now Available in Cl...
What's New @ Cloudera
Performance comparison of Spark3 on YARN with S3 Standard VS...
View More Announcements