Apache NiFi Integration with LDAP and Authentication via Groups

LDAP has been successfully integrated with Apache NiFi 1.1.2, however the main question is, how do we specify permissions based on groups rather than users?

Setting Initial Admin Identity as: cn=userA,ou=xyz,dc=xyz,dc=xyz

Let's say there is groupA (posix group) and groupB (normal group) in the LDAP Directory and userA and userB.

userA is the default admin so it already has access to NiFi. How do we provide access to userB based on groups rather than adding the user manually in NiFi first?

Created groupA and groupB in NiFi and added all policies necessary.

1) When NiFi checks in LDAP, does it validate against the posix group in LDAP or just the normal group?

2) Tried using both USE_DN and USE_USERNAME in the Identity Strategy but it still says no permissions for userB.

3) Added userB within NiFi and linked it to the above NiFi groups and now login to NiFi works with the password available within LDAP.

How can we configure NiFi to allow different permissions to different LDAP Groups and without adding the users within LDAP into NiFi?

1 ACCEPTED SOLUTION

Hi @Nikhil Chaudhary,

At the moment, LDAP-group-based policies are not possible; this is something we are working on, and it should be available in the near future. In the meantime, you need to add the users in NiFi and then add the users to the groups in NiFi to have group-based policies. At the moment, LDAP is just here to authenticate the users with a login and password; authorizations are only enforced using the username (and group memberships from NiFi only).

Hope this helps.

Hello @Pierre Villard

Thank you for the answer. Definitely helps.

Hi @Pierre Villard

Is there an update on this feature request?

Thanks, Martin

UPDATE: Note that this feature was introduced in NiFi-1.5.0 / HDF-3.1 and is now GA.

https://docs.hortonworks.com/HDPDocuments/HDF3/HDF-3.1.1/bk_security/content/ch05s04.html

Hi @Pierre Villard

Do you have any update on this issue? We really need to authenticate using groups instead of users.

Thanks, Dini.

Hi @Pierre Villard

Do you have any update on this issue? I really need to use groups to authenticate through LDAP.

Tks.