Created 03-20-2017 07:34 AM
LDAP has been successfully integrated with Apache NiFi 1.1.2, however the main question is, how do we specify permissions based on groups rather than users?
Initial Admin Identity is set to: cn=userA,ou=xyz,dc=xyz,dc=xyz
Let's say there is groupA (posix group) and groupB (normal group) in the LDAP Directory and userA and userB.
userA is the default admin so it already has access to NiFi. How do we provide access to userB based on groups rather than adding the user manually in NiFi first?
Created groupA and groupB in NiFi and added all policies necessary.
1) When NiFi checks in LDAP, does it validate against the posix group in LDAP or just the normal group?
2) Tried using both USE_DN and USE_USERNAME in the Identity Strategy but it still says no permissions for userB.
3) Added userB within NiFi and linked it to the above NiFi groups and now login to NiFi works with the password available within LDAP.
How can we configure NiFi to allow different permissions to different LDAP groups without adding the LDAP users into NiFi?
Created 03-20-2017 08:06 AM
At the moment, LDAP-group-based policies are not possible; this is something we are working on and it should be available in the near future. In the meantime, you need to add the users in NiFi and then add the users to the groups in NiFi to have group-based policies. At the moment, LDAP is just here to authenticate the users with a login and password; authorizations are only enforced using the username (and group memberships from NiFi only).
Hope this helps.
Created 03-21-2017 03:13 AM
Hello @Pierre Villard
Thank you for the answer. Definitely helps.
Created 09-06-2017 12:48 PM
Created 03-22-2018 09:01 AM
UPDATE: Note that this feature was introduced in NiFi-1.5.0 / HDF-3.1 and is now GA.
https://docs.hortonworks.com/HDPDocuments/HDF3/HDF-3.1.1/bk_security/content/ch05s04.html
Created 12-12-2017 05:14 PM
Do you have any update on this issue? We really need to authenticate using groups instead of users.
Thanks, Dini.
Do you have any update on this issue? I really need to use groups to authenticate through LDAP.
Tks.