
Apache NiFi user authentication + creation of multiple users using openID

Explorer

I am new to Apache NiFi and have a fresh Apache NiFi instance on my local system, and I want to create 3 users and authenticate them with OpenID/Google OAuth from their email ID (instead of seeing the usual NiFi login screen, I want to see the Google authentication window where I can use my email ID to log in).

I tried to follow Bryan Bende's article on it, but it feels very outdated now (https://bryanbende.com/development/2017/10/03/apache-nifi-openid-connect).

Please help me with this and provide me with a step-by-step breakdown of how I can achieve this.

Thanks

1 ACCEPTED SOLUTION

Master Mentor

@jai1gupta 
Yes, NiFi out of the box in the latest releases is secured to run over HTTPS.
However, that out-of-the-box default setup is very basic (a non-production setup) to allow users to work within a secured NiFi. Its default setup utilizes the Single-User-Provider authentication login provider (configured in login-identity-providers.xml) and the single-user-authorizer configured in authorizers.xml. This out-of-the-box provider does not support multi-user capability. For multi-user, production-ready deployments with the ability to define very granular access controls, you'll need to use a different authentication provider (the most commonly used is probably the ldap-provider) and a different authorizer (the most commonly used is the StandardManagedAuthorizer configured to use the file-user-group-provider and file-access-policy-provider). NiFi does not offer any built-in multi-user provider that allows you to create local-to-NiFi users with passwords.

Keeping the above in mind, you are trying to use the OpenID authentication method. This still means you must be using a different authorizer. The single-user-authorizer can only be used with the Single-user-provider. More detail around your setup, OpenID exceptions, etc. is needed to help here.

If you found any of the suggestions/solutions provided helped you with your issue, please take a moment to login and click "Accept as Solution" on one or more of them that helped.

Thank you,
Matt

4 REPLIES

Master Mentor

@jai1gupta 
Authentication is a broad topic. What have you configured so far?
Is your NiFi secured over HTTPS already?

In following that article, where did you run into an issue?
What errors or exceptions are you seeing?

You should not be seeing a NiFi login window unless you have a login-identity-provider configured in your NiFi. Probably not going to get anyone to rewrite a step-by-step process here. You may have configuration issues unrelated to the steps for enabling the OAuth authentication method. The more detail you can provide, the better the answer you will get.

Aside from the single-user authentication and authorization providers, NiFi does not manage multiple local user accounts. Authentication of multiple users is handled by some external service like the OAuth provider you are trying to configure here.

After authentication comes authorization, which NiFi must handle of course. After successful authentication, NiFi has a user's identity that is then used to look up what authorizations have been granted to that user to control the level of access to the NiFi UI and its features. The File-User-Group-Provider in conjunction with the file-access-policy-provider in the authorizers.xml file are used to define and set authorization policies against a configured single user identity. Once that user has gained access to the UI, that "admin" user will have the authorization needed to add additional user identities for the express use of assigning authorizations to them.


Thanks,
Matt
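
The pairing rules from the replies above, as an added example (not code from the thread or from the NiFi project): a small Python check that reads the text of nifi.properties and authorizers.xml and reports an OpenID Connect setup that is still paired with the single-user providers or whose initial admin is not a known user. The `check_oidc_setup` helper, the identities and the sample file contents are constructed for illustration.

```python
import xml.etree.ElementTree as ET

def parse_properties(text):
    """Parse key=value lines of nifi.properties, skipping comment lines."""
    lines = [l for l in text.splitlines() if "=" in l and not l.lstrip().startswith("#")]
    return {k.strip(): v.strip() for k, v in (l.split("=", 1) for l in lines)}

def check_oidc_setup(properties_text, authorizers_xml):
    """Return findings for an OIDC login paired with the wrong NiFi providers."""
    props, root = parse_properties(properties_text), ET.fromstring(authorizers_xml)
    if not props.get("nifi.security.user.oidc.discovery.url"):
        return ["OIDC discovery URL is not set"]
    findings = []
    if props.get("nifi.security.user.login.identity.provider"):
        findings.append("login identity provider is set; NiFi shows its own login window")
    authorizer = props.get("nifi.security.user.authorizer", "")
    if authorizer == "single-user-authorizer":
        findings.append("single-user-authorizer only works with the single-user-provider")
    elif authorizer not in {a.findtext("identifier") for a in root.findall("authorizer")}:
        findings.append(f"authorizer '{authorizer}' is not defined in authorizers.xml")
    # The initial admin must also be a known user, or no policy can be attached to it.
    users = {p.text for p in root.findall("userGroupProvider/property")
             if p.get("name", "").startswith("Initial User Identity")}
    admin = root.findtext("accessPolicyProvider/property[@name='Initial Admin Identity']")
    if not admin or admin not in users:
        findings.append("Initial Admin Identity is not listed as an Initial User Identity")
    return findings

# Constructed sample inputs (placeholder identity; not taken from the thread).
OIDC = "nifi.security.user.oidc.discovery.url=https://accounts.google.com/.well-known/openid-configuration\n"
DEFAULT_PROPS = OIDC + ("nifi.security.user.login.identity.provider=single-user-provider\n"
                        "nifi.security.user.authorizer=single-user-authorizer\n")
MANAGED_PROPS = OIDC + ("nifi.security.user.login.identity.provider=\n"
                        "nifi.security.user.authorizer=managed-authorizer\n")
AUTHORIZERS_XML = """<authorizers>
  <userGroupProvider>
    <identifier>file-user-group-provider</identifier>
    <property name="Initial User Identity 1">admin@example.com</property>
  </userGroupProvider>
  <accessPolicyProvider>
    <identifier>file-access-policy-provider</identifier>
    <property name="User Group Provider">file-user-group-provider</property>
    <property name="Initial Admin Identity">admin@example.com</property>
  </accessPolicyProvider>
  <authorizer>
    <identifier>managed-authorizer</identifier>
    <property name="Access Policy Provider">file-access-policy-provider</property>
  </authorizer>
</authorizers>"""  # class and file-path entries omitted to keep the sample short
```

Calling `check_oidc_setup(DEFAULT_PROPS, AUTHORIZERS_XML)` returns two findings for the out-of-the-box providers, while `MANAGED_PROPS` with the same authorizers.xml returns an empty list.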

Explorer

Hi @MattWho, thanks for the fast reply. I'm using NiFi 1.23.2. So after version 1.14, isn't NiFi secured over HTTPS by default?
