Authentication and authorization methods in Apache NiFi

New Contributor

Greetings, everyone.
I'm kind of new to NiFi and trying to implement some simple authorization method that is not the default (single-user). All I want is a couple of static users with some permissions and a login screen asking for credentials - 2 roots and 2 read-only will be more than enough, for example.
I've tried to search for my answer in other topics, both in Cloudera and the documentation, but didn't find any useful info. As far as I'm concerned, NiFi currently supports 3 methods - single-user, LDAP and Kerberos.
Do I really need to use some LDAP to make this happen, or is there a more simplified solution in that case? If so - can anyone share some ideas on what exactly I need to do?
I use NiFi 2.0.0-M2 at the moment. Let me know if some additional info is needed.

Thanks a lot in advance and have a great day!


New Contributor

Thanks a lot for such a detailed answer, @MattWho.
I actually have on-premise AD, but the access to it is kind of complicated.
I'm curious now - will it be easier to try and connect NiFi to this AD or to deploy OpenLDAP on the same server, what do you think?

Super Mentor

@AlexisRub 

Not sure how to answer that for you. Typically production users who have access to a corporately managed LDAP/AD would use that with their NiFi. This provides better security, as corporate can manage the adding of new users or removal of users no longer with the organization. If you also set up the ldap-user-group-provider in the NiFi authorizers.xml along with setting the ldap-provider in the login-identity-providers.xml, you'll have a proper production setup.

Let's say a new person joins the company and is added to the AD. The ldap-user-group-provider (depending on filters) could automatically pull in that new user identity to NiFi, allowing your NiFi admin to set up access policies for them easily. And with the ldap-provider that user could then authenticate to your NiFi (successful authentication does not mean they would have authorized access).

Even better is this opens the ability to use LDAP/AD managed groups for authorization. Let's say you have an AD group named nifiadmins. You could sync this group and its members to NiFi via the ldap-user-group-provider and set up local authorization policies using that group identity. So later some user is added or removed from the AD "nifiadmins" group. When NiFi syncs with LDAP/AD via the ldap-user-group-provider (default is every 30 mins), that user would be added or removed as a known member of that group and would gain or lose authorizations without needing any manual action within NiFi to make that happen. This is the most common setup for production end users with established LDAP/AD groups for different teams that will access NiFi. Different teams can then be authorized access to only specific process groups and actions.

I set up a local LDAP which creates a bunch of fake users and groups that I can manage for testing purposes, but that is not something I would do in a production setup. I would leave the corporate management of users to those responsible for that access control.

Please help our community thrive. If you found any of the suggestions/solutions provided helped you with solving your issue or answering your question, please take a moment to login and click "Accept as Solution" on one or more of them that helped.

Thank you,
Matt

New Contributor

To implement simple authorization in NiFi, configure user authentication, define users/groups, set up access policies, configure login identity providers, and test the setup. This allows for basic user management without LDAP or Kerberos.

Super Mentor

@gregbowers 

You say "This allows for basic user management without LDAP or Kerberos.", but what method of user authentication are you suggesting to be used for user authentication?

Users and groups that are added via the UI and to which you apply various policies are NOT users that are managed by NiFi for authentication. Those added users are for setting authorization policies only. Authentication must be handled by an authentication provider. The single-user-provider only supports a single user and not the multiple users @AlexisRub is looking to support. So what other provider are you suggesting is configured in the login identity providers? The only options that can be configured in the login-identity-providers.xml in Apache NiFi are single-user-provider, ldap-provider, and kerberos-provider.

Are you suggesting some additional third party custom provider?

Thank you,
Matt