Support Questions

Find answers, ask questions, and share your expertise

Controlling level of access in NiFi question

avatar
Rising Star

Hello,

I am trying to configure a clustered NiFi environment, which is currently not going to use HTTPS (configured in the NiFi.properties file). I read the below section of the manual: Chapter 6 - Controlling levels of Access and found it 'open for interpretation'. http://docs.hortonworks.com/HDPDocuments/HDF1/HDF-1.2.0.1/bk_AdminGuide/content/controlling-levels-o...

1) When I read this section, it implies that I must create a ADMIN user in the authorized-users.xml file and that I must supply a value for: <user dn="[user dn - read only and admin]">.

In this example:

<users>
    <user dn="[user dn - read only and admin]">
        <role name="ROLE_ADMIN"/>
    </user>
</users>

Then later on in this section of the manual, it says this ADMIN user can only be accessed by HTTPS connections (which I have been told not to set up now.)

So do I need to provide a value for: user dn - read only and admin?

1a) If yes, and the new NiFi local Administrator doesn't know what to put in for "USER DN", is there a default value I can use? (this is not something I normally work with)

2) Then at the very end of this section of the manual, it says:

"When users want access to the NiFi UI, they navigate to the configured URL and are prompted to request access. When someone has requested access, the ADMIN user sees a star on the Users icon in the Management Toolbar, alerting the ADMIN to the fact that a request is pending. Upon opening the User Management Page, the pending request is visible, and the ADMIN can grant access and click on the pencil icon to set the user's roles appropriately."

So this implies irregardless if I am securing this NiFi configuration via HTTPS definitions in the nifi.properties file, that I must have a ADMIN user defined in authorized-users.xml, to be able to use the UI to perform the above task.

Responses to these questions would be greatly appreciated. Thank you.

1 ACCEPTED SOLUTION

avatar
Rising Star

Hello one more time Matt Clark, 🙂

The link below, gives the kind of details I am looking for, in a step by step document.

This was a tremendously helpful question and responses from you and Aldrin Piri I just found by hunting around on the community site:

From: https://community.hortonworks.com/questions/11891/how-to-troubleshoot-nifi-non-secure-cluster.html

Question by thomas sandidge Jan 27 2016 at 01:33 AM Nifi

How to troubleshoot NiFi non-secure cluster.

= = =

The point of my feedback is, hunting around this Community site takes time and you have to know what and how to search for information.... this is why I was suggesting that one comprehensive Article be created, showing all the details to create a Clustered NiFi configuration from scratch. Thanks again for all of your great help and for the articles you have written.

View solution in original post

6 REPLIES 6

avatar
Master Mentor

Hello,

In order to secure access to your NiFi instance/cluster, NiFi must be configured to run securely via https. Section 6 of the guide linked above correctly states that your NiFi must be configured to run securely (HTTPS) and have an authentication mechanism (user certificates. ldap, or kerberos) in place. Without a secure setup, all users who access the NiFi UI get in with anonymous access which gives all of them full access so all aspects of the NiFi UI.

The DN is what uniquely identifies each user and/or server that accesses your NiFi. If using ssl certificates as your authentication mechanism, the DN will be found inside the certificate and would have been generated during the certificates creation phase. There is an article here ( https://community.hortonworks.com/articles/17293/how-to-create-user-generated-keys-for-securing-nif.... ) that walks you through creating your own keystores and truststores for securing your NiFi (https). It also covers creating user certificates if that is the authentication mechanism you choose to use.

You can also use ldap or kerberos as your authentication mechanism, but you will need to setup or use an existing ldap or kerberos infastructure.

Users with the "admin" role have the ability to authenticate in to the secured NiFi UI. From there they can access the user management interface via this icon 4658-screen-shot-2016-05-30-at-94250-am.png. This interface will allow users that have the "admin" role to approve the access of other users who have requested through the secured NiFi UI. The reason you need to manually add the first "admin" user is because otherwise you have no users who can access the UI to approve requests.

If you are unsure how to extract your user DN from your configure authentication mechanism, you can do the following:

1. You still need to setup your NiFi securely. You can use the procedure linked above to create the needed keystores and truststores to do so.

2. Configure your nifi.properties file for secure (https) and non-secure (http) access. You will need to use unique ports for each. (8080 for http and 8443 for https for example).

3. Navigate to the https address for your NiFi instance. If you are using user certificates, you will need to have followed that section of the above linked article to create your user key and load it in to your browser. If setup for ldap, provide your ldap username and password when the NiFI UI prompts you.

4. You will then be prompted to request access if you successfully authenticated. This is the authorization request portion. after requesting access the screen will say pending approval.

5. You can now navigate to the non-secure (http) address for your NiFi which lets everyone in as anonymous with full access. Go to the user management UI via the icon shown above and grant your user the "admin" role.

You can now go back to the secured NiFi UI address and gain controlled access. Don't forget to go back in your nifi.properties file and remove the http configure to prevent uncontrolled annoymous access at this point.

There are other roles that authorize authenticated users to do different things within the UI:

1. adminstrator: Can add or remove authorized roles for other users. Can purge flow configuration change history.

2. Data Flow Manager: Can build, manipulate, modify, start, stop, and/or delete dataflows on the NiFi canvas.

3. Read Only: Can access UI and view the configuration of items on the canvas, but cannot build, manipulate, modify, start, stop, and/or delete any of it.

4. Provenance: Users with this added role can search any stored provenance data.

I am not sure where the confusion came from with regards to setting up controlled access via http, but if you can point me in the right direction I will do my best to get the documentation updated so it is more clear.

Thank you,

Matt

avatar
Rising Star

Hi Matt,

That was a beautiful explanation, and much appreciated, if I was going to secure the configuration. I was told not to secure this configuration.

By reading your explanation for # 5:

5. You can now navigate to the non-secure (http) address for your NiFi which lets everyone in as anonymous with full access. ==> Go to the user management UI via the icon shown above and grant your user the "admin" role.

Feedback: Is this is telling me, that even in an unsecured environment, I can go through the UI and grant myself the "Admin' role? If yes, then I am guessing at a minimum, I still need to do something with this entry in the file?

<users>

<userdn="[user dn - read only and admin]">

<rolename="ROLE_ADMIN"/>

</user>

</users>

- I haven't had to do anything with editing an .xml file in a long time, so could the answer to this situation be, make the the following changes to this entry?

<users>

<userdn="[ADMIN - read only and admin]">

<rolename="ROLE_ADMIN"/>

</user>

</users>

Things that could be changed or enhanced in the manual:

1) The manual assumes readers of the manual have editing experience in .xml files. Maybe the manual could say: if you are going to use the ADMIN user concept, edit this entry as follows:

then supply the example....

Note: There is a great example to use when editing one the notification file: conf/bootstrap-notification-services.xml in the NiFi Admin guide.

A complete example of configuring the Email service would look like the following:

     <service>
        <id>email-notification</id>
        <class>org.apache.nifi.bootstrap.notification.email.EmailNotificationService</class>
        <property name="SMTP Hostname">smtp.gmail.com</property>
        <property name="SMTP Port">587</property>
        <property name="SMTP Username">username@gmail.com</property>
        <property name="SMTP Password">super-secret-password</property>
        <property name="SMTP TLS">true</property>
        <property name="From">"NiFi Service Notifier"</property>
        <property name="To">username@gmail.com</property>
     </service>

2) Defining a few sentences in the manual to answer this scenario, would also be helpful: If the ADMIN user is actually associated with the concept of a 'Role' of privileges, do we need to activate the ADMIN user id in this file by removing the comment and supplying any other required information, even if this is NOT a secured configuration? Assuming that even in non secured configurations, some specific User will need to administer the NiFi configuration via the UI, versus allowing any user who can log in administer the tool? If that was an incorrect assumption on my part, please advise. Thank you.

avatar
Master Mentor

PJ,

Roles only work with a secured NiFi. The intent of step 5 was to give a backdoor method for properly populating the first needed entry in the authorized-users.xml file. You can either follow step 5 (backdoor method for creating first needed Admin user for https setup) or you can get your DN from your cert or ldap to manually populate that authorized-users.xml. Bottom line is if you are being told you cannot secure your NiFi and to leave it running unsecure with http, you cannot create user roles. User roles are only used by a secured https configured NiFi. If someone is telling you that you can setup user roles within a http configured NiFi, they are unfortunately misinformed.

An example entry is below should you decide to secure your NiFi so you can make use of this feature in the future:

<users>

<userdn="CN=John Doe, OU=MyBusiness, O=MyOrg, L=Baltimore, ST=MD, C=US">

<rolename="ROLE_ADMIN"/>

</user>

</users>

Keep in mind that in order for this to work, the userdn above has to match exactly how it is recorded in the users certificate or within ldap for user John Doe in this example. What this does is authorize the authenticated user "John Doe" with the "Admin" role.

A user can be assigned multiple roles as well. An example of how that would look is as follows:

<users>

<userdn="CN=John Doe, OU=MyBusiness, O=MyOrg, L=Baltimore, ST=MD, C=US">

<rolename="ROLE_ADMIN"/>

<rolename="ROLE_DFM"/>

<rolename="ROLE_PROVENANCE"/>

</user>

</users>

In that example, the authenticated user "John Doe" has been authorized with "Admin", "Dataflow Manager", and "Provenance" user roles.

Hope this adds clarity to my previous response.

Thanks,

Matt

avatar
Rising Star

Hello one more time Matt Clark, 🙂

The link below, gives the kind of details I am looking for, in a step by step document.

This was a tremendously helpful question and responses from you and Aldrin Piri I just found by hunting around on the community site:

From: https://community.hortonworks.com/questions/11891/how-to-troubleshoot-nifi-non-secure-cluster.html

Question by thomas sandidge Jan 27 2016 at 01:33 AM Nifi

How to troubleshoot NiFi non-secure cluster.

= = =

The point of my feedback is, hunting around this Community site takes time and you have to know what and how to search for information.... this is why I was suggesting that one comprehensive Article be created, showing all the details to create a Clustered NiFi configuration from scratch. Thanks again for all of your great help and for the articles you have written.

avatar
Master Mentor

Thank you for your feedback. I will look into creating an article to cover this topic. Perhaps "How to setup my first non-secured NiFi cluster."

avatar
Rising Star

@mclark Hi Matt, I really appreciate your replies. This is great idea for you to create: "How to setup my first non-secured NiFi cluster.".