Cloudera Community

Support Questions

Find answers, ask questions, and share your expertise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Advanced Search
Announcements
Celebrating as our community reaches 100,000 members! Thank you!

Default authenticaion in Nifi

Labels:
avatar
author-rank zIfo
New Contributor

Created ‎11-05-2023 09:54 PM

Hi,

    We are trying to authenticate Nifi with single-user-authorizer using the auto-generated username and password itself. We thought of changing the token expiration time. But, we couldn't find any configuration for token expiration for this default authentication. There is an api which gives the expiation time of the token but the token is still active even after the expiration time we got from the api. 

Is there any configuration to change the duration of active token?  Or Is there a way to get the actual token expiration time?

Where can I find the document for working of token expiration for nifi default authentication?

430 Views
0 Kudos
2 REPLIES 2

avatar
author-rank MattWho author-rank
Super Mentor

Created ‎11-06-2023 06:09 AM

@zIfo 
The default Single-User-Authorizer (Authorization) and Single-user-provider (authentication) are not intended for production use.  These were added as of  Apache NiFi 1.14 to facilitate a secure out-of-the-box NiFi startup for evaluation and testing.  

They provide very basic authentication and authorization. Single user with complete and full access to everything.  So by using this default provider you have no ability to support multiple users with very granular levels of authorization.  The Token on the NiFi server side should expire after 8 hours.  The JWT token stored in the browser may be around longer.

You did not share the version of Apache NiFi you have installed, but perhaps the following explains what you are experiencing :
https://issues.apache.org/jira/browse/NIFI-9049

But to support NiFi Clusters and NiFi multi-tenant authentication and authorization, you should move to a production ready authentication provider (LDAP commonly used) and authorizer (Managed authorizer commonly used).

If you found any of the suggestions/solutions provided helped you with your issue, please take a moment to login and click "Accept as Solution" on one or more of them that helped.

Thank you,
Matt

408 Views
0 Kudos

avatar
author-rank zIfo
New Contributor

Created ‎11-06-2023 06:28 AM

@MattWho Thanks for the response. We are using Nifi 1.21.0 version and we are using it internally in our application. Hence, we are currently planning to have Single-User-Authorizer as of now. In future, we will go for authentication provider. 

Is there any way to change that 8hours expiration time? And what is the time of expiration I get from the api - /access/token/expiration?. The token is not getting expired with the time we get from that api.

406 Views
0 Kudos
webinar banner
Announcements
What's New @ Cloudera
Cloudera Operational Database (COD) supports instance group ...
What's New @ Cloudera
Cloudera Operational Database (COD) has updated the instanc...
What's New @ Cloudera
Cloudera Operational Database (COD) supports configuring roo...
What's New @ Cloudera
Cloudera Operational Database (COD) has updated the HDFS ins...
Product Announcements
[ANNOUNCE] CDP Private Cloud Base 7.1.7 Service Pack 3 Relea...
View More Announcements
meetups banner