Extract Username In NIFI

Explorer

Dears,

 

My use case is to extract the user name entered, store it in an attribute, and load it into a column of a database. How can I extract the user name entered by the user while logging in?

 

Thank you!


Master Mentor

@ushasri 

NiFi does not provide a local provider for user authentication via username and password. NiFi supports numerous authentication methods you can configure.
- Authentication via a mutual TLS exchange: Always enabled once NiFi is secured and the first method always attempted. Mutual TLS is how NiFi nodes authenticate with one another, how secured NiFi authenticates to other secured NiFis, how secured NiFi authenticates with secured NiFi-Registry, etc.
- Spnego: Kerberos authentication method that does not require users to provide a Kerberos principal and password for authentication.
- Kerberos-provider: Requires user to provide username and password for authentication. Successful authentication results in a bearer token issued to user and a corresponding NiFi side server token for the user.
- Ldap-provider: Requires user to provide username and password for authentication. Successful authentication results in a bearer token issued to user and a corresponding NiFi side server token for the user.
- OpenID Connect
- SAML

In a multi-node NiFi cluster, the authentication process and resulting bearer token are only valid for the node on which the authentication was verified. It can't be used to authenticate with another node. Issued bearer tokens have an expiration. The default is 12 hours, at which time the NiFi server removes the server-side token. This forces the user to re-authenticate and obtain a new client bearer token.

 

Every action that a user performs via NiFi's UI must be both authenticated and authorized. This means that the user must authenticate via a certificate, bearer token, etc. with every request. The authenticated client user identity is then used to verify that the user/client is authorized to perform the requested operation or access the requested endpoint (such as loading the NiFi UI).

Whenever a user authenticates within a NiFi instance, that NiFi instance will produce a log entry in the nifi-user.log with the authenticated user's user identity.  Subsequent to that is the requested endpoint that user is trying to access and result of that authorization.

NOTE: Components added to the NiFi canvas by a user are not executed as that user. All components are executed by the NiFi service user.

 

Adding the username to a FlowFile attribute becomes challenging since nothing in the NiFi canvas executes as that user. Also, running any kind of automation within the UI to make a rest-api call to NiFi would itself require user authentication and authorization.

The question here is what are you trying to accomplish by extracting a username and adding it to a database? Guess you could create a dataflow that reads the nifi-user.log and extracts authentication related log lines, although, this would be very noisy since a single user who has obtained a bearer token for 12 hours may perform an unknown number of operations within the UI  or via rest-api calls each resulting in logging about authentication.

 

If you found that the provided solution(s) assisted you with your query, please take a moment to login and click Accept as Solution below each response that helped.

Thank you,

Matt

Explorer

Dears,

We are logging into NiFi using the URL by giving the username and password in the web browser itself.

So, our question is: we need to extract that username and load it (e.g. Admin) into a database column using a NiFi flow.

 

Could you please suggest any approach, if available, through NiFi?

 

Thank you.

 

 

avatar

Hi @ushasri,


What @MattWho explained is that if you are using multiple users (or a single user used by several people) on your NiFi instance, what you are trying to achieve is not quite possible... or not in an easy way, as you will require lots of work and hard-coded information.


If you are certain that you want to do such a thing, you could use a TailFile processor and tail the nifi-user.log file for any newly added lines. You will get a bunch of lines like these (and a bunch means really A LOT):

2023-04-24 16:15:37,525 INFO [NiFi Web Server-126216] o.a.n.w.s.NiFiAuthenticationFilter Authentication Started 123.123.123.123 [<admin><CN=localhost-yabadabady, OU=NIFI><CN=localhost-yabadabadu, OU=NIFI>] GET https://localhost-yabadabady:9091/nifi-api/flow/current-user
2023-04-24 16:15:37,525 INFO [NiFi Web Server-126216] o.a.n.w.s.NiFiAuthenticationFilter Authentication Success [admin] 123.123.123.123 GET https://localhost-yabadabady:9091/nifi-api/flow/current-user

 

From those lines, you can extract whatever information you need and send it down your stream to have it inserted in your database. It is recommended to first analyze the logfile and see what lines are truly required and only extract those, otherwise, like Matt said, prepare to get a very noisy file. As you can see, any action performed generates at least 2 lines: 1 for request and 1 for acceptance.

For extracting your lines, you have many options, depending on what you are trying to achieve, like ExtractText and SplitContent. Next, you can use a RouteOnAttribute to identify what you want to keep, then go into your database with a processor like PutDatabaseRecord or PutSQL. So the logic is up to you, depending on your use case.

PS: if going further with this action, make sure that you followed all the recommendations and best practices when installing NiFi --> especially those related to the infrastructure parameters like OPEN Files and MAX USER PROCESSES (ulimit -a)
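
An added example, not part of the reply above and not NiFi's own code: the extraction logic sketched in standalone Python, so the parsing and noise reduction can be tested before building the equivalent TailFile / ExtractText / PutDatabaseRecord flow. The last two sample lines, the `nifi_logins` table, and the 12-hour de-duplication window (modelled on the default token lifetime mentioned earlier in the thread) are assumptions.

```python
import re
import sqlite3
from datetime import datetime, timedelta

# Constructed sample: the two lines quoted in the reply, then two invented ones
# (a repeat request by admin, and a certificate DN as the user identity).
SAMPLE_LOG = """\
2023-04-24 16:15:37,525 INFO [NiFi Web Server-126216] o.a.n.w.s.NiFiAuthenticationFilter Authentication Started 123.123.123.123 [<admin><CN=localhost-yabadabady, OU=NIFI><CN=localhost-yabadabadu, OU=NIFI>] GET https://localhost-yabadabady:9091/nifi-api/flow/current-user
2023-04-24 16:15:37,525 INFO [NiFi Web Server-126216] o.a.n.w.s.NiFiAuthenticationFilter Authentication Success [admin] 123.123.123.123 GET https://localhost-yabadabady:9091/nifi-api/flow/current-user
2023-04-24 16:15:42,101 INFO [NiFi Web Server-126217] o.a.n.w.s.NiFiAuthenticationFilter Authentication Success [admin] 123.123.123.123 GET https://localhost-yabadabady:9091/nifi-api/flow/status
2023-04-24 16:20:03,870 INFO [NiFi Web Server-126220] o.a.n.w.s.NiFiAuthenticationFilter Authentication Success [CN=node2, OU=NIFI] 10.0.0.7 GET https://localhost-yabadabady:9091/nifi-api/flow/current-user
"""

# Only "Authentication Success" lines carry the resolved identity in [brackets].
SUCCESS = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d{3} INFO \[[^\]]*\] \S+ "
    r"Authentication Success \[(?P<user>[^\]]+)\] (?P<ip>\S+) [A-Z]+ \S+$"
)

def first_seen(lines, window=timedelta(hours=12)):
    """One (seen_at, username, client_ip) row per user/IP pair per window."""
    last, rows = {}, []
    for line in lines:
        m = SUCCESS.match(line.strip())
        if m is None:
            continue  # "Authentication Started" and unrelated lines
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        key = (m["user"], m["ip"])
        if key in last and ts - last[key] < window:
            continue  # same user and address seen recently: per-request noise
        last[key] = ts
        rows.append((ts.isoformat(sep=" "), m["user"], m["ip"]))
    return rows

def store(rows, db_path=":memory:"):
    """Insert rows with bound parameters; return the stored usernames."""
    conn = sqlite3.connect(db_path)
    conn.execute("CREATE TABLE IF NOT EXISTS nifi_logins "
                 "(seen_at TEXT, username TEXT, client_ip TEXT)")
    conn.executemany("INSERT INTO nifi_logins VALUES (?, ?, ?)", rows)
    conn.commit()
    names = [r[0] for r in conn.execute(
        "SELECT username FROM nifi_logins ORDER BY seen_at")]
    conn.close()
    return names

if __name__ == "__main__":
    print(store(first_seen(SAMPLE_LOG.splitlines())))
```

The identity in brackets can be a full certificate DN containing commas and spaces, so it is captured up to the closing bracket and always passed to the database as a bound parameter rather than concatenated into SQL.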

Explorer

Hi Dears,

Will you please let me know where we can find the nifi-user.log file to tail?

 

Thank you.

avatar

The file can be found within your NiFi logs folder, where you have your other logs as well.