Cloudera Community

Support Questions

Find answers, ask questions, and share your expertise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Advanced Search
Announcements
Celebrating as our community reaches 100,000 members! Thank you!
Solved Go to solution

HandleHttpRequest / StandardRestrictedSSLContextService

Labels:
avatar
author-rank svenhans
New Contributor

Created ‎05-23-2023 07:11 AM

How do I restrict the access to an endpoint provided by HandleHttpRequest to specific users?

 

I did setup successfully a HandleHttpRequest-HandleHttpResponse chain, with Client Authentication = "Need Authentication". I provided a key- and truststore and users with a client certificate trusted by CA cert in the truststore can access the endpoint. 

However, I do not want everybody in my company to access this endpoint, I want to restrict this to a small group of users (actually to one single server). 

For testing purposes I created an empty truststore and imported into this truststore only my client certificate. However, now I cannot access the endpoint anymore (ERR_BAD_SSL_CLIENT_AUTH_CERT). 

How do I configure the JKS truststore to only trust one specific client? Or how do I configure HandleHttpRequest processor? 

If this is not possible, are there any other possibilities?

Could I somehow use a Nifi-REST-API-Token?

Could I somehow authenticate with the help of LDAP?

 

Thank you!

 

933 Views
0 Kudos
1 ACCEPTED SOLUTION

avatar
author-rank MattWho author-rank
Super Mentor

Created ‎05-26-2023 10:31 AM

@svenhans The truststore would contain the public certificate for your user and not the PrivateKeyEntry.  Is that what you added to the truststore?  Is your clientAuth certificate signed by a CA?

Another option is to handle this programmatically via your NiFi dataflow.  Immediately after your HandleHTTPRequest processor, you could add a RouteOnAttribute processor that checks the value of the "http.remote.user" attribute added by the HandleHttpRequest and terminates any FlowFile where the remote-user is not allowed.


If you found that the provided solution(s) assisted you with your query, please take a moment to login and click Accept as Solution below each response that helped.

Thank you,

Matt

View solution in original post

878 Views
0 Kudos
4 REPLIES 4

avatar
author-rank DianaTorres author-rank
Community Manager

Created ‎05-23-2023 08:15 AM

@svenhans Welcome to the Cloudera Community!

To help you get the best possible solution, I have tagged our NiFi experts @MattWho @SAMSAL  who may be able to assist you further.

Please keep us updated on your post, and we hope you find a satisfactory solution to your query.

Regards,

Diana Torres,
Community Moderator

Was your question answered? Make sure to mark the answer as the accepted solution.
If you find a reply useful, say thanks by clicking on the thumbs up button.
Learn more about the Cloudera Community:
914 Views
0 Kudos

avatar
author-rank MattWho author-rank
Super Mentor

Created ‎05-26-2023 10:31 AM

@svenhans The truststore would contain the public certificate for your user and not the PrivateKeyEntry.  Is that what you added to the truststore?  Is your clientAuth certificate signed by a CA?

Another option is to handle this programmatically via your NiFi dataflow.  Immediately after your HandleHTTPRequest processor, you could add a RouteOnAttribute processor that checks the value of the "http.remote.user" attribute added by the HandleHttpRequest and terminates any FlowFile where the remote-user is not allowed.


If you found that the provided solution(s) assisted you with your query, please take a moment to login and click Accept as Solution below each response that helped.

Thank you,

Matt

879 Views
0 Kudos

avatar
author-rank svenhans
New Contributor

Created ‎05-30-2023 01:14 AM

@MattWho In my test the truststore did contain just a single certificate, the public certificate of the authorized user (not private key). However this did not work, the TLS handshake did fail.

In the end I did solve my problem like you suggested, with RouteOnAttribute on "http.subject.dn".

It would be nice to have a processor for accessing AD to compare if the selected dn is member of some AD-group.

836 Views
0 Kudos

avatar
author-rank MattWho author-rank
Super Mentor

Created ‎05-30-2023 11:19 AM

@svenhans 

I would recommend you file an Apache NiFi Jira ticket for your new component processor request.
https://issues.apache.org/jira/projects/NIFI

Let's say an AD/LDAP lookup processor was create. that means supplying the ldap search configuration properties along with manager DN and manager password in order to do the lookup.  To avoid exposing that to other users in NiFi, maybe creating an LDAPLookup Controller service would be better.  Then create a processor like getLDAPUser that gets configured to use that LDAPLookup CS along with a StandardSSL CS with user defined AD/LDAP attributes to return and require a user Identity property value.   

Of course you run the risk of other who have access to your NiFi copying your processor and using it to fetch any details they want about your AD/LDAP users.

 

Matt

815 Views
0 Kudos
webinar banner
Announcements
What's New @ Cloudera
Cloudera Operational Database (COD) supports instance group ...
What's New @ Cloudera
Cloudera Operational Database (COD) has updated the instanc...
What's New @ Cloudera
Cloudera Operational Database (COD) supports configuring roo...
What's New @ Cloudera
Cloudera Operational Database (COD) has updated the HDFS ins...
Product Announcements
[ANNOUNCE] CDP Private Cloud Base 7.1.7 Service Pack 3 Relea...
View More Announcements
meetups banner