How can I securely run NiFi 1.6.0 but still allow anyone to access it?

Explorer

I have a NiFi 1.6.0 that is currently running securely, but I am trying to figure out how to allow anyone to access it without just using http. In previous versions of NiFi you were able to set client auth to false and anyone could anonymously access even with https, and I am trying to find a way to do that in 1.6.0.

1 ACCEPTED SOLUTION

Master Guru
@Brandon Spratt

You are absolutely correct that older versions of NiFi allowed users to configure both the "nifi.web.http.port" and "nifi.web.https.port" properties in NiFi at the same time. NiFi would at that time then allow any user to access the NiFi UI via the unsecured http URL or via the HTTPS secured URL.

-

The need client auth property never had anything to do with user access to NiFi. That property was specific to node to node communications only. False simply meant that nodes acting as clients talking securely to other nodes (acting as server) did not need to verify trust of the server's presented certificate in the TLS/SSL handshake.

-

Allowing users to access a secured NiFi via an http configured URL presents a huge security risk, so that capability was removed. Once NiFi is secured by enabling https, even if http is still configured, access will be blocked to the http URL(s).

-

Can you elaborate on the use case for allowing users to anonymously access a secured NiFi? This opens a security hole where any client (user or other system) can get access to the data passing through that NiFi.

-

As a work-around you could generate a user certificate that gives all access to every NiFi policy and make that certificate freely available to all your users.

-

Thank you,

Matt

-

If you find an answer that best addresses your initial question, please take a moment to log in to the forum and click the "Accept" link below that provided answer.

3 REPLIES

Explorer

@Matt Clarke

The reason that we would like to allow users to anonymously access a secured NiFi is because we have the instance running in a secure environment and we would like for anyone who has access to that environment to have access to view templates in that instance and make copies with changes to improve it so that they can later be presented as an option for a way to improve our system. We could add everyone's certificate, but it would be much easier to just have it open to everyone as there are many people who will be viewing it.

Master Guru

If NiFi is sitting in a secured environment, why the need to secure NiFi? Could you just leave it http only?

There is no work-around to enable http access into an HTTPS-enabled NiFi.
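
The two configurations discussed in this thread can be checked directly from `nifi.properties`. The script below is an added example, not part of any post in the thread and not NiFi project code; it reports which web listener is in effect and what that means for access. The sample property files are constructed, and the `nifi.web.http.host` check (blank or 0.0.0.0 meaning all interfaces) is an assumption about a property the thread does not mention.

```python
# Added example: classify NiFi web access mode from nifi.properties text.
BOTH_PORTS_SET = """# constructed sample: https enabled, http left configured
nifi.web.http.port=8080
nifi.web.https.port=9443
"""
HTTP_ONLY = """# constructed sample: unsecured instance
nifi.web.http.host=
nifi.web.http.port=8080
nifi.web.https.port=
"""

def parse_properties(text):
    """Parse Java-style key=value lines, skipping blanks and # / ! comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props

def web_access_mode(props):
    """Return (mode, findings) for the configured web listeners."""
    http = props.get("nifi.web.http.port", "")
    https = props.get("nifi.web.https.port", "")
    findings = []
    if https:
        mode = "https"
        if http:
            # Behaviour as described in the accepted answer above.
            findings.append("nifi.web.http.port=%s is also set; the http URL "
                            "is blocked once https is enabled" % http)
    elif http:
        mode = "http-only"
        findings.append("no authentication: any client that can reach port "
                        "%s gets full access" % http)
        # Assumption: a blank or 0.0.0.0 host binds every interface.
        if props.get("nifi.web.http.host", "") in ("", "0.0.0.0"):
            findings.append("nifi.web.http.host is unset or 0.0.0.0: the "
                            "listener is not limited to one interface")
    else:
        mode, findings = "none", ["neither web port is set"]
    return mode, findings

if __name__ == "__main__":
    for name, text in (("both", BOTH_PORTS_SET), ("http", HTTP_ONLY)):
        print(name, web_access_mode(parse_properties(text)))
```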