Cloudera Community

Support Questions

Find answers, ask questions, and share your expertise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Advanced Search
Announcements
Celebrating as our community reaches 100,000 members! Thank you!
Solved Go to solution

How can I securely run NiFi 1.6.0 but still allow anyone to access it?

Labels:
avatar
author-rank bjspratt1
Explorer

Created ‎05-31-2018 04:57 PM

I have a NiFi 1.6.0 that is currently running securely, but I am trying to figure out how to allow anyone to access it without just using http. I previous versions of NiFi you were able to set client auth to false and anyone could anonymously access even with https and I am trying to find a way to do that in 1.6.0

1,205 Views
0 Kudos
1 ACCEPTED SOLUTION

avatar
author-rank MattWho author-rank
Super Mentor

Created ‎05-31-2018 05:32 PM

@Brandon Spratt

You are absolutely correct that older versions of NiFi allowed user to configure both the "nifi.web.http.port" and "nifi.web.https.port" properties in NiFi at the same time. NiFi would at that time then allow any user to access the NiFi UI via the unsecured http URL or via the HTTPS secured URL.

-

The need client auth property never had anything to do with user access to NiFi. That property was specific to node to node communications only. False simply meant that nodes acting as clients talking securely to other nodes (acting as server) did not need to verify trust of the server's presented certificate in the TLS/SSL handshake.

-

Allowing user to access a secured NiFi via a http configured URL presents a huge security risk, so that capability was removed. Once NiFi is secured by enabling https, even if http is still configured access will be blocked to the http URL(s).

-

Can you elaborate on the use case for allowing users to anonymously access a secured NiFi? This opens a security hole where any client (user or other system) can get access to the data passing through that NiFi.

-

As a work-around you could generate a user certificate that gives all access to every NiFi policy and make that certificate freely available to all your users.

-

Thank you,

Matt

-

If you find an answer the best addresses your initial question, please take a moment to login to the forum and click the "Accept" link below that provided answer.

View solution in original post

1,044 Views
3 REPLIES 3

avatar
author-rank MattWho author-rank
Super Mentor

Created ‎05-31-2018 05:32 PM

@Brandon Spratt

You are absolutely correct that older versions of NiFi allowed user to configure both the "nifi.web.http.port" and "nifi.web.https.port" properties in NiFi at the same time. NiFi would at that time then allow any user to access the NiFi UI via the unsecured http URL or via the HTTPS secured URL.

-

The need client auth property never had anything to do with user access to NiFi. That property was specific to node to node communications only. False simply meant that nodes acting as clients talking securely to other nodes (acting as server) did not need to verify trust of the server's presented certificate in the TLS/SSL handshake.

-

Allowing user to access a secured NiFi via a http configured URL presents a huge security risk, so that capability was removed. Once NiFi is secured by enabling https, even if http is still configured access will be blocked to the http URL(s).

-

Can you elaborate on the use case for allowing users to anonymously access a secured NiFi? This opens a security hole where any client (user or other system) can get access to the data passing through that NiFi.

-

As a work-around you could generate a user certificate that gives all access to every NiFi policy and make that certificate freely available to all your users.

-

Thank you,

Matt

-

If you find an answer the best addresses your initial question, please take a moment to login to the forum and click the "Accept" link below that provided answer.

1,045 Views

avatar
author-rank bjspratt1
Explorer

Created ‎05-31-2018 06:38 PM

@Matt Clarke

The reason that we would like to allow users to anonymously access a secured NiFi is because we have the instance running in a secure environment and we would like for anyone who has access to that environment to have access to view templates in that instance and make copies with changes to improve it so that they can later be presented as an option for a way to improve our system. We could add everyones certificate but it would be much easier to just have it open to everyone as there are many people who will be viewing it.

1,044 Views
0 Kudos

avatar
author-rank MattWho author-rank
Super Mentor

Created ‎05-31-2018 07:07 PM

If NiFi is sitting in a secured environment, why the need to secure NiFi? Could you just leave it http only?

There is no work-around to enable http access in to a HTTPS enabled NiFi.

1,044 Views
0 Kudos
Announcements
Product Announcements
[ANNOUNCE] Cloudera on Public Cloud Runtime 7.2.18 is GA!
What's New @ Cloudera
Cloudera Operational Database (COD) supports enhancements to...
Community Announcements
March 2024 Community Highlights
Community Announcements
Celebrating 100,000 Members: A Journey of Growth and Connect...
Product Announcements
[ANNOUNCE] New Cloudera JDBC Connector for Apache Hive 2.6.2...
View More Announcements