Support Questions

Find answers, ask questions, and share your expertise
Announcements
Celebrating as our community reaches 100,000 members! Thank you!

How do I implement basic authentication on Nifi's HandleHttpRequest processor?

avatar
Explorer

I want to implement basic authentication mechanism on Nifi's HandleHttpRequest processor. When I receive a request containing JSON data, I want to check if the username and password is correct or not. Based on the results, I want to redirect request. How can I implement this basic authentication on Nifi without using SSLContextService?

2 REPLIES 2

avatar
New Contributor

Hi,

 

Did you find how to do it?

 

Regards.

avatar
Master Mentor

@gvkarthik93 

The HandleHTTPRequest processor only support user based authentication via a mutual TLS handshake.  But there is no authorization built in to the processor.  So if the truststore configured in the configured SSLContextService contains the needed trustedCertEntries to trust a user/client certificate presented in the handshake, that user would be allowed to send traffic to this listener.

The processor could then route the success relationship via a connection to a routeOnAttribute processor that checks the dn set in the "http.subject.dn" FlowFile attribute created by the HandleHttpRequest  processor to see if matches a list of DN. Based in that outcome decide to either route the FlowFile to a HandleHTTPResponse processor that responds with not authorized or route down an authorized path and respond accordingly.  

I want to check if the username and password is correct or not

Check against what?
NiFi has no local users with passwords for authentication, nor do any NiFi processors have any integration in to an external user authenticator like ldap.

Even if you were to pass a username and password via a header on the request, there is no native processor that could take that username and password and verify it.  Maybe you could use a scripting processor to validate the username and password against an external service like ldap.  But between HandleHTTPRequest and that scripting processor, that user's name and password would be in plaintext within the FlowFiles attributes which is not ideal. 

Also keep in mind that if you do not use TLS at all, anything you send over the connection is not encrypted and in plain text.

Hope this helps answer your query,
Matt