
How to display a NiFi login window for http web browser

Contributor

Hi All,

I wanted to display the login window for the Apache NiFi HTTP server. Can anyone please let me know the setting to display the login window for HTTP instead of HTTPS?

1 ACCEPTED SOLUTION

Master Mentor
@Ayaskant Das

@Joe Petro

NiFi must be secured to run over HTTPS using a server certificate (loaded into a keystore) and a truststore before you can enable some form of user authentication. You can create your own keystore and truststore using the below procedure:

https://community.hortonworks.com/articles/17293/how-to-create-user-generated-keys-for-securing-nif....

Note: If you are going to be using LDAP or Kerberos for user authentication, you can skip the last part of the above procedure about generating a user SSL certificate to load in your browser.

Thanks,

Matt


9 REPLIES

Master Guru

The same question was already answered twice:

https://community.hortonworks.com/questions/87146/how-can-we-pop-up-log-in-window-asking-user-id-and...

https://community.hortonworks.com/questions/87122/how-can-we-pop-up-the-log-in-window-while-accessin...

To clarify, you cannot log in over "http", only via "https". It would not be secure to send your LDAP credentials from the browser to the NiFi server over unencrypted HTTP.

Expert Contributor

Thanks, I don't understand why NiFi wouldn't have a default login page for an admin user. It seems strange that no user login is required on http and can only be done via https. Every other HDP component has at least a basic UI login.


A default login page for an admin user served over HTTP provides the illusion of security -- security theater -- but does absolutely nothing to improve the security of the system while adding obstacles to ease of use.

Contributor

That is true, but sometimes such an option can be good for a little access control and for avoiding not seriously harmful but unwanted activities on the server.


We fundamentally disagree on the utility and value of that feature. Providing a login page which does not secure the transmission of sensitive credentials against trivial intercept and can be bypassed easily does not provide sufficient value and leads to a number of problems:

  1. Users will assume it is secure and will not change it from the default or configure stronger login options such as LDAP/Kerberos/client certificate authentication. We make a conscious effort not to offer weak security options as defaults, because many users are unaware and will not change them.
  2. Users will not be aware that the credentials can be intercepted and stolen (these credentials may be reused from other applications and pose a large threat).
  3. Users will not be aware that the login page can be bypassed (HTTP traffic can be monitored, and any credentials or tokens (NiFi is stateless, so it does not use session identifiers) can be intercepted and reused).

For these reasons, NiFi does not offer an option for authentication or authorization controls over plaintext HTTP. HTTPS must be configured to enable those mechanisms to avoid a false sense of security and prevent user/admin complacency.
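An added shell check (not from this thread and not part of NiFi) that encodes Matt's requirement and the policy explained above: it reads a nifi.properties file and flags a login identity provider configured while NiFi still listens on plaintext HTTP or lacks the keystore and truststore HTTPS needs. The property names are NiFi's own; the two sample files, their ports and their paths are constructed for the demonstration.

```shell
# Added audit helper (not from the thread or from NiFi): flags a nifi.properties
# file that configures a login identity provider while NiFi still listens on
# plaintext HTTP or lacks the keystore and truststore that HTTPS requires.

# Print the value of key $2 from properties file $1 (empty if unset).
prop() {
  grep "^$2=" "$1" | head -n 1 | cut -d= -f2-
}

# Return 0 when the file follows the policy explained in this thread
# (user authentication only over HTTPS), 1 when it does not.
check_nifi_props() {
  f="$1"
  http_port=$(prop "$f" nifi.web.http.port)
  https_port=$(prop "$f" nifi.web.https.port)
  keystore=$(prop "$f" nifi.security.keystore)
  truststore=$(prop "$f" nifi.security.truststore)
  provider=$(prop "$f" nifi.security.user.login.identity.provider)
  [ -z "$provider" ] && return 0   # no authentication configured: nothing to flag
  rc=0
  if [ -n "$http_port" ]; then
    echo "FAIL $f: '$provider' set but plaintext HTTP port $http_port is enabled"
    rc=1
  fi
  if [ -z "$https_port" ] || [ -z "$keystore" ] || [ -z "$truststore" ]; then
    echo "FAIL $f: '$provider' set but HTTPS port, keystore or truststore is unset"
    rc=1
  fi
  return $rc
}

# Constructed sample files (placeholder ports and paths, not a real install).
INSECURE=$(mktemp); SECURE=$(mktemp)
cat > "$INSECURE" <<'EOF'
nifi.web.http.port=8080
nifi.web.https.port=
nifi.security.keystore=
nifi.security.truststore=
nifi.security.user.login.identity.provider=ldap-provider
EOF
cat > "$SECURE" <<'EOF'
nifi.web.http.port=
nifi.web.https.port=9443
nifi.security.keystore=./conf/keystore.jks
nifi.security.truststore=./conf/truststore.jks
nifi.security.user.login.identity.provider=ldap-provider
EOF
check_nifi_props "$INSECURE" || echo "insecure sample flagged as expected"
check_nifi_props "$SECURE" && echo "secure sample passes"
```

Run it against a real conf/nifi.properties by calling check_nifi_props on that path; a non-zero exit means the install would be relying on a login that the thread explains NiFi does not protect over HTTP.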


@Joe P I cannot reply to your comment for some reason, so I'm putting my response here.


I do not set the security policy for Ambari or any other Apache project. Every project evaluates security differently and makes decisions to reach a balance they find acceptable.

I am only one member of the NiFi community as well, but our community has agreed on this policy for NiFi. We invite all community members and users to contribute ideas and engage in discussion on design decisions. You are welcome to request the changes you want, but I will say that the previous discussion around that obviously went in this direction and I don't see any new information in your position than was previously discussed.

Expert Contributor

If that's the case, then why does Ambari have a login page without HTTPS? Sometimes it's useful to set up the login first, then add a security layer. It helps with troubleshooting, and not having a login for Ambari (for example) would be confusing! So why is this any different?


Contributor

@Joe P did you set up https i.e. did you enable SSL on the server?