Support Questions

Find answers, ask questions, and share your expertise
Announcements
Celebrating as our community reaches 100,000 members! Thank you!

How to set passwords for multiple users in Apache Nifi

avatar
New Contributor

I want to have multiple users in Nifi.

 

I don't want to use LDAP because I don't have a LDAP.

 

I don't want to use Kerberos because I don't have a Kerberos.

 

I don't want to use Apache Knox because I don't have a Apache Knox.

 

I don't want to integrate with the thing because I don't have the thing.

 

I just want to have 3 users, each with their own username and password.

 

I've gotten to the point where I have three users but I have no idea what password to use for the non-admin users.

 

 

1 ACCEPTED SOLUTION

avatar
Super Mentor

@Breezer 
NiFi was historically never built to manage local users.  NiFi provides no mechanism for creating and managing multiple users locally.

That being said, the Apache NiFi community found that many new users to NiFi were simply starting up unsecure NiFi instances on publicly accessible networks and decided to make changes so that by default NiFi would start with out of the box configuration secured over https.    This change was released as part of the Apache NiFi 1.14 release and involved the following changes to make this work.

1. NiFi toolkit is used automatically to generate a keystore and truststore using self signed certs to secure NiFi.
2. A secured NiFi will require users/clients to authenticate and be authorized to interact with the NiFi UI in various ways. This means that out of the box there would need to be an authorizer and a means to define some user that could then be auto authorized to the needed policies.  These changes were all part of https://issues.apache.org/jira/browse/NIFI-8220

The single-user-authorizer and single-user-provider were never intended for use in production as they do not provide granular multi-user level of authentication and authorization (which is what you are looking for).  The simply provide for a single user who is authorized to every NiFi policy allowing for a secured environment out of the box.

Since NiFi never has and does not have any intention of managing users locally (creating multiple local users with passwords managed through NiFi UI) in the future, you'll need to utilize one of the other available user authentication methods if you want an environment which supports multiple users with unique authorizations.  Those methods are explained here:
https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#user_authentication

I see you don't want to rely on some external authentication provider like ldap, kerbersos, knox, etc. and that is fine.  User authentication can also be achieved via a mutual TLS handshake.  All this requires is generating a unique user certificate for each of your 3 users.

A basic setup like this would require you to configure your NiFi to use the follwoing:

  1. Authentication:
    1. Clear the "single-user-provider" for the "nifi.security.user.login.provider" property in the nifi.properties file.
    2. Use the NiFi TLS toolkit to generate your certifcates: https://nifi.apache.org/docs/nifi-docs/html/toolkit-guide.html#tls_toolkit. Or you could use an external free certificate provider like Tinycert to create a certificate for each your NiFi instance(s) and a certifcate for each of your users.
  2. Authorization:
    1. Change the "single-user-authorizer" for the " nifi.security.user.authorizer" property in the nifi.properties file to "managed-authorizer".
    2. Build a new authorizers.xml that uses the "managed-authorizer" (https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#standardmanagedauthorizer), "file-access-policy-provider" (https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#fileaccesspolicyprovider), and "file-user-group-provider" (https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#fileusergroupprovider).  

Example: Authorizers.xml configuration:

<authorizers>

    <userGroupProvider>
        <identifier>file-user-group-provider</identifier>
        <class>org.apache.nifi.authorization.FileUserGroupProvider</class>
        <property name="Users File">./conf/users.xml</property>
        <property name="Legacy Authorized Users File"></property>
        <property name="Initial User Identity 1"><full DN from user certifcate 1></property>
        <property name="Initial User Identity 2"><full DN from user certifcate 2></property>
        <property name="Initial User Identity 3"><full DN from user certifcate 3></property>
    </userGroupProvider>

    <accessPolicyProvider>
        <identifier>file-access-policy-provider</identifier>
        <class>org.apache.nifi.authorization.FileAccessPolicyProvider</class>
        <property name="User Group Provider">file-user-group-provider</property>
        <property name="Authorizations File">./conf/authorizations.xml</property>
        <property name="Initial Admin Identity"><full DN from user certificate 1></property>
        <property name="Legacy Authorized Users File"></property>
        <property name="Node Identity 1"></property>
    </accessPolicyProvider>

    <authorizer>
        <identifier>managed-authorizer</identifier>
        <class>org.apache.nifi.authorization.StandardManagedAuthorizer</class>
        <property name="Access Policy Provider">file-access-policy-provider</property>
    </authorizer>
</authorizers>

This authorizers.xml setup will add your three user identities to NiFI for purpose of authorizing them against NiFi policies only.  One of those users will be designated as the "initial admin" in the file-access-policy-provider.  This user will be assigned to the required policies needed for that user to act as admin.  That admin user can then access NiFi and setup authorization policies for the other two users.

The Certificates created for your users would be provided to each user.  The user can then load that certificate into their browser.  When the user navigates the the HTTPS NiFi URL, NiFi will request that client provide a certifcate and the loaded certificate can be used.  This handles the unique user authentication.

More details on setting up additional authorization policies for yoru users can be found here:
https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#config-users-access-policies

If you found that the provided solution(s) assisted you with your query, please take a moment to login and click Accept as Solution below each response that helped.

Thank you,

Matt

View solution in original post

4 REPLIES 4

avatar
Community Manager

@Breezer Welcome to the Cloudera Community!

To help you get the best possible solution, I have tagged our NiFi experts @cotopaul @SAMSAL and @MattWho  who may be able to assist you further.

Please keep us updated on your post, and we hope you find a satisfactory solution to your query.


Regards,

Diana Torres,
Community Moderator


Was your question answered? Make sure to mark the answer as the accepted solution.
If you find a reply useful, say thanks by clicking on the thumbs up button.
Learn more about the Cloudera Community:

avatar
Super Mentor

@Breezer 
NiFi was historically never built to manage local users.  NiFi provides no mechanism for creating and managing multiple users locally.

That being said, the Apache NiFi community found that many new users to NiFi were simply starting up unsecure NiFi instances on publicly accessible networks and decided to make changes so that by default NiFi would start with out of the box configuration secured over https.    This change was released as part of the Apache NiFi 1.14 release and involved the following changes to make this work.

1. NiFi toolkit is used automatically to generate a keystore and truststore using self signed certs to secure NiFi.
2. A secured NiFi will require users/clients to authenticate and be authorized to interact with the NiFi UI in various ways. This means that out of the box there would need to be an authorizer and a means to define some user that could then be auto authorized to the needed policies.  These changes were all part of https://issues.apache.org/jira/browse/NIFI-8220

The single-user-authorizer and single-user-provider were never intended for use in production as they do not provide granular multi-user level of authentication and authorization (which is what you are looking for).  The simply provide for a single user who is authorized to every NiFi policy allowing for a secured environment out of the box.

Since NiFi never has and does not have any intention of managing users locally (creating multiple local users with passwords managed through NiFi UI) in the future, you'll need to utilize one of the other available user authentication methods if you want an environment which supports multiple users with unique authorizations.  Those methods are explained here:
https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#user_authentication

I see you don't want to rely on some external authentication provider like ldap, kerbersos, knox, etc. and that is fine.  User authentication can also be achieved via a mutual TLS handshake.  All this requires is generating a unique user certificate for each of your 3 users.

A basic setup like this would require you to configure your NiFi to use the follwoing:

  1. Authentication:
    1. Clear the "single-user-provider" for the "nifi.security.user.login.provider" property in the nifi.properties file.
    2. Use the NiFi TLS toolkit to generate your certifcates: https://nifi.apache.org/docs/nifi-docs/html/toolkit-guide.html#tls_toolkit. Or you could use an external free certificate provider like Tinycert to create a certificate for each your NiFi instance(s) and a certifcate for each of your users.
  2. Authorization:
    1. Change the "single-user-authorizer" for the " nifi.security.user.authorizer" property in the nifi.properties file to "managed-authorizer".
    2. Build a new authorizers.xml that uses the "managed-authorizer" (https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#standardmanagedauthorizer), "file-access-policy-provider" (https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#fileaccesspolicyprovider), and "file-user-group-provider" (https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#fileusergroupprovider).  

Example: Authorizers.xml configuration:

<authorizers>

    <userGroupProvider>
        <identifier>file-user-group-provider</identifier>
        <class>org.apache.nifi.authorization.FileUserGroupProvider</class>
        <property name="Users File">./conf/users.xml</property>
        <property name="Legacy Authorized Users File"></property>
        <property name="Initial User Identity 1"><full DN from user certifcate 1></property>
        <property name="Initial User Identity 2"><full DN from user certifcate 2></property>
        <property name="Initial User Identity 3"><full DN from user certifcate 3></property>
    </userGroupProvider>

    <accessPolicyProvider>
        <identifier>file-access-policy-provider</identifier>
        <class>org.apache.nifi.authorization.FileAccessPolicyProvider</class>
        <property name="User Group Provider">file-user-group-provider</property>
        <property name="Authorizations File">./conf/authorizations.xml</property>
        <property name="Initial Admin Identity"><full DN from user certificate 1></property>
        <property name="Legacy Authorized Users File"></property>
        <property name="Node Identity 1"></property>
    </accessPolicyProvider>

    <authorizer>
        <identifier>managed-authorizer</identifier>
        <class>org.apache.nifi.authorization.StandardManagedAuthorizer</class>
        <property name="Access Policy Provider">file-access-policy-provider</property>
    </authorizer>
</authorizers>

This authorizers.xml setup will add your three user identities to NiFI for purpose of authorizing them against NiFi policies only.  One of those users will be designated as the "initial admin" in the file-access-policy-provider.  This user will be assigned to the required policies needed for that user to act as admin.  That admin user can then access NiFi and setup authorization policies for the other two users.

The Certificates created for your users would be provided to each user.  The user can then load that certificate into their browser.  When the user navigates the the HTTPS NiFi URL, NiFi will request that client provide a certifcate and the loaded certificate can be used.  This handles the unique user authentication.

More details on setting up additional authorization policies for yoru users can be found here:
https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#config-users-access-policies

If you found that the provided solution(s) assisted you with your query, please take a moment to login and click Accept as Solution below each response that helped.

Thank you,

Matt

avatar
Explorer

Hi matt, can you kindly some detailed explanation on how do i create multiple authorizers.xml like if can change in the existing authorizers.xml or do i need to create new authorizer file and if yes how can i integrate it with the config files? that would be really helpful and kind of you

thanks and regards

 

avatar
Super Mentor

@jai1gupta 
I am not clear on your ask here and it does not seem related to the question asked and solution accepted in this thread.  Please start a new community question with details around what you are trying to accomplish/solve.  Feel free to @MattWho in that new question so that I get notified and I will try to assist you there.

Thank you,

Matt