@Breezer
NiFi was historically never built to manage local users. NiFi provides no mechanism for creating and managing multiple users locally.
That being said, the Apache NiFi community found that many new users to NiFi were simply starting up unsecure NiFi instances on publicly accessible networks and decided to make changes so that by default NiFi would start with out of the box configuration secured over https. This change was released as part of the Apache NiFi 1.14 release and involved the following changes to make this work.
1. NiFi toolkit is used automatically to generate a keystore and truststore using self signed certs to secure NiFi.
2. A secured NiFi will require users/clients to authenticate and be authorized to interact with the NiFi UI in various ways. This means that out of the box there would need to be an authorizer and a means to define some user that could then be auto authorized to the needed policies. These changes were all part of https://issues.apache.org/jira/browse/NIFI-8220
The single-user-authorizer and single-user-provider were never intended for use in production as they do not provide granular multi-user level of authentication and authorization (which is what you are looking for). The simply provide for a single user who is authorized to every NiFi policy allowing for a secured environment out of the box.
Since NiFi never has and does not have any intention of managing users locally (creating multiple local users with passwords managed through NiFi UI) in the future, you'll need to utilize one of the other available user authentication methods if you want an environment which supports multiple users with unique authorizations. Those methods are explained here:
https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#user_authentication
I see you don't want to rely on some external authentication provider like ldap, kerbersos, knox, etc. and that is fine. User authentication can also be achieved via a mutual TLS handshake. All this requires is generating a unique user certificate for each of your 3 users.
A basic setup like this would require you to configure your NiFi to use the follwoing:
- Authentication:
- Clear the "single-user-provider" for the "nifi.security.user.login.provider" property in the nifi.properties file.
- Use the NiFi TLS toolkit to generate your certifcates: https://nifi.apache.org/docs/nifi-docs/html/toolkit-guide.html#tls_toolkit. Or you could use an external free certificate provider like Tinycert to create a certificate for each your NiFi instance(s) and a certifcate for each of your users.
- Authorization:
- Change the "single-user-authorizer" for the " nifi.security.user.authorizer" property in the nifi.properties file to "managed-authorizer".
- Build a new authorizers.xml that uses the "managed-authorizer" (https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#standardmanagedauthorizer), "file-access-policy-provider" (https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#fileaccesspolicyprovider), and "file-user-group-provider" (https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#fileusergroupprovider).
Example: Authorizers.xml configuration:
<authorizers>
<userGroupProvider>
<identifier>file-user-group-provider</identifier>
<class>org.apache.nifi.authorization.FileUserGroupProvider</class>
<property name="Users File">./conf/users.xml</property>
<property name="Legacy Authorized Users File"></property>
<property name="Initial User Identity 1"><full DN from user certifcate 1></property>
<property name="Initial User Identity 2"><full DN from user certifcate 2></property>
<property name="Initial User Identity 3"><full DN from user certifcate 3></property>
</userGroupProvider>
<accessPolicyProvider>
<identifier>file-access-policy-provider</identifier>
<class>org.apache.nifi.authorization.FileAccessPolicyProvider</class>
<property name="User Group Provider">file-user-group-provider</property>
<property name="Authorizations File">./conf/authorizations.xml</property>
<property name="Initial Admin Identity"><full DN from user certificate 1></property>
<property name="Legacy Authorized Users File"></property>
<property name="Node Identity 1"></property>
</accessPolicyProvider>
<authorizer>
<identifier>managed-authorizer</identifier>
<class>org.apache.nifi.authorization.StandardManagedAuthorizer</class>
<property name="Access Policy Provider">file-access-policy-provider</property>
</authorizer>
</authorizers>
This authorizers.xml setup will add your three user identities to NiFI for purpose of authorizing them against NiFi policies only. One of those users will be designated as the "initial admin" in the file-access-policy-provider. This user will be assigned to the required policies needed for that user to act as admin. That admin user can then access NiFi and setup authorization policies for the other two users.
The Certificates created for your users would be provided to each user. The user can then load that certificate into their browser. When the user navigates the the HTTPS NiFi URL, NiFi will request that client provide a certifcate and the loaded certificate can be used. This handles the unique user authentication.
More details on setting up additional authorization policies for yoru users can be found here:
https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#config-users-access-policies
If you found that the provided solution(s) assisted you with your query, please take a moment to login and click Accept as Solution below each response that helped.
Thank you,
Matt
