Created 01-12-2017 10:01 PM
Hello,
I currently run my cluster in NiFi using LDAP authentication; however, I was wondering if I could configure NiFi to allow SSO in addition to LDAP authentication, or if I can only use one method of authentication at a time. The reason I ask is because I am trying to grant access to additional users, but these users cannot access through LDAP, so I wanted to know if it was possible to allow these additional users through SSO in some way in NiFi without having to configure Kerberos authentication instead of LDAP. I know that since NiFi 1.0.0 they added the "Identity Mapping Properties". Would these mapping properties be able to help? Or is there any other way this could be possible?
Created 01-12-2017 10:51 PM
NiFi authentication always defaults to TLS certificates. If the user does not present a user certificate, then NiFi will fall back to the alternate configured login identifier (either LDAP or Kerberos). NiFi does not support specifying more than one of these alternate login identity providers (ldap-provider or kerberos-provider) at a time.
Current versions of NiFi have also added SPNEGO support for user authentication. This authentication, when configured in the nifi.properties file, falls between user certificates and any login-identity-providers configured in the login-identity-providers.xml file. Setting up SPNEGO will require configuration changes to your browser to support logging in without needing to use a username and password as you would with the kerberos-provider.
See below for more details on setting up SPNEGO for user authentication:
http://bryanbende.com/development/2016/08/31/apache-nifi-1.0.0-kerberos-authentication
The identity mapping patterns allow you to take the DN returned by LDAP or the user's certificate and map it to a different value. This makes it easier to set up user authorizations, since you will only need to provide that mapped value as the user name for the authorization instead of the full DN. The Kerberos pattern mapping has similar intent, so you may use pattern mapping to remove the @domain portion of the principal.
Matt
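As an added illustration of the identity mapping patterns Matt describes (this is example code written for this page, not NiFi's own implementation or anything posted in the thread), the script below parses a nifi.properties-style fragment containing the real nifi.security.identity.mapping.pattern.* / value.* property names with assumed sample patterns, applies them to a certificate DN, an LDAP DN and a Kerberos principal, and then runs a collision check. The mapping logic approximates NiFi's behaviour as I understand it (mappings tried in key order, first full regex match wins, $N back-references substituted, unmatched identities passed through unchanged); the collision check is the caveat a practitioner wants before enabling a pattern such as stripping @REALM, because two distinct principals that map to the same value become one NiFi user for authorization purposes.

```python
import re
from typing import Dict, List, Tuple

# Constructed nifi.properties fragment. The property names are NiFi's; the
# regex/value pairs are assumed sample values for this example only.
SAMPLE_PROPERTIES = """
# Map a full certificate/LDAP DN down to "user@OU"
nifi.security.identity.mapping.pattern.dn=^CN=(.*?), OU=(.*?), O=(.*?), L=(.*?), ST=(.*?), C=(.*?)$
nifi.security.identity.mapping.value.dn=$1@$2
# Strip the realm from a Kerberos principal
nifi.security.identity.mapping.pattern.kerb=^(.*?)@(.*?)$
nifi.security.identity.mapping.value.kerb=$1
"""

PATTERN_PREFIX = "nifi.security.identity.mapping.pattern."
VALUE_PREFIX = "nifi.security.identity.mapping.value."

Mapping = Tuple[str, "re.Pattern[str]", str]


def load_mappings(properties_text: str) -> List[Mapping]:
    """Pair each pattern.<name> with its value.<name>, ordered by name,
    converting Java-style $N back-references to Python's \\N form."""
    patterns: Dict[str, str] = {}
    values: Dict[str, str] = {}
    for raw in properties_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, val = line.partition("=")  # split on the first '=' only
        key = key.strip()
        if key.startswith(PATTERN_PREFIX):
            patterns[key[len(PATTERN_PREFIX):]] = val.strip()
        elif key.startswith(VALUE_PREFIX):
            values[key[len(VALUE_PREFIX):]] = val.strip()
    mappings: List[Mapping] = []
    for name in sorted(patterns):
        if name not in values:
            raise ValueError(f"pattern.{name} has no matching value.{name}")
        py_value = re.sub(r"\$(\d+)", r"\\\1", values[name])
        mappings.append((name, re.compile(patterns[name]), py_value))
    return mappings


def map_identity(identity: str, mappings: List[Mapping]) -> str:
    """Apply the first mapping whose pattern matches the whole identity.
    If nothing matches, the raw identity (e.g. the full DN) is used as-is,
    so authorization entries must be written in that full form."""
    for _name, pattern, value in mappings:
        if pattern.fullmatch(identity):
            return pattern.sub(value, identity)
    return identity


def find_collisions(identities: List[str], mappings: List[Mapping]) -> Dict[str, List[str]]:
    """Group raw identities by their mapped value and return every mapped
    value that more than one raw identity lands on: those principals would
    share one set of NiFi authorizations."""
    by_mapped: Dict[str, List[str]] = {}
    for ident in identities:
        by_mapped.setdefault(map_identity(ident, mappings), []).append(ident)
    return {mapped: raws for mapped, raws in by_mapped.items() if len(raws) > 1}


MAPPINGS = load_mappings(SAMPLE_PROPERTIES)

# Constructed sample identities: a certificate DN, an LDAP DN, a Kerberos
# principal, and a node DN that matches neither pattern.
SAMPLE_IDENTITIES = [
    "CN=alice, OU=Engineering, O=Example Corp, L=Austin, ST=TX, C=US",
    "CN=bob, OU=Finance, O=Example Corp, L=Austin, ST=TX, C=US",
    "alice@EXAMPLE.COM",
    "alice@PARTNER.COM",
    "CN=nifi-node-1, OU=NiFi",
]

if __name__ == "__main__":
    for ident in SAMPLE_IDENTITIES:
        print(f"{ident!r} -> {map_identity(ident, MAPPINGS)!r}")
    # Stripping the realm merges alice@EXAMPLE.COM and alice@PARTNER.COM
    # into the single NiFi user "alice".
    print("collisions:", find_collisions(SAMPLE_IDENTITIES, MAPPINGS))
```

Two things the run makes visible: the node DN that matches no pattern stays a full DN, so the node's authorization entry must still use the full DN, and a realm-stripping Kerberos pattern is only safe when exactly one realm can authenticate to NiFi.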
Created 01-12-2017 11:09 PM
@Matt thanks for the clarification, it helps a lot!
Created 01-12-2017 11:17 PM
no problem