Is there a way to allow both SSO and LDAP authentication in NiFi?

Rising Star

Hello,

I currently run my cluster in NiFi using LDAP authentication; however, I was wondering if I could configure NiFi to allow SSO in addition to LDAP authentication, or if I can only specifically use one method of authentication at a time. The reason I ask is that I am trying to grant access to additional users, but these users cannot access through LDAP, so I wanted to know if it was possible to allow these additional users through SSO in some way in NiFi without having to configure Kerberos authentication instead of LDAP. I know that since NiFi 1.0.0 they added the "Identity Mapping Properties". Would these mapping properties be able to help? Or is there any other way this could be possible?

1 ACCEPTED SOLUTION

Re: Is there a way to allow both SSO and LDAP authentication in NiFi?

Master Guru

@Adda Fuentes

NiFi Authentication always defaults to TLS certificates. If the user does not present a user certificate, then NiFi will fall over to the alternate configured login identifier (either LDAP or Kerberos). NiFi does not support specifying more than one of these alternate login identity providers (ldap-provider or kerberos-provider) at a time.

Current versions of NiFi have also added Spnego support for user authentication. This authentication, when configured in the nifi.properties file, falls between user certificates and any login-identity-providers configured in the login-identity-providers.xml file. Setting up Spnego will require configuration changes to your browser to support logging in without needing to use username and password as you would with the kerberos-provider.

See below for more details on setting up Spnego for user authentication:

http://bryanbende.com/development/2016/08/31/apache-nifi-1.0.0-kerberos-authentication

The Identity mapping patterns allow you to take the DN returned by LDAP or the user's certificate and map it to a different value. This makes it easier to set up user authorizations, since you will only need to provide that mapped value as the user name for the authorization instead of the full DN. The Kerberos pattern mapping has similar intent. So you may use pattern mapping to remove the @domain portion of the principal.

Matt
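
The identity mapping described in the answer above, as an added example that is not part of the original post and is not NiFi's own code: it applies `nifi.security.identity.mapping.pattern.*` / `value.*` pairs to sample identities and reports mapped names that several source identities collapse into. The DNs, realm and regexes are constructed, and the evaluation order (patterns tried in key order, first full match wins, unmatched identities passed through) is an assumption of this sketch.

```python
import re

# Constructed nifi.properties fragment (sample values, not from the thread).
PROPS = r"""
nifi.security.identity.mapping.pattern.dn=^CN=(.*?), OU=(.*?), O=(.*?)$
nifi.security.identity.mapping.value.dn=$1
nifi.security.identity.mapping.pattern.kerb=^(.*?)@(.*?)$
nifi.security.identity.mapping.value.kerb=$1
"""
PREFIX = "nifi.security.identity.mapping."

def load_mappings(text):
    """Return [(suffix, compiled pattern, replacement)], sorted by suffix."""
    store = {"pattern": {}, "value": {}}
    for line in text.splitlines():
        key, _, val = line.strip().partition("=")
        if key.startswith(PREFIX):
            kind, _, suffix = key[len(PREFIX):].partition(".")
            if kind in store:
                store[kind][suffix] = val
    # Java-style "$1" back-references become Python-style "\g<1>".
    return [(s, re.compile(store["pattern"][s]),
             re.sub(r"\$(\d+)", r"\\g<\1>", store["value"][s]))
            for s in sorted(store["pattern"]) if s in store["value"]]

def map_identity(identity, mappings):
    """Assumed semantics: first pattern matching the whole identity wins."""
    for _suffix, pattern, replacement in mappings:
        if (match := pattern.fullmatch(identity)):
            return match.expand(replacement)
    return identity  # nothing matched: the raw identity is used unchanged

def collisions(identities, mappings):
    """Mapped names that more than one distinct source identity resolves to."""
    seen = {}
    for ident in identities:
        seen.setdefault(map_identity(ident, mappings), []).append(ident)
    return {name: srcs for name, srcs in seen.items() if len(srcs) > 1}

# Constructed identities (two DNs, a Kerberos principal, one unmatched DN).
SAMPLE = ["CN=jsmith, OU=Engineering, O=Example",
          "CN=jsmith, OU=Contractors, O=Example",
          "jsmith@EXAMPLE.COM",
          "cn=legacy,dc=example,dc=com"]

if __name__ == "__main__":
    rules = load_mappings(PROPS)
    for ident in SAMPLE:
        print(f"{ident!r} -> {map_identity(ident, rules)!r}")
    print("collisions:", collisions(SAMPLE, rules))
```

A non-empty `collisions` result means a single authorization entry would cover several source accounts; if that is not intended, keep a distinguishing group in the mapped value (for example `$1@$2`).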

Re: Is there a way to allow both SSO and LDAP authentication in NiFi?

Rising Star

@Matt thanks for the clarification, it helps a lot!

Re: Is there a way to allow both SSO and LDAP authentication in NiFi?

Master Guru

@Adda Fuentes

no problem
