
NIFI - Set up LDAP integration on a running cluster

Contributor

Hi,

I require assistance in configuring my secure cluster to function with LDAP.

Which procedure is recommended when doing that on a running cluster?

What steps do I need to take first?

Do I need to shut down all the nodes?

Thanks

Edi



Master Mentor

@edim2525 
If your NiFi is already secured, that means you are already using authentication and authorization in some form of configuration. So depending on your current secure setup configuration, the guidance you may need will vary.

There are multiple NiFi configuration files that establish the configurations for authentication and authorization (While authorization is dependent on successful authentication, the processes are executed separately).  

  1. nifi.properties
  2. login-identity-providers.xml
  3. authorizers.xml

Understanding your current setup is important for giving proper guidance to change configuration.

For authenticating LDAP/AD users, you'll want to use the ldap-provider in the login-identity-providers.xml.

For authorization you can NOT use the default "single-user-authorizer" in the authorizers.xml. You'll need to switch to a different provider like the Standard Managed Authorizer.

If you found any of the suggestions/solutions provided helped you with your issue, please take a moment to login and click "Accept as Solution" on one or more of them that helped.

Thank you,
Matt

Contributor

Given that I need to update these three files (nifi.properties, login-identity-providers.xml, authorizers.xml), does this imply that I must stop all the nodes within the cluster, perform the file updates, and then restart the nodes? Is there a method to accomplish this without stopping all the nodes?

Thanks

Edi

Master Mentor (accepted solution)

@edim2525 

You can't have NiFi nodes in a cluster configured for different methods of authentication and authorization. User requests made on any node are proxied to the Cluster Coordinator and then replicated to all nodes. It is unlikely that your user identity will remain the same once you change to using ldap for user authentication. Then you'd be setting up authorization based on those new user identities.

Assuming you are currently using a managed-authorizer which uses the file-user-group-provider and file-access-policy-provider in your NiFi authorizers.xml?
The ldap-provider can be configured to use the LDAP/AD DN (USE_DN) or the username entered at the login prompt (USE_USERNAME) as the user identity (case sensitive).
Before making any changes to authentication, you could add the new ldap-based user identity into your NiFi and authorize that user to all policies your current certificate-based user already has.
Then make a copy of the login-identity-providers.xml file and edit it to add the ldap-provider. Copy the modified login-identity-providers.xml to all nodes.
Then modify the nifi.properties file on all nodes by changing the following line:

nifi.security.user.login.identity.provider=ldap-provider

***Theoretically (never done this), with authorization set up for your new ldap user identity across all nodes, you could probably restart one node at a time, understanding that the only node that redirects to the new ldap-provider based login window would be a node that has been restarted. This way works since your new ldap user identity will get proxied to the other nodes, which will have authorization in place.

On restart of your NiFi cluster, these modified configuration files will be read.
Keep in mind that when no other methods of authentication are enabled, NiFi will "REQUIRE" a client certificate for authentication through a mutual TLS exchange. Once additional methods of user authentication are added, mutual TLS auth is always enabled and attempted first, but instead of "REQUIRE", NiFi will "WANT" a client certificate. Only when no client certificate is presented during the mutual TLS exchange will NiFi move on to the next configured method of authentication (ldap in your case). Mutual TLS can NOT be disabled because it is the only method of authentication for node-to-node communications.

Now a caveat to the above is that I have no idea about your current configuration, current user(s), how you plan to configure your ldap-provider, if you are using LDAP or AD, etc., so the guidance is very high level here.

If you found any of the suggestions/solutions provided helped you with your issue, please take a moment to login and click "Accept as Solution" on one or more of them that helped.

Thank you,
Matt
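A pre-flight check for the cutover Matt describes, written here as an added example (it is not code from this thread or from NiFi): it parses one node's nifi.properties, login-identity-providers.xml and the file-user-group-provider's users file (assumed to be the default conf/users.xml), and reports anything that would make the restarted node fail to log in or authorize the new LDAP identity. All three sample files and the function names are constructed for this example.

```python
import xml.etree.ElementTree as ET

# Constructed sample files for one node after the cutover edits (not taken from the thread).
SAMPLE_PROPERTIES = """nifi.security.user.login.identity.provider=ldap-provider
nifi.security.user.authorizer=managed-authorizer"""
SAMPLE_LIP = """<loginIdentityProviders><provider>
  <identifier>ldap-provider</identifier><class>org.apache.nifi.ldap.LdapProvider</class>
  <property name="Identity Strategy">USE_USERNAME</property>
</provider></loginIdentityProviders>"""
SAMPLE_USERS = """<tenants><users><user identifier="u1" identity="CN=edi, OU=NiFi, O=Example"/>
  <user identifier="u2" identity="Edi"/></users></tenants>"""

def parse_properties(text):
    """Parse nifi.properties-style key=value lines ('#' lines are comments)."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def login_providers(xml_text):
    """Map each <provider> identifier in login-identity-providers.xml to its <property> values."""
    providers = {}
    for prov in ET.fromstring(xml_text).findall("provider"):
        providers[prov.findtext("identifier")] = {
            p.get("name"): (p.text or "").strip() for p in prov.findall("property")}
    return providers

def file_user_identities(users_xml):
    """Identities the file-user-group-provider already knows about (its users.xml)."""
    return {u.get("identity") for u in ET.fromstring(users_xml).iter("user")}

def preflight(props_text, lip_xml, users_xml, ldap_identity):
    """Return findings that would break the new LDAP login on this node; empty means ready."""
    findings, props = [], parse_properties(props_text)
    if props.get("nifi.security.user.authorizer") == "single-user-authorizer":
        findings.append("authorizer is single-user-authorizer; switch to a managed authorizer first")
    wanted, providers = props.get("nifi.security.user.login.identity.provider", ""), login_providers(lip_xml)
    if wanted not in providers:
        findings.append(f"login identity provider '{wanted}' is not defined in login-identity-providers.xml")
    elif providers[wanted].get("Identity Strategy") not in ("USE_DN", "USE_USERNAME"):
        findings.append(f"provider '{wanted}' needs Identity Strategy USE_DN or USE_USERNAME")
    known = file_user_identities(users_xml)
    if ldap_identity not in known:  # exact match only: NiFi identities are case sensitive
        near = [k for k in known if k.lower() == ldap_identity.lower()]
        findings.append(f"identity '{ldap_identity}' differs only in case from '{near[0]}'" if near
                        else f"identity '{ldap_identity}' has no users.xml entry; authorize it before restarting")
    return findings
```

Run it against the copies of the three files you intend to ship to each node before restarting that node; the case-only mismatch is the one that is easiest to miss when switching between USE_DN and USE_USERNAME.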



Contributor

@MattWho My cluster is working with a single-user-authorizer.

I tried your method and tested it on a running cluster with three nodes configured as single-user-authorizer. I updated the three files (nifi.properties, login-identity-providers.xml, authorizers.xml) to work with the LDAP configuration. When I restarted the first node (not primary or coordinator), I got the following error messages in the log.

2023-09-26 11:20:34,441 ERROR [main] o.s.web.context.ContextLoader Context initialization failed
2023-09-26 11:50:19,381 ERROR [main] o.a.nifi.controller.StandardFlowService Failed to load flow from cluster due to: org.apache.nifi.controller.serialization.FlowSynchronizationException: Failed to connect node to cluster because local flow controller partially updated. Administrator should disconnect node and review flow for corruption.
2023-09-26 11:50:19,595 ERROR [main] o.a.n.c.c.node.NodeClusterCoordinator Event Reported for xxx:8443 -- Node disconnected from cluster due to org.apache.nifi.controller.serialization.FlowSynchronizationException: Failed to connect node to cluster because local flow controller partially updated. Administrator should disconnect node and review flow for corruption.

The LDAP configuration takes effect only after restarting all the nodes.