Cloudera Community

Support Questions

Find answers, ask questions, and share your expertise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Advanced Search
Announcements
Celebrating as our community reaches 100,000 members! Thank you!
Solved Go to solution

NIFI - Set up LDAP integration on a running cluster

Labels:
avatar
author-rank edim2525
Contributor

Created ‎08-16-2023 07:29 AM

Hi ,

I require assistance in configuring my secure cluster to function with LDAP.

Which procedure is recommended when doing that on a running cluster?

What steps do I need to take first?

Do I need to shut down all the nodes?

 

Thanks 

Edi

1,521 Views
0 Kudos
1 ACCEPTED SOLUTION

avatar
author-rank MattWho author-rank
Master Mentor

Created ‎09-21-2023 01:14 PM

@edim2525 

You can't have NiFi nodes in a cluster configured for different methods of authentication and authorization.  User requests made on any node are proxied to the Cluster coordinator and then replicated to all nodes.  It is unlikely that your user identity will remain the same once you change to using ldap for user authentication.  Then you be setting up authorization based on those new user identities.

Assuming you are currently using a managed-authorizer which uses the file-user-group-provider and file-access-policy-provider in your NiFi authorizers.xml?   
The ldap-provider can be configured to use the LDAP/AD DN (USE_DN) or the username entered at the login prompt (USE_USERNAME) as the user identity (case sensitive).  
Before making any changes to authentication, you could add the the new ldap based user identity in to  your NiFi and authorize that user to all policies granted your current certificate based user already has. 
Then make a copy of the the login-identity-providers.xml file and Edit to add the the ldap-provider. Copy modified login-identity-providers.xml to all nodes.  
Then modify nifi.properties file on all nodes by changing following line:

nifi.security.user.login.identity.provider=ldap-provider

***Theoretically (never done this) with authorization setup for your new ldap user identity setup across all nodes, you could probably restart one node at a time understanding that the only node that redirect to the new ldap-provider based login window would be a node that has been restarted.  This way wok since your new ldap user identity will get proxied to the other nodes which will have authorization in place.

On restart of your NiFi cluster these modified configuration files will be read.
Keep in mind that when no other methods of authentication are enabled, NiFi will "REQUIRE" a client certificate for authentication through a mutualTLS exchange.  Once additional methods of user authentication is added, mutualTLS auth is always enabled and attempted first, but instead of "REQUIRE", NiFI will "WANT" a client certificate. Only when no client certificate is presented during the MutualTLS exchange will NiFi move on to next configured method of authentication (ldap in your case).  MutualTLS can NOT be disabled because it is only method of authentication for node to node communications.

Now a caveat to above is that I have no idea about your current configuration, current user(s), how you plan to configure your ldap-provider, if you are using LDAP or AD, etc..., so guidance is very high level here.

If you found any of the suggestions/solutions provided helped you with your issue, please take a moment to login and click "Accept as Solution" on one or more of them that helped.

Thank you,
Matt



View solution in original post

1,421 Views
0 Kudos
4 REPLIES 4

avatar
author-rank MattWho author-rank
Master Mentor

Created ‎09-19-2023 07:15 AM

@edim2525 
If your NiFi is already secured that means you have already using authentication and authorization is some form of configuration.   So depending in your current secure setup configuration, the guidance you may need will vary. 

There are multiple NiFi configuration files that establish the configurations for authentication and authorization (While authorization is dependent on successful authentication, the processes are executed separately).  

  1. nifi.properties
  2. login-identity-providers.xml
  3. authorizers.xml

Understanding your current setup is important for giving proper guidance to change configuration.

For authenticating with LDAP/AD users, you'll want to use the ldap-provider in the login-identity-providers.xml

For authorization you can NOT use default "single-user-authorizer" in the authorizers.xml authorizers.xml.  You'll need to switch to a different provider like the Standard Managed Authorizer.

If you found any of the suggestions/solutions provided helped you with your issue, please take a moment to login and click "Accept as Solution" on one or more of them that helped.

Thank you,
Matt

1,446 Views
0 Kudos

avatar
author-rank edim2525
Contributor

Created ‎09-20-2023 11:22 PM

Given that I need to update these three files (nifi.properties,login-identity-providers.xml,authorizers.xml) , does this imply that I must stop all the nodes within the cluster, perform the file updates, and then restart the nodes? Is there a method to accomplish this without stopping all the nodes?

 

Thanks

Edi

1,431 Views
0 Kudos

avatar
author-rank MattWho author-rank
Master Mentor

Created ‎09-21-2023 01:14 PM

@edim2525 

You can't have NiFi nodes in a cluster configured for different methods of authentication and authorization.  User requests made on any node are proxied to the Cluster coordinator and then replicated to all nodes.  It is unlikely that your user identity will remain the same once you change to using ldap for user authentication.  Then you be setting up authorization based on those new user identities.

Assuming you are currently using a managed-authorizer which uses the file-user-group-provider and file-access-policy-provider in your NiFi authorizers.xml?   
The ldap-provider can be configured to use the LDAP/AD DN (USE_DN) or the username entered at the login prompt (USE_USERNAME) as the user identity (case sensitive).  
Before making any changes to authentication, you could add the the new ldap based user identity in to  your NiFi and authorize that user to all policies granted your current certificate based user already has. 
Then make a copy of the the login-identity-providers.xml file and Edit to add the the ldap-provider. Copy modified login-identity-providers.xml to all nodes.  
Then modify nifi.properties file on all nodes by changing following line:

nifi.security.user.login.identity.provider=ldap-provider

***Theoretically (never done this) with authorization setup for your new ldap user identity setup across all nodes, you could probably restart one node at a time understanding that the only node that redirect to the new ldap-provider based login window would be a node that has been restarted.  This way wok since your new ldap user identity will get proxied to the other nodes which will have authorization in place.

On restart of your NiFi cluster these modified configuration files will be read.
Keep in mind that when no other methods of authentication are enabled, NiFi will "REQUIRE" a client certificate for authentication through a mutualTLS exchange.  Once additional methods of user authentication is added, mutualTLS auth is always enabled and attempted first, but instead of "REQUIRE", NiFI will "WANT" a client certificate. Only when no client certificate is presented during the MutualTLS exchange will NiFi move on to next configured method of authentication (ldap in your case).  MutualTLS can NOT be disabled because it is only method of authentication for node to node communications.

Now a caveat to above is that I have no idea about your current configuration, current user(s), how you plan to configure your ldap-provider, if you are using LDAP or AD, etc..., so guidance is very high level here.

If you found any of the suggestions/solutions provided helped you with your issue, please take a moment to login and click "Accept as Solution" on one or more of them that helped.

Thank you,
Matt



1,422 Views
0 Kudos

avatar
author-rank edim2525
Contributor

Created ‎09-26-2023 07:48 AM

@MattWho My cluster is working with a single-user-authorizer .

I tried your method and tested it on a running cluster with three nodes that configure as single-user-authorizer, I updated the three files (nifi.properties,login-identity-providers.xml,authorizers.xml) to work with LDAP configuration. When I restarted the first node (not primary or coordinator ), I got the following error messages in the log. 

2023-09-26 11:20:34,441 ERROR [main] o.s.web.context.ContextLoader Context initialization failed
2023-09-26 11:50:19,381 ERROR [main] o.a.nifi.controller.StandardFlowService Failed to load flow from cluster due to: org.apache.nifi.controller.serialization.FlowSynchronizationException: Failed to connect node to cluster because local flow controller partially updated. Administrator should disconnect node and review flow for corruption.
2023-09-26 11:50:19,595 ERROR [main] o.a.n.c.c.node.NodeClusterCoordinator Event Reported for xxx:8443 -- Node disconnected from cluster due to org.apache.nifi.controller.serialization.FlowSynchronizationException: Failed to connect node to cluster because local flow controller partially updated. Administrator should disconnect node and review flow for corruption.

The LDAP configuration takes effect only after restarting all the nodes

1,375 Views
0 Kudos
Announcements
What's New @ Cloudera
Cloudera Streams Messaging Operator 1.1
What's New @ Cloudera
From Silos to Synergy: Unifying Data Warehousing and AI
What's New @ Cloudera
Cloudera Streaming Analytics 1.13 for Private Cloud Base
What's New @ Cloudera
Get started with Cloudera Data Engineering on AWS Graviton a...
What's New @ Cloudera
[NEW] Cloudera Data Engineering 1.22 for Public Cloud: Suppo...
View More Announcements