
NIFI site to site with single user authentication

New Contributor

I have a remote NiFi with single-user authentication and a secured SSL certificate. I want to enable site-to-site with the remote NiFi from a local NiFi.

I am getting an error like "unauthorized" in the remote process group of the local NiFi.

If I remove the authentication from the remote NiFi, site-to-site works properly and the flow file is transferred to the local NiFi.

Can someone help me get site-to-site working with user authentication?

Community Manager

Welcome to the community @Zifo1 

To enable the community to better assist you, can you provide some additional details about your situation, such as which NiFi version you are using? While you do that, here is a similar thread in case it is of any assistance.


Cy Jervis, Manager, Community Program
Was your question answered? Make sure to mark the answer as the accepted solution.
If you find a reply useful, say thanks by clicking on the thumbs up button.

Super Mentor

@Zifo1 

Welcome to the community....

The Single User Authorizer is not a full-featured authorization provider. It was only added to Apache NiFi so that an out-of-the-box NiFi would be able to start securely and easily for evaluation purposes. It does not provide a mechanism for creating additional authorizations for other identities, such as other NiFi instances.

In order to support authorizing additional user/client identities against various NiFi policies, you'll need to switch to using a production ready authorizer like the "managed-authorizer".
A typical example configuration would look like this:
https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#file-based-kerberos-authentica...

This setup uses the file-user-group-provider and file-access-policy-provider with the managed-authorizer.

Now you could configure your single-user provider identity as the "Initial User Identity 1" in the file-user-group-provider and as the "Initial Admin Identity" in the file-access-policy-provider. This would set up the needed admin policies for this user identity.

Note: Keep in mind that these providers will only generate the authorizations.xml and users.xml files the first time NiFi is started with this configuration. So if you set the above initial user and initial admin identities wrong, you'll need to fix the config, delete these two files, and start NiFi again so they are created again.

The above does nothing with authentication, since you are still using single-user authentication. With this default authentication provider you can only authenticate with the single-user identity or using a clientAuth certificate (which may also be challenging with the default truststore your out-of-the-box NiFi uses). Authentication via a mutual TLS exchange is how NiFi node-to-node communications work, and NiFi site-to-site as well. In order for the mutual TLS exchange to be successful there must be mutual trust of the certificates exchanged. So if one NiFi's certificate is not trusted by the other NiFi's truststore, authentication will not be possible. So you may need to add additional trustedCertEntries (public certs) to both of your NiFis' truststores before you'll be able to successfully negotiate the mutual TLS exchange/handshake.

All the available authentication providers offered are documented here:
https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#user_authentication

Aside from the single-user authentication provider, all other providers rely on some external source. Apache NiFi does not offer a multi-user local authentication provider.

I know this is a lot of info thus far, but it should provide you the path to a slightly more production-ready NiFi that will open up the ability to use additional features not available with the out-of-the-box setup.

If you found any of the suggestions/solutions provided helped you with your issue, please take a moment to login and click "Accept as Solution" on one or more of them that helped.

Thank you,
Matt
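As an added example (not part of the original thread or the NiFi project docs), an authorizers.xml in the shape Matt describes: the file-user-group-provider and file-access-policy-provider behind the managed-authorizer, with the single-user identity as both initial user and initial admin, and the other NiFi's certificate identity created as a second user. All identity strings below are placeholders.

```xml
<!-- Added example: authorizers.xml using the providers described above.
     The identity strings are placeholders; use the exact identity NiFi
     reports for your single user and for each NiFi's server certificate DN.
     Case and whitespace in these strings must match exactly. -->
<authorizers>
    <userGroupProvider>
        <identifier>file-user-group-provider</identifier>
        <class>org.apache.nifi.authorization.FileUserGroupProvider</class>
        <property name="Users File">./conf/users.xml</property>
        <property name="Legacy Authorized Users File"></property>
        <!-- The identity you log in with under single-user authentication -->
        <property name="Initial User Identity 1">single-user-username-placeholder</property>
        <!-- Certificate identity of the other NiFi that connects over
             site-to-site. This only creates the user; the admin must still
             grant it the site-to-site policies after NiFi starts. -->
        <property name="Initial User Identity 2">CN=local-nifi.example.com, OU=NIFI</property>
    </userGroupProvider>

    <accessPolicyProvider>
        <identifier>file-access-policy-provider</identifier>
        <class>org.apache.nifi.authorization.FileAccessPolicyProvider</class>
        <property name="User Group Provider">file-user-group-provider</property>
        <property name="Authorizations File">./conf/authorizations.xml</property>
        <!-- Same identity as Initial User Identity 1; receives the admin policies -->
        <property name="Initial Admin Identity">single-user-username-placeholder</property>
        <property name="Legacy Authorized Users File"></property>
        <property name="Node Identity 1"></property>
        <property name="Node Group"></property>
    </accessPolicyProvider>

    <authorizer>
        <identifier>managed-authorizer</identifier>
        <class>org.apache.nifi.authorization.StandardManagedAuthorizer</class>
        <property name="Access Policy Provider">file-access-policy-provider</property>
    </authorizer>
</authorizers>
```

Select it in nifi.properties with `nifi.security.user.authorizer=managed-authorizer`. Because users.xml and authorizations.xml are generated only on the first start with this configuration, delete both files before restarting if an identity was entered wrong.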

Community Manager

@Zifo1 

Have you been able to resolve your issue? If so, please mark the appropriate reply as the solution, as it will make it easier for others to find the answer in the future.
