Support Questions

Find answers, ask questions, and share your expertise
Announcements
Celebrating as our community reaches 100,000 members! Thank you!

NiFI on Http, enable IAM via oauth2 or ldap

avatar

I have the NIFI on http server I wanted to enable IAM for the application either with oauth2 or ldaP. Please help me which files to be changed if it is oauth or ldap. Suggest the best method among these two. What properties needs to be adjusted in nifi.properties.

please help.

2 REPLIES 2

avatar

@MattWho Dear Matt

Please help me to configure NiFi Running on HTTP with ldap or oauth2

avatar
Super Mentor

@Knowledgeknow 

You can't enable authentication and authorization on an unsecured NiFi (HTTP).  To enable security in NiFi, step one is to configure HTTPS (This will require you to have certificates for all your NiFi nodes).  

The following configuration files have configurations related to securing your NiFi.

nifi.properties --> (framework configuration file has bits related to authentication and authorization).  You would enable security on your NiFi by configuring HTTPS. Once NiFi is configured with an HTTPS port authentication via TLS certificates is enabled (Can NOT be disabled and is always first method attempted to authenticate a user/client).  Teh following section of this file pertain to security:

Login-identity-providers.xml --> (authentication related) used if you want to enable user authentication support through ldap or kerberos. To enable the ldap-provider or kerberos -provider, you'll need to specify one or the other in the nifi.properties configuration property: "nifi.security.user.login.identity.provider".  Out-of the-box NiFi has this configured to use the Single-User-Provider (not intended for production use).

Once you have decided on your authentication method of choice, you'll need to setup Multi-Tenant Authorization.  Authorization is used to control what your various successfully authenticated users/client have access to within NiFi's UI.  This gets configured in the authorizers.xml (order in which you add various providers to this configuration file is very important!!!).   This file consists of only one Authorizer (out of the box it uses the single-user-authorizer.  The "authorizer" is always at the very bottom of the authorizers.xml.file.   Below is a very common example structure (top to bottom order of providers added to file:

Example configuration of above: 

https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#composite-file-and-ldap-based-...

The authorizers.xml will setup the initial required properties for the user/client you define in the fileAccessPolicyProvider "Initial Admin Identity" (the user identity configured in this provider must be returned by ONLY one of the configured UserGroupProviders.  So do NOT configure the initial admin identity in the FileUserGroupProvider if that identity is going to be returned by the LDAPUserGroupProvider.  Don't worry if you mess up here initially, just delete the users.xml (FileUserGroupProvider generated) and authorizations.xml (FileAccessPolicyProvider generated) files and on next startup they will be created again.

Once you have a working authentication and authorization setup, you will be able to define authorizations, using your InItial Admin user, for your other synced directly through the NiFi UI.  You can also define additional authorization for your admin user (is not given access to everything, but is given admin authorization which means this user can set new authorizations for all user including itself. 

If you run it to authorization issue after setup, you'll want to inspect the nifi-user.log.  This log will show the exact case sensitive user/client identity. If it does not match exactly with the identity that was returned by the authorizer UserGroupProviders, you'll need to go back and make some configuration changes until they do. 

Have fun in your journey....

If you found any of the suggestions/solutions provided helped you with your issue, please take a moment to login and click "Accept as Solution" on one or more of them that helped.

Thank you,
Matt