Cloudera Community

Support Questions

Find answers, ask questions, and share your expertise
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Advanced Search
Solved Go to solution

NiFi Authentication with LDAP Groups

Labels:
avatar
author-rank mslnrd
Contributor

Created ‎01-28-2025 10:13 AM

Hello,

I have setup NiFI 2.1.0, and am trying to figure out how to allow users in a NiFi Microsoft AD Group to authenticate to the GUI.  I have it setup so users can log in if I add their LDAP account.  But, I'd rather just have users in the group I created in AD be able to login instead of having to go in and add new users to NiFi each time.

Here are the configs I have setup for my authorizers.xml:

    <userGroupProvider>
        <identifier>file-user-group-provider</identifier>
        <class>org.apache.nifi.authorization.FileUserGroupProvider</class>
        <property name="Users File">./conf/users.xml</property>
        <property name="Initial User Identity 1">ldapuser</property>
    </userGroupProvider>


    <userGroupProvider>
        <identifier>ldap-user-group-provider</identifier>
        <class>org.apache.nifi.ldap.tenants.LdapUserGroupProvider</class>
        <property name="Authentication Strategy">LDAPS</property>

        <property name="Manager DN">CN=NiFiUser,OU=Accounts,DC=my,DC=network,DC=com</property>
        <property name="Manager Password">PasswordHere</property>

	<property name="TLS - Keystore">./conf/keystore.p12</property>
        <property name="TLS - Keystore Password">KSPasswordHere</property>
	<property name="TLS - Keystore Type">PKCS12</property>
	<property name="TLS - Truststore">./conf/truststore.p12</property>
        <property name="TLS - Truststore Password">TSPasswordHere</property>
        <property name="TLS - Truststore Type">PKCS12</property>
        <property name="TLS - Client Auth">REQUIRED</property>
        <property name="TLS - Protocol">TLSv1.2</property>
        <property name="TLS - Shutdown Gracefully"></property>

        <property name="Referral Strategy">FOLLOW</property>
        <property name="Connect Timeout">10 secs</property>
        <property name="Read Timeout">10 secs</property>

        <property name="Url">ldaps://ldapserver.my.network.com:636</property>
        <property name="Page Size"></property>
        <property name="Sync Interval">30 mins</property>
        <property name="Group Membership - Enforce Case Sensitivity">false</property>

        <property name="User Search Base">DC=my,DC=network,DC=com</property>
        <property name="User Object Class">person</property>
        <property name="User Search Scope">SUBTREE</property>
        <property name="User Search Filter"></property>
        <property name="User Identity Attribute">sAMAccountName</property>
        <property name="User Group Name Attribute"></property>
        <property name="User Group Name Attribute - Referenced Group Attribute"></property>

        <property name="Group Search Base">OU=Groups,DC=my,DC=network,DC=com</property>
        <property name="Group Object Class">group</property>
        <property name="Group Search Scope">SUBTREE</property>
        <property name="Group Search Filter"></property>
        <property name="Group Name Attribute">sAMAccountName</property>
        <property name="Group Member Attribute">member</property>
        <property name="Group Member Attribute - Referenced User Attribute"></property>
    </userGroupProvider>


    <accessPolicyProvider>
        <identifier>file-access-policy-provider</identifier>
        <class>org.apache.nifi.authorization.FileAccessPolicyProvider</class>
        <property name="User Group Provider">file-user-group-provider</property>
        <property name="Authorizations File">./conf/authorizations.xml</property>
        <property name="Initial Admin Identity">ldapuser</property>
        <property name="Node Identity 1"></property>
        <property name="Node Group"></property>
    </accessPolicyProvider>


    <authorizer>
        <identifier>managed-authorizer</identifier>
        <class>org.apache.nifi.authorization.StandardManagedAuthorizer</class>
        <property name="Access Policy Provider">file-access-policy-provider</property>
    </authorizer>

I've also tried it with setting the "Group Member Attribute" to 'cn' with the same result.

Here is my login-identity-providers.xml as well:

    <provider>
        <identifier>ldap-provider</identifier>
        <class>org.apache.nifi.ldap.LdapProvider</class>
        <property name="Authentication Strategy">LDAPS</property>

        <property name="Manager DN">CN=NiFiUser,OU=Accounts,DC=my,DC=network,DC=com</property>
        <property name="Manager Password">PasswordHere</property>

	<property name="TLS - Keystore">./conf/keystore.p12</property>
        <property name="TLS - Keystore Password">KSPasswordHere</property>
        <property name="TLS - Keystore Type">PKCS12</property>
	<property name="TLS - Truststore">./conf/truststore.p12</property>
        <property name="TLS - Truststore Password">TSPasswordHere</property>
        <property name="TLS - Truststore Type">PKCS12</property>
        <property name="TLS - Client Auth">REQUIRED</property>
        <property name="TLS - Protocol">TLSv1.2</property>
        <property name="TLS - Shutdown Gracefully"></property>
        
        <property name="Referral Strategy">FOLLOW</property>
        <property name="Connect Timeout">10 secs</property>
        <property name="Read Timeout">10 secs</property>

        <property name="Url">ldaps://ldapserver.my.network.com:636</property>
        <property name="User Search Base">DC=my,DC=network,DC=com</property>
	<property name="User Search Filter">sAMAccountName={0}</property>

        <property name="Identity Strategy">USE_USERNAME</property>
        <property name="Authentication Expiration">12 hours</property>
    </provider>

After I configure these I am not really sure what else I would need to do as the documentation doesn't provide much instruction on what to expect after configuring these.  Are the AD groups supposed to be automatically added to NiFi?  Or do I need to add the group to NiFi manually?  I tried manually adding to just to see but the account I was using to test still couldn't login.

Thanks in advance for helping!

561 Views
0 Kudos
0
1 ACCEPTED SOLUTION

avatar
author-rank MattWho author-rank
Master Mentor

Created ‎01-29-2025 06:14 AM

@mslnrd 

Authentication and authorization are two separate configurations.  A user must successfully authenticate before any authorization is checked.

So from your description, you are getting the NiFi login in window and successfully authenticating using your AD sAMAccountName and password.  This means that the case sensitive username you entered at login is being passed on for authorization handled by the configured authorizer in the authorizers.xml.  

The authorizers.xml is easiest to read from the bottom up starting with the authorizer.
Looking at what you shared, we see the "managed-authorizer" being used which has a dependency on the "file-access-policy-provider" (which persists all the configured authorizations in the authorizations.xml file).   

Now looking at the "file-access-policy-provider", we see it has a dependency on the "file-user-group-provider" for understanding what groups an authenticated user belongs to.

If we then look at the "file-user-group-provider", it simply allows you to manually define new user identities and associated them with manually defined group identities.  Which from you query sounds like what you have been doing thus far.

We can also see that you have added the "ldap-user-group-provider" to the authorizers.xml; however, from reading the file as i described above we can see no path of reference from authorizer to this ldap-user-group-provider.  That means the authorizers is not using any users and groups this provider may be returning.

Now fixing this configuration issue has two possible paths.

1. You can reconfigure the "file-access-policy-provider" to use the "ldap-user-group-provider" 
2. You can configure the "file-access-policy-provider" to use a "Composite-configurable-user-group-provider" (which can be configured to get group info form multiple user-group-providers). 

Note:
You'll need to use the "Composite-configurable-user-group-provider" if using the configurable file-user-group-provider as one of the providers.  The file-user-group-provider can NOT be configured in the "Composite-user-group-provider"


Option 2 allows more flexibility because you can authorize server client auth certificates which are not typically in AD/LDAP.  Such as authorizing NiFi nodes to talk to one another in cluster or authorizing one NiFi to connect to another NiFi via NiFi Site-To-Site capability.

With Option 2, you need to be aware that multiple user group providers can NOT return the same user or group identity string.  Since you have already added your users and groups manually via the file-user-group-provider, NiFi will error on startup complaining that multiple providers have returned the same identity.  So you will need to rename/remove the existing users.xml file and unset the "Initial User Identity 1" field in the file-user-group-provider only.

On Startup, NiFI will pull in user and groups via your ldap-user-group-provider configuration and you will still have the option to manually define additional non AD/LDAP user and group identities if needed via the NiFi UI.

An example authorizers.xml setup of what is described above is found here in the NiFi Admin Guide:
https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#composite-file-and-ldap-based-...

Please help our community grow and thrive. If you found any of the suggestions/solutions provided helped you with solving your issue or answering your question, please take a moment to login and click "Accept as Solution" on one or more of them that helped.

Thank you,
Matt

View solution in original post

536 Views
0 Kudos
0
4 REPLIES 4

avatar
author-rank MattWho author-rank
Master Mentor

Created ‎01-29-2025 06:14 AM

@mslnrd 

Authentication and authorization are two separate configurations.  A user must successfully authenticate before any authorization is checked.

So from your description, you are getting the NiFi login in window and successfully authenticating using your AD sAMAccountName and password.  This means that the case sensitive username you entered at login is being passed on for authorization handled by the configured authorizer in the authorizers.xml.  

The authorizers.xml is easiest to read from the bottom up starting with the authorizer.
Looking at what you shared, we see the "managed-authorizer" being used which has a dependency on the "file-access-policy-provider" (which persists all the configured authorizations in the authorizations.xml file).   

Now looking at the "file-access-policy-provider", we see it has a dependency on the "file-user-group-provider" for understanding what groups an authenticated user belongs to.

If we then look at the "file-user-group-provider", it simply allows you to manually define new user identities and associated them with manually defined group identities.  Which from you query sounds like what you have been doing thus far.

We can also see that you have added the "ldap-user-group-provider" to the authorizers.xml; however, from reading the file as i described above we can see no path of reference from authorizer to this ldap-user-group-provider.  That means the authorizers is not using any users and groups this provider may be returning.

Now fixing this configuration issue has two possible paths.

1. You can reconfigure the "file-access-policy-provider" to use the "ldap-user-group-provider" 
2. You can configure the "file-access-policy-provider" to use a "Composite-configurable-user-group-provider" (which can be configured to get group info form multiple user-group-providers). 

Note:
You'll need to use the "Composite-configurable-user-group-provider" if using the configurable file-user-group-provider as one of the providers.  The file-user-group-provider can NOT be configured in the "Composite-user-group-provider"


Option 2 allows more flexibility because you can authorize server client auth certificates which are not typically in AD/LDAP.  Such as authorizing NiFi nodes to talk to one another in cluster or authorizing one NiFi to connect to another NiFi via NiFi Site-To-Site capability.

With Option 2, you need to be aware that multiple user group providers can NOT return the same user or group identity string.  Since you have already added your users and groups manually via the file-user-group-provider, NiFi will error on startup complaining that multiple providers have returned the same identity.  So you will need to rename/remove the existing users.xml file and unset the "Initial User Identity 1" field in the file-user-group-provider only.

On Startup, NiFI will pull in user and groups via your ldap-user-group-provider configuration and you will still have the option to manually define additional non AD/LDAP user and group identities if needed via the NiFi UI.

An example authorizers.xml setup of what is described above is found here in the NiFi Admin Guide:
https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#composite-file-and-ldap-based-...

Please help our community grow and thrive. If you found any of the suggestions/solutions provided helped you with solving your issue or answering your question, please take a moment to login and click "Accept as Solution" on one or more of them that helped.

Thank you,
Matt

537 Views
0 Kudos
0

avatar
author-rank mslnrd
Contributor

Created ‎01-30-2025 01:45 PM

Thanks for the response! I went ahead and configured with option 2, and was able to get it working.

Thank you very much!

509 Views

avatar
author-rank mslnrd
Contributor

Created ‎01-31-2025 07:11 AM

@MattWhoWhile I am still on the topic, is there anywhere I can find what types of filters I can use in the "User Search Filter" or the Group one?  I am trying to widdle down the amount of objects that are populated from LDAP into my Users. 

In my AD Server, users are in 2 different OU's.  So, for example, I'll have users in ou=Admin Accounts,ou=Domain Admins,dc=my,dc=network,dc=com but I'll also have users in ou=Regular Users,ou=Testers,dc=my,dc=network,dc=com.  And the only way to really pull both are to have my base search set to dc=my,dc=network,dc=com.  Doing this pulls computer accounts and all users, even users that would never need access (like service type accounts).

 

I can filter out the computer accounts by using this filter:

(objectCategory=cn=Person,cn=Schema,cn=Configuration,dc=my,dc=network,dc=com)

But I'd like to also filter out the accounts, or OU's that aren't needed.  Or, if possible just use the 2 NiFi groups I have in AD (Nifi Admins/Nifi Users) without having to populate all of my AD users, if that makes sense.

491 Views
0 Kudos

avatar
author-rank MattWho author-rank
Master Mentor

Created ‎01-31-2025 08:27 AM

@mslnrd 

While kind of related, to prevent confusing other community members, it would be better to start a new community question for this.  This question involves proper authorizers.xml configuration and the new question is specific to user-group-provider configuration.  Feel free to ping me in that new question so I get notified when it is created.

Thank you,
Matt

482 Views
Announcements
What's New @ Cloudera
[RELEASED] Cloudera Streaming Analytics - Kubernetes Operato...
What's New @ Cloudera
[RELEASED] Cloudera Streams Messaging - Kubernetes Operator ...
Community Announcements
February 2025 Community Highlights
What's New @ Cloudera
3 Benefits of External IDE Connectivity, Now Available in Cl...
What's New @ Cloudera
Performance comparison of Spark3 on YARN with S3 Standard VS...
View More Announcements