Cloudera Community

Support Questions

Find answers, ask questions, and share your expertise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Advanced Search

NiFi OpenID Authentication - Forward All Challenges to OpenID Endpoint?

Labels:
avatar
author-rank zlessie
New Contributor

Created ‎06-24-2019 07:02 PM

I've recently setup NiFi to use Keycloak as an authentication method for users. I was wondering if my understanding of NiFi's security is correct, in that NiFi will always require a certificate challenge, and regardless if that certificate challenge passes or fails, NiFi will not use Keycloak. If the certificate challenge is declined, then, and only then, will Keycloak be called upon for authentication.


Originally, I wanted to be able to use Keycloak as the one and only authentication method when logging into NiFi. However, after setting up SSL and the OpenID endpoints for Keycloak, I've found that NiFi will not call upon Keycloak unless the certificate challenge is specifically declined on the browser (as well as if there isn't an applicable certificate for the challenge). Is there anyway to force NiFi to use Keycloak for all challenges? Or, at the very least, if the certificate challenge fails, to redirect the user to Keycloak to try and login? As, during a failure, NiFi stays on a screen with the certificate's properties, but doesn't offer any other redirection outside of going to the homepage (which just directs back to the certificate challenge).


For versions, I'm using:

NiFi: 1.9.2

Keycloak: 4.8.3

3,825 Views
0 Kudos
1 REPLY 1

avatar
author-rank zlessie
New Contributor

Created ‎06-24-2019 08:05 PM

It appears I can't edit my question because of the NiFi tag, but here's more information, if it helps.

After testing and poking around some more, I've found that the process described here is essentially what I'm after, but with certificates instead of a username/password form. If go directly to /nifi on my NiFi server, I get stuck with NiFi's certificate challenge and Keycloak is not used. I did at least find a pattern that gives me what I want, but it isn't ideal:

  1. Go to the NiFi server without any paths attached to the URL (ex: https://localhost:8080/) and get prompted for a certificate -> Decline giving a certificate
  2. Land on the page that tells you that it's going to redirect you to /nifi. After five seconds, I get redirected (to https://localhost:8080/nifi) and prompted for a certificate again -> This time I give a valid certificate
  3. Land on the Keycloak login, which confirms the certificate being used
  4. Successfully login to NiFi

I'd want to avoid this, since it isn't exactly straight forward.

3,736 Views
0 Kudos
Announcements
What's New @ Cloudera
[RELEASED] Cloudera Streams Messaging - Kubernetes Operator ...
What's New @ Cloudera
[RELEASED] Cloudera Streaming Analytics 1.14 for Cloudera Pu...
What's New @ Cloudera
Cloudera Data Engineering 1.23: Access Spark from Your Favor...
What's New @ Cloudera
HBase REST server scaling support is Generally Available
What's New @ Cloudera
New CLI option in the update-database command
View More Announcements