Support Questions

mbraunerde · ‎05-19-2023

Hi guys,

i'm working on a NiFi 1.21.0 and the user login is connected to AzureAd. It's working a nice way for all humans, but we want to check the nifi with our monitoring solution.

My login-identity-providers.xml contains

<loginIdentityProviders>
    <provider>
        <identifier>single-user-provider</identifier>
        <class>org.apache.nifi.authentication.single.user.SingleUserLoginIdentityProvider</class>
        <property name="Username">known-user</property>
        <property name="Password">hashed-known-password</property>
    </provider>
</loginIdentityProviders>

My authorizers.xml contains

<authorizers>
    <userGroupProvider>
        <identifier>file-user-group-provider</identifier>
        <class>org.apache.nifi.authorization.FileUserGroupProvider</class>
        <property name="Users File">./conf/users.xml</property>
        <property name="Legacy Authorized Users File"></property>
        <property name="Initial User Identity 1"></property>
    </userGroupProvider>
    <userGroupProvider>
        <identifier>aad-user-group-provider</identifier>
        <class>org.apache.nifi.authorization.azure.AzureGraphUserGroupProvider</class>
        <property name="Refresh Delay">5 mins</property>
        <property name="Authority Endpoint">https://login.microsoftonline.com</property>
        <property name="Directory ID">DirectoryID</property>
        <property name="Application ID">ApplicationID</property>
        <property name="Client Secret">ClientSecret</property>
        <property name="Group Filter Prefix">Nifi-AAD</property>
        <property name="Page Size">100</property>
    </userGroupProvider>
    <userGroupProvider>
        <identifier>composite-configurable-user-group-provider</identifier>
        <class>org.apache.nifi.authorization.CompositeConfigurableUserGroupProvider</class>
        <property name="Configurable User Group Provider">file-user-group-provider</property>
        <property name="User Group Provider 1">aad-user-group-provider</property>
    </userGroupProvider>
    <accessPolicyProvider>
        <identifier>file-access-policy-provider</identifier>
        <class>org.apache.nifi.authorization.FileAccessPolicyProvider</class>
        <property name="User Group Provider">composite-configurable-user-group-provider</property>
        <property name="Authorizations File">./conf/authorizations.xml</property>
        <property name="Initial Admin Identity">admin@login-domain.com</property>
        <property name="Legacy Authorized Users File"></property>
        <property name="Node Identity 1"></property>
    </accessPolicyProvider>
    <authorizer>
        <identifier>managed-authorizer</identifier>
        <class>org.apache.nifi.authorization.StandardManagedAuthorizer</class>
        <property name="Access Policy Provider">file-access-policy-provider</property>
    </authorizer>
    <authorizer>
        <identifier>single-user-authorizer</identifier>
        <class>org.apache.nifi.authorization.single.user.SingleUserAuthorizer</class>
    </authorizer>
</authorizers>

The nifi.properties contains

nifi.authorizer.configuration.file=./conf/authorizers.xml
nifi.security.user.authorizer=single-user-authorizer
nifi.security.allow.anonymous.authentication=false
nifi.security.user.saml.authentication.expiration=12 hours

nifi.security.user.authorizer=single-user-authorizer
nifi.security.user.login.identity.provider=single-user-provider
nifi.security.user.jws.key.rotation.period=PT1H

nifi.security.user.oidc.discovery.url=https://login.microsoftonline.com/DirecotoryID/v2.0/.well-known/openid-configuration
nifi.security.user.oidc.connect.timeout=5 secs
nifi.security.user.oidc.read.timeout=5 secs
nifi.security.user.oidc.client.id=ApplicationID
nifi.security.user.oidc.client.secret=ClientSecret
nifi.security.user.oidc.preferred.jwsalgorithm=
nifi.security.user.oidc.additional.scopes=profile
nifi.security.user.oidc.claim.identifying.user=email
nifi.security.user.oidc.fallback.claims.identifying.user=upn

My Questions:

1) Is it possible to login with the "known user" of login-identity-providers.xml?

2) How can I access the api?

Thank you for your time!

mbraunerde · ‎05-23-2023

If nobody got a solution, that's okay, but does anybody got a hint for me to solve the authentication at the rest api of nifi regarding AzureAD OAuth2?

*edited - fix typo*

MattWho · ‎05-26-2023

@mbraunerde Based on what you shared , you are not configured to interact/use your AzureAD at all.

Your nifi.properties is configured to use the out-of-the-box "single-user-provider":

nifi.security.user.login.identity.provider=single-user-provider

This login provider generates a single local user with the specific username and password configured in the provider's configuration within the login-identity-providers.xml

The only authorizer that supports the single-user-provider is the single-user-authorizer which simply gives your single configured user complete access to everything in your NiFi. The other authorizer in your authorizers.xml is not being used at all. These single user authentication and authorization providers also are not support in a NiFi cluster setup. Their intent when created was simply to make it real easy for user just starting to experiment with NiFi to have a secured setup, so that their NiFi UI was not exposed to the world over http.

The first thing i'd recommend is setting up your NiFi in a more production ready configuration using certificate you generate or generate through a certificate authority. Then switch to a different authentication and authorization providers. For example the ldap- provider for login which can be configured to authenticate users via LDAP/AD. Then pair that with a managed authorizer.

This production ready authentication and authorization setup will then give you the ability to support authentication for multiple users and give you ability to set user specific authorizations that control what each user is allowed to access and interact with.

As far as interfacing with your NiFi via the NiFi-API, the recommend method would be to create a clientAuth certificate for the interaction. A secured NiFi (HTTPS) will support authentication via a mutualTLS handshake (only if not using single user) always. Meaning it will WANT a client certificate when interacting with the URL or via the rest-api. If the a client certificate is not presented, NiFi will attempt next configured authentication method. While you can use other authentication methods to interact with the rest-api (like ldap-provider), it is more difficult to manage since you would first need to interact with the login rest-api endpoint to get a client token and store that token so it can be passed in every additional rest-api call you make. That token does expire which means you would need to fetch a new token periodically. With a clientTLS certificate through a mutualTLS based authentication, you simply include that client certificate in every rest-api call (no need to get a token). Client certificate can have a configurable expiration (typically 1 or 2 years by default).

If you found that the provided solution(s) assisted you with your query, please take a moment to login and click Accept as Solution below each response that helped.

Thank you,

Matt

mbraunerde · ‎05-27-2023

Hi,

thx for your hints. AzureAD Login is already working, but I will check why after my vacations and keep this topic updated.

MattWho · ‎05-30-2023

@mbraunerde

I guarantee your NiFi is not authenticating via your AzureAD as long as your NiFi is still configured as your configuration is shared above.

These two nifi.properties properties are configured to which login provider and authorization provider are actively being used:

Authentication:
nifi.security.user.login.identity.provider=single-user-provider

Authorization:
nifi.security.user.authorizer=single-user-authorizer

While your authorizers.xml has additional providers:

file-user-group-provider
aad-user-group-provider
composite-configurable-user-group-provider
file-access-policy-provider

and an additional authorizer that utilizes the above providers:

managed-authorizer

These are not being used by the NiFi application core because the nifi.properties is still pointing at the "single-user-authorizer" rather then the "managed-authorizer"

Also the "Single-user-provider" can only be used with the "Single-user-authorizer", so you'll need to configure a different login identity provider like the "ldap-provider".

If you found that the provided solution(s) assisted you with your query, please take a moment to login and click Accept as Solution below each response that helped.

Thank you,

Matt

mbraunerde · ‎07-11-2023

Hi guys,

i've got time to check this behaviour! 🤗

Here my changes, which i only made and the AzureAD was requested.

nifi@ad62a85cc576:/opt/nifi/nifi-current/conf$ diff nifi.properties nifi.properties.fresh
199c199
< nifi.security.user.oidc.discovery.url=https://login.microsoftonline.com/DirecotoryID/v2.0/.well-known/openid-configuration
---
> nifi.security.user.oidc.discovery.url=
202,203c202,203
< nifi.security.user.oidc.client.id=ApplicationID
< nifi.security.user.oidc.client.secret=ClientSecret
---
> nifi.security.user.oidc.client.id=
> nifi.security.user.oidc.client.secret=
205,207c205,207
< nifi.security.user.oidc.additional.scopes=profile
< nifi.security.user.oidc.claim.identifying.user=email
< nifi.security.user.oidc.fallback.claims.identifying.user=upn
---
> nifi.security.user.oidc.additional.scopes=offline_access
> nifi.security.user.oidc.claim.identifying.user=
> nifi.security.user.oidc.fallback.claims.identifying.user=

That was only my first try. I will keep everyone up to date, if i got more infos

MattWho · ‎07-11-2023

@mbraunerde

When you authenticate to NiFi, a client token is issued for your user. That token is then presented by your browser with all subsequent requests since every action performed in NiFi must be both authenticated and authorized. When the token expires, a new one must be obtained.

While you have configured the OIDC properties to support authentication via an external AD, you are still using the Single-user-authorizer which allows full access to only the user created by the Single-user-provider.

I suggest you modify your nifi.properties file to use:

nifi.security.user.authorizer=managed-authorizer

This provider will utilize the the file-access-policy-provider (authorizations.xml file) for user authorizations.
With your configuration above it will set admin level authorizations for user:

admin@login-domain.com

This user would be then allowed to access the NiFi and manage additional user authorizations via the UI.

As far as access to the NiFi rest-api, I'd recommend using a certificate instead of your AD.
1. No need to obtain a user token - Include the clientAuth certificate in all your rest-api calls.
2. Will work for as long as the client certificate is valid. Certificate can be configured with long validity dates (often 2 years or more)
3. Token are only valid for the NiFi node on which they were issued. meaning if you accessed a different NiFi node in a NiFi cluster or a different instance of NiFi, you would need to get a new token each time.
4. Using a token requires you then to store that token somewhere for reuse by your individual rest-api calls.

If you found that the provided solution(s) assisted you with your query, please take a moment to login and click Accept as Solution below each response that helped.

Thank you,

Matt

Cloudera Community

Support Questions

NiFi RestApi and AzureAD Login