Support Questions
Find answers, ask questions, and share your expertise

NiFi user authentication without Ranger or Kerberos

NiFi user authentication without Ranger or Kerberos

Rising Star

I have set up my NiFi instance (NiFi 1.0) to communicate over SSL and authenticate the admin user with a certificate, based on this article. This has worked correctly. Now I would like to add new users to NiFi, and have those users authenticate using username/password. I know this is possible with LDAP, as well as with Ranger and Kerberos, however I would prefer to manage my users directly through NiFi. Adding new users is straightforward, but there is no way I can see to set a password for a user.

Is there any way to achieve this? I know it is possible to create my own LoginIdentityProvider. Does anybody have an example of code that could do what I want?


Re: NiFi user authentication without Ranger or Kerberos

Hi @Mark Heydenrych,

This is not something you can do at the moment. To have login/password authentication you must configure a LDAP as login identity provider. Otherwise you could define users in NiFi and issue individual certificates (to be added in the browser) for each user you need.

Another option would be to develop a custom login identity provider to achieve what you are looking for.

Side note - setting a LDAP server can be easily achieved. You can find an example here:

Hope this helps.

Re: NiFi user authentication without Ranger or Kerberos

Master Guru

@Mark Heydenrych

Just to add some clarity to what you are trying to do.

There are two steps that must be successful before any user can access any of a secured NiFi's resources:

1. Authentication - NiFi supports user authentication via user certs (default), kerberos, or LDAP. This authentication layer has nothing to do with users that have been added to either NiFi's internal user authorizer or Ranger.

2. Authorization - After and only after user authentication is successful will user authorization take place. This is where the now authenticated user is checked against an authorizer (default is NiFi's file based authorizer, but Ranger is also supported for this) to see which NiFi resources that user has been granted access to.

There is no single endpoint that can be used to do facilitate both authentication and authorization at this time.