Cloudera Community

Support Questions

Find answers, ask questions, and share your expertise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Advanced Search
Solved Go to solution

Nifi-Registry OIDC

Labels:
avatar
author-rank RRosa
Explorer

Created ‎03-09-2023 11:46 AM

How to configure OIDC authentication in nifi-registry 1.19.1?
When configuring secure access ssl + oidc does not display the UI when trying to access. In the log I don't see errors just warnings, one of them is this:
o.s.l.core.support.AbstractContextSource Property 'userDn' not set - anonymous context will be used for read-write operations

Is it possible to access this version through OIDC?

2,555 Views
0 Kudos
1 ACCEPTED SOLUTION

avatar
author-rank MattWho author-rank
Master Mentor

Created ‎03-09-2023 12:54 PM

@RRosa 

That particular exceptions seems to point an issue with the ldap-provider configuration in your nifi-registry possible related to the manager DN property not being set.
Would need to see your nifi-registry.properties and authorizers.xml to provide more context around the above exception.

Yes, OIDC is supported in NiFi-Registry 1.19.1.  When access in a secured (TLS/SSL Enabled) NiFi-Registry, the UI is displayed as the "anonymous" user.  Only "public" buckets will be visible.  In order to login via OIDC, you would need to click on the login via OIDC link in the UI.

OIDC properties:
nifi.registry.security.user.oidc.discovery.url=
nifi.registry.security.user.oidc.connect.timeout=5 secs
nifi.registry.security.user.oidc.read.timeout=5 secs
nifi.registry.security.user.oidc.client.id=
nifi.registry.security.user.oidc.client.secret=
nifi.registry.security.user.oidc.preferred.jwsalgorithm=
nifi.registry.security.user.oidc.additional.scopes=
nifi.registry.security.user.oidc.claim.identifying.user=

If you found that the provided solution(s) assisted you with your query, please take a moment to login and click Accept as Solution below each response that helped.

Thank you,

Matt



View solution in original post

2,528 Views
0 Kudos
4 REPLIES 4

avatar
author-rank MattWho author-rank
Master Mentor

Created ‎03-09-2023 12:54 PM

@RRosa 

That particular exceptions seems to point an issue with the ldap-provider configuration in your nifi-registry possible related to the manager DN property not being set.
Would need to see your nifi-registry.properties and authorizers.xml to provide more context around the above exception.

Yes, OIDC is supported in NiFi-Registry 1.19.1.  When access in a secured (TLS/SSL Enabled) NiFi-Registry, the UI is displayed as the "anonymous" user.  Only "public" buckets will be visible.  In order to login via OIDC, you would need to click on the login via OIDC link in the UI.

OIDC properties:
nifi.registry.security.user.oidc.discovery.url=
nifi.registry.security.user.oidc.connect.timeout=5 secs
nifi.registry.security.user.oidc.read.timeout=5 secs
nifi.registry.security.user.oidc.client.id=
nifi.registry.security.user.oidc.client.secret=
nifi.registry.security.user.oidc.preferred.jwsalgorithm=
nifi.registry.security.user.oidc.additional.scopes=
nifi.registry.security.user.oidc.claim.identifying.user=

If you found that the provided solution(s) assisted you with your query, please take a moment to login and click Accept as Solution below each response that helped.

Thank you,

Matt



2,529 Views
0 Kudos

avatar
author-rank teriyatha
New Contributor

Created ‎12-12-2023 06:56 PM

@MattWho 
I managed to enable OIDC based authentication for Nifi - registry. However there are tow challenges post login.

1.  After login via OIDC the user does have the necessary permissions. Getting the following message in the logs.
"Property 'userDn' not set - anonymous context will be used for read-write operations"

2. While trying to logout getting the following message in the browser:
"The 'post_logout_redirect_uri' parameter must be a Logout redirect URI in the client app settings:..."

Could you please let me know if there additional setting to address the above issues

1,720 Views
0 Kudos

avatar
author-rank archie
New Contributor

Created ‎10-03-2024 02:30 AM

Set the nifi-registry security INITIAL_ADMIN_IDENTITY value to your admin email address.
From the nifi-registry using oidc, login using the admin email address. And you will see all permissions in the nifi-registry page...


 

477 Views

avatar
author-rank marcelo225
New Contributor

Created on ‎12-03-2024 02:39 AM - edited ‎12-03-2024 01:33 PM

It works fine @archie !
Thanks!

This is my following snipped docker-compose code:

nifi-registry:
image: apache/nifi-registry:1.23.2
container_name: nifi-registry
hostname: nifi-registry
restart: "no"
ports:
- 18443:18443
volumes:
- ./nifi/certs/localhost:/opt/certs
environment:
TZ: America/Sao_Paulo
NIFI_REGISTRY_WEB_HTTPS_PORT: 18443
AUTH: oidc
KEYSTORE_PATH: /opt/certs/keystore.jks
KEYSTORE_TYPE: JKS
KEYSTORE_PASSWORD: changeit
TRUSTSTORE_PATH: /opt/certs/truststore.jks
TRUSTSTORE_PASSWORD: changeit
TRUSTSTORE_TYPE: JKS
INITIAL_ADMIN_IDENTITY: test@test.com
NIFI_REGISTRY_SECURITY_USER_OIDC_DISCOVERY_URL: http://<LOCAL_KEYCLOAK_IP>:8080/realms/TEST/.well-known/openid-configuration
NIFI_REGISTRY_SECURITY_USER_OIDC_CONNECT_TIMEOUT: 10000
NIFI_REGISTRY_SECURITY_USER_OIDC_READ_TIMEOUT: 10000
NIFI_REGISTRY_SECURITY_USER_OIDC_CLIENT_ID: nifi
NIFI_REGISTRY_SECURITY_USER_OIDC_CLIENT_SECRET: <CLIENT_SECRET>
NIFI_REGISTRY_SECURITY_USER_OIDC_PREFERRED_JWSALGORITHM: RS256
NIFI_REGISTRY_SECURITY_USER_OIDC_ADDITIONAL_SCOPES: openid,email,profile
NIFI_REGISTRY_SECURITY_USER_OIDC_CLAIM_IDENTIFYING_USER: preferred_username
networks:
- test-net

 

 

110 Views
Announcements
What's New @ Cloudera
[RELEASED] Cloudera Streaming Analytics 1.14 for Cloudera Pu...
What's New @ Cloudera
Cloudera Data Engineering 1.23: Access Spark from Your Favor...
What's New @ Cloudera
HBase REST server scaling support is Generally Available
What's New @ Cloudera
New CLI option in the update-database command
What's New @ Cloudera
New Action menu item in the Cloudera Operational Database UI
View More Announcements