
Nifi Registry + openid ?

Contributor

Hi, is there a way to log in to NiFi Registry via OpenID (e.g. Google)?

I'm thinking of how I can secure the instance without a domain like in NiFi

Thanks!

1 ACCEPTED SOLUTION

Super Mentor

@Alexandros 

Securing NiFi and NiFi-Registry will always require TLS certificates. There are then numerous options for authentication into those secured services.

Both NiFi and NiFi Registry offer:

1. User-based certificate authentication. You would need to create a user certificate for each user who will access NiFi or NiFi-Registry.
2. SPNEGO - This requires that you have a KDC and your users have SPNEGO enabled in their browser.
3. LDAP/AD user authentication. You would need to have your own LDAP/AD setup which you can use to authenticate your users.
4. Kerberos login provider. This would require you to set up your own KDC as well.

NiFi also supports OpenID Connect compatible service-based authentication; however, the same is not offered in NiFi-Registry. The Jira for adding OpenID Connect capability to NiFi-Registry is still open here:
https://issues.apache.org/jira/browse/NIFIREG-313

So based on options above and depending on the number of users you want to give access to, your best options are either by issuing each of your users a user/client certificate or setting up a simple LDAP server or KDC server.

 

Hope this helps,

Matt

Contributor

By checking the status of https://issues.apache.org/jira/browse/NIFIREG-313, it seems that the feature of authenticating using OIDC for NiFi Registry is already resolved as of 9/14/2020.

But in the NiFi Registry admin guide at https://nifi.apache.org/docs/nifi-registry-docs/index.html, it still mentions that only LDAP and Kerberos are supported. Is the document up-to-date?