Created 09-26-2023 11:37 PM
Hi, I would like to enquire about the missing access policies features as I run my nifi instance.
Steps that I did:
1) Generate the certificate and key (keystore.jks, truststore.jks, nifi.properties)
   Command: .\bin\tls-toolkit.sh standalone -n "localhost"
2) Copy the above 3 files to ".\nifi-1.23.2\conf"
3) Generate the user's client certificate to authenticate to NiFi
   Command: .\bin\tls-toolkit.sh standalone -C "CN=sys_admin, OU=NIFI"
4) Load the client certificate into the web browser (Edge)
5) Populate the Initial Admin Identity
   Open authorizers.xml in ".\nifi-1.23.2\conf"
   In the userGroupProvider section, replace <property name="Initial User Identity 1"></property> with <property name="Initial User Identity 1">CN=sys_admin, OU=NIFI</property>
   In the accessPolicyProvider section, replace <property name="Initial Admin Identity"></property> with <property name="Initial Admin Identity">CN=sys_admin, OU=NIFI</property>
6) Start NiFi
   Command: .\bin\run-nifi.bat
7) Open the web browser to https://localhost:9443/nifi
Created 09-27-2023 06:24 AM
@techNerd
I don't see a question in your post. I can only assume you are talking about the missing "key" policy icon on your NiFi Flow root process group? This indicates your authenticated user is not authorized to view or modify all policies. What is also interesting from your screenshot is that the user identity displayed in the upper right corner is a UUID and not "CN=sys_admin, OU=NIFI" from your user certificate. So I think you have multiple issues here with your configuration. Inspect your nifi.properties, login-identity-providers.xml, and authorizations.xml files for configuration issues.
Also take note that the file-user-group-provider ONLY creates the users.xml file if it does not already exist during startup. It does not modify an already existing file. The file-access-policy-provider generates the authorizations.xml (a different file from authorizers.xml) ONLY if it does not already exist at startup. It will not modify an already existing file.
What version of Apache NiFi is being used?
Did you maybe leave remnants of the single-user-provider or single-user-authorizer configured? If so remove these two providers from your configuration.
Below is more info about the "initial admin":
The intent of the "Initial Admin" is to give that user just enough authority to function as a NiFi Admin: access the UI, access to view and modify tenants/users, create new user and group identities (assumes file-based authorization is configured), access to assign or remove access policies for users/groups, access to the NiFi controller settings, and view/modify on the root process group (if first started up with no pre-existing flow.xml.gz/flow.json.gz in place). It is not meant to grant the admin all policies, but the admin has the ability to add themselves to all policies.
There are often clear divisions of responsibility between admins and dataflow designers/engineers. An admin not involved with creating flows would have no need to be able to build flows, access component configurations, view content, view data provenance, etc. So policies of this nature are not assigned as part of the initial admin setup.
If you found any of the suggestions/solutions provided helped you with your issue, please take a moment to login and click "Accept as Solution" on one or more of them that helped.
Thank you,
Matt
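Matt's point that users.xml and authorizations.xml are only generated when they do not already exist is easy to check before the next restart. The script below is an added example, not code from this thread or from the Apache NiFi project. It parses a constructed authorizers.xml, users.xml and authorizations.xml (sample data, not files from the poster's setup) and reports a leftover single-user authorizer, an Initial Admin Identity that is absent from a pre-existing users.xml, and an admin who holds no /flow read policy in a pre-existing authorizations.xml. The element and attribute names follow NiFi's file-based provider formats; the function name check_authorizer_setup, the sample UUIDs and the constructed identities are mine.

```python
"""Pre-start check for a NiFi file-based authorizer setup (added example).

NiFi writes users.xml and authorizations.xml only when they are missing, so a
stale copy from an earlier start silently ignores the Initial User / Initial
Admin identities set later in authorizers.xml.  All XML below is constructed
sample input, not data taken from the thread.
"""
import xml.etree.ElementTree as ET

ADMIN = "CN=sys_admin, OU=NIFI"          # identity from the original post
ADMIN_UUID = "99999999-8888-7777-6666-555555555555"   # constructed
OLD_UUID = "11111111-2222-3333-4444-555555555555"     # constructed

# Clean authorizers.xml: the two edits the original post describes.
CLEAN_AUTHORIZERS_XML = f"""<authorizers>
  <userGroupProvider>
    <identifier>file-user-group-provider</identifier>
    <class>org.apache.nifi.authorization.FileUserGroupProvider</class>
    <property name="Users File">./conf/users.xml</property>
    <property name="Initial User Identity 1">{ADMIN}</property>
  </userGroupProvider>
  <accessPolicyProvider>
    <identifier>file-access-policy-provider</identifier>
    <class>org.apache.nifi.authorization.FileAccessPolicyProvider</class>
    <property name="User Group Provider">file-user-group-provider</property>
    <property name="Authorizations File">./conf/authorizations.xml</property>
    <property name="Initial Admin Identity">{ADMIN}</property>
  </accessPolicyProvider>
</authorizers>"""

# Same file with a single-user authorizer block left behind.
LEFTOVER_BLOCK = """  <authorizer>
    <identifier>single-user-authorizer</identifier>
    <class>org.apache.nifi.authorization.single.user.SingleUserAuthorizer</class>
  </authorizer>
</authorizers>"""
AUTHORIZERS_WITH_LEFTOVER = CLEAN_AUTHORIZERS_XML.replace("</authorizers>", LEFTOVER_BLOCK)

# users.xml from an earlier start that never contained the new admin identity.
STALE_USERS_XML = f"""<tenants><groups/><users>
  <user identifier="{OLD_UUID}" identity="CN=old_admin, OU=NIFI"/>
</users></tenants>"""

# users.xml that does contain the admin identity.
GOOD_USERS_XML = f"""<tenants><groups/><users>
  <user identifier="{ADMIN_UUID}" identity="{ADMIN}"/>
</users></tenants>"""

# authorizations.xml whose only /flow policy points at the old UUID.
STALE_AUTHORIZATIONS_XML = f"""<authorizations><policies>
  <policy identifier="p-1" resource="/flow" action="R">
    <user identifier="{OLD_UUID}"/>
  </policy>
</policies></authorizations>"""


def _props(elem):
    """Map <property name="..."> text for one provider element."""
    return {p.get("name"): (p.text or "").strip() for p in elem.findall("property")}


def check_authorizer_setup(authorizers_xml, users_xml=None, authorizations_xml=None):
    """Return a list of findings; an empty list means nothing looked wrong."""
    findings = []
    root = ET.fromstring(authorizers_xml)

    # Remnants of the single-user provider/authorizer are a common leftover.
    for elem in root:
        ident = (elem.findtext("identifier") or "").strip()
        if "single-user" in ident:
            findings.append(f"leftover single-user component still configured: {ident}")

    ugp = root.find("userGroupProvider")
    apl = root.find("accessPolicyProvider")
    initial_users = [v for k, v in _props(ugp).items()
                     if k.startswith("Initial User Identity")] if ugp is not None else []
    admin = _props(apl).get("Initial Admin Identity", "") if apl is not None else ""
    if not admin:
        findings.append("Initial Admin Identity is empty")
        return findings
    # NiFi matches identities as exact strings, so spacing and case matter.
    if admin not in initial_users:
        findings.append(f"{admin!r} is not listed as an Initial User Identity (exact match)")

    admin_uuid = None
    if users_xml is not None:
        users = {u.get("identity"): u.get("identifier")
                 for u in ET.fromstring(users_xml).iter("user")}
        admin_uuid = users.get(admin)
        if admin_uuid is None:
            findings.append(f"users.xml already exists and lacks {admin!r}; "
                            "it will not be rewritten on startup")

    if authorizations_xml is not None:
        if admin_uuid is None:
            findings.append("authorizations.xml already exists but the admin has no "
                            "users.xml entry to cross-reference")
        else:
            granted = {(p.get("resource"), p.get("action"))
                       for p in ET.fromstring(authorizations_xml).iter("policy")
                       if any(u.get("identifier") == admin_uuid for u in p.findall("user"))}
            if ("/flow", "R") not in granted:
                findings.append("authorizations.xml already exists and grants the admin "
                                "no /flow read policy; it will not be rewritten on startup")
    return findings


if __name__ == "__main__":
    for line in check_authorizer_setup(AUTHORIZERS_WITH_LEFTOVER, STALE_USERS_XML,
                                       STALE_AUTHORIZATIONS_XML):
        print("FINDING:", line)
```

Run against real files by reading conf/authorizers.xml, conf/users.xml and conf/authorizations.xml into the three arguments. Any finding that names an already-existing file means the fix is to correct or remove that file before restarting, since editing authorizers.xml alone changes nothing once the generated files exist.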