@darkcoffeelake
NiFi out-of-the-box setup generates simply keystore and truststore automatically and set the login provider to single-user-provider and authorizer to single-user-authorizer. This out-of-the-box setup is simplifies secured access for evaluation of NiFi. It is not a production ready setup in that it does not support multi-user authentication, granular access controls, or NiFi cluster setups.
There are bunch of steps that go into securing Apache NiFi for production ready environments. Securing NiFi not only sets up NiFi over an HTTPS connection, but also requires that user authentication and authorization is setup.
NiFi will require a keystore and truststore which youcan create yourself or use publicly available service to create them for you (example would be tinycert). The keystore created for you NiFi must meet the following requirements for NiFi:
- Contains only 1 PrivateKey entry.
- Does not use wildcards in the DN of PrivateKey certificate.
- Has both clientAuth and serverAuth Extended key Usage (EKU)
- Has SubjectAlternativeNames (SAN) entry(s) matching NiFi hostname and any other name that may be used to access the NiFi.
The truststore needs to contain the complete trust chain for your NiFi keystore certficate. A certifcate might be self signed (meaning both issuer and signer are same DN), it may be signed by an intermediate CA, or rootCA. If signed by an intermeidiate CA, your truststore would need to have the trustedCertEntry (public key) for the intermediate CA (intermediate CA is any CA where signer and issuer are different DNs) and the trusted certEntry for that signer and so until you reach the root CA in the chain (root CA will have same signer and issuer DN).
Once you have your certificates, you'll need to decide how your users are going to authenticate with NiFi. NiFi does not have a embedded provider that supports multi-user authentication. Here is what is available to choose from:
User Authentication
LDAP and Kerberos are probably the most commonly used.
Once you have decided how you are going to authenticate your users, you'll need to setup authorization for those users. here are your options here:
Multi-Tenant Authorization
The simplest authorizers.xml setup would utilize the StandardManagedAuthorizer, FileAccessPolicyProvider, and FileUserGroupProvider.
a sample configuration can be seen here:
https://nifi.apache.org/documentation/nifi-2.0.0-M1/html/administration-guide.html#file-based-ldap-a...
If setup correctly, on first startup, the above authorizers.xml will generate and seed the users.xml and authorizations.xml file so that your initial admin user (a ldap user or kerberos user for example) with the necessary authorization policies to access the NiFi UI. From the NiFi UI, that initial admin user can setup additional user identity authorizations.
If you found any of the suggestions/solutions provided helped you with your issue, please take a moment to login and click "Accept as Solution" on one or more of them that helped.
Thank you,
Matt
