Want to Use SSL i.e., Organization Provided Certs for New NiFi Cluster Users

Contributor

Hello, I have a 3 node NiFi Cluster up and running. The Initial Admin User is able now to successfully log into the NiFi cluster.

I would now like to add new users to the NiFi cluster and SSL i.e., signed PKI certs for each user as the basis for these users to gain access to NiFi.

I do not want to use LDAP, I am in an environment that will require use of PKI certs for access to NiFi.

Can someone provide a prescriptive set of steps I can follow to successfully use PKI certs/SSL as a means of providing access to new NiFi cluster users and specifically, how do I add new users?

I would think the process of creating new users and using SSL would be explained explicitly.

Can someone help me with this?

VR,

Dave

3 ACCEPTED SOLUTIONS

Master Mentor

@davehkd 

Your corporate PKI certs are just certs signed by your corporate signing authority. So really nothing needs to change in the configuration of your NiFi. However, you will need to add your corporate signing authority's public certificate to the truststore.jks used by your NiFi.

When you access the NiFi UI a mutual TLS exchange occurs. Your client (browser) initiates the connection with a client Hello to which the server will respond with a server Hello. In that server hello a list of certificate authorities (comes from CAs in the NiFi truststore) will be provided back to the client. This tells the client that it will only accept a client certificate signed by one of those authorities. If the client (your browser) has a PKI certificate loaded that was signed by one of those trusted authorities, that client certificate can be used to complete the mutual TLS exchange. Much more happens in the mutual TLS client server handshake, but I'll just stick to the certificate specifics here.

NiFi does nothing out of spec when it comes to certificates and NiFi has nothing to do with creating users. You can create your own self-signed certificates via command line tools, use a public signing authority to create signed certificates, or in your case use your corporate signing authority to create certificates. A java keystore is nothing more than a container that can hold 1 to many certificates.

The only requirement NiFi has with regards to the keystore is that it contains only 1 PrivateKeyEntry (private cert). The truststore (just another keystore) can contain 1 to many trustedCertEntries (public certs) and often contains many public intermediate and root CAs.

If you found that the provided solution(s) assisted you with your query, please take a moment to login and click Accept as Solution below each response that helped.

Thank you,

Matt

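The two store rules in the reply above (the corporate CA's public certificate goes into the truststore; the keystore holds exactly one PrivateKeyEntry) as a small shell helper. This is an added example, not code from the thread or from the NiFi project. The keytool wrapper functions, the store paths, aliases and passwords they take, and the sample `keytool -list` text are assumptions constructed for illustration; the `nifi.security.truststore` property named in a comment is the nifi.properties key that points at the truststore and is not mentioned in the thread itself.

```shell
#!/bin/sh
# Added example, not code from the thread or from the NiFi project: helpers
# for the two store rules described in the reply (corporate CA goes into the
# truststore; the keystore holds exactly one PrivateKeyEntry). Paths, aliases
# and passwords passed to the keytool wrappers are placeholders.

# Count entries of one type ("PrivateKeyEntry" or "trustedCertEntry") in the
# text that `keytool -list` prints, read from stdin. Entry lines look like
# "alias, Jan 1, 2024, PrivateKeyEntry,".
count_entries() {
    awk -v t="$1" '$0 ~ (", " t ",") { n++ } END { print n + 0 }'
}

# Returns 0 when the listing on stdin holds exactly one PrivateKeyEntry,
# which is what NiFi expects of its keystore; 1 otherwise.
keystore_listing_ok() {
    n=$(count_entries PrivateKeyEntry)
    [ "$n" -eq 1 ]
}

# Import the corporate signing authority's public certificate into the
# truststore NiFi uses (the file named by nifi.security.truststore in
# nifi.properties). NiFi has to be restarted to pick up the new trusted CA.
add_ca_to_truststore() {
    # $1 = truststore path, $2 = alias for the CA, $3 = CA cert file, $4 = store password
    keytool -importcert -noprompt -keystore "$1" -alias "$2" -file "$3" -storepass "$4"
}

# List a real store and apply the single-PrivateKeyEntry check to it.
audit_keystore() {
    # $1 = keystore path, $2 = store password
    keytool -list -keystore "$1" -storepass "$2" | keystore_listing_ok
}

# Constructed sample of `keytool -list` output (not a real store) so the
# checks can be exercised without a JDK: one private key plus one trusted CA.
sample_listing() {
    cat <<'EOF'
Keystore type: PKCS12
Keystore provider: SUN

Your keystore contains 2 entries

nifi-node1, Jan 1, 2024, PrivateKeyEntry,
Certificate fingerprint (SHA-256): 00:11:22:33:44:55:66:77
corp-root-ca, Jan 1, 2024, trustedCertEntry,
Certificate fingerprint (SHA-256): 88:99:AA:BB:CC:DD:EE:FF
EOF
}

# Constructed listing that breaks the rule: two private keys in one store.
sample_bad_listing() {
    cat <<'EOF'
Your keystore contains 2 entries

nifi-node1, Jan 1, 2024, PrivateKeyEntry,
nifi-node2, Jan 1, 2024, PrivateKeyEntry,
EOF
}

# Demo on the constructed listings; on a real node use:
#   audit_keystore /path/to/keystore.jks "$STORE_PASSWORD"
if sample_listing | keystore_listing_ok; then
    echo "sample keystore: OK (exactly one PrivateKeyEntry)"
fi
if ! sample_bad_listing | keystore_listing_ok; then
    echo "bad sample: rejected (expected exactly one PrivateKeyEntry)"
fi
```

The counting is done on the listing text rather than on the store itself so the same check works for a JKS or a PKCS12 store; `audit_keystore` just feeds real `keytool -list` output through it.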

Master Mentor

@davehkd It is difficult for me to say where your configuration has gone wrong with what has been shared. I would need to see your authorizers.xml.

I see in your output mention of the SingleUserAuthorizer. This authorizer does not support defining additional users for assigning policies.

What do you have configured in your nifi.properties for these configuration lines:

nifi.security.user.authorizer
nifi.security.user.login.identity.provider

If either of these is using the "single-user-provider/authorizer", it is expected that you will not see users in the UI.

You'll need to use an authorizer that supports multi user setup like the https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#standardmanagedauthorizer.

Since you are using user certificates for handling your user authentication, the nifi.security.user.login.identity.provider configuration property should be blank.

If you found that the provided solution(s) assisted you with your query, please take a moment to login and click Accept as Solution below each response that helped.

Thank you,

Matt


Master Mentor

@davehkd 

1. You can't have multiple providers in the authorizers.xml. You'll need to comment out the "singleUserAuthorizer".
2. Your "managed-authorizer" is not correct, you are missing the class:

    <authorizer>
        <identifier>managed-authorizer</identifier>
        <class>org.apache.nifi.authorization.StandardManagedAuthorizer</class>
        <property name="Access Policy Provider">file-access-policy-provider</property>
    </authorizer>

3. Your file-access-policy-provider configuration looks good here.
4. Your file-user-group-provider configuration is not correct, you are missing the line that defines where the users.xml file is to be created:

    <userGroupProvider>
        <identifier>file-user-group-provider</identifier>
        <class>org.apache.nifi.authorization.FileUserGroupProvider</class>
        <property name="Users File">./conf/users.xml</property>
        <property name="Initial User Identity 1">CN=ec2-user</property>
        <property name="Initial User Identity 2">CN=nifi1, OU=NIFI</property>
        <property name="Initial User Identity 3">CN=nifi2, OU=NIFI</property>
        <property name="Initial User Identity 4">CN=nifi3, OU=NIFI</property>
    </userGroupProvider>

Make sure that in your nifi.properties file, you have configured NiFi to use the managed authorizer:

nifi.security.user.authorizer=managed-authorizer


Make sure that in your nifi.properties, you do NOT have the following property configured to use the single-user-provider:

nifi.security.user.login.identity.provider=

 

If you found that the provided solution(s) assisted you with your query, please take a moment to login and click Accept as Solution below each response that helped.

Thank you,

Matt
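The configuration points from the two replies above (the nifi.security.user.authorizer and nifi.security.user.login.identity.provider values in nifi.properties, the missing `<class>` on the managed authorizer, and the missing "Users File" property on the file-user-group-provider in authorizers.xml) turned into a shell check that can be run against a node's conf directory before restarting. This is an added example, not code from the thread or from the NiFi project; the function names, the line-oriented parsing of authorizers.xml, and the sample files that `write_samples` creates are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from the thread or from the NiFi project: checks for
# the settings discussed in the replies (authorizer selection and a blank login
# identity provider in nifi.properties; a <class> on managed-authorizer and a
# "Users File" on file-user-group-provider in authorizers.xml). The files
# written by write_samples are constructed for the demo.

# Print the value of a key in a Java properties file (empty when absent).
prop_value() {
    # $1 = properties file, $2 = key
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" \
        | sed 's/[[:space:]]*$//' | head -n 1
}

# Returns 0 when nifi.properties selects the managed authorizer and leaves the
# login identity provider blank (certificate-based authentication); otherwise
# prints what is wrong and returns 1.
check_nifi_properties() {
    rc=0
    authorizer=$(prop_value "$1" nifi.security.user.authorizer)
    login=$(prop_value "$1" nifi.security.user.login.identity.provider)
    if [ "$authorizer" != managed-authorizer ]; then
        echo "nifi.security.user.authorizer='$authorizer' (expected managed-authorizer)"
        rc=1
    fi
    if [ -n "$login" ]; then
        echo "nifi.security.user.login.identity.provider='$login' (expected blank)"
        rc=1
    fi
    return $rc
}

# Returns 0 when the <$2> element whose <identifier> is $3 contains a line
# matching the awk regex $4, 1 otherwise. XML comments are not understood, so
# remove commented-out blocks rather than relying on this to skip them.
xml_block_has() {
    # $1 = authorizers.xml, $2 = element name, $3 = identifier, $4 = pattern
    awk -v tag="$2" -v id="$3" -v pat="$4" '
        $0 ~ ("<" tag ">")  { inblock = 1; hit = 0; ok = 0 }
        inblock && $0 ~ ("<identifier>" id "</identifier>") { hit = 1 }
        inblock && $0 ~ pat { ok = 1 }
        $0 ~ ("</" tag ">") { if (inblock && hit && ok) found = 1; inblock = 0 }
        END { exit(found ? 0 : 1) }
    ' "$1"
}

# Run every check against one nifi.properties ($1) and one authorizers.xml ($2).
check_all() {
    rc=0
    check_nifi_properties "$1" || rc=1
    xml_block_has "$2" authorizer managed-authorizer '<class>' \
        || { echo "managed-authorizer has no <class> element"; rc=1; }
    xml_block_has "$2" userGroupProvider file-user-group-provider 'name="Users File"' \
        || { echo "file-user-group-provider has no Users File property"; rc=1; }
    return $rc
}

# Write constructed sample files into directory $1: "bad" reproduces the
# mistakes discussed in the thread, "good" applies the corrections.
write_samples() {
    printf '%s\n' 'nifi.security.user.authorizer=single-user-authorizer' \
        'nifi.security.user.login.identity.provider=single-user-provider' > "$1/bad.properties"
    printf '%s\n' 'nifi.security.user.authorizer=managed-authorizer' \
        'nifi.security.user.login.identity.provider=' > "$1/good.properties"
    cat > "$1/bad.xml" <<'EOF'
<authorizers>
    <userGroupProvider>
        <identifier>file-user-group-provider</identifier>
        <class>org.apache.nifi.authorization.FileUserGroupProvider</class>
        <property name="Initial User Identity 1">CN=ec2-user</property>
    </userGroupProvider>
    <authorizer>
        <identifier>managed-authorizer</identifier>
        <property name="Access Policy Provider">file-access-policy-provider</property>
    </authorizer>
</authorizers>
EOF
    cat > "$1/good.xml" <<'EOF'
<authorizers>
    <userGroupProvider>
        <identifier>file-user-group-provider</identifier>
        <class>org.apache.nifi.authorization.FileUserGroupProvider</class>
        <property name="Users File">./conf/users.xml</property>
        <property name="Initial User Identity 1">CN=ec2-user</property>
    </userGroupProvider>
    <authorizer>
        <identifier>managed-authorizer</identifier>
        <class>org.apache.nifi.authorization.StandardManagedAuthorizer</class>
        <property name="Access Policy Provider">file-access-policy-provider</property>
    </authorizer>
</authorizers>
EOF
}

# Demo on the constructed samples; on a real node run
#   check_all /path/to/conf/nifi.properties /path/to/conf/authorizers.xml
tmp=$(mktemp -d)
write_samples "$tmp"
echo "== bad sample =="
check_all "$tmp/bad.properties" "$tmp/bad.xml" || echo "rejected, as expected"
echo "== good sample =="
check_all "$tmp/good.properties" "$tmp/good.xml" && echo "passes"
rm -rf "$tmp"
```

The XML check is deliberately line-oriented: it only confirms that the block with the expected identifier carries the line the reply says is missing, which is enough to catch the two mistakes above without pulling in an XML parser.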

20 REPLIES

Contributor

will do