Created 07-06-2022 03:12 AM
Is there a way to use SSO without enabling HTTPS on NIFI?
Created 07-07-2022 08:17 AM
@Meepoljd
You'll want to have https enabled to prevent access to NiFi's endpoints directly. When NiFi is not secured (HTTPS), it does not require user authentication or authorization. Thus access is treated as anonymous.
When using Apache Knox, NiFi cannot be configured with other login-based authentication like a login-provider in the login-identity-providers.xml or OpenID or SAML via associated properties in the nifi.properties file.
So make sure these properties are not configured in the nifi.properties file when you have also configured the knox properties:
https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#saml
https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#openid_connect
and the following login provider property:
nifi.security.user.login.identity.provider=
If you found this response assisted with your query, please take a moment to log in and click on "Accept as Solution" below this post.
Thank you,
Matt
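The checks described in the reply above can be run against a nifi.properties file before restarting NiFi. This is an added example, not part of the original post or of NiFi itself; the two sample files and the Knox hostname are constructed, and the OIDC and SAML keys checked are the ones that enable those providers in nifi.properties.

```python
# Added example: lint nifi.properties for the Knox SSO conflicts discussed above.
KNOX_URL = "nifi.security.user.knox.url"
HTTPS_PORT = "nifi.web.https.port"
HTTP_PORT = "nifi.web.http.port"
# Other login-based mechanisms that must be empty when Knox SSO is configured.
CONFLICTS = {
    "nifi.security.user.login.identity.provider": "login identity provider",
    "nifi.security.user.oidc.discovery.url": "OpenID Connect",
    "nifi.security.user.saml.idp.metadata.url": "SAML",
}

def parse_properties(text):
    """Parse Java-style key=value lines, skipping blanks and comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props

def check_knox_sso(text):
    """Return a list of findings; an empty list means no conflict was found."""
    props = parse_properties(text)
    if not props.get(KNOX_URL):
        return [f"{KNOX_URL} is empty: Knox SSO is not configured"]
    findings = []
    if not props.get(HTTPS_PORT):
        findings.append(f"{HTTPS_PORT} is empty: NiFi is unsecured, access is anonymous")
    if props.get(HTTP_PORT):
        findings.append(f"{HTTP_PORT}={props[HTTP_PORT]}: plain HTTP listener bypasses Knox")
    for key, label in CONFLICTS.items():
        if props.get(key):
            findings.append(f"{key} is set ({label}): clear it when Knox SSO is configured")
    return findings

# Constructed sample files (hostnames and provider name are placeholders).
KNOX = "nifi.security.user.knox.url=https://knox.example.com:8443/gateway/knoxsso/api/v1/websso\n"
BROKEN = KNOX + ("nifi.web.http.port=10111\nnifi.web.https.port=\n"
                 "nifi.security.user.login.identity.provider=ldap-provider\n")
FIXED = KNOX + ("nifi.web.http.port=\nnifi.web.https.port=9443\n"
                "nifi.security.user.login.identity.provider=\n")

if __name__ == "__main__":
    for name, sample in (("BROKEN", BROKEN), ("FIXED", FIXED)):
        print(name, check_knox_sso(sample) or "OK")
```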
Created 07-06-2022 10:58 PM
When I tried to turn on KnoxSSO for NIFI without https, I can access NIFI's Web UI through Knox, but I can also access NIFI directly through port 10111, which does not jump to Knox.
So I tried to enable HTTPS while using Knox, and I got this error "Apache Knox SSO support cannot be enabled if the Login Identity Provider or OpenId Connect or SAML is configured."
Created 07-08-2022 09:37 PM
Thanks. I opened https for NiFi, and it works when Knox and NiFi are on the same server. But when I deploy NiFi and Knox separately, I am redirected infinitely when SSO logs in to NiFi, and I find the cookies have problems. Is this because of cross-domain? Knox gateway.log has "JWT cookie successfully added." but nifi-user.log has " [<anonymous>] GET https://XXX:9443/nifi-api/flow/current-user"
Created 07-08-2022 11:22 PM
I know. Need an FQDN like testhost.magg.com. Thanks.