Whether SSO can be used without enabling HTTPS on NIFI
- Labels: Apache NiFi
Created ‎07-06-2022 03:12 AM
Is there a way to use SSO without enabling HTTPS on NIFI?
Created ‎07-06-2022 10:58 PM
When I tried to turn on KnoxSSO for NiFi without HTTPS, I could access NiFi's web UI through Knox, but I could also access NiFi directly through port 10111, with no redirect to Knox.
So I tried to enable HTTPS while using Knox, and I got this error: "Apache Knox SSO support cannot be enabled if the Login Identity Provider or OpenId Connect or SAML is configured."
Created ‎07-07-2022 08:17 AM
@Meepoljd
You'll want to have HTTPS enabled to prevent direct access to NiFi's endpoints. When NiFi is not secured (HTTPS), it does not require user authentication or authorization. Thus access is treated as anonymous.
When using Apache Knox, NiFi cannot be configured with other login-based authentication like a login-provider in the login-identity-providers.xml or OpenID or SAML via associated properties in the nifi.properties file.
So make sure these properties are not configured in the nifi.properties file when you have also configured the Knox properties:
https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#saml
https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#openid_connect
and the following login provider property:
nifi.security.user.login.identity.provider=
If you found this response assisted with your query, please take a moment to log in and click on "Accept as Solution" below this post.
Thank you,
Matt
Created ‎07-08-2022 09:37 PM
Thanks. I enabled HTTPS for NiFi, and it works when Knox and NiFi are on the same server. But when I deploy NiFi and Knox separately, I am redirected infinitely when SSO logs in to NiFi, and I find the cookies have problems. Is this because of cross-domain? Knox gateway.log has "JWT cookie successfully added." but nifi-user.log has " [<anonymous>] GET https://XXX:9443/nifi-api/flow/current-user"
Created ‎07-08-2022 11:22 PM
I know. Need an FQDN like testhost.magg.com. Thanks.
