I am following this post: https://community.hortonworks.com/content/kbentry/34147/nifi-security-user-authentication-with-kerbe... to secure my standalone nifi-1.1.1 instance using Kerberos authentication.
I am confused: why do we need to provide SSL/certificates for client and server when we are already using Kerberos? Is it required to provide SSL in Nifi-1.1.1?
Also, when we provide client and server certificates, do we need to upload the certificate to every machine's browser I would use to connect to NiFi?
Please suggest!! Thanks in advance!!
Hi @sri chaturvedi,
Only server-side certificates are required so that one-way TLS (https) can be used. One-way TLS is required to protect the access token (a JWT) in transport when it is issued from the NiFi server to the browser. This is done after the initial authentication using Kerberos, to reduce the overhead of Kerberos ticket validation on every call to the NiFi server when using the web UI.
To your point, client/browser certificates are not required as the client identity will be established by the Kerberos credentials. (If the browser prompts a user for an optional certificate, the user can choose "Cancel" without selecting a certificate.)
In order to configure your NiFi instance(s) for one-way TLS, first configure the server keystore and truststore settings in nifi.properties as you normally would. To specify that the server should not require client certificates, set:
in your nifi.properties file.
I hope this helps! Let me know if you have any other questions.
Hi @kdoran, thanks a lot for your valuable response. You cleared my doubts; could you also help me with the next steps to be carried out? Actually, referring to a lot of blogs/materials (links given below), I am a bit confused about the further steps:
I am using Nifi-1.1.1 and would be using the following process, correct me if I am wrong:
1. setting up server certificates using the nifi-tls toolkit
2. make changes to nifi.properties like setting truststore, keystore details, login identity provider as kerberos and nifi.security.needClientAuth=false
3. make changes to login-identity-providers.xml (uncomment kerberos provider)
4. do I need to edit authorizers.xml, users.xml and authorizations.xml for nifi-1.1.1?
I am not sure how to configure these. Also I can't find authorised-users.
Please help!! Thanks in advance!!
Hi @sri chaturvedi.
The steps you outline for 1 to 3 are correct.
You should never need to manually edit users.xml or authorizations.xml. Those files are managed by the Authorizers at runtime.
The only change you should need to make to authorizers.xml is to set the Initial Admin Identity to the Kerberos principal of the admin user. That user can then add users and grant them policies through the UI, without having to make any other manual edits to the XML file(s).
Hope this helps. Let me know if you have any other questions!
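The steps agreed on in this thread (one-way TLS in nifi.properties with needClientAuth=false, the kerberos-provider uncommented in login-identity-providers.xml, and only the Initial Admin Identity touched in authorizers.xml) can be checked and applied mechanically. The script below is an added example written for this page; it is not code from the thread or from the NiFi project. Property and element names follow the nifi.properties, login-identity-providers.xml and authorizers.xml templates shipped with NiFi 1.1.x, trimmed to the entries the thread discusses. The sample file contents, the keystore paths, the password, the HTTPS port 9443 and the principal admin@EXAMPLE.COM are constructed assumptions; substitute the values produced by the TLS toolkit and your realm.

```python
"""Lint and patch the three NiFi 1.x config files discussed in the thread.
Added example, not NiFi project code. Sample inputs below are constructed."""
import re
import xml.etree.ElementTree as ET

# Constructed nifi.properties excerpt: the insecure starting point
# (plain HTTP, no keystore, and client certificates demanded).
SAMPLE_PROPS = """\
nifi.web.http.port=8080
nifi.web.https.port=
nifi.security.keystore=
nifi.security.keystoreType=
nifi.security.keystorePasswd=
nifi.security.keyPasswd=
nifi.security.truststore=
nifi.security.truststoreType=
nifi.security.truststorePasswd=
nifi.security.needClientAuth=true
nifi.security.user.login.identity.provider=
nifi.security.user.authorizer=file-provider
"""

# Constructed login-identity-providers.xml: the Kerberos provider shipped
# commented out, as in the default template (extra properties omitted).
SAMPLE_LIP = """<loginIdentityProviders>
    <!--
    <provider>
        <identifier>kerberos-provider</identifier>
        <class>org.apache.nifi.kerberos.KerberosProvider</class>
        <property name="Default Realm">NIFI.APACHE.ORG</property>
        <property name="Authentication Expiration">12 hours</property>
    </provider>
    -->
</loginIdentityProviders>
"""

# Constructed authorizers.xml: file-provider with an empty Initial Admin Identity.
SAMPLE_AUTHZ = """<authorizers>
    <authorizer>
        <identifier>file-provider</identifier>
        <class>org.apache.nifi.authorization.FileAuthorizer</class>
        <property name="Authorizations File">./conf/authorizations.xml</property>
        <property name="Users File">./conf/users.xml</property>
        <property name="Initial Admin Identity"></property>
        <property name="Legacy Authorized Users File"></property>
    </authorizer>
</authorizers>
"""


def parse_properties(text):
    """Minimal Java .properties reader: key=value lines, '#' comments, blanks."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def lint_one_way_tls(props):
    """Return the problems that would break 'Kerberos login over one-way TLS'."""
    problems = []
    if not props.get("nifi.web.https.port"):
        problems.append("nifi.web.https.port is empty: the JWT would travel in clear text")
    if props.get("nifi.web.http.port"):
        problems.append("nifi.web.http.port is set: disable plain HTTP once HTTPS is on")
    for key in ("nifi.security.keystore", "nifi.security.keystorePasswd",
                "nifi.security.truststore", "nifi.security.truststorePasswd"):
        if not props.get(key):
            problems.append(f"{key} is empty: server-side TLS cannot start")
    if props.get("nifi.security.needClientAuth", "").lower() != "false":
        problems.append("nifi.security.needClientAuth must be false: identity comes from Kerberos")
    if props.get("nifi.security.user.login.identity.provider") != "kerberos-provider":
        problems.append("nifi.security.user.login.identity.provider must be kerberos-provider")
    return problems


def harden_properties(props, keystore, truststore, password, https_port="9443"):
    """Step 2 of the thread: one-way TLS plus the Kerberos login provider.
    Using one password for keystore and key is a simplification (assumption)."""
    fixed = dict(props)
    fixed.update({
        "nifi.web.http.port": "",
        "nifi.web.https.port": https_port,
        "nifi.security.keystore": keystore,
        "nifi.security.keystoreType": "JKS",
        "nifi.security.keystorePasswd": password,
        "nifi.security.keyPasswd": password,
        "nifi.security.truststore": truststore,
        "nifi.security.truststoreType": "JKS",
        "nifi.security.truststorePasswd": password,
        "nifi.security.needClientAuth": "false",
        "nifi.security.user.login.identity.provider": "kerberos-provider",
    })
    return fixed


def uncomment_provider(xml_text, identifier):
    """Step 3: drop the <!-- --> around the provider whose <identifier> matches."""
    def strip(m):
        body = m.group(1)
        return body if f"<identifier>{identifier}</identifier>" in body else m.group(0)
    return re.sub(r"<!--(.*?)-->", strip, xml_text, flags=re.S)


def active_providers(xml_text):
    """Identifiers of providers that are live XML (ElementTree skips comments)."""
    root = ET.fromstring(xml_text)
    return [p.findtext("identifier") for p in root.findall("provider")]


def set_initial_admin(xml_text, principal):
    """Step 4: the only manual authorizers.xml edit, the Kerberos admin principal."""
    root = ET.fromstring(xml_text)
    for prop in root.iter("property"):
        if prop.get("name") == "Initial Admin Identity":
            prop.text = principal
    return ET.tostring(root, encoding="unicode")


def initial_admin(xml_text):
    root = ET.fromstring(xml_text)
    for prop in root.iter("property"):
        if prop.get("name") == "Initial Admin Identity":
            return prop.text or ""
    return ""


if __name__ == "__main__":
    before = parse_properties(SAMPLE_PROPS)
    for p in lint_one_way_tls(before):
        print("FAIL:", p)
    after = harden_properties(before, "./conf/keystore.jks", "./conf/truststore.jks", "changeit")
    print("after hardening:", lint_one_way_tls(after) or "clean")
    print("providers:", active_providers(uncomment_provider(SAMPLE_LIP, "kerberos-provider")))
    print("admin:", initial_admin(set_initial_admin(SAMPLE_AUTHZ, "admin@EXAMPLE.COM")))
```

The linter deliberately treats a populated nifi.web.http.port as a failure: the JWT that the server issues after the Kerberos login is a bearer token, so leaving the plain-HTTP listener open alongside HTTPS would allow it to be replayed over an unprotected channel. users.xml and authorizations.xml are not touched at all, matching the advice above that the authorizer manages them at runtime.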