Why two way SSL is required when securing Nifi Using kerberos?

Hi All,

I am following this post: https://community.hortonworks.com/content/kbentry/34147/nifi-security-user-authentication-with-kerbe... to secure my standalone nifi-1.1.1 instance using Kerberos authentication.

I am confused about why we need to provide SSL/certificates for client and server when we are already using Kerberos. Is it required to provide SSL in Nifi-1.1.1?

Also, when we provide client and server certificates, do we need to upload a certificate to the browser on every machine I would use to connect to nifi?

Please suggest!! Thanks in Advance!!

Re: Why two way SSL is required when securing Nifi Using kerberos?

Hi @sri chaturvedi,

Only server-side certificates are required so that one-way TLS (https) can be used. One-way TLS is required to protect the access token (a JWT) in transport when it is issued from the NiFi server to the browser. This is done after the initial authentication using Kerberos, to reduce the overhead of Kerberos ticket validation on every call to the NiFi server when using the web UI.

To your point, client/browser certificates are not required, as the client identity will be established by the Kerberos credentials. (If the browser prompts a user for an optional certificate, the user can choose “Cancel” without selecting a certificate.)

In order to configure your NiFi instance(s) for one-way TLS, first configure the server keystore and truststore settings in nifi.properties as you normally would. To specify that the server should not require client certificates, set:

nifi.security.needClientAuth=false

in your nifi.properties file.

I hope this helps! Let me know if you have any other questions.

Re: Why two way SSL is required when securing Nifi Using kerberos?

Hi @kdoran, thanks a lot for your valuable response. You cleared my doubts; could you also help me with the next steps to be carried out? Actually, referring to a lot of blogs/materials (links given below), I am a bit confused about the further steps:

I am using Nifi-1.1.1 and would be using the following process; correct me if I am wrong:

1. Setting up server certificates using the nifi-tls toolkit.

2. Making changes to nifi.properties, like setting truststore/keystore details, the login identity provider as kerberos, and nifi.security.needClientAuth=false.

3. Making changes to login-identity-providers.xml (uncommenting the kerberos provider).

4. Do I need to edit authorizers.xml, users.xml and authorizations.xml for nifi-1.1.1?

I am not sure how to configure these. Also, I can't find authorised-users.

Please help!! Thanks in advance!!

References:

[1] https://community.hortonworks.com/content/kbentry/34147/nifi-security-user-authentication-with-kerbe...

[2] https://www.batchiq.com/nifi-configuring-ssl-auth.html

Regards,

Srijita

Re: Why two way SSL is required when securing Nifi Using kerberos?

Hi @sri chaturvedi.

The steps you outline for 1 to 3 are correct.

You should never need to manually edit users.xml or authorizations.xml. Those files are managed by the Authorizers at runtime.

The only change you should need to make to authorizers.xml is to set the Initial Admin Identity to the Kerberos principal of the admin user. That user can then add users and grant them policies through the UI, without having to make any other manual edits to the XML file(s).

Hope this helps. Let me know if you have any other questions!

Regards,

Kevin
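The setup the three replies converge on, as an added check script that is not from the thread or from NiFi: it reads a NiFi 1.1.x conf/ directory and confirms one-way TLS with needClientAuth=false, the Kerberos login identity provider selected in nifi.properties and uncommented in login-identity-providers.xml, and an Initial Admin Identity in authorizers.xml that is a Kerberos principal. Property and element names are NiFi's own; the sample conf/ it builds uses constructed paths, port and principal.

```shell
# Added example (not code from the thread or from NiFi): check a NiFi 1.1.x conf/
# directory for the one-way TLS + Kerberos setup the replies describe.
check_nifi_kerberos_conf() {                                   # 0 = OK, 1 = problem
  conf="$1"; rc=0
  prop() { sed -n "s/^$1=//p" "$conf/nifi.properties" | tail -n 1; }  # last definition wins
  # (1) HTTPS listener plus server keystore/truststore: one-way TLS, server cert only.
  for p in nifi.web.https.port nifi.security.keystore nifi.security.truststore; do
    [ -n "$(prop "$p")" ] || { echo "missing $p"; rc=1; }
  done
  # (2) Never require client certificates; Kerberos supplies the user identity.
  [ "$(prop nifi.security.needClientAuth)" = false ] || { echo "needClientAuth must be false"; rc=1; }
  # (3) nifi.properties selects the Kerberos provider, which must be uncommented in the XML.
  [ "$(prop nifi.security.user.login.identity.provider)" = kerberos-provider ] \
    || { echo "login identity provider is not kerberos-provider"; rc=1; }
  awk '/<!--/{c=1} !c{print} /-->/{c=0}' "$conf/login-identity-providers.xml" \
    | grep -q '<identifier>kerberos-provider</identifier>' || { echo "kerberos-provider commented out"; rc=1; }
  # (4) Initial Admin Identity in authorizers.xml must be the admin's Kerberos principal.
  admin=$(sed -n 's/.*"Initial Admin Identity">\([^<]*\)<.*/\1/p' "$conf/authorizers.xml")
  echo "$admin" | grep -Eq '^[^@]+@[A-Za-z0-9.-]+$' || { echo "Initial Admin Identity '$admin' is not user@REALM"; rc=1; }
  return $rc
}

# Constructed sample conf/ (paths, port and principal are made up) matching the target setup.
make_sample_conf() {
  d=$(mktemp -d)
  cat > "$d/nifi.properties" <<'EOF'
nifi.web.https.port=9443
nifi.security.keystore=./conf/keystore.jks
nifi.security.truststore=./conf/truststore.jks
nifi.security.needClientAuth=false
nifi.security.user.login.identity.provider=kerberos-provider
EOF
  cat > "$d/login-identity-providers.xml" <<'EOF'
<loginIdentityProviders><provider>
  <identifier>kerberos-provider</identifier>
  <class>org.apache.nifi.kerberos.KerberosProvider</class>
  <property name="Default Realm">EXAMPLE.COM</property>
</provider></loginIdentityProviders>
EOF
  cat > "$d/authorizers.xml" <<'EOF'
<authorizers><authorizer>
  <identifier>file-provider</identifier>
  <class>org.apache.nifi.authorization.FileAuthorizer</class>
  <property name="Initial Admin Identity">nifiadmin@EXAMPLE.COM</property>
</authorizer></authorizers>
EOF
  echo "$d"
}
```

Run it against a real installation with `check_nifi_kerberos_conf /path/to/nifi/conf`; every failed check prints one line naming the setting to fix.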
