05-06-2024
06:09 AM
Hello @Knowledgeknow

Thanks for using Cloudera Community. This is an Old Post, yet I wish to convey that Cloudera shall assist with Airflow Issues (Install, Upgrade, Maintenance) dealing with Airflow shipped by Cloudera. Currently, CDE (Cloudera Data Engineering) allows Airflow to be deployed on Public Cloud & Private Cloud with End-To-End Support offered by Cloudera.

You haven't shared whether your Q deals with CDE Airflow or Standalone Airflow. If your Post deals with reviewing an Issue with Installing Standalone Airflow, that isn't Supported per se; hence, our engagement would be Limited.

For CDE Airflow, the AuthN for Airflow UI is managed implicitly via Single Sign-On (once your Team is Authenticated to Cloudera Management Console) & doesn't require any manual intervention. For CLI, CDE offers Token Based & Key Based AuthN. If your Team is interested in CDE Airflow, let us know & we can get in touch with your Team.

- Smarak
02-05-2024
04:18 AM
1 Kudo
thanks, I have created a new post: https://community.cloudera.com/t5/Support-Questions/NiFi-SAN-IP-using-toolkit-NiFI-Registry/td-p/383130
12-11-2023
08:35 AM
Though I gave the permission to view the user interface, I am still facing this issue.
12-11-2023
07:22 AM
@Knowledgeknow

You can't enable authentication and authorization on an unsecured NiFi (HTTP). To enable security in NiFi, step one is to configure HTTPS (this will require you to have certificates for all your NiFi nodes). The following configuration files have configurations related to securing your NiFi.

nifi.properties --> (framework configuration file has bits related to authentication and authorization). You would enable security on your NiFi by configuring HTTPS. Once NiFi is configured with an HTTPS port, authentication via TLS certificates is enabled (can NOT be disabled and is always the first method attempted to authenticate a user/client). The following sections of this file pertain to security:

- Security Properties
- Identity Mapping Properties
- OpenID Connect - Since you mention Oauth2 and others...

login-identity-providers.xml --> (authentication related) used if you want to enable user authentication support through LDAP or Kerberos. To enable the ldap-provider or kerberos-provider, you'll need to specify one or the other in the nifi.properties configuration property: "nifi.security.user.login.identity.provider". Out-of-the-box NiFi has this configured to use the Single-User-Provider (not intended for production use).

- Lightweight Directory Access Protocol (LDAP) - Since you mention LDAP-based authentication.

Once you have decided on your authentication method of choice, you'll need to set up Multi-Tenant Authorization. Authorization is used to control what your various successfully authenticated users/clients have access to within NiFi's UI. This gets configured in the authorizers.xml (the order in which you add various providers to this configuration file is very important!!!). This file consists of only one Authorizer (out of the box it uses the single-user-authorizer). The "authorizer" is always at the very bottom of the authorizers.xml file.

Below is a very common example structure (top to bottom order of providers added to file):

1. FileUserGroupProvider
2. LdapUserGroupProvider
3. Composite Implementations - You'll want to use "CompositeConfigurableUserGroupProvider". This is then configured to use both above UserGroupProviders.
4. FileAccessPolicyProvider - configured to use above "composite-user-group-provider".
5. StandardManagedAuthorizer - configured to use above "file-access-policy-provider".

Example configuration of above: https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#composite-file-and-ldap-based-usersgroups

The authorizers.xml will set up the initial required properties for the user/client you define in the FileAccessPolicyProvider "Initial Admin Identity" (the user identity configured in this provider must be returned by ONLY one of the configured UserGroupProviders). So do NOT configure the initial admin identity in the FileUserGroupProvider if that identity is going to be returned by the LdapUserGroupProvider. Don't worry if you mess up here initially, just delete the users.xml (FileUserGroupProvider generated) and authorizations.xml (FileAccessPolicyProvider generated) files and on next startup they will be created again.

Once you have a working authentication and authorization setup, you will be able to define authorizations, using your Initial Admin user, for your other synced directly through the NiFi UI. You can also define additional authorization for your admin user (is not given access to everything, but is given admin authorization, which means this user can set new authorizations for all users including itself).

If you run into an authorization issue after setup, you'll want to inspect the nifi-user.log. This log will show the exact case-sensitive user/client identity. If it does not match exactly with the identity that was returned by the authorizer UserGroupProviders, you'll need to go back and make some configuration changes until they do.

Have fun in your journey....

If you found any of the suggestions/solutions provided helped you with your issue, please take a moment to login and click "Accept as Solution" on one or more of them that helped.

Thank you,
Matt