Member since
04-24-2024
2
Posts
1
Kudos Received
0
Solutions
04-26-2024
06:28 AM
@AlexisRub Not sure how to answer that for you. Typically production users who have access to a corporately managed LDAP/AD would use that with their NiFi. This provide better security as corporate can mange that adding of new users or removal of users no longer with the organization. If you also setup the ldap-user-group-provider in NiFi authorizers.xml along with setting of the ldap-provider in the login-identity-providers.xml you'll have a proper production setup. Let's say a new person joins the company and is added to the AD. the ldap-user-group-provider (depending on filters) could automatically pull in that new user identity to NiFi allowing your NiFi admin to setup access policies for them easily. And with the ldap-provider that user could then authenticate to your NiFi (successful authentication does not mean they would have authorized access). Even better is this opens the ability to use ldap/AD managed groups for authorization. Let's say you have AD group named nifiadmins. You could sync this group and its members to NiFi via the ldap-user-group-provider and set up local authorization policies using that group identity. So later some user is added or removed from the AD "nifiadmins" group. When NiFi syncs with ldap/AD via ldap -user-group-provider (default is every 30 mins), that user would be added or removed as a known member of that group and would gain or lose authorizations without needing any manual action within NiFi to make that happen. This is most common setup fro production end users with established ldap/AD groups for different teams that will access NiFi. Different teams can then be authorized access to only specific process groups and actions. I setup a local ldap which creates a bunch of fake users and groups that i can manage for testing purposes., but not something I would do in a production setup. I would leave the corporate management of user to those responsible for that access control. Please help our community thrive. If you found any of the suggestions/solutions provided helped you with solving your issue or answering your question, please take a moment to login and click "Accept as Solution" on one or more of them that helped. Thank you, Matt
... View more