nifi-dev mailing list archives

From Edgardo Vega <edgardo.v...@gmail.com>
Subject Re: nifi behind a proxy
Date Fri, 11 Sep 2015 13:42:09 GMT
Matt,

Yes, communication between the proxy and nifi is http. What I was hoping for
was being able to pass headers such as the following in the request and have
the user be authenticated using that information.

 X-SSL-client-serial
 X-SSL-client-s-dn
 X-SSL-client-i-dn
 X-SSL-client-session-id
 X-SSL-client-verify


There seem to be other schemes that are used but they have a similar concept.

Also have you guys looked at Apache Shiro[1] for pluggable authentication?

Cheers,

Edgardo

[1]
http://shiro.apache.org/



On Fri, Sep 11, 2015 at 8:54 AM, Matt Gilman <matt.c.gilman@gmail.com>
wrote:

> Awesome. If I understand your set up correctly, you are sending an HTTP
> request from the proxy to the NiFi instance. NiFi does support reading user
> details from an HTTP header but only when authenticating a user (or your
> proxy in this case). Additionally, the admin must grant the proxy as
> having ROLE_PROXY in order to authorize it to proxy user requests. NiFi
> currently only supports user authentication with two way SSL using
> certificates. There is discussion ongoing about adding support for other
> authentication models [1].
>
> If an HTTP request is received, it will treat the user as anonymous.
>
> Matt
>
> [1]
> https://cwiki.apache.org/confluence/display/NIFI/Pluggable+Authentication
>
>
> On Fri, Sep 11, 2015 at 8:39 AM, Edgardo Vega <edgardo.vega@gmail.com>
> wrote:
>
> > Matt,
> >
> > It worked great. I just added those headers and it all worked. Follow-on
> > question is about ssl user authentication through a proxy. Can you add
> > headers that nifi will use to authenticate a user so you can terminate
> > the ssl connection at the proxy?
> >
> > Cheers,
> >
> > Edgardo
> >
> > On Thu, Sep 10, 2015 at 6:46 PM, Matt Gilman <matt.c.gilman@gmail.com>
> > wrote:
> >
> > > Edgardo,
> > >
> > > There are a couple of key items to know when standing up NiFi behind a
> > > proxy.
> > >
> > > 1) NiFi is comprised of a number of web applications (web ui, web api,
> > > documentation, custom ui's, etc). So you'll need to set up your mapping
> > > to the root path. That way all context paths are passed through
> > > accordingly. For instance, if you only mapped the /nifi context path,
> > > the custom ui for Update Attributes will not work since it's available at
> > > /update-attribute-ui-<version>.
> > >
> > > 2) NiFi's rest api will generate uri's for each component on the graph.
> > > Since you're coming through a proxy, you'll need to override certain
> > > elements of the uri's being generated. This is why you're able to view
> > > the graph, but you cannot modify anything. It's attempting to call back
> > > directly to your NiFi, not through your proxy. You can override the
> > > elements of the uri by adding the following HTTP headers when your proxy
> > > generates the HTTP request to the NiFi instance:
> > >
> > > X-ProxyScheme - the scheme to use to connect to your proxy (https in
> > > this case)
> > > X-ProxyHost - the host of your proxy
> > > X-ProxyPort - the port your proxy is listening on
> > > X-ProxyContextPath - the path you've configured to map to the NiFi
> > > instance
> > >
> > > I've never done the proxying through nginx so please let me know if
> > > this helps.
> > >
> > > Matt
> > >
> > > On Thu, Sep 10, 2015 at 6:04 PM, Edgardo Vega <edgardo.vega@gmail.com>
> > > wrote:
> > >
> > > > I am trying to setup Nifi using nginx as a reverse proxy. I would
> > > > like nginx to terminate the ssl connection and then run nifi on http.
> > > > I have tried to set it up but ran into an issue where any viewing
> > > > operation works but cannot make any changes (move, start, stop, etc).
> > > > The browser complains about mixed content.
> > > >
> > > > So how do you configure nifi to work correctly in this scenario?
> > > >
> > > >
> > > > --
> > > > Cheers,
> > > >
> > > > Edgardo
> > > >
> > > > Sent from Gmail Mobile
> > > >
> > >
> >
> >
> >
> > --
> > Cheers,
> >
> > Edgardo
> >
>



-- 
Cheers,

Edgardo
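
The setup discussed in this thread, written out as an nginx server block. This is an added example, not configuration posted by anyone in the thread: the host name, certificate paths and the NiFi listener address are placeholders, and dropping the X-SSL-client-* headers and sending no X-ProxyContextPath for a root mapping are assumptions of the example.

```nginx
# Added sketch: nginx terminates TLS and forwards plain HTTP to NiFi.
# Host name, certificate paths and NiFi address below are placeholders.
server {
    listen 443 ssl;
    server_name nifi-proxy.example.com;              # placeholder

    ssl_certificate     /etc/nginx/tls/proxy.crt;    # placeholder
    ssl_certificate_key /etc/nginx/tls/proxy.key;    # placeholder

    # Map the root path so every NiFi web application (web ui, web api,
    # documentation, custom ui's) is passed through, not only /nifi.
    location / {
        # Assumed NiFi HTTP listener. Per the thread, NiFi treats plain
        # HTTP requests as anonymous, so this listener should be reachable
        # only from the proxy (loopback here).
        proxy_pass http://127.0.0.1:8080;

        # Headers NiFi uses to rewrite the uri's it generates, so the
        # browser calls back through the proxy instead of directly to NiFi.
        # proxy_set_header replaces any value the client sent.
        proxy_set_header X-ProxyScheme https;
        proxy_set_header X-ProxyHost   $host;
        proxy_set_header X-ProxyPort   $server_port;

        # Root mapping assumed, so no context path override is sent. An
        # empty value makes nginx omit the header, which also drops a
        # client-supplied copy.
        proxy_set_header X-ProxyContextPath "";

        # The thread states NiFi does not authenticate users from these
        # headers over HTTP. Drop client-supplied copies so nothing behind
        # the proxy can mistake them for values the proxy asserted.
        proxy_set_header X-SSL-client-serial     "";
        proxy_set_header X-SSL-client-s-dn       "";
        proxy_set_header X-SSL-client-i-dn       "";
        proxy_set_header X-SSL-client-session-id "";
        proxy_set_header X-SSL-client-verify     "";
    }
}
```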
