nifi-users mailing list archives

From "Necci, Fabian" <Fabian.Ne...@thinkbiganalytics.com>
Subject Re: Configuration for a Web Load Balancer for a secured NiFi cluster and client certificate authentication
Date Wed, 22 Nov 2017 15:24:56 GMT
Fredrik,
in our installation we have a component (Kylo: https://kylo.io) which can only authenticate
to NiFi using client certificates and end users that are authenticated with an AD domain.
This is why I was trying to find a solution that would allow both Client Certificates and
LDAP authentications.

At this point we deployed a Load Balancer with PassThrough configuration, and the authentication
through Client Certificates is working properly. If a node goes down the client (Kylo in our
case) requests are transparently redirected to another node in the cluster.

As expected, the authentication with LDAP is not working correctly when accessing NiFi through
the load balancer; we mitigated this by telling the users to connect directly to a node of
the cluster to operate on the NiFi UI.

What in my opinion could be improved is what Matt was saying: “The signing key is persisted
on a given node and is currently not shared across the cluster.”
As I understand it, there is no session on the server for a user (correct me if I’m wrong),
but only this information is persisted on the server side. How hard could it be to share this
information across the cluster? The site-to-site protocol could be used to share this information,
or it could be persisted in ZooKeeper.

Anyway, thanks for your reply.

Best,
Fabian



From: Fredrik Skolmli <fredrik@skolmli.no>
Reply-To: "users@nifi.apache.org" <users@nifi.apache.org>
Date: Friday, October 27, 2017 at 2:17 PM
To: "users@nifi.apache.org" <users@nifi.apache.org>
Subject: Re: Configuration for a Web Load Balancer for a secured NiFi cluster and client certificate
authentication

Fabian,

I'd go with LDAP authentication in your situation. That would let the load balancer see the
traffic and handle it the way it does best. While enabling sticky sessions using cookies would
tie your users to one node at a time, it will give your users a better experience if one or
more of the nodes go down for maintenance[0].

That being said, working with client certificates should work as well, as it does not rely
on any session cookies or any other state.

[0]: With one minor exception - if your session starts communicating with another node, your
authentication token cookie becomes invalid and the user will have to log out and back in
again. There may be workarounds for this in the configuration I have yet to find the time
or need to look for.

BR,
Fredrik

On Fri, Oct 27, 2017 at 9:55 AM, Necci, Fabian <Fabian.Necci@thinkbiganalytics.com>
wrote:
Hi Matt,
I was thinking that for LDAP authentication it will not work properly.
Instead, with client certificate authentication in my opinion it should not be a problem if
there is no stickiness on load balancer side. What do you think about this point?
Many thanks,
Fabian


From: Matt Gilman <matt.c.gilman@gmail.com>
Reply-To: "users@nifi.apache.org" <users@nifi.apache.org>
Date: Thursday, October 26, 2017 at 7:45 PM
To: "users@nifi.apache.org" <users@nifi.apache.org>
Subject: Re: Configuration for a Web Load Balancer for a secured NiFi cluster and client certificate
authentication

Fabian,

I have not personally set up a load balancer. However, I can offer that the LDAP authentication
utilizes signed JWT bearer tokens. The key used to sign each token is unique to a given user.
The signing key is persisted on a given node and is currently not shared across the cluster.
Because of this, the load balancer would need to be able to associate a given client with
a specific node.

Thanks

Matt

On Thu, Oct 26, 2017 at 11:00 AM, Necci, Fabian <Fabian.Necci@thinkbiganalytics.com>
wrote:
Hi all,
I have a secured NiFi cluster which supports Client Certificate Authentication and LDAP Authentication.

We want to put a web load balancer to access the UI and the Rest API in front of the cluster.
I have concerns about how this web load balancer should be configured to still support client
certificate authentication when NiFi is accessed through the load balancer. In the research
I did, one possible configuration is to have a PassThrough web load balancer which basically
sends the encrypted data to the backend servers without knowing anything about the data.

Has anybody done this before?

Also, my concern is about session stickiness, as with this type of configuration the load
balancer is not able to perform any type of stickiness as it cannot read the network that
is passing through.

Is the lack of stickiness in the load balancer a problem?

Thanks for any hints you can give me,
Fabian Necci
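Added illustration (not code from the thread or from NiFi itself) of the failure mode Matt describes and Fredrik's footnote mentions: each node keeps its own per-user signing key, so a JWT issued by one node is rejected by every other node when a non-sticky load balancer spreads requests across the cluster. The `Node` class, the HS256 token format and the `simulate_round_robin` helper are a constructed toy model; NiFi's real token and key handling are not reproduced here.

```python
import base64
import hashlib
import hmac
import json
import secrets


def _b64url(data: bytes) -> str:
    # JWT-style base64url without padding
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class Node:
    """Constructed model of one cluster node. Each node holds a per-user
    HS256 signing key in local memory only (assumption mirroring the thread:
    the key is persisted on the issuing node and never replicated)."""

    def __init__(self, name: str):
        self.name = name
        self.keys: dict[str, bytes] = {}  # username -> signing key, local only

    def issue_token(self, username: str) -> str:
        key = self.keys.setdefault(username, secrets.token_bytes(32))
        header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
        payload = _b64url(json.dumps({"sub": username, "iss": self.name}).encode())
        sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        return f"{header}.{payload}.{_b64url(sig)}"

    def verify_token(self, token: str):
        """Return the subject if this node can verify the token, else None."""
        try:
            header, payload, sig = token.split(".")
            claims = json.loads(_b64url_decode(payload))
        except (ValueError, UnicodeDecodeError):
            return None
        key = self.keys.get(claims.get("sub"))
        if key is None:
            return None  # this node never issued a key for that user
        expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        return claims["sub"] if hmac.compare_digest(_b64url(expected), sig) else None


def simulate_round_robin(nodes: list, username: str) -> dict:
    """Log in on nodes[0], then replay the bearer token to every node as a
    non-sticky load balancer would. Returns {node_name: token accepted?}."""
    token = nodes[0].issue_token(username)
    return {n.name: n.verify_token(token) == username for n in nodes}
```

Only the issuing node accepts the token; the others return None, which is the "log out and back in again" behaviour Fredrik observed when a session lands on a different node.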


