nifi-users mailing list archives

From Kevin Doran <kdo...@apache.org>
Subject Re: OIDC Secured NiFi with Secure NiFi Registry (certs?)
Date Thu, 24 Oct 2019 12:33:20 GMT
This is a very good question, and Pierre gives a good summary of how
to go about solving for it.

Essentially, you need to configure NiFi Registry for how to know about
the users and groups that will be passed to it. That is the
authorizers.xml file Pierre mentioned. There are two options for a
UserGroupProvider: File based and LDAP based. If your NiFi OIDC
provider is backed by an LDAP directory you can hook up to directly,
that would be an option, even if you are not using LDAP for
authentication in Registry. If that's not the case, then configuring
the FileUserGroupProvider and an initial admin (for example, a client
cert authenticated admin), will let you manually define users through
the Registry UI that match the identities of the OIDC users that will
be passed by NiFi.

Best,
Kevin
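As an added illustration of the file-based setup Kevin describes (this is not configuration from the thread or from the NiFi project docs), a minimal NiFi Registry authorizers.xml that seeds a certificate-authenticated admin, one OIDC user, and one NiFi node; all identity strings are placeholders and must be replaced with your own certificate DNs and the exact identity NiFi forwards for each OIDC user.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<authorizers>
    <!-- Users and groups live in a local file; further users are added through the Registry UI -->
    <userGroupProvider>
        <identifier>file-user-group-provider</identifier>
        <class>org.apache.nifi.registry.security.authorization.file.FileUserGroupProvider</class>
        <property name="Users File">./conf/users.xml</property>
        <!-- Seed users on first start only. An OIDC user's value must match, character for
             character, the identity string NiFi passes (after any identity mapping on the NiFi side). -->
        <property name="Initial User Identity 1">CN=registry-admin, OU=NiFi</property> <!-- placeholder: bootstrap admin cert DN -->
        <property name="Initial User Identity 2">alice@example.com</property>          <!-- placeholder: OIDC user identity -->
        <property name="Initial User Identity 3">CN=nifi-node-1, OU=NiFi</property>    <!-- placeholder: NiFi node cert DN -->
    </userGroupProvider>

    <accessPolicyProvider>
        <identifier>file-access-policy-provider</identifier>
        <class>org.apache.nifi.registry.security.authorization.file.FileAccessPolicyProvider</class>
        <property name="User Group Provider">file-user-group-provider</property>
        <property name="Authorizations File">./conf/authorizations.xml</property>
        <!-- Granted full policies on first start; log in with this client cert to create buckets
             and bucket-level policies for the OIDC users. Must also appear as an Initial User Identity. -->
        <property name="Initial Admin Identity">CN=registry-admin, OU=NiFi</property>
        <!-- Each NiFi node's cert DN; this grants the node the /proxy permission it needs to act
             on behalf of the OIDC users connected to it. Add one entry per cluster node. -->
        <property name="NiFi Identity 1">CN=nifi-node-1, OU=NiFi</property>
    </accessPolicyProvider>

    <authorizer>
        <identifier>managed-authorizer</identifier>
        <class>org.apache.nifi.registry.security.authorization.StandardManagedAuthorizer</class>
        <property name="Access Policy Provider">file-access-policy-provider</property>
    </authorizer>
</authorizers>
```

Seed entries are only applied when users.xml and authorizations.xml do not yet exist, so changing them later requires editing those files or removing them and restarting. Bucket-level restriction for a given OIDC user then comes from the bucket policies you create in the Registry UI, not from the node certificate.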

On Thu, Oct 24, 2019 at 5:54 AM Pierre Villard
<pierre.villard.fr@gmail.com> wrote:
>
> Hi Ryan,
>
> NiFi nodes will use their own certificates as identities to authenticate against the
> NiFi Registry and the NiFi nodes will then proxy the users connected to the NiFi instances
> for the interactions with the registry. You have to configure the NiFi node identities as
> well as where to get the users/groups information using the authorizers.xml file [1]. Once
> the users/groups are known in the NiFi Registry you can define the authorizations as you described
> for the users and groups and it will be reflected for the users/groups when they connect to NiFi.
> If, however, you want to allow users to authenticate on the NiFi Registry UI (to create buckets
> for instance), then you'd have to also configure the authentication parts on the Registry
> [2] (note that OIDC is not supported yet [3]).
>
> Hope this helps a bit.
>
> [1] https://nifi.apache.org/docs/nifi-registry-docs/html/administration-guide.html#authorizers-setup
> [2] https://nifi.apache.org/docs/nifi-registry-docs/html/administration-guide.html#user_authentication
> [3] https://issues.apache.org/jira/browse/NIFIREG-313
>
> On Thu, 24 Oct 2019 at 03:54, Ryan H <ryan.howell.development@gmail.com> wrote:
>>
>> Hi All,
>>
>> We currently have a multi-node NiFi cluster (1.8.0) that is secured using the OIDC
>> provider for authentication. We are setting up a secure NiFi Registry (0.5.0) which our secure
>> NiFi cluster will connect to.
>>
>> What is the recommended way to connect the OIDC secured NiFi instance to the secure
>> NiFi Registry (only option looks to be using certs since we are not using LDAP or Kerb)? I
>> am assuming the only way is to do a cert import to NiFi which will then open up all buckets
>> to the entire cluster (based on the permissions of the user tied to the certificate).
>>
>> We are operating in a multi-tenant environment and would like to achieve bucket level
>> permissions for the various users of the system. Accessing the UI of the NiFi Registry instance
>> isn't super important, except for maybe a couple users for which generating a couple certs
>> isn't a big deal. However, allowing users to only access certain buckets may be important.
>>
>> For now just being able to get this hooked up is ideal. Thoughts?
>>
>>
>> Thanks in Advance,
>>
>> Ryan H.
>>
