nifi-users mailing list archives

From Bryan Bende <bbe...@gmail.com>
Subject Re: OIDC Secured NiFi with Secure NiFi Registry (certs?)
Date Thu, 24 Oct 2019 13:13:10 GMT
Drew put together some good videos that are linked to from the
registry page on the website:

https://www.youtube.com/watch?v=qD03ao3R-a4&feature=youtu.be

https://www.youtube.com/watch?v=DSO12fhnZ90&feature=youtu.be

On Thu, Oct 24, 2019 at 8:56 AM Ryan H
<ryan.howell.development@gmail.com> wrote:
>
> Pierre/Kevin,
>
> Thanks for the additional info on this. Yes, this makes sense to me. I wasn't sure if
> what I was wanting to do worked or was supported at this time, but now I see how it will.
> To summarize, I just need to spin up the registry with an initial admin user which will have
> a cert created to access the registry UI. From the UI, the initial admin can add in users
> for the NiFi Nodes and any users that should have access to Registry (with whatever bucket
> permissions desired). When connecting NiFi to Registry, the nodes will identify themselves
> via their node certs which will succeed as long as corresponding node users have been created
> on Registry. When users place something under version control, they will only be able to access
> Buckets that they have been granted permissions for via their corresponding/matching user
> identities as created on Registry via the initial admin user. I hope I summarized this correctly.
>
> As always, thanks for the quick responses and help.
>
>
> Cheers,
>
> Ryan H
>
> On Thu, Oct 24, 2019 at 8:33 AM Kevin Doran <kdoran@apache.org> wrote:
>>
>> This is a very good question, and Pierre gives a good summary of how
>> to go about solving for it.
>>
>> Essentially, you need to configure NiFi Registry for how to know about
>> the users and groups that will be passed to it. That is the
>> authorizers.xml file Pierre mentioned. There are two options for a
>> UserGroupProvider: File based and LDAP based. If your NiFi OIDC
>> provider is backed by an LDAP directory you can hook up to directly,
>> that would be an option, even if you are not using LDAP for
>> authentication in Registry. If that's not the case, then configuring
>> the FileUserGroupProvider and an initial admin (for example, a client
>> cert authenticated admin), will let you manually define users through
>> the Registry UI that match the identities of the OIDC users that will
>> be passed by NiFi.
>>
>> Best,
>> Kevin
>>
>> On Thu, Oct 24, 2019 at 5:54 AM Pierre Villard
>> <pierre.villard.fr@gmail.com> wrote:
>> >
>> > Hi Ryan,
>> >
>> > NiFi nodes will use their own certificates as identities to authenticate against
>> > the NiFi Registry and the NiFi nodes will then proxy the users connected to the NiFi instances
>> > for the interactions with the registry. You have to configure the NiFi node identities as
>> > well as where to get the users/groups information using the authorizers.xml file [1]. Once
>> > the users/groups are known in the NiFi Registry you can define the authorizations as you described
>> > for the users and groups and it will be reflected for the users/groups when they connect to NiFi.
>> > If, however, you want to allow users to authenticate on the NiFi Registry UI (to create buckets
>> > for instance), then you'd have to also configure the authentication parts on the Registry
>> > [2] (note that OIDC is not supported yet [3]).
>> >
>> > Hope this helps a bit.
>> >
>> > [1] https://nifi.apache.org/docs/nifi-registry-docs/html/administration-guide.html#authorizers-setup
>> > [2] https://nifi.apache.org/docs/nifi-registry-docs/html/administration-guide.html#user_authentication
>> > [3] https://issues.apache.org/jira/browse/NIFIREG-313
>> >
>> > On Thu, 24 Oct 2019 at 03:54, Ryan H <ryan.howell.development@gmail.com>
>> > wrote:
>> >>
>> >> Hi All,
>> >>
>> >> We currently have a multi-node NiFi cluster (1.8.0) that is secured using
>> >> the OIDC provider for authentication. We are setting up a secure NiFi Registry (0.5.0) which
>> >> our secure NiFi cluster will connect to.
>> >>
>> >> What is the recommended way to connect the OIDC secured NiFi instance to
>> >> the secure NiFi Registry (only option looks to be using certs since we are not using LDAP
>> >> or Kerb)? I am assuming the only way is to do a cert import to NiFi which will then open up
>> >> all buckets to the entire cluster (based on the permissions of the user tied to the certificate).
>> >>
>> >> We are operating in a multi-tenant environment and would like to achieve
>> >> bucket level permissions for the various users of the system. Accessing the UI of the NiFi
>> >> Registry instance isn't super important, except for maybe a couple users for which generating
>> >> a couple certs isn't a big deal. However, allowing users to only access certain buckets may
>> >> be important.
>> >>
>> >> For now just being able to get this hooked up is ideal. Thoughts?
>> >>
>> >>
>> >> Thanks in Advance,
>> >>
>> >> Ryan H.
>> >>
