NiFi LDAP Authentication


NiFi LDAP Authentication

Kalisz, John T.
Is it possible to authenticate NiFi users against LDAP or AD?  Where can I find instructions to do so?  The instructions for setting up rules allude to the idea of using LDAP but I have found no properties related to LDAP ports or servers. If LDAP is not supported, is there a way to add users locally?

<users>
    <user dn="[cn=John Smith,ou=people,dc=example,dc=com]">
        <role name="ROLE_ADMIN"/>
    </user>
</users>

John T. Kalisz
General Dynamics Mission Systems

Office  413-494-3376  |  Cell  413-822-1883  |  [hidden email]

This message and/or attachments may include information subject to GD Corporate Policies 07-103 and 07-105 and is intended to be accessed only by authorized recipients.  Use, storage and transmission are governed by General Dynamics and its policies. Contractual restrictions apply to third parties.  Recipients should refer to the policies or contract to determine proper handling.  Unauthorized review, use, disclosure or distribution is prohibited.  If you are not an intended recipient, please contact the sender and destroy all copies of the original message.


Re: NiFi LDAP Authentication

Matt Gilman
John,

NiFi supports an AuthorityProvider extension point. Currently, we do not
provide one that interacts with LDAP (though we would welcome any
contributions). Users are typically added by having them request accounts.
This is done by having them visit the NiFi instance in question. The
application will not recognize them and will provide an opportunity for
them to request an account. A little star icon will show up over the User
Management icon in the upper right whenever there are any pending account
requests. The Admin will be able to assign roles there (as well as revoke
and remove accounts). This will add (or remove) the entries to the local
authorized users file. This account request model was designed to allow the
Admins to not have to manually enter or edit DNs.

Alternatively, the Admin could manually add the entries to the local
authorized users file prior to starting the application.

Thanks.

Matt Gilman

On Thu, Mar 19, 2015 at 7:09 AM, Kalisz, John T. <[hidden email]>
wrote:

> Is it possible to authenticate NiFi users against LDAP or AD?  Where can I
> find instructions to do so?  The instructions for setting up rules allude
> to the idea of using LDAP but I have found no properties related to LDAP
> ports or servers. If LDAP is not supported, is there a way to add users
> locally?
>
> <users>
>     <user dn="[cn=John Smith,ou=people,dc=example,dc=com]">
>         <role name="ROLE_ADMIN"/>
>     </user>
> </users>
>
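
The manual route described in the reply above, as an added example that is not part of the original thread or NiFi's own code: a Python helper that adds an entry to a file in the format shown in the question, refuses near-duplicate DNs, and lists who holds ROLE_ADMIN. The sample file and DNs are constructed, and the DN comparison rule is an assumption used for auditing, not NiFi's matching logic.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the snippet in the question (not a real file).
# DNs are constructed; the bracket placeholders from that snippet are not reproduced.
SAMPLE = """<users>
    <user dn="cn=John Smith,ou=people,dc=example,dc=com">
        <role name="ROLE_ADMIN"/>
    </user>
</users>"""


def norm_dn(dn):
    """Comparison key for spotting near-duplicate DNs (assumption: an audit
    heuristic that ignores case and spaces around commas)."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def roles_by_dn(xml_text):
    """Map each user's DN to the set of role names granted to it."""
    root = ET.fromstring(xml_text)
    return {u.get("dn"): {r.get("name") for r in u.findall("role")}
            for u in root.findall("user")}


def add_user(xml_text, dn, roles):
    """Return the XML with a new <user> entry; refuse near-duplicate DNs."""
    root = ET.fromstring(xml_text)
    for u in root.findall("user"):
        if norm_dn(u.get("dn", "")) == norm_dn(dn):
            raise ValueError("DN already present: " + u.get("dn"))
    # ElementTree escapes quotes, '&' and '<' in attribute values on output.
    user = ET.SubElement(root, "user", {"dn": dn})
    for name in roles:
        ET.SubElement(user, "role", {"name": name})
    return ET.tostring(root, encoding="unicode")


def admins(xml_text):
    """List DNs holding ROLE_ADMIN, for review before starting the application."""
    return sorted(dn for dn, r in roles_by_dn(xml_text).items()
                  if "ROLE_ADMIN" in r)


if __name__ == "__main__":
    updated = add_user(SAMPLE, 'cn=Jane "JD" Doe,ou=people,dc=example,dc=com',
                       ["ROLE_ADMIN"])
    print(updated)
    print(admins(updated))
```
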

Re: NiFi LDAP Authentication

Oscar de la Pena
When I first read in the admin guide that NiFi comes with an authentication feature, I was expecting an HTTPS form-based login page. After trying it for myself, I found that it uses mutual certificate authentication, which I read is more secure than the form-based scheme.

If I want a form-based login page, I guess I would have to implement it as an extension, unless there's already an available implementation for such a requirement and it's only lacking in the documentation. Please advise. Thanks

Owie

Re: NiFi LDAP Authentication

Matt Gilman
Owie,

The authentication model is not an extension point at the moment. You are
correct that the only means of authentication is certificate based. The
authorization model is what is extensible. Basically the application will
tell the AuthorityProvider who the user is and it provides what it is that
they are allowed to do.

I am not sure how a pluggable authentication model would work within the
context of NiFi but it's something that could certainly be considered.
Adding direct support for another type of authentication like basic when a
certificate is not present may also be a possibility.

Matt

On Fri, Mar 20, 2015 at 4:07 AM, owieboy <[hidden email]> wrote:

> When I first read in the admin guide that NiFi comes with an authentication
> feature, I was expecting an HTTPS form-based login page. After trying it for
> myself, I found that it uses mutual certificate authentication, which I
> read is more secure than the form-based scheme.
>
> If I want a form-based login page, I guess I would have to implement it as
> an extension, unless there's already an available implementation for such a
> requirement and it's only lacking in the documentation. Please advise.
> Thanks
>
> Owie