Re: why cant nifi perform user authentication over http

classic Classic list List threaded Threaded
4 messages Options
Reply | Threaded
Open this post in threaded view
|

Re: why cant nifi perform user authentication over http

Kevin Doran
Hi YuNing,

In your original post, you mentioned a need for multi-tenant authorization. For that use case, I would not recommend transmitting passwords, even encrypted/hashed passwords, over unencrypted HTTP, as the authorized operations would be still be vulnerable to man-in-the-middle (MITM) attacks and replay attacks.

As you mentioned, modifying the NiFi source code to allow authorization over HTTP instead of HTTPS would be a significant task, and at the end of the day would have the vulnerabilities I described. My advice is that it would be a better use of time and effort to configure your NiFi server(s) to use HTTPS. The NiFi Toolkit [1] [2] includes TLS utilities to make this easier, and there are plenty of folks on this list who can assist you if you have questions while setting up HTTPS.

If you truly do not need to worry about security for your use case and do not want to use HTTPS, then using HTTP without authorization is an option.

Regards,
Kevin

[1] https://nifi.apache.org/download.html 
[2] https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#tls-generation-toolkit 

On 7/24/17, 23:00, "Sam Feng" <[hidden email]> wrote:

    Hello Kevin,
   
       Your answers helps me a lot.  Now i am trying to modify nifi`s sourcecode to enable http authentication, because the platform where i am using nifi is not that sensitive about security, and we use ldap as login-identity-providers whitch password is already encrypted by an unique key.
        But i find it difficult to modify it`s sourceCode. there so many places that limit login and authentication from http, and i have to edit all of it, which will certainly take a lot of time to find them.  
        Do you have any idea on how to modify nifi`s code more efficiently, or if there are  some other way to get what i want.
       
        As you can see my English is poor, thanks for you patience.
   
    Thanks for your reply.
    Best Regards
    YuNing
   
   
    On 2017-07-21 19:07 (+0800), Kevin Doran <[hidden email]> wrote:
    > Hi,
    >
    > You are correct, NiFi requires an encrypted connection for user authentication. This is because client identity is established in one of two ways:
    >
    > - user name & password, which should not be sent over a non-encrypted connection
    > - client certificate in a two-way TLS (HTTPS) connection
    >
    > I hope this answers your question. If HTTPS is suitable for your needs, here are some resources to help you get started:
    >
    > - NiFi System Administration Guide, specifically sections on User Authentication [1] and Multi-Tenant Authorization [2]
    > - Bryan Bende's blog post on NiFi Authorization and Multi-Tenancy [3]
    >
    > I hope this helps! If you have any questions you can post back to this thread.
    >
    > Regards,
    > Kevin
    >
    > [1] https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#user_authentication 
    > [2] https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#multi-tenant-authorization 
    > [3] http://bryanbende.com/development/2016/08/17/apache-nifi-1-0-0-authorization-and-multi-tenancy 
    >
    >
    > On 7/21/17, 02:02, "[hidden email]" <[hidden email]> wrote:
    >
    >    
    >         Hello, I am a developer from china, i recently want to apply multi-tenant authorization on nifi, but find that nifi doesn't support authorization over http. can you tell me the reason, and can i enable authentication over http by modify it's source code.
    >        
    >     Thanks for your early reply.
    >     Best Regards
    >        
    >    
    >    
    >
    >
    >
   


Reply | Threaded
Open this post in threaded view
|

Re: why cant nifi perform user authentication over http

Andy LoPresto-2
Modifying NiFi’s source code to provide user authentication and authorization over HTTP is highly discouraged. Along with the possibility for credential leak that Kevin mentioned, any plaintext HTTP request can be intercepted, monitored, and modified before being relayed to the NiFi application. This means that any and all actions are susceptible to malicious changes, and any entity monitoring the network can perform actions under the assumed identity of another user. This would be an incredible amount of effort and almost definitely pointless. 


Andy LoPresto
PGP Fingerprint: 70EC B3E5 98A6 5A3F D3C4  BACE 3C6E F65B 2F7D EF69

On Jul 25, 2017, at 7:09 AM, Kevin Doran <[hidden email]> wrote:

Hi YuNing,

In your original post, you mentioned a need for multi-tenant authorization. For that use case, I would not recommend transmitting passwords, even encrypted/hashed passwords, over unencrypted HTTP, as the authorized operations would be still be vulnerable to man-in-the-middle (MITM) attacks and replay attacks.

As you mentioned, modifying the NiFi source code to allow authorization over HTTP instead of HTTPS would be a significant task, and at the end of the day would have the vulnerabilities I described. My advice is that it would be a better use of time and effort to configure your NiFi server(s) to use HTTPS. The NiFi Toolkit [1] [2] includes TLS utilities to make this easier, and there are plenty of folks on this list who can assist you if you have questions while setting up HTTPS.

If you truly do not need to worry about security for your use case and do not want to use HTTPS, then using HTTP without authorization is an option.

Regards,
Kevin

[1] https://nifi.apache.org/download.html
[2] https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#tls-generation-toolkit

On 7/24/17, 23:00, "Sam Feng" <[hidden email]> wrote:

   Hello Kevin,

      Your answers helps me a lot.  Now i am trying to modify nifi`s sourcecode to enable http authentication, because the platform where i am using nifi is not that sensitive about security, and we use ldap as login-identity-providers whitch password is already encrypted by an unique key.
       But i find it difficult to modify it`s sourceCode. there so many places that limit login and authentication from http, and i have to edit all of it, which will certainly take a lot of time to find them.  
       Do you have any idea on how to modify nifi`s code more efficiently, or if there are  some other way to get what i want.

       As you can see my English is poor, thanks for you patience.

   Thanks for your reply.
   Best Regards
   YuNing


   On 2017-07-21 19:07 (+0800), Kevin Doran <[hidden email]> wrote:
Hi,

You are correct, NiFi requires an encrypted connection for user authentication. This is because client identity is established in one of two ways:

- user name & password, which should not be sent over a non-encrypted connection
- client certificate in a two-way TLS (HTTPS) connection

I hope this answers your question. If HTTPS is suitable for your needs, here are some resources to help you get started:

- NiFi System Administration Guide, specifically sections on User Authentication [1] and Multi-Tenant Authorization [2]
- Bryan Bende's blog post on NiFi Authorization and Multi-Tenancy [3]

I hope this helps! If you have any questions you can post back to this thread.

Regards,
Kevin

[1] https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#user_authentication
[2] https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#multi-tenant-authorization
[3] http://bryanbende.com/development/2016/08/17/apache-nifi-1-0-0-authorization-and-multi-tenancy


On 7/21/17, 02:02, "[hidden email]" <[hidden email]> wrote:


       Hello, I am a developer from china, i recently want to apply multi-tenant authorization on nifi, but find that nifi doesn't support authorization over http. can you tell me the reason, and can i enable authentication over http by modify it's source code.

   Thanks for your early reply.
   Best Regards











signature.asc (859 bytes) Download Attachment
Reply | Threaded
Open this post in threaded view
|

Re: why cant nifi perform user authentication over http

Joe Witt
YuNing

What can we do to help you setup an HTTPS based environment?  We can
support LDAP-based username and password authentication in that
environment.  We've basically taken a "what is the point" approach to
trying to add authentication/authorization in the HTTP only context so
all is based around HTTPS as the entry point.  From there we've put in
a lot of effort to help you choose the most effective
authentication/authorization model for your case.  There are also some
nice toolkit capabilities that come with the release now too to help
with cert creation.

Thanks
Joe

On Tue, Jul 25, 2017 at 12:54 PM, Andy LoPresto <[hidden email]> wrote:

> Modifying NiFi’s source code to provide user authentication and
> authorization over HTTP is highly discouraged. Along with the possibility
> for credential leak that Kevin mentioned, any plaintext HTTP request can be
> intercepted, monitored, and modified before being relayed to the NiFi
> application. This means that any and all actions are susceptible to
> malicious changes, and any entity monitoring the network can perform actions
> under the assumed identity of another user. This would be an incredible
> amount of effort and almost definitely pointless.
>
>
> Andy LoPresto
> [hidden email]
> [hidden email]
> PGP Fingerprint: 70EC B3E5 98A6 5A3F D3C4  BACE 3C6E F65B 2F7D EF69
>
> On Jul 25, 2017, at 7:09 AM, Kevin Doran <[hidden email]> wrote:
>
> Hi YuNing,
>
> In your original post, you mentioned a need for multi-tenant authorization.
> For that use case, I would not recommend transmitting passwords, even
> encrypted/hashed passwords, over unencrypted HTTP, as the authorized
> operations would be still be vulnerable to man-in-the-middle (MITM) attacks
> and replay attacks.
>
> As you mentioned, modifying the NiFi source code to allow authorization over
> HTTP instead of HTTPS would be a significant task, and at the end of the day
> would have the vulnerabilities I described. My advice is that it would be a
> better use of time and effort to configure your NiFi server(s) to use HTTPS.
> The NiFi Toolkit [1] [2] includes TLS utilities to make this easier, and
> there are plenty of folks on this list who can assist you if you have
> questions while setting up HTTPS.
>
> If you truly do not need to worry about security for your use case and do
> not want to use HTTPS, then using HTTP without authorization is an option.
>
> Regards,
> Kevin
>
> [1] https://nifi.apache.org/download.html
> [2]
> https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#tls-generation-toolkit
>
> On 7/24/17, 23:00, "Sam Feng" <[hidden email]> wrote:
>
>    Hello Kevin,
>
>       Your answers helps me a lot.  Now i am trying to modify nifi`s
> sourcecode to enable http authentication, because the platform where i am
> using nifi is not that sensitive about security, and we use ldap as
> login-identity-providers whitch password is already encrypted by an unique
> key.
>        But i find it difficult to modify it`s sourceCode. there so many
> places that limit login and authentication from http, and i have to edit all
> of it, which will certainly take a lot of time to find them.
>        Do you have any idea on how to modify nifi`s code more efficiently,
> or if there are  some other way to get what i want.
>
>        As you can see my English is poor, thanks for you patience.
>
>    Thanks for your reply.
>    Best Regards
>    YuNing
>
>
>    On 2017-07-21 19:07 (+0800), Kevin Doran <[hidden email]> wrote:
>
> Hi,
>
> You are correct, NiFi requires an encrypted connection for user
> authentication. This is because client identity is established in one of two
> ways:
>
> - user name & password, which should not be sent over a non-encrypted
> connection
> - client certificate in a two-way TLS (HTTPS) connection
>
> I hope this answers your question. If HTTPS is suitable for your needs, here
> are some resources to help you get started:
>
> - NiFi System Administration Guide, specifically sections on User
> Authentication [1] and Multi-Tenant Authorization [2]
> - Bryan Bende's blog post on NiFi Authorization and Multi-Tenancy [3]
>
> I hope this helps! If you have any questions you can post back to this
> thread.
>
> Regards,
> Kevin
>
> [1]
> https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#user_authentication
> [2]
> https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#multi-tenant-authorization
> [3]
> http://bryanbende.com/development/2016/08/17/apache-nifi-1-0-0-authorization-and-multi-tenancy
>
>
> On 7/21/17, 02:02, "[hidden email]" <[hidden email]> wrote:
>
>
>        Hello, I am a developer from china, i recently want to apply
> multi-tenant authorization on nifi, but find that nifi doesn't support
> authorization over http. can you tell me the reason, and can i enable
> authentication over http by modify it's source code.
>
>    Thanks for your early reply.
>    Best Regards
>
>
>
>
>
>
>
>
>
>
Reply | Threaded
Open this post in threaded view
|

Re: why cant nifi perform user authentication over http

Sam Feng
Hello Joe
   The scene is that we want to put nifi into an iframe page in our platform. because of nifi dosen't support multi-cavas for multi-tenants, we may use multi-nifi-instance in our platform to suport multi-tenants. That is to say  one group of users use one instance of nifi while another group use another instance.
   The problem is that using https in an iframe is not as friendly as http. because a SSL connection needs cert for authentication , and when using LDAP with https the connection will be considered not secure by browser(our cert is generate by nifi-toolkit). For a good User Experience we need to use http rather than https.

Thank you anyway.
YuNing


On 2017-07-26 01:04 (+0800), Joe Witt <[hidden email]> wrote:

> YuNing
>
> What can we do to help you setup an HTTPS based environment?  We can
> support LDAP-based username and password authentication in that
> environment.  We've basically taken a "what is the point" approach to
> trying to add authentication/authorization in the HTTP only context so
> all is based around HTTPS as the entry point.  From there we've put in
> a lot of effort to help you choose the most effective
> authentication/authorization model for your case.  There are also some
> nice toolkit capabilities that come with the release now too to help
> with cert creation.
>
> Thanks
> Joe
>
> On Tue, Jul 25, 2017 at 12:54 PM, Andy LoPresto <[hidden email]> wrote:
> > Modifying NiFi’s source code to provide user authentication and
> > authorization over HTTP is highly discouraged. Along with the possibility
> > for credential leak that Kevin mentioned, any plaintext HTTP request can be
> > intercepted, monitored, and modified before being relayed to the NiFi
> > application. This means that any and all actions are susceptible to
> > malicious changes, and any entity monitoring the network can perform actions
> > under the assumed identity of another user. This would be an incredible
> > amount of effort and almost definitely pointless.
> >
> >
> > Andy LoPresto
> > [hidden email]
> > [hidden email]
> > PGP Fingerprint: 70EC B3E5 98A6 5A3F D3C4  BACE 3C6E F65B 2F7D EF69
> >
> > On Jul 25, 2017, at 7:09 AM, Kevin Doran <[hidden email]> wrote:
> >
> > Hi YuNing,
> >
> > In your original post, you mentioned a need for multi-tenant authorization.
> > For that use case, I would not recommend transmitting passwords, even
> > encrypted/hashed passwords, over unencrypted HTTP, as the authorized
> > operations would be still be vulnerable to man-in-the-middle (MITM) attacks
> > and replay attacks.
> >
> > As you mentioned, modifying the NiFi source code to allow authorization over
> > HTTP instead of HTTPS would be a significant task, and at the end of the day
> > would have the vulnerabilities I described. My advice is that it would be a
> > better use of time and effort to configure your NiFi server(s) to use HTTPS.
> > The NiFi Toolkit [1] [2] includes TLS utilities to make this easier, and
> > there are plenty of folks on this list who can assist you if you have
> > questions while setting up HTTPS.
> >
> > If you truly do not need to worry about security for your use case and do
> > not want to use HTTPS, then using HTTP without authorization is an option.
> >
> > Regards,
> > Kevin
> >
> > [1] https://nifi.apache.org/download.html
> > [2]
> > https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#tls-generation-toolkit
> >
> > On 7/24/17, 23:00, "Sam Feng" <[hidden email]> wrote:
> >
> >    Hello Kevin,
> >
> >       Your answers helps me a lot.  Now i am trying to modify nifi`s
> > sourcecode to enable http authentication, because the platform where i am
> > using nifi is not that sensitive about security, and we use ldap as
> > login-identity-providers whitch password is already encrypted by an unique
> > key.
> >        But i find it difficult to modify it`s sourceCode. there so many
> > places that limit login and authentication from http, and i have to edit all
> > of it, which will certainly take a lot of time to find them.
> >        Do you have any idea on how to modify nifi`s code more efficiently,
> > or if there are  some other way to get what i want.
> >
> >        As you can see my English is poor, thanks for you patience.
> >
> >    Thanks for your reply.
> >    Best Regards
> >    YuNing
> >
> >
> >    On 2017-07-21 19:07 (+0800), Kevin Doran <[hidden email]> wrote:
> >
> > Hi,
> >
> > You are correct, NiFi requires an encrypted connection for user
> > authentication. This is because client identity is established in one of two
> > ways:
> >
> > - user name & password, which should not be sent over a non-encrypted
> > connection
> > - client certificate in a two-way TLS (HTTPS) connection
> >
> > I hope this answers your question. If HTTPS is suitable for your needs, here
> > are some resources to help you get started:
> >
> > - NiFi System Administration Guide, specifically sections on User
> > Authentication [1] and Multi-Tenant Authorization [2]
> > - Bryan Bende's blog post on NiFi Authorization and Multi-Tenancy [3]
> >
> > I hope this helps! If you have any questions you can post back to this
> > thread.
> >
> > Regards,
> > Kevin
> >
> > [1]
> > https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#user_authentication
> > [2]
> > https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#multi-tenant-authorization
> > [3]
> > http://bryanbende.com/development/2016/08/17/apache-nifi-1-0-0-authorization-and-multi-tenancy
> >
> >
> > On 7/21/17, 02:02, "[hidden email]" <[hidden email]> wrote:
> >
> >
> >        Hello, I am a developer from china, i recently want to apply
> > multi-tenant authorization on nifi, but find that nifi doesn't support
> > authorization over http. can you tell me the reason, and can i enable
> > authentication over http by modify it's source code.
> >
> >    Thanks for your early reply.
> >    Best Regards
> >
> >
> >
> >
> >
> >
> >
> >
> >
> >
>