simple username+password authentication


simple username+password authentication

Luke
Hi guys,

After spending half a day configuring NiFi to be secure enough to even
contemplate reading the next section on user authentication, it seems
like there is no simple username+password authentication available.

Is this correct and am I mistaken??

I have NiFi running behind Nginx so I might just use BASIC auth, which
means 'unsecuring' NiFi so authentication can be skipped.

It's just exasperating that NiFi's tight security has actually caused me
to give up on securing it.

Regards,

- Luke

Re: simple username+password authentication

Pierre Villard
Hi Luke,

Login/password authentication is possible (and the most frequently used
option in enterprises) as long as you have a LDAP/AD backend. However you
can't have NiFi allowing you to create users with a password.

Let us know if something is not clear.

Thanks,
Pierre

On Fri, 21 Sep 2018 at 13:05, Luke <[hidden email]> wrote:

> Hi guys,
>
> After spending half a day configuring NiFi to be secure enough to even
> contemplate reading the next section on user authentication, it seems
> like there is no simple username+password authentication available.
>
> Is this correct and am I mistaken??
>
> I have NiFi running behind Nginx so I might just use BASIC auth, which
> means 'unsecuring' NiFi so authentication can be skipped.
>
> It's just exasperating that NiFi's tight security has actually caused me
> to give up on securing it.
>
> Regards,
>
> - Luke
>

Re: simple username+password authentication

Bryan Bende
Hi Luke,

Just to elaborate a little bit more, the options for authenticating users are...

- Client certificates
- LDAP username/password
- Kerberos username/password
- Kerberos SPNEGO
- Knox SSO
- Open ID Connect
- Custom login identity provider

As Pierre mentioned, the management of the users and passwords would
be done external to NiFi in whichever of these approaches is being
used.

-Bryan

On Fri, Sep 21, 2018 at 7:53 AM Pierre Villard
<[hidden email]> wrote:

>
> Hi Luke,
>
> Login/password authentication is possible (and the most frequently used
> option in enterprises) as long as you have a LDAP/AD backend. However you
> can't have NiFi allowing you to create users with a password.
>
> Let us know if something is not clear.
>
> Thanks,
> Pierre
>
> On Fri, 21 Sep 2018 at 13:05, Luke <[hidden email]> wrote:
>
> > Hi guys,
> >
> > After spending half a day configuring NiFi to be secure enough to even
> > contemplate reading the next section on user authentication, it seems
> > like there is no simple username+password authentication available.
> >
> > Is this correct and am I mistaken??
> >
> > I have NiFi running behind Nginx so I might just use BASIC auth, which
> > means 'unsecuring' NiFi so authentication can be skipped.
> >
> > It's just exasperating that NiFi's tight security has actually caused me
> > to give up on securing it.
> >
> > Regards,
> >
> > - Luke
> >
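
An added example, not part of the thread or of NiFi's shipped configuration: a `login-identity-providers.xml` entry for the "LDAP username/password" option listed above, using LDAPS so the bind password is not sent unencrypted as it would be with the SIMPLE strategy. Host names, DNs, paths and passwords are placeholders; the property names follow the LDAP provider template in the NiFi Administration Guide and should be checked against your version. The provider is selected with `nifi.security.user.login.identity.provider=ldap-provider` in `nifi.properties`.

```xml
<!-- conf/login-identity-providers.xml (added example; all values are placeholders) -->
<loginIdentityProviders>
    <provider>
        <identifier>ldap-provider</identifier>
        <class>org.apache.nifi.ldap.LdapProvider</class>
        <!-- LDAPS or START_TLS protect the bind; SIMPLE sends the password unencrypted -->
        <property name="Authentication Strategy">LDAPS</property>
        <!-- Service account used to search for the user entry before binding as the user -->
        <property name="Manager DN">cn=nifi-bind,ou=services,dc=example,dc=org</property>
        <property name="Manager Password">CHANGE_ME</property>
        <!-- Truststore holding the CA that issued the LDAP server certificate -->
        <property name="TLS - Truststore">/opt/nifi/conf/ldap-truststore.jks</property>
        <property name="TLS - Truststore Password">CHANGE_ME</property>
        <property name="TLS - Truststore Type">JKS</property>
        <property name="TLS - Protocol">TLSv1.2</property>
        <property name="Referral Strategy">FOLLOW</property>
        <property name="Connect Timeout">10 secs</property>
        <property name="Read Timeout">10 secs</property>
        <property name="Url">ldaps://ldap.example.org:636</property>
        <property name="User Search Base">ou=people,dc=example,dc=org</property>
        <!-- {0} is replaced with the name typed into the NiFi login form -->
        <property name="User Search Filter">uid={0}</property>
        <!-- USE_USERNAME keeps the login name as the NiFi identity; USE_DN uses the full DN -->
        <property name="Identity Strategy">USE_USERNAME</property>
        <property name="Authentication Expiration">12 hours</property>
    </provider>
</loginIdentityProviders>
```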

Re: simple username+password authentication

Andy LoPresto-2
Luke,

To follow up on your original point, we’re sorry that securing NiFi has proven challenging for you. If you have specific suggestions of what steps could be called out and made easier, tooling to avoid manual operations, or places where you started down the wrong path and had to back out, we would love to make improvements there. 

As to why NiFi doesn’t provide a “sign up” page or allow you to define users and passwords directly, securing that storage is a difficult problem, and one that very few people deploying a system like NiFi will take seriously. Through many discussions, we have determined that a better solution is to offload the security of those credentials to a robust external system like LDAP or OpenID Connect, which are widely used and have the support of a large community behind them. 

I understand the desire for a “simple” setup, especially when trying NiFi out for the first time to evaluate it. However, we strongly feel that providing an option that isn’t as secure as possible by default is irresponsible to our users, and would be abused in production environments, leading to an overall weakening of the project. 

I know there was previous work to develop a local username/password storage option that was objected to in the past. Perhaps there are new developments on that front and it makes sense to revisit and evaluate again. 

Please let me know if you have additional questions or suggestions here. Thanks. 

Andy LoPresto
PGP Fingerprint: 70EC B3E5 98A6 5A3F D3C4  BACE 3C6E F65B 2F7D EF69

> On Sep 21, 2018, at 7:20 AM, Bryan Bende <[hidden email]> wrote:
>
> Hi Luke,
>
> Just to elaborate a little bit more, the options for authenticating users are...
>
> - Client certificates
> - LDAP username/password
> - Kerberos username/password
> - Kerberos SPNEGO
> - Knox SSO
> - Open ID Connect
> - Custom login identity provider
>
> As Pierre mentioned, the management of the users and passwords would
> be done external to NiFi in whichever of these approaches is being
> used.
>
> -Bryan
>
> On Fri, Sep 21, 2018 at 7:53 AM Pierre Villard
> <[hidden email]> wrote:
>
> > Hi Luke,
> >
> > Login/password authentication is possible (and the most frequently used
> > option in enterprises) as long as you have a LDAP/AD backend. However you
> > can't have NiFi allowing you to create users with a password.
> >
> > Let us know if something is not clear.
> >
> > Thanks,
> > Pierre
> >
> > On Fri, 21 Sep 2018 at 13:05, Luke <[hidden email]> wrote:
> >
> > > Hi guys,
> > >
> > > After spending half a day configuring NiFi to be secure enough to even
> > > contemplate reading the next section on user authentication, it seems
> > > like there is no simple username+password authentication available.
> > >
> > > Is this correct and am I mistaken??
> > >
> > > I have NiFi running behind Nginx so I might just use BASIC auth, which
> > > means 'unsecuring' NiFi so authentication can be skipped.
> > >
> > > It's just exasperating that NiFi's tight security has actually caused me
> > > to give up on securing it.
> > >
> > > Regards,
> > >
> > > - Luke




Re: simple username+password authentication

Mohammed Nadeem
In reply to this post by Luke
Hi Luke,

To elaborate on Bryan's point about a custom login identity provider: there is
a nice example which you can mimic for implementing simple file-based
authentication, which internally stores all of your credentials in a
login-credentials.xml file with passwords encrypted as bcrypt hashes (you
can provide a more secure way if you wish).

Further link to the file identity provider bundle
https://github.com/BatchIQ/nifi-file-identity-provider-bundle

Regards,
Nadeem


