NiFi service authentication

Simple authentication in the NiFi service is performed with a user that has an account in Active Directory.

NOTE
Authentication is enabled by running the Enable SSL action (see SSL channel security) after the configuration options of the NiFi service, including the LDAP settings, have been set.

The configuration parameters required to enable authentication are given below.

Basic LDAP concepts used in NiFi service configuration parameters:

  • Active Directory — a database and a set of services that connect users to the necessary network resources.

  • LDAP server — a hierarchical database, a directory service based on Active Directory, used for centralized storage of accounts.

  • LDAP — an application layer protocol for accessing the Active Directory directory service.

  • DN (Distinguished Name) — the name that uniquely identifies an entry (for example, a user or host account) in Active Directory. The DN must be unique within the tree; it lists the attributes along the path through the tree that leads to the entry.

    A DN consists of a series of RDNs (Relative Distinguished Names) obtained by moving up the tree towards its root entry. The RDNs are written from left to right, starting with the entry itself.

    Example DN for user used in this article:

    CN=admin, DC=ad, DC=ranger-test.

    Example host DN used in this article:

    CN=ads-host-1.example.com, OU=AD, O=AD, L=MSK, ST=MO, C=RU.

    These entries are assigned the following RDNs:

    • CN — a common name of the user or host.

    • OU — an organizational unit, a container in an Active Directory domain that can contain users, groups, and computers. An organizational unit can contain further OUs.

    • DC — a domain component. The domain components represent the top of the LDAP tree, whose namespace is derived from DNS.

    • O — an organization name.

    • L — a locality name.

    • ST — a state or province name.

    • C — a country name.

Prerequisites for enabling authentication

CAUTION

Enabling SSL and LDAP Auth for the NiFi service is available starting with version 1.7.0.b1 of the ADS cluster.

  1. Verify that the prerequisites for running the Enable SSL action on an ADS cluster are met in the article SSL channel security.

  2. Make sure you have the data needed to set up authentication in the NiFi service using the LDAP protocol:

    • LDAP server address LDAP/AD URL — URL to the LDAP/AD synchronization source in the format ldaps://{host}:{port}.

    • DN of a user that has an entry in the Active Directory directory with the rights to search users and groups, and that user's password.

    • Base DN to search for users in AD (and filter if necessary).

    • Base DN to search for groups in AD (and filter if necessary).

Set configuration options

The parameters that need to be set for the NiFi service are described below.

NOTE

This article only lists the settings you need to set to successfully enable authentication. Detailed information on all configuration parameters can be found in the article ADS configuration parameters.

Required parameters for configuring SSL

To configure SSL, you must fill in the authorizers.xml configuration parameters.

Figure: Configuration parameters of the authorizers.xml file

The required parameters are described below.

authorizers.xml

Parameter: DN NiFi’s nodes list
Description: List of user and system identities used to seed the User File. These fields are required when SSL is enabled for the first time. The list must include not only the DName of the NiFi Server component but also the DName of the NiFi Registry and the DNames of the MiNiFi service components. For example, for an SSL-enabled cluster consisting of only NiFi Server, when adding a MiNiFi service or Schema Registry extension, you need to supplement this list with the new DNames.
Example:
  CN=sov-ads-test-1.ru-central1.internal, OU=AD, O=AD, L=MSK, S=MO, C=RU
  CN=sov-ads-test-2.ru-central1.internal, OU=AD, O=AD, L=MSK, S=MO, C=RU
  CN=sov-ads-test-3.ru-central1.internal, OU=AD, O=AD, L=MSK, S=MO, C=RU

Parameter: NiFi Initial Admin
Description: ID of the primary administrator user, who is granted access to the user interface and the ability to create additional users, groups, and policies. The value of this property can be:
  • the full user DN, when the Identity Strategy value of the LDAP Login Identity Provider group is set to USE_DN;
  • only the login (name) of the user, when the Identity Strategy value of the LDAP Login Identity Provider group is set to USE_USERNAME.
Example: ppetrov

Parameter: NiFi Initial Admin password
Description: Password of the user designated by NiFi Initial Admin.
Example: The password with which this user is registered in Active Directory.

Required parameters for setting up LDAP

To enter LDAP parameters, you must enable the LDAP Login Identity Provider and LDAP UserGroupProvider switches.

Figure: Including sections to populate LDAP configuration parameters
Figure: Configuration parameters of the LDAP Login Identity Provider section

The required parameters are described below.

LDAP Login Identity Provider

Parameter: Authentication Strategy
Description: How the connection to the LDAP server is authenticated.
Example: SIMPLE

Parameter: Manager DN
Description: DN of a user that has an entry in Active Directory with the right to search users and groups. It is used to bind to the LDAP server when searching for users.
Example: cn=admin,dc=ad,dc=ranger-test

Parameter: Manager Password
Description: Password of the manager user that is used to bind to the LDAP server when searching for users.
Example: The password with which this user is registered in Active Directory.

Parameter: Referral Strategy
Description: Strategy for handling referrals.
Example: FOLLOW

Parameter: Connect Timeout
Description: Duration of the connect timeout.
Example: 10 secs

Parameter: Read Timeout
Description: Duration of the read timeout.
Example: 10 secs

Parameter: LDAP URL
Description: Space-separated list of URLs of the LDAP servers (e.g. ldap://<hostname>:<port>).
Example: ldap://ad01.adsw.io:389

Parameter: User Search Base
Description: Base DN for searching for users (e.g. ou=users,o=nifi). Required to search users.
Example: ou=Peoples,dc=ad,dc=ranger-test

Parameter: User Search Filter
Description: Filter for searching for users against the User Search Base (e.g. sAMAccountName={0}). The login name entered by the user is inserted into {0}.
Example: (sAMAccountName={0})

Parameter: Identity Strategy
Description: Strategy to identify users. Possible values are USE_DN and USE_USERNAME.
Example: USE_USERNAME

Parameter: Authentication Expiration
Description: How long a user authentication remains valid. If the user never logs out, they are required to log in again after this duration.
Example: 12 hours
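As an added example (not part of this article and not ADS or NiFi code), the following Python script parses the DNs from the LDAP concepts section above into RDNs and checks a set of LDAP Login Identity Provider values, using this article's example values as constructed input. The checks themselves (TLS on the LDAP URL, DN syntax, the {0} placeholder in the search filter, and the NiFi Initial Admin format against Identity Strategy) are my own and do not correspond to any NiFi validation API.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: the LDAP Login Identity Provider values this article uses.
LOGIN_PROVIDER = {
    "Authentication Strategy": "SIMPLE",
    "Manager DN": "cn=admin,dc=ad,dc=ranger-test",
    "LDAP URL": "ldap://ad01.adsw.io:389",
    "User Search Base": "ou=Peoples,dc=ad,dc=ranger-test",
    "User Search Filter": "(sAMAccountName={0})",
    "Identity Strategy": "USE_USERNAME",
}
INITIAL_ADMIN = "ppetrov"  # NiFi Initial Admin value from the article
# A comma separates RDNs unless it is escaped with a backslash (RFC 4514).
RDN_SPLIT = re.compile(r"(?<!\\),\s*")


def parse_dn(dn):
    """Split a DN into (attribute, value) pairs, leaf RDN first, unescaping '\\,' in values."""
    rdns = []
    for rdn in RDN_SPLIT.split(dn.strip()):
        attr, sep, value = rdn.partition("=")
        if not sep or not attr.strip() or not value:
            raise ValueError(f"malformed RDN {rdn!r} in {dn!r}")
        rdns.append((attr.strip().upper(), value.replace("\\,", ",")))
    return rdns


def check_ldap_config(cfg, initial_admin):
    """Return a list of findings for an LDAP Login Identity Provider config; [] means OK."""
    findings = []
    for url in cfg["LDAP URL"].split():  # the field is a space-separated list of URLs
        parts = urlsplit(url)
        if parts.scheme not in ("ldap", "ldaps") or not parts.hostname or not parts.port:
            findings.append(f"{url}: expected ldap(s)://<hostname>:<port>")
        elif parts.scheme == "ldap" and cfg["Authentication Strategy"] == "SIMPLE":
            # SIMPLE bind over plain ldap:// sends the Manager Password and every user's
            # password unencrypted; the prerequisites above call for ldaps://{host}:{port}.
            findings.append(f"{url}: SIMPLE bind without TLS, use ldaps://")
    for key in ("Manager DN", "User Search Base"):  # both must be syntactically valid DNs
        try:
            parse_dn(cfg[key])
        except ValueError as err:
            findings.append(f"{key}: {err}")
    if "{0}" not in cfg["User Search Filter"]:
        findings.append("User Search Filter must contain {0}, where NiFi inserts the login name")
    admin_is_dn = "=" in initial_admin  # a DN always carries attribute=value pairs
    if cfg["Identity Strategy"] == "USE_DN" and not admin_is_dn:
        findings.append("Identity Strategy USE_DN requires NiFi Initial Admin to be the full user DN")
    if cfg["Identity Strategy"] == "USE_USERNAME" and admin_is_dn:
        findings.append("Identity Strategy USE_USERNAME requires NiFi Initial Admin to be the login name only")
    return findings
```

Run against the article's values, the only finding is the plain ldap:// URL combined with a SIMPLE bind; switching the URL to ldaps:// clears it.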

Figure: Configuration parameters of the LDAP UserGroupProvider section

The required parameters are described below.

LDAP UserGroupProvider

Parameter: Authentication Strategy
Description: How the connection to the LDAP server is authenticated.
Example: SIMPLE

Parameter: Manager DN
Description: DN of a user that has an entry in Active Directory with the right to search users and groups. It is used to bind to the LDAP server when searching for users and groups.
Example: cn=admin,dc=ad,dc=ranger-test

Parameter: Manager Password
Description: Password of the manager user that is used to bind to the LDAP server when searching for users and groups.
Example: The password with which this user is registered in Active Directory.

Parameter: Referral Strategy
Description: Strategy for handling referrals.
Example: FOLLOW

Parameter: Connect Timeout
Description: Duration of the connect timeout.
Example: 10 secs

Parameter: Read Timeout
Description: Duration of the read timeout.
Example: 10 secs

Parameter: LDAP URL
Description: Space-separated list of URLs of the LDAP servers (e.g. ldap://<hostname>:<port>).
Example: ldap://ad01.adsw.io:389

Parameter: Sync Interval
Description: Duration of time between synchronizations of users and groups. The minimum allowed value is 10 secs.
Example: 30 mins

Parameter: User Search Base
Description: Base DN for searching for users (e.g. ou=users,o=nifi). Required to search users.
Example: ou=Peoples,dc=ad,dc=ranger-test

Parameter: User Object Class
Description: Object class for identifying users (e.g. person). Required if searching users.
Example: person

Parameter: User Search Scope
Description: Search scope for searching users.
Example: ONE_LEVEL

Parameter: User Identity Attribute
Description: Attribute used to extract the user identity (e.g. cn). Optional. If not set, the entire DN is used.
Example: sAMAccountName

Parameter: Group Search Base
Description: Base DN for searching for groups (e.g. ou=groups,o=nifi). Required to search groups.
Example: ou=Groups,dc=ad,dc=ranger-test

Parameter: Group Object Class
Description: Object class for identifying groups (e.g. groupOfNames). Required if searching groups.
Example: group

Parameter: Group Search Scope
Description: Search scope for searching groups.
Example: ONE_LEVEL

Parameter: Group Member Attribute
Description: Attribute used to define group membership (e.g. member). Optional.
Example: member

After changing the parameters, click Save.

Verify that NiFi Server authentication is enabled

After SSL has been enabled successfully, you log in to the NiFi Server UI through the login window.

Figure: Login window

For initial authentication, you must log in as a NiFi administrator (enter the username and password specified for NiFi Initial Admin).

After successful authentication, the logged in user will be displayed in the upper right corner of the interface.

Figure: User after authentication

The global menu displays new sections Users and Policies.

Figure: Global menu

The Users page of the global NiFi menu displays a list of cluster hosts, users, and LDAP/Active Directory groups that are in the specified User Search Base and Group Search Base.

Figure: Users page in the NiFi global menu

The Policies page of the global NiFi menu displays the automatically generated policies for the user specified in NiFi Initial Admin. Here you can also assign an access policy to a user or group from the configured search bases.

Figure: Policies page of the NiFi global menu

Verify that NiFi Registry authentication is enabled

After you successfully enable SSL, it becomes possible to authenticate in NiFi Registry UI. To do this, click the Login button, which appears under the username.

Figure: Go to login window

In the login window, for the initial authentication you must log in as a NiFi administrator (enter the username and password specified for NiFi Initial Admin).

Figure: Login window

After successful authentication, the logged in user is displayed in the upper right corner of the interface.

Figure: User after authentication

After clicking the settings icon and opening the Users tab in the settings menu, you can see the list of cluster hosts, users, and LDAP/Active Directory groups located in the specified User Search Base and Group Search Base. Here you can also assign an access policy to a user or group from the configured search bases.

Figure: Users page in the NiFi Registry setup menu

Disable authentication

To disable authentication in the NiFi service, do the following:

  1. Set the configuration parameters of the LDAP Login Identity Provider and LDAP UserGroupProvider sections to their default values.

    Figure: Setting default values

    CAUTION

    The option to reset the NiFi service configuration parameters LDAP Login Identity Provider and LDAP UserGroupProvider is available starting from version 1.7.2.b2 of the ADS cluster. In earlier ADS versions, to update the settings you need to delete the /etc/nifi/conf/users.xml and /etc/nifi/conf/authorizations.xml files from each host where the NiFi service is installed.

  2. Restart the NiFi service using the Restart action in the Actions menu of the NiFi service.

  3. Disable SSL using the Disable SSL cluster action in the Actions menu of the ADS cluster.
