NiFi service authentication

NOTE

The configuration parameters required to enable authentication are given below.

Basic LDAP concepts used in the NiFi service configuration parameters:

  • Active Directory (AD) — Microsoft's directory service: a database of users, groups, computers and other objects, plus the services (authentication, DNS, replication) that connect users to the network resources they need.

  • LDAP server — a server that holds a hierarchical directory database and is used for centralized storage of accounts and groups. Active Directory is one such LDAP server.

  • LDAP — Lightweight Directory Access Protocol, the application layer protocol used to bind to, search and modify a directory service such as Active Directory.

  • DN (Distinguished Name) — the unique name of an entry (user, host, group or container) in the directory tree. The DN must be unique within the tree. It lists the attributes on the path from the entry up to the root, so it both identifies the entry and locates it.

    A DN consists of a series of RDNs (Relative Distinguished Names), one per level of the tree. RDNs are written from left to right, starting with the entry itself and ending with the root.

    Example user DN used in this article:

    CN=admin, DC=ad, DC=ranger-test

    Example host DN used in this article:

    CN=ads-host-1.example.com, OU=AD, O=AD, L=MSK, ST=MO, C=RU

    These DNs use the following RDN attribute types:

    • CN — common name of the user or host.

    • OU — organizational unit, a container in an Active Directory domain that can hold users, groups and computers. Organizational units can be nested.

    • DC — domain component. The DC parts form the top of the LDAP tree and mirror the DNS name of the domain (ad.ranger-test in the example).

    • O — organization name.

    • L — locality name.

    • ST — state or province name.

    • C — country.

Prerequisites for enabling authentication

CAUTION

Enabling SSL and LDAP authentication for the NiFi service is available starting with version 1.7.0.b1 of the ADS cluster.

  1. Verify that the prerequisites for running the Enable SSL action on an ADS cluster are met, as described in the article SSL channel security.

  2. Verify that you have the data needed to set up authentication in the NiFi service over the LDAP protocol:

    • LDAP server address (LDAP/AD URL) — the URL of the LDAP/AD server that users and groups are read from, in the format ldaps://{host}:{port}. A plain ldap://{host}:{port} URL also works, but with a SIMPLE bind it sends passwords to the server in cleartext.

    • DN of a user (the manager account) that has an entry in Active Directory with the rights to search users and groups, and that user's password.

    • Base DN under which users are searched in AD (and a search filter if necessary).

    • Base DN under which groups are searched in AD (and a search filter if necessary).

Set configuration options

The following describes the parameters that must be set in the configuration tree on the NiFi service configuration page.

NOTE

This article only lists the settings you need to set to successfully enable authentication. Detailed information on all configuration parameters can be found in the article ADS configuration parameters.

Required parameters for configuring SSL

To configure SSL, fill in the authorizers.xml configuration parameters.

Configuration parameters of the authorizers.xml file

The required parameters are described below.

authorizers.xml

Parameter / Description / Example

DN NiFi’s nodes list

List of user and system identities used to seed the users file. These fields are required when SSL is enabled for the first time. The list must include not only the DN of each NiFi Server node but also the DN of the NiFi Registry node and the DNs of the MiNiFi service components. For example, on an SSL-enabled cluster that initially consists of NiFi Server only, when you add a MiNiFi service or the Schema Registry extension you must add their DNs to this list. Each DN must match the subject of the corresponding node certificate exactly, since NiFi compares identities as strings

CN=sov-ads-test-1.ru-central1.internal, OU=AD, O=AD, L=MSK, S=MO, C=RU

CN=sov-ads-test-2.ru-central1.internal, OU=AD, O=AD, L=MSK, S=MO, C=RU

CN=sov-ads-test-3.ru-central1.internal, OU=AD, O=AD, L=MSK, S=MO, C=RU

NiFi Initial Admin

Identity of the initial administrator user, who is granted access to the user interface and the ability to create additional users, groups and policies. The value of this property must be:

  • full user DN when setting Identity Strategy value of LDAP Login Identity Provider group to USE_DN;

  • only the login (name) of the user when setting the Identity Strategy value of the LDAP Login Identity Provider group to USE_USERNAME.

ppetrov

NiFi Initial Admin password

Password of the user designated as NiFi Initial Admin

The password under which this user is registered in Active Directory

Required parameters for setting up LDAP

To enter the LDAP parameters, enable the LDAP Login Identity Provider and LDAP UserGroupProvider switches.

Configuration parameters of the LDAP Login Identity Provider section

The required parameters are described below.

LDAP Login Identity Provider

Parameter / Description / Example

Authentication Strategy

How the connection to the LDAP server is authenticated. Possible values are ANONYMOUS, SIMPLE, LDAPS and START_TLS. SIMPLE over an ldap:// URL sends the Manager Password and every user's login password to the server in cleartext; on a production cluster use LDAPS with an ldaps:// URL, or START_TLS, both of which require the provider's TLS truststore settings to be configured

SIMPLE

Manager DN

DN of a user that has an entry in Active Directory with the right to search users and groups. Used to bind to the LDAP server when searching for users

cn=admin,dc=ad,dc=ranger-test

Manager Password

The password of the manager that is used to bind to the LDAP server to search for users

The password with which this user is registered in Active Directory is used

Referral Strategy

Strategy for handling referrals

FOLLOW

Connect Timeout

Duration of connect timeout

10 secs

Read Timeout

Duration of read timeout

10 secs

LDAP URL

Space-separated list of URLs of the LDAP servers (e.g. ldap://<hostname>:<port>)

ldap://ad01.adsw.io:389

User Search Base

Base DN for searching for users (e.g. ou=users,o=nifi). Required to search users

ou=Peoples,dc=ad,dc=ranger-test

User Search Filter

Filter for searching for users against the User Search Base (e.g. sAMAccountName={0}). The name entered by the user in the login window is substituted for {0}

(sAMAccountName={0})

Identity Strategy

Strategy to identify users. Possible values are USE_DN and USE_USERNAME

USE_USERNAME

Authentication Expiration

The duration of how long the user authentication is valid for. If the user never logs out, they will be required to log back in following this duration

12 hours

Configuration parameters of the LDAP UserGroupProvider section

The required parameters are described below.

LDAP UserGroupProvider

Parameter / Description / Example

Authentication Strategy

How the connection to the LDAP server is authenticated. Possible values are ANONYMOUS, SIMPLE, LDAPS and START_TLS. SIMPLE over an ldap:// URL sends the Manager Password to the server in cleartext on every sync; prefer LDAPS with an ldaps:// URL, or START_TLS

SIMPLE

Manager DN

DN of a user that has an entry in Active Directory with the right to search users and groups. Used to bind to the LDAP server when searching for users and groups

cn=admin,dc=ad,dc=ranger-test

Manager Password

The password of the manager that is used to bind to the LDAP server to search for users

The password with which this user is registered in Active Directory is used

Referral Strategy

Strategy for handling referrals

FOLLOW

Connect Timeout

Duration of connect timeout

10 secs

Read Timeout

Duration of read timeout

10 secs

LDAP URL

Space-separated list of URLs of the LDAP servers (e.g. ldap://<hostname>:<port>)

ldap://ad01.adsw.io:389

Sync Interval

Duration of time between syncing users and groups. Minimum allowable value is 10 secs

30 mins

User Search Base

Base DN for searching for users (e.g. ou=users,o=nifi). Required to search users

ou=Peoples,dc=ad,dc=ranger-test

User Object Class

Object class for identifying users (e.g. person). Required if searching users

person

User Search Scope

Search scope for searching users

ONE_LEVEL

User Identity Attribute

Attribute whose value is used as the user identity (e.g. cn). Optional; if not set, the entire DN is used. It must produce the same string as the Identity Strategy of the LDAP Login Identity Provider: with USE_USERNAME set it to the attribute the user logs in with (sAMAccountName here), with USE_DN leave it empty. Otherwise the logged-in user and the synced user are two different identities, and policies granted to one do not apply to the other

sAMAccountName

Group Search Base

Base DN for searching for groups (e.g. ou=groups,o=nifi). Required to search groups

ou=Groups,dc=ad,dc=ranger-test

Group Object Class

Object class for identifying groups (e.g. groupOfNames). Required if searching groups

group

Group Search Scope

Search scope for searching groups

ONE_LEVEL

Group Member Attribute

Attribute to use to define group membership (e.g. member). Optional

member

After changing the parameters, click Save.
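As an added example (not code from the ADS documentation or the NiFi project), the following Python script ties the parameters above together: it derives the identity string NiFi attaches to an LDAP user under each Identity Strategy, checks that the LDAP Login Identity Provider, the LDAP UserGroupProvider and NiFi Initial Admin agree on that string, warns about SIMPLE binds over ldap://, builds the ldapsearch command that reproduces the user lookup so the prerequisite data can be checked by hand, and compares the DN NiFi's nodes list with certificate subjects. The directory entry for ppetrov, the certificate subjects and the extra Registry host DN are constructed sample data; the parameter names and the node DN format are taken from the tables above.

```python
"""Added example; not code from the ADS documentation or the NiFi project.

Derives the identity NiFi attaches to an LDAP user, checks that the login
provider, the user group provider and NiFi Initial Admin agree on it, flags
cleartext binds, builds the ldapsearch command that repeats the user lookup,
and checks DN NiFi's nodes list against certificate subjects.  ENTRY, NODES
and the extra subjects below are constructed sample data (ppetrov's DN is
assumed); the parameter names are the ones shown in the tables.
"""
import re


def parse_dn(dn):
    """Split a DN into (attribute, value) RDNs in written order, leaf first.
    Handles backslash-escaped commas and the optional space after a comma."""
    rdns = []
    for part in re.split(r'(?<!\\),', dn):
        attr, _, value = part.strip().partition('=')
        rdns.append((attr.strip().upper(), value.strip().replace('\\,', ',')))
    return rdns


def dn_key(dn):
    """Case- and whitespace-insensitive form, used only to report near misses;
    NiFi itself compares identities as exact strings."""
    return ','.join(f'{a}={v.lower()}' for a, v in parse_dn(dn))


def login_identity(strategy, username, user_dn):
    """Identity produced by the LDAP Login Identity Provider after a bind."""
    if strategy == 'USE_USERNAME':
        return username      # exactly what was typed in the login window
    if strategy == 'USE_DN':
        return user_dn       # DN of the entry matched by User Search Filter
    raise ValueError(f'unknown Identity Strategy: {strategy!r}')


def sync_identity(identity_attribute, entry):
    """Identity under which the LDAP UserGroupProvider lists the same entry."""
    return entry[identity_attribute] if identity_attribute else entry['dn']


def escape_filter_value(value):
    """RFC 4515 escaping for a value substituted into a search filter."""
    return ''.join(f'\\{ord(c):02x}' if c in '\\*()\0' else c for c in value)


def user_search_argv(cfg, manager_dn, search_base, search_filter, username):
    """ldapsearch invocation that repeats the login provider's user lookup
    ({0} in User Search Filter replaced by the typed username), for checking
    the prerequisite data by hand before enabling authentication."""
    return ['ldapsearch', '-LLL', '-H', cfg['LDAP URL'], '-D', manager_dn, '-W',
            '-b', search_base, search_filter.replace('{0}', escape_filter_value(username)),
            'dn', 'sAMAccountName', 'memberOf']


def check_identities(login, ugp, initial_admin, username, entry):
    """Return findings; an empty list means the three identities line up."""
    findings = []
    lid = login_identity(login['Identity Strategy'], username, entry['dn'])
    sid = sync_identity(ugp.get('User Identity Attribute'), entry)
    if lid != sid:
        findings.append(f'login identity {lid!r} != synced identity {sid!r}: '
                        'policies granted to the synced user never apply at login')
    if initial_admin != lid:
        findings.append(f'NiFi Initial Admin {initial_admin!r} != login identity '
                        f'{lid!r}: the generated admin policies will not match')
    for name, cfg in (('LDAP Login Identity Provider', login),
                      ('LDAP UserGroupProvider', ugp)):
        for url in cfg['LDAP URL'].split():
            if url.startswith('ldap://') and cfg['Authentication Strategy'] == 'SIMPLE':
                findings.append(f'{name}: SIMPLE bind over {url} sends Manager Password '
                                'and user passwords in cleartext; use ldaps:// with '
                                'LDAPS, or START_TLS')
    return findings


def check_node_identities(configured, cert_subjects):
    """Certificate subjects absent from DN NiFi's nodes list (exact match);
    subjects differing only in case or spacing are returned as near misses."""
    missing, near = [], []
    keys = {dn_key(c) for c in configured}
    for subject in cert_subjects:
        if subject not in configured:
            (near if dn_key(subject) in keys else missing).append(subject)
    return missing, near


# Constructed sample data mirroring the tables above.
LOGIN = {'Authentication Strategy': 'SIMPLE', 'LDAP URL': 'ldap://ad01.adsw.io:389',
         'Identity Strategy': 'USE_USERNAME'}
UGP = {'Authentication Strategy': 'SIMPLE', 'LDAP URL': 'ldap://ad01.adsw.io:389',
       'User Identity Attribute': 'sAMAccountName'}
ENTRY = {'dn': 'CN=Petr Petrov,OU=Peoples,DC=ad,DC=ranger-test',
         'sAMAccountName': 'ppetrov', 'cn': 'Petr Petrov'}
NODES = ['CN=sov-ads-test-1.ru-central1.internal, OU=AD, O=AD, L=MSK, S=MO, C=RU',
         'CN=sov-ads-test-2.ru-central1.internal, OU=AD, O=AD, L=MSK, S=MO, C=RU']

if __name__ == '__main__':
    for finding in check_identities(LOGIN, UGP, 'ppetrov', 'ppetrov', ENTRY):
        print('WARN', finding)
    print(' '.join(user_search_argv(LOGIN, 'cn=admin,dc=ad,dc=ranger-test',
                                    'ou=Peoples,dc=ad,dc=ranger-test',
                                    '(sAMAccountName={0})', 'ppetrov')))
    # A Registry host never added to the list, and a node DN typed without spaces.
    print(check_node_identities(NODES, NODES + [
        'CN=registry-1.ru-central1.internal, OU=AD, O=AD, L=MSK, S=MO, C=RU',
        'CN=sov-ads-test-2.ru-central1.internal,OU=AD,O=AD,L=MSK,S=MO,C=RU']))
```

With the page's example values the script reports only the two cleartext warnings, because USE_USERNAME in the login provider and sAMAccountName as User Identity Attribute yield the same string, ppetrov, which is also the NiFi Initial Admin. If the identity check reports a mismatch, either switch Identity Strategy to USE_DN and clear User Identity Attribute, or keep USE_USERNAME and set User Identity Attribute to the attribute named in User Search Filter. The printed ldapsearch command prompts for the Manager Password (-W) and should return exactly one entry for the user; the near-miss list points at node DNs that differ from the certificate subject only in spacing or case, which NiFi still treats as different identities.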

Verify that NiFi Server authentication is enabled

After SSL has been enabled successfully, the NiFi Server UI is opened through a login window.

Login window

For initial authentication, you must log in as a NiFi administrator (enter the username and password specified for NiFi Initial Admin).

After successful authentication, the logged in user will be displayed in the upper right corner of the interface.

User after authentication

The global menu displays new sections Users and Policies.

Global menu

The Users page of the global NiFi menu displays a list of cluster hosts, users, and LDAP/Active Directory groups that are in the specified User Search Base and Group Search Base.

Page Users in the NiFi global menu

The Policies page of the global NiFi menu displays the automatically generated policies for the user specified in NiFi Initial Admin. Here you can also assign access policies to users or groups from the configured search bases.

Page Policies of the NiFi global menu

Verify that NiFi Registry authentication is enabled

After SSL has been enabled successfully, you can log in to the NiFi Registry UI. To do so, click the Login button that appears under the username.

Go to login window

In the authorization window for primary authentication, you must log in as a NiFi administrator (enter the username and password specified for NiFi Initial Admin).

Login window

After successful authentication, the logged in user is displayed in the upper right corner of the interface.

User after authentication

Open the settings menu and click the Users tab: it lists the cluster hosts, users and LDAP/Active Directory groups located in the configured User Search Base and Group Search Base. Here you can also assign an access policy to a user or group from those search bases.

Page Users in the NiFi Registry setup menu

Disable authentication

To disable authentication in the NiFi service, do the following:

  1. Set the configuration parameters of the LDAP Login Identity Provider and LDAP UserGroupProvider sections to their default values.

    Setting default values
    CAUTION

    The option to reset the NiFi service configuration parameters of the LDAP Login Identity Provider and LDAP UserGroupProvider sections is available starting from version 1.7.2.b2 of the ADS cluster. In earlier ADS versions, to apply the changed settings you need to delete the /etc/nifi/conf/users.xml and /etc/nifi/conf/authorizations.xml files on each host where the NiFi service is installed. These files hold the users and access policies NiFi has generated, so back them up first if you may need to restore the policies later.

  2. Disable SSL. To do this, run the Disable SSL action on the cluster by clicking the actions icon in the Actions column.

Change NiFi Initial Admin data

To change the NiFi Initial Admin, use the Manage Initial Admin action of the NiFi service: click the actions icon in the Actions column for the NiFi service and select the action.

In the Run an action window that opens, enter the new user identity (the DN, or the username if Identity Strategy is USE_USERNAME) and password, and click Run.

Change NiFi Initial Admin