NiFi service authentication

NOTE

The configuration parameters required to enable authentication are given below.

Basic LDAP concepts used in NiFi service configuration parameters:

  • Active Directory — a database and a set of services that connect users to the necessary network resources.

  • LDAP server — a hierarchical database, a directory service based on Active Directory, used for centralized storage of accounts.

  • Lightweight directory access protocol (LDAP) — an application layer protocol for accessing the Active Directory directory service.

  • Distinguished name (DN) — the name of an entry, such as an account, in Active Directory. The DN must be unique within the tree. It is the navigation path (the sequence of attribute values in the tree) for reaching a particular entry.

    A DN consists of a series of relative distinguished names (RDNs), obtained by moving up the tree toward its root entry. RDNs are written from left to right.

    Example user DN used in this article:

    CN=admin, DC=ad, DC=ranger-test

    Example host DN used in this article:

    CN=ads-host-1.example.com, OU=AD, O=AD, L=MSK, ST=MO, C=RU

    These entries are assigned the following RDNs:

    • CN — the common name of the user or host.

    • OU — an organizational unit, a container in an Active Directory domain that can hold users, groups, and computers. An organizational unit can contain other organizational units.

    • DC — a domain component; the domain components form the top of the LDAP tree, which uses DNS to determine its namespace.

    • O — an organization name.

    • L — a locality name.

    • ST — a state or province name.

    • C — a country.

Prerequisites for enabling authentication

CAUTION

Enabling SSL and LDAP Auth for the NiFi service is available starting with ADS 1.7.0.b1.

  1. Verify that the prerequisites for running the Manage SSL action on an ADS cluster, described in the article SSL channel security, are met.

  2. Make sure you have the data needed to set up authentication in the NiFi service over LDAP:

    • LDAP/AD URL — the address of the LDAP/AD synchronization source in the format ldaps://{host}:{port}.

    • The DN of a user that has an entry in the Active Directory directory with the rights to search users and groups, and that user's password.

    • The base DN to search for users in AD (and a filter if necessary).

    • The base DN to search for groups in AD (and a filter if necessary).

Set configuration options

The following describes the parameters that need to be set in the tree on the configuration page of the NiFi service.

NOTE

This article only lists the settings you need to set to successfully enable authentication. Detailed information on all configuration parameters can be found in the article ADS configuration parameters.

Required parameters for configuring SSL

To configure SSL, fill in the authorizers.xml configuration parameters.

Configuration parameters of the authorizers.xml file

The required parameters are described below. Example values:

  • Host DNs of the cluster nodes:

    CN=sov-ads-test-1.ru-central1.internal, OU=AD, O=AD, L=MSK, S=MO, C=RU

    CN=sov-ads-test-2.ru-central1.internal, OU=AD, O=AD, L=MSK, S=MO, C=RU

    CN=sov-ads-test-3.ru-central1.internal, OU=AD, O=AD, L=MSK, S=MO, C=RU

  • NiFi Initial Admin user: ppetrov

  • NiFi Initial Admin password: the password with which this user is registered in Active Directory is used.

=== Required parameters for setting up LDAP

To enter LDAP parameters, you must enable the LDAP Login Identity Provider and LDAP UserGroupProvider switches.

Configuration parameters of the LDAP Login Identity Provider section

The required parameters are described below.

| Parameter | Example |
| --- | --- |
| Authentication Strategy | SIMPLE |
| Manager DN | cn=admin,dc=ad,dc=ranger-test |
| Manager Password | The password with which this user is registered in Active Directory is used |
| Url | ldap://ad01.adsw.io:389 |
| User Search Base | ou=Peoples,dc=ad,dc=ranger-test |
| User Search Filter | (sAMAccountName={0}) |
| Identity Strategy | USE_USERNAME |

Configuration parameters of the LDAP UserGroupProvider section

The required parameters are described below.

| Parameter | Example |
| --- | --- |
| Authentication Strategy | SIMPLE |
| Manager DN | cn=admin,dc=ad,dc=ranger-test |
| Manager Password | The password with which this user is registered in Active Directory is used |
| Url | ldap://ad01.adsw.io:389 |
| User Search Base | ou=Peoples,dc=ad,dc=ranger-test |
| User Object Class | person |
| User Identity Attribute | sAMAccountName |
| Group Search Base | ou=Groups,dc=ad,dc=ranger-test |
| Group Object Class | group |
| Group Member Attribute | member |

After changing the parameters, click Save.
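As an added example (not ADS or NiFi code), the following Python models how the LDAP Login Identity Provider and LDAP UserGroupProvider parameters above are applied: filling the User Search Filter with an escaped login name, the Identity Strategy (which decides whether NiFi Initial Admin must be given as a username or as a DN), and the user and group resolution of the UserGroupProvider. The directory entries, the svc-nifi account and the nifi-admins group are constructed.

```python
# Added example (not ADS or NiFi code): an offline model of how the LDAP
# Login Identity Provider and LDAP UserGroupProvider parameters from this
# article are applied. All directory entries below are constructed.

# Constructed entries keyed by DN; attribute names are lower-cased.
DIRECTORY = {
    "cn=ppetrov,ou=Peoples,dc=ad,dc=ranger-test": {
        "objectclass": ["person"], "samaccountname": ["ppetrov"]},
    # Outside User Search Base: never becomes a NiFi user.
    "cn=svc-nifi,ou=Services,dc=ad,dc=ranger-test": {
        "objectclass": ["person"], "samaccountname": ["svc-nifi"]},
    "cn=nifi-admins,ou=Groups,dc=ad,dc=ranger-test": {
        "objectclass": ["group"],
        "member": ["cn=ppetrov,ou=Peoples,dc=ad,dc=ranger-test",
                   "cn=svc-nifi,ou=Services,dc=ad,dc=ranger-test"]},
}

# RFC 4515 escapes for values placed into a search filter.
_ESCAPE = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

def build_user_filter(template, username):
    """Fill {0} of the User Search Filter with an escaped login name."""
    return template.replace("{0}", "".join(_ESCAPE.get(c, c) for c in username))

def in_base(dn, base):
    """True if dn lies under the search base (case-insensitive suffix match)."""
    return dn.lower().endswith("," + base.lower())

def login_identity(username, strategy, user_search_base="ou=Peoples,dc=ad,dc=ranger-test"):
    """Identity Strategy: USE_USERNAME keeps the login name, USE_DN uses the entry DN.
    The NiFi Initial Admin must be written in the same form."""
    for dn, attrs in DIRECTORY.items():
        if in_base(dn, user_search_base) and attrs.get("samaccountname") == [username]:
            return username if strategy == "USE_USERNAME" else dn
    return None  # not found under User Search Base: login is refused

def resolve_groups(user_search_base, group_search_base, user_class="person",
                   identity_attr="samaccountname", group_class="group", member_attr="member"):
    """Model of LDAP UserGroupProvider: users under User Search Base with User Object
    Class, groups under Group Search Base with Group Object Class, membership via
    the Group Member Attribute, whose values are user DNs."""
    users = {dn: attrs[identity_attr][0] for dn, attrs in DIRECTORY.items()
             if in_base(dn, user_search_base) and user_class in attrs["objectclass"]}
    groups = {}
    for dn, attrs in DIRECTORY.items():
        if in_base(dn, group_search_base) and group_class in attrs["objectclass"]:
            # Members whose DN is not a resolved user are dropped, not reported.
            groups[dn] = sorted(users[m] for m in attrs.get(member_attr, []) if m in users)
    return users, groups
```

With USE_USERNAME the identity of the admin is "ppetrov", which matches the Initial Admin value in the SSL table; switching to USE_DN would require the Initial Admin to be the user's full DN instead.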

== Verify that NiFi Server authentication is enabled

After SSL is successfully enabled, login to the NiFi Server UI is performed through the login window.

Login window

For initial authentication, you must log in as a NiFi administrator (enter the username and password specified for NiFi Initial Admin).

After successful authentication, the logged-in user is displayed in the upper right corner of the interface.

User after authentication

The global menu displays new sections Users and Policies.

Global menu

The Users page of the global NiFi menu displays a list of cluster hosts, users, and LDAP/Active Directory groups that are in the specified User Search Base and Group Search Base.

Page Users in the NiFi global menu

The Policies page of the global NiFi menu displays the automatically generated policies for the user specified as NiFi Initial Admin. Here you can also assign an access policy to a user or group from the configured search base.

Page Policies of the NiFi global menu

== Verify that NiFi Registry authentication is enabled

After you successfully enable SSL, it becomes possible to authenticate in NiFi Registry UI. To do this, click the Login button, which appears under the username.

Go to login window

For initial authentication, log in through the login window as a NiFi administrator (enter the username and password specified for NiFi Initial Admin).

Login window

After successful authentication, the logged-in user is displayed in the upper right corner of the interface.

User after authentication

After clicking the settings icon and opening the Users tab in the settings menu, you can see the list of cluster hosts, users, and LDAP/Active Directory groups located in the specified User Search Base and Group Search Base. Here you can also assign an access policy to a user or group from the configured search base.

Page Users in the NiFi Registry setup menu

== Disable authentication

To disable authentication in the NiFi service, do the following:

  1. Set the configuration parameters of the LDAP Login Identity Provider and LDAP UserGroupProvider sections to their default values.

    Setting default values

    The option to reset the NiFi service configuration parameters LDAP Login Identity Provider and LDAP UserGroupProvider is available starting from version 1.7.2.b2 of the ADS cluster. For earlier versions of ADS, to update the settings you need to delete the /etc/nifi/conf/users.xml and /etc/nifi/conf/authorizations.xml files from each host where the NiFi service is installed.

  2. Disable SSL. To do this, apply the Disable SSL action in the cluster by clicking the actions icon in the Actions column.

== Change NiFi Initial Admin data

To change the NiFi Initial Admin data, use the Manage Initial Admin action of the NiFi service by clicking the actions icon in the Actions column for the NiFi service.

After selecting the action in the Run an action window that opens, enter the new user DN and password and click Run.

Change NiFi Initial Admin