Posted to users@nifi.apache.org by David Early via users <us...@nifi.apache.org> on 2022/10/28 20:55:44 UTC

nifi-api with a server secured with Microsoft AD

Hi all,

We have a 3 node cluster secured with Microsoft AD for the first time.

I need access to the REST api.  The nifi-api/access/token does not work in
this case.

We did use a local CA for certificate generation on the servers.

I am reading that it is possible to do certificate-based auth to the
API. We need this in a script (Python) to run on a remote server which is
checking for old flowfiles that can get stuck in a few places.

Can I use cert based API connection when using AD as the main
authentication/authorization for the ui?

Anything special that needs to be done?  I've just not used certs with the
API before, but we have used cert-based site-to-site on other systems and
it works fine.  Just not sure how to do it with nipyapi or just from curl
on the CLI.

David

Re: nifi-api with a server secured with Microsoft AD

Posted by "Jens M. Kofoed" <jm...@gmail.com>.
Hi David

It's also possible to configure authorizers.xml to handle both LDAP and
local users (file access) so you can have both. It's using
composite-configurable-user-group-provider. Just remember that NiFi is case
sensitive, so what you specify as the user should match exactly what
NiFi sees in the certificate. Some certificates are created with a space
after commas like ", ou=", and others don't: ",ou=".
I'm using this where all the regular users are from AD, but you can still
create local users which use a certificate.
From authorizers.xml:
<authorizers>
    <userGroupProvider>
        <identifier>file-user-group-provider</identifier>
        <class>org.apache.nifi.authorization.FileUserGroupProvider</class>
        <property name="Users File">./conf/localAuth/users.xml</property>
        <property name="Legacy Authorized Users File"></property>
        <property name="Initial User Identity 1">cn=name, ou=users, dc=foo, dc=bar</property>
    </userGroupProvider>
    <userGroupProvider>
        <identifier>ldap-user-group-provider</identifier>
        <class>org.apache.nifi.ldap.tenants.LdapUserGroupProvider</class>
        ...
    </userGroupProvider>
    <userGroupProvider>
        <identifier>composite-configurable-user-group-provider</identifier>
        <class>org.apache.nifi.authorization.CompositeConfigurableUserGroupProvider</class>
        <property name="Configurable User Group Provider">file-user-group-provider</property>
        <property name="User Group Provider 1">ldap-user-group-provider</property>
    </userGroupProvider>
    <accessPolicyProvider>
        <identifier>file-access-policy-provider</identifier>
        <class>org.apache.nifi.authorization.FileAccessPolicyProvider</class>
        <property name="User Group Provider">composite-configurable-user-group-provider</property>
        <property name="Authorizations File">./conf/localAuth/authorizations.xml</property>
        <property name="Initial Admin Identity">cn=name, ou=users, dc=foo, dc=bar</property>
        <property name="Legacy Authorized Users File"></property>
        <property name="Node Identity 1"></property>
        <property name="Node Group">NIFI-CLUSTER01-NODES</property>
    </accessPolicyProvider>
    <authorizer>
        <identifier>managed-authorizer</identifier>
        <class>org.apache.nifi.authorization.StandardManagedAuthorizer</class>
        <property name="Access Policy Provider">file-access-policy-provider</property>
    </authorizer>
</authorizers>

From nifi.properties:
nifi.security.user.authorizer=managed-authorizer


In this way, you can create certificates yourself from the CA you used to
create the certificates for NiFi, create these as internal local users,
and still use AD.

Kind regards
Jens M. Kofoed


(In reply to David Early via users <users@nifi.apache.org>, Tue 1 Nov 2022, 16:47.)

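As an added example (not from the post and not NiFi code), a small Python checker for the authorizers.xml layout Jens describes. It parses the composite-provider configuration, verifies that every provider referenced by another provider is actually defined, and compares the configured Initial User / Initial Admin identities against the identities NiFi derived from client certificates, flagging the case and ", " vs "," near-misses the post warns about. The sample XML is constructed from the post (the LDAP provider's properties are omitted there too), and the identities in SEEN_IDENTITIES are made up; NiFi itself compares identities exactly, the loose comparison here is only for diagnosis.

```python
"""Lint an authorizers.xml that uses the composite-configurable-user-group-provider.
Added example, not NiFi code."""
import re
import xml.etree.ElementTree as ET

# Constructed from the authorizers.xml in the post (LDAP properties omitted there too).
SAMPLE_AUTHORIZERS_XML = """<authorizers>
  <userGroupProvider>
    <identifier>file-user-group-provider</identifier>
    <class>org.apache.nifi.authorization.FileUserGroupProvider</class>
    <property name="Users File">./conf/localAuth/users.xml</property>
    <property name="Legacy Authorized Users File"></property>
    <property name="Initial User Identity 1">cn=name, ou=users, dc=foo, dc=bar</property>
  </userGroupProvider>
  <userGroupProvider>
    <identifier>ldap-user-group-provider</identifier>
    <class>org.apache.nifi.ldap.tenants.LdapUserGroupProvider</class>
  </userGroupProvider>
  <userGroupProvider>
    <identifier>composite-configurable-user-group-provider</identifier>
    <class>org.apache.nifi.authorization.CompositeConfigurableUserGroupProvider</class>
    <property name="Configurable User Group Provider">file-user-group-provider</property>
    <property name="User Group Provider 1">ldap-user-group-provider</property>
  </userGroupProvider>
  <accessPolicyProvider>
    <identifier>file-access-policy-provider</identifier>
    <class>org.apache.nifi.authorization.FileAccessPolicyProvider</class>
    <property name="User Group Provider">composite-configurable-user-group-provider</property>
    <property name="Authorizations File">./conf/localAuth/authorizations.xml</property>
    <property name="Initial Admin Identity">cn=name, ou=users, dc=foo, dc=bar</property>
    <property name="Legacy Authorized Users File"></property>
    <property name="Node Identity 1"></property>
    <property name="Node Group">NIFI-CLUSTER01-NODES</property>
  </accessPolicyProvider>
  <authorizer>
    <identifier>managed-authorizer</identifier>
    <class>org.apache.nifi.authorization.StandardManagedAuthorizer</class>
    <property name="Access Policy Provider">file-access-policy-provider</property>
  </authorizer>
</authorizers>"""

# Constructed: identities NiFi actually derived from client certificates
# (what you would read back from logs/nifi-user.log or GET /nifi-api/flow/current-user).
SEEN_IDENTITIES = ["CN=name, OU=users, DC=foo, DC=bar"]

_REF_PROPERTY = re.compile(r"^(?:.* )?(?:User Group|Access Policy) Provider(?: \d+)?$")
_IDENTITY_PROPERTY = re.compile(r"^(?:Initial User Identity \d+|Initial Admin Identity)$")


def parse_authorizers(xml_text):
    """Return {identifier: {"kind": ..., "class": ..., "props": {name: value}}}."""
    root = ET.fromstring(xml_text)
    providers = {}
    for kind in ("userGroupProvider", "accessPolicyProvider", "authorizer"):
        for el in root.findall(kind):
            props = {p.get("name"): (p.text or "").strip() for p in el.findall("property")}
            providers[el.findtext("identifier").strip()] = {
                "kind": kind, "class": (el.findtext("class") or "").strip(), "props": props}
    return providers


def dangling_references(providers):
    """Provider references (e.g. 'User Group Provider 1') that name nothing defined."""
    return [f"{ident}: {name} -> '{value}' is not defined"
            for ident, p in providers.items()
            for name, value in p["props"].items()
            if _REF_PROPERTY.match(name) and value and value not in providers]


def _loose(identity):
    """Diagnostic only: NiFi compares identities exactly, case and spacing included."""
    return re.sub(r",\s*", ",", identity.strip()).lower()


def check_initial_identities(providers, seen_identities):
    """Classify each configured initial identity as ok / near-miss / missing."""
    results = []
    for ident, p in providers.items():
        for name, value in p["props"].items():
            if not (_IDENTITY_PROPERTY.match(name) and value):
                continue
            if value in seen_identities:
                status = "ok"
            elif any(_loose(s) == _loose(value) for s in seen_identities):
                status = "near-miss"  # same DN, but case or spacing after commas differs
            else:
                status = "missing"
            results.append((ident, name, value, status))
    return results


if __name__ == "__main__":
    providers = parse_authorizers(SAMPLE_AUTHORIZERS_XML)
    for line in dangling_references(providers) or ["no dangling provider references"]:
        print(line)
    for ident, name, value, status in check_initial_identities(providers, SEEN_IDENTITIES):
        print(f"{status:9} {ident} / {name} = {value!r}")
```

Run against the sample it reports both initial identities as near-misses: the file says "cn=name, ou=users, ..." while the certificate identity arrived as "CN=name, OU=users, ...", and NiFi will treat those as two different users.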

Re: nifi-api with a server secured with Microsoft AD

Posted by David Early via users <us...@nifi.apache.org>.
Mike and Shawn,  thanks for the feedback, have not had a chance to try
either, but appreciate your help.  Will be trying the cert this week, will
reach out to the AD managers about a more direct AD solution.

Dave

(In reply to Mike Thomsen <mi...@gmail.com>, Sat 29 Oct 2022, 7:10 PM.)



-- 
David Early, Ph.D.
david.early@grokstream.com
720-470-7460 Cell

Re: nifi-api with a server secured with Microsoft AD

Posted by Mike Thomsen <mi...@gmail.com>.
David,

Another option you might want to explore is having AD generate client
certificates for your users.

(In reply to Shawn Weeks <sw...@weeksconsulting.us>, Sat 29 Oct 2022, 12:01 PM.)

Re: nifi-api with a server secured with Microsoft AD

Posted by Shawn Weeks <sw...@weeksconsulting.us>.
NiFi should always accept a cert at the REST API if you provide one. If you're using curl, just add the “--key” and “--cert” and call whatever API URL you're trying directly. You'll need to make sure that the cert you're using is signed by the same local CA that NiFi is set to trust and that you've added a user in NiFi that matches the common name on the cert or whatever regex you set for “nifi.security.identity.mapping.value.pattern”

Thanks
Shawn

(In reply to David Early via users <us...@nifi.apache.org>, Fri 28 Oct 2022, 3:55 PM.)
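As an added example (not from the thread and not NiFi or nipyapi code), the Python side of what Shawn describes: a mutual-TLS GET against the REST API using only the standard library, plus a predictor for the identity NiFi will derive from the client certificate's DN, which is what the user entry in NiFi has to match. map_identity() is a simplified re-implementation of the nifi.security.identity.mapping.* behaviour (one pattern/value/transform triple per mapping key, first matching pattern wins, no match means the raw DN is the identity); the host name, port, file paths, the two DNs and the mapping are placeholders constructed for the example.

```python
"""mTLS call to the NiFi REST API and a predictor for the mapped certificate identity.
Added example, not NiFi or nipyapi code."""
import http.client
import os
import re
import ssl

# Constructed DNs: the same subject as two CAs might emit it (with / without a space after commas).
DN_SPACED = "CN=name, OU=users, DC=foo, DC=bar"
DN_COMPACT = "CN=name,OU=users,DC=foo,DC=bar"

# Constructed mapping, in nifi.properties form it would be:
#   nifi.security.identity.mapping.pattern.dn=^CN=(.*?),\s*OU=(.*?),\s*DC=(.*?),\s*DC=(.*?)$
#   nifi.security.identity.mapping.value.dn=$1@$3.$4
#   nifi.security.identity.mapping.transform.dn=LOWER
MAPPINGS = [(r"^CN=(.*?),\s*OU=(.*?),\s*DC=(.*?),\s*DC=(.*?)$", "$1@$3.$4", "LOWER")]


def map_identity(dn, mappings):
    """Apply NiFi-style identity mappings (simplified re-implementation) to a DN string."""
    for pattern, value, transform in mappings:
        m = re.fullmatch(pattern, dn)
        if not m:
            continue
        # NiFi's value template uses $1, $2, ...; Python's expand() wants \g<1>, \g<2>, ...
        identity = m.expand(re.sub(r"\$(\d+)", r"\\g<\1>", value))
        if transform == "LOWER":
            return identity.lower()
        if transform == "UPPER":
            return identity.upper()
        return identity
    return dn  # no pattern matched: the DN itself is the identity


def nifi_get(host, path, cert_file, key_file, ca_file, port=8443):
    """GET a NiFi REST path with a client certificate. Returns (status, body_text)."""
    ctx = ssl.create_default_context(cafile=ca_file)  # trust only the local CA; hostname check stays on
    ctx.load_cert_chain(certfile=cert_file, keyfile=key_file)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    conn = http.client.HTTPSConnection(host, port, context=ctx, timeout=15)
    try:
        conn.request("GET", path, headers={"Accept": "application/json"})
        resp = conn.getresponse()
        return resp.status, resp.read().decode("utf-8", "replace")
    finally:
        conn.close()


if __name__ == "__main__":
    for dn in (DN_SPACED, DN_COMPACT):
        print(f"{dn!r} -> {map_identity(dn, MAPPINGS)!r}  (with mapping)")
        print(f"{dn!r} -> {map_identity(dn, [])!r}  (no mapping: this exact string must be the NiFi user)")

    # Placeholder paths and host; the network call only runs if a client certificate is present.
    CERT, KEY, CA = "client.crt", "client.key", "local-ca.crt"
    if os.path.exists(CERT):
        status, body = nifi_get("nifi-node1.example", "/nifi-api/flow/current-user", CERT, KEY, CA)
        print(status, body)
```

With the mapping, both DN spellings collapse to the same identity, name@foo.bar; without one, the two spellings are two different NiFi users, which is the mismatch Jens describes. The curl equivalent of nifi_get() is `curl --cacert local-ca.crt --cert client.crt --key client.key https://nifi-node1.example:8443/nifi-api/flow/current-user`, and the identity field in that response is the string the user entry in NiFi has to match exactly. To see the subject DN your CA actually wrote into the client certificate, `openssl x509 -in client.crt -noout -subject -nameopt RFC2253` prints it in the comma-without-space form.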