Posted to commits@nifi.apache.org by sc...@apache.org on 2017/05/01 17:15:15 UTC

nifi git commit: NIFI-3684 Make docs more explicit about anonymous access to a secured instance

Repository: nifi
Updated Branches:
  refs/heads/master da6ad4f3b -> 0a7b9467e


NIFI-3684 Make docs more explicit about anonymous access to a secured instance

This closes #1722

Signed-off-by: Scott Aslan <sc...@gmail.com>


Project: http://git-wip-us.apache.org/repos/asf/nifi/repo
Commit: http://git-wip-us.apache.org/repos/asf/nifi/commit/0a7b9467
Tree: http://git-wip-us.apache.org/repos/asf/nifi/tree/0a7b9467
Diff: http://git-wip-us.apache.org/repos/asf/nifi/diff/0a7b9467

Branch: refs/heads/master
Commit: 0a7b9467e9f102caf8a12b36a3f92ff43918ad9d
Parents: da6ad4f
Author: Andrew Lim <an...@gmail.com>
Authored: Mon May 1 12:44:32 2017 -0400
Committer: Scott Aslan <sc...@gmail.com>
Committed: Mon May 1 13:13:54 2017 -0400

----------------------------------------------------------------------
 nifi-docs/src/main/asciidoc/administration-guide.adoc | 14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/nifi/blob/0a7b9467/nifi-docs/src/main/asciidoc/administration-guide.adoc
----------------------------------------------------------------------
diff --git a/nifi-docs/src/main/asciidoc/administration-guide.adoc b/nifi-docs/src/main/asciidoc/administration-guide.adoc
index dddc5f3..a07bc25 100644
--- a/nifi-docs/src/main/asciidoc/administration-guide.adoc
+++ b/nifi-docs/src/main/asciidoc/administration-guide.adoc
@@ -155,10 +155,10 @@ properties can be specified.
 NOTE: It is important when enabling HTTPS that the `nifi.web.http.port` property be unset.
 
 Similar to `nifi.security.needClientAuth`, the web server can be configured to require certificate based client authentication for users accessing
-the User Interface. In order to do this it must be configured to not support username/password authentication (see below). Either of these options
+the User Interface. In order to do this it must be configured to not support username/password authentication using  <<ldap_login_identity_provider>> or <<kerberos_login_identity_provider>>. Either of these options
 will configure the web server to WANT certificate based client authentication. This will allow it to support users with certificates and those without
 that may be logging in with their credentials or those accessing anonymously. If username/password authentication and anonymous access are not configured,
-the web server will REQUIRE certificate based client authentication.
+the web server will REQUIRE certificate based client authentication. See <<user_authentication>> for more details.
 
 Now that the User Interface has been secured, we can easily secure Site-to-Site connections and inner-cluster communications, as well. This is
 accomplished by setting the `nifi.remote.input.secure` and `nifi.cluster.protocol.is.secure` properties, respectively, to `true`.
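Review bot: The reworded `+` sentence ("configured to not support username/password authentication using  <<ldap_login_identity_provider>> or <<kerberos_login_identity_provider>>") leaves "Either of these options" in the following sentence ambiguous. A reader can take the first sentence as "do not use LDAP or Kerberos" and then be told that either one only yields WANT, without it being clear that enabling a provider is what moves the server from REQUIRE to WANT. Suggest splitting it: one sentence saying that requiring client certificates means leaving both Login Identity Providers unconfigured, and one saying that configuring either provider switches the server to WANT. There is also a double space after "using". Finally, the visible hunks add `[[ldap_login_identity_provider]]` and `[[user_authentication]]` but no `[[kerberos_login_identity_provider]]`; please confirm that anchor already exists in the guide, otherwise the cross-reference will not resolve.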
@@ -242,7 +242,7 @@ After running the client you will have the CA\u2019s certificate, a keystore, a tru
 
 For a client certificate that can be easily imported into the browser, specify: `-T PKCS12`
 
-
+[[user_authentication]]
 User Authentication
 -------------------
 
@@ -253,11 +253,13 @@ to use is configured in two properties in the _nifi.properties_ file.
 The `nifi.login.identity.provider.configuration.file` property specifies the configuration file for Login Identity Providers.
 The `nifi.security.user.login.identity.provider` property indicates which of the configured Login Identity Provider should be
 used. If this property is not configured, NiFi will not support username/password authentication and will require client
-certificates for authenticating users over HTTPS. By default, this property is not configured meaning that username/password must be
-explicitly enabled.
+certificates for authenticating users over HTTPS. By default, this property is not configured meaning that username/password must be explicitly enabled.
+
+A secured instance of NiFi cannot be accessed anonymously unless configured to use an LDAP or Kerberos Login Identity Provider, which in turn must be configured to explicitly allow anonymous access. Anonymous access is not currently possible by the default FileAuthorizer (see <<authorizer-configuration>>), but is a future effort (https://issues.apache.org/jira/browse/NIFI-2730[NIFI-2730]).
 
-NiFi does not perform user authentication over HTTP. Using HTTP all users will be granted all roles.
+NOTE: NiFi does not perform user authentication over HTTP. Using HTTP, all users will be granted all roles.
 
+[[ldap_login_identity_provider]]
 Lightweight Directory Access Protocol (LDAP)
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
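Review bot: The new paragraph beginning "A secured instance of NiFi cannot be accessed anonymously unless ..." reads as two conflicting statements: the first sentence says anonymous access is possible with an LDAP or Kerberos Login Identity Provider configured to allow it, and the second says it "is not currently possible by the default FileAuthorizer". An administrator deciding whether their secured instance is exposed to anonymous users cannot tell from this whether both conditions must hold or whether the default authorizer blocks anonymous access regardless of the provider setting. Suggest stating the combined condition explicitly and rewording to "is not currently supported by the default FileAuthorizer". The `<<authorizer-configuration>>` target is not added in this patch and uses a hyphen where the anchors added here use underscores, so please confirm it resolves. Since "Using HTTP, all users will be granted all roles" describes a complete loss of access control, consider `WARNING:` rather than `NOTE:` for that admonition. Minor: joining "explicitly enabled." onto the previous line changes no wording and only adds diff noise, and "not configured meaning" could take a comma while the line is being touched.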