Posted to users@nifi.apache.org by James McMahon <js...@gmail.com> on 2023/03/17 14:51:09 UTC

IAM for authentication and authorization to NiFi?

Hello. We run nifi on an AWS EC2 instance. I currently employ certs for
nifi user authentication. The CA is in our nifi truststore. Users install
certs issued by the CA in their browsers. I've set up a parsing pattern in
nifi.properties to extract user identities from the CN of the cert, and I
employ those user identities to compare against entries in nifi policies
and nifi groups to authorize what each user is entitled to do within nifi.

My team lead has asked whether we can replace the CA and certificates
dependency with AWS IAM, and it is not clear to me that such a change would
be possible. Can anyone refer me to a guide that shows whether IAM can
supplant authentication to NiFi by cert and authorization by IAM identity
against nifi user and group policies?

It seems to me that IAM is ideal for identity and access management to *AWS*
resources. For example, we can set up roles to permit and control access to
S3 buckets, or to control access to services like AWS Lambda. But IAM is
not intended to be used as a CA or as an authorization mechanism to/within
nifi. Am I mistaken?

Thank you in advance.

Re: IAM for authentication and authorization to NiFi?

Posted by Shawn Weeks <sw...@weeksconsulting.us>.
NiFi supports SAML and OIDC for SSO so you could use AWS Cognito or another identity management solution like Keycloak but NiFi itself doesn’t support IAM authentication like AWS RDS and OpenSearch do.

Thanks
Shawn

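The CN-extraction step James describes, as an added example that is not code from the thread or from NiFi itself: a small Python model of how NiFi's nifi.properties identity mapping (pattern, value, transform) turns a certificate DN into the identity string that must appear in NiFi's user, group and policy entries. The property values, DNs, users and policies below are constructed; the one check worth keeping in mind is that a DN the pattern does not fully match is used unchanged as the identity, so it will silently fail to match any policy.

```python
import re

# Constructed mirror of the identity-mapping keys in nifi.properties
# (nifi.security.identity.mapping.pattern.dn / .value.dn / .transform.dn);
# the regex, value and transform are assumptions for this example.
IDENTITY_MAPPINGS = {
    "dn": {
        "pattern": r"^CN=(.*?), OU=(.*?), O=(.*?), C=(.*?)$",
        "value": "$1",
        "transform": "LOWER",
    },
}

def map_identity(dn, mappings=IDENTITY_MAPPINGS):
    """Apply NiFi-style identity mapping: the first pattern that fully
    matches wins, $n in the value is replaced by capture group n, and the
    transform is NONE/LOWER/UPPER. If nothing matches, the full DN is the
    identity, which is why an almost-matching pattern breaks authorization."""
    for _name, m in mappings.items():
        match = re.fullmatch(m["pattern"], dn)
        if not match:
            continue
        identity = re.sub(r"\$(\d+)",
                          lambda g: match.group(int(g.group(1))), m["value"])
        transform = m.get("transform", "NONE").upper()
        if transform == "LOWER":
            identity = identity.lower()
        elif transform == "UPPER":
            identity = identity.upper()
        return identity
    return dn

# Constructed authorization data, shaped like users / groups / policies in
# NiFi's file-based authorizer (resource+action -> allowed users and groups).
KNOWN_USERS = {"jmcmahon", "analyst1"}
GROUPS = {"flow-operators": {"jmcmahon"}}
POLICIES = {"/flow:read": {"groups": {"flow-operators"}, "users": {"analyst1"}}}

def is_authorized(dn, resource_action, users=KNOWN_USERS,
                  groups=GROUPS, policies=POLICIES):
    """Resolve the DN to an identity and check it against the policy,
    directly or through group membership."""
    identity = map_identity(dn)
    if identity not in users:
        return False  # an unmapped DN never equals a configured user entry
    policy = policies.get(resource_action, {"groups": set(), "users": set()})
    if identity in policy["users"]:
        return True
    return any(identity in groups[g] for g in policy["groups"] if g in groups)
```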