Posted to users@nifi.apache.org by Ryan H <ry...@gmail.com> on 2018/03/03 21:14:32 UTC

NiFi 1.5 with Knox 1.0.0

Hi All,

I am trying to set up a secure NiFi cluster (or just a single node to start
with rather) that uses Knox for AuthN. I want to configure Knox with an
OpenID provider. From what I can tell I have two options:
1. Access NiFi directly which would then kick back to Knox for Auth (which
is then configured with the OpenID provider)
2. Access NiFi thru Knox (would not directly access NiFi but rather proxy
thru Knox always).

I understand that I can just configure NiFi to use the OpenID provider and
not use Knox. However, there are some issues with this (for my use case),
specifically if I want to automate scaling up/down cluster nodes (the redirect
URL for OpenID has to be explicitly granted with the provider for each
callback URL, which is troublesome if dynamically scaling, and the way I am
exposing the service and the limitation with the NiFi Host Header with
1.5).

Based on the 2 assumed options listed above, is there a preference over one
or the other? I've found a couple blogs on configuring NiFi with Knox, but
it mostly leaves me with more questions (may just be my lack of experience
with Knox). Can anyone provide clear and concise direction on what is
exactly required for NiFi to work with Knox? Any sample Knox configs? Is
anything else req'd for NiFi config other than the Knox props in the
nifi.properties file?

Any help is appreciated!

Cheers,

Ryan

Re: NiFi 1.5 with Knox 1.0.0

Posted by Jeff <jt...@gmail.com>.
I can confirm what Larry said.  A header, X-ProxiedEntitiesChain, is
required when proxying to NiFi secured with two-way SSL, requiring the DNs
of all the identities (parties/participants) involved in the proxying of a
request.

The initial admin would be the DN (which NiFi uses as the identity) that
can be authenticated by Knox that you would like to have the initial admin
privileges.  It's representative of the end user.

On Wed, Mar 7, 2018 at 4:35 PM larry mccay <lm...@apache.org> wrote:

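The header handling Jeff and Larry describe, as a small model added for this thread (not NiFi's or Knox's own code): each identity in X-ProxiedEntitiesChain is wrapped in angle brackets with `<` and `>` escaped, the end user comes first, and the DN from the proxy's client certificate is appended as the outermost proxy, so NiFi can check every proxy's privilege and still act as the end user. The authorized-proxy set and all DNs below are constructed.

```python
"""Model of how a NiFi node interprets X-ProxiedEntitiesChain when Knox proxies
a request over two-way TLS.  Illustration added for this thread, not NiFi's or
Knox's own code.  Assumed conventions: each identity is wrapped in <...> with
'<' and '>' escaped as '\\<' and '\\>', the end user comes first, and the DN of
the TLS client certificate (Knox) is appended as the outermost proxy."""
import re
from typing import List, Optional, Tuple

# Constructed for the example: DNs granted "proxy user requests" in NiFi,
# i.e. the Knox certificate DN added as a node identity per the thread.
PROXY_AUTHORIZED = {"CN=knox.example.com, OU=Gateway, O=Example"}

_ENTITY_RE = re.compile(r"<((?:\\.|[^<>\\])*)>")


def format_dn(dn: str) -> str:
    """Wrap one identity for the header, escaping angle brackets inside it."""
    return "<" + dn.replace("<", r"\<").replace(">", r"\>") + ">"


def build_chain(end_user: str, proxies: List[str]) -> str:
    """What a proxy sends: end user first, then proxies in traversal order."""
    return "".join(format_dn(d) for d in [end_user, *proxies])


def parse_chain(header: str) -> List[str]:
    """Split the header into identities; reject text outside <...> groups."""
    if _ENTITY_RE.sub("", header):
        raise ValueError("malformed X-ProxiedEntitiesChain: " + header)
    return [m.group(1).replace(r"\<", "<").replace(r"\>", ">")
            for m in _ENTITY_RE.finditer(header)]


def resolve_identity(header: Optional[str], tls_client_dn: str) -> Tuple[bool, str]:
    """Decide whom NiFi acts as.  Returns (allowed, identity or reason).

    No header: the TLS peer itself is the user (direct access, option 1).
    Header present: the peer is the outermost proxy; every proxy in the chain
    must hold the proxy privilege, and the first entry is the effective user
    (the one to name as the initial admin, not the Knox DN)."""
    if not header:
        return True, tls_client_dn
    chain = parse_chain(header) + [tls_client_dn]
    end_user, proxies = chain[0], chain[1:]
    for proxy in proxies:
        if proxy not in PROXY_AUTHORIZED:
            return False, proxy + " is not authorized to proxy user requests"
    return True, end_user


if __name__ == "__main__":
    knox = "CN=knox.example.com, OU=Gateway, O=Example"
    print(resolve_identity(build_chain("CN=alice, OU=Users, O=Example", []), knox))
```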

Re: NiFi 1.5 with Knox 1.0.0

Posted by larry mccay <lm...@apache.org>.
The effective user will be the end user authenticated by Knox, not the Knox
user.
I actually believe that you have the whole chain of users when proxying -
so you won't lose either.

On Wed, Mar 7, 2018 at 4:14 PM, Ryan H <ry...@gmail.com>
wrote:


Re: NiFi 1.5 with Knox 1.0.0

Posted by Ryan H <ry...@gmail.com>.
Hi,

Yes, some additional documentation would be great for Knox integration.
Another question I have based on the two options above:

If users will access NiFi via Knox (rather than accessing NiFi directly and
then auth to Knox), once a user authenticates to Knox (and subsequently to
whatever provider is configured for KnoxSSO), will NiFi only see the user
as the Knox identity or will NiFi see the user as the user that
authenticated to Knox? In this setup would Knox be the initial admin
identity or would it be the user I have set up in my IDP
(someuser@somemail.com)? I'm just wondering if accessing NiFi thru Knox will
result in losing the concept of users. Hopefully this makes sense!

Cheers,

Ryan

On Sun, Mar 4, 2018 at 1:33 PM Jeff <jt...@gmail.com> wrote:


Re: NiFi 1.5 with Knox 1.0.0

Posted by Jeff <jt...@gmail.com>.
Hello Ryan,

I am not on my development laptop right now, but I can send you an example
Knox topology that uses Knox, SSO, and NiFi.

Regarding the two options you listed above, both can be used
simultaneously.  If you only want to use option 1, you can set the Knox
properties in nifi.properties and NiFi will be able to redirect users to
log in through Knox.  For option 2, you do not have to set those
properties, but you will have to generate a cert for Knox to identify
itself to NiFi, and add the DN from that cert as a node identity in NiFi
(grant that identity proxy privileges).

The main concern between option 1 and 2 is if you'd like users to be able
to access NiFi directly, or you'd like to force them to go through a
security gateway (Knox) first.

Looking at the Knox documentation in the NiFi Admin Guide, we do need to
add a section for configuring Knox to proxy to NiFi with Knox doing the
authentication.  I've created a JIRA [1] and will work on adding the
documentation.

[1] https://issues.apache.org/jira/browse/NIFI-4931

On Sat, Mar 3, 2018 at 4:14 PM Ryan H <ry...@gmail.com>
wrote:
