Posted to users@nifi.apache.org by Nicholas Hughes <ni...@gmail.com> on 2016/09/03 19:56:15 UTC

"Insecure" NiFi 1.0.0 UI w/ SSL

In previous versions, it was possible to run the UI over HTTPS without
configuring users. In the most recent 0.x versions, I believe this was
accomplished through setting a "default" role for the Anonymous user in the
properties file.

How is this done in 1.x? I've been reading through the Admin Guide and
playing with different settings, but I still can't seem to access the UI
anonymously over HTTPS. The most promising mention in the guide points
toward emptying the truststore properties:

"nifi.security.truststore - Filename of the Truststore that will be used to
authorize those connecting to NiFi. If not set, all who attempt to connect
will be provided access as the *Anonymous* user."

Given the past versions' expectation that the Anonymous user be defined a
role, I'm guessing that's the part that I'm missing. The properties file no
longer has a placeholder for setting the default role, so I assume that
function has moved into the new "authorizations" and/or "users" XML
files... but I'm not certain how to "hand jam" the proper information into
those files (or if that's even possible).

Any assistance in setting up anonymous UI access over SSL is appreciated.

-Nick

Re: "Insecure" NiFi 1.0.0 UI w/ SSL

Posted by Matt Gilman <ma...@gmail.com>.
For authorization it is not possible. If you implemented a custom authorizer that supported anonymous access that portion would be possible. No authorizer in 1.0.0 supported this.

For authentication it is possible but it's not as clear as it should be. Enabling username/password or kerb SPNEGO would support want client auth. However, these shouldn't need to be enabled to achieve what you're looking for. That's why I added the comment to the JIRA.

Can you please add some commentary to the JIRA to describe your use case a bit further? With component based authorization, what sort of access are you interested in providing to anonymous users?

Thanks

Matt


> On Sep 4, 2016, at 7:48 AM, Nicholas Hughes <ni...@gmail.com> wrote:
> 
> Thanks Matt,
> 
> Reading your last sentence and the JIRA ticket, I gather this is not possible in 1.0.0 and the update to accommodate this configuration is forthcoming in a future release.
> 
> -Nick
> 
> 
>> On Sun, Sep 4, 2016 at 12:18 AM, Matt Gilman <ma...@gmail.com> wrote:
>> Nick,
>> 
>> In 1.0.0 we've moved away from role based authorities in favor of fine grain access controls with a delegated authorizer. Whether an anonymous user is authorized would be a function of the configured authorizer. The authorizer is given details about the user's request and it will make an access decision accordingly. I've created a JIRA [1] to update the bundled file based authorizer to optionally allow anonymous access.
>> 
>> Thanks.
>> 
>> Matt
>> 
>> [1] https://issues.apache.org/jira/browse/NIFI-2730 
>> 
>>> On Sat, Sep 3, 2016 at 3:56 PM, Nicholas Hughes <ni...@gmail.com> wrote:
>>> In previous versions, it was possible to run the UI over HTTPS without configuring users. In the most recent 0.x versions, I believe this was accomplished through setting a "default" role for the Anonymous user in the properties file.
>>> 
>>> How is this done in 1.x? I've been reading through the Admin Guide and playing with different settings, but I still can't seem to access the UI anonymously over HTTPS. The most promising mention in the guide points toward emptying the truststore properties:
>>> 
>>> "nifi.security.truststore - Filename of the Truststore that will be used to authorize those connecting to NiFi. If not set, all who attempt to connect will be provided access as the Anonymous user."
>>> 
>>> Given the past versions' expectation that the Anonymous user be defined a role, I'm guessing that's the part that I'm missing. The properties file no longer has a placeholder for setting the default role, so I assume that function has moved into the new "authorizations" and/or "users" XML files... but I'm not certain how to "hand jam" the proper information into those files (or if that's even possible).
>>> 
>>> Any assistance in setting up anonymous UI access over SSL is appreciated.
>>> 
>>> -Nick
> 
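
A custom authorizer of the kind described in the reply above, written against NiFi's `org.apache.nifi.authorization.Authorizer` extension point; this is an added example, not part of the thread and not NiFi's own code. The class name, package and the `Anonymous Read Resources` property are hypothetical, and the class decides anonymous requests only: deny by default, read-only, limited to an explicit allow-list of resource identifiers.

```java
package example.authz; // hypothetical package

import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;

import org.apache.nifi.authorization.AuthorizationRequest;
import org.apache.nifi.authorization.AuthorizationResult;
import org.apache.nifi.authorization.Authorizer;
import org.apache.nifi.authorization.AuthorizerConfigurationContext;
import org.apache.nifi.authorization.AuthorizerInitializationContext;
import org.apache.nifi.authorization.RequestAction;
import org.apache.nifi.authorization.exception.AuthorizationAccessException;
import org.apache.nifi.authorization.exception.AuthorizerCreationException;
import org.apache.nifi.components.PropertyValue;

public class AnonymousReadOnlyAuthorizer implements Authorizer {
    // Hypothetical property name, set on this authorizer's entry in authorizers.xml.
    static final String ALLOWED = "Anonymous Read Resources";
    private volatile Set<String> anonymousReadable = Collections.emptySet();

    @Override
    public void initialize(AuthorizerInitializationContext context) throws AuthorizerCreationException {
    }

    @Override
    public void onConfigured(AuthorizerConfigurationContext context) throws AuthorizerCreationException {
        PropertyValue value = context.getProperty(ALLOWED);
        if (value != null && value.isSet()) {
            // Comma-separated resource identifiers, for example "/flow".
            anonymousReadable = new HashSet<>(Arrays.asList(value.getValue().trim().split("\\s*,\\s*")));
        }
    }

    @Override
    public AuthorizationResult authorize(AuthorizationRequest request) throws AuthorizationAccessException {
        if (!request.isAnonymous()) {
            // Authenticated users are out of scope for this example.
            return AuthorizationResult.denied("This example only decides anonymous requests");
        }
        if (request.getAction() != RequestAction.READ) {
            return AuthorizationResult.denied("Anonymous users are read-only");
        }
        String resource = request.getResource().getIdentifier();
        return anonymousReadable.contains(resource)
                ? AuthorizationResult.approved()
                : AuthorizationResult.denied("Resource not open to anonymous users: " + resource);
    }

    @Override
    public void preDestruction() {
    }
}
```

Leaving the property unset keeps the allow-list empty, so every anonymous request is denied.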

Re: "Insecure" NiFi 1.0.0 UI w/ SSL

Posted by Nicholas Hughes <ni...@gmail.com>.
Thanks Matt,

Reading your last sentence and the JIRA ticket, I gather this is not
possible in 1.0.0 and the update to accommodate this configuration is
forthcoming in a future release.

-Nick


On Sun, Sep 4, 2016 at 12:18 AM, Matt Gilman <ma...@gmail.com>
wrote:

> Nick,
>
> In 1.0.0 we've moved away from role based authorities in favor of fine
> grain access controls with a delegated authorizer. Whether an anonymous
> user is authorized would be a function of the configured authorizer. The
> authorizer is given details about the user's request and it will make an
> access decision accordingly. I've created a JIRA [1] to update the bundled
> file based authorizer to optionally allow anonymous access.
>
> Thanks.
>
> Matt
>
> [1] https://issues.apache.org/jira/browse/NIFI-2730
>
> On Sat, Sep 3, 2016 at 3:56 PM, Nicholas Hughes <
> nicholasmhughes.nifi@gmail.com> wrote:
>
>> In previous versions, it was possible to run the UI over HTTPS without
>> configuring users. In the most recent 0.x versions, I believe this was
>> accomplished through setting a "default" role for the Anonymous user in the
>> properties file.
>>
>> How is this done in 1.x? I've been reading through the Admin Guide and
>> playing with different settings, but I still can't seem to access the UI
>> anonymously over HTTPS. The most promising mention in the guide points
>> toward emptying the truststore properties:
>>
>> "nifi.security.truststore - Filename of the Truststore that will be used
>> to authorize those connecting to NiFi. If not set, all who attempt to
>> connect will be provided access as the *Anonymous* user."
>>
>> Given the past versions' expectation that the Anonymous user be defined a
>> role, I'm guessing that's the part that I'm missing. The properties file no
>> longer has a placeholder for setting the default role, so I assume that
>> function has moved into the new "authorizations" and/or "users" XML
>> files... but I'm not certain how to "hand jam" the proper information into
>> those files (or if that's even possible).
>>
>> Any assistance in setting up anonymous UI access over SSL is appreciated.
>>
>> -Nick
>>
>>
>

Re: "Insecure" NiFi 1.0.0 UI w/ SSL

Posted by Matt Gilman <ma...@gmail.com>.
Nick,

In 1.0.0 we've moved away from role based authorities in favor of fine
grain access controls with a delegated authorizer. Whether an anonymous
user is authorized would be a function of the configured authorizer. The
authorizer is given details about the user's request and it will make an
access decision accordingly. I've created a JIRA [1] to update the bundled
file based authorizer to optionally allow anonymous access.

Thanks.

Matt

[1] https://issues.apache.org/jira/browse/NIFI-2730

On Sat, Sep 3, 2016 at 3:56 PM, Nicholas Hughes <
nicholasmhughes.nifi@gmail.com> wrote:

> In previous versions, it was possible to run the UI over HTTPS without
> configuring users. In the most recent 0.x versions, I believe this was
> accomplished through setting a "default" role for the Anonymous user in the
> properties file.
>
> How is this done in 1.x? I've been reading through the Admin Guide and
> playing with different settings, but I still can't seem to access the UI
> anonymously over HTTPS. The most promising mention in the guide points
> toward emptying the truststore properties:
>
> "nifi.security.truststore - Filename of the Truststore that will be used
> to authorize those connecting to NiFi. If not set, all who attempt to
> connect will be provided access as the *Anonymous* user."
>
> Given the past versions' expectation that the Anonymous user be defined a
> role, I'm guessing that's the part that I'm missing. The properties file no
> longer has a placeholder for setting the default role, so I assume that
> function has moved into the new "authorizations" and/or "users" XML
> files... but I'm not certain how to "hand jam" the proper information into
> those files (or if that's even possible).
>
> Any assistance in setting up anonymous UI access over SSL is appreciated.
>
> -Nick
>
>