Posted to users@nifi.apache.org by David Dean via users <us...@nifi.apache.org> on 2023/01/13 00:04:49 UTC

How to auto-create users based on OIDC group membership?

Hi -
Is it possible for NiFi to automatically grant user access to NiFi based on an OIDC-authenticated user's group membership matching a group in NiFi?
I'm using the latest 1.19.1 with OIDC enabled and integrated with Keycloak.
In Keycloak I have created a test user and assigned them to group "Test Group".
In NiFi I have created a group called "Test Group" and granted it some policies.
I have enabled the "nifi.security.user.oidc.claim.groups" config option to obtain the OIDC groups from Keycloak.
If I pre-create a user account in NiFi and add them to "Test Group" then they can successfully login via OIDC and get the required policies.
But what I want is to not have to pre-create the users.
Instead I would like NiFi to evaluate an authenticated user's OIDC group membership, and if a group name in OIDC matches one in NiFi then it should allow them access to NiFi using the policies assigned to the matching group in NiFi.
Is this possible?
Appreciate your help!
Dave



Re: How to auto-create users based on OIDC group membership?

Posted by Chris Sampson <ch...@naimuri.com>.
An option, if you're in an environment where you're happy to run scripts
and connect to the NiFi & Keycloak APIs, is to use a library package to
query Keycloak for the users/groups you want to map into NiFi and assign
wanted policies.

One possibility is to use the python-keycloak [1] library to connect to and
query Keycloak, then NiPyApi [2] to connect to NiFi (and/or NiFi Registry)
in order to create the users, groups and assign policies.

Other libraries and/or technologies are available, but unfortunately it
will currently require you to write your own scripts to achieve your goal
if you want to automate this mapping rather than doing it all manually via
the NiFi/Registry UIs.


[1] https://pypi.org/project/python-keycloak/
[2] https://pypi.org/project/nipyapi/

On Fri, 13 Jan 2023, 17:51 Kevin Doran, <kd...@apache.org> wrote:

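Chris's suggestion amounts to a reconciliation script; the planning half of one follows as an added example (not code from the thread, NiFi, python-keycloak or NiPyApi). It assumes the Keycloak fetch and the NiFi writes are done through those two libraries, matches on group name exactly as Dave described, and uses constructed sample data.

```python
"""Plan a Keycloak -> NiFi group-membership sync (added example, not from the thread).
Fetching via python-keycloak (KeycloakAdmin.get_groups / get_group_members) and
applying via NiPyApi (nipyapi.security) are assumed, not exercised; data is constructed.
"""
from dataclasses import dataclass, field


@dataclass
class SyncPlan:  # changes that make NiFi match Keycloak for the shared group names
    users_to_create: set = field(default_factory=set)
    add_membership: dict = field(default_factory=dict)     # group -> identities
    remove_membership: dict = field(default_factory=dict)  # group -> identities
    skipped_groups: set = field(default_factory=set)       # no NiFi group of that name


def plan_sync(keycloak_groups: dict, nifi_groups: dict, nifi_users: set) -> SyncPlan:
    """Both group maps are group name -> set of member identities.
    Identities must be the exact string NiFi derives from the ID token (the claim
    named by nifi.security.user.oidc.claim.identifying.user, after any identity
    mapping patterns) or the OIDC login never matches the pre-created user. Group
    names are compared exactly and case-sensitively, as NiFi does, and only groups
    already present in NiFi are touched, so policies are never granted to a group
    the admin did not create. Members absent from Keycloak are removed (otherwise
    stale access persists), so matched groups must be managed only via Keycloak.
    """
    plan = SyncPlan()
    for group, kc_members in keycloak_groups.items():
        if group not in nifi_groups:
            plan.skipped_groups.add(group)
            continue
        to_add = kc_members - nifi_groups[group]
        to_remove = nifi_groups[group] - kc_members
        plan.users_to_create |= to_add - nifi_users  # create users before membership
        if to_add:
            plan.add_membership[group] = to_add
        if to_remove:
            plan.remove_membership[group] = to_remove
    return plan


# Constructed sample data standing in for the two APIs' responses.
SAMPLE_KEYCLOAK = {"Test Group": {"alice@example.com", "bob@example.com"},
                   "Unmapped": {"carol@example.com"}}
SAMPLE_NIFI_GROUPS = {"Test Group": {"bob@example.com", "dave@example.com"}}
SAMPLE_NIFI_USERS = {"bob@example.com", "dave@example.com", "admin@example.com"}


def demo() -> SyncPlan:
    return plan_sync(SAMPLE_KEYCLOAK, SAMPLE_NIFI_GROUPS, SAMPLE_NIFI_USERS)
```

Running the plan a second time against the state it produced yields an empty SyncPlan, which is the property to check before scheduling the script.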
Re: How to auto-create users based on OIDC group membership?

Posted by Kevin Doran <kd...@apache.org>.
Hi Dave,

I understand the type of auto-user registration for authenticated users
that you're describing, which a lot of OIDC-based web apps support.

Unfortunately, NiFi cannot support that at this time. It would be a cool
feature. It's not impossible that NiFi could support it one day. We would
have to enhance the NiFi Identity Provider, User Group Provider, and
Authorizer implementations for OIDC to work together to support this.

Currently, the closest you can get in NiFi is to use something like the
LdapUserGroupProvider to point at the same user directory as Keycloak, then
the users will be automatically synced from the same directory, including
their group membership for setting NiFi-specific access at the group level.
But the OIDC identity would just be used for authentication, not group
mapping or access policy loading (that would still come from the NiFi User
Group Provider and Access Policy Provider).

Hope this helps.
Kevin

On Jan 12, 2023 at 19:04:49, David Dean via users <us...@nifi.apache.org>
wrote: