Posted to dev@nifi.apache.org by Qcho <qc...@gmail.com> on 2018/03/23 21:32:00 UTC

Objection: LDAP Auth needs HTTPS

Hi,

I'm working on deploying a NiFi cluster with Kubernetes.

The idea was to place a nifi-cluster behind an nginx-ingress.

We want to be able to access:

nifi.mydomain.com and allow load-balancing over:

node1.nifi.mydomain.com
node2.nifi.mydomain.com
... etc

The problem here is that we want to perform SSL termination in the
load balancer at nifi.mydomain.com and then just talk plain HTTP with each
node. But it seems NiFi does not allow this, because it considers talking
over HTTP always insecure and therefore no LDAP auth is supported.

Any thoughts on this? Has anyone been able to do some kind of proxying?

Maybe we can add an enable-if-you-know-what-you-are-doing config for
allowing auth over HTTP?

Thanks in advance!

Re: Objection: LDAP Auth needs HTTPS

Posted by Bryan Bende <bb...@gmail.com>.
Hello,

Passing LDAP credentials in plain text over HTTP would not be secure.

You'll want to have the SSL connection pass through the load balancer
all the way to the NiFi nodes.

There are several articles on setting up a secure NiFi cluster:

https://pierrevillard.com/2016/11/29/apache-nifi-1-1-0-secured-cluster-setup/
https://holisticsecurity.io/2017/05/17/apache-nifi-and-tls-toolkit-ansible-roles-to-create-a-multi-node-secure-nifi-cluster/
https://bryanbende.com/development/2016/08/17/apache-nifi-1-0-0-authorization-and-multi-tenancy

Thanks,

Bryan

On Fri, Mar 23, 2018 at 5:32 PM, Qcho <qc...@gmail.com> wrote:
> Hi,
>
> I'm working on deploying a NiFi cluster with Kubernetes.
>
> The idea was to place a nifi-cluster behind an nginx-ingress.
>
> We want to be able to access:
>
> nifi.mydomain.com and allow load-balancing over:
>
> node1.nifi.mydomain.com
> node2.nifi.mydomain.com
> ... etc
>
> The problem here is that we want to perform SSL termination in the
> load balancer at nifi.mydomain.com and then just talk plain HTTP with each
> node. But it seems NiFi does not allow this, because it considers talking
> over HTTP always insecure and therefore no LDAP auth is supported.
>
> Any thoughts on this? Has anyone been able to do some kind of proxying?
>
> Maybe we can add an enable-if-you-know-what-you-are-doing config for
> allowing auth over HTTP?
>
> Thanks in advance!
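The two ingress-nginx configurations at issue in this thread, as an added example that is not part of the thread or of the NiFi project: the first terminates TLS at the ingress and forwards plain HTTP to the pods (the setup in the question, which puts the LDAP username and password on the wire in clear text inside the cluster network); the second is the passthrough variant the reply recommends, where the client's TLS session goes untouched through the ingress and is terminated by the NiFi node itself. The hostnames are the ones from the thread; the namespace, the Service names, the TLS Secret name and the ports are assumptions.

```yaml
# Added example, not from the thread or from the NiFi project.
# Hostnames come from the thread; namespace, Service names, Secret name
# and ports are assumed.

# 1) The setup described in the question: TLS is terminated here and the
#    ingress talks plain HTTP to the pods. The LDAP login POST (username and
#    password) crosses the cluster network unencrypted, which is exactly
#    what NiFi refuses to support.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: nifi-terminating            # assumed name
  namespace: nifi                   # assumed namespace
spec:
  tls:
  - hosts:
    - nifi.mydomain.com
    secretName: nifi-mydomain-tls   # assumed Secret holding the public cert/key
  rules:
  - host: nifi.mydomain.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: nifi-http         # assumed Service -> pods' nifi.web.http.port
            port:
              number: 8080
---
# 2) What the reply recommends: TLS passes through the ingress and is
#    terminated by each NiFi node. ingress-nginx routes the connection on the
#    SNI name, so there is no tls: section here; the ingress never holds a
#    key for nifi.mydomain.com and never sees the credentials. The controller
#    must be started with --enable-ssl-passthrough, otherwise the annotation
#    is silently ignored and the Ingress degrades to ordinary termination.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: nifi-passthrough            # assumed name
  namespace: nifi
  annotations:
    nginx.ingress.kubernetes.io/ssl-passthrough: "true"
spec:
  rules:
  - host: nifi.mydomain.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: nifi-https        # assumed Service -> pods' nifi.web.https.port
            port:
              number: 8443
```

Two checks worth doing once the passthrough Ingress is applied. First, the client's TLS session now ends at a NiFi node, so each node's keystore certificate must carry nifi.mydomain.com as a subject alternative name in addition to the node's own name (node1.nifi.mydomain.com and so on), or browsers will reject the connection. Second, because the ingress is forwarding raw TLS it cannot rewrite or add HTTP headers, so the Host header NiFi receives is nifi.mydomain.com rather than a node name; on NiFi versions that validate the Host header, the proxy hostname has to be listed in nifi.web.proxy.host in nifi.properties (for example nifi.web.proxy.host=nifi.mydomain.com:443, an assumed value here) or NiFi returns an error for requests arriving through the ingress. The node itself still needs nifi.web.https.port set, nifi.web.http.port left empty, and nifi.security.user.login.identity.provider pointing at the LDAP provider, as described in the articles linked in the reply.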