Posted to users@nifi.apache.org by David Early <da...@grokstream.com> on 2022/02/11 17:10:00 UTC

Hi all,

We are trying to get site-to-site working between 2 NiFi instances using 
SSL and single-user-provider authentication.

Systems are up, certs have been inserted into the truststores and we can 
log in with the single user, but site-to-site gives us a "Forbidden".

General instructions talk about adding a security policy to allow 
communications, but that option is not available in single user mode.  
When we set up an LDAP, then we see policies but right now they are not 
available.

If we enable the anonymous authentication, then site-to-site works, but 
we lose the single user sign in (which is providing some basic security 
ahead of final LDAP configuration).

Is there any way to allow site-to-site with single user without enabling 
the anonymous authentication?

David Early

Re: Site-to-site with SSL and single-user-provider

Posted by David Handermann <ex...@apache.org>.
Hi David,

Secure site-to-site communication will not work with single user
authentication or authorization. Single user mode implies only one client,
whether through a web browser or through programmatic communication.

A secure configuration requires authorizing site-to-site peers for
connectivity, based on client certificate identities. Since the single user
authorizer is limited to one username, it is not possible to authorize
other clients. The standard managed authorizer, together with the
file-based authorizer, supports configuring permitted entities in local
configuration files.

If you have generated certificates for site-to-site communication, have you
considered using certificates for browser-based access? Although this
requires additional effort to generate and provide client certificates, it
is one approach to support multiple clients without necessarily requiring
LDAP.

Regards,
David Handermann

On Fri, Feb 11, 2022 at 11:18 AM David Early <da...@grokstream.com>
wrote:

> Hi all,
>
> We are trying to get site-to-site working between 2 NiFi instances
> (v1.15.1) using SSL and single-user-provider authentication.
>
> Systems are up, certs have been inserted into the truststores and we can
> log in with the single user, but site-to-site gives us a "Forbidden".
>
> General instructions talk about adding a security policy to allow
> communications, but that option is not available in single user mode.  When
> we set up an LDAP, then we see policies but right now they are not
> available.
>
> If we enable the anonymous authentication, then site-to-site works, but we
> lose the single user sign in (which is providing some basic security ahead
> of final LDAP configuration).
>
> Is there any way to allow site-to-site with single user without enabling
> the anonymous authentication?
>
> David Early
>
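As an added illustration of the managed-authorizer setup described in the reply above (this is not configuration taken from the thread or from the NiFi project files), here is an authorizers.xml that pairs StandardManagedAuthorizer with the file-based user group and access policy providers; the certificate DNs are assumed placeholders standing in for the real admin and peer-instance certificate subjects.

```xml
<!-- authorizers.xml: StandardManagedAuthorizer backed by the file-based providers.
     The DNs below are assumed placeholders; substitute the subject DNs of the
     actual admin certificate and of the remote instance's site-to-site certificate. -->
<authorizers>
    <userGroupProvider>
        <identifier>file-user-group-provider</identifier>
        <class>org.apache.nifi.authorization.FileUserGroupProvider</class>
        <property name="Users File">./conf/users.xml</property>
        <property name="Legacy Authorized Users File"></property>
        <!-- Seed the admin identity and the peer instance's certificate identity so
             both exist as users before any policy is granted to them. -->
        <property name="Initial User Identity 1">CN=admin, OU=EXAMPLE</property>
        <property name="Initial User Identity 2">CN=nifi-b.example.org, OU=EXAMPLE</property>
    </userGroupProvider>

    <accessPolicyProvider>
        <identifier>file-access-policy-provider</identifier>
        <class>org.apache.nifi.authorization.FileAccessPolicyProvider</class>
        <property name="User Group Provider">file-user-group-provider</property>
        <property name="Authorizations File">./conf/authorizations.xml</property>
        <!-- The initial admin receives the policies needed to manage users and
             access policies from the UI; everything else is granted from there. -->
        <property name="Initial Admin Identity">CN=admin, OU=EXAMPLE</property>
        <property name="Legacy Authorized Users File"></property>
        <!-- "Node Identity N" properties are for members of one cluster; two
             standalone instances exchanging data via site-to-site do not need them. -->
    </accessPolicyProvider>

    <authorizer>
        <identifier>managed-authorizer</identifier>
        <class>org.apache.nifi.authorization.StandardManagedAuthorizer</class>
        <property name="Access Policy Provider">file-access-policy-provider</property>
    </authorizer>
</authorizers>
```

Select it with nifi.security.user.authorizer=managed-authorizer in nifi.properties, then log in as the admin and grant the peer's certificate identity the "retrieve site-to-site details" policy plus "receive data via site-to-site" or "send data via site-to-site" on the specific port; a peer lacking those policies is what produces the "Forbidden" response. The initial identities are only written when users.xml and authorizations.xml do not yet exist, so check for stale copies of those files before restarting.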