Posted to dev@nifi.apache.org by Aaron Rich <aa...@gmail.com> on 2019/08/08 20:04:18 UTC

Nifi using keycloak for certs challenge

I've recently set up NiFi to use Keycloak <https://www.keycloak.org/> as an
authentication method for users. I was wondering if my understanding of
NiFi's security is correct, in that NiFi will *always* require a
certificate challenge, and regardless if that certificate challenge passes
or fails, NiFi *will not* use Keycloak. If the certificate challenge is
declined, then, and only then, will Keycloak be called upon for
authentication.

I've found that the process described here
<https://bryanbende.com/development/2017/10/03/apache-nifi-openid-connect> is
essentially what I'm after, but with certificates instead of a
username/password form. If I go directly to /nifi on my NiFi server, I get
stuck with NiFi's certificate challenge and Keycloak is not used. I did at
least find a pattern that gives me what I want, but it isn't ideal:

   1. Go to the NiFi server without any paths attached to the URL (ex:
   https://localhost:8080/) and get prompted for a certificate -> Decline
   giving a certificate
   2. Land on the page that tells you that it's going to redirect you to
   /nifi. After five seconds, I get redirected (to
   https://localhost:8080/nifi) and prompted for a certificate again ->
   This time I give a valid certificate
   3. Land on the Keycloak login, which confirms the certificate being used
   4. Successfully login to NiFi

I'd want to avoid this, since it isn't exactly straightforward.

Is there any way to force NiFi to use Keycloak for all challenges?

Re: Nifi using keycloak for certs challenge

Posted by Andy LoPresto <al...@gmail.com>.
The short answer to your question is no, not right now. (Native NiFi) client certificate authentication is always enabled, and delegating the certificate examination to a third party is not supported at this time. The long explanation stems from legacy decisions due to the unique environment where the project originated. All other authentication mechanisms were added as supplemental, rather than replacement, processes. 

For NiFi 2.0, we have discussed refactoring the authentication mechanisms to be much more flexible, including all treated as first-class options, enable/disable-able, and preferable via desired priority. 

As of right now, however, with Keycloak or other third party certificate authentication systems, NiFi does not have an easy process for this delegation. You might want to look at the proxy authentication implemented for Knox integration that Jeff Storck did a while ago. It won’t be 1:1 translatable, but it might give you some ideas on how to write custom code to do this. 

Andy LoPresto
alopresto@apache.org
alopresto.apache@gmail.com
PGP Fingerprint: 70EC B3E5 98A6 5A3F D3C4  BACE 3C6E F65B 2F7D EF69

> On Aug 8, 2019, at 14:04, Aaron Rich <aa...@gmail.com> wrote:
> 
> I've recently set up NiFi to use Keycloak <https://www.keycloak.org/> as an
> authentication method for users. I was wondering if my understanding of
> NiFi's security is correct, in that NiFi will *always* require a
> certificate challenge, and regardless if that certificate challenge passes
> or fails, NiFi *will not* use Keycloak. If the certificate challenge is
> declined, then, and only then, will Keycloak be called upon for
> authentication.
> 
> I've found that the process described here
> <https://bryanbende.com/development/2017/10/03/apache-nifi-openid-connect> is
> essentially what I'm after, but with certificates instead of a
> username/password form. If I go directly to /nifi on my NiFi server, I get
> stuck with NiFi's certificate challenge and Keycloak is not used. I did at
> least find a pattern that gives me what I want, but it isn't ideal:
> 
>   1. Go to the NiFi server without any paths attached to the URL (ex:
>   https://localhost:8080/) and get prompted for a certificate -> Decline
>   giving a certificate
>   2. Land on the page that tells you that it's going to redirect you to
>   /nifi. After five seconds, I get redirected (to
>   https://localhost:8080/nifi) and prompted for a certificate again ->
>   This time I give a valid certificate
>   3. Land on the Keycloak login, which confirms the certificate being used
>   4. Successfully login to NiFi
> 
> I'd want to avoid this, since it isn't exactly straightforward.
> 
> Is there any way to force NiFi to use Keycloak for all challenges?