You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@nifi.apache.org by "Kalisz, John T." <Jo...@gd-ms.com> on 2015/03/19 12:09:33 UTC
NiFi LDAP Authentication
Is it possible to authenticate NiFI users against LDAP or AD. Where can I find instructions to do so. The instructions for setting up rules allude to the idea of using LDAP but I have found no properties related to LDAP ports or servers. If LDAP is not supported, is there a way to add users locally?
<users>
<user dn="[cn=John Smith,ou=people,dc=example,dc=com]">
<role name="ROLE_ADMIN"/>
</user>
</users>
John T. Kalisz
General Dynamics Mission Systems
Office 413-494-3376 | Cell 413-822-1883 | john.kalisz@gd-ms.com<ma...@gd-ms.com>
This message and/or attachments may include information subject to GD Corporate Policies 07-103 and 07-105 and is intended to be accessed only by authorized recipients. Use, storage and transmission are governed by General Dynamics and its policies. Contractual restrictions apply to third parties. Recipients should refer to the policies or contract to determine proper handling. Unauthorized review, use, disclosure or distribution is prohibited. If you are not an intended recipient, please contact the sender and destroy all copies of the original message.
Re: NiFi LDAP Authentication
Posted by Matt Gilman <ma...@gmail.com>.
Owie,
The authentication model is not extension point at the moment. You are
correct that the only means of authentication is certificate based. The
authorization model is what is extensible. Basically the application will
tell the AuthorityProvider who the user is and it provides what it is that
they are allowed to do.
I am not sure how a pluggable authentication model would work within the
context of NiFi but it's something that could certainly be considered.
Adding direct support for another type of authentication like basic when a
certificate is not present may also be a possibility.
Matt
On Fri, Mar 20, 2015 at 4:07 AM, owieboy <od...@exist.com> wrote:
> When I first read in the admin guide that NiFi comes with authentication
> feature I was expecting a HTTPS form based login page. After trying it for
> myself, I found that it uses a mutual certificate authentication which I
> read is more secured than the form-based scheme.
>
> If I want a form based login page, I guess I would have to implement it as
> an extension. Unless there's already an available implementation for such
> requirement and there's only lacking in the documentation. Please advice.
> Thanks
>
> Owie
>
>
>
> --
> View this message in context:
> http://apache-nifi-incubating-developer-list.39713.n7.nabble.com/NiFi-LDAP-Authentication-tp1007p1017.html
> Sent from the Apache NiFi (incubating) Developer List mailing list archive
> at Nabble.com.
>
Re: NiFi LDAP Authentication
Posted by owieboy <od...@exist.com>.
When I first read in the admin guide that NiFi comes with authentication
feature I was expecting a HTTPS form based login page. After trying it for
myself, I found that it uses a mutual certificate authentication which I
read is more secured than the form-based scheme.
If I want a form based login page, I guess I would have to implement it as
an extension. Unless there's already an available implementation for such
requirement and there's only lacking in the documentation. Please advice.
Thanks
Owie
--
View this message in context: http://apache-nifi-incubating-developer-list.39713.n7.nabble.com/NiFi-LDAP-Authentication-tp1007p1017.html
Sent from the Apache NiFi (incubating) Developer List mailing list archive at Nabble.com.
Re: NiFi LDAP Authentication
Posted by Matt Gilman <ma...@gmail.com>.
John,
NiFi supports an AuthorityProvider extension point. Currently, we do not
provide one that interacts with LDAP (though we would welcome any
contributions). Users are typically added by having them request accounts.
This is done by having them visit the NiFi instance in question. The
application will not recognize them and will provide an opportunity for
them to request an account. A little star icon will show up over the User
Management icon in the upper right whenever there are any pending account
requests. The Admin will be able to assign roles there (as well as revoked
and remove accounts). This will add (or remove) the entries to the local
authorized users file. This account request model was designed to allow the
Admins to not have to manually enter or edit DNs.
Alternatively, the Admin could manually add the entries to the local
authorized users file prior to starting the application.
Thanks.
Matt Gilman
On Thu, Mar 19, 2015 at 7:09 AM, Kalisz, John T. <Jo...@gd-ms.com>
wrote:
> Is it possible to authenticate NiFI users against LDAP or AD. Where can I
> find instructions to do so. The instructions for setting up rules allude
> to the idea of using LDAP but I have found no properties related to LDAP
> ports or servers. If LDAP is not supported, is there a way to add users
> locally?
>
> <users>
> <user dn="[cn=John Smith,ou=people,dc=example,dc=com]">
> <role name="ROLE_ADMIN"/>
> </user>
> </users>
>
> John T. Kalisz
> General Dynamics Mission Systems
>
> Office 413-494-3376 | Cell 413-822-1883 | john.kalisz@gd-ms.com
> <ma...@gd-ms.com>
>
> This message and/or attachments may include information subject to GD
> Corporate Policies 07-103 and 07-105 and is intended to be accessed only by
> authorized recipients. Use, storage and transmission are governed by
> General Dynamics and its policies. Contractual restrictions apply to third
> parties. Recipients should refer to the policies or contract to determine
> proper handling. Unauthorized review, use, disclosure or distribution is
> prohibited. If you are not an intended recipient, please contact the
> sender and destroy all copies of the original message.
>
>