NiFi Security

This topic describes how the Login Identity Provider provides authentication options for username and password for NiFi.

NiFi supports different authorization providers. The user authentication through username and password is performed by Login Identity Provider. Login Identity Provider provides three options to authenticate username and password:
  1. Single User
  2. Lightweight Directory Access Protocol/ Active Directory (LDAP/ AD)
  3. Kerberos
To learn more, see User Authentication.

By default, you can log in using Single User option on secured clusters.

MapR-SASL does not support UI login and impersonation.

Kerberos

To authenticate username and password by using Kerberos on cluster, perform the following:
  1. Add the following properties in opt/mapr/nifi/nifi-<version>/conf/nifi.properties file.
    nifi.security.user.authorizer=managed-authorizer 
    nifi.security.user.login.identity.provider=kerberos-provider 
    nifi.kerberos.krb5.file=/etc/krb5.conf 
  2. Add the following providers in /opt/mapr/nifi/nifi-<version>/conf/login-identity-providers.xml file.
     <provider> 
            <identifier>kerberos-provider</identifier> 
            <class>org.apache.nifi.kerberos.KerberosProvider</class> 
            <property name="Default Realm">YOUR_REALM</property> 
            <property name="Authentication Expiration">12 hours</property> 
        </provider> 
  3. Add the following authorizers in /opt/mapr/nifi/nifi-<version>/conf/authorizers.xml file.
    <?xml version="1.0" encoding="UTF-8" standalone="yes"?> 
    <authorizers> 
        <userGroupProvider> 
            <identifier>file-user-group-provider</identifier> 
            <class>org.apache.nifi.authorization.FileUserGroupProvider</class> 
            <property name="Users File">./conf/users.xml</property> 
            <property name="Legacy Authorized Users File"></property> 
            <property name="Initial User Identity 1">YOUR_USER@REALM (example: root/admin@NODE1)</property> 
        </userGroupProvider> 
        <accessPolicyProvider> 
            <identifier>file-access-policy-provider</identifier> 
            <class>org.apache.nifi.authorization.FileAccessPolicyProvider</class> 
            <property name="User Group Provider">file-user-group-provider</property> 
            <property name="Authorizations File">./conf/authorizations.xml</property> 
            <property name="Initial Admin Identity"> YOUR_USER@REALM (example: root/admin@NODE1) </property> 
            <property name="Legacy Authorized Users File"></property>   
            <property name="Node Identity 1"></property> 
        </accessPolicyProvider> 
        <authorizer> 
            <identifier>managed-authorizer</identifier> 
            <class>org.apache.nifi.authorization.StandardManagedAuthorizer</class> 
            <property name="Access Policy Provider">file-access-policy-provider</property> 
        </authorizer> 
    </authorizers> 
    
     

You can now log in with YOUR_USER and set proper policies for other users .

LDAP/AD

To authenticate username and password by using LDAP/AD on cluster, perform the following:
  1. Add the following properties in opt/mapr/nifi/nifi-<version>/conf/nifi.properties file.
    nifi.security.user.login.identity.provider=ldap-provider 
    nifi.security.user.authorizer=managed-authorizer 
  2. Add the following providers in /opt/mapr/nifi/nifi-<version>/conf/login-identity-providers.xml file.
    <provider> 
            <identifier>ldap-provider</identifier> 
            <class>org.apache.nifi.ldap.LdapProvider</class> 
            <property name="Authentication Strategy">SIMPLE</property>   
            <property name="Manager DN">MANAGER_DN (example: cn=admin,dc=mapr,dc=local)</property> 
            <property name="Manager Password">PASSWORD</property>   
            <property name="TLS - Keystore"></property> 
            <property name="TLS - Keystore Password"></property> 
            <property name="TLS - Keystore Type"></property> 
            <property name="TLS - Truststore"></property> 
            <property name="TLS - Truststore Password"></property> 
            <property name="TLS - Truststore Type"></property> 
            <property name="TLS - Client Auth"></property> 
            <property name="TLS - Protocol"></property> 
            <property name="TLS - Shutdown Gracefully"></property> 
            <property name="Referral Strategy">FOLLOW</property> 
            <property name="Connect Timeout">10 secs</property> 
            <property name="Read Timeout">10 secs</property>  
            <property name="Url">LDAP_URL (example: ldap://127.0.0.1:389)</property> 
            <property name="User Search Base">dc=mapr,dc=local</property> 
            <property name="User Search Filter">(cn={0})</property>  
            <property name="Identity Strategy">USE_DN</property> 
            <property name="Authentication Expiration">12 hours</property> 
        </provider> 
    
    
  3. Add the following authorizers in /opt/mapr/nifi/nifi-<version>/conf/authorizers.xml file.
    <?xml version="1.0" encoding="UTF-8" standalone="yes"?> 
    <authorizers> 
        <userGroupProvider> 
            <identifier>file-user-group-provider</identifier> 
            <class>org.apache.nifi.authorization.FileUserGroupProvider</class> 
            <property name="Users File">./conf/users.xml</property> 
            <property name="Legacy Authorized Users File"></property>   
            <property name="Initial User Identity 1">ADMIN_USER (example: cn=admin,dc=mapr,dc=local)</property> 
        </userGroupProvider> 
        <accessPolicyProvider> 
            <identifier>file-access-policy-provider</identifier> 
            <class>org.apache.nifi.authorization.FileAccessPolicyProvider</class> 
            <property name="User Group Provider">file-user-group-provider</property> 
            <property name="Authorizations File">./conf/authorizations.xml</property> 
            <property name="Initial Admin Identity">ADMIN_USER (example: cn=admin,dc=mapr,dc=local) </property> 
            <property name="Legacy Authorized Users File"></property> 
            <property name="Node Identity 1"></property> 
        </accessPolicyProvider> 
        <authorizer> 
            <identifier>managed-authorizer</identifier> 
            <class>org.apache.nifi.authorization.StandardManagedAuthorizer</class> 
            <property name="Access Policy Provider">file-access-policy-provider</property> 
        </authorizer> 
    </authorizers> 
    

You can now log in with ADMIN_USER and add new users, groups and policies to NiFi. .