NiFi Security
This topic describes the username and password authentication options that the Login Identity Provider offers for NiFi.
NiFi supports several authorization providers. Authentication with a username and password is performed by the Login Identity Provider, which offers three options:
- Single User
- Lightweight Directory Access Protocol / Active Directory (LDAP/AD)
- Kerberos
By default, you can log in using the Single User option on secured clusters.
MapR-SASL does not support UI login or impersonation.
Kerberos
To authenticate a username and password using Kerberos on the cluster, perform the following:
- Add the following properties to the /opt/mapr/nifi/nifi-<version>/conf/nifi.properties file:
  nifi.security.user.authorizer=managed-authorizer
  nifi.security.user.login.identity.provider=kerberos-provider
  nifi.kerberos.krb5.file=/etc/krb5.conf
- Add the following provider to the /opt/mapr/nifi/nifi-<version>/conf/login-identity-providers.xml file:
  <provider>
      <identifier>kerberos-provider</identifier>
      <class>org.apache.nifi.kerberos.KerberosProvider</class>
      <property name="Default Realm">YOUR_REALM</property>
      <property name="Authentication Expiration">12 hours</property>
  </provider>
- Add the following authorizers to the /opt/mapr/nifi/nifi-<version>/conf/authorizers.xml file:
  <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
  <authorizers>
      <userGroupProvider>
          <identifier>file-user-group-provider</identifier>
          <class>org.apache.nifi.authorization.FileUserGroupProvider</class>
          <property name="Users File">./conf/users.xml</property>
          <property name="Legacy Authorized Users File"></property>
          <property name="Initial User Identity 1">YOUR_USER@REALM (example: root/admin@NODE1)</property>
      </userGroupProvider>
      <accessPolicyProvider>
          <identifier>file-access-policy-provider</identifier>
          <class>org.apache.nifi.authorization.FileAccessPolicyProvider</class>
          <property name="User Group Provider">file-user-group-provider</property>
          <property name="Authorizations File">./conf/authorizations.xml</property>
          <property name="Initial Admin Identity">YOUR_USER@REALM (example: root/admin@NODE1)</property>
          <property name="Legacy Authorized Users File"></property>
          <property name="Node Identity 1"></property>
      </accessPolicyProvider>
      <authorizer>
          <identifier>managed-authorizer</identifier>
          <class>org.apache.nifi.authorization.StandardManagedAuthorizer</class>
          <property name="Access Policy Provider">file-access-policy-provider</property>
      </authorizer>
  </authorizers>
You can now log in with YOUR_USER and set the appropriate policies for other users.
LDAP/AD
To authenticate a username and password using LDAP/AD on the cluster, perform the following:
- Add the following properties to the /opt/mapr/nifi/nifi-<version>/conf/nifi.properties file:
  nifi.security.user.login.identity.provider=ldap-provider
  nifi.security.user.authorizer=managed-authorizer
- Add the following provider to the /opt/mapr/nifi/nifi-<version>/conf/login-identity-providers.xml file:
  <provider>
      <identifier>ldap-provider</identifier>
      <class>org.apache.nifi.ldap.LdapProvider</class>
      <property name="Authentication Strategy">SIMPLE</property>
      <property name="Manager DN">MANAGER_DN (example: cn=admin,dc=mapr,dc=local)</property>
      <property name="Manager Password">PASSWORD</property>
      <property name="TLS - Keystore"></property>
      <property name="TLS - Keystore Password"></property>
      <property name="TLS - Keystore Type"></property>
      <property name="TLS - Truststore"></property>
      <property name="TLS - Truststore Password"></property>
      <property name="TLS - Truststore Type"></property>
      <property name="TLS - Client Auth"></property>
      <property name="TLS - Protocol"></property>
      <property name="TLS - Shutdown Gracefully"></property>
      <property name="Referral Strategy">FOLLOW</property>
      <property name="Connect Timeout">10 secs</property>
      <property name="Read Timeout">10 secs</property>
      <property name="Url">LDAP_URL (example: ldap://127.0.0.1:389)</property>
      <property name="User Search Base">dc=mapr,dc=local</property>
      <property name="User Search Filter">(cn={0})</property>
      <property name="Identity Strategy">USE_DN</property>
      <property name="Authentication Expiration">12 hours</property>
  </provider>
- Add the following authorizers to the /opt/mapr/nifi/nifi-<version>/conf/authorizers.xml file:
  <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
  <authorizers>
      <userGroupProvider>
          <identifier>file-user-group-provider</identifier>
          <class>org.apache.nifi.authorization.FileUserGroupProvider</class>
          <property name="Users File">./conf/users.xml</property>
          <property name="Legacy Authorized Users File"></property>
          <property name="Initial User Identity 1">ADMIN_USER (example: cn=admin,dc=mapr,dc=local)</property>
      </userGroupProvider>
      <accessPolicyProvider>
          <identifier>file-access-policy-provider</identifier>
          <class>org.apache.nifi.authorization.FileAccessPolicyProvider</class>
          <property name="User Group Provider">file-user-group-provider</property>
          <property name="Authorizations File">./conf/authorizations.xml</property>
          <property name="Initial Admin Identity">ADMIN_USER (example: cn=admin,dc=mapr,dc=local)</property>
          <property name="Legacy Authorized Users File"></property>
          <property name="Node Identity 1"></property>
      </accessPolicyProvider>
      <authorizer>
          <identifier>managed-authorizer</identifier>
          <class>org.apache.nifi.authorization.StandardManagedAuthorizer</class>
          <property name="Access Policy Provider">file-access-policy-provider</property>
      </authorizer>
  </authorizers>
You can now log in with ADMIN_USER and add new users, groups, and policies to NiFi.
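The three files edited in the Kerberos and LDAP/AD procedures above must agree with each other: nifi.properties names a login identity provider and an authorizer that the two XML files have to define, and the authorizer has to chain through an access policy provider to a user group provider. The following checker is an added example, not NiFi or MapR code; the sample configs are constructed inline and the function names are hypothetical. It parses the three files, reports dangling references and template placeholders left in place, and flags an LDAP SIMPLE bind over plain ldap://, which sends the Manager Password and users' passwords unencrypted.

```python
import xml.etree.ElementTree as ET
# Template placeholders from the procedure above; any left in a live config is a misconfiguration.
PLACEHOLDERS = ("YOUR_REALM", "YOUR_USER", "PASSWORD", "MANAGER_DN", "LDAP_URL", "ADMIN_USER")

def parse_properties(text):
    """Parse key=value lines of nifi.properties; blank lines and # comments are ignored."""
    pairs = [line.split("=", 1) for line in text.splitlines() if "=" in line and not line.lstrip().startswith("#")]
    return {k.strip(): v.strip() for k, v in pairs}

def by_identifier(xml_text):
    """Map each <identifier> to its parent element (provider, accessPolicyProvider, ...)."""
    return {el.findtext("identifier"): el for el in ET.fromstring(xml_text) if el.find("identifier") is not None}

def prop(el, name):
    """Value of <property name="..."> inside el, or '' when absent or empty."""
    return next((p.text or "" for p in el.findall("property") if p.get("name") == name), "").strip()

def check_nifi_security(props_text, login_xml, authz_xml):
    """Return findings: dangling references, leftover placeholders, cleartext LDAP bind."""
    findings, props = [], parse_properties(props_text)
    providers, authz = by_identifier(login_xml), by_identifier(authz_xml)
    lip = props.get("nifi.security.user.login.identity.provider", "")
    if lip not in providers:
        findings.append(f"login identity provider '{lip}' is not defined")
    # Follow the chain authorizer -> access policy provider -> user group provider.
    auth = authz.get(props.get("nifi.security.user.authorizer", ""))
    apr = authz.get(prop(auth, "Access Policy Provider")) if auth is not None else None
    ugp = authz.get(prop(apr, "User Group Provider")) if apr is not None else None
    if None in (auth, apr, ugp):
        findings.append("authorizer chain does not resolve to a user group provider")
    for el in list(providers.values()) + list(authz.values()):
        for p in el.findall("property"):
            if any(ph in (p.text or "") for ph in PLACEHOLDERS):
                findings.append(f"placeholder left in '{p.get('name')}': {p.text.strip()}")
    # SIMPLE bind over plain ldap:// sends the Manager Password and user passwords in cleartext.
    if lip in providers and prop(providers[lip], "Authentication Strategy") == "SIMPLE" \
            and prop(providers[lip], "Url").lower().startswith("ldap://"):
        findings.append("SIMPLE bind over ldap:// is unencrypted; use LDAPS or START_TLS")
    return findings
# Constructed sample mirroring the LDAP section, with template placeholders still in place.
SAMPLE_PROPS = "nifi.security.user.login.identity.provider=ldap-provider\nnifi.security.user.authorizer=managed-authorizer\n"
SAMPLE_LOGIN = """<loginIdentityProviders><provider><identifier>ldap-provider</identifier>
<property name="Authentication Strategy">SIMPLE</property><property name="Manager Password">PASSWORD</property>
<property name="Url">ldap://127.0.0.1:389</property></provider></loginIdentityProviders>"""
SAMPLE_AUTHZ = """<authorizers><userGroupProvider><identifier>file-user-group-provider</identifier></userGroupProvider>
<accessPolicyProvider><identifier>file-access-policy-provider</identifier>
<property name="User Group Provider">file-user-group-provider</property></accessPolicyProvider>
<authorizer><identifier>managed-authorizer</identifier>
<property name="Access Policy Provider">file-access-policy-provider</property></authorizer></authorizers>"""
if __name__ == "__main__":
    print(*check_nifi_security(SAMPLE_PROPS, SAMPLE_LOGIN, SAMPLE_AUTHZ), sep="\n")
```

Run it against the real files by reading them from the /opt/mapr/nifi/nifi-<version>/conf/ directory instead of the constructed samples; an empty result means the wiring resolves and no template values remain.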