Understanding Authentication and Authorization in Hortonworks Data Flow (HDF - NiFi)

Jay Bilgaye
Aug 28, 2018

This story helps you understand the required configuration information on NiFi and NiFi Registry authentication and authorization strategies. This article includes my experience working with HDF. I would recommend reading the HWX docs as much as possible. I have articulated as much information as I could and added links which I found useful and interesting in this article.

HDF version taken into consideration: HDF 3.x

What is supported and what is not?

NiFi supports authentication and authorization only if SSL is enabled for NiFi.

NiFi supports the following authentication strategies:

  1. LDAP
  2. Kerberos

NiFi supports the following authorization methods:

  1. File-based policies (managed within NiFi)
  2. Ranger-based policies (managed within Ranger)
  3. Custom pluggable authorizers

Some interesting facts:

  • Authentication over HTTP is not possible in NiFi, nor in NiFi Registry.
    Authentication is possible only if NiFi is configured to use HTTPS (SSL).
  • By default, the authentication strategy is SSL. You can log in to NiFi if you provide a certificate from the browser.
  • If you do not have a certificate, NiFi moves on to the next authentication strategy, i.e. LDAP or Kerberos.
  • While SSL is always enabled, you can add either LDAP or Kerberos, but not both, i.e. only one alternative authentication strategy can be configured after SSL.

Looks Simple enough…

So logging in to NiFi securely involves the following items:

Configure SSL for NiFi

You need to generate certs for NiFi using the TLS toolkit or any other way. At the end, you should have information such as the keystore, the truststore and their passwords.

1st Approach:

1. Generate certs using the TLS toolkit:
https://docs.hortonworks.com/HDPDocuments/HDF3/HDF-3.1.2/bk_administration/content/standalone.html

OR

any other way.

Once you have this information, proceed to the next step:

2. Use existing certs, or the certs generated in the last step, as described here:
https://docs.hortonworks.com/HDPDocuments/HDF2/HDF-2.1.4/bk_ambari-installation/content/enabling-ssl-without-ca.html

2nd Approach:
Use the NiFi Certificate Authority (CA) to generate self-signed certificates:

Using NiFi CA certs
https://docs.hortonworks.com/HDPDocuments/HDF2/HDF-2.1.4/bk_ambari-installation/content/enabling-ssl-with-ca.html

Configure LDAP or Kerberos as auth strategy

Once SSL is configured, proceed to configure LDAP authentication or Kerberos authentication.

  1. Configure LDAP as auth strategy for NiFi

OR

  2. Configure Kerberos as auth strategy for NiFi
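
The prerequisites above (HTTPS enabled, keystore and truststore configured, then LDAP or Kerberos as the one alternative strategy) can be checked against a nifi.properties file before restarting NiFi. The following is an added example, not code from the original article or from NiFi; the provider identifiers ldap-provider and kerberos-provider are assumed to be the stock ones from login-identity-providers.xml, and the sample file contents are constructed.

```python
# Added example: audit a nifi.properties body for the login prerequisites above.
TLS_KEYS = ["nifi.security.keystore", "nifi.security.keystorePasswd",
            "nifi.security.truststore", "nifi.security.truststorePasswd"]
# Assumption: stock identifiers from login-identity-providers.xml; sites may rename them.
KNOWN_PROVIDERS = {"ldap-provider": "LDAP", "kerberos-provider": "Kerberos"}

def parse_properties(text):
    """Parse key=value lines, skipping blank lines and # comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def audit(text):
    """Return (usable_login_methods, problems)."""
    props = parse_properties(text)
    problems = []
    if not props.get("nifi.web.https.port"):
        problems.append("nifi.web.https.port is empty: HTTPS is not enabled")
    if props.get("nifi.web.http.port"):
        problems.append("nifi.web.http.port is set: unset it when enabling HTTPS")
    problems += [f"{k} is empty" for k in TLS_KEYS if not props.get(k)]
    provider = props.get("nifi.security.user.login.identity.provider", "")
    if problems:
        if provider:
            problems.append(f"{provider} is configured but unusable until TLS is fixed")
        return [], problems
    methods = ["client certificate"]  # SSL is always the first strategy tried
    if provider:
        methods.append(KNOWN_PROVIDERS.get(provider, f"custom provider {provider}"))
    return methods, problems

# Constructed sample inputs (port, paths and passwords are placeholders).
SECURED = """
nifi.web.http.port=
nifi.web.https.port=9091
nifi.security.keystore=/etc/nifi/keystore.jks
nifi.security.keystorePasswd=PLACEHOLDER
nifi.security.truststore=/etc/nifi/truststore.jks
nifi.security.truststorePasswd=PLACEHOLDER
nifi.security.user.login.identity.provider=ldap-provider
"""
UNSECURED = "nifi.web.http.port=8080\nnifi.security.user.login.identity.provider=ldap-provider\n"

if __name__ == "__main__":
    for name, body in (("SECURED", SECURED), ("UNSECURED", UNSECURED)):
        print(name, audit(body))
```

An empty problem list with two login methods means the login prompt can fall back to LDAP or Kerberos when the browser presents no certificate.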

Now let's talk about authorization.

*Sample Login prompt comes up after enabling SSL+LDAP*

Authorization

This can be implemented with the file-based authorizer or the managed authorizer, or with the Ranger authorization method.

  1. Configure file-based/managed authorizer for NiFi:
     https://docs.hortonworks.com/HDPDocuments/HDF3/HDF-3.1.2/bk_security/content/ch07s02s01.html
     https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#config-users-access-policies

  2. Configure Ranger authorization for NiFi:
     https://docs.hortonworks.com/HDPDocuments/HDF3/HDF-3.1.2/bk_security/content/ch06s01.html

How to use Ranger policies for NiFi:

https://community.hortonworks.com/articles/60842/hdf-20-defining-nifi-policies-in-ranger.html

The links below will be available soon:

  • This example will let you understand how to Configure SSL + LDAP for NiFi.
  • This example will let you understand how to Configure SSL + LDAP for NiFi Registry.


This is the 1st part of this series. This series will cover using NiFi and NiFi Registry with SSL and LDAP, and many more interesting tutorials.

Keep watching this space. Good luck with HDF!
