Understanding Authentication and Authorization in Hortonworks Data Flow (HDF -NiFi)

3 min readAug 28, 2018

This story helps you understand required configuration information on NiFi and NiFi Registry authentication and authorization strategies.This article includes my experience working with HDF.I would recommend to read HWX docs as much as possible.I have articulated as much information and added links which I found useful and interesting in this article.

HDF version taken into consideration: HDF 3.x

What is supported and what is not?

NiFi supports Authentication and authorization only if SSL is enabled for NiFi.

NiFi supports below Authentication strategies
1.LDAP
2.Kerberos

NiFi supports following Authorization

File-based policies (managed within NiFi)
Ranger-based policies (managed within Ranger)
Custom pluggable authorizers

Some interesting facts:

Authentication over HTTP is not possible in NiFi and so NiFi registry.
Only if NiFi configured to use https(SSL) then only authentication is possible.
By default authentication strategy is SSL.You can login to NiFi if you provide certificate from Browser.
If you do not have certificate then it moves to next authentication startegy i.e. LDAP or Kerberos.
*While SSL is always enabled, you can only add either LDAP or Kerberos, but not both. i.e. only alternative authentication strategy can be configured after SSL.

Looks Simple enough…

So to login to NiFi securely involves following list of items

Configure SSL for NiFi

You need to generate certs for NiFi using TLS toolkit or any other way.At the end, you should have information like Key store, trust store and their passwords.

1st Approach:
Generate certs using TLS toolkit:
https://docs.hortonworks.com/HDPDocuments/HDF3/HDF-3.1.2/bk_administration/content/standalone.html

Any other way,

Once you have this information proceed to next step:

2.Using existing certs or certs generated in the last step using :
https://docs.hortonworks.com/HDPDocuments/HDF2/HDF-2.1.4/bk_ambari-installation/content/enabling-ssl-without-ca.html

2nd Approach:
Use Nifi Certificate Authority (CA) to generate self-signed certificates:

Using NiFi CA certs
https://docs.hortonworks.com/HDPDocuments/HDF2/HDF-2.1.4/bk_ambari-installation/content/enabling-ssl-with-ca.html

Configure LDAP or Kerberos as auth strategy.

Once SSL is configured, proceed to configure LDAP authentication or kerberos Authentication.

Configure LDAP as auth strategy for NiFi

2. Configure Kerberos as auth strategy for NiFi

Now lets talk about authorization,

*Sample Login prompt comes up after enabling SSL+LDAP*

Authorization

This can be implemented as File based authorizer or managed authorizer and using Ranger authorization method.

Configure File based/managed authorizer for NiFi -
https://docs.hortonworks.com/HDPDocuments/HDF3/HDF-3.1.2/bk_security/content/ch07s02s01.html
https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#config-users-access-policies

2. Configure Ranger authorization for NiFi
https://docs.hortonworks.com/HDPDocuments/HDF3/HDF-3.1.2/bk_security/content/ch06s01.html

Using Unsecured Ranger:
https://community.hortonworks.com/articles/58769/hdf-20-enable-ranger-authorization-for-hdf-compone.html
Using unsecured Ranger:
https://community.hortonworks.com/articles/60001/hdf-20-integrating-secured-nifi-with-secured-range.html

How to use Ranger policies for Nifi -

https://community.hortonworks.com/articles/60842/hdf-20-defining-nifi-policies-in-ranger.html

Below links will be available soon:

This example will let you understand how to Configure SSL + LDAP for NiFi.
This example will let you understand how to Configure SSL + LDAP for NiFi Registry.

Understanding Authentication and Authorization in Hortonworks Data Flow (HDF -NiFi)

Configure SSL for NiFi

Configure LDAP or Kerberos as auth strategy.

Authorization

Below links will be available soon:

Other Important links:

Written by Jay Bilgaye