Understanding Authentication and Authorization in Hortonworks Data Flow (HDF - NiFi)
This story helps you understand the required configuration for NiFi and NiFi Registry authentication and authorization strategies. This article includes my experience working with HDF. I would recommend reading the HWX docs as much as possible. I have articulated as much information as I could and added links which I found useful and interesting in this article.
HDF version taken into consideration: HDF 3.x
What is supported and what is not?
NiFi supports authentication and authorization only if SSL is enabled for NiFi.
NiFi supports the authentication strategies below:
1. LDAP
2. Kerberos
NiFi supports the following authorization methods:
- File-based policies (managed within NiFi)
- Ranger-based policies (managed within Ranger)
- Custom pluggable authorizers
Some interesting facts:
- Authentication over HTTP is not possible in NiFi, and the same applies to NiFi Registry. Authentication is possible only if NiFi is configured to use HTTPS (SSL).
- By default the authentication strategy is SSL. You can log in to NiFi if you provide a certificate from the browser.
- If you do not have a certificate, NiFi moves to the next authentication strategy, i.e. LDAP or Kerberos.
- While SSL is always enabled, you can add either LDAP or Kerberos, but not both, i.e. only one alternative authentication strategy can be configured after SSL.
Looks Simple enough…
So logging in to NiFi securely involves the following items:
Configure SSL for NiFi
You need to generate certs for NiFi using the TLS toolkit or any other way. At the end, you should have information like the keystore, the truststore and their passwords.
1st Approach:
1. Generate certs using the TLS toolkit:
https://docs.hortonworks.com/HDPDocuments/HDF3/HDF-3.1.2/bk_administration/content/standalone.html
OR
any other way.
Once you have this information, proceed to the next step:
2. Enable SSL using existing certs or the certs generated in the last step:
https://docs.hortonworks.com/HDPDocuments/HDF2/HDF-2.1.4/bk_ambari-installation/content/enabling-ssl-without-ca.html
2nd Approach:
Use the NiFi Certificate Authority (CA) to generate self-signed certificates:
Using NiFi CA certs
https://docs.hortonworks.com/HDPDocuments/HDF2/HDF-2.1.4/bk_ambari-installation/content/enabling-ssl-with-ca.html
Configure LDAP or Kerberos as auth strategy.
Once SSL is configured, proceed to configure LDAP authentication or Kerberos authentication.
1. Configure LDAP as auth strategy for NiFi
OR
2. Configure Kerberos as auth strategy for NiFi
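The prerequisites above (HTTPS only, keystore and truststore in place, and exactly one of LDAP or Kerberos as the fallback) can be checked against nifi.properties. The script below is an added example, not part of the original article or of NiFi itself; the provider identifiers ldap-provider and kerberos-provider are assumed to match those in your login-identity-providers.xml, and both sample files are constructed.

```python
# Added example, not from the original article: audits nifi.properties text for
# the login prerequisites listed above. Both sample files are constructed.
TLS_KEYS = ("nifi.web.https.port", "nifi.security.keystore", "nifi.security.truststore")
# Assumption: provider ids as named in the stock login-identity-providers.xml.
LOGIN_PROVIDERS = {"ldap-provider", "kerberos-provider"}

def parse_properties(text):
    """Parse key=value lines, skipping blank lines and '#' or '!' comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and line[0] not in "#!":
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def audit(text):
    """Return findings; an empty list means SSL plus one fallback provider is set."""
    props, findings = parse_properties(text), []
    if props.get("nifi.web.http.port"):
        findings.append("nifi.web.http.port set: HTTP cannot authenticate users")
    findings += [f"{k} empty: SSL not fully configured"
                 for k in TLS_KEYS if not props.get(k)]
    provider = props.get("nifi.security.user.login.identity.provider", "")
    if not provider:
        findings.append("no login provider: only client certificates can log in")
    elif provider not in LOGIN_PROVIDERS:
        findings.append(f"login provider '{provider}' is not a single LDAP or Kerberos id")
    return findings

# Constructed sample: HTTPS only, keystore and truststore present, LDAP fallback.
SAMPLE_OK = """
nifi.web.http.port=
nifi.web.https.port=9091
nifi.security.keystore=/path/to/keystore.jks
nifi.security.truststore=/path/to/truststore.jks
nifi.security.user.login.identity.provider=ldap-provider
"""
# Constructed sample: HTTP still on, no truststore, two providers in one value.
SAMPLE_BAD = """
nifi.web.http.port=8080
nifi.web.https.port=9091
nifi.security.keystore=/path/to/keystore.jks
nifi.security.truststore=
nifi.security.user.login.identity.provider=ldap-provider,kerberos-provider
"""

if __name__ == "__main__":
    print(audit(SAMPLE_OK), audit(SAMPLE_BAD))
```

To audit a real node, pass the contents of its nifi.properties to audit(); a finding about a missing login provider means users without a browser certificate cannot log in.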
Now let's talk about authorization.
Authorization
This can be implemented with the file-based authorizer or the managed authorizer, or with the Ranger authorization method.
1. Configure file-based/managed authorizer for NiFi:
https://docs.hortonworks.com/HDPDocuments/HDF3/HDF-3.1.2/bk_security/content/ch07s02s01.html
https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#config-users-access-policies
2. Configure Ranger authorization for NiFi
https://docs.hortonworks.com/HDPDocuments/HDF3/HDF-3.1.2/bk_security/content/ch06s01.html
- Using unsecured Ranger:
https://community.hortonworks.com/articles/58769/hdf-20-enable-ranger-authorization-for-hdf-compone.html
- Using secured Ranger:
https://community.hortonworks.com/articles/60001/hdf-20-integrating-secured-nifi-with-secured-range.html
How to use Ranger policies for NiFi:
https://community.hortonworks.com/articles/60842/hdf-20-defining-nifi-policies-in-ranger.html
The links below will be available soon:
- This example will let you understand how to configure SSL + LDAP for NiFi.
- This example will let you understand how to configure SSL + LDAP for NiFi Registry.
Other Important links:
Enable SSL for NiFi from Ambari
https://community.hortonworks.com/articles/58009/hdf-20-enable-ssl-for-apache-nifi-from-ambari.html
Enable Ranger authorization for HDF components (Nifi, Kafka, Storm)
Link: https://community.hortonworks.com/articles/58769/hdf-20-enable-ranger-authorization-for-hdf-compone.html
Automate Deployment of HDF 2.x/3.0 clusters using Ambari blueprints
Link: https://community.hortonworks.com/articles/56849/automate-deployment-of-hdf-20-clusters-using-ambar.html
Use Ambari to enable Kerberos for HDF cluster using Active Directory
Link: https://community.hortonworks.com/articles/60186/hdf-20-use-ambari-to-enable-kerberos-for-hdf-clust-1.html
Use Ambari to enable Kerberos for HDF cluster running NiFi, Kafka and Storm
Link: https://community.hortonworks.com/articles/58793/hdf-20-use-ambari-to-enable-kerberos-for-hdf-clust.html
NiFi Security: User Authentication with Kerberos
This is the 1st part of this series. This series will cover using NiFi and NiFi Registry with SSL and LDAP, and many more interesting tutorials.
Keep watching this space. Good luck with HDF!