Understanding Authentication and Authorization in Hortonworks Data Flow (HDF - NiFi)
This story helps you understand the configuration required for NiFi and NiFi Registry authentication and authorization strategies. It draws on my experience working with HDF. I recommend reading the HWX docs as much as possible. I have collected as much information as I could and added the links I found useful and interesting.
HDF version taken into consideration: HDF 3.x
What is supported and what is not?
NiFi supports authentication and authorization only if SSL is enabled for NiFi.
NiFi supports the following authentication strategies:
NiFi supports the following authorization methods:
- File-based policies (managed within NiFi)
- Ranger-based policies (managed within Ranger)
- Custom pluggable authorizers
Some interesting facts:
- Authentication over HTTP is not possible in NiFi, and the same applies to NiFi Registry.
Authentication is possible only if NiFi is configured to use HTTPS (SSL).
- By default, the authentication strategy is SSL. You can log in to NiFi if you provide a certificate from the browser.
- If you do not have a certificate, NiFi moves on to the next authentication strategy, i.e. LDAP or Kerberos.
- While SSL is always enabled, you can add either LDAP or Kerberos, but not both; i.e. only one alternative authentication strategy can be configured after SSL.
Looks simple enough…
So logging in to NiFi securely involves the following items:
Configure SSL for NiFi
You need to generate certs for NiFi using the TLS toolkit or any other way. At the end, you should have the keystore, the truststore and their passwords.
Generate certs using TLS toolkit:
Any other way,
Once you have this information, proceed to the next step:
2. Using existing certs or certs generated in the last step using :
Use NiFi Certificate Authority (CA) to generate self-signed certificates:
Configure LDAP or Kerberos as auth strategy.
Once SSL is configured, proceed to configure LDAP authentication or Kerberos authentication.
1. Configure LDAP as auth strategy for NiFi
2. Configure Kerberos as auth strategy for NiFi
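The facts listed earlier (no authentication without HTTPS, client certificate first, then at most one of LDAP or Kerberos) can be checked against nifi.properties before restarting NiFi. The sketch below is an added example, not code from the HDF docs or the NiFi project; the sample file content, paths and port are constructed, and `ldap-provider` is assumed to be the identifier used in login-identity-providers.xml.

```python
# Added example: checks nifi.properties against the rules in the article.
REQUIRED_TLS = (
    "nifi.web.https.port",
    "nifi.security.keystore",
    "nifi.security.keystorePasswd",
    "nifi.security.truststore",
    "nifi.security.truststorePasswd",
)

# Constructed sample (not from a real cluster): LDAP login requested, TLS half-configured.
SAMPLE = """\
nifi.web.http.port=8080
nifi.web.https.port=
nifi.security.keystore=
nifi.security.keystorePasswd=
nifi.security.truststore=/etc/nifi/conf/truststore.jks
nifi.security.truststorePasswd=placeholder-password
nifi.security.user.login.identity.provider=ldap-provider
"""

def parse_properties(text):
    """Parse key=value lines, skipping blanks and comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith(("#", "!")) and "=" in line:
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def audit(text):
    """Return a list of findings; an empty list means the rules are met."""
    props = parse_properties(text)
    missing = [k for k in REQUIRED_TLS if not props.get(k)]
    findings = [f"{k} is empty, so SSL is not fully configured" for k in missing]
    if props.get("nifi.web.http.port"):
        findings.append("nifi.web.http.port is set; unset it when enabling HTTPS")
    provider = props.get("nifi.security.user.login.identity.provider", "")
    if provider and missing:
        findings.append(f"{provider} is configured but cannot be used without SSL")
    return findings

def login_order(text):
    """Describe the login order: client certificate first, then at most one provider."""
    provider = parse_properties(text).get("nifi.security.user.login.identity.provider", "")
    return ["client certificate"] + ([provider] if provider else [])

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print("FINDING:", finding)
    print("login order:", login_order(SAMPLE))
```

An empty login identity provider is not reported as a finding, because certificate-only login is the default described above.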
Now let's talk about authorization.
This can be implemented with a file-based authorizer, a managed authorizer, or the Ranger authorization method.
1. Configure file-based/managed authorizer for NiFi -
2. Configure Ranger authorization for NiFi
- Using Unsecured Ranger:
- Using unsecured Ranger:
How to use Ranger policies for Nifi -
Below links will be available soon:
- This example will help you understand how to configure SSL + LDAP for NiFi.
- This example will help you understand how to configure SSL + LDAP for NiFi Registry.
Other Important links:
Enable SSL for NiFi from Ambari
Enable Ranger authorization for HDF components (Nifi, Kafka, Storm)
Automate Deployment of HDF 2.x/3.0 clusters using Ambari blueprints
Use Ambari to enable kerberos for HDF cluster using Active Directory
Use Ambari to enable kerberos for HDF cluster running Nifi, Kafka and Storm
NiFi Security: User Authentication with Kerberos
This is the 1st part of this series. The series will cover using NiFi and NiFi Registry with SSL and LDAP, along with many more interesting tutorials.
Keep watching this space. Good luck with HDF!