Matt, Yes communication between the proxy and nifi is http. What I was hoping for was behind able to pass headers such as the following the request and have the user be authenticated using that information.
X-SSL-client-serial X-SSL-client-s-dn X-SSL-client-i-dn X-SSL-client-session-id X-SSL-client-verify There seems to other schemes that are used but they have a similar concept. Also have you guys looked at Apache Shiro[1] for pluggable authentication? Cheers, Edgardo [1] http://shiro.apache.org/ On Fri, Sep 11, 2015 at 8:54 AM, Matt Gilman <[email protected]> wrote: > Awesome. If I understand your set up correctly, you are sending a HTTP > request from the proxy to the NiFi instance. NiFi does support reading user > details from an HTTP header but only when authenticating a user (or your > proxy in this case). Additionally, the admin must grant the proxy has > having ROLE_PROXY in order to authorize it to proxy user requests. NiFi > currently only supports user authentication with two way SSL using > certificates. There is discussion ongoing about adding support for other > authentication models [1]. > > If a HTTP request is received, it will treat the user as anonymous. > > Matt > > [1] > https://cwiki.apache.org/confluence/display/NIFI/Pluggable+Authentication > > > On Fri, Sep 11, 2015 at 8:39 AM, Edgardo Vega <[email protected]> > wrote: > > > Matt, > > > > It worked great. I just added those headers and it all worked. Follow on > > question is about ssl user authentication through a proxy. Can you add > > headers that nifi will use to authenticate a user so you can do terminate > > the ssl connection at the proxy? > > > > Cheers, > > > > Edgardo > > > > On Thu, Sep 10, 2015 at 6:46 PM, Matt Gilman <[email protected]> > > wrote: > > > > > Edgardo, > > > > > > There are a couple of key items to know when standing up NiFi behind a > > > proxy. > > > > > > 1) NiFi is comprised of a number of web applications (web ui, web api, > > > documentation, custom ui's, etc). So you'll need to set up your mapping > > to > > > the root path. That way all context paths are pass through accordingly. > > For > > > instance, if you only mapped the /nifi context path, the custom ui for > > > Update Attributes will not work since it's available at > > > /update-attribute-ui-<version>. > > > > > > 2) NiFi's rest api will generate uri's for each component on the graph. > > > Since your coming through a proxy, you'll need to override certain > > elements > > > of the uri's being generated. This is why your able to view the graph, > > but > > > you cannot modify anything. It attempting to call back directly to your > > > NiFi, not through your proxy. You can override the elements of the uri > by > > > adding the following HTTP headers when your proxy generates the HTTP > > > request to the NiFi instance: > > > > > > X-ProxyScheme - the scheme to use to connect to your proxy (https in > this > > > case) > > > X-ProxyHost - the host of your proxy > > > X-ProxyPort - the port your proxy is listening on > > > X-ProxyContextPath - the path you've configured to map to the NiFi > > instance > > > > > > I've never done the proxying through nginx so please let me know if > this > > > helps. > > > > > > Matt > > > > > > On Thu, Sep 10, 2015 at 6:04 PM, Edgardo Vega <[email protected]> > > > wrote: > > > > > > > I am trying to setup Nifi unsung nginx as a reverse proxy. I would > like > > > > nginx to terminate the ssl connection and then run nifi on http. I > have > > > > tried to set it up but ran into an issue were any viewing operation > > works > > > > but cannot make any changes (move, start, stop, etc). The browser > > > complains > > > > about mixed content. > > > > > > > > So how do you configure nifi to work correctly in this scenario? > > > > > > > > > > > > -- > > > > Cheers, > > > > > > > > Edgardo > > > > > > > > Sent from Gmail Mobile > > > > > > > > > > > > > > > -- > > Cheers, > > > > Edgardo > > > -- Cheers, Edgardo
