NiFi does support passing the client DN in an HTTP header. However, in order
to trust that the proxy is allowed to proxy user requests, we need to know
who sent the request and that they are authorized to do so. Because NiFi
only supports client authentication using two-way SSL with certificates,
that incoming request needs to be over HTTPS.

I have heard about Apache Shiro before; however, most of the initial
discussion has been around JAAS. I will update the Feature Proposal to
consider Shiro as an option as well.

Thanks!

Matt

On Fri, Sep 11, 2015 at 9:42 AM, Edgardo Vega <[email protected]>
wrote:

> Matt,
>
> Yes, communication between the proxy and NiFi is HTTP. What I was hoping for
> was being able to pass headers such as the following in the request and have
> the user be authenticated using that information.
>
>  X-SSL-client-serial
>  X-SSL-client-s-dn
>  X-SSL-client-i-dn
>  X-SSL-client-session-id
>  X-SSL-client-verify
>
>
> There seem to be other schemes that are used but they have a similar concept.
>
> Also have you guys looked at Apache Shiro[1] for pluggable authentication?
>
> Cheers,
>
> Edgardo
>
> [1]
> http://shiro.apache.org/
>
>
>
> On Fri, Sep 11, 2015 at 8:54 AM, Matt Gilman <[email protected]>
> wrote:
>
> > Awesome. If I understand your setup correctly, you are sending an HTTP
> > request from the proxy to the NiFi instance. NiFi does support reading user
> > details from an HTTP header but only when authenticating a user (or your
> > proxy in this case). Additionally, the admin must grant the proxy as
> > having ROLE_PROXY in order to authorize it to proxy user requests. NiFi
> > currently only supports user authentication with two-way SSL using
> > certificates. There is discussion ongoing about adding support for other
> > authentication models [1].
> >
> > If an HTTP request is received, it will treat the user as anonymous.
> >
> > Matt
> >
> > [1]
> > https://cwiki.apache.org/confluence/display/NIFI/Pluggable+Authentication
> >
> >
> > On Fri, Sep 11, 2015 at 8:39 AM, Edgardo Vega <[email protected]>
> > wrote:
> >
> > > Matt,
> > >
> > > It worked great. I just added those headers and it all worked. A follow-on
> > > question is about SSL user authentication through a proxy. Can you add
> > > headers that NiFi will use to authenticate a user so you can terminate
> > > the SSL connection at the proxy?
> > >
> > > Cheers,
> > >
> > > Edgardo
> > >
> > > On Thu, Sep 10, 2015 at 6:46 PM, Matt Gilman <[email protected]>
> > > wrote:
> > >
> > > > Edgardo,
> > > >
> > > > There are a couple of key items to know when standing up NiFi behind a
> > > > proxy.
> > > >
> > > > 1) NiFi is comprised of a number of web applications (web UI, web API,
> > > > documentation, custom UIs, etc). So you'll need to set up your mapping to
> > > > the root path. That way all context paths are passed through accordingly.
> > > > For instance, if you only mapped the /nifi context path, the custom UI for
> > > > Update Attributes will not work since it's available at
> > > > /update-attribute-ui-<version>.
> > > >
> > > > 2) NiFi's REST API will generate URIs for each component on the graph.
> > > > Since you're coming through a proxy, you'll need to override certain
> > > > elements of the URIs being generated. This is why you're able to view the
> > > > graph, but you cannot modify anything. It is attempting to call back
> > > > directly to your NiFi, not through your proxy. You can override the
> > > > elements of the URI by adding the following HTTP headers when your proxy
> > > > generates the HTTP request to the NiFi instance:
> > > >
> > > > X-ProxyScheme - the scheme to use to connect to your proxy (https in this case)
> > > > X-ProxyHost - the host of your proxy
> > > > X-ProxyPort - the port your proxy is listening on
> > > > X-ProxyContextPath - the path you've configured to map to the NiFi instance
> > > >
> > > > I've never done the proxying through nginx so please let me know if this
> > > > helps.
> > > >
> > > > Matt
> > > >
> > > > On Thu, Sep 10, 2015 at 6:04 PM, Edgardo Vega <[email protected]>
> > > > wrote:
> > > >
> > > > > I am trying to set up NiFi using nginx as a reverse proxy. I would like
> > > > > nginx to terminate the SSL connection and then run NiFi on HTTP. I have
> > > > > tried to set it up but ran into an issue where any viewing operation
> > > > > works but cannot make any changes (move, start, stop, etc). The browser
> > > > > complains about mixed content.
> > > > >
> > > > > So how do you configure NiFi to work correctly in this scenario?
> > > > >
> > > > >
> > > > > --
> > > > > Cheers,
> > > > >
> > > > > Edgardo
> > > > >
> > > > > Sent from Gmail Mobile
> > > > >
> > > >
> > >
> > >
> > >
> > > --
> > > Cheers,
> > >
> > > Edgardo
> > >
> >
>
>
>
> --
> Cheers,
>
> Edgardo
>
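
An nginx server block applying the advice in the thread above (root-path mapping plus the four X-Proxy* headers), added here as an illustration and not taken from any message in the thread. The hostname, certificate paths, NiFi address and the X-ProxyContextPath value are assumptions.

```nginx
# Added example (not from the thread). Hostname, ports and file paths are assumed.
server {
    listen 443 ssl;
    server_name proxy.example.com;                   # assumed proxy hostname

    ssl_certificate     /etc/nginx/tls/proxy.crt;    # assumed certificate path
    ssl_certificate_key /etc/nginx/tls/proxy.key;    # assumed key path

    # Map the root path so every NiFi web application (/nifi,
    # /update-attribute-ui-<version>, ...) is passed through.
    location / {
        # NiFi on plain HTTP treats every request as anonymous, so its HTTP
        # port should be reachable only from this proxy (loopback here).
        proxy_pass http://127.0.0.1:8080;            # assumed NiFi HTTP address

        # proxy_set_header replaces any client-supplied header of the same
        # name, so a browser cannot inject its own values for these.
        proxy_set_header X-ProxyScheme      https;
        proxy_set_header X-ProxyHost        $host;
        proxy_set_header X-ProxyPort        $server_port;
        proxy_set_header X-ProxyContextPath /;       # assumed value for a root mapping
    }
}
```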
