Matt, That makes sense what is the header that nifi uses to receive that user information?
Cheers, Edgardo On Fri, Sep 11, 2015 at 9:50 AM, Matt Gilman <[email protected]> wrote: > NiFi does support passing the client DN in a HTTP header. However, in order > to trust that the proxy is allowed to proxy user requests we need to know > who sent the request and that they are authorized to do so. Because NiFi > only supports client authentication using two way SSL with certificates > that incoming request needs to be over HTTPs. > > I have heard about Apache Shiro before however, most of the initial > discussion has been around JAAS. I will update the Feature Proposal to > consider Shiro as an option as well. > > Thanks! > > Matt > > On Fri, Sep 11, 2015 at 9:42 AM, Edgardo Vega <[email protected]> > wrote: > > > Matt, > > > > Yes communication between the proxy and nifi is http. What I was hoping > for > > was behind able to pass headers such as the following the request and > have > > the user be authenticated using that information. > > > > X-SSL-client-serial > > X-SSL-client-s-dn > > X-SSL-client-i-dn > > X-SSL-client-session-id > > X-SSL-client-verify > > > > > > There seems to other schemes that are used but they have a similar > concept. > > > > Also have you guys looked at Apache Shiro[1] for pluggable > authentication? > > > > Cheers, > > > > Edgardo > > > > [1] > > http://shiro.apache.org/ > > > > > > > > On Fri, Sep 11, 2015 at 8:54 AM, Matt Gilman <[email protected]> > > wrote: > > > > > Awesome. If I understand your set up correctly, you are sending a HTTP > > > request from the proxy to the NiFi instance. NiFi does support reading > > user > > > details from an HTTP header but only when authenticating a user (or > your > > > proxy in this case). Additionally, the admin must grant the proxy has > > > having ROLE_PROXY in order to authorize it to proxy user requests. NiFi > > > currently only supports user authentication with two way SSL using > > > certificates. There is discussion ongoing about adding support for > other > > > authentication models [1]. > > > > > > If a HTTP request is received, it will treat the user as anonymous. > > > > > > Matt > > > > > > [1] > > > > > > https://cwiki.apache.org/confluence/display/NIFI/Pluggable+Authentication > > > > > > > > > On Fri, Sep 11, 2015 at 8:39 AM, Edgardo Vega <[email protected]> > > > wrote: > > > > > > > Matt, > > > > > > > > It worked great. I just added those headers and it all worked. Follow > > on > > > > question is about ssl user authentication through a proxy. Can you > add > > > > headers that nifi will use to authenticate a user so you can do > > terminate > > > > the ssl connection at the proxy? > > > > > > > > Cheers, > > > > > > > > Edgardo > > > > > > > > On Thu, Sep 10, 2015 at 6:46 PM, Matt Gilman < > [email protected]> > > > > wrote: > > > > > > > > > Edgardo, > > > > > > > > > > There are a couple of key items to know when standing up NiFi > behind > > a > > > > > proxy. > > > > > > > > > > 1) NiFi is comprised of a number of web applications (web ui, web > > api, > > > > > documentation, custom ui's, etc). So you'll need to set up your > > mapping > > > > to > > > > > the root path. That way all context paths are pass through > > accordingly. > > > > For > > > > > instance, if you only mapped the /nifi context path, the custom ui > > for > > > > > Update Attributes will not work since it's available at > > > > > /update-attribute-ui-<version>. > > > > > > > > > > 2) NiFi's rest api will generate uri's for each component on the > > graph. > > > > > Since your coming through a proxy, you'll need to override certain > > > > elements > > > > > of the uri's being generated. This is why your able to view the > > graph, > > > > but > > > > > you cannot modify anything. It attempting to call back directly to > > your > > > > > NiFi, not through your proxy. You can override the elements of the > > uri > > > by > > > > > adding the following HTTP headers when your proxy generates the > HTTP > > > > > request to the NiFi instance: > > > > > > > > > > X-ProxyScheme - the scheme to use to connect to your proxy (https > in > > > this > > > > > case) > > > > > X-ProxyHost - the host of your proxy > > > > > X-ProxyPort - the port your proxy is listening on > > > > > X-ProxyContextPath - the path you've configured to map to the NiFi > > > > instance > > > > > > > > > > I've never done the proxying through nginx so please let me know if > > > this > > > > > helps. > > > > > > > > > > Matt > > > > > > > > > > On Thu, Sep 10, 2015 at 6:04 PM, Edgardo Vega < > > [email protected]> > > > > > wrote: > > > > > > > > > > > I am trying to setup Nifi unsung nginx as a reverse proxy. I > would > > > like > > > > > > nginx to terminate the ssl connection and then run nifi on http. > I > > > have > > > > > > tried to set it up but ran into an issue were any viewing > operation > > > > works > > > > > > but cannot make any changes (move, start, stop, etc). The browser > > > > > complains > > > > > > about mixed content. > > > > > > > > > > > > So how do you configure nifi to work correctly in this scenario? > > > > > > > > > > > > > > > > > > -- > > > > > > Cheers, > > > > > > > > > > > > Edgardo > > > > > > > > > > > > Sent from Gmail Mobile > > > > > > > > > > > > > > > > > > > > > > > > > > > -- > > > > Cheers, > > > > > > > > Edgardo > > > > > > > > > > > > > > > -- > > Cheers, > > > > Edgardo > > > -- Cheers, Edgardo
