The header is X-ProxiedEntitiesChain and the value in your case would be the user DN in <>'s. It does technically support a chain of proxies with the end user being the first element.

Matt

On Fri, Sep 11, 2015 at 10:00 AM, Edgardo Vega <[email protected]> wrote:

> Matt,
>
> That makes sense. What is the header that nifi uses to receive that user information?
>
> Cheers,
>
> Edgardo
>
> On Fri, Sep 11, 2015 at 9:50 AM, Matt Gilman <[email protected]> wrote:
>
> > NiFi does support passing the client DN in a HTTP header. However, in order to trust that the proxy is allowed to proxy user requests we need to know who sent the request and that they are authorized to do so. Because NiFi only supports client authentication using two way SSL with certificates that incoming request needs to be over HTTPS.
> >
> > I have heard about Apache Shiro before however, most of the initial discussion has been around JAAS. I will update the Feature Proposal to consider Shiro as an option as well.
> >
> > Thanks!
> >
> > Matt
> >
> > On Fri, Sep 11, 2015 at 9:42 AM, Edgardo Vega <[email protected]> wrote:
> >
> > > Matt,
> > >
> > > Yes communication between the proxy and nifi is http. What I was hoping for was being able to pass headers such as the following in the request and have the user be authenticated using that information.
> > >
> > > X-SSL-client-serial
> > > X-SSL-client-s-dn
> > > X-SSL-client-i-dn
> > > X-SSL-client-session-id
> > > X-SSL-client-verify
> > >
> > > There seem to be other schemes that are used but they have a similar concept.
> > >
> > > Also have you guys looked at Apache Shiro[1] for pluggable authentication?
> > >
> > > Cheers,
> > >
> > > Edgardo
> > >
> > > [1] http://shiro.apache.org/
> > >
> > > On Fri, Sep 11, 2015 at 8:54 AM, Matt Gilman <[email protected]> wrote:
> > >
> > > > Awesome. If I understand your set up correctly, you are sending a HTTP request from the proxy to the NiFi instance. NiFi does support reading user details from an HTTP header but only when authenticating a user (or your proxy in this case). Additionally, the admin must grant the proxy as having ROLE_PROXY in order to authorize it to proxy user requests. NiFi currently only supports user authentication with two way SSL using certificates. There is discussion ongoing about adding support for other authentication models [1].
> > > >
> > > > If a HTTP request is received, it will treat the user as anonymous.
> > > >
> > > > Matt
> > > >
> > > > [1] https://cwiki.apache.org/confluence/display/NIFI/Pluggable+Authentication
> > > >
> > > > On Fri, Sep 11, 2015 at 8:39 AM, Edgardo Vega <[email protected]> wrote:
> > > >
> > > > > Matt,
> > > > >
> > > > > It worked great. I just added those headers and it all worked. Follow on question is about ssl user authentication through a proxy. Can you add headers that nifi will use to authenticate a user so you can terminate the ssl connection at the proxy?
> > > > >
> > > > > Cheers,
> > > > >
> > > > > Edgardo
> > > > >
> > > > > On Thu, Sep 10, 2015 at 6:46 PM, Matt Gilman <[email protected]> wrote:
> > > > >
> > > > > > Edgardo,
> > > > > >
> > > > > > There are a couple of key items to know when standing up NiFi behind a proxy.
> > > > > >
> > > > > > 1) NiFi is comprised of a number of web applications (web ui, web api, documentation, custom ui's, etc). So you'll need to set up your mapping to the root path. That way all context paths are passed through accordingly. For instance, if you only mapped the /nifi context path, the custom ui for Update Attributes will not work since it's available at /update-attribute-ui-<version>.
> > > > > >
> > > > > > 2) NiFi's rest api will generate uri's for each component on the graph. Since you're coming through a proxy, you'll need to override certain elements of the uri's being generated. This is why you're able to view the graph, but you cannot modify anything. It is attempting to call back directly to your NiFi, not through your proxy. You can override the elements of the uri by adding the following HTTP headers when your proxy generates the HTTP request to the NiFi instance:
> > > > > >
> > > > > > X-ProxyScheme - the scheme to use to connect to your proxy (https in this case)
> > > > > > X-ProxyHost - the host of your proxy
> > > > > > X-ProxyPort - the port your proxy is listening on
> > > > > > X-ProxyContextPath - the path you've configured to map to the NiFi instance
> > > > > >
> > > > > > I've never done the proxying through nginx so please let me know if this helps.
> > > > > >
> > > > > > Matt
> > > > > >
> > > > > > On Thu, Sep 10, 2015 at 6:04 PM, Edgardo Vega <[email protected]> wrote:
> > > > > >
> > > > > > > I am trying to set up Nifi using nginx as a reverse proxy. I would like nginx to terminate the ssl connection and then run nifi on http. I have tried to set it up but ran into an issue where any viewing operation works but cannot make any changes (move, start, stop, etc). The browser complains about mixed content.
> > > > > > >
> > > > > > > So how do you configure nifi to work correctly in this scenario?
> > > > > > >
> > > > > > > --
> > > > > > > Cheers,
> > > > > > >
> > > > > > > Edgardo
> > > > > > >
> > > > > > > Sent from Gmail Mobile
> > > > >
> > > > > --
> > > > > Cheers,
> > > > >
> > > > > Edgardo
> > >
> > > --
> > > Cheers,
> > >
> > > Edgardo
>
> --
> Cheers,
>
> Edgardo
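
An nginx server block for the setup described across the messages above, added here as an example (it is not configuration from the thread or from the NiFi project). Host names, port 8443 and certificate paths are placeholders; the header names and the `<DN>` value format are the ones given in the thread.

```nginx
# Assumed names: proxy.example.com, nifi.internal.example:8443, /etc/nginx/tls/*
server {
    listen 443 ssl;
    server_name proxy.example.com;

    # TLS terminates here; end users must present a certificate
    # issued by the CA in user-ca.pem or the request is rejected.
    ssl_certificate        /etc/nginx/tls/proxy-server.crt;
    ssl_certificate_key    /etc/nginx/tls/proxy-server.key;
    ssl_client_certificate /etc/nginx/tls/user-ca.pem;
    ssl_verify_client      on;

    # Map the root path so every NiFi web application is reachable,
    # not only the /nifi context path.
    location / {
        # The hop to NiFi stays HTTPS with a client certificate, so NiFi
        # can authenticate the proxy itself. The DN of proxy-client.crt
        # is the identity the NiFi admin grants ROLE_PROXY.
        proxy_pass                    https://nifi.internal.example:8443;
        proxy_ssl_certificate         /etc/nginx/tls/proxy-client.crt;
        proxy_ssl_certificate_key     /etc/nginx/tls/proxy-client.key;
        proxy_ssl_trusted_certificate /etc/nginx/tls/nifi-ca.pem;
        proxy_ssl_verify              on;

        # URI overrides so the REST API generates links that point back
        # at the proxy. Fixed values are used instead of $host so a
        # client-supplied Host header cannot influence generated URIs.
        proxy_set_header X-ProxyScheme      https;
        proxy_set_header X-ProxyHost        proxy.example.com;
        proxy_set_header X-ProxyPort        443;
        proxy_set_header X-ProxyContextPath /;

        # End-user identity: the verified certificate's subject DN in <>.
        # proxy_set_header replaces any X-ProxiedEntitiesChain the client
        # sent, so the value NiFi sees always comes from the TLS handshake.
        proxy_set_header X-ProxiedEntitiesChain "<$ssl_client_s_dn>";
    }
}
```

`$ssl_client_s_dn` is formatted per RFC 2253 from nginx 1.11.6 on (`$ssl_client_s_dn_legacy` gives the older form), and the resulting string has to match the DN NiFi has on record for the user.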
