To follow up to Bryan’s excellent response (which I agree with), if you truly want all communication to be secured (i.e. confidentiality, integrity, and authenticity of channel communications) but don’t care about user authentication & authorization, you could use Kerberos [1] and set up a shared service ticket via a keytab [2], and allow all of your users to use the same keytab to connect. Granted, I don’t think this is a *good* idea, but if you’ve evaluated your threat model and decided anonymous access is fine as long as the channel is encrypted, this would work.
Good luck.

[1] http://www.roguelynn.com/words/explain-like-im-5-kerberos/
[2] https://kb.iu.edu/d/aumh

Andy LoPresto
[email protected]
[email protected]
PGP Fingerprint: 70EC B3E5 98A6 5A3F D3C4 BACE 3C6E F65B 2F7D EF69

> On Jan 30, 2017, at 1:29 PM, Bryan Rosander <[email protected]> wrote:
>
> Hey Matt,
>
> If you don't want to use certificate authentication with the secured NiFi
> instance, you could point it at an LDAP [1] server and then use a
> username/password login to NiFi.
>
> NiFi's processors can do everything from manipulating the filesystem of the
> machine it is running on to dropping tables from databases (given the
> credentials).
>
> If you've gone to the trouble of securing the instance from MITM attacks,
> wouldn't it make sense to also protect it from malicious users?
>
> Thanks,
> Bryan
>
> [1] http://ijokarumawak.github.io/nifi/2016/11/15/nifi-auth/#how-to-use-ldap-to-authn-requests
>
> On Mon, Jan 30, 2017 at 4:04 PM, <[email protected]> wrote:
>
>> Is it possible to configure Apache Nifi 1.1.1 using HTTPS with Anonymous
>> access/administration?
>>
>> I am able to configure the server to authenticate using certs, but would
>> like to be able to administer the system without distributing certs
>> throughout the network.
>>
>> -Matt Gibboney
>>
