Hi YuNing,

In your original post, you mentioned a need for multi-tenant authorization. For 
that use case, I would not recommend transmitting passwords, even 
encrypted/hashed passwords, over unencrypted HTTP, as the authorized operations 
would still be vulnerable to man-in-the-middle (MITM) attacks and replay 
attacks.

As you mentioned, modifying the NiFi source code to allow authorization over 
HTTP instead of HTTPS would be a significant task, and at the end of the day 
would have the vulnerabilities I described. My advice is that it would be a 
better use of time and effort to configure your NiFi server(s) to use HTTPS. 
The NiFi Toolkit [1] [2] includes TLS utilities to make this easier, and there 
are plenty of folks on this list who can assist you if you have questions while 
setting up HTTPS.

If you truly do not need to worry about security for your use case and do not 
want to use HTTPS, then using HTTP without authorization is an option.

Regards, 
Kevin

[1] https://nifi.apache.org/download.html
[2] https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#tls-generation-toolkit

On 7/24/17, 23:00, "Sam Feng" <[email protected]> wrote:

    Hello Kevin,
    
    Your answers help me a lot. Now I am trying to modify NiFi's source code to enable HTTP authentication, because the platform where I am using NiFi is not that sensitive about security, and we use LDAP as login-identity-providers, whose password is already encrypted by a unique key.
    But I find it difficult to modify its source code. There are so many places that limit login and authentication from HTTP, and I have to edit all of them, which will certainly take a lot of time to find.
    Do you have any idea on how to modify NiFi's code more efficiently, or if there is some other way to get what I want?
    
    As you can see my English is poor, thanks for your patience.
    
    Thanks for your reply.
    Best Regards
    YuNing
    
    
    On 2017-07-21 19:07 (+0800), Kevin Doran <[email protected]> wrote: 
    > Hi,
    > 
    > You are correct, NiFi requires an encrypted connection for user authentication. This is because client identity is established in one of two ways:
    > 
    > - user name & password, which should not be sent over a non-encrypted connection
    > - client certificate in a two-way TLS (HTTPS) connection
    > 
    > I hope this answers your question. If HTTPS is suitable for your needs, here are some resources to help you get started:
    > 
    > - NiFi System Administration Guide, specifically sections on User Authentication [1] and Multi-Tenant Authorization [2]
    > - Bryan Bende's blog post on NiFi Authorization and Multi-Tenancy [3]
    > 
    > I hope this helps! If you have any questions you can post back to this thread.
    > 
    > Regards,
    > Kevin
    > 
    > [1] https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#user_authentication
    > [2] https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#multi-tenant-authorization
    > [3] http://bryanbende.com/development/2016/08/17/apache-nifi-1-0-0-authorization-and-multi-tenancy
    > 
    > 
    > On 7/21/17, 02:02, "[email protected]" <[email protected]> wrote:
    > 
    >     
    >         Hello, I am a developer from China. I recently wanted to apply multi-tenant authorization on NiFi, but found that NiFi doesn't support authorization over HTTP. Can you tell me the reason, and can I enable authentication over HTTP by modifying its source code?
    >         
    >     Thanks for your early reply.
    >     Best Regards
    >         
    >     
    >     
    > 
    > 
    > 
    


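Added example, not part of the original thread and not NiFi project code: a small audit of `nifi.properties` for the situation discussed above, where a login identity provider (such as LDAP) is configured but the server is not listening on HTTPS. The sample files are constructed, and the finding messages are this example's own wording.

```python
# Added example: check nifi.properties for the transport settings that
# user authentication depends on. Sample contents below are constructed.

REQUIRED_FOR_HTTPS = ("nifi.security.keystore", "nifi.security.truststore")

def parse_properties(text):
    """Parse key=value lines, skipping blank lines and '#' comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def audit(props):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    http_port = props.get("nifi.web.http.port", "")
    https_port = props.get("nifi.web.https.port", "")
    provider = props.get("nifi.security.user.login.identity.provider", "")
    if provider and not https_port:
        # Credentials would have to travel over an unencrypted connection.
        findings.append("login provider set but HTTPS port empty")
    if https_port and http_port:
        findings.append("HTTP port still set while HTTPS is enabled")
    if https_port:
        for key in REQUIRED_FOR_HTTPS:
            if not props.get(key):
                findings.append("HTTPS enabled but %s is empty" % key)
    return findings

# Constructed sample: LDAP login requested on a plain-HTTP server.
SAMPLE_LDAP_OVER_HTTP = """\
nifi.web.http.port=8080
nifi.web.https.port=
nifi.security.user.login.identity.provider=ldap-provider
"""

# Constructed sample: the same provider with HTTPS configured.
SAMPLE_HTTPS = """\
nifi.web.http.port=
nifi.web.https.port=8443
nifi.security.keystore=./conf/keystore.jks
nifi.security.truststore=./conf/truststore.jks
nifi.security.user.login.identity.provider=ldap-provider
"""

if __name__ == "__main__":
    for name, text in (("ldap over http", SAMPLE_LDAP_OVER_HTTP), ("https", SAMPLE_HTTPS)):
        print(name, "->", audit(parse_properties(text)) or "ok")
```

A plain-HTTP configuration with no login provider produces no findings, which matches the last option in the reply: HTTP without authorization.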