Modifying NiFi’s source code to provide user authentication and authorization over HTTP is highly discouraged. Along with the possibility for credential leak that Kevin mentioned, any plaintext HTTP request can be intercepted, monitored, and modified before being relayed to the NiFi application. This means that any and all actions are susceptible to malicious changes, and any entity monitoring the network can perform actions under the assumed identity of another user. This would be an incredible amount of effort and almost definitely pointless.
Andy LoPresto [email protected] [email protected] PGP Fingerprint: 70EC B3E5 98A6 5A3F D3C4 BACE 3C6E F65B 2F7D EF69 > On Jul 25, 2017, at 7:09 AM, Kevin Doran <[email protected]> wrote: > > Hi YuNing, > > In your original post, you mentioned a need for multi-tenant authorization. > For that use case, I would not recommend transmitting passwords, even > encrypted/hashed passwords, over unencrypted HTTP, as the authorized > operations would be still be vulnerable to man-in-the-middle (MITM) attacks > and replay attacks. > > As you mentioned, modifying the NiFi source code to allow authorization over > HTTP instead of HTTPS would be a significant task, and at the end of the day > would have the vulnerabilities I described. My advice is that it would be a > better use of time and effort to configure your NiFi server(s) to use HTTPS. > The NiFi Toolkit [1] [2] includes TLS utilities to make this easier, and > there are plenty of folks on this list who can assist you if you have > questions while setting up HTTPS. > > If you truly do not need to worry about security for your use case and do not > want to use HTTPS, then using HTTP without authorization is an option. > > Regards, > Kevin > > [1] https://nifi.apache.org/download.html > [2] > https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#tls-generation-toolkit > > On 7/24/17, 23:00, "Sam Feng" <[email protected]> wrote: > > Hello Kevinï¼ > > Your answers helps me a lot. Now i am trying to modify nifi`s > sourcecode to enable http authentication, because the platform where i am > using nifi is not that sensitive about security, and we use ldap as > login-identity-providers whitch password is already encrypted by an unique > key. > But i find it difficult to modify it`s sourceCode. there so many > places that limit login and authentication from http, and i have to edit all > of it, which will certainly take a lot of time to find them. > Do you have any idea on how to modify nifi`s code more efficiently, or > if there are some other way to get what i want. > > As you can see my English is poor, thanks for you patience. > > Thanks for your reply. > Best Regards > YuNing > > > On 2017-07-21 19:07 (+0800), Kevin Doran <[email protected]> wrote: >> Hi, >> >> You are correct, NiFi requires an encrypted connection for user >> authentication. This is because client identity is established in one of two >> ways: >> >> - user name & password, which should not be sent over a non-encrypted >> connection >> - client certificate in a two-way TLS (HTTPS) connection >> >> I hope this answers your question. If HTTPS is suitable for your needs, here >> are some resources to help you get started: >> >> - NiFi System Administration Guide, specifically sections on User >> Authentication [1] and Multi-Tenant Authorization [2] >> - Bryan Bende's blog post on NiFi Authorization and Multi-Tenancy [3] >> >> I hope this helps! If you have any questions you can post back to this >> thread. >> >> Regards, >> Kevin >> >> [1] >> https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#user_authentication >> [2] >> https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#multi-tenant-authorization >> [3] >> http://bryanbende.com/development/2016/08/17/apache-nifi-1-0-0-authorization-and-multi-tenancy >> >> >> On 7/21/17, 02:02, "[email protected]" <[email protected]> wrote: >> >> >> Helloï¼ I am a developer from china, i recently want to apply >> multi-tenant authorization on nifi, but find that nifi doesn't support >> authorization over http. can you tell me the reason, and can i enable >> authentication over http by modify it's source code. >> >> Thanks for your early reply. >> Best Regards >> >> >> >> >> >> > > >
signature.asc
Description: Message signed with OpenPGP using GPGMail
