Luke,

To follow up on your original point, we’re sorry that securing NiFi has proven 
challenging for you. If you have specific suggestions of what steps could be 
called out and made easier, tooling to avoid manual operations, or places where 
you started down the wrong path and had to back out, we would love to make 
improvements there.

As to why NiFi doesn’t provide a “sign up” page or allow you to define users 
and passwords directly, securing that storage is a difficult problem, and one 
that very few people deploying a system like NiFi will take seriously. Through 
many discussions, we have determined that a better solution is to offload the 
security of those credentials to a robust external system like LDAP or OpenID 
Connect, which are widely used and have the support of a large community behind 
them.

I understand the desire for a “simple” setup, especially when trying NiFi out 
for the first time to evaluate it. However, we strongly feel that providing an 
option that isn’t as secure as possible by default is irresponsible to our 
users, and would be abused in production environments, leading to an overall 
weakening of the project.

I know there was previous work to develop a local username/password storage 
option that was objected to in the past. Perhaps there are new developments on 
that front and it makes sense to revisit and evaluate again.

Please let me know if you have additional questions or suggestions here. Thanks.

Andy LoPresto
[email protected]
[email protected]
PGP Fingerprint: 70EC B3E5 98A6 5A3F D3C4  BACE 3C6E F65B 2F7D EF69

> On Sep 21, 2018, at 7:20 AM, Bryan Bende <[email protected]> wrote:
> 
> Hi Luke,
> 
> Just to elaborate a little bit more, the options for authenticating users 
> are...
> 
> - Client certificates
> - LDAP username/password
> - Kerberos username/password
> - Kerberos SPNEGO
> - Knox SSO
> - Open ID Connect
> - Custom login identity provider
> 
> As Pierre mentioned, the management of the users and passwords would
> be done external to NiFi in whichever of these approaches is being
> used.
> 
> -Bryan
> 
> On Fri, Sep 21, 2018 at 7:53 AM Pierre Villard
> <[email protected]> wrote:
>> 
>> Hi Luke,
>> 
>> Login/password authentication is possible (and the most frequently used
>> option in enterprises) as long as you have a LDAP/AD backend. However you
>> can't have NiFi allowing you to create users with a password.
>> 
>> Let us know if something is not clear.
>> 
>> Thanks,
>> Pierre
>> 
>> Le ven. 21 sept. 2018 à 13:05, Luke <[email protected]> a
>> écrit :
>> 
>>> Hi guys,
>>> 
>>> After spending half a day configuring NiFi to be secure enough to even
>>> contemplate reading the next section on user authentication, it seems
>>> like there is no simple username+password authentication available.
>>> 
>>> Is this correct and am I mistaken??
>>> 
>>> I have NiFi running behind Nginx so I might just use BASIC auth, which
>>> means 'unsecuring' NiFi so authentication can be skipped.
>>> 
>>> It's just exasperating that NiFi's tight security has actually caused me
>>> to give up on securing it.
>>> 
>>> Regards,
>>> 
>>> - Luke
>>> 

Attachment: signature.asc
Description: Message signed with OpenPGP using GPGMail

Reply via email to