Hi Mark,

NiFi supports many different forms of authentication. The "simple" way is
HTTP basic, and you can roll your own /etc/passwd-style authenticator with
it. I actually recommend NOT doing this unless it's a test system, as HTTP
basic is trash and can be a right pest if you need to "unauth".

Single Sign-On refers to the literal SSO auth framework, where you'll need
an IdP and so forth per the SSO spec. You can allegedly get this to work
with AWS IAM, but I've never tried. Note NiFi is designed first up to
integrate into an Apache/HDFS environment, so there are often assumptions
like: you have HDFS, you have a schema service, and you have Ranger for
auth. Bear this in mind, because it'll make flow configuration make more
sense once you've got the system up.

Note you can also mix different kinds, such as keeping a break-glass admin
account with HTTP basic but doing more enterprise auth with LDAP, which
integrates OK-ish with RBAC in NiFi for daily users, including those with
admin privileges via RBAC. This can be handy for those times when *cough*
AD *cough* dies again.

Authentication is one of the key configuration items to understand prior to
deployment, because your choice will drive what steps are necessary. E.g.
with TLS auth you will need to add the CA chain to the truststore and make
sure the users.xml is entirely accurate, including spaces, with the DN from
the X.509 data. If you have a cluster, you need to understand that auth is
not synced: each cluster member is its own individual instance, and so some
steps have to be repeated on each member. There's a fantastic Ansible script
from cavemandaveman to manage deployments properly, and I do recommend that
path over manual editing, even with a single instance.

Kind regards,

On Thu, 4 Apr 2024, 08:59 Mark Woodcock, <woodc...@usna.edu.invalid> wrote:

> What does the documentation mean by this paragraph:
>
> >For Single sign-on authentication, NiFi will redirect users to the
> Identity Provider before returning to NiFi. NiFi will then process
> responses and convert attributes to application token information.
>
> I've gotten local instances of NiFi to work before, but getting it to run
> on an AWS/EC2 instance (across a couple of proxies, to manage local
> firewalls) is not going well. I can see (from login-identity-providers.xml)
> that I've successfully set a simple username/password, but it always fails
> when I get to the UI. But, is the single-sign-on stuff not part of NiFi?
> What sort of redirection is going on at this point?
>
> thx,
>
> mew
>
>
> On Thu, Mar 28, 2024 at 4:31 PM Mark Woodcock <woodc...@usna.edu> wrote:
>
> > Howdy,
> >
> > Cranked up an EC2 instance.
> > Installed Java 11.
> > Set up JAVA_HOME.
> > Downloaded NiFi 1.25.0.
> > Unzipped NiFi.
> > Set a nifi.sensitive.properties.key.
> > (https.port is default 8443)
> >
> > bin/nifi.sh start
> >
> > But, I can't even seem to access the most basic bit of the UI:
> >
> > curl -vvvk https://54.91.56.55:8443
> > *   Trying 54.91.56.55:8443...
> > * connect to 54.91.56.55 port 8443 failed: Connection refused
> > * Failed to connect to 54.91.56.55 port 8443 after 17 ms: Connection
> > refused
> > * Closing connection 0
> > curl: (7) Failed to connect to 54.91.56.55 port 8443 after 17 ms:
> > Connection refused
> >
> > I have no doubt I'm doing something astonishingly dumb. Would someone
> > be kind enough to point it out?
> >
> > thx,
> >
> > mew
> >
> >
>
