I found another 9-page, potentially useful article on Medium.

Deploy Apache NiFi on Docker with AWS EC2 instance and Connect to Web Interface
https://sandundayananda.medium.com/deploy-apache-nifi-on-docker-with-aws-ec2-instance-and-connect-to-web-interface-3e516e06fe04

-Jim

> On Apr 3, 2024, at 8:32 PM, Matthew Hawkins <hawko2...@gmail.com> wrote:
> 
> Hi Mark,
> 
> NiFi supports many different forms of authentication. The "simple" way is
> "http basic" and you can roll your own /etc/passwd style authenticator with
> it. I actually recommend NOT doing this unless it's a test system as http
> basic is trash and can be a right pest if you need to "unauth".
> 
> Single Sign-On refers to the literal SSO auth framework, where you'll need
> an IdP and so forth per the SSO spec. You can allegedly get this to work
> with AWS IAM but I've never tried. Note NiFi is designed first up to
> integrate into an Apache/HDFS environment so there are often assumptions like
> you have HDFS and you have a schema service and you have Ranger for auth.
> Bear this in mind because it'll make flow configuration make more sense
> once you've got the system up.
> 
> Note you can also mix different kinds; such as keep a break-glass admin
> account with http basic but do more enterprise auth with LDAP which
> integrates okish with RBAC in NiFi for daily users incl those with admin
> privs via RBAC. This can be handy for those times when *cough* AD *cough*
> dies again.
> 
> Authentication is one of the key configuration items to understand prior to
> deployment because your choice will drive what steps are necessary. E.g.
> with TLS auth you will need to add the CA chain to the truststore and make
> sure the users.xml is entirely accurate including spaces with the DN from
> the x509 data. If you have a cluster, you need to understand auth is not
> synced; each cluster member is its own individual instance & so some steps
> have to be repeated on each member. There's a fantastic Ansible script from
> cavemandaveman to manage deployments properly and I do recommend that path
> over manual editing even with a single instance.
> 
> Kind regards,
> 
> On Thu, 4 Apr 2024, 08:59 Mark Woodcock, <woodc...@usna.edu.invalid> wrote:
> 
>> What does the documentation mean by this paragraph:
>> 
>>> For Single sign-on authentication, NiFi will redirect users to the
>>> Identity Provider before returning to NiFi. NiFi will then process
>>> responses and convert attributes to application token information.
>> 
>> I've gotten local instances of NiFi to work before, but getting it to run
>> on an AWS/EC2 instance (across a couple of proxies, to manage local
>> firewalls) is not going well. I can see (from login-identity-providers.xml)
>> that I've successfully set a simple username/password, but it always fails
>> when I get to the UI. But, is the single-sign-on stuff not part of NiFi?
>> What sort of redirection is going on at this point?
>> 
>> thx,
>> 
>> mew
>> 
>> 
>> On Thu, Mar 28, 2024 at 4:31 PM Mark Woodcock <woodc...@usna.edu> wrote:
>> 
>>> Howdy,
>>> 
>>> Cranked up an EC2 instance.
>>> Installed Java 11.
>>> set up JAVA_HOME
>>> Downloaded NiFi 1.25.0
>>> unzipped NiFi
>>> set a nifi.sensitive.properties.key
>>> (https.port is default 8443)
>>> 
>>> bin/nifi.sh start
>>> 
>>> But, I can't even seem to access the most basic bit of the UI:
>>> 
>>> curl -vvvk https://54.91.56.55:8443
>>> *   Trying 54.91.56.55:8443...
>>> * connect to 54.91.56.55 port 8443 failed: Connection refused
>>> * Failed to connect to 54.91.56.55 port 8443 after 17 ms: Connection refused
>>> * Closing connection 0
>>> curl: (7) Failed to connect to 54.91.56.55 port 8443 after 17 ms: Connection refused
>>> 
>>> I have no doubt, I'm doing something astonishingly dumb.  Would someone be
>>> kind enough to point it out?
>>> 
>>> thx,
>>> 
>>> mew
>>> 
>>> 
>> 
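
The users.xml DN check mentioned in Matthew's reply above, as an added example that is not part of the original thread or NiFi's own code: it compares a client-certificate DN against the identity values in users.xml and separates an exact match from entries that differ only in spacing or case. It assumes NiFi matches the identity string exactly (no identity mapping configured); the sample XML, the DNs and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the layout of NiFi's file-based users.xml.
USERS_XML = """<tenants>
  <groups/>
  <users>
    <user identifier="00000000-0000-0000-0000-000000000001" identity="CN=alice,OU=NiFi,O=Example"/>
    <user identifier="00000000-0000-0000-0000-000000000002" identity="CN=bob, OU=NiFi, O=Example"/>
    <user identifier="00000000-0000-0000-0000-000000000003" identity="cn=carol, OU=NiFi, O=Example "/>
  </users>
</tenants>"""


def load_identities(xml_text):
    """Return every user identity exactly as written (spaces preserved)."""
    root = ET.fromstring(xml_text)
    return [u.get("identity", "") for u in root.findall("./users/user")]


def loose(dn):
    """Diagnostic form only: ignore case and spaces around ',' and '='.
    Naive split; DN values containing escaped commas are not handled."""
    parts = (p.split("=", 1) for p in dn.split(","))
    return ",".join("=".join(s.strip() for s in p) for p in parts).lower()


def check_dn(cert_dn, identities):
    """Return ("exact", dn), ("near", [lookalike identities]) or ("missing", []).

    Assumption: only "exact" would be accepted by NiFi; "near" entries are
    the ones to fix by hand in users.xml."""
    if cert_dn in identities:
        return "exact", cert_dn
    near = [i for i in identities if loose(i) == loose(cert_dn)]
    return ("near", near) if near else ("missing", [])


if __name__ == "__main__":
    ids = load_identities(USERS_XML)
    # Constructed DNs, written the way the certificate subject is presented.
    for dn in ("CN=bob, OU=NiFi, O=Example",
               "CN=alice, OU=NiFi, O=Example",
               "CN=carol, OU=NiFi, O=Example",
               "CN=dave, OU=NiFi, O=Example"):
        status, detail = check_dn(dn, ids)
        print(f"{status:8} {dn!r} -> {detail!r}")
```

On a cluster, run the same check against each member's users.xml, since the thread notes that auth is not synced between members.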
