Re: Nifi and SSL offloading

2019-07-07 Thread Koji Kawamura
Hi Nicolas,

As you already know, all authentication methods implemented in NiFi
require a secure connection.
Each implementation class uses HttpServletRequest.isSecure method to
determine if authentication is necessary.

For example, JWTAuthenticationFilter:
https://github.com/apache/nifi/blob/master/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/jwt/JwtAuthenticationFilter.java#L42

NiFi uses Jetty inside, and Jetty has ForwardedRequestCustomizer which
uses X-Forwarded-* headers to customize requests so that NiFi sees
HTTP requests forwarded by a reverse-proxy server as HTTPS. But NiFi
doesn't use that currently.
So, I believe enabling auth in HTTP is not supported now.

There have been similar requests and existing JIRA NIFI-6152 (that is
specific for OIDC though).
https://issues.apache.org/jira/browse/NIFI-6152

Which authentication method are you planning to use?

Thanks,
Koji

On Fri, Jul 5, 2019 at 5:43 PM Nicolas Delsaux wrote:
>
> Hi
>
> I'm trying to deploy Nifi in Kubernetes with authentication.
>
> In Kubernetes, it is possible (and recommended in my organization) to
> have SSL managed by cluster at edge route level. Which means requests
> seen by Nifi are http ones.
>
> According to nifi documentation, it seems to imply no authentication is
> possible in this case.
>
> However, in our context, the X-Forwarded-Proto header is set (see
> https://en.wikipedia.org/wiki/List_of_HTTP_header_fields#Common_non-standard_request_fields),
> which could be used to enable authentication in HTTP.
>
> So is it possible to do that? And if so, how?
>
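
The mechanism described in the reply above, as an added example that is not part of the thread and not NiFi code: a standalone embedded Jetty server (Jetty 9.4 with the javax.servlet API is assumed) that registers ForwardedRequestCustomizer, so a plain-HTTP request carrying `X-Forwarded-Proto: https` reports `isSecure()` as true. The class name, bind address, port and handler are hypothetical.

```java
import java.io.IOException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.eclipse.jetty.server.ForwardedRequestCustomizer;
import org.eclipse.jetty.server.HttpConfiguration;
import org.eclipse.jetty.server.HttpConnectionFactory;
import org.eclipse.jetty.server.Request;
import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.server.ServerConnector;
import org.eclipse.jetty.server.handler.AbstractHandler;

// Hypothetical demo class; assumes Jetty 9.4 on the classpath.
public class ForwardedProtoDemo {
    public static void main(String[] args) throws Exception {
        Server server = new Server();

        HttpConfiguration httpConfig = new HttpConfiguration();
        // Applies X-Forwarded-* headers to the request before handlers see it:
        // with X-Forwarded-Proto: https the scheme becomes "https" and
        // HttpServletRequest.isSecure() returns true.
        httpConfig.addCustomizer(new ForwardedRequestCustomizer());

        // Plain-HTTP connector, as seen behind a TLS-terminating proxy.
        ServerConnector connector =
                new ServerConnector(server, new HttpConnectionFactory(httpConfig));
        connector.setHost("127.0.0.1"); // assumed: only the proxy can reach this listener
        connector.setPort(8080);        // assumed port
        server.addConnector(connector);

        // Reports what an isSecure()-based authentication check would observe.
        server.setHandler(new AbstractHandler() {
            @Override
            public void handle(String target, Request baseRequest,
                               HttpServletRequest request,
                               HttpServletResponse response) throws IOException {
                response.setContentType("text/plain");
                response.getWriter().printf("scheme=%s isSecure=%b%n",
                        request.getScheme(), request.isSecure());
                baseRequest.setHandled(true);
            }
        });

        server.start();
        server.join();
    }
}
```

The customizer accepts the header from whichever client connects, so the plain-HTTP listener has to be reachable only from the TLS-terminating proxy, and the proxy has to overwrite any X-Forwarded-* headers sent by clients. Otherwise a direct request can mark itself as secure.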


Nifi and SSL offloading

2019-07-05 Thread Nicolas Delsaux

Hi

I'm trying to deploy Nifi in Kubernetes with authentication.

In Kubernetes, it is possible (and recommended in my organization) to
have SSL managed by cluster at edge route level. Which means requests
seen by Nifi are http ones.

According to nifi documentation, it seems to imply no authentication is
possible in this case.

However, in our context, the X-Forwarded-Proto header is set (see
https://en.wikipedia.org/wiki/List_of_HTTP_header_fields#Common_non-standard_request_fields),
which could be used to enable authentication in HTTP.

So is it possible to do that? And if so, how?