Just wanted to add to Bryan's response that there is a JIRA [1] that captures the ability to synchronize LDAP user/groups. This is probably a good place to capture any additional use cases.
Matt

[1] https://issues.apache.org/jira/browse/NIFI-3409

On Sun, Jan 29, 2017 at 6:25 PM, Bryan Bende <[email protected]> wrote:
> Hi Tim,
>
> Currently NiFi only supports LDAP for authentication (i.e. login identity provider). In this case it is only using the LDAP to determine if the provided username and password are valid.
>
> For authorization there are currently two options - NiFi's policy-based authorizer and the Apache Ranger authorizer. With NiFi's policy-based authorizer, all of the users and groups have to be defined in NiFi, and then policies are defined for those users and groups. All of this is stored in the users.xml and authorizations.xml you referenced.
>
> I think there are two different improvements that might help with what you are looking for...
>
> The first would be a utility that could sync users/groups from LDAP into NiFi's policy-based authorizer. In this case you would still define all the policies in NiFi, but you wouldn't have to manually redefine the users and groups. You could probably create a simple tool that read from your LDAP and pushed users/groups into NiFi using NiFi's REST API. Of course it gets a little tricky to keep this in sync when users are deleted, or their groups are changed, but it could be done.
>
> The second would be an Authorizer implementation that used LDAP. The Authorizer interface is an extension point and you could create a custom NAR with an authorizer implementation and deploy it to the lib directory. It's just that no one has gotten around to creating one that used LDAP yet. Either of the existing authorizers would be good examples to look at.
>
> Thanks,
>
> Bryan
>
> On Sun, Jan 29, 2017 at 4:56 PM, Timothy Findlay <[email protected]> wrote:
>
>> Hello Nifi Users,
>>
>> I have been getting Nifi up and running with LDAP, and this seems to work for authentication, however it looks like I have to do the authorization part manually.
>>
>> So far, I have made the “login-identity-providers.xml” and set:
>>
>> nifi.login.identity.provider.configuration.file=./conf/login-identity-providers.xml
>>
>> nifi.security.user.login.identity.provider=ldap-provider
>>
>> I know I can configure my admin user/group in “users.xml” and the authorizations in “authorizations.xml”.
>>
>> But I can't work out how to configure it to use LDAP groups. I suspect I need to put something in authorizers.xml, but can't find much documentation on this. Any tips/examples of how I can map the groups?
>>
>> Thanks,
>>
>> Tim.

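The "keep it in sync" part of the first approach Bryan describes (users deleted from LDAP, group memberships changed) is where a hand-rolled sync tool usually goes wrong. The following is an added example, not code from this thread or from the NiFi project: it computes the reconciliation plan such a utility would then apply through NiFi's REST API, on constructed sample data. It assumes LDAP entries have already been mapped to the identity strings NiFi expects, and the `protected_users` parameter is an assumption of mine for identities that live only in NiFi (the initial admin identity and cluster node certificate DNs from authorizers.xml) so a sync run never deletes them.

```python
"""Plan an LDAP -> NiFi policy-based-authorizer user/group sync (offline, no REST calls)."""
from collections import namedtuple

SyncPlan = namedtuple(
    "SyncPlan", "create_users delete_users create_groups delete_groups update_groups"
)


def plan_sync(ldap_groups, nifi_users, nifi_groups, protected_users=frozenset()):
    """Diff desired state (LDAP) against current state (NiFi tenants).

    ldap_groups:  {group_name: members} read from LDAP (identities already mapped)
    nifi_users:   identities currently defined in NiFi
    nifi_groups:  {group_name: members} currently defined in NiFi
    protected_users: identities managed outside LDAP; never scheduled for deletion
    """
    desired_users = set()
    for members in ldap_groups.values():
        desired_users |= set(members)
    current_users = set(nifi_users)
    desired_groups = {g: frozenset(m) for g, m in ldap_groups.items()}
    current_groups = {g: frozenset(m) for g, m in nifi_groups.items()}
    return SyncPlan(
        create_users=frozenset(desired_users - current_users),
        delete_users=frozenset(current_users - desired_users - set(protected_users)),
        create_groups={g: m for g, m in desired_groups.items() if g not in current_groups},
        delete_groups=frozenset(set(current_groups) - set(desired_groups)),
        update_groups={g: m for g, m in desired_groups.items()
                       if g in current_groups and current_groups[g] != m},
    )


def ordered_steps(plan):
    """Order the plan so nothing is referenced before it exists or deleted while still
    in use: add users, add groups, fix memberships, then drop stale groups and users."""
    steps = [("create_user", u) for u in sorted(plan.create_users)]
    steps += [("create_group", g, sorted(m)) for g, m in sorted(plan.create_groups.items())]
    steps += [("update_group", g, sorted(m)) for g, m in sorted(plan.update_groups.items())]
    steps += [("delete_group", g) for g in sorted(plan.delete_groups)]
    steps += [("delete_user", u) for u in sorted(plan.delete_users)]
    return steps


# Constructed sample data: "dave" was removed from LDAP, "carol" is new, group "legacy" is gone.
SAMPLE_LDAP_GROUPS = {"nifi-admins": {"alice", "bob"}, "nifi-ops": {"carol"}}
SAMPLE_NIFI_USERS = {"alice", "bob", "dave", "CN=nifi-node1, OU=NIFI"}
SAMPLE_NIFI_GROUPS = {"nifi-admins": {"alice", "bob", "dave"}, "legacy": {"dave"}}
SAMPLE_PROTECTED = frozenset({"CN=nifi-node1, OU=NIFI"})  # node identity, not in LDAP

if __name__ == "__main__":
    for step in ordered_steps(plan_sync(SAMPLE_LDAP_GROUPS, SAMPLE_NIFI_USERS,
                                        SAMPLE_NIFI_GROUPS, SAMPLE_PROTECTED)):
        print(step)
```

Each step maps to one tenant operation against NiFi's REST API; running the plan as a dry run first shows exactly which identities and memberships a sync would change before anything is written to users.xml and authorizations.xml.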