Hello Ryan,

I am not on my development laptop right now, but I can send you an example
Knox topology that uses Knox, SSO, and NiFi.

Regarding the two options you listed above, both can be used
simultaneously.  If you only want to use option 1, you can set the Knox
properties in nifi.properties and NiFi will be able to redirect users to
log in through Knox.  For option 2, you do not have to set those
properties, but you will have to generate a cert for Knox to identify
itself to NiFi, and add the DN from that cert as a node identity in NiFi
(grant that identity proxy privileges).

The main concern between option 1 and 2 is if you'd like users to be able
to access NiFi directly, or you'd like to force them to go through a
security gateway (Knox) first.

Looking at the Knox documentation in the NiFi Admin Guide, we do need to
add a section for configuring Knox to proxy to NiFi with Knox doing the
authentication.  I've created a JIRA [1] and will work on adding the
documentation.

[1] https://issues.apache.org/jira/browse/NIFI-4931

On Sat, Mar 3, 2018 at 4:14 PM Ryan H <ryan.howell.developm...@gmail.com>
wrote:

> Hi All,
>
> I am trying to set up a secure NiFi cluster (or just a single node to
> start with rather) that uses Knox for AuthN. I want to configure Knox with
> an OpenID provider. From what I can tell I have two options:
> 1. Access NiFi directly which would then kick back to Knox for Auth (which
> is then configured with the OpenID provider)
> 2. Access NiFi thru Knox (would not directly access NiFi but rather proxy
> thru Knox always).
>
> I understand that I can just configure NiFi to use the OpenID provider and
> not use Knox. However, there are some issues with this (for my use case),
> specifically if I want to automate scaling up/down cluster nodes (redirect
> url for OpenID has to be explicitly granted with the provider for each
> callback url which is troublesome if dynamically scaling, and the way I am
> exposing the service and the limitation with the NiFi Host Header with
> 1.5).
>
> Based on the 2 assumed options listed above, is there a preference over
> one or the other? I've found a couple blogs on configuring NiFi with Knox,
> but it mostly leaves me with more questions (may just be my lack of
> experience with Knox). Can anyone provide clear and concise direction on
> what is exactly required for NiFi to work with Knox? Any sample Knox
> configs? Is anything else req'd for NiFi config other than the Knox props
> in the nifi.properties file?
>
> Any help is appreciated!
>
> Cheers,
>
> Ryan
>
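
The two options discussed in the reply above, sketched as a `nifi.properties` fragment. This is an added illustration, not the example topology mentioned in the thread and not taken from the NiFi project; all host names, paths and the DN are placeholders.

```properties
# Added illustration; every host name, path and DN below is a placeholder.

# NiFi must be served over HTTPS for user authentication to apply.
nifi.web.https.host=nifi.example.internal
nifi.web.https.port=9443

# --- Option 1: NiFi redirects unauthenticated users to log in through Knox ---
# KnoxSSO endpoint that NiFi sends the browser to.
nifi.security.user.knox.url=https://knox.example.internal:8443/gateway/knoxsso/api/v1/websso
# Path to the Knox public key NiFi uses to verify the signature on the Knox token.
nifi.security.user.knox.publicKey=./conf/knox-sso.pem
# Cookie carrying the token; must match the cookie name KnoxSSO sets.
nifi.security.user.knox.cookieName=hadoop-jwt
# Optional comma-separated audiences to accept; when empty, no audience is required.
nifi.security.user.knox.audiences=

# --- Option 2: users reach NiFi only by proxying through Knox ---
# The nifi.security.user.knox.* properties above can stay unset.
# Knox identifies itself to NiFi with its own certificate over two-way TLS,
# so NiFi's truststore must trust that certificate (or its issuer):
nifi.security.truststore=./conf/truststore.jks
nifi.security.truststoreType=JKS
# The certificate's DN is registered as a node identity in authorizers.xml
# (not in this file), for example:
#   <property name="Node Identity 1">CN=knox.example.internal, OU=NIFI</property>
# and that identity is granted proxy privileges, as described in the reply.
```

The DN in the node identity has to match the subject of the certificate Knox presents exactly, including spacing, or NiFi treats it as a different identity.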
