Yes, some additional documentation would be great for Knox integration.
Another question I have based on the two options above:

If users will access NiFi via Knox (rather than accessing NiFi directly and
then auth to Knox), once a user authenticates to Knox (and subsequently to
whatever provider is configured for KnoxSSO), will NiFi only see the user
as the Knox identity or will NiFi see the user as the user that
authenticated to Knox? In this setup would Knox be the initial admin
identity or would it be the user I have set up in my IDP
(someu...@somemail.com)? I’m just wondering if accessing NiFi thru Knox will
result in losing the concept of users. Hopefully this makes sense!



On Sun, Mar 4, 2018 at 1:33 PM Jeff <jtsw...@gmail.com> wrote:

> Hello Ryan,
> I am not on my development laptop right now, but I can send you an example
> Knox topology that uses Knox, SSO, and NiFi.
> Regarding the two options you listed above, both can be used
> simultaneously.  If you only want to use option 1, you can set the Knox
> properties in nifi.properties and NiFi will be able to redirect users to
> log in through Knox.  For option 2, you do not have to set those
> properties, but you will have to generate a cert for Knox to identify
> itself to NiFi, and add the DN from that cert as a node identity in NiFi
> (grant that identity proxy privileges).
> The main concern between option 1 and 2 is if you'd like users to be able
> to access NiFi directly, or you'd like to force them to go through a
> security gateway (Knox) first.
> Looking at the Knox documentation in the NiFi Admin Guide, we do need to
> add a section for configuring Knox to proxy to NiFi with Knox doing the
> authentication.  I've created a JIRA [1] and will work on adding the
> documentation.
> [1] https://issues.apache.org/jira/browse/NIFI-4931
> On Sat, Mar 3, 2018 at 4:14 PM Ryan H <ryan.howell.developm...@gmail.com>
> wrote:
>> Hi All,
>> I am trying to set up a secure NiFi cluster (or just a single node to
>> start with rather) that uses Knox for AuthN. I want to configure Knox with
>> an OpenID provider. From what I can tell I have two options:
>> 1. Access NiFi directly which would then kick back to Knox for Auth
>> (which is then configured with the OpenID provider)
>> 2. Access NiFi thru Knox (would not directly access NiFi but rather proxy
>> thru Knox always).
>> I understand that I can just configure NiFi to use the OpenID provider
>> and not use Knox. However, there are some issues with this (for my use
>> case), specifically if I want to automate scaling up/down cluster nodes
>> (redirect url for OpenID has to be explicitly granted with the provider for
>> each callback url which is troublesome if dynamically scaling, and the way
>> I am exposing the service and the limitation with the NiFi Host Header with
>> 1.5).
>> Based on the 2 assumed options listed above, is there a preference over
>> one or the other? I've found a couple blogs on configuring NiFi with Knox,
>> but it mostly leaves me with more questions (may just be my lack of
>> experience with Knox). Can anyone provide clear and concise direction on
>> what is exactly required for NiFi to work with Knox? Any sample Knox
>> configs? Is anything else req'd for NiFi config other than the Knox props
>> in the nifi.properties file?
>> Any help is appreciated!
>> Cheers,
>> Ryan
