The effective user will be the end user authenticated by Knox, not the knox
I actually believe that you have the whole chain of users when proxying -
so you won't lose either.

On Wed, Mar 7, 2018 at 4:14 PM, Ryan H wrote:

> Hi,
> Yes, some additional documentation would be great for Knox integration.
> Another question I have based on the two options above:
> If users will access NiFi via Knox (rather than accessing NiFi directly
> and then auth to Knox), once a user authenticates to Knox (and subsequently
> to whatever provider is configured for KnoxSSO), will NiFi only see the
> user as the Knox identity or will NiFi see the user as the user that
> authenticated to Knox? In this setup would Knox be the initial admin
> identity or would it be the user I have set up in my IDP (
> I’m just wondering if accessing NiFi thru Knox
> will result in losing the concept of users. Hopefully this makes sense!
> Cheers,
> Ryan
> On Sun, Mar 4, 2018 at 1:33 PM Jeff wrote:
>> Hello Ryan,
>> I am not on my development laptop right now, but I can send you an
>> example Knox topology that uses Knox, SSO, and NiFi.
>> Regarding the two options you listed above, both can be used
>> simultaneously.  If you only want to use option 1, you can set the Knox
>> properties in and NiFi will be able to redirect users to
>> log in through Knox.  For option 2, you do not have to set those
>> properties, but you will have to generate a cert for Knox to identify
>> itself to NiFi, and add the DN from that cert as a node identity in NiFi
>> (grant that identity proxy privileges).
>> The main concern between option 1 and 2 is if you'd like users to be able
>> to access NiFi directly, or you'd like to force them to go through a
>> security gateway (Knox) first.
>> Looking at the Knox documentation in the NiFi Admin Guide, we do need to
>> add a section for configuring Knox to proxy to NiFi with Knox doing the
>> authentication.  I've created a JIRA [1] and will work on adding the
>> documentation.
>> [1]
>> On Sat, Mar 3, 2018 at 4:14 PM Ryan H wrote:
>>> Hi All,
>>> I am trying to set up a secure NiFi cluster (or just a single node to
>>> start with rather) that uses Knox for AuthN. I want to configure Knox with
>>> an OpenID provider. From what I can tell I have two options:
>>> 1. Access NiFi directly which would then kick back to Knox for Auth
>>> (which is then configured with the OpenID provider)
>>> 2. Access NiFi thru Knox (would not directly access NiFi but rather
>>> proxy thru Knox always).
>>> I understand that I can just configure NiFi to use the OpenID provider
>>> and not use Knox. However, there are some issues with this (for my use
>>> case), specifically if I want to automate scaling up/down cluster nodes
>>> (redirect url for OpenID has to be explicitly granted with the provider for
>>> each callback url which is troublesome if dynamically scaling, and the way
>>> I am exposing the service and the limitation with the NiFi Host Header with
>>> 1.5).
>>> Based on the 2 assumed options listed above, is there a preference over
>>> one or the other? I've found a couple blogs on configuring NiFi with Knox,
>>> but it mostly leaves me with more questions (may just be my lack of
>>> experience with Knox). Can anyone provide clear and concise direction on
>>> what is exactly required for NiFi to work with Knox? Any sample Knox
>>> configs? Is anything else req'd for NiFi config other than the Knox props
>>> in the file?
>>> Any help is appreciated!
>>> Cheers,
>>> Ryan
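
The identity resolution discussed in this thread (the end user stays the effective user, and Knox's certificate DN is a proxy that must hold proxy privileges), modelled as an added example that is not from the thread or from NiFi's code base. It assumes the `X-ProxiedEntitiesChain` header and its `<identity>` entry format; the DNs, the user name and the `resolve_identity` helper are constructed for illustration.

```python
import re

# Assumption: the proxied-entities header carries identities as <id><id>...,
# with a literal '<' or '>' inside an identity escaped by a backslash.
HEADER = "X-ProxiedEntitiesChain"
ENTRY = re.compile(r"<((?:\\.|[^\\<>])*)>")

# Constructed sample identity for the gateway's client certificate.
KNOX_DN = "CN=knox.example.com, OU=NIFI"


def parse_chain(header_value):
    """Split '<a><b>' into ['a', 'b']; reject input that is not fully bracketed."""
    value = (header_value or "").strip()
    entries, pos = [], 0
    for m in ENTRY.finditer(value):
        if m.start() != pos:
            raise ValueError("malformed proxied-entities chain")
        entries.append(re.sub(r"\\([<>])", r"\1", m.group(1)))
        pos = m.end()
    if pos != len(value):
        raise ValueError("malformed proxied-entities chain")
    return entries


def resolve_identity(headers, client_cert_dn, trusted_proxies):
    """Return (effective_user, proxies) for a request received over mutual TLS.

    trusted_proxies stands in for the identities granted proxy privileges.
    """
    chain = parse_chain(headers.get(HEADER))
    if not chain:
        # No chain header: the certificate holder acts as itself.
        return client_cert_dn, []
    # First entry is the end user; later entries and the certificate
    # holder (the last hop) are proxies and must all be trusted.
    proxies = chain[1:] + [client_cert_dn]
    for proxy in proxies:
        if proxy not in trusted_proxies:
            raise PermissionError(f"untrusted proxy in chain: {proxy}")
    return chain[0], proxies
```

A request whose client certificate is not in the trusted set is rejected even if it supplies a well-formed chain header, which is why the gateway's DN has to be granted proxy privileges explicitly.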

