The effective user will be the end user authenticated by Knox, not the Knox user. I actually believe that you have the whole chain of users when proxying, so you won't lose either.
On Wed, Mar 7, 2018 at 4:14 PM, Ryan H <ryan.howell.developm...@gmail.com> wrote:

> Hi,
>
> Yes, some additional documentation would be great for Knox integration.
> Another question I have based on the two options above:
>
> If users will access NiFi via Knox (rather than accessing NiFi directly
> and then auth to Knox), once a user authenticates to Knox (and subsequently
> to whatever provider is configured for KnoxSSO), will NiFi only see the
> user as the Knox identity, or will NiFi see the user as the user that
> authenticated to Knox? In this setup, would Knox be the initial admin
> identity, or would it be the user I have set up in my IDP
> (someu...@somemail.com)? I'm just wondering if accessing NiFi through Knox
> will result in losing the concept of users. Hopefully this makes sense!
>
> Cheers,
>
> Ryan
>
> On Sun, Mar 4, 2018 at 1:33 PM Jeff <jtsw...@gmail.com> wrote:
>
>> Hello Ryan,
>>
>> I am not on my development laptop right now, but I can send you an
>> example Knox topology that uses Knox, SSO, and NiFi.
>>
>> Regarding the two options you listed above, both can be used
>> simultaneously. If you only want to use option 1, you can set the Knox
>> properties in nifi.properties and NiFi will be able to redirect users to
>> log in through Knox. For option 2, you do not have to set those
>> properties, but you will have to generate a cert for Knox to identify
>> itself to NiFi, and add the DN from that cert as a node identity in NiFi
>> (grant that identity proxy privileges).
>>
>> The main concern between option 1 and 2 is whether you'd like users to be
>> able to access NiFi directly, or you'd like to force them to go through a
>> security gateway (Knox) first.
>>
>> Looking at the Knox documentation in the NiFi Admin Guide, we do need to
>> add a section for configuring Knox to proxy to NiFi with Knox doing the
>> authentication. I've created a JIRA and will work on adding the
>> documentation.
>>
>> https://issues.apache.org/jira/browse/NIFI-4931
>>
>> On Sat, Mar 3, 2018 at 4:14 PM Ryan H <ryan.howell.developm...@gmail.com>
>> wrote:
>>
>>> Hi All,
>>>
>>> I am trying to set up a secure NiFi cluster (or just a single node to
>>> start with, rather) that uses Knox for AuthN. I want to configure Knox with
>>> an OpenID provider. From what I can tell I have two options:
>>> 1. Access NiFi directly, which would then kick back to Knox for Auth
>>> (which is then configured with the OpenID provider)
>>> 2. Access NiFi through Knox (would not directly access NiFi but rather
>>> proxy through Knox always).
>>>
>>> I understand that I can just configure NiFi to use the OpenID provider
>>> and not use Knox. However, there are some issues with this (for my use
>>> case), specifically if I want to automate scaling up/down cluster nodes
>>> (the redirect URL for OpenID has to be explicitly granted with the provider
>>> for each callback URL, which is troublesome if dynamically scaling, and the
>>> way I am exposing the service and the limitation with the NiFi Host Header
>>> with 1.5).
>>>
>>> Based on the 2 assumed options listed above, is there a preference over
>>> one or the other? I've found a couple of blogs on configuring NiFi with
>>> Knox, but it mostly leaves me with more questions (may just be my lack of
>>> experience with Knox). Can anyone provide clear and concise direction on
>>> what is exactly required for NiFi to work with Knox? Any sample Knox
>>> configs? Is anything else req'd for NiFi config other than the Knox props
>>> in the nifi.properties file?
>>>
>>> Any help is appreciated!
>>>
>>> Cheers,
>>>
>>> Ryan
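The "whole chain of users" point made at the top of this thread, and Jeff's note that the DN from the Knox cert has to be added as a node identity with proxy privileges, worked through as an added example. This is not code from NiFi, Knox, or anyone in the thread; it models the downstream side of option 2: the gateway forwards the end user in an X-ProxiedEntitiesChain-style header, the gateway itself is identified by the DN of the client certificate it presented on the TLS connection, and the service accepts the forwarded identity only if every hop after the end user holds the proxy privilege. The header grammar (each identity wrapped in `<...>`, `<` and `>` backslash-escaped, `<>` meaning anonymous) is assumed from NiFi's convention; the extra backslash escaping, the DN values, and all function names are the example's own.

```python
"""
Model of proxied-identity resolution behind a security gateway such as Knox.
Added illustration, not NiFi's or Knox's implementation. The header format is
assumed from NiFi's X-ProxiedEntitiesChain convention; DNs below are made up.
"""
from typing import Iterable, List, Optional, Set

ANONYMOUS = ""  # an empty element "<>" stands for the anonymous user


def _escape(identity: str) -> str:
    # Escape the element delimiters so a crafted identity such as
    # "alice><CN=admin" cannot inject an extra hop into the chain.
    # Escaping the backslash itself is a hardening choice of this example.
    return (identity.replace("\\", "\\\\")
                    .replace("<", "\\<")
                    .replace(">", "\\>"))


def format_chain(identities: Iterable[str]) -> str:
    """Build the header value: end user first, then each proxy that forwarded it."""
    return "".join("<" + _escape(i) + ">" for i in identities)


def parse_chain(header: str) -> List[str]:
    """Split a header value back into identities, honouring backslash escapes.
    Raises ValueError on anything that is not a well-formed sequence of <...>."""
    entities: List[str] = []
    i, n = 0, len(header)
    while i < n:
        if header[i] != "<":
            raise ValueError(f"unexpected character at offset {i}: {header[i]!r}")
        i += 1
        buf: List[str] = []
        closed = False
        while i < n:
            c = header[i]
            if c == "\\":
                if i + 1 >= n:
                    raise ValueError("dangling escape at end of header")
                buf.append(header[i + 1])
                i += 2
                continue
            if c == ">":
                closed = True
                i += 1
                break
            if c == "<":
                raise ValueError(f"nested '<' at offset {i}")
            buf.append(c)
            i += 1
        if not closed:
            raise ValueError("unterminated element")
        entities.append("".join(buf))
    return entities


def resolve_effective_user(proxied_chain_header: Optional[str],
                           tls_peer_identity: str,
                           proxy_identities: Set[str]) -> str:
    """Return the identity a request should be authorized as.

    tls_peer_identity:  DN of the client certificate seen on the TLS connection
                        (the gateway's cert when the gateway is the caller).
    proxy_identities:   identities that have been granted the proxy privilege.

    Without a chain header the TLS peer is the user (direct access). With one,
    the first element is the end user and every later element, plus the TLS
    peer that delivered the header, must be an authorized proxy; otherwise the
    forwarded identity is rejected rather than silently trusted.
    """
    if proxied_chain_header is None:
        return tls_peer_identity
    chain = parse_chain(proxied_chain_header) + [tls_peer_identity]
    end_user, proxies = chain[0], chain[1:]
    for hop in proxies:
        if hop not in proxy_identities:
            raise PermissionError(f"{hop!r} is not authorized to proxy user requests")
    return end_user


def chain_accepted(proxied_chain_header: Optional[str],
                   tls_peer_identity: str,
                   proxy_identities: Set[str]) -> bool:
    """Boolean form of resolve_effective_user for callers that only need accept/deny."""
    try:
        resolve_effective_user(proxied_chain_header, tls_peer_identity, proxy_identities)
        return True
    except (PermissionError, ValueError):
        return False


if __name__ == "__main__":
    KNOX_DN = "CN=knox.example.com, OU=Gateway, O=Example"   # assumed gateway cert DN
    header = format_chain(["someuser@somemail.com"])         # what the gateway sends
    print(header)                                             # <someuser@somemail.com>
    print(resolve_effective_user(header, KNOX_DN, {KNOX_DN}))  # someuser@somemail.com
    print(chain_accepted(header, "CN=rogue, O=Example", {KNOX_DN}))  # False
```

The two checks that matter in practice are visible here: the end user survives the hop (the service authorizes `someuser@somemail.com`, not the gateway DN), and a caller that presents a chain header without holding the proxy privilege is refused, which is why the gateway's certificate DN has to be registered and granted that privilege before option 2 works.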