Hi Ryan,

NiFi nodes will use their own certificates as identities to authenticate against the NiFi Registry, and the NiFi nodes will then proxy the users connected to the NiFi instances for the interactions with the registry. You have to configure the NiFi node identities as well as where to get the users/groups information using the authorizers.xml file [1]. Once the users/groups are known in the NiFi Registry you can define the authorizations as you described for the users and groups, and it will be reflected for the users/groups when they connect to NiFi. If, however, you want to allow users to authenticate on the NiFi Registry UI (to create buckets for instance), then you'd have to also configure the authentication parts on the Registry [2] (note that OIDC is not supported yet [3]).
Hope this helps a bit.

[1] https://nifi.apache.org/docs/nifi-registry-docs/html/administration-guide.html#authorizers-setup
[2] https://nifi.apache.org/docs/nifi-registry-docs/html/administration-guide.html#user_authentication
[3] https://issues.apache.org/jira/browse/NIFIREG-313

On Thu, 24 Oct 2019 at 03:54, Ryan H <[email protected]> wrote:

> Hi All,
>
> We currently have a multi-node NiFi cluster (1.8.0) that is secured using
> the OIDC provider for authentication. We are setting up a secure NiFi
> Registry (0.5.0) which our secure NiFi cluster will connect to.
>
> What is the recommended way to connect the OIDC secured NiFi instance to
> the secure NiFi Registry (only option looks to be using certs since we are
> not using LDAP or Kerb)? I am assuming the only way is to do a cert import
> to NiFi which will then open up all buckets to the entire cluster (based on
> the permissions of the user tied to the certificate).
>
> We are operating in a multi-tenant environment and would like to achieve
> bucket level permissions for the various users of the system. Accessing the
> UI of the NiFi Registry instance isn't super important, except for maybe a
> couple users for which generating a couple certs isn't a big deal. However,
> allowing users to only access certain buckets may be important.
>
> For now just being able to get this hooked up is ideal. Thoughts?
>
>
> Thanks in Advance,
>
> Ryan H.
>
