Yep exactly as you said it. Let me know if you run into trouble.
________________________________
From: Ryan H <[email protected]>
Sent: Thursday, October 24, 2019 8:56 AM
To: [email protected]
Subject: Re: OIDC Secured NiFi with Secure NiFi Registry (certs?)

Pierre/Kevin,

Thanks for the additional info on this. Yes, this makes sense to me. I wasn't sure if what I was wanting to do worked or was supported at this time, but now I see how it will.

To summarize, I just need to spin up the registry with an initial admin user which will have a cert created to access the registry UI. From the UI, the initial admin can add in users for the NiFi Nodes and any users that should have access to Registry (with whatever bucket permissions desired). When connecting NiFi to Registry, the nodes will identify themselves via their node certs, which will succeed as long as corresponding node users have been created on Registry. When users place something under version control, they will only be able to access Buckets that they have been granted permissions for via their corresponding/matching user identities as created on Registry via the initial admin user.

I hope I summarized this correctly. As always, thanks for the quick responses and help.

Cheers,
Ryan H

On Thu, Oct 24, 2019 at 8:33 AM Kevin Doran <[email protected]> wrote:

This is a very good question, and Pierre gives a good summary of how to go about solving for it. Essentially, you need to configure NiFi Registry for how to know about the users and groups that will be passed to it. That is the authorizers.xml file Pierre mentioned. There are two options for a UserGroupProvider: File based and LDAP based. If your NiFi OIDC provider is backed by an LDAP directory you can hook up to directly, that would be an option, even if you are not using LDAP for authentication in Registry.

If that's not the case, then configuring the FileUserGroupProvider and an initial admin (for example, a client cert authenticated admin) will let you manually define users through the Registry UI that match the identities of the OIDC users that will be passed by NiFi.

Best,
Kevin

On Thu, Oct 24, 2019 at 5:54 AM Pierre Villard <[email protected]> wrote:
>
> Hi Ryan,
>
> NiFi nodes will use their own certificates as identities to authenticate against the NiFi Registry and the NiFi nodes will then proxy the users connected to the NiFi instances for the interactions with the registry. You have to configure the NiFi node identities as well as where to get the users/groups information using the authorizers.xml file [1]. Once the users/groups are known in the NiFi Registry you can define the authorizations as you described for the users and groups and it will be reflected for the users/groups when they connect to NiFi. If, however, you want to allow users to authenticate on the NiFi Registry UI (to create buckets for instance), then you'd have to also configure the authentication parts on the Registry [2] (note that OIDC is not supported yet [3]).
>
> Hope this helps a bit.
>
> [1] https://nifi.apache.org/docs/nifi-registry-docs/html/administration-guide.html#authorizers-setup
> [2] https://nifi.apache.org/docs/nifi-registry-docs/html/administration-guide.html#user_authentication
> [3] https://issues.apache.org/jira/browse/NIFIREG-313
>
> On Thu, 24 Oct 2019 at 03:54, Ryan H <[email protected]> wrote:
>>
>> Hi All,
>>
>> We currently have a multi-node NiFi cluster (1.8.0) that is secured using the OIDC provider for authentication. We are setting up a secure NiFi Registry (0.5.0) which our secure NiFi cluster will connect to.
>>
>> What is the recommended way to connect the OIDC secured NiFi instance to the secure NiFi Registry (only option looks to be using certs since we are not using LDAP or Kerb)? I am assuming the only way is to do a cert import to NiFi which will then open up all buckets to the entire cluster (based on the permissions of the user tied to the certificate).
>>
>> We are operating in a multi-tenant environment and would like to achieve bucket level permissions for the various users of the system. Accessing the UI of the NiFi Registry instance isn't super important, except for maybe a couple users for which generating a couple certs isn't a big deal. However, allowing users to only access certain buckets may be important.
>>
>> For now just being able to get this hooked up is ideal. Thoughts?
>>
>> Thanks in Advance,
>>
>> Ryan H.
