Drew put together some good videos that are linked to from the registry page on the website:

https://www.youtube.com/watch?v=qD03ao3R-a4&feature=youtu.be
https://www.youtube.com/watch?v=DSO12fhnZ90&feature=youtu.be

On Thu, Oct 24, 2019 at 8:56 AM Ryan H <[email protected]> wrote:
>
> Pierre/Kevin,
>
> Thanks for the additional info on this. Yes, this makes sense to me. I wasn't
> sure if what I was wanting to do worked or was supported at this time, but
> now I see how it will. To summarize, I just need to spin up the registry with
> an initial admin user which will have a cert created to access the registry
> UI. From the UI, the initial admin can add in users for the NiFi Nodes and
> any users that should have access to Registry (with whatever bucket
> permissions desired). When connecting NiFi to Registry, the nodes will
> identify themselves via their node certs which will succeed as long as
> corresponding node users have been created on Registry. When users place
> something under version control, they will only be able to access Buckets
> that they have been granted permissions for via their corresponding/matching
> user identities as created on Registry via the initial admin user. I hope I
> summarized this correctly.
>
> As always, thanks for the quick responses and help.
>
> Cheers,
>
> Ryan H
>
> On Thu, Oct 24, 2019 at 8:33 AM Kevin Doran <[email protected]> wrote:
>>
>> This is a very good question, and Pierre gives a good summary of how
>> to go about solving for it.
>>
>> Essentially, you need to configure NiFi Registry for how to know about
>> the users and groups that will be passed to it. That is the
>> authorizers.xml file Pierre mentioned. There are two options for a
>> UserGroupProvider: File based and LDAP based. If your NiFi OIDC
>> provider is backed by an LDAP directory you can hook up to directly,
>> that would be an option, even if you are not using LDAP for
>> authentication in Registry. If that's not the case, then configuring
>> the FileUserGroupProvider and an initial admin (for example, a client
>> cert authenticated admin) will let you manually define users through
>> the Registry UI that match the identities of the OIDC users that will
>> be passed by NiFi.
>>
>> Best,
>> Kevin
>>
>> On Thu, Oct 24, 2019 at 5:54 AM Pierre Villard
>> <[email protected]> wrote:
>> >
>> > Hi Ryan,
>> >
>> > NiFi nodes will use their own certificates as identities to authenticate
>> > against the NiFi Registry and the NiFi nodes will then proxy the users
>> > connected to the NiFi instances for the interactions with the registry.
>> > You have to configure the NiFi node identities as well as where to get the
>> > users/groups information using the authorizers.xml file [1]. Once the
>> > users/groups are known in the NiFi Registry you can define the
>> > authorizations as you described for the users and groups and it will be
>> > reflected for the users/groups when they connect to NiFi. If, however, you
>> > want to allow users to authenticate on the NiFi Registry UI (to create
>> > buckets for instance), then you'd have to also configure the
>> > authentication parts on the Registry [2] (note that OIDC is not supported
>> > yet [3]).
>> >
>> > Hope this helps a bit.
>> >
>> > [1] https://nifi.apache.org/docs/nifi-registry-docs/html/administration-guide.html#authorizers-setup
>> > [2] https://nifi.apache.org/docs/nifi-registry-docs/html/administration-guide.html#user_authentication
>> > [3] https://issues.apache.org/jira/browse/NIFIREG-313
>> >
>> > On Thu, Oct 24, 2019 at 03:54, Ryan H <[email protected]> wrote:
>> >>
>> >> Hi All,
>> >>
>> >> We currently have a multi-node NiFi cluster (1.8.0) that is secured using
>> >> the OIDC provider for authentication. We are setting up a secure NiFi
>> >> Registry (0.5.0) which our secure NiFi cluster will connect to.
>> >>
>> >> What is the recommended way to connect the OIDC secured NiFi instance to
>> >> the secure NiFi Registry (only option looks to be using certs since we
>> >> are not using LDAP or Kerb)? I am assuming the only way is to do a cert
>> >> import to NiFi which will then open up all buckets to the entire cluster
>> >> (based on the permissions of the user tied to the certificate).
>> >>
>> >> We are operating in a multi-tenant environment and would like to achieve
>> >> bucket level permissions for the various users of the system. Accessing
>> >> the UI of the NiFi Registry instance isn't super important, except for
>> >> maybe a couple users for which generating a couple certs isn't a big
>> >> deal. However, allowing users to only access certain buckets may be
>> >> important.
>> >>
>> >> For now just being able to get this hooked up is ideal. Thoughts?
>> >>
>> >> Thanks in Advance,
>> >>
>> >> Ryan H.
>> >>
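For readers arriving at this thread later, the setup Kevin and Pierre describe (FileUserGroupProvider plus a cert-authenticated initial admin, with the NiFi node certificates registered as identities so the nodes can proxy OIDC users) maps onto a NiFi Registry authorizers.xml like the one below. This is an added illustration, not a file from the thread or from the NiFi project; the certificate DNs (CN=admin, CN=nifi-node-1, CN=nifi-node-2) and the conf/ paths are constructed placeholders and must be replaced with the exact subject DNs from your own certificates.

```xml
<!-- Example NiFi Registry authorizers.xml for the certificate-based setup discussed in the thread.
     All DNs and file paths below are constructed placeholders, not values from any real deployment. -->
<authorizers>

    <!-- Users and groups are managed locally in users.xml (file based, no LDAP).
         Every identity that will ever reach the Registry must exist here:
         the initial admin, each NiFi node cert, and each OIDC user that NiFi proxies.
         Initial User Identity entries are only read when users.xml does not exist yet;
         later users are added through the Registry UI by the initial admin. -->
    <userGroupProvider>
        <identifier>file-user-group-provider</identifier>
        <class>org.apache.nifi.registry.security.authorization.file.FileUserGroupProvider</class>
        <property name="Users File">./conf/users.xml</property>
        <property name="Initial User Identity 1">CN=admin, OU=NIFI</property>
        <property name="Initial User Identity 2">CN=nifi-node-1, OU=NIFI</property>
        <property name="Initial User Identity 3">CN=nifi-node-2, OU=NIFI</property>
    </userGroupProvider>

    <!-- Policies are stored in authorizations.xml. The Initial Admin Identity receives the
         admin policies once (when authorizations.xml is first created) so it can log in to the
         UI with its client certificate and grant per-bucket permissions to other users.
         Each "NiFi Identity N" is a node certificate DN; those identities get the /proxy
         policy that allows the node to act on behalf of the OIDC user it authenticated. -->
    <accessPolicyProvider>
        <identifier>file-access-policy-provider</identifier>
        <class>org.apache.nifi.registry.security.authorization.file.FileAccessPolicyProvider</class>
        <property name="User Group Provider">file-user-group-provider</property>
        <property name="Authorizations File">./conf/authorizations.xml</property>
        <property name="Initial Admin Identity">CN=admin, OU=NIFI</property>
        <property name="NiFi Identity 1">CN=nifi-node-1, OU=NIFI</property>
        <property name="NiFi Identity 2">CN=nifi-node-2, OU=NIFI</property>
    </accessPolicyProvider>

    <!-- The managed authorizer ties the two providers together. -->
    <authorizer>
        <identifier>managed-authorizer</identifier>
        <class>org.apache.nifi.registry.security.authorization.StandardManagedAuthorizer</class>
        <property name="Access Policy Provider">file-access-policy-provider</property>
    </authorizer>

</authorizers>
```

Two things to check when using a file like this. First, identity matching is an exact string comparison, so the DN in each "NiFi Identity N" / "Initial User Identity N" property must match the certificate subject exactly as the Registry sees it (same attribute order, spacing and case), and the OIDC user names created later in the UI must match the identities NiFi forwards. Second, the Initial * properties are only applied when users.xml and authorizations.xml are first generated; if the DNs are edited after that, either update those files through the UI or delete them and let the Registry regenerate them, otherwise the change is silently ignored and the nodes will be rejected with an authorization error.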
