Yeah, I've read all of that and I have a semi-working configuration. The problem is that when using OpenID tokens (oidc) in a clustered configuration, the node that requests the authentication is the only one that can validate it. If a user authenticates to node-1, but then later node-2 gets a request with the token (because it's clustered and the user has no control over which node handles the request), node-2 cannot verify the token and rejects it. Even configuring sticky-sessions and cookie affinity in the nginx ingress proxy doesn't solve the problem as far as I can tell.
I don't even know if having it all behind a single root path would make a difference for the authentication issue, it just makes setting up the reverse proxy configuration easier since you only need to worry about 1 path instead of multiple.

On Wed, Mar 18, 2020 at 2:46 PM Matt Gilman <[email protected]> wrote:

> Wyllys,
>
> NiFi is comprised of any number of web applications. NiFi offers extension points for custom processor configuration UIs and data type viewers. These UIs can be bundled and discovered at runtime. These docs [1] detail the steps necessary for proxying a NiFi instance.
>
> Thanks
>
> Matt
>
> [1] https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#proxy_configuration
>
> On Wed, Mar 18, 2020 at 1:29 PM Wyllys Ingersoll <[email protected]> wrote:
>
>> I'm surprised you haven't had lots of requests for this already. As it stands now, I cannot figure out how to configure a secure cluster behind a reverse proxy (for example, in a Kubernetes environment behind an nginx ingress) that also incorporates OpenID authentication from an external service. I was thinking that if the NiFi nodes were able to operate under a single root path, it might make it easier to reverse proxy all of the different paths that NiFi uses (/nifi, /nifi-api, for example) behind a single ingress. I think having multiple ingress paths for the NiFi service makes the reverse proxy configuration very complex when authentication tokens are involved. Without authentication, it works fine.
>>
>> Thanks,
>> Wyllys Ingersoll
>>
>> On Wed, Mar 18, 2020 at 12:56 PM Andy LoPresto <[email protected]> wrote:
>>
>>> Hi Wyllys,
>>>
>>> As I started reading, I was going to suggest the proxy approach. Unfortunately, at this time I am unaware of any way to change the paths within NiFi itself - there would be substantial refactoring required to make that an option. You can open a feature request Jira for that, or perhaps the ability to inject a path prefix, but I expect it to be a high level of effort to implement.
>>>
>>> Andy LoPresto
>>> [email protected]
>>> *[email protected] <[email protected]>*
>>> He/Him
>>> PGP Fingerprint: 70EC B3E5 98A6 5A3F D3C4 BACE 3C6E F65B 2F7D EF69
>>>
>>> On Mar 18, 2020, at 9:25 AM, Wyllys Ingersoll <[email protected]> wrote:
>>>
>>> Is there a way to configure NiFi to use a different root directory for web requests?
>>>
>>> We would like everything to be under a common root such as:
>>> /XXX/nifi/...
>>> /XXX/nifi-api/...
>>>
>>> Having to proxy 2 (/nifi and /nifi-api) paths makes it very difficult to set up a reverse proxy that also can incorporate OpenID authentication tokens to a secure backend cluster of nodes.
