Every user has to authenticate themselves before using NiFi.
There are multiple options to set up the authentication of users.
All authentication related parameters are configured under spec.clusterConfig.authentication.
The Single user method allows the creation of one admin user for NiFi. This is a simple authentication method to quickly test and log in to the canvas.
However, because it is a single user with all rights, it is not recommended in production.
apiVersion: authentication.stackable.tech/v1alpha1
kind: AuthenticationClass
metadata:
  name: simple-nifi-users # (1)
spec:
  provider:
    static:
      userCredentialsSecret:
        name: nifi-admin-credentials # (2)
(1) The name of the AuthenticationClass that will be referenced in the NiFi cluster.
(2) The name of the Secret containing the admin credentials.
apiVersion: v1
kind: Secret
metadata:
  name: nifi-admin-credentials # (1)
stringData:
  admin: admin # (2)
  bob: bob # (3)
(1) The name of the Secret containing the admin user credentials.
(2) The user and password combination of the admin user. The username must be "admin" and cannot be changed. The NiFi pods will not start if they cannot mount the "admin" entry from the secret. The password can be adapted.
(3) The secret may be used by other products of the Stackable Data Platform that allow more than one user. The Stackable Operator for Apache NiFi will ignore all users except for "admin".
spec:
  clusterConfig:
    authentication:
      - authenticationClass: simple-nifi-users # (1)
(1) The reference to an AuthenticationClass. NiFi only supports one authentication mechanism at a time.
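The constraints described above (exactly one authenticationClass, a mandatory "admin" entry, other users ignored) can be checked before the manifests are applied. The following is an added example, not part of the Stackable documentation or operator: the function names are hypothetical, the manifests are passed as already-parsed dictionaries, and the 12-character minimum password length is an assumption of this example.

```python
import base64

def secret_entries(secret):
    """Merge a Secret's stringData and base64-encoded data into one dict."""
    entries = {k: base64.b64decode(v).decode() for k, v in secret.get("data", {}).items()}
    entries.update(secret.get("stringData", {}))  # stringData wins, as in Kubernetes
    return entries

def check_single_user_auth(cluster, auth_class, secret):
    """Return (level, message) findings for the constraints described above."""
    findings = []
    auth = cluster["spec"]["clusterConfig"].get("authentication", [])
    if len(auth) != 1:
        findings.append(("error", f"{len(auth)} authentication entries; expected exactly one"))
    elif auth[0]["authenticationClass"] != auth_class["metadata"]["name"]:
        findings.append(("error", "authenticationClass does not match the AuthenticationClass name"))
    wanted = auth_class["spec"]["provider"]["static"]["userCredentialsSecret"]["name"]
    if secret["metadata"]["name"] != wanted:
        findings.append(("error", f"AuthenticationClass expects Secret {wanted!r}"))
    users = secret_entries(secret)
    if "admin" not in users:
        findings.append(("error", 'Secret has no "admin" entry; NiFi pods will not start'))
    elif users["admin"] == "admin" or len(users["admin"]) < 12:  # threshold is an assumption
        findings.append(("warning", "admin password is the username or shorter than 12 characters"))
    ignored = sorted(u for u in users if u != "admin")
    if ignored:
        findings.append(("info", "ignored by the NiFi operator: " + ", ".join(ignored)))
    return findings

# Constructed sample input: the three manifests from this page, as a YAML parser would return them.
AUTH_CLASS = {"metadata": {"name": "simple-nifi-users"},
              "spec": {"provider": {"static": {"userCredentialsSecret": {"name": "nifi-admin-credentials"}}}}}
SECRET = {"metadata": {"name": "nifi-admin-credentials"},
          "stringData": {"admin": "admin", "bob": "bob"}}
CLUSTER = {"spec": {"clusterConfig": {"authentication": [{"authenticationClass": "simple-nifi-users"}]}}}

if __name__ == "__main__":
    for level, message in check_single_user_auth(CLUSTER, AUTH_CLASS, SECRET):
        print(f"{level}: {message}")
```

Run against the manifests shown on this page, it reports the `admin: admin` password as a warning and `bob` as an ignored entry.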
NiFi supports authentication of users against an LDAP server. This requires setting up an AuthenticationClass for the LDAP server. The AuthenticationClass is then referenced in the NifiCluster resource as follows:
apiVersion: nifi.stackable.tech/v1alpha1
kind: NifiCluster
metadata:
  name: test-nifi
spec:
  clusterConfig:
    authentication:
      - authenticationClass: ldap # (1)
(1) The reference to an AuthenticationClass called ldap
You can follow the nightly@home:tutorials:authentication_with_openldap.adoc tutorial to learn how to set up an AuthenticationClass for an LDAP server, and consult the nightly@home:reference:authenticationclass.adoc reference.
NiFi supports multiple authorization methods documented here. The available authorization methods depend on the chosen authentication method.
Authorization is not fully implemented by the Stackable Operator for Apache NiFi.
The operator uses the FileUserGroupProvider and FileAccessPolicyProvider to bind the LDAP user to the NiFi administrator group. This user is then able to create and modify groups and policies in the web interface. These changes are local to the Pod running NiFi and are not persistent.