Apache NiFi 1.14.0 - Secure by Default
One of the major improvements in Apache NiFi 1.14.0 was to enable security for the default configuration. This means all you have to do now is run bin/nifi.sh start, and your local instance will be running over HTTPS with the ability to log in via username and password.
The overall work for this improvement was done through NIFI-8220 and required three major pieces:
- Automatic generation of a self-signed certificate
- Single User Login Identity Provider
- Single User Authorizer
From a high level, the overall setup looks like the following:
Automatic Certificate Generation
In order to have any form of authentication & authorization, we first need to be connecting over HTTPS, which means NiFi's web server needs a keystore and truststore.
In order to achieve this, NIFI-8403 introduced the ability to generate a self-signed certificate during start-up. When keystore and truststore files are specified in nifi.properties and the files don't exist, they will automatically be generated and nifi.properties will be updated with the passwords.
As a result, the default nifi.properties file now comes with provided values for the keystore and truststore:
nifi.security.keystore=./conf/keystore.p12
nifi.security.keystoreType=PKCS12
nifi.security.keystorePasswd=
nifi.security.keyPasswd=
nifi.security.truststore=./conf/truststore.p12
nifi.security.truststoreType=PKCS12
nifi.security.truststorePasswd=
In addition, the default web host and port have been switched to the following
As a side note, there are two other new properties related to certificates:
nifi.security.autoreload.enabled=false
nifi.security.autoreload.interval=10 secs
These were not required for the default secure setup, but they allow the keystore and truststore to be reloaded while the application is running. This can be helpful for replacing certificates that may be close to expiring.
Single User Login Identity Provider
The next step was to provide a mechanism for authenticating the user. NiFi supports many different authentication mechanisms, but most of them require additional dependencies and/or configuration.
In this case, we want a user to login with a username and password without doing anything else. In order to achieve this, NIFI-8363 introduced the Single User Login Identity Provider.
This login identity provider allows a single username/password pair to be configured. When this provider is initialized, if the username and password are not present, random values will be generated and login-identity-providers.xml will be updated with
login-identity-providers.xml now contains the following configuration:
<provider>
    <identifier>single-user-provider</identifier>
    <class>org.apache.nifi.authentication.single.user.SingleUserLoginIdentityProvider</class>
    <property name="Username"></property>
    <property name="Password"></property>
</provider>
NOTE: The password value here is the hashed password. See the last section below about obtaining and changing the default values.
nifi.properties then specifies this login identity provider:
Single User Authorizer
The next step was providing a mechanism to perform authorization. In this case, we just want the default user to be authorized for all actions. In order to achieve this, NIFI-8363 introduced the Single User Authorizer.
This authorizer just returns true for all authorization checks, with the caveat that it can only be used when the Single User Login Identity Provider is also configured.
authorizers.xml now contains the following configuration:
<authorizer>
    <identifier>single-user-authorizer</identifier>
    <class>org.apache.nifi.authorization.single.user.SingleUserAuthorizer</class>
</authorizer>
nifi.properties then specifies this authorizer:
The first time the application is started, the Single User Login Identity Provider generates the username and password and logs them to nifi-app.log. An example would be the following:
2021-07-16 15:46:31,006 INFO [main] o.a.n.w.c.ApplicationStartupContextListener Flow Controller started successfully.
2021-07-16 15:46:31,026 INFO [main] o.a.n.a.s.u.SingleUserLoginIdentityProvider Generated Username [6fcaba96-5445-4835-822f-e004c4642d3b] Generated Password [ScCULiVSEwlqVLG6aHxGv/utRTHxWa7n]
2021-07-16 15:46:31,026 INFO [main] o.a.n.a.s.u.SingleUserLoginIdentityProvider Run the following command to change credentials: nifi.sh set-single-user-credentials USERNAME PASSWORD
2021-07-16 15:46:31,338 INFO [main] o.a.n.a.s.u.SingleUserLoginIdentityProvider Updating Login Identity Providers Configuration [./conf/login-identity-providers.xml]
If you then access https://localhost:8443/nifi in your browser (accept warnings about self-signed certificates), you should be able to log in with the username/password.
As the logs mention above, the default username/password can be changed by running the following utility:
./bin/nifi.sh set-single-user-credentials USERNAME PASSWORD
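As an added example (not NiFi's own code and not part of the original post), the following Python script audits a single-user setup the way a reviewer would after first start-up: it confirms the keystore/truststore passwords in nifi.properties were populated by automatic generation, that the configured login identity provider has stored credentials, that the stored Password is not the plaintext value, and it flags that the generated credentials were written to nifi-app.log so they should be rotated. The config, XML and log inputs are constructed samples; the password and hash values are placeholders.

```python
import re
import xml.etree.ElementTree as ET
# Constructed sample inputs; passwords/hashes are placeholders, not real values.
NIFI_PROPERTIES = """\
nifi.security.keystore=./conf/keystore.p12
nifi.security.keystorePasswd=constructedKeystorePass
nifi.security.truststore=./conf/truststore.p12
nifi.security.truststorePasswd=constructedTruststorePass
nifi.security.user.login.identity.provider=single-user-provider
"""
LOGIN_PROVIDERS_XML = """\
<loginIdentityProviders><provider><identifier>single-user-provider</identifier>
<class>org.apache.nifi.authentication.single.user.SingleUserLoginIdentityProvider</class>
<property name="Username">6fcaba96-5445-4835-822f-e004c4642d3b</property>
<property name="Password">constructed-hash-placeholder</property>
</provider></loginIdentityProviders>"""
NIFI_APP_LOG = ("2021-07-16 15:46:31,026 INFO [main] o.a.n.a.s.u.SingleUserLoginIdentityProvider Generated "
                "Username [6fcaba96-5445-4835-822f-e004c4642d3b] Generated Password [ScCULiVSEwlqVLG6aHxGv/utRTHxWa7n]\n")
GENERATED_RE = re.compile(r"Generated Username \[([^\]]+)\] Generated Password \[([^\]]+)\]")

def parse_properties(text):
    """Parse key=value lines of nifi.properties, skipping blanks and '#' comments."""
    props = {}
    for line in text.splitlines():
        if line.strip() and not line.lstrip().startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def generated_credentials(log_text):
    """(username, password) pairs the provider logged at first start-up."""
    return GENERATED_RE.findall(log_text)

def audit(properties_text, providers_xml, log_text):
    """Return a list of findings; an empty list means every check passed."""
    props, findings = parse_properties(properties_text), []
    for key in ("nifi.security.keystore", "nifi.security.keystorePasswd",
                "nifi.security.truststore", "nifi.security.truststorePasswd"):
        if not props.get(key):  # empty password: automatic generation has not run
            findings.append(f"{key} is empty; HTTPS keystore/truststore not set up")
    wanted, creds = props.get("nifi.security.user.login.identity.provider"), {}
    for prov in ET.fromstring(providers_xml).iter("provider"):
        if prov.findtext("identifier") == wanted:
            creds = {p.get("name"): (p.text or "") for p in prov.iter("property")}
    if not creds.get("Username") or not creds.get("Password"):
        findings.append(f"provider {wanted!r} has no stored username/password")
    logged = generated_credentials(log_text)
    if any(pw == creds.get("Password") for _, pw in logged):
        findings.append("stored Password equals the plaintext from the log; expected a hash")
    if logged:  # first-start credentials persist in the log file: rotate and protect the log
        findings.append("generated credentials present in nifi-app.log; run "
                        "nifi.sh set-single-user-credentials and restrict log access")
    return findings
```

Run audit() against a real conf/nifi.properties, conf/login-identity-providers.xml and logs/nifi-app.log to get the same findings for an installation.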