Apache NiFi 1.14.0 - Secure by Default


One of the major improvements in Apache NiFi 1.14.0 was to enable security for the default configuration. This means all you have to do now is run bin/nifi.sh start, and your local instance will be running over https with the ability to log in via username and password.

The overall work for this improvement was done through NIFI-8220 and required three major pieces:

  • Automatic generation of a self-signed certificate
  • Single User Login Identity Provider
  • Single User Authorizer

From a high level, the overall setup looks like the following:

Automatic Certificate Generation

In order to have any form of authentication & authorization, we first need to be connecting over https, which means NiFi’s web server needs a keystore and truststore.

In order to achieve this, NIFI-8403 introduced the ability to generate a self-signed certificate during start-up. When keystore and truststore files are specified in nifi.properties and the files don’t exist, they will automatically be generated and nifi.properties will be updated with the passwords.

As a result, the default nifi.properties file now comes with provided values for the keystore and truststore:

nifi.security.keystore=./conf/keystore.p12
nifi.security.keystoreType=PKCS12
nifi.security.keystorePasswd=
nifi.security.keyPasswd=
nifi.security.truststore=./conf/truststore.p12
nifi.security.truststoreType=PKCS12
nifi.security.truststorePasswd=

In addition, the default web host and port have been switched to the following https values:

nifi.web.https.host=127.0.0.1
nifi.web.https.port=8443

As a side note, there are two other new properties related to certificates:

nifi.security.autoreload.enabled=false
nifi.security.autoreload.interval=10 secs

These were not required for the default secure setup, but they allow the keystore and truststore to be reloaded while the application is running. This can be helpful for replacing certificates that may be close to expiring.
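A quick way to confirm that the start-up generation described above actually happened is to read nifi.properties back and check that both PKCS12 files exist and both password properties were populated. The script below is an added example, not part of the NiFi project; it assumes the default layout where conf/ sits under NIFI_HOME and relative keystore paths resolve against NIFI_HOME, and the two nifi.properties files it builds are constructed samples standing in for a before-start and an after-start configuration.

```shell
#!/bin/sh
# Added example (not NiFi project code): verify the automatically generated
# keystore/truststore configuration in nifi.properties.

# prop FILE KEY -> value of KEY in a Java-style properties file (empty if unset)
prop() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | head -n 1
}

# check_nifi_tls CONF_DIR -> 0 when keystore, truststore and https settings are complete
check_nifi_tls() {
    conf="$1"
    props="$conf/nifi.properties"
    rc=0
    for ks in keystore truststore; do
        path=$(prop "$props" "nifi.security.$ks")
        pass=$(prop "$props" "nifi.security.${ks}Passwd")
        # assumption: relative paths resolve against NIFI_HOME, the parent of CONF_DIR
        case "$path" in
            /*) file="$path" ;;
            *)  file="$conf/../$path" ;;
        esac
        if [ ! -f "$file" ]; then
            echo "MISSING: $ks file $path (start NiFi once to generate it)"
            rc=1
        fi
        if [ -z "$pass" ]; then
            echo "EMPTY: nifi.security.${ks}Passwd has not been populated"
            rc=1
        fi
    done
    port=$(prop "$props" nifi.web.https.port)
    if [ -z "$port" ]; then
        echo "MISSING: nifi.web.https.port is not set, so the UI is not served over https"
        rc=1
    fi
    host=$(prop "$props" nifi.web.https.host)
    case "$host" in
        127.0.0.1|localhost) ;;
        *) echo "NOTE: nifi.web.https.host=$host is not loopback; the self-signed certificate will be presented to other hosts" ;;
    esac
    return $rc
}

# --- constructed fixtures: a conf dir as shipped, and one after first start ---
NIFI_HOME_PRE=$(mktemp -d)
mkdir "$NIFI_HOME_PRE/conf"
cat > "$NIFI_HOME_PRE/conf/nifi.properties" <<'EOF'
nifi.web.https.host=127.0.0.1
nifi.web.https.port=8443
nifi.security.keystore=./conf/keystore.p12
nifi.security.keystoreType=PKCS12
nifi.security.keystorePasswd=
nifi.security.keyPasswd=
nifi.security.truststore=./conf/truststore.p12
nifi.security.truststoreType=PKCS12
nifi.security.truststorePasswd=
EOF

NIFI_HOME_POST=$(mktemp -d)
mkdir "$NIFI_HOME_POST/conf"
# constructed placeholder passwords; NiFi writes random ones here on first start
sed 's/Passwd=$/Passwd=constructed-placeholder/' "$NIFI_HOME_PRE/conf/nifi.properties" \
    > "$NIFI_HOME_POST/conf/nifi.properties"
: > "$NIFI_HOME_POST/conf/keystore.p12"
: > "$NIFI_HOME_POST/conf/truststore.p12"

if check_nifi_tls "$NIFI_HOME_PRE/conf"; then
    echo "pre-start config: complete"
else
    echo "pre-start config: incomplete (expected before the first start)"
fi
if check_nifi_tls "$NIFI_HOME_POST/conf"; then
    echo "post-start config: complete"
fi
```

Run it against a real installation with check_nifi_tls /path/to/nifi/conf. The loopback note matters because the default 127.0.0.1 binding is what keeps the generated, self-signed instance local; if the host is widened, the certificate and credentials should be replaced first.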

Single User Login Identity Provider

The next step was to provide a mechanism for authenticating the user. NiFi supports many different authentication mechanisms, but most of them require additional dependencies and/or configuration.

In this case, we want a user to log in with a username and password without doing anything else. In order to achieve this, NIFI-8363 introduced the Single User Login Identity Provider.

This login identity provider allows a single username/password pair to be configured. When this provider is initialized, if the username and password are not present, random values will be generated and login-identity-providers.xml will be updated with the values.

The default login-identity-providers.xml now contains the following configuration:

<provider>
   <identifier>single-user-provider</identifier>
   <class>org.apache.nifi.authentication.single.user.SingleUserLoginIdentityProvider</class>
   <property name="Username"></property>
   <property name="Password"></property>
</provider>

NOTE: The password value here is the hashed password. See the last section below about obtaining and changing the default values.

The default nifi.properties then specifies this login identity provider:

nifi.security.user.login.identity.provider=single-user-provider

Single User Authorizer

The next step was providing a mechanism to perform authorization. In this case, we just want the default user to be authorized for all actions. In order to achieve this, NIFI-8363 introduced the Single User Authorizer.

This authorizer just returns true for all authorization checks, with the caveat that it can only be used when the Single User Login Identity Provider is also configured.

The default authorizers.xml now contains the following configuration:

<authorizer>
   <identifier>single-user-authorizer</identifier>
   <class>org.apache.nifi.authorization.single.user.SingleUserAuthorizer</class>
</authorizer>

The default nifi.properties then specifies this authorizer:

nifi.security.user.authorizer=single-user-authorizer

Default Username/Password

The first time the application is started, the Single User Login Identity Provider generates the username and password and logs them to nifi-app.log. An example would be the following:

2021-07-16 15:46:31,006 INFO [main] o.a.n.w.c.ApplicationStartupContextListener Flow Controller started successfully.
2021-07-16 15:46:31,026 INFO [main] o.a.n.a.s.u.SingleUserLoginIdentityProvider

Generated Username [6fcaba96-5445-4835-822f-e004c4642d3b]
Generated Password [ScCULiVSEwlqVLG6aHxGv/utRTHxWa7n]

2021-07-16 15:46:31,026 INFO [main] o.a.n.a.s.u.SingleUserLoginIdentityProvider Run the following command to change credentials: nifi.sh set-single-user-credentials USERNAME PASSWORD
2021-07-16 15:46:31,338 INFO [main] o.a.n.a.s.u.SingleUserLoginIdentityProvider Updating Login Identity Providers Configuration [./conf/login-identity-providers.xml]

If you then access https://localhost:8443/nifi in your browser (accept warnings about self-signed certificates), you should be able to log in with the username/password.

As the logs mention above, the default username/password can be changed by running the following utility:

./bin/nifi.sh set-single-user-credentials USERNAME PASSWORD
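The following is an added example, not NiFi project code, that pulls the generated username out of nifi-app.log the way an operator would after a first start, checks that nifi.properties points at both the Single User Login Identity Provider and the Single User Authorizer (the authorizer is only valid alongside that provider, as noted above), and confirms that login-identity-providers.xml has a populated Username and (hashed) Password. The log excerpt, XML files and properties file it builds are constructed samples; the username and hash values are placeholders.

```shell
#!/bin/sh
# Added example (not NiFi project code): find the generated single-user
# credentials and check the single-user provider/authorizer wiring.

# generated_username LOG -> the username NiFi logged on first start (empty if none)
generated_username() {
    sed -n 's/^Generated Username \[\([^]]*\)\].*/\1/p' "$1" | tail -n 1
}

# single_user_wiring PROPS -> 0 when provider and authorizer are both the single-user ones
single_user_wiring() {
    provider=$(sed -n 's/^nifi\.security\.user\.login\.identity\.provider=//p' "$1")
    authorizer=$(sed -n 's/^nifi\.security\.user\.authorizer=//p' "$1")
    [ "$provider" = "single-user-provider" ] && [ "$authorizer" = "single-user-authorizer" ]
}

# xml_property FILE NAME -> text of <property name="NAME">...</property> (empty if unset)
xml_property() {
    sed -n "s/.*<property name=\"$2\">\([^<]*\)<\/property>.*/\1/p" "$1" | head -n 1
}

# single_user_credentials_set PROVIDERS_XML -> 0 when Username and Password are populated
single_user_credentials_set() {
    [ -n "$(xml_property "$1" Username)" ] && [ -n "$(xml_property "$1" Password)" ]
}

# --- constructed fixtures ---
WORK=$(mktemp -d)
cat > "$WORK/nifi-app.log" <<'EOF'
2021-07-16 15:46:31,006 INFO [main] o.a.n.w.c.ApplicationStartupContextListener Flow Controller started successfully.
2021-07-16 15:46:31,026 INFO [main] o.a.n.a.s.u.SingleUserLoginIdentityProvider

Generated Username [11111111-2222-4333-8444-555555555555]
Generated Password [constructed-sample-password-not-real]

2021-07-16 15:46:31,026 INFO [main] o.a.n.a.s.u.SingleUserLoginIdentityProvider Run the following command to change credentials: nifi.sh set-single-user-credentials USERNAME PASSWORD
EOF

cat > "$WORK/nifi.properties" <<'EOF'
nifi.security.user.login.identity.provider=single-user-provider
nifi.security.user.authorizer=single-user-authorizer
EOF

# the file as shipped, before the provider has written values into it
cat > "$WORK/login-identity-providers-default.xml" <<'EOF'
<loginIdentityProviders>
<provider>
   <identifier>single-user-provider</identifier>
   <class>org.apache.nifi.authentication.single.user.SingleUserLoginIdentityProvider</class>
   <property name="Username"></property>
   <property name="Password"></property>
</provider>
</loginIdentityProviders>
EOF

# the file after first start (constructed username and hash placeholder)
cat > "$WORK/login-identity-providers.xml" <<'EOF'
<loginIdentityProviders>
<provider>
   <identifier>single-user-provider</identifier>
   <class>org.apache.nifi.authentication.single.user.SingleUserLoginIdentityProvider</class>
   <property name="Username">11111111-2222-4333-8444-555555555555</property>
   <property name="Password">constructed-hash-placeholder</property>
</provider>
</loginIdentityProviders>
EOF

echo "generated username: $(generated_username "$WORK/nifi-app.log")"
if single_user_wiring "$WORK/nifi.properties" \
   && single_user_credentials_set "$WORK/login-identity-providers.xml"; then
    echo "single-user login is active; rotate with ./bin/nifi.sh set-single-user-credentials USERNAME PASSWORD"
fi
if ! single_user_credentials_set "$WORK/login-identity-providers-default.xml"; then
    echo "default file has no credentials yet (expected before the first start)"
fi
```

Pointed at a real installation, generated_username logs/nifi-app.log gives you the username without scrolling, and the two checks tell you whether the instance is still on the generated credentials, which is the cue to run set-single-user-credentials before exposing it beyond localhost.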
