Apache NiFi Authorization and User Authentication

Source: Internet   Editor: 程序博客网   Time: 2024/06/13 23:02


This article gives a brief introduction to authorization in Apache NiFi and to user authentication against an LDAP server. Corrections are welcome.

NiFi only performs authorization and user authentication over an HTTPS connection, so we first need a keystore and a truststore. Here we use the TLS toolkit that ships with NiFi (nifi-toolkit) to generate them.

1. Certificates

After downloading nifi-toolkit, open a cmd prompt and change into the directory where the toolkit was extracted. Run bin\tls-toolkit.bat standalone -n "localhost" -C "CN=XX, OU=XX" -o target (-n is the server hostname the certificate is issued for, -C the subject of the client certificate, -o the output directory). After pressing Enter, a target folder appears in the toolkit directory.
Its directory structure is as follows:

target/
├── CN=xx_OU=xx.p12
├── CN=xx_OU=xx.password
├── localhost
│ ├── keystore.jks
│ ├── nifi.properties
│ └── truststore.jks
├── nifi-cert.pem
└── nifi-key.key

2. After generating the certificates, edit NiFi's configuration file conf/nifi.properties

# web properties #
nifi.web.war.directory=./lib
nifi.web.http.host=
nifi.web.http.port=
nifi.web.https.host=localhost
nifi.web.https.port=9443
nifi.web.jetty.working.directory=./work/jetty
nifi.web.jetty.threads=200

The nifi.properties generated by the toolkit contains the defaults above; the HTTPS port can be changed. The keystore and truststore settings look as follows (the passwords are randomly generated by the toolkit, so yours will differ):

nifi.security.keystore=./conf/keystore.jks
nifi.security.keystoreType=jks
nifi.security.keystorePasswd=kd/7UJP
nifi.security.keyPasswd=kd/7UJP
nifi.security.truststore=./conf/truststore.jks
nifi.security.truststoreType=jks
nifi.security.truststorePasswd=CGH9TgbIo95PBiKGnPlgzoAOC91ZgCefW3fgRpyl/C8

Replace nifi-bin/conf/nifi.properties with the generated nifi.properties and copy keystore.jks and truststore.jks into nifi-bin/conf.

3. When configuring NiFi's secure connection for the first time, set the value of "Initial Admin Identity" in conf/authorizers.xml to the identity you entered when generating the certificate, i.e. CN=XX, OU=XX; this user becomes the "superuser" you first log in with. The value must match the certificate subject exactly as NiFi renders it (attribute order, and a comma followed by a space between attributes), and it is only read when conf/users.xml and conf/authorizations.xml do not exist yet, so if NiFi has already been started once, delete those two files before restarting.

(screenshot: authorizers.xml configuration)

4. Restart NiFi and open https://localhost:9443/nifi. Import nifi-toolkit/target/CN=xx_OU=xx.p12 into your browser; its password is in the CN=xx_OU=xx.password file. When the browser prompts for a client certificate, select it and you enter NiFi logged in as the identity you entered when generating the certificate.
(screenshot: NiFi main page)

5. Click the menu > Users and press the add-user button.
(screenshot: users page)
You can add either a user group or an individual user.

6. Click the menu > Policies to open the authorization page, select the relevant policy and add the users to be authorized.

User login authentication in Apache NiFi

Besides client certificates, NiFi ships two Login Identity Providers for username/password login: LDAP and Kerberos (see the official NiFi documentation on user authentication).
Two files need to be configured:

/conf/nifi.properties
/conf/login-identity-providers.xml

In nifi.properties, set the following two properties:

nifi.login.identity.provider.configuration.file=./conf/login-identity-providers.xml
nifi.security.user.login.identity.provider=ldap-provider

The official NiFi documentation describes this as follows:

NiFi supports user authentication via client certificates or via username/password. Username/password authentication is performed by a Login Identity Provider. The Login Identity Provider is a pluggable mechanism for authenticating users via their username/password. Which Login Identity Provider to use is configured in two properties in the nifi.properties file. The nifi.login.identity.provider.configuration.file property specifies the configuration file for Login Identity Providers. The nifi.security.user.login.identity.provider property indicates which of the configured Login Identity Providers should be used. If this property is not configured, NiFi will not support username/password authentication and will require client certificates for authenticating users over HTTPS. By default, this property is not configured, meaning that username/password authentication must be explicitly enabled.

This article covers only LDAP. The ldap-provider defined in NiFi's default login-identity-providers.xml (commented out by default; uncomment it to use it) looks like this:

<provider>
    <identifier>ldap-provider</identifier>
    <class>org.apache.nifi.ldap.LdapProvider</class>
    <property name="Authentication Strategy">START_TLS</property>
    <property name="Manager DN"></property>
    <property name="Manager Password"></property>
    <property name="TLS - Keystore"></property>
    <property name="TLS - Keystore Password"></property>
    <property name="TLS - Keystore Type"></property>
    <property name="TLS - Truststore"></property>
    <property name="TLS - Truststore Password"></property>
    <property name="TLS - Truststore Type"></property>
    <property name="TLS - Client Auth"></property>
    <property name="TLS - Protocol"></property>
    <property name="TLS - Shutdown Gracefully"></property>
    <property name="Referral Strategy">FOLLOW</property>
    <property name="Connect Timeout">10 secs</property>
    <property name="Read Timeout">10 secs</property>
    <property name="Url"></property>
    <property name="User Search Base"></property>
    <property name="User Search Filter"></property>
    <property name="Identity Strategy">USE_DN</property>
    <property name="Authentication Expiration">12 hours</property>
</provider>

The NiFi Admin Guide describes the properties as follows:

'Authentication Strategy' - How the connection to the LDAP server is authenticated. Possible values are ANONYMOUS, SIMPLE, LDAPS, or START_TLS.
'Manager DN' - The DN of the manager that is used to bind to the LDAP server to search for users.
'Manager Password' - The password of the manager that is used to bind to the LDAP server to search for users.
'TLS - Keystore' - Path to the Keystore that is used when connecting to LDAP using LDAPS or START_TLS.
'TLS - Keystore Password' - Password for the Keystore that is used when connecting to LDAP using LDAPS or START_TLS.
'TLS - Keystore Type' - Type of the Keystore that is used when connecting to LDAP using LDAPS or START_TLS (i.e. JKS or PKCS12).
'TLS - Truststore' - Path to the Truststore that is used when connecting to LDAP using LDAPS or START_TLS.
'TLS - Truststore Password' - Password for the Truststore that is used when connecting to LDAP using LDAPS or START_TLS.
'TLS - Truststore Type' - Type of the Truststore that is used when connecting to LDAP using LDAPS or START_TLS (i.e. JKS or PKCS12).
'TLS - Client Auth' - Client authentication policy when connecting to LDAP using LDAPS or START_TLS. Possible values are REQUIRED, WANT, NONE.
'TLS - Protocol' - Protocol to use when connecting to LDAP using LDAPS or START_TLS (i.e. TLS, TLSv1.1, TLSv1.2, etc).
'TLS - Shutdown Gracefully' - Specifies whether the TLS should be shut down gracefully before the target context is closed. Defaults to false.
'Referral Strategy' - Strategy for handling referrals. Possible values are FOLLOW, IGNORE, THROW.
'Connect Timeout' - Duration of connect timeout (i.e. 10 secs).
'Read Timeout' - Duration of read timeout (i.e. 10 secs).
'Url' - Url of the LDAP server (i.e. ldap://<hostname>:<port>).
'User Search Base' - Base DN for searching for users (i.e. CN=Users,DC=example,DC=com).
'User Search Filter' - Filter for searching for users against the 'User Search Base' (i.e. sAMAccountName={0}). The user specified name is inserted into '{0}'.
'Identity Strategy' - Strategy to identify users. Possible values are USE_DN and USE_USERNAME. The default functionality if this property is missing is USE_DN in order to retain backward compatibility. USE_DN will use the full DN of the user entry if possible. USE_USERNAME will use the username the user logged in with.
'Authentication Expiration' - The duration of how long the user authentication is valid for. If the user never logs out, they will be required to log back in following this duration.

Starting an LDAP server

Here we use Apache Directory Studio, which makes this very easy. Download and install the Windows version and open it. In the Servers panel at the bottom left, right-click > New Server, choose a version and click Finish.
Set the port, add a partition (the LDIF below is rooted at dc=nifi,dc=com, so use that as the partition suffix), and save.
Right-click the new server and choose Run, then click Create a Connection to create a connection to it. Opening the connection shows the directory tree.
Right-click > Import > LDIF Import. Copy the content below into a new text file saved with the .ldif extension, import that file and click Finish. After the import the tree contains the entries below.

dn: ou=people,dc=nifi,dc=com
objectclass: organizationalUnit
objectClass: extensibleObject
objectclass: top
ou: people

dn: ou=groups,dc=nifi,dc=com
objectclass: organizationalUnit
objectClass: extensibleObject
objectclass: top
ou: groups

dn: cn=users,ou=groups,dc=nifi,dc=com
objectClass: groupOfUniqueNames
objectClass: top
cn: users
uniqueMember: cn=test,ou=people,dc=nifi,dc=com

dn: cn=admins,ou=groups,dc=nifi,dc=com
objectClass: groupOfUniqueNames
objectClass: top
cn: admins
uniqueMember: cn=admin,ou=people,dc=nifi,dc=com

dn: cn=test,ou=people,dc=nifi,dc=com
objectclass: inetOrgPerson
objectclass: organizationalPerson
objectclass: person
objectclass: top
cn: test
description: A test user
sn: test
uid: test
mail: test@nifi.com
userpassword: password

dn: cn=admin,ou=people,dc=nifi,dc=com
objectclass: inetOrgPerson
objectclass: organizationalPerson
objectclass: person
objectclass: top
cn: admin
description: An admin user
sn: admin
uid: admin
mail: admin@nifi.com
userpassword: password


Edit conf/login-identity-providers.xml as below. Note that Authentication Strategy SIMPLE over a plain ldap:// URL sends the manager bind password and every user's login password in cleartext, and the TLS - Keystore/Truststore entries are ignored for that strategy (they only apply to LDAPS or START_TLS). That is acceptable for this local test but not for production, where you should use LDAPS or START_TLS and bind with a dedicated read-only search account instead of the directory's own administrator (uid=admin,ou=system with password secret is the ApacheDS default).

<provider>
    <identifier>ldap-provider</identifier>
    <class>org.apache.nifi.ldap.LdapProvider</class>
    <!-- SIMPLE bind over ldap://: credentials travel in cleartext; test setup only -->
    <property name="Authentication Strategy">SIMPLE</property>
    <!-- ApacheDS default administrator account -->
    <property name="Manager DN">uid=admin,ou=system</property>
    <property name="Manager Password">secret</property>
    <!-- The TLS settings are only used with LDAPS or START_TLS, so they are inactive here -->
    <property name="TLS - Keystore">./conf/nifi.p12</property>
    <property name="TLS - Keystore Password">kd/7UJP</property>
    <property name="TLS - Keystore Type">PKCS12</property>
    <property name="TLS - Truststore">./conf/truststore.jks</property>
    <property name="TLS - Truststore Password">CGH9TgbIo95PBiKGnPlgzoAOC91ZgCefW3fgRpyl/C8</property>
    <property name="TLS - Truststore Type">jks</property>
    <property name="TLS - Client Auth"></property>
    <property name="TLS - Protocol">TLS</property>
    <property name="TLS - Shutdown Gracefully"></property>
    <property name="Referral Strategy">FOLLOW</property>
    <property name="Connect Timeout">10 secs</property>
    <property name="Read Timeout">10 secs</property>
    <!-- Port chosen when the ApacheDS server was created in Directory Studio -->
    <property name="Url">ldap://localhost:10399</property>
    <!-- {0} is replaced with the login name, so "admin" matches uid=admin under ou=people -->
    <property name="User Search Base">ou=people,dc=nifi,dc=com</property>
    <property name="User Search Filter">uid={0}</property>
    <!-- The NiFi identity becomes the login name ("admin"), not the full DN -->
    <property name="Identity Strategy">USE_USERNAME</property>
    <property name="Authentication Expiration">12 hours</property>
</provider>

Save, restart NiFi, and open https://localhost:9443/nifi/login.
If the browser presents the client certificate, NiFi authenticates you with it and you never reach the login page; cancel the certificate prompt and you land on the login page for username/password authentication instead. Log in with admin / password. LDAP authentication succeeds, but authentication and authorization are separate steps, and since no NiFi user named admin has been created yet, the page reports:

Unknown user with identity ‘admin’. Contact the system administrator

Now open https://localhost:9443/nifi, select the certificate, and as the "super admin" add a user named admin and grant it the "view the user interface" policy; admin can then reach the NiFi canvas. The user name you add must be exactly the identity string the Login Identity Provider produces: with Identity Strategy USE_USERNAME that is the login name admin; with USE_DN it would be the full DN cn=admin,ou=people,dc=nifi,dc=com, and that string is what would have to be added as the NiFi user instead.
Log out and log back in as admin.
