This post is about securing NiFi so that every user has to log in through Google's OAuth 2.0 login provider before reaching the UI.
So the scenario is like this:
- I have Google account with Gmail ID reachchinu(\at)gmail(\dot)com
- OpenStack Cloud is provided by the university where I am working.
- I have an instance running in the Openstack cloud.
- IP of that instance is 172.17.66.101.
- NiFi is running here
Current Setup:
Now I am accessing the NiFi instance without any security. Anyone inside the university network who knows the IP and port can open NiFi's UI.
What I need:
NiFi should ask for login credentials before allowing anyone to access the UI.
What can be done:
Enable NiFi's security features. After this, every time you try to open NiFi's UI you must first authenticate with Google's OAuth 2.0 provider.
Pre-requisite:
I have access to that NiFi instance over SSH.
NiFi is installed in the /usr/local/bin directory.
Steps:
Install and configure NiFi:
Follow URL: https://nifi.apache.org/docs/nifi-docs/html/walkthroughs.html
Nifi is installed on /usr/local/bin
Nifi version: 1.11.4
Stop the NiFi service if it is running:
cd /usr/local/bin
./nifi-1.11.4/bin/nifi.sh stop
Download the NiFi toolkit to /usr/local/bin: https://archive.apache.org/dist/nifi/1.11.4/nifi-toolkit-1.11.4-bin.tar.gz
Extract the downloaded toolkit in the same location.
Make sure the current directory is /usr/local/bin/
Execute the following command to generate a signed certificate, keystore and truststore for localhost:
./nifi-toolkit-1.11.4/bin/tls-toolkit.sh standalone -n "localhost"
Copy the generated files into NiFi's conf directory (note that this overwrites the existing nifi.properties):
cp -rv ./localhost/* /usr/local/bin/nifi-1.11.4/conf/.
Open the nifi.properties file present in the /usr/local/bin/nifi-1.11.4/conf directory:
sudo vim /usr/local/bin/nifi-1.11.4/conf/nifi.properties
Edit the following line, replacing localhost with the IP address of your instance followed by .xip.io:
nifi.web.https.host=<give here IP>.xip.io
Open the authorizers.xml file:
sudo vim /usr/local/bin/nifi-1.11.4/conf/authorizers.xml
Edit the following line in the <userGroupProvider> section:
<property name="Initial User Identity 1">YOUR_ACCOUNT@gmail.com</property>
Edit the following line in the <accessPolicyProvider> section (it must be the same identity as above, otherwise the file-based provider cannot seed the admin's policies):
<property name="Initial Admin Identity">YOUR_ACCOUNT@gmail.com</property>
At the end, the two sections of authorizers.xml should look like below:
    <userGroupProvider>
        <identifier>file-user-group-provider</identifier>
        <class>org.apache.nifi.authorization.FileUserGroupProvider</class>
        <property name="Users File">./conf/users.xml</property>
        <property name="Legacy Authorized Users File"></property>
        <property name="Initial User Identity 1">reachinu@gmail.com</property>
    </userGroupProvider>
    <accessPolicyProvider>
        <identifier>file-access-policy-provider</identifier>
        <class>org.apache.nifi.authorization.FileAccessPolicyProvider</class>
        <property name="User Group Provider">file-user-group-provider</property>
        <property name="Authorizations File">./conf/authorizations.xml</property>
        <property name="Initial Admin Identity">reachinu@gmail.com</property>
        <property name="Legacy Authorized Users File"></property>
        <property name="Node Identity 1"></property>
        <property name="Node Group"></property>
    </accessPolicyProvider>
Before proceeding further, have the following information ready:
IP address of the NiFi instance
Port number
You can get this from the /usr/local/bin/nifi-1.11.4/conf/nifi.properties file.
The line looks like nifi.web.https.port=8443
Log in to the Google Developers Console with your Google account:
https://console.developers.google.com/apis/credentials
Select a different project if you want to, as shown in the figure below:
Click on "CREATE CREDENTIALS" as shown in the figure above.
Now select “OAuth client ID”:
Fill in the next page according to the figure below:
Application type:
Name:
URIs: change the IP address and port number to match your instance
Now click on “CREATE”
In the next dialog box, you will see the Client ID and Client secret.
Note down the following:
Your email address, which is used in the project
Client ID
Client Secret
And the following URL:
https://accounts.google.com/.well-known/openid-configuration
Open the nifi.properties file present in the /usr/local/bin/nifi-1.11.4/conf directory and set the following properties:
nifi.security.user.oidc.discovery.url=https://accounts.google.com/.well-known/openid-configuration
nifi.security.user.oidc.connect.timeout=5 secs
nifi.security.user.oidc.read.timeout=5 secs
nifi.security.user.oidc.client.id=<YOUR-CLIENT-ID>
nifi.security.user.oidc.client.secret=<YOUR-CLIENT-SECRET>
nifi.security.user.oidc.preferred.jwsalgorithm=
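Before starting NiFi it is worth checking that the edits above are complete. The script below is an added example, not part of the original post or of NiFi itself: it reads the keys this walkthrough changes from nifi.properties and authorizers.xml and reports anything still unsafe (HTTP port still open, https host left at localhost, empty OIDC settings, admin identity not listed as an initial user). The conf files it audits are constructed samples written to temporary directories, so it runs offline; point audit_nifi_conf at the real conf directory to check a live install.

```shell
#!/bin/sh
# Added example (not from the original post): audit the conf files this
# walkthrough edits and report what is still unsafe or incomplete.

# prop KEY FILE: print the value of KEY from a nifi.properties-style file
prop() { sed -n "s/^$1=//p" "$2" | head -n 1; }

# xmlprop NAME FILE: print the text of <property name="NAME">...</property>
xmlprop() { sed -n "s/.*name=\"$1\">\([^<]*\)<.*/\1/p" "$2" | head -n 1; }

# audit_nifi_conf DIR: print each finding, return the number of findings
audit_nifi_conf() {
  p="$1/nifi.properties"; a="$1/authorizers.xml"; n=0
  # tls-toolkit blanks the HTTP port; a non-empty value leaves an unencrypted listener
  [ -z "$(prop nifi.web.http.port "$p")" ] || { echo "HTTP port still set"; n=$((n+1)); }
  # the post replaces the toolkit's "localhost" with <IP>.xip.io so Google can redirect back
  case "$(prop nifi.web.https.host "$p")" in
    ""|localhost) echo "https host is empty or localhost"; n=$((n+1)) ;;
  esac
  for k in nifi.security.user.oidc.discovery.url nifi.security.user.oidc.client.id \
           nifi.security.user.oidc.client.secret; do
    [ -n "$(prop "$k" "$p")" ] || { echo "$k is empty"; n=$((n+1)); }
  done
  # the initial admin must also be an initial user, or the file provider cannot seed policies
  admin=$(xmlprop "Initial Admin Identity" "$a"); user=$(xmlprop "Initial User Identity 1" "$a")
  [ -n "$admin" ] && [ "$admin" = "$user" ] || { echo "Initial Admin Identity ($admin) is not Initial User Identity 1 ($user)"; n=$((n+1)); }
  return $n
}

# write_conf DIR HOST SECRET ADMIN USER: constructed sample conf files for offline runs
write_conf() {
  mkdir -p "$1"
  printf '%s\n' "nifi.web.http.port=" "nifi.web.https.host=$2" "nifi.web.https.port=8443" \
    "nifi.security.user.oidc.discovery.url=https://accounts.google.com/.well-known/openid-configuration" \
    "nifi.security.user.oidc.client.id=CONSTRUCTED-CLIENT-ID" \
    "nifi.security.user.oidc.client.secret=$3" > "$1/nifi.properties"
  printf '%s\n' "<property name=\"Initial User Identity 1\">$5</property>" \
    "<property name=\"Initial Admin Identity\">$4</property>" > "$1/authorizers.xml"
}

GOOD_DIR=$(mktemp -d)   # conf as the post leaves it
write_conf "$GOOD_DIR" 172.17.66.101.xip.io CONSTRUCTED-SECRET reachinu@gmail.com reachinu@gmail.com
BAD_DIR=$(mktemp -d)    # host left at localhost, secret missing, no initial user
write_conf "$BAD_DIR" localhost "" reachinu@gmail.com ""
audit_nifi_conf "$GOOD_DIR" && echo "good conf: no findings"
audit_nifi_conf "$BAD_DIR" || echo "bad conf: $? finding(s)"
```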
At this point NiFi is expected to be stopped.
Now start NiFi:
./nifi-1.11.4/bin/nifi.sh start
Now go to the browser (here I am using Mozilla Firefox) and enter
https://<ip address>.xip.io:<port number>
E.g. https://172.17.66.105.xip.io:8443
Firefox warns that the certificate is not trusted (it was issued by the toolkit's own CA, not a public one). Click on "Advanced...".
Click on "Accept the Risk and Continue".
Enter your email address and other details.
In my case I entered reachinu@gmail.com
Possible Errors:
If you enter the wrong email address (one that is not the identity configured in authorizers.xml), you will be prompted with the following message:
In your browser, if you omit the .xip.io part of the address, you will be prompted with the following message:
If you try to access NiFi with http instead of https, you will get random characters, something like the following: