Friday, December 4, 2020

Securing Nifi with Google's OAuth 2.0 provider

This post is about securing NiFi so that users are authenticated by Google through its OAuth 2.0 (OpenID Connect) login provider.


So the scenario is like this:

  • I have my own PC.
  • I have a Google account with Gmail ID reachchinu(\at)gmail(\dot)com
  • The OpenStack cloud is provided by the university where I am working.
  • I have an instance running in the OpenStack cloud.
  • The IP of that instance is 172.17.66.101.
  • NiFi is running there.

Current Setup:

Now I am accessing the NiFi instance without any security. Anyone who knows the IP and port and is within the University network can access NiFi's UI.

What I need:

NiFi should ask for some kind of login before allowing anyone to access the UI.

What can be done:

Enable NiFi's security features. After this, every time you try to access NiFi's UI you must authenticate with Google's OAuth 2.0 provider.

Pre-requisites:

I have access to that NiFi instance over SSH.

NiFi is installed in the /usr/local/bin directory.

Steps:

  1. Install and configure NiFi:

    1. Follow [src1]: https://nifi.apache.org/docs/nifi-docs/html/walkthroughs.html

    2. NiFi is installed in /usr/local/bin

    3. NiFi version: 1.11.4

    4. Stop the NiFi service if it is running:

      cd /usr/local/bin

      ./nifi-1.11.4/bin/nifi.sh stop

  2. Download the NiFi toolkit to /usr/local/bin: https://archive.apache.org/dist/nifi/1.11.4/nifi-toolkit-1.11.4-bin.tar.gz

  3. Unpack the downloaded toolkit in the same location.

  4. Make sure the current directory is /usr/local/bin/.

  5. Execute the following command to generate a certificate and keystore files for localhost (the toolkit writes them into a ./localhost directory):

      ./nifi-toolkit-1.11.4/bin/tls-toolkit.sh standalone -n "localhost"

  6. Copy the generated files into NiFi's conf directory:

      cp -rv ./localhost/* /usr/local/bin/nifi-1.11.4/conf/.

  7. Open the nifi.properties file present in the /usr/local/bin/nifi-1.11.4/conf directory:

      sudo vim /usr/local/bin/nifi-1.11.4/conf/nifi.properties

  8. Edit the following line (replace localhost with the instance's IP address followed by .xip.io):

      nifi.web.https.host=<give here IP>.xip.io

  9. Open the authorizers.xml file:

      sudo vim /usr/local/bin/nifi-1.11.4/conf/authorizers.xml

  10. Edit the following line in the <userGroupProvider> section:

      <property name="Initial User Identity 1">YOUR_ACCOUNT@gmail.com</property>

  11. Edit the following line in the <accessPolicyProvider> section:

      <property name="Initial Admin Identity">YOUR_ACCOUNT@gmail.com</property>

  12. At the end, the two sections of authorizers.xml should look like below:

<userGroupProvider>
    <identifier>file-user-group-provider</identifier>
    <class>org.apache.nifi.authorization.FileUserGroupProvider</class>
    <property name="Users File">./conf/users.xml</property>
    <property name="Legacy Authorized Users File"></property>
    <property name="Initial User Identity 1">reachinu@gmail.com</property>
</userGroupProvider>

<accessPolicyProvider>
    <identifier>file-access-policy-provider</identifier>
    <class>org.apache.nifi.authorization.FileAccessPolicyProvider</class>
    <property name="User Group Provider">file-user-group-provider</property>
    <property name="Authorizations File">./conf/authorizations.xml</property>
    <property name="Initial Admin Identity">reachinu@gmail.com</property>
    <property name="Legacy Authorized Users File"></property>
    <property name="Node Identity 1"></property>
    <property name="Node Group"></property>
</accessPolicyProvider>

  13. Before proceeding, have the following information ready:

    1. IP address of the NiFi instance

    2. Port number: you can get this from the /usr/local/bin/nifi-1.11.4/conf/nifi.properties file; the line looks like nifi.web.https.port=8443

  14. [src2] Log in to the Google Developers Console with your Google account:
    https://console.developers.google.com/apis/credentials

  15. Select (or change) the project as shown in the figure below:

  16. Click on "CREATE CREDENTIALS" as shown in the figure above.

  17. Now select "OAuth client ID":

  18. Fill in the next page according to the figure below:

    • Application type

    • Name

    • URIs: change the IP address and port number to match your case

  19. Now click on "CREATE".

  20. In the next dialog box you will see the Client ID and Client secret.

  21. Note down the following:

    1. Your email address that is used in the project

    2. Client ID

    3. Client secret

    4. And the following URL:

      https://accounts.google.com/.well-known/openid-configuration

  22. Open the nifi.properties file present in the /usr/local/bin/nifi-1.11.4/conf directory and set the following properties:

      nifi.security.user.oidc.discovery.url=https://accounts.google.com/.well-known/openid-configuration
      nifi.security.user.oidc.connect.timeout=5 secs
      nifi.security.user.oidc.read.timeout=5 secs
      nifi.security.user.oidc.client.id=<YOUR-CLIENT-ID>
      nifi.security.user.oidc.client.secret=<YOUR-CLIENT-SECRET>
      nifi.security.user.oidc.preferred.jwsalgorithm=
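The nifi.properties and authorizers.xml edits above are easy to get slightly wrong by hand, and the mistakes listed under "Possible Errors" further down only show up after NiFi has been started. The script below is an added example, not code from the original post or from the NiFi project: it applies the same edits from environment variables and then checks the result while NiFi is still stopped. The paths follow the post; the variable names (NIFI_HOME, NIFI_HOST, ADMIN_EMAIL, OIDC_CLIENT_ID, OIDC_CLIENT_SECRET), the awk-based helpers and the check_config rules are this example's own choices. The redirect URI it prints uses NiFi 1.x's OpenID Connect callback path, /nifi-api/access/oidc/callback, which the post does not spell out in text.

```shell
#!/bin/sh
# Added example (not from the original post): apply the nifi.properties and
# authorizers.xml edits with a script and sanity-check them before NiFi starts.
# Assumed environment (export before running with the "apply" argument):
#   NIFI_HOME           e.g. /usr/local/bin/nifi-1.11.4
#   NIFI_HOST           e.g. 172.17.66.101.xip.io
#   ADMIN_EMAIL         the Google account used as Initial Admin Identity
#   OIDC_CLIENT_ID, OIDC_CLIENT_SECRET   from the Google console dialog

# set_property FILE KEY VALUE: rewrite "KEY=..." in place, keeping order and
# comments; append the key if the file does not have it yet.
set_property() {
  awk -v k="$2" -v v="$3" '
    index($0, k "=") == 1 { print k "=" v; seen = 1; next }
    { print }
    END { if (!seen) print k "=" v }
  ' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# get_property FILE KEY: print the current value of KEY (empty if unset).
get_property() {
  sed -n "s/^$2=//p" "$1" | head -n 1
}

# set_identity FILE NAME VALUE: fill <property name="NAME">...</property> in
# authorizers.xml, e.g. NAME="Initial Admin Identity" (VALUE must not contain &).
set_identity() {
  awk -v n="$2" -v v="$3" '
    index($0, "<property name=\"" n "\">") { sub(/>.*<\/property>/, ">" v "</property>") }
    { print }
  ' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# get_identity FILE NAME: print the current value of that property element.
get_identity() {
  sed -n "s/.*<property name=\"$2\">\(.*\)<\/property>.*/\1/p" "$1" | head -n 1
}

# redirect_uri PROPS: the redirect URI to register for the OAuth client ID.
# NiFi 1.x serves the OpenID Connect callback at /nifi-api/access/oidc/callback.
redirect_uri() {
  echo "https://$(get_property "$1" nifi.web.https.host):$(get_property "$1" nifi.web.https.port)/nifi-api/access/oidc/callback"
}

# check_config PROPS AUTHZ: catch the mistakes behind the post's "Possible
# Errors" before starting NiFi. Prints each finding, returns non-zero on error.
check_config() {
  rc=0
  host=$(get_property "$1" nifi.web.https.host)
  case "$host" in
    ""|localhost) echo "nifi.web.https.host must be the instance host, not '$host'"; rc=1 ;;
    *.xip.io) ;;
    *) echo "note: $host has no .xip.io suffix; the browser URL must match it exactly" ;;
  esac
  for k in nifi.security.user.oidc.client.id nifi.security.user.oidc.client.secret; do
    case "$(get_property "$1" "$k")" in
      ""|\<*) echo "$k is empty or still a <placeholder>"; rc=1 ;;
    esac
  done
  [ "$(get_property "$1" nifi.security.user.oidc.discovery.url)" = \
    "https://accounts.google.com/.well-known/openid-configuration" ] \
    || { echo "discovery URL is not Google's openid-configuration"; rc=1; }
  admin=$(get_identity "$2" "Initial Admin Identity")
  user1=$(get_identity "$2" "Initial User Identity 1")
  case "$admin" in
    *@*) ;;
    *) echo "Initial Admin Identity is not an e-mail address: '$admin'"; rc=1 ;;
  esac
  [ "$admin" = "$user1" ] \
    || { echo "Initial Admin Identity and Initial User Identity 1 differ"; rc=1; }
  return $rc
}

# configure_nifi: the post's edit sequence, driven by the variables above.
configure_nifi() {
  p="$NIFI_HOME/conf/nifi.properties"
  a="$NIFI_HOME/conf/authorizers.xml"
  set_property "$p" nifi.web.https.host "$NIFI_HOST"
  set_property "$p" nifi.security.user.oidc.discovery.url \
    "https://accounts.google.com/.well-known/openid-configuration"
  set_property "$p" nifi.security.user.oidc.connect.timeout "5 secs"
  set_property "$p" nifi.security.user.oidc.read.timeout "5 secs"
  set_property "$p" nifi.security.user.oidc.client.id "$OIDC_CLIENT_ID"
  set_property "$p" nifi.security.user.oidc.client.secret "$OIDC_CLIENT_SECRET"
  set_identity "$a" "Initial User Identity 1" "$ADMIN_EMAIL"
  set_identity "$a" "Initial Admin Identity" "$ADMIN_EMAIL"
  check_config "$p" "$a" \
    && echo "register this redirect URI for the OAuth client: $(redirect_uri "$p")"
}

# Only modify real files when invoked as: sh configure-nifi-oidc.sh apply
case "${1:-}" in apply) configure_nifi ;; esac
```

Run it as `sh configure-nifi-oidc.sh apply` after stopping NiFi. check_config refuses to report success while either client value is still empty or a `<placeholder>`, while the https host is still localhost, or while the two identities in authorizers.xml are not the same e-mail address, which is how the post's final authorizers.xml is configured.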


  23. At this point NiFi is expected to be stopped.

  24. Now start NiFi:

      ./nifi-1.11.4/bin/nifi.sh start

  25. Now go to the browser (here I am using Mozilla Firefox) and enter

      https://<ip address>.xip.io:<port number>

      E.g. https://172.17.66.105.xip.io:8443

Click on "Advanced..." (Firefox warns because the certificate was generated by the toolkit's own CA for localhost, not by a CA the browser trusts).

Click on "Accept the Risk and Continue".

Enter your email address and other details on the Google login page.

In my case I entered reachinu@gmail.com


Possible Errors:

  1. If you enter an email address other than the one configured in authorizers.xml, you will be shown the following message:

  2. If you leave out the .xip.io part of the address in your browser, you will be shown the following message:

  3. If you try to access NiFi with http instead of https, you will get random characters or something like the following:


References

[src1]: https://nifi.apache.org/docs/nifi-docs/html/walkthroughs.html

[src2]: https://bryanbende.com/development/2017/10/03/apache-nifi-openid-connect


Note: This work is partially funded by the European Union's Horizon 2020 research and innovation project RADON (825040).