Authenticating REST calls (/nifi-api) with an OIDC-secured NiFi instance - apache-nifi

Has anyone been able to make progress on successfully authenticating via REST calls (/nifi-api) with an OIDC-secured NiFi instance? I've scoured the interwebs and see a lot of old posts asking about it, but no updated info.
I have NiFi configured such that we can successfully authenticate via the UI with a redirect to Azure Active Directory. However, we need to now start building a custom application that can edit flows on users’ behalf, and thus our application needs to communicate directly with NiFi APIs. I’ve played around with creating a new Service Principal in Azure and getting a bearer token for that service principal, which is in the same tenant that my OIDC setup is configured to, but I cannot for the life of me figure out how to trade that valid (from AAD’s perspective) Bearer token for a JWT from NiFi. Is there any programmatic way of interacting with the /access/oidc/exchange endpoint?
I can reach into the browser and copy the JWT from an authenticated browser session with the NiFi UI and execute REST calls with /nifi-api that way and it works, but that's obviously not a valid flow here. We need something that doesn't rely on browser redirects.

NiFi does not support this feature yet. Please refer to the Jira issue here: https://issues.apache.org/jira/browse/NIFI-11014
I managed to access NiFi APIs from a Java program using X.509 authentication. Below are the steps.
NiFi 1.15.3 is secured with Keycloak using the OIDC protocol.
A composite file-user-group provider is configured in the authorizers.xml file.
<userGroupProvider>
  <identifier>file-user-group-provider</identifier>
  <class>org.apache.nifi.authorization.FileUserGroupProvider</class>
  <property name="Users File">./conf/users.xml</property>
  <property name="Legacy Authorized Users File"></property>
  <property name="Initial User Identity 1">CN=api_client, OU=**, O=**, ST=**, C=**</property>
</userGroupProvider>
<userGroupProvider>
  <identifier>composite-user-group-provider</identifier>
  <class>org.apache.nifi.authorization.CompositeUserGroupProvider</class>
  <property name="User Group Provider 1">file-user-group-provider</property>
  <property name="User Group Provider 2">ldap-user-group-provider</property>
</userGroupProvider>
<accessPolicyProvider>
  <identifier>file-access-policy-provider</identifier>
  <class>org.apache.nifi.authorization.FileAccessPolicyProvider</class>
  <property name="User Group Provider">composite-user-group-provider</property>
  <property name="Authorizations File">./conf/authorizations.xml</property>
  <property name="Initial Admin Identity">***</property>
  <property name="Legacy Authorized Users File"></property>
  <property name="Node Identity 1"></property>
  <property name="Node Group"></property>
  <property name="NiFi Identity 1">CN=api_client, OU=dastc, O=**, L=**, ST=**, C=**</property>
</accessPolicyProvider>
I have generated a client certificate and set its DN as the NiFi Identity property: CN=api_client, OU=**, O=**, L=**, ST=**, C=**
Started the NiFi server.
Logged in to the NiFi UI as the initial admin and granted all global access policies and component-level access policies to the flow.
Developed a Java program using a mutual SSL handshake (sending the client certificate via the SSL context), and now I can invoke NiFi APIs.
Test the authentication API:
curl https://****:9443/nifi-api/access --insecure --cacert root-ca.pem --key api_client.key --cert api_client.cert.pem
Response: {"accessStatus":{"identity":"CN=api_client, OU=**, O=**, L=**, ST=**, C=**","status":"ACTIVE","message":"Access Granted: Certificate authenticated."}}
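The same mutual-TLS call to /nifi-api/access, as an added Python (stdlib only) example that is not code from the answer above; the host, port and file names are assumptions, and the sample response is constructed from the one shown above with placeholder DN values. It also checks that the identity NiFi returns is exactly the string granted policies in authorizers.xml, since NiFi compares identities as exact strings.

```python
import http.client
import json
import ssl

def mtls_context(ca_file: str, cert_file: str, key_file: str) -> ssl.SSLContext:
    """TLS context trusting only the given root CA and presenting the client
    certificate/key in the handshake (what curl's --cacert/--cert/--key do above)."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=ca_file)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.load_cert_chain(certfile=cert_file, keyfile=key_file)
    # Hostname and chain verification stay on; unlike curl --insecure a bad server cert fails.
    return ctx

def parse_access_status(body: str, expected_identity: str) -> dict:
    """Evaluate the JSON from GET /nifi-api/access: was the certificate accepted,
    and did NiFi map it to exactly the identity string that authorizers.xml
    (NiFi Identity / Initial User Identity) grants policies to? NiFi compares
    identities as exact strings, so spacing or attribute-order differences matter."""
    status = json.loads(body)["accessStatus"]
    return {
        "identity": status["identity"],
        "authenticated": status["status"] == "ACTIVE",
        "matches_policy_identity": status["identity"] == expected_identity,
        "message": status.get("message", ""),
    }

def check_access(host: str, port: int, ctx: ssl.SSLContext, expected_identity: str) -> dict:
    """Perform the mutual-TLS GET against /nifi-api/access and evaluate the answer."""
    conn = http.client.HTTPSConnection(host, port, context=ctx, timeout=10)
    try:
        conn.request("GET", "/nifi-api/access", headers={"Accept": "application/json"})
        resp = conn.getresponse()
        body = resp.read().decode("utf-8")
    finally:
        conn.close()
    if resp.status != 200:
        raise RuntimeError(f"/nifi-api/access returned HTTP {resp.status}: {body[:200]}")
    return parse_access_status(body, expected_identity)

# Constructed sample: the response shown above, masked DN parts replaced by placeholders.
EXPECTED_DN = "CN=api_client, OU=ou, O=org, L=city, ST=state, C=XX"
SAMPLE_RESPONSE = json.dumps({"accessStatus": {"identity": EXPECTED_DN, "status": "ACTIVE",
                              "message": "Access Granted: Certificate authenticated."}})

if __name__ == "__main__":
    # Live call (hypothetical host and file names):
    # ctx = mtls_context("root-ca.pem", "api_client.cert.pem", "api_client.key")
    # print(check_access("nifi.example.internal", 9443, ctx, EXPECTED_DN))
    print(parse_access_status(SAMPLE_RESPONSE, EXPECTED_DN))
```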

Related

unable to login in NiFi when integrated with LDAP

I have generated certificates for the Initial Admin Identity using the TLS toolkit and secured my standalone NiFi node. I am able to log in with the Initial Admin Identity via client certificates. I have also created my LDAP users in NiFi and given them permissions to view and modify the NiFi UI using the Initial Admin Identity user.
But when I try to log in with my LDAP users, I get "Unable to login" in the NiFi UI.
LDAP Configuration:
<provider>
  <identifier>ldap-provider</identifier>
  <class>org.apache.nifi.ldap.LdapProvider</class>
  <property name="Authentication Strategy">SIMPLE</property>
  <property name="Manager DN">cn=admin,dc=example,dc=org</property>
  <property name="Manager Password">admin</property>
  <property name="Referral Strategy">IGNORE</property>
  <property name="Connect Timeout">10 secs</property>
  <property name="Read Timeout">10 secs</property>
  <property name="Url">ldap://192.168.99.100</property>
  <property name="User Search Base">dc=example,dc=org</property>
  <property name="User Search Filter">cn={0}</property>
  <property name="Authentication Expiration">12 hours</property>
</provider>
There is no information in the NiFi app and user logs related to the unable-to-login issue.
Can someone suggest where things are going wrong and why I am getting "Unable to login" in the NiFi UI? How can we successfully log in to NiFi with LDAP as the authentication provider?

Are userDn and Password needed for authentication type None or not?

I am developing an application in Spring MVC and JPA with Spring Security. I am now integrating OUD (Oracle Unified Directory) through LDAP. If the authentication type is none, is there any need for userDn and Password?
<bean id="contextSource" class="org.springframework.security.ldap.DefaultSpringSecurityContextSource">
  <constructor-arg value="ldaps://192.168.0.182:1636/o=company"/>
  <property name="userDn" value="cn=userid,ou=groups,o=company"/>
  <property name="password" value="password"/>
</bean>
I am new to LDAP. To my understanding, userDn and Password are needed when the authentication type is simple.
Please help me to understand.
You are correct: authentication type none implies a so-called anonymous bind, where you access the LDAP directory without authentication and with public rights.
Typically, this is used to resolve a username into the full Distinguished Name (DN) of the user that is logging in. A DN is usually of the form CN=user,OU=department,O=organization.
For any other authentication type, you will need the DN of the user logging in, and a credential. When you are accessing Active Directory you may also log in using the User Principal Name of the form user@domain. Don't encourage that :-/

Avoid JDBCTokenStore in spring Oauth2

I was creating a Spring OAuth2 application. It works, but I have a doubt.
Based on this URL http://projects.spring.io/spring-security-oauth/docs/oauth2.html there are only 2 real options: JdbcTokenStore and JwtTokenStore.
Is it possible to use JdbcTokenStore but not refer to it in the resource servers?
I mean, can we have it referred to directly only in the AuthorizationServer, and have the resource servers use an endpoint from the AuthorizationServer instead of configuring another direct JdbcTokenStore reference?
Motive: I want to avoid sharing a database between the AuthorizationServer and multiple ResourceServers. Is there any other way to achieve this?
In your resource servers you can use RemoteTokenServices. This class queries the /check_token endpoint present in the Authorization Server to verify tokens.
You can have a database only for the authentication server and other databases for your resource servers.
<bean id="tokenServices" class="org.springframework.security.oauth2.provider.token.RemoteTokenServices">
  <property name="checkTokenEndpointUrl" value="${auth.service.url:https://localhost:8443/auth-service}/oauth/check_token"/>
  <property name="clientId" value="${auth.client.name:TEST_API}"/>
  <property name="clientSecret" value="${auth.client.secret:password}"/>
  <property name="accessTokenConverter" ref="accessTokenConverter"/>
  <property name="restTemplate" ref="oauth2RestTemplate"/>
</bean>

Spring Security SAML autologin for user in domain

I've got an application with Spring Security SAML filters. It is configured with ADFS 2.0. The server is on a machine outside the domain. I try to log in to my app with a user's domain account (but a window to input the domain user's credentials is displayed). Is there a possibility to configure this to auto-login the user with the domain user we are logged on to Windows as?
Thanks a lot.
You can configure a custom authnContext sent in your SAML request by changing the samlEntryPoint bean in the following way:
<bean id="samlEntryPoint" class="org.springframework.security.saml.SAMLEntryPoint">
  <property name="defaultProfileOptions">
    <bean class="org.springframework.security.saml.websso.WebSSOProfileOptions">
      <property name="authnContexts" value="urn:federation:authentication:windows"/>
    </bean>
  </property>
</bean>

Spring security, x509 and switching user

Here's the scenario. I have a WAR that is connected to over SSL from an Eclipse RCP client using an X.509 certificate. After I have verified that I have the certificate, I want to retrieve the user details (i.e. implement loadUserByUsername) and read the userId from the request header (supplied by the client) and NOT use the DN supplied by the certificate. Is this possible? Essentially I trust the caller to supply me with the userId that I should use in my Spring Security context.
My Spring configuration currently looks like this and works for the standard case of extracting the DN from the X.509 cert and loading the user.
<security:http>
  <security:intercept-url pattern="/**" requires-channel="https" />
  <security:x509 subject-principal-regex="^(.*?)$" />
</security:http>
<security:authentication-manager>
  <security:authentication-provider user-service-ref="myUserDetailsService" />
</security:authentication-manager>
I need this to support the scenario of PKI client (user1) -> PKI service A -> PKI service B (run service B as user1).