An identity provider for Apache NiFi 1.0.0 or later, providing authentication of users based on username/password credentials. Credentials are stored in a local file with Bcrypt-hashed passwords. This may be suitable for environments without LDAP or Kerberos, or when X.509 client certificates are impractical.
To install and use this provider you must complete the following steps:
- Build the provider NAR file
- Deploy the provider NAR file to your NiFi installation
- Configure NiFi for HTTPS
- Configure the File Authorization Provider in login-identity-providers.xml
- Set the identity of the File Authorization Provider in nifi.properties
- Add users and their Bcrypt-hashed passwords to login-credentials.xml
Build this package with:

```shell
mvn clean package
```

You will need to deploy the resulting NAR file from the nifi-file-identity-provider-nar/target directory (the NAR file will look like nifi-file-identity-provider-nar-1.0.0.nar).
The provider NAR file should be deployed to your NiFi's lib directory.
NiFi must be configured for HTTPS, including at least the following settings in nifi.properties:
- nifi.web.https.port
- nifi.security.keystore
- nifi.security.keystoreType
- nifi.security.keystorePasswd
- nifi.security.keyPasswd
- nifi.security.truststore
- nifi.security.truststoreType
- nifi.security.truststorePasswd
Please see the NiFi Administration Guide for more information on secure access configurations.
The following Login Identity Provider configuration should be added to login-identity-providers.xml:

```xml
<provider>
    <identifier>file-identity-provider</identifier>
    <class>com.batchiq.nifi.authentication.file.FileIdentityProvider</class>
    <property name="Credentials File">conf/login-credentials.xml</property>
    <property name="Authentication Expiration">12 hours</property>
</provider>
```
After the provider itself is configured, reference this provider in nifi.properties:

```properties
nifi.security.user.login.identity.provider=file-identity-provider
```
User credentials must be initialized in the credentials store file conf/login-credentials.xml. This is an XML file with the following format:

```xml
<!--
    This file contains users and their hashed passwords. Please see the
    com.batchiq.nifi.authentication.file.CredentialsStore for details.

    User Format:
        name         - must match the "identity" in authorized-users.xml
        passwordHash - hashed passwords in Bcrypt 2a format / 10 rounds, looks
                       like "$2a$10$24wB0UAUsRbOXz4KRZ5KlenzcEddnhIyXMyPkpTnS/29Tt12jfJJW"
-->
<credentials>
    <!--
    <user name="admin" passwordHash="(reset to populate)" />
    -->
</credentials>
```
Any tool capable of generating Bcrypt type 2a hashed passwords may be used. This package includes a simple command-line utility in the PasswordHasherCLI class (see below). Additional known compatible tools and APIs include:
- Spring Security's BCryptPasswordEncoder class
- Python package bcrypt
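As an added example (not part of the nifi-file-identity-provider project), the following Python script checks a login-credentials.xml for the mistakes a reviewer looks for (plaintext or placeholder values in passwordHash, hashes that are not in the documented $2a$ format, a cost below the documented 10 rounds, duplicate user names) and appends a user with a properly generated hash. It assumes the file layout shown above; validation needs only the standard library, while hash_password() and verify_password() use the bcrypt PyPI package listed above, passing prefix=b"2a" because that package defaults to $2b$.

```python
"""Validate and update a nifi-file-identity-provider login-credentials.xml.

Added example, not the project's own code. Assumes the documented layout:
a <credentials> root containing <user name=".." passwordHash=".."/> elements,
with passwordHash in bcrypt $2a$ format.
"""
import re
import xml.etree.ElementTree as ET

# bcrypt 2a hash: "$2a$", two-digit cost, "$", then 22-char salt + 31-char digest
# (53 chars in bcrypt's ./A-Za-z0-9 alphabet), 60 characters in total.
BCRYPT_2A = re.compile(r"^\$2a\$(\d{2})\$[./A-Za-z0-9]{53}$")
DOCUMENTED_ROUNDS = 10  # the cost the provider's documentation describes


def check_credentials(xml_text):
    """Return a list of problems; an empty list means every user entry looks sane."""
    problems = []
    root = ET.fromstring(xml_text)
    if root.tag != "credentials":
        return ["root element is <%s>, expected <credentials>" % root.tag]
    seen = set()
    for user in root.findall("user"):
        name = user.get("name")
        password_hash = user.get("passwordHash", "")
        if not name:
            problems.append("user element without a name")
            continue
        if name in seen:
            problems.append("duplicate user %r" % name)
        seen.add(name)
        match = BCRYPT_2A.match(password_hash)
        if not match:
            # Catches plaintext, the "(reset to populate)" placeholder and non-2a variants
            problems.append("user %r: passwordHash is not a bcrypt $2a$ hash" % name)
        elif int(match.group(1)) < DOCUMENTED_ROUNDS:
            problems.append("user %r: cost %s is below the documented %d rounds"
                            % (name, match.group(1), DOCUMENTED_ROUNDS))
    return problems


def list_users(xml_text):
    """Names of all users in the file, in file order."""
    return [u.get("name") for u in ET.fromstring(xml_text).findall("user")]


def hash_password(password, rounds=DOCUMENTED_ROUNDS):
    """bcrypt $2a$ hash of the password (requires the bcrypt package)."""
    import bcrypt
    salt = bcrypt.gensalt(rounds=rounds, prefix=b"2a")  # keep the documented $2a$ identifier
    return bcrypt.hashpw(password.encode("utf-8"), salt).decode("ascii")


def verify_password(password, password_hash):
    """True when the password matches the stored hash (requires the bcrypt package)."""
    import bcrypt
    return bcrypt.checkpw(password.encode("utf-8"), password_hash.encode("ascii"))


def add_user(xml_text, name, password_hash):
    """Return new XML text with the user appended; refuses duplicates and bad hashes."""
    if not BCRYPT_2A.match(password_hash):
        raise ValueError("refusing to store a passwordHash that is not a bcrypt $2a$ hash")
    root = ET.fromstring(xml_text)
    if any(u.get("name") == name for u in root.findall("user")):
        raise ValueError("user %r already exists" % name)
    ET.SubElement(root, "user", name=name, passwordHash=password_hash)
    return ET.tostring(root, encoding="unicode")


# Constructed sample: the first hash is the documentation's example value; the
# other two entries are deliberately wrong (plaintext, duplicate name + placeholder).
SAMPLE_XML = """<credentials>
  <user name="admin" passwordHash="$2a$10$24wB0UAUsRbOXz4KRZ5KlenzcEddnhIyXMyPkpTnS/29Tt12jfJJW" />
  <user name="jane" passwordHash="hunter2" />
  <user name="admin" passwordHash="(reset to populate)" />
</credentials>
"""

if __name__ == "__main__":
    for problem in check_credentials(SAMPLE_XML):
        print("PROBLEM:", problem)
```

Run the script against conf/login-credentials.xml after editing it by hand, before restarting NiFi; the provider will reject a malformed hash only at login time, which is harder to diagnose.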
This package includes a command-line tool for simple operations on users and passwords. Use of this tool is not required; it is possible to administer users with a text editor and any tool capable of generating Bcrypt 2a hashes.

The JAR file nifi-file-identity-provider-1.0.0-cli.jar is output in the nifi-file-identity-provider/target directory.
Add a user; you will be prompted for a password:

```
>java -jar nifi-file-identity-provider-1.0.0-cli.jar add credentials.xml jane
Password for jane: ****
Added user jane
```

Reset a password; you will be prompted for the new password:

```
>java -jar nifi-file-identity-provider-1.0.0-cli.jar reset credentials.xml jane
New Password for jane:
Password reset for user jane
```

List users:

```
>java -jar nifi-file-identity-provider-1.0.0-cli.jar list credentials.xml
john
jane
frank
```

Delete a user:

```
>java -jar nifi-file-identity-provider-1.0.0-cli.jar remove credentials.xml frank
Removed user frank
```
Apache License 2.0