Identity Mapping Properties
These properties can be utilized to normalize user identities. When implemented, identities authenticated by different identity providers (certificates, LDAP, Kerberos) are treated the same internally in NiFi. As a result, duplicate users are avoided and user-specific configurations such as authorizations only need to be setup once per user.
The following examples demonstrate normalizing DNs from certificates and principals from Kerberos:
nifi.security.identity.mapping.pattern.dn=^CN=(.*?), OU=(.*?), O=(.*?), L=(.*?), ST=(.*?), C=(.*?)$ nifi.security.identity.mapping.value.dn=$1@$2 nifi.security.identity.mapping.pattern.kerb=^(.*?)/instance@(.*?)$ nifi.security.identity.mapping.value.kerb=$1@$2
The last segment of each property is an identifier used to associate the pattern with
the replacement value. When a user makes a request to NiFi, their identity is checked to
see if it matches each of those patterns in lexicographical order. For the first one that
matches, the replacement specified in the
nifi.security.identity.mapping.value.xxxx
property is used. So a
login with CN=localhost, OU=Apache NiFi, O=Apache, L=Santa Monica, ST=CA,
C=US
matches the DN mapping pattern above and the DN mapping value
$1@$2
is applied. The user is normalized to localhost@Apache
NiFi
.
These mappings are also applied to the "Initial Admin Identity" and "Cluster Node Identity" properties in the authorizers.xml file (See Authorizers.xml Setup).