Apache NiFi Registry System Administrator's Guide
Also available as:

User Authentication

A secured instance of NiFi Registry cannot be accessed anonymously, so a method of user authentication must be configured.

NiFi Registry does not perform user authentication over HTTP. Using HTTP, all users will have full permissions.

Any secured instance of NiFi Registry supports authentication via client certificates that are trusted by the NiFi Registry's SSL Context Truststore. Alternatively, a secured NiFi Registry can be configured to authenticate users via username/password.

Username/password authentication is performed by an 'Identity Provider'. The Identity Provider is a pluggable mechanism for authenticating users via their username/password. Which Identity Provider to use is configured in the nifi-registry.properties file. Currently NiFi Registry offers Identity Providers for LDAP and Kerberos.

Identity Providers are configured using two properties in the nifi-registry.properties file:

  • The nifi.registry.security.identity.providers.configuration.file property specifies the configuration file where identity providers are defined. By default, the identity-providers.xml file located in the root installation conf directory is selected.

  • The nifi.registry.security.identity.provider property indicates which of the configured identity providers in the identity-providers.xml file to use. By default, this property is not configured meaning that username/password must be explicitly enabled.

NiFi Registry can only be configured to use one Identity Provider at a given time.