Identity and policies in NiFi

When a user accesses NiFi, NiFi first determines the identity of the user, then the user group the user belongs to, and then the access policies assigned to the user.

The following image explains the link between authentication and authorization:

When a user accesses NiFi, the following actions take place:
  1. NiFi determines the identity of the user:
    • If the user configures a private key, the distinguished name associated to the private key will be the identity of the user. NiFi nodes use this method to authenticate each other.
    • If the user passes Kerberos credentials along with the access request, the Kerberos principal will be the identity of the user.
    • If the user accesses NiFi through Knox, the authentication (login/password) is done at the Knox level (against the configured identity provider at Knox level) and if the user is allowed to access the NiFi service (Ranger policies defined for Knox), then the user name that is passed to NiFi will be the identity of the user.
  2. NiFi determines the group the user belongs to.
  3. NiFi determines the policies assigned to the user.