NiFi supports user authentication via client certificates, via username/password, via Apache Knox, or via OpenId Connect.
Username/password authentication is performed by a 'Login Identity Provider'. The Login Identity Provider is a pluggable mechanism for authenticating users via their username/password. Which Login Identity Provider to use is configured in the nifi.properties file. Currently NiFi offers username/password with Login Identity Providers options for Lightweight Directory Access Protocol (LDAP) and Kerberos.
nifi.login.identity.provider.configuration.file property specifies the configuration file for Login Identity Providers. By default, this property is set to
nifi.security.user.login.identity.provider property indicates which of the configured Login Identity Provider should be used. By default, this property is not configured meaning that username/password must be explicitly enabled.
During OpenId Connect authentication, NiFi will redirect users to login with the Provider before returning to NiFi. NiFi will then call the Provider to obtain the user identity.
During Apache Knox authentication, NiFi will redirect users to login with Apache Knox before returning to NiFi. NiFi will verify the Apache Knox token during authentication.
A user cannot anonymously authenticate with a secured instance of NiFi unless
nifi.security.allow.anonymous.authentication is set to
true. If this is the case, NiFi must also be configured with an
Authorizer that supports authorizing an anonymous user. Currently, NiFi does not ship with
any Authorizers that support this. There is a feature request here to help support it
There are three scenarios to consider when setting
nifi.security.allow.anonymous.authentication. When the user is directly calling an endpoint with no attempted authentication then
nifi.security.allow.anonymous.authentication will control whether the request is authenticated or rejected. The other two scenarios are when the request is proxied. This could either be proxied by a NiFi node (e.g. a node in the NiFi cluster) or by a separate proxy that is proxying a request for an anonymous user. In these proxy scenarios
nifi.security.allow.anonymous.authentication will control whether the request is authenticated or rejected. In all three of these scenarios if the request is authenticated it will subsequently be subjected to normal authorization based on the requested resource.