Identity and policies in Apache NiFi

When a user accesses NiFi, NiFi first determines the identity of the user, then the user group the user belongs to, and then the access policies assigned to the user.

The following image explains the link between authentication and authorization:
When a user accesses NiFi, the following actions take place:
  1. NiFi determines the identity of the user:
    • If the user configures a client certificate, the distinguished name (DN) associated with the client certificate will be the identity of the user. NiFi nodes use this method to authenticate each other.
    • If the user passes Kerberos credentials along with the access request, the Kerberos principal will be the identity of the user.
    • If the user accesses NiFi through Knox, the authentication (login/password) is done at the Knox level, against the identity provider configured in Knox. If the user is allowed to access the NiFi service (Ranger policies defined for Knox), then the user name that is passed to NiFi will be the identity of the user.
  2. NiFi determines the group the user belongs to.
  3. NiFi determines the policies assigned to the user.
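
The three steps above, modelled as an added Python example (not NiFi code and not part of the original page). The group and policy tables, the `Credential` type and all function names are constructed for illustration, and the model assumes that identities are compared as exact strings and that a policy can be assigned to a user directly or to a group.

```python
from dataclasses import dataclass

# Constructed sample data (not from a real NiFi instance).
GROUPS = {
    "flow-admins": {"CN=alice, OU=NiFi"},
    "nifi-nodes": {"CN=node1.example.com, OU=NiFi"},
    "analysts": {"bob@EXAMPLE.COM", "carol"},
}
# (resource, action) -> (identities assigned directly, groups assigned)
POLICIES = {
    ("/flow", "read"): (set(), {"flow-admins", "analysts", "nifi-nodes"}),
    ("/controller", "write"): (set(), {"flow-admins"}),
    ("/proxy", "write"): (set(), {"nifi-nodes"}),
    ("/provenance", "read"): ({"bob@EXAMPLE.COM"}, set()),
}

@dataclass(frozen=True)
class Credential:
    kind: str   # "certificate", "kerberos" or "knox"
    value: str  # certificate DN, Kerberos principal, or user name passed by Knox

def identity_of(cred):
    """Step 1: the identity is the string carried by the credential."""
    if cred.kind not in ("certificate", "kerberos", "knox"):
        raise ValueError(f"unsupported credential kind: {cred.kind!r}")
    if not cred.value:
        raise ValueError("empty identity")
    return cred.value  # assumption: matched as an exact string from here on

def groups_of(identity):
    """Step 2: groups whose member list contains the identity."""
    return {name for name, members in GROUPS.items() if identity in members}

def policies_of(identity):
    """Step 3: policies assigned to the identity directly or through a group."""
    groups = groups_of(identity)
    return {policy for policy, (users, assigned_groups) in POLICIES.items()
            if identity in users or assigned_groups & groups}

def resolve(cred):
    identity = identity_of(cred)
    return identity, groups_of(identity), policies_of(identity)

if __name__ == "__main__":
    for cred in (Credential("certificate", "CN=alice, OU=NiFi"),
                 Credential("kerberos", "bob@EXAMPLE.COM"),
                 Credential("knox", "carol"),
                 # Same DN without the space: a different string, so no match.
                 Credential("certificate", "CN=alice,OU=NiFi")):
        print(resolve(cred))
```

In this model the last credential resolves to an identity with no groups and no policies, which is the case to check first when a user authenticates successfully but is denied every resource.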