[https://issues.apache.org/jira/browse/NIFI-1614?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15191661#comment-15191661]
ASF GitHub Bot commented on NIFI-1614:
--------------------------------------
Github user jvwing commented on the pull request:
https://github.com/apache/nifi/pull/267#issuecomment-195596621
@alopresto, thanks for kick-starting the discussion with your feedback,
these are great topics. I address some of the concerns you mention below, and
ask some questions back to you at the end.
#### Incremental Delivery
I propose this PR as a viable first step on a potentially long path. I
believe this increment can be useful to pilot the concept on its own, leaving
further enhancements pending feedback and expressed interest.
#### Credentials File
I decided not to provide a sample credentials XML file. If included, it
would most naturally fit with other configuration files in the `conf`
directory. But the default permissions on the conf directory files are not
appropriate for this credentials file. I felt that including the file at that
location would lead to it simply being left there. On the other hand, creating
an entirely new folder or permission might be presumptuous for a controversial
and unproven feature.
After carefully considering these factors, I chose the lazy and cowardly
way out by just documenting what the file should look like, and leaving it up
to the user to find a home for it.
#### User Management Tool
I provide no tool in this PR for generating password hashes. I simply
document it as "bcrypt 2a, 10 rounds". bcrypt is a standard of sorts, and
there are many libraries and some command-line utilities available for it.
I am absolutely open to providing a tool, bundled in NiFi or sold
separately. I did not find similar command-line utilities shipped with NiFi,
and again, it seemed presumptuous to build out a structure for that at this
time. Am I missing them?
There are also other possible hashing-algorithm and tooling combinations.
We might consider SHA256 or another algorithm that might have better default
installation support. I wasn't really happy with the options OpenSSL provided
(MD5 is widely derided for passwords), but bcrypt fits the bill and was
conveniently included in the Spring package. I'm open to others, and an
obvious future expansion would be to permit several.
#### Comparability with Other Providers
I considered that NiFi provides no tool for generating certificates, does
not include default keystore or truststore files, nor suggest their locations
and what permissions you should or should not have on them. This is an
imperfect comparison, since this intends to be simpler, but perhaps a
reasonable choice for an initial release.
#### General Wisdom Of Doing This At All
This identity provider is opt-in. As you point out, it currently requires
determined configuration and admin work to get it running given that I provide
neither tools nor a credentials file.
#### Questions
* What is required to make this viable?
* Is there a better medium than bcrypt that combines widespread tool
support with decent encryption?
* Are we open to including a command-line user admin tool?
* Are we open to including a sample credentials file? Where would you
recommend it go?
* Are we open to documenting this identity provider on the front-page of
the Admin Guide alongside X.509 and LDAP? Where else should I do so?
> Simple Username/Password Authentication
> ---------------------------------------
>
> Key: NIFI-1614
> URL: https://issues.apache.org/jira/browse/NIFI-1614
> Project: Apache NiFi
> Issue Type: Improvement
> Components: Extensions
> Reporter: James Wing
> Priority: Minor
>
> NiFi should include a simple option for username/password authentication
> backed by a local file store. NiFi's existing certificate and LDAP
> authentication schemes are very secure. However, the configuration and setup
> is complex, making them more suitable for long-lived corporate and government
> installations, but less accessible for casual or short-term use. Simple
> username/password authentication would help more users secure more NiFi
> installations beyond anonymous admin access.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
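The comment documents the credential format as "bcrypt 2a, 10 rounds" but ships no tool to produce it. The following is an added example, not code from the PR or from NiFi, of the kind of stand-alone helper an administrator could use: it generates a hash in that format with Spring Security's `BCryptPasswordEncoder` (the same Spring package the comment mentions), verifies a password against a stored hash, and checks that a stored hash actually is a `$2a$` hash with a cost of at least 10, so a file built with `htpasswd` (`$2y$`) or with a lower cost is caught before it is deployed. The class name `CredentialHashTool`, the subcommand names and the policy check are assumptions for illustration; the only real dependency is `spring-security-crypto` on the classpath.

```java
import java.io.Console;
import java.util.Arrays;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;

/**
 * Hypothetical helper (added example, not part of NiFi or the PR) that
 * produces and checks password hashes in the documented form: bcrypt 2a,
 * 10 rounds. Requires spring-security-crypto on the classpath.
 */
public final class CredentialHashTool {

    /** Cost factor documented in the PR: 2^10 key-expansion rounds. */
    static final int REQUIRED_COST = 10;

    /** Modular-crypt prefix of a bcrypt hash; captures the version and the two-digit cost. */
    private static final Pattern BCRYPT =
            Pattern.compile("^\\$(2[abxy])\\$(\\d{2})\\$[./A-Za-z0-9]{53}$");

    /** Spring's encoder emits the $2a$ version by default; the argument is the cost. */
    private static final BCryptPasswordEncoder ENCODER = new BCryptPasswordEncoder(REQUIRED_COST);

    /** Returns a fresh "$2a$10$..." hash; every call draws a new random 128-bit salt. */
    static String hash(char[] password) {
        return ENCODER.encode(new String(password));
    }

    /** True if the password matches the stored hash (cost and salt are read from the hash). */
    static boolean verify(char[] password, String storedHash) {
        return ENCODER.matches(new String(password), storedHash);
    }

    /**
     * Returns null when the stored hash is in the documented format, otherwise a
     * human-readable reason. Rejects non-bcrypt strings, other bcrypt versions
     * (e.g. $2y$ from htpasswd) and costs below REQUIRED_COST.
     */
    static String policyViolation(String storedHash) {
        Matcher m = BCRYPT.matcher(storedHash);
        if (!m.matches()) {
            return "not a bcrypt hash";
        }
        if (!"2a".equals(m.group(1))) {
            return "bcrypt version is " + m.group(1) + ", expected 2a";
        }
        int cost = Integer.parseInt(m.group(2));
        if (cost < REQUIRED_COST) {
            return "cost " + cost + " is below the required " + REQUIRED_COST;
        }
        return null;
    }

    /** Reads the password from the terminal so it never appears in argv, shell history or ps. */
    private static char[] promptPassword() {
        Console console = System.console();
        if (console == null) {
            throw new IllegalStateException("no interactive console; refusing to read a password from argv");
        }
        return console.readPassword("Password: ");
    }

    public static void main(String[] args) {
        if (args.length == 0) {
            System.err.println("usage: hash | verify <stored-hash> | check <stored-hash>");
            System.exit(2);
        }
        switch (args[0]) {
            case "hash": {
                char[] pw = promptPassword();
                System.out.println(hash(pw));
                Arrays.fill(pw, '\0'); // best effort; the String copy made for Spring cannot be wiped
                break;
            }
            case "verify": {
                char[] pw = promptPassword();
                boolean ok = verify(pw, args[1]);
                Arrays.fill(pw, '\0');
                System.out.println(ok ? "match" : "no match");
                System.exit(ok ? 0 : 1);
                break;
            }
            case "check": {
                String problem = policyViolation(args[1]);
                System.out.println(problem == null ? "ok" : problem);
                System.exit(problem == null ? 0 : 1);
                break;
            }
            default:
                System.err.println("unknown command: " + args[0]);
                System.exit(2);
        }
    }
}
```

Run `java -cp spring-security-crypto.jar:. CredentialHashTool hash` and paste the printed `$2a$10$...` string into the credentials file; `check` is worth running over every hash in the file after editing, because bcrypt stores its version and cost in the hash itself, so a weaker entry would otherwise be accepted silently at login time.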