Hi Tim,

Currently NiFi only supports LDAP for authentication (i.e. login identity provider). In this case it is only using the LDAP to determine if the provided username and password are valid.

For authorization there are currently two options - NiFi's policy-based authorizer and the Apache Ranger authorizer. With NiFi's policy-based authorizer, all of the users and groups have to be defined in NiFi, and then policies are defined for those users and groups. All of this is stored in the users.xml and authorizations.xml you referenced.

I think there are two different improvements that might help with what you are looking for...

The first would be a utility that could sync users/groups from LDAP into NiFi's policy-based authorizer. In this case you would still define all the policies in NiFi, but you wouldn't have to manually redefine the users and groups. You could probably create a simple tool that read from your LDAP and pushed users/groups into NiFi using NiFi's REST API. Of course it gets a little tricky to keep this in sync when users are deleted, or their groups are changed, but it could be done.

The second would be an Authorizer implementation that used LDAP. The Authorizer interface is an extension point and you could create a custom NAR with an authorizer implementation and deploy it to the lib directory. It's just that no one has gotten around to creating one that used LDAP yet. Either of the existing authorizers would be good examples to look at.

Thanks,

Bryan

On Sun, Jan 29, 2017 at 4:56 PM, Timothy Findlay <[email protected]> wrote:

> Hello Nifi Users,
>
> I have been getting Nifi up and running with LDAP, and this seems to work
> for authentication, however it looks like I have to do the authorization
> part manually.
>
> So far, I have made the "login-identity-providers.xml" and set:
>
> nifi.login.identity.provider.configuration.file=./conf/login-identity-providers.xml
>
> nifi.security.user.login.identity.provider=ldap-provider
>
> I know I can configure my admin user/group in "users.xml" and the
> authorizations in "authorizations.xml".
>
> But I can't work out how to configure it to use LDAP groups. I suspect I
> need to put something in authorizers.xml, but can't find much documentation
> on this. Any tips/examples of how I can map the groups?
>
> Thanks,
>
> Tim.
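A sketch of the first approach Bryan describes, added here as an example and not code from the thread or from NiFi itself: given a snapshot of LDAP group membership and the users/groups NiFi currently knows about, compute the create/delete/update operations needed to reconcile them, with the deleted-user and changed-group cases Bryan calls out kept as separate, reviewable lists. The LDAP snapshot and NiFi state are constructed inline; the `/nifi-api/tenants/...` endpoint names and the request body shape are assumptions about NiFi's REST API and are not called here.

```python
import json

# Constructed LDAP snapshot: group name -> member identities, using whatever
# identity string NiFi ends up with for the LDAP DN (uid here, as an assumption).
LDAP_GROUPS = {
    "nifi-admins": {"alice"},
    "nifi-operators": {"bob", "carol"},
}

# Constructed NiFi state, shaped like GET /nifi-api/tenants/users and
# GET /nifi-api/tenants/user-groups report it (assumed): identity -> NiFi id,
# and group name -> {"id": NiFi id, "users": member identities}.
NIFI_USERS = {"alice": "u1", "bob": "u2", "dave": "u3"}
NIFI_GROUPS = {
    "nifi-admins": {"id": "g1", "users": {"alice"}},
    "nifi-operators": {"id": "g2", "users": {"bob", "dave"}},
}


def plan_sync(ldap_groups, nifi_users, nifi_groups):
    """Compute the changes needed to make NiFi's users/groups match LDAP.

    Deletions (the case Bryan flags as tricky) are returned as their own
    lists so an operator can review them instead of applying them blindly.
    """
    wanted = set().union(*ldap_groups.values())
    plan = {
        "create_users": sorted(wanted - nifi_users.keys()),
        "delete_users": sorted(nifi_users.keys() - wanted),
        "create_groups": sorted(ldap_groups.keys() - nifi_groups.keys()),
        "delete_groups": sorted(nifi_groups.keys() - ldap_groups.keys()),
        "update_groups": {},  # group name -> full new member list
    }
    for name, members in ldap_groups.items():
        if name in nifi_groups and nifi_groups[name]["users"] != members:
            plan["update_groups"][name] = sorted(members)
    return plan


def user_create_body(identity):
    """JSON body for POST /nifi-api/tenants/users (assumed endpoint and shape)."""
    return json.dumps({"revision": {"version": 0},
                       "component": {"identity": identity}})


if __name__ == "__main__":
    print(json.dumps(plan_sync(LDAP_GROUPS, NIFI_USERS, NIFI_GROUPS), indent=2))
```

With the constructed data the plan creates carol, flags dave for deletion, and replaces nifi-operators' membership, which is exactly the drift a periodic sync job has to handle.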
