Thanks Bryan,
I’m not overly excited about syncing users/groups. Replicating data has its own
minefield of problems.
So I do like the second idea of implementing an LDAP Authorizer which could
potentially use a configuration to query the directory and extract “memberOf”
elements and treat these like groups which can be statically mapped to
policies. So bypass the user definition, and just generate a UUID for the user
and assign to a group like…
<tenants>
  <groups>
    <group identifier="de1d560f-0159-1000-9177-8d7d37454c0a" memberOf="CN=MyGroup,OU=MyTeam,DC=MyOrg" />
    <group identifier="de1d560f-0159-1000-9177-8d7d37454c0b" memberOf="CN=ThisGroup,OU=MyTeam,DC=MyOrg" />
    <group identifier="de1d560f-0159-1000-9177-8d7d37454c0c" memberOf="CN=ThatGroup,OU=MyTeam,DC=MyOrg" />
  </groups>
</tenants>
Then map that to authorizations per normal.
I like the idea of generating the users in-memory from the LDAP object rather
than caching/syncing on disk. Leave the data in the directory, just match to
the groups and assign security from that.
I’m a pretty rusty developer, but I’ll fork the repo and have a look to see if
I can make sense of what I’d need to do.
Thanks again for the tips.
Tim.
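As an added illustration of the in-memory matching sketched above (example code written for this thread, not code from NiFi or from either author), the snippet below loads a mapping in the proposed tenants shape, normalises DNs before comparing them, and derives a stable user identifier from the LDAP entry instead of storing the user on disk. The sample XML and the LDAP attributes are constructed; the real NiFi Authorizer interface is not used here.

```python
import uuid
import xml.etree.ElementTree as ET

# Constructed sample mapping in the shape proposed above (not real configuration).
TENANTS_XML = """<tenants>
  <groups>
    <group identifier="de1d560f-0159-1000-9177-8d7d37454c0a" memberOf="CN=MyGroup,OU=MyTeam,DC=MyOrg"/>
    <group identifier="de1d560f-0159-1000-9177-8d7d37454c0b" memberOf="CN=ThisGroup,OU=MyTeam,DC=MyOrg"/>
    <group identifier="de1d560f-0159-1000-9177-8d7d37454c0c" memberOf="CN=ThatGroup,OU=MyTeam,DC=MyOrg"/>
  </groups>
</tenants>"""

def normalize_dn(dn):
    """Canonicalise a DN before comparing it: attribute types and (in Active
    Directory) values match case-insensitively, and whitespace around ',' and
    '=' is not significant. Simplified: escaped commas and multi-valued RDNs
    are not handled, so a production matcher should use a real DN parser."""
    rdns = [rdn.strip() for rdn in dn.split(",") if rdn.strip()]
    return ",".join("=".join(t.strip().lower() for t in rdn.split("=", 1)) for rdn in rdns)

def load_group_map(xml_text):
    """Build {normalized memberOf DN: NiFi group identifier} from the tenants XML."""
    root = ET.fromstring(xml_text)
    return {normalize_dn(g.get("memberOf")): g.get("identifier") for g in root.iter("group")}

def resolve_user(user_dn, member_of, group_map):
    """Derive an in-memory user from an LDAP entry without persisting it.
    The identifier is a uuid5 of the user's DN, so the same directory entry maps
    to the same identity on every login; a random uuid4 would break policy
    references across restarts. Only memberOf values with a static mapping
    count: unmapped directory groups confer nothing, so the directory cannot
    grant access that the policies never named."""
    user_id = str(uuid.uuid5(uuid.NAMESPACE_X500, normalize_dn(user_dn)))
    groups = sorted({group_map[normalize_dn(m)] for m in member_of if normalize_dn(m) in group_map})
    return user_id, groups

if __name__ == "__main__":
    # Constructed LDAP attributes for one user, as the directory might return them.
    entry_dn = "CN=Tim,OU=People,DC=MyOrg"
    entry_member_of = ["cn=mygroup, ou=myteam, dc=myorg", "CN=Unmapped,OU=Other,DC=MyOrg"]
    print(resolve_user(entry_dn, entry_member_of, load_group_map(TENANTS_XML)))
```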
From: Bryan Bende [mailto:[email protected]]
Sent: Monday, 30 January 2017 10:25 AM
To: [email protected]
Subject: Re: LDAP Group Authorization
Hi Tim,
Currently NiFi only supports LDAP for authentication (i.e. login identity
provider). In this case it is only using the LDAP to determine if the provided
username and password are valid.
For authorization there are currently two options - NiFi's policy-based
authorizer and the Apache Ranger authorizer. With NiFi's policy-based
authorizer, all of the users and groups have to be defined in NiFi, and then
policies are defined for those users and groups. All of this is stored in the
users.xml and authorizations.xml you referenced.
I think there are two different improvements that might help with what you are
looking for...
The first would be a utility that could sync users/groups from LDAP into NiFi's
policy-based authorizer. In this case you would still define all the policies
in NiFi, but you wouldn't have to manually redefine the users and groups. You
could probably create a simple tool that read from your LDAP and pushed
users/group into NiFi using NiFi's REST API. Of course it gets a little tricky
to keep this in sync when users are deleted, or their groups are changed, but
it could be done.
The second would be an Authorizer implementation that used LDAP. The Authorizer
interface is an extension point and you could create a custom NAR with an
authorizer implementation and deploy it to the lib directory. It's just that no
one has gotten around to creating one that used LDAP yet. Either of the
existing authorizers would be good examples to look at.
Thanks,
Bryan
On Sun, Jan 29, 2017 at 4:56 PM, Timothy Findlay
<[email protected]> wrote:
Hello Nifi Users,
I have been getting Nifi up and running with LDAP, and this seems to work for
authentication, however it looks like I have to do the authorization part
manually.
So far, I have made the “login-identity-providers.xml” and set:
nifi.login.identity.provider.configuration.file=./conf/login-identity-providers.xml
nifi.security.user.login.identity.provider=ldap-provider
I know I can configure my admin user/group in “users.xml” and the
authorizations in “authorizations.xml”.
But I can't work out how to configure it to use LDAP groups. I suspect I need to
put something in authorizers.xml, but can't find much documentation on this. Any
tips/examples of how I can map the groups?
Thanks,
Tim.