Yes, you can think of it the same as how NiFi -> NiFi Registry works...

User accesses NiFi and authenticates in some way, could be client
cert, they then perform an action that calls registry. NiFi makes a
2-way TLS connection to registry using its own server cert and sends
the end user identity to NiFi Registry in the X-ProxiedEntitiesChain
header.

NiFi Registry then sees the NiFi server's client certificate, sees that
there is X-ProxiedEntities, authorizes that the NiFi service is allowed to
proxy (as well as any other identities in the chain besides the top
entry for the user), and if so then proceeds to authorize the rest of
the request as the end user identity.

On Wed, Oct 20, 2021 at 10:10 AM Shawn Weeks <swe...@weeksconsulting.us> wrote:
>
> I didn't know that was supported. Does this require the Proxy to do 2-way ssl 
> back to NiFi?
>
> Thanks
> Shawn
>
> -----Original Message-----
> From: Bryan Bende <bbe...@gmail.com>
> Sent: Wednesday, October 20, 2021 9:02 AM
> To: users@nifi.apache.org
> Subject: Re: Nifi and Registry behind Citrix ADC.
>
> If the load balancer can pass the client cert DN in the 
> X-ProxiedEntitiesChain header, then it doesn't have to be a straight pass 
> through. The load balancer identity would need to be authorized as a proxy in 
> NiFi or NiFi Registry.
>
> https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#proxy_configuration
>
> On Tue, Oct 19, 2021 at 8:43 PM Shawn Weeks <swe...@weeksconsulting.us> wrote:
> >
> > If you’re authenticating with 2-way ssl you’ll have to setup your load
> > balancer to directly pass the TCP traffic through. Otherwise NiFi
> > doesn’t see the users cert. NiFi doesn’t currently support getting the
> > SSL Cert name from an HTTP Header like some other systems do. Usually
> > if you're using an HTTP Load Balancer you'd authenticate with SSO(SAML
> > or OIDC) or LDAP(Username/Password)
> >
> >
> >
> > Thanks
> >
> > Shawn
> >
> >
> >
> > From: Jens M. Kofoed <jmkofoed....@gmail.com>
> > Sent: Tuesday, October 19, 2021 1:16 AM
> > To: users@nifi.apache.org
> > Subject: Re: Nifi and Registry behind Citrix ADC.
> >
> >
> >
> > Only if you want other ways to authenticate users. I have setup our NIFI 
> > systems to talk with our MS AD via ldaps, and defined different AD groups 
> > which in nifi has different policy rules. Some people can manage everything,
> > others can only start/stop specific processors in specific process
> > groups.
> >
> > Using personal certificates is no problem, I have some admins which also 
> > use their personal certificates. But with certificates you would have to 
> > add and manage users manually in NIFI. Users can of course be added to 
> > internal groups in NIFI and policy configured to groups.
> >
> >
> >
> > regards
> >
> > Jens
> >
> >
> >
> > Den tir. 19. okt. 2021 kl. 07.43 skrev Jakobsson Stefan 
> > <stefan.jakobs...@scania.com>:
> >
> > We are currently authenticating with personal certificates, should we 
> > change that then?
> >
> >
> >
> > Stefan Jakobsson
> >
> >
> > Systems Manager  |  Scania IT, IKCA |  Scania CV AB
> >
> > Phone: +46 8 553 527 27 Mobile: +46 7 008 834 76
> >
> > Forskargatan 20, SE-151 87 Södertälje, Sweden
> >
> > stefan.jakobs...@scania.com
> >
> >
> >
> > From: Shawn Weeks <swe...@weeksconsulting.us>
> > Sent: den 18 oktober 2021 21:35
> > To: users@nifi.apache.org
> > Subject: RE: Nifi and Registry behind Citrix ADC.
> >
> >
> >
> > Unless you’re operating the LB in TCP Mode you’ll need to configure NiFi to 
> > use an alternative authentication method like SAML, LDAP, OIDC, etc. You’ll 
> > also need to make sure that your proxy is passing the various HTTP headers 
> > through to NiFi and that NiFi is expecting traffic from a proxy. If you 
> > look in the nifi-user.log and nifi-app.log there might be some hints about 
> > what it didn’t like.
> >
> >
> >
> > Thanks
> >
> > Shawn
> >
> >
> >
> > From: Jakobsson Stefan <stefan.jakobs...@scania.com>
> > Sent: Monday, October 18, 2021 2:26 PM
> > To: users@nifi.apache.org
> > Subject: RE: Nifi and Registry behind Citrix ADC.
> >
> >
> >
> > Ahh, no ADC as in application delivery and load balancing 😊
> >
> >
> >
> > Stefan Jakobsson
> >
> >
> > Systems Manager  |  Scania IT, IKCA |  Scania CV AB
> >
> > Phone: +46 8 553 527 27 Mobile: +46 7 008 834 76
> >
> > Forskargatan 20, SE-151 87 Södertälje, Sweden
> >
> > stefan.jakobs...@scania.com
> >
> >
> >
> > From: Lehel Boér <lehel.b...@gmail.com>
> > Sent: den 18 oktober 2021 15:03
> > To: users@nifi.apache.org
> > Subject: Re: Nifi and Registry behind Citrix ADC.
> >
> >
> >
> > Hi Stefan,
> >
> >
> >
> > Please disregard my prior response. The name misled me, I discovered ADC 
> > is not the same as Active Directory.
> >
> >
> >
> > Kind Regards,
> >
> > Lehel Boér
> >
> >
> >
> > Lehel Boér <lehel.b...@gmail.com> ezt írta (időpont: 2021. okt. 18., H, 
> > 14:54):
> >
> > Hi Stefan,
> >
> >
> >
> > Have you tried setting up NiFi with an LDAP provider? Here are a few useful 
> > links.
> >
> >
> >
> > -
> > https://docs.cloudera.com/HDPDocuments/HDF3/HDF-3.4.1.1/nifi-security/
> > content/ldap_login_identity_provider.html
> >
> > - https://pierrevillard.com/2017/01/24/integration-of-nifi-with-ldap
> >
> >
> >
> > Kind Regards,
> >
> > Lehel Boér
> >
> >
> >
> > Jakobsson Stefan <stefan.jakobs...@scania.com> ezt írta (időpont: 2021. 
> > okt. 18., H, 13:02):
> >
> > Hello,
> >
> >
> >
> > I have some issues trying to run NiFi and NiFi Registry behind an ADC.
> > Reason for this is that we need NiFi to be accessible from AWS onto our
> > on-prem NiFi installation due to demands from our IT sec department
> >
> >
> >
> > Anyhow, I can connect to NiFi Registry on the server's IP (i.e. 
> > x.x.x.x:9443/nifi-registry) without problems, but if I try to use the URL 
> > set up in the ADC with 9443 redirected to the NiFi server's IP we get an error 
> > saying:
> >
> >
> >
> > This page isn’t working
> >
> > nifiprod.oururl.com didn’t send any data.
> >
> > ERR_EMPTY_RESPONSE
> >
> >
> >
> > Anyone has any ideas what I should start looking at? I set the https.host 
> > to 0.0.0.0 in nifi-registry.conf.
> >
> >
> >
> > Stefan Jakobsson
> >
> >
> > Systems Manager  |  Scania IT, IKCA |  Scania CV AB
> >
> > Phone: +46 8 553 527 27 Mobile: +46 7 008 834 76
> >
> > Forskargatan 20, SE-151 87 Södertälje, Sweden
> >
> > stefan.jakobs...@scania.com
> >
> >

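An added worked example (not code from the thread, and not NiFi's or NiFi Registry's own implementation): a small Python model of the X-ProxiedEntitiesChain flow Bryan describes, client cert -> ADC -> NiFi -> NiFi Registry. Each hop authenticates its TLS peer, decides whether that peer may proxy, and forwards the chain it received plus the peer it authenticated; the receiver accepts the chain's first entry as the end user only if the TLS peer and every later entry are authorized proxies. The identities, the proxy policy and the header format are assumptions: the sample DNs are constructed, the policy is a plain set standing in for NiFi's "proxy user requests" permission, and the header is modelled as identities wrapped in <...> with literal '<' and '>' escaped as '\<' and '\>' (the thread does not spell out the wire format).

```python
# Added example: model of X-ProxiedEntitiesChain building and checking.
# Not NiFi code; header format, DNs and policy below are assumptions.
from typing import List, Optional

# Constructed sample identities (not from the thread).
USER_DN = "CN=alice, OU=Users, O=Example"
LB_DN = "CN=adc.example.internal, OU=LoadBalancers, O=Example"
NIFI_DN = "CN=nifi-1.example.internal, OU=NiFi, O=Example"
ROGUE_DN = "CN=laptop.example.internal, OU=Users, O=Example"
# Stand-in for the "proxy user requests" policy on NiFi / NiFi Registry.
AUTHORIZED_PROXIES = {LB_DN, NIFI_DN}


def format_entity(identity: str) -> str:
    """Wrap one identity; escape angle brackets so a DN containing '><'
    cannot smuggle an extra chain element (assumed escaping scheme)."""
    return "<" + identity.replace("<", r"\<").replace(">", r"\>") + ">"


def parse_chain(value: str) -> List[str]:
    """Split a header value into identities, honouring the escapes.
    Anything outside <...> is rejected rather than silently skipped."""
    entities: List[str] = []
    buf: List[str] = []
    inside = False
    i = 0
    while i < len(value):
        c = value[i]
        if inside and c == "\\" and i + 1 < len(value) and value[i + 1] in "<>":
            buf.append(value[i + 1])  # escaped bracket is part of the DN
            i += 2
            continue
        if c == "<":
            if inside:
                raise ValueError("nested '<' in proxied entities chain")
            inside = True
        elif c == ">":
            if not inside:
                raise ValueError("'>' without matching '<'")
            entities.append("".join(buf))
            buf = []
            inside = False
        elif inside:
            buf.append(c)
        else:
            raise ValueError("text outside <...> in proxied entities chain")
        i += 1
    if inside:
        raise ValueError("unterminated identity in proxied entities chain")
    return entities


def forward_chain(incoming: Optional[str], authenticated_peer: str) -> str:
    """Sending side. 'incoming' must be None unless the peer we authenticated
    was itself an authorized proxy: a proxy that forwards a chain supplied by
    an arbitrary client lets that client pick its own identity."""
    return (incoming or "") + format_entity(authenticated_peer)


def authorize(peer_dn: str, header: Optional[str], proxies: set) -> str:
    """Receiving side. Returns the identity the request runs as: the TLS peer
    itself when no chain is present, otherwise the end user at the head of
    the chain, provided the peer and every later hop may proxy."""
    if header is None:
        return peer_dn
    if peer_dn not in proxies:
        raise PermissionError(f"{peer_dn} is not authorized to proxy")
    chain = parse_chain(header)
    if not chain:
        raise ValueError("empty proxied entities chain")
    end_user, hops = chain[0], chain[1:]
    for hop in hops:
        if hop not in proxies:
            raise PermissionError(f"{hop} is not authorized to proxy")
    return end_user


def demo() -> dict:
    """Walk one request: client cert -> ADC -> NiFi -> NiFi Registry."""
    # Hop 1: the ADC terminates TLS and authenticates alice by client cert;
    # it received no chain from her, so it starts one.
    to_nifi = forward_chain(None, USER_DN)
    # Hop 2: NiFi sees the ADC's cert, checks the ADC may proxy, acts as
    # alice, then calls Registry with its own cert and the extended chain.
    nifi_user = authorize(LB_DN, to_nifi, AUTHORIZED_PROXIES)
    to_registry = forward_chain(to_nifi, LB_DN)
    # Hop 3: Registry sees NiFi's cert and must accept both NiFi and the ADC
    # as proxies before it treats the request as alice.
    registry_user = authorize(NIFI_DN, to_registry, AUTHORIZED_PROXIES)
    # The same header presented by a host outside the proxy policy is refused.
    try:
        authorize(ROGUE_DN, to_registry, AUTHORIZED_PROXIES)
        rogue = "allowed"
    except PermissionError:
        rogue = "denied"
    return {
        "to_nifi": to_nifi,
        "nifi_user": nifi_user,
        "to_registry": to_registry,
        "registry_user": registry_user,
        "rogue": rogue,
    }


if __name__ == "__main__":
    for key, val in demo().items():
        print(f"{key}: {val}")
```

The two checks worth carrying over to a real ADC setup are visible in the model: the receiver refuses the chain unless the TLS peer itself is an authorized proxy, so the load balancer's certificate identity has to be granted the proxy permission in both NiFi and NiFi Registry; and the first hop must never pass through an X-ProxiedEntitiesChain header it received from an end-user client, since that would let the client choose its own identity.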