nifi-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Sam Feng"<oldbel...@gmail.com>
Subject Re: why cant nifi perform user authentication over http
Date Thu, 27 Jul 2017 07:33:32 GMT
Hello Joe
   The scene is that we want to put nifi into an iframe page in our platform. because of nifi
dosen't support multi-cavas for multi-tenants, we may use multi-nifi-instance in our platform
to suport multi-tenants. That is to say  one group of users use one instance of nifi while
another group use another instance. 
   The problem is that using https in an iframe is not as friendly as http. because a SSL
connection needs cert for authentication , and when using LDAP with https the connection will
be considered not secure by browser(our cert is generate by nifi-toolkit). For a good User
Experience we need to use http rather than https.

Thank you anyway.
YuNing


On 2017-07-26 01:04 (+0800), Joe Witt <joe.witt@gmail.com> wrote: 
> YuNing
> 
> What can we do to help you setup an HTTPS based environment?  We can
> support LDAP-based username and password authentication in that
> environment.  We've basically taken a "what is the point" approach to
> trying to add authentication/authorization in the HTTP only context so
> all is based around HTTPS as the entry point.  From there we've put in
> a lot of effort to help you choose the most effective
> authentication/authorization model for your case.  There are also some
> nice toolkit capabilities that come with the release now too to help
> with cert creation.
> 
> Thanks
> Joe
> 
> On Tue, Jul 25, 2017 at 12:54 PM, Andy LoPresto <alopresto@apache.org> wrote:
> > Modifying NiFi’s source code to provide user authentication and
> > authorization over HTTP is highly discouraged. Along with the possibility
> > for credential leak that Kevin mentioned, any plaintext HTTP request can be
> > intercepted, monitored, and modified before being relayed to the NiFi
> > application. This means that any and all actions are susceptible to
> > malicious changes, and any entity monitoring the network can perform actions
> > under the assumed identity of another user. This would be an incredible
> > amount of effort and almost definitely pointless.
> >
> >
> > Andy LoPresto
> > alopresto@apache.org
> > alopresto.apache@gmail.com
> > PGP Fingerprint: 70EC B3E5 98A6 5A3F D3C4  BACE 3C6E F65B 2F7D EF69
> >
> > On Jul 25, 2017, at 7:09 AM, Kevin Doran <kdoran.apache@gmail.com> wrote:
> >
> > Hi YuNing,
> >
> > In your original post, you mentioned a need for multi-tenant authorization.
> > For that use case, I would not recommend transmitting passwords, even
> > encrypted/hashed passwords, over unencrypted HTTP, as the authorized
> > operations would be still be vulnerable to man-in-the-middle (MITM) attacks
> > and replay attacks.
> >
> > As you mentioned, modifying the NiFi source code to allow authorization over
> > HTTP instead of HTTPS would be a significant task, and at the end of the day
> > would have the vulnerabilities I described. My advice is that it would be a
> > better use of time and effort to configure your NiFi server(s) to use HTTPS.
> > The NiFi Toolkit [1] [2] includes TLS utilities to make this easier, and
> > there are plenty of folks on this list who can assist you if you have
> > questions while setting up HTTPS.
> >
> > If you truly do not need to worry about security for your use case and do
> > not want to use HTTPS, then using HTTP without authorization is an option.
> >
> > Regards,
> > Kevin
> >
> > [1] https://nifi.apache.org/download.html
> > [2]
> > https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#tls-generation-toolkit
> >
> > On 7/24/17, 23:00, "Sam Feng" <oldbelvey@gmail.com> wrote:
> >
> >    Hello Kevin,
> >
> >       Your answers helps me a lot.  Now i am trying to modify nifi`s
> > sourcecode to enable http authentication, because the platform where i am
> > using nifi is not that sensitive about security, and we use ldap as
> > login-identity-providers whitch password is already encrypted by an unique
> > key.
> >        But i find it difficult to modify it`s sourceCode. there so many
> > places that limit login and authentication from http, and i have to edit all
> > of it, which will certainly take a lot of time to find them.
> >        Do you have any idea on how to modify nifi`s code more efficiently,
> > or if there are  some other way to get what i want.
> >
> >        As you can see my English is poor, thanks for you patience.
> >
> >    Thanks for your reply.
> >    Best Regards
> >    YuNing
> >
> >
> >    On 2017-07-21 19:07 (+0800), Kevin Doran <kdoran.apache@gmail.com> wrote:
> >
> > Hi,
> >
> > You are correct, NiFi requires an encrypted connection for user
> > authentication. This is because client identity is established in one of two
> > ways:
> >
> > - user name & password, which should not be sent over a non-encrypted
> > connection
> > - client certificate in a two-way TLS (HTTPS) connection
> >
> > I hope this answers your question. If HTTPS is suitable for your needs, here
> > are some resources to help you get started:
> >
> > - NiFi System Administration Guide, specifically sections on User
> > Authentication [1] and Multi-Tenant Authorization [2]
> > - Bryan Bende's blog post on NiFi Authorization and Multi-Tenancy [3]
> >
> > I hope this helps! If you have any questions you can post back to this
> > thread.
> >
> > Regards,
> > Kevin
> >
> > [1]
> > https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#user_authentication
> > [2]
> > https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#multi-tenant-authorization
> > [3]
> > http://bryanbende.com/development/2016/08/17/apache-nifi-1-0-0-authorization-and-multi-tenancy
> >
> >
> > On 7/21/17, 02:02, "belvey@163.com" <belvey@163.com> wrote:
> >
> >
> >        Hello, I am a developer from china, i recently want to apply
> > multi-tenant authorization on nifi, but find that nifi doesn't support
> > authorization over http. can you tell me the reason, and can i enable
> > authentication over http by modify it's source code.
> >
> >    Thanks for your early reply.
> >    Best Regards
> >
> >
> >
> >
> >
> >
> >
> >
> >
> >
> 

Mime
View raw message