Using LDAP authentication for NiFi

[jusch23]

Hello,
I am currently trying to configure LDAP authentication for apache nifi (using active directory as ldap directory). The basic configuration works and I can login with my personal user, who is not authorized to see anything (as expected).
However, the create-reporting-task job fails using ldap authentication, getting log output similar to this (example ldap bind user: "CN=myldapbinduser,OU=myou1,OU=my users,OU=myou2,DC=mycompany,DC=de"):

usage: create_nifi_reporting_task.py [-h] -n NIFI_API_URL -u USERNAME -p                                                                                                                      
                                     PASSWORD -v NIFI_VERSION -c CERT -m                                                                                                                      
                                     METRICS_PORT [-t TASK_NAME]                                                                                                                              
create_nifi_reporting_task.py: error: unrecognized arguments: users,OU=myou2,DC=mycompany,DC=de

The CN of the ldap bind user does contain whitespaces and I wonder if this is considered in the container command building process?

Args:                                                                                                                                                                                     
      /stackable/python/create_nifi_reporting_task.py -n https://nifi-node-default-0.nifi-node-default.default.svc.cluster.local:8443/nifi-api -u $(cat /stackable/secrets/ldap-bind-credentials/user | grep -oP '((cn|dn|uid)=\K[^,]+|.*)' | head -n 1) -p $(cat /stackable/secrets/ldap-bind-credentials/password) -v 1.18.0 -m 8081 -c /stackable/cert/ca.crt

So I need some help regarding the following two questions:

1. Is it currently supported to use a ldap bind user DN that contains whitespaces? For me it looks like the -u $(...) should be -u "$(...)" to ensure that the python script does get a single argument.
2. Which users is authorized when I configure ldap authentication? Looking inside the authorizers.xml file looks like that the ldap bind user is the default initial admin. Unfortunately, the user can login, but is no admin. How can I solve this?

Thanks a lot for any help :)

[maltesander]

Hi @jusch23,

thank you for the input.

1. That is definitely not working correctly, but should be a quick fix (Issue: Reporting tasks fails if LDAP CN contains whitespaces nifi-operator#465)
2. I just setup NiFi with LDAP and can confirm this. The LDAP user should be the admin user but it is not working as intended (you can login, but you basically cannot do anything else like e.g. use processors). We do not have any authorization mechanisms for NiFi currently (OPA / Ranger).

We will investigate and update here accordingly. Sorry for the troubles!

Cheers,
Malte

[maltesander]

Hi @jusch23,

Regarding question 2:

Your user should be the admin user. You can add other users and policies and grant yourself access to whatever you need.

Starting with an empty canvas (where you can not do alot):

Right click the canvas and select Manage access policies:

You can now create a policy for your user (e.g. view/modify component), this should support autocomplete:

And same for modify component:

Then you should be able to create processors, process groups etc.:

You can e.g. revoke your rights to view / modify a (sub) process group as well.

This should be sufficient for testing. It will get more user friendly with OPA/Ranger integrationen hopefully.

Cheers,
Malte

[jusch23]

Hi Malte,

thank you for the screenshots and the explanation. As mentioned above I can login with the ldap bind user but the user has insufficient permissions:

I am using a AuthenticationClass configuration similar to this to connect to an active directory:

---
apiVersion: v1
kind: Secret
metadata:
  name: ldap-bind-credentials
  labels:
    secrets.stackable.tech/class: ldap-bind-credentials
stringData:
  user: "CN=myldapbinduser,OU=myou1,OU=my users,OU=myou2,DC=mycompany,DC=de"
  password: "password"
---
apiVersion: secrets.stackable.tech/v1alpha1
kind: SecretClass
metadata:
  name: ldap-bind-credentials
spec:
  backend:
    k8sSearch:
      searchNamespace:
        pod: {}
---
apiVersion: authentication.stackable.tech/v1alpha1
kind: AuthenticationClass
metadata:
  name: ldap-nifi
spec:
  provider:
    ldap:
      hostname: mycompany.de
      port: 636
      searchBase: DC=mycompany,DC=de
      ldapFieldNames:
        group: memberOf
        uid: sAMAccountName
      bindCredentials:
        secretClass: ldap-bind-credentials
      tls:
        verification:
          server:
            caCert:
              secretClass: my-root-ca

The nifi cluster is configured as follows:

---
apiVersion: nifi.stackable.tech/v1alpha1
kind: NifiCluster
metadata:
  name: nifi
spec:
  image:
    repo: myregistry:34567/stackable
    productVersion: 1.18.0
    stackableVersion: "23.4"
  clusterConfig:
    zookeeperConfigMapName: nifi-znode
    authentication:
      method:
        # with single user (no ldap) the configured admin user has admin permissions
        #singleUser:
        #  adminCredentialsSecret: nifi-admin-credentials
        authenticationClass: ldap-nifi
    sensitiveProperties:
      keySecret: nifi-sensitive-property-key
      autoGenerate: true
  nodes:
    configOverrides:
      nifi.properties:
        nifi.web.proxy.host: nifi.k8s-dns-entry.mycompany.de # used to setup ingress
    roleGroups:
      default:
        replicas: 1
---
apiVersion: v1
kind: Secret
metadata:
  name: nifi-admin-credentials
stringData:
  username: admin
  password: adminadmin
---
apiVersion: zookeeper.stackable.tech/v1alpha1
kind: ZookeeperZnode
metadata:
  name: nifi-znode
spec:
  clusterRef:
    name: zookeeper

Do you have an idea why my ldap bind user does not have admin permissions? The authorizers.xml inside the created nifi container looks fine for me:

bash-4.4$ cat conf/authorizers.xml
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<authorizers>
<userGroupProvider>
    <identifier>file-user-group-provider</identifier>
    <class>org.apache.nifi.authorization.FileUserGroupProvider</class>
    <property name="Users File">./conf/users.xml</property>

    <!-- As we currently don't have authorization (including admin user) configurable we simply paste in the ldap bind user in here -->
    <!-- In the future the whole authorization may be reworked to OPA -->
    <property name="Initial User Identity admin"><ldap admin DN></property>

    <!-- As the secret-operator provides the NiFi nodes with cert with a common name of "generated certificate for pod" we have to put that here -->
    <property name="Initial User Identity other-nifis">CN=generated certificate for pod</property>
</userGroupProvider>

<accessPolicyProvider>
    <identifier>file-access-policy-provider</identifier>
    <class>org.apache.nifi.authorization.FileAccessPolicyProvider</class>
    <property name="User Group Provider">file-user-group-provider</property>
    <property name="Authorizations File">./conf/authorizations.xml</property>

    <!-- As we currently don't have authorization (including admin user) configurable we simply paste in the ldap bind user in here -->
    <!-- In the future the whole authorization may be reworked to OPA -->
    <property name="Initial Admin Identity"><ldap admin DN></property>

    <!-- As the secret-operator provides the NiFi nodes with cert with a common name of "generated certificate for pod" we have to put that here -->
    <property name="Node Identity other-nifis">CN=generated certificate for pod</property>
</accessPolicyProvider>

<authorizer>
    <identifier>authorizer</identifier>
    <class>org.apache.nifi.authorization.StandardManagedAuthorizer</class>
    <property name="Access Policy Provider">file-access-policy-provider</property>
</authorizer>
</authorizers>
bash-4.4$ cat conf/users.xml
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<tenants>
    <groups/>
    <users>
        <user identifier="21e228f0-3f80-3e06-b9b7-f4158813c667" identity="CN=generated certificate for pod"/>
        <user identifier="977d9575-77b4-3950-a4ae-58eba35162cc" identity="<ldap admin DN>"/>
    </users>
</tenants>

Best regards,
Julian

[jusch23]

An additional comment regarding the configOverride inside the nifi cluster:

  nodes:
    configOverrides:
      nifi.properties:
        nifi.web.proxy.host: nifi.k8s-dns-entry.mycompany.de # used to setup ingress

When I use singleUser authentication with the admin-credentials secret the create-reporting-task job fails with the following error:

Successfully authenticated and established connection with [https://nifi.default.svc.cluster.local:8443/nifi-api]
Exception: Failed to retrieve ReportingTask[StackablePrometheusReportingTask/8081]: Invalid header value b'Bearer <h1>System Error</h1>\n<h2>The request contained an invalid host header [<code>nifi.default.svc.cluster.local:8443</code>] in the request [<code>/nifi-api/access/token</code>]. Check for request manipulation or third-party intercept.</h2>\n<h3>Valid host headers are [<code>empty</code>] or: <br/><code>\n<ul><li>127.0.0.1</li>\n<li>127.0.0.1:8443</li>\n<li>localhost</li>\n<li>localhost:8443</li>\n<li>[::1]</li>\n<li>[::1]:8443</li>\n<li>nifi-node-default-0</li>\n<li>nifi-node-default-0:8443</li>\n<li>10.244.16.162</li>\n<li>10.244.16.162:8443</li>\n<li>nifi-node-default-0.nifi-node-default.default.svc.cluster.local</li>\n<li>nifi-node-default-0.nifi-node-default.default.svc.cluster.local:8443</li>\n<li>nifi.k8s-dns-entry.mycompany.de</li>\n</ul>\n\n</code></h3>\n'

Is there a way to override nifi.web.proxy.host so that the job does not fail? Can you reproduce this behaviour?

[maltesander]

Ok ill try to reproduce the LDAP problem.

For the proxy host and reporting task. This basically overrides all proxy hosts that are set by the operator. Which works for the external access, but not for the internal ReportingTask. Can you please try as a quick fix for the reporting task to set the proxy hosts like this (will only work if your cluster is named nifi and is deployed in the default namespace):

  nodes:
    configOverrides:
      nifi.properties:
        nifi.web.proxy.host: nifi.k8s-dns-entry.mycompany.de, nifi.default.svc.cluster.local:8443

stackabletech/nifi-operator#468

[cm2pm]

I think I ran into the same issue where my ldap bind user does not have admin permissions. Was there any solution around this?