Skip to content
This repository has been archived by the owner on Feb 12, 2024. It is now read-only.

Update USERMANAGEMENT.md #251

Merged
merged 1 commit into from
Jun 13, 2022
Merged

Update USERMANAGEMENT.md #251

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
40 changes: 2 additions & 38 deletions doc/USERMANAGEMENT.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -26,44 +26,8 @@ oidc:
discoveryUrl: http://<oidc_provider_address>:<oidc_provider_port>/auth/realms/<client_realm>/.well-known/openid-configuration
clientId: <client_name_in_oidc_provider>
clientSecret: <client_secret_in_oidc_provider>
````

Then, you have to set a initial user to access Nifi for the first time. This user must be present in the OIDC provider. If you are the administrator, you can use your credentials. The initial user is added in `authorizers-empty.xml` file. In our example, the initial user is `john`:

````
<userGroupProvider>
<identifier>file-user-group-provider</identifier>
<class>org.apache.nifi.authorization.FileUserGroupProvider</class>
<property name="Users File">./conf/users.xml</property>
<property name="Legacy Authorized Users File"></property>
{{- range $i := until $replicas }}
<property name="Initial User Identity {{ $i }}">john</property>
{{- end }}
{{- if .Values.auth.ldap.enabled}}
<property name="Initial User Identity admin">{{.Values.auth.ldap.admin}}</property>
{{- end}}
</userGroupProvider>
````

````
<accessPolicyProvider>
<identifier>file-access-policy-provider</identifier>
<class>org.apache.nifi.authorization.FileAccessPolicyProvider</class>
<property name="User Group Provider">file-user-group-provider</property>
<property name="Authorizations File">./conf/authorizations.xml</property>
{{- if .Values.auth.ldap.enabled}}
<property name="Initial Admin Identity">{{.Values.auth.ldap.admin}}</property>
{{- else }}
<property name="Initial Admin Identity">john</property>
{{- end}}
<property name="Legacy Authorized Users File"></property>
{{- if .Values.auth.ldap.enabled}}
{{- range $i := until $replicas }}
<property name="Node Identity {{ $i }}">CN={{ $fullname }}-{{ $i }}.{{ $fullname }}-headless.{{ $namespace }}.svc.cluster.local, OU=NIFI</property>
{{- end }}
{{- end }}
<property name="Node Identity"></property>
</accessPolicyProvider>
claimIdentifyingUser: email
admin: nifi@example.com
````

There are a lot of ID providers that can be used to perform an OIDC authentication. In our case, we have tested that with Keycloak. You will find an example of Keycloak config on this [page](https://github.com/cetic/helm-nifi/tree/feature/nifi_1.14.0/doc/KEYCLOAK.md).
Expand Down