An identity provider for Apache NiFi 1.21.0 or later, providing authentication of users based on username/password credentials. Credentials are stored in a local file with Bcrypt-hashed passwords. This may be suitable for environments without LDAP or Kerberos, or when X.509 client certificates are impractical.
Note: this provider was previously developed and published on GitHub (under the APL license) by a company called BatchIQ, which seems to no longer exist. An archived fork still existed on GitHub, and this project is a revival of that archive.
To install and use this provider you must complete the following steps:
- Build the provider NAR file
- Deploy the provider NAR file to your NiFi installation
- Configure NiFi for HTTPS
- Configure the File Authorization Provider in login-identity-providers.xml
- Identity of the File Authorization Provider must be set in nifi.properties
- Users and their Bcrypt-hashed passwords must be added to login-credentials.xml
Build this package with:
mvn clean package
You will need to deploy the resulting NAR file from the nifi-file-identity-provider-nar/target directory (the NAR file will look like nifi-file-identity-provider-nar-1.0.0.nar).
The provider NAR file should be deployed to your NiFi's lib directory.
NiFi must be configured for HTTPS, including at least the following settings in nifi.properties:
- nifi.web.https.port
- nifi.security.keystore
- nifi.security.keystoreType
- nifi.security.keystorePasswd
- nifi.security.keyPasswd
- nifi.security.truststore
- nifi.security.truststoreType
- nifi.security.truststorePasswd
Please see the NiFi Administration Guide for more information on secure access configurations.
The following Login Identity Provider configuration should be added to login-identity-providers.xml:
<provider>
    <identifier>file-identity-provider</identifier>
    <class>io.egm.nifi.authentication.file.FileIdentityProvider</class>
    <property name="Credentials File">conf/login-credentials.xml</property>
    <property name="Authentication Expiration">12 hours</property>
</provider>
After the provider itself is configured, reference this provider in nifi.properties:
nifi.security.user.login.identity.provider=file-identity-provider
nifi.security.user.authorizer=managed-authorizer
In conf/authorizers.xml, comment out the single-user-authorizer configuration at the bottom of the file.
User credentials must be initialized in the credentials store file conf/login-credentials.xml.
This is an XML file with the following format:
<!--
This file contains users and their hashed passwords. Please see the
io.egm.nifi.authentication.file.CredentialsStore for details.
User Format:
name - must match the "identity" in authorized-users.xml
passwordHash - hashed passwords in Bcrypt 2a format / 10 rounds, looks
like "$2a$10$24wB0UAUsRbOXz4KRZ5KlenzcEddnhIyXMyPkpTnS/29Tt12jfJJW"
-->
<credentials>
<!--
<user name="admin" passwordHash="(reset to populate)" />
-->
</credentials>
Any tool capable of generating Bcrypt type 2a hashed passwords may be used. This package includes a simple command-line utility in the PasswordHasherCLI class (see below). Additional known compatible tools and APIs include:
- Spring Security's BCryptPasswordEncoder class
- Python package bcrypt
- Online Bcrypt Generator
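An added example, not part of this project's code: a small Python check for a hand-edited login-credentials.xml that flags entries whose passwordHash is not in the documented Bcrypt 2a format, whose cost is below the documented 10 rounds, or whose user name is missing or duplicated. The function name, the use of 10 as a minimum cost, and the sample entries are assumptions made for this illustration.

```python
import re
import xml.etree.ElementTree as ET

# "$2a$" + two-digit cost + "$" + 22-char salt + 31-char digest (bcrypt base64 alphabet)
BCRYPT_2A = re.compile(r"\$2a\$(\d{2})\$[./A-Za-z0-9]{53}")
MIN_COST = 10  # the file comment documents 10 rounds; using it as a floor is an assumption

def audit_credentials(xml_text):
    """Return a list of (user, problem) findings for a login-credentials.xml document."""
    findings = []
    seen = set()
    root = ET.fromstring(xml_text)  # commented-out <user> entries are ignored by the parser
    if root.tag != "credentials":
        return [("<root>", "root element is not <credentials>")]
    for user in root.iter("user"):
        name = (user.get("name") or "").strip()
        label = name or "<unnamed>"
        if not name:
            findings.append((label, "missing name attribute"))
        elif name in seen:
            findings.append((label, "duplicate user entry"))
        seen.add(name)
        match = BCRYPT_2A.fullmatch(user.get("passwordHash") or "")
        if match is None:
            findings.append((label, "passwordHash is not a bcrypt 2a hash"))
        elif int(match.group(1)) < MIN_COST:
            findings.append((label, "bcrypt cost %s is below %d" % (match.group(1), MIN_COST)))
    return findings

# Constructed sample: the first entry reuses the example hash from the file's own
# comment; the other entries are made up to trigger each check.
SAMPLE = """<credentials>
  <user name="jane" passwordHash="$2a$10$24wB0UAUsRbOXz4KRZ5KlenzcEddnhIyXMyPkpTnS/29Tt12jfJJW" />
  <user name="admin" passwordHash="(reset to populate)" />
  <user name="frank" passwordHash="$2a$04$24wB0UAUsRbOXz4KRZ5KlenzcEddnhIyXMyPkpTnS/29Tt12jfJJW" />
  <user name="jane" passwordHash="$2b$10$24wB0UAUsRbOXz4KRZ5KlenzcEddnhIyXMyPkpTnS/29Tt12jfJJW" />
</credentials>"""

if __name__ == "__main__":
    for user, problem in audit_credentials(SAMPLE):
        print("%s: %s" % (user, problem))
```

A finding for a non-2a prefix means the entry differs from the format this page documents and should be reviewed; the check does not claim how the provider itself treats such a hash.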
This package includes a command-line tool for simple operations on users and passwords. Use of this tool is not required; it is possible to administer users with a text editor and any tool capable of generating Bcrypt 2a hashes.
The JAR file nifi-file-identity-provider-1.21.0-cli.jar is output in the nifi-file-identity-provider/target directory.
Add a user (you will be prompted for a password):
>java -jar nifi-file-identity-provider-1.21.0-cli.jar add conf/login-credentials.xml jane
Password for jane: ****
Added user jane
Reset a password (you will be prompted for the new password):
>java -jar nifi-file-identity-provider-1.21.0-cli.jar reset conf/login-credentials.xml jane
New Password for jane:
Password reset for user jane
List users:
>java -jar nifi-file-identity-provider-1.21.0-cli.jar list conf/login-credentials.xml
john
jane
frank
Delete a user:
>java -jar nifi-file-identity-provider-1.21.0-cli.jar remove conf/login-credentials.xml frank
Removed user frank
Apache License 2.0