Using certificates for authentication and authorization with NiFi is not recommended, but carried over from legacy NiFi and still supported. These instructions require openssl and Java's keytool.

- Create a cert and key for user1.

      openssl req -x509 -newkey rsa:2048 -keyout user1-key.pem -out user1-cert.pem -days 3650 -subj "/CN=user1" -nodes

- Add the user1 cert to NiFi's truststore. This will create a truststore if it doesn't already exist.

      keytool -importcert -v -trustcacerts -alias user1 -file /path/to/user1-cert.pem -keystore /path/to/truststore.jks -storepass mysupersecretpassword -noprompt

- Stop NiFi if running.

- Ensure the following properties are set in nifi.properties:

      nifi.security.truststore=/path/to/truststore.jks
      nifi.security.truststoreType=JKS
      nifi.security.truststorePasswd=mysupersecretpassword

- Add user1 and the desired roles to NiFi's authorized-users.xml. If the file doesn't exist, create it using this example. The following will grant user1 all privileges:

      <users>
      ...
      <user dn="CN=user1">
          <role name="ROLE_ADMIN"/>
          <role name="ROLE_DFM"/>
          <role name="ROLE_MONITOR"/>
          <role name="ROLE_PROVENANCE"/>
          <role name="ROLE_NIFI"/>
          <role name="ROLE_PROXY"/>
      </user>
      ...
      </users>

- Ensure the following properties are set in authorizers.xml:

      ...
      <userGroupProvider>
          ...
          <property name="Legacy Authorized Users File">/path/to/authorized-users.xml</property>
          ...
      </userGroupProvider>
      ...
      <accessPolicyProvider>
          ...
          <property name="Legacy Authorized Users File">/path/to/authorized-users.xml</property>
          ...
      </accessPolicyProvider>
      ...

- Delete NiFi's authorizations.xml and users.xml files if they exist. They will be recreated on startup.

- Start NiFi.

- Create a PFX file for user1 from the cert and key created earlier.

      openssl pkcs12 -inkey /path/to/user1-key.pem -in /path/to/user1-cert.pem -export -out user1.pfx -passout pass:anothersupersecretpassword

- Have user1 install the cert to their browser. Here are instructions for Chrome on Windows.

- Navigate to NiFi in the browser. To log in, choose the cert when prompted.
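A scripted form of the certificate steps above, as an added example that is not from the NiFi documentation: it generates the user's cert and key, imports the cert into the truststore, derives the subject DN in the same form the authorized-users.xml entry above uses (CN=user1, no spaces, which OpenSSL's default subject output does not produce), emits the matching user element, and exports the PFX with its password taken from the environment rather than the command line. The function names, the PFX_PASS and TRUSTSTORE_PASS variables, and the directory arguments are assumptions.

```shell
# Added example (not from the NiFi docs). Requires openssl; keytool is only
# needed by add_to_truststore. Function names and *_PASS variables are assumed.

# Generate a self-signed client cert and key for a user into a directory,
# mirroring the openssl req command from the instructions.
make_user_cert() {
  user="$1"; dir="$2"
  openssl req -x509 -newkey rsa:2048 -keyout "$dir/$user-key.pem" \
    -out "$dir/$user-cert.pem" -days 3650 -subj "/CN=$user" -nodes 2>/dev/null
}

# Print the subject DN in RFC 2253 form (e.g. CN=user1), the form used in the
# dn="" attribute above. OpenSSL's default output ("subject=CN = user1" or
# "/CN=user1") would not match and is a common cause of login failures.
cert_dn() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'
}

# Emit the <user> element granting the given roles to the cert's DN.
authorized_user_entry() {
  cert="$1"; shift
  printf '<user dn="%s">\n' "$(cert_dn "$cert")"
  for role in "$@"; do printf '    <role name="%s"/>\n' "$role"; done
  printf '</user>\n'
}

# Import the cert into the JKS truststore (created if missing). The store
# password comes from TRUSTSTORE_PASS instead of being hard-coded.
add_to_truststore() {
  keytool -importcert -trustcacerts -alias "$1" -file "$2" -keystore "$3" \
    -storepass "${TRUSTSTORE_PASS:?TRUSTSTORE_PASS not set}" -noprompt
}

# Bundle key and cert into a PFX for the browser. The export password is read
# by openssl from the PFX_PASS environment variable (env: source), so it does
# not appear in process listings or shell history.
make_pfx() {
  user="$1"; dir="$2"
  : "${PFX_PASS:?PFX_PASS not set}"
  openssl pkcs12 -export -inkey "$dir/$user-key.pem" -in "$dir/$user-cert.pem" \
    -out "$dir/$user.pfx" -passout env:PFX_PASS
}
```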