Security

TLS

NiFi sets up TLS encryption for the http endpoints that serve the UI. By default, this interface is secured using certificates generated to work with the default SecretClass tls.

Nifi can be configured to use a different SecretClass as shown below:

apiVersion: nifi.stackable.tech/v1alpha1
kind: NifiCluster
spec:
  # ...
  clusterConfig:
    tls:
      serverSecretClass: non-default-secret-class (1)
1 The name of the SecretClass that will be used for certificates for the NiFi UI.

Authentication

Every user has to authenticate themselves before using NiFI. There are multiple options to set up the authentication of users. All authentication related parameters are configured under spec.clusterConfig.authentication.

Single user

The Single user allows the creation of one admin user for NiFi. This is a simple authentication method to quickly test and login to the canvas. However, due to it being a single user with all rights, this is not recommended in production.

apiVersion: authentication.stackable.tech/v1alpha1
kind: AuthenticationClass
metadata:
  name: simple-nifi-users (1)
spec:
  provider:
    static:
      userCredentialsSecret:
        name: nifi-admin-credentials (2)
1 The name of the AuthenticationClass that will be referenced in the NiFi cluster.
2 The name of the Secret containing the admin credentials.
apiVersion: v1
kind: Secret
metadata:
  name: nifi-admin-credentials (1)
stringData:
  admin: admin (2)
  bob: bob (3)
1 The name of the Secret containing the admin user credentials.
2 The user and password combination of the admin user. The username must be "admin" and cannot be changed. The NiFi pods will not start if they cannot mount the "admin" entry from the secret. The password can be adapted.
3 The secret maybe used by other products of the Stackable Data Platform that allow more than one user. The Stackable Operator for Apache NiFi will ignore all users except for "admin".
spec:
  clusterConfig:
    authentication:
      - authenticationClass: simple-nifi-users (1)
1 The reference to an AuthenticationClass. NiFi only supports one authentication mechanism at a time.

LDAP

NiFi supports authentication of users against an LDAP server. This requires setting up an AuthenticationClass for the LDAP server. The AuthenticationClass is then referenced in the NifiCluster resource as follows:

apiVersion: nifi.stackable.tech/v1alpha1
kind: NifiCluster
metadata:
  name: test-nifi
spec:
  clusterConfig:
    authentication:
      - authenticationClass: ldap (1)
1 The reference to an AuthenticationClass called ldap

You can follow the Authentication with OpenLDAP tutorial to learn how to set up an AuthenticationClass for an LDAP server, as well as consulting the AuthenticationClass reference .

Authorization

NiFi supports multiple authorization methods documented here. The available authorization methods depend on the chosen authentication method.

Authorization is not fully implemented by the Stackable Operator for Apache NiFi.

Single user

With this authorization method, a single user has administrator capabilities.

LDAP

The operator uses the FileUserGroupProvider and FileAccessPolicyProvider to bind the LDAP user to the NiFi administrator group. This user is then able to create and modify groups and polices in the web interface. These changes local to the Pod running NiFi and are not persistent.

Encrypting sensitive properties on disk

Some flows require storing a sensitive property like a password or access token, which is then stored on disk. NiFi encrypts these properties in flow files.

The sensitive property encryption is configured using the properties keySecret, autoGenerate and algorithm in the spec.clusterConfig.sensitiveProperties configuration section of the NifiCluster resource.

The keySecret configures the name of the Secret object that holds the encryption key; it is required to specify a Secret name. The Secret needs to contain the key as a value to the nifiSensitivePropsKey key. You can either specify a key yourself - in which case the key needs to be at least 12 characters long - or just specify the name of the secret and set autoGenerate to true (the default is false). If autoGenerate is false and no Secret with the given name in keySecret is found, the operator will raise an error.

The algorithm property configures the encryption algorithm used to encrypt the sensitive properties. Consult the reference documentation for a list of supported algorithms.

Autogenerated key example

Let the operator generate a Secret with the name nifi-sensitive-property-key:

sensitiveProperties:
  keySecret: nifi-sensitive-property-key
  autoGenerate: true

Custom key and encryption algorithm example

Create the Secret yourself:

apiVersion: v1
kind: Secret
metadata:
  name: nifi-sensitive-properties-key
stringData:
  nifiSensitivePropsKey: my-encryption-key

Configure the Secret and a different encryption algrithm:

sensitiveProperties:
  keySecret: nifi-sensitive-property-key
  algorithm: nifiArgon2AesGcm256