Security
TLS
NiFi sets up TLS encryption for the http endpoints that serve the UI.
By default, this interface is secured using certificates generated to work with the default SecretClass tls
.
Nifi can be configured to use a different SecretClass as shown below:
apiVersion: nifi.stackable.tech/v1alpha1
kind: NifiCluster
spec:
# ...
clusterConfig:
tls:
serverSecretClass: non-default-secret-class (1)
1 | The name of the SecretClass that will be used for certificates for the NiFi UI. |
Authentication
Every user has to authenticate themselves before using NiFI.
There are multiple options to set up the authentication of users.
All authentication related parameters are configured under spec.clusterConfig.authentication
.
Single user
The Single user
allows the creation of one admin user for NiFi. This is a simple authentication method to quickly test and login to the canvas.
However, due to it being a single user with all rights, this is not recommended in production.
apiVersion: authentication.stackable.tech/v1alpha1
kind: AuthenticationClass
metadata:
name: simple-nifi-users (1)
spec:
provider:
static:
userCredentialsSecret:
name: nifi-admin-credentials (2)
1 | The name of the AuthenticationClass that will be referenced in the NiFi cluster. |
2 | The name of the Secret containing the admin credentials. |
apiVersion: v1
kind: Secret
metadata:
name: nifi-admin-credentials (1)
stringData:
admin: admin (2)
bob: bob (3)
1 | The name of the Secret containing the admin user credentials. |
2 | The user and password combination of the admin user. The username must be "admin" and cannot be changed. The NiFi pods will not start if they cannot mount the "admin" entry from the secret. The password can be adapted. |
3 | The secret maybe used by other products of the Stackable Data Platform that allow more than one user. The Stackable Operator for Apache NiFi will ignore all users except for "admin". |
spec:
clusterConfig:
authentication:
- authenticationClass: simple-nifi-users (1)
1 | The reference to an AuthenticationClass . NiFi only supports one authentication mechanism at a time. |
LDAP
NiFi supports authentication of users against an LDAP server. This requires setting up an AuthenticationClass for the LDAP server. The AuthenticationClass is then referenced in the NifiCluster resource as follows:
apiVersion: nifi.stackable.tech/v1alpha1
kind: NifiCluster
metadata:
name: test-nifi
spec:
clusterConfig:
authentication:
- authenticationClass: ldap (1)
1 | The reference to an AuthenticationClass called ldap |
You can follow the Authentication with OpenLDAP tutorial to learn how to set up an AuthenticationClass for an LDAP server, as well as consulting the AuthenticationClass reference .
Authorization
NiFi supports multiple authorization methods documented here. The available authorization methods depend on the chosen authentication method.
Authorization is not fully implemented by the Stackable Operator for Apache NiFi.
LDAP
The operator uses the FileUserGroupProvider
and FileAccessPolicyProvider to bind the LDAP user to the NiFi administrator group. This user is then able to create and modify groups and polices in the web interface. These changes local to the Pod
running NiFi and are not persistent.
Encrypting sensitive properties on disk
Some flows require storing a sensitive property like a password or access token, which is then stored on disk. NiFi encrypts these properties in flow files.
The sensitive property encryption is configured using the properties keySecret
, autoGenerate
and algorithm
in the spec.clusterConfig.sensitiveProperties
configuration section of the NifiCluster resource.
The keySecret
configures the name of the Secret object that holds the encryption key; it is required to specify a Secret name.
The Secret needs to contain the key as a value to the nifiSensitivePropsKey
key.
You can either specify a key yourself - in which case the key needs to be at least 12 characters long - or just specify the name of the secret and set autoGenerate
to true
(the default is false).
If autoGenerate
is false and no Secret with the given name in keySecret
is found, the operator will raise an error.
The algorithm
property configures the encryption algorithm used to encrypt the sensitive properties.
Consult the reference documentation for a list of supported algorithms.
Autogenerated key example
Let the operator generate a Secret with the name nifi-sensitive-property-key
:
sensitiveProperties:
keySecret: nifi-sensitive-property-key
autoGenerate: true
Custom key and encryption algorithm example
Create the Secret yourself:
apiVersion: v1
kind: Secret
metadata:
name: nifi-sensitive-properties-key
stringData:
nifiSensitivePropsKey: my-encryption-key
Configure the Secret and a different encryption algrithm:
sensitiveProperties:
keySecret: nifi-sensitive-property-key
algorithm: nifiArgon2AesGcm256