Thursday, 28 March 2019

How To Configure TLS & Okta Authentication for Apache NiFi

CONFIGURE TLS FOR NIFI

NiFi cannot support any authentication mechanisms unless it is configured to utilize TLS. Note that following these instructions will also change the port that NiFi runs on to TCP 9443.
  1. Back up your existing nifi.properties file on each node in the NiFi cluster.
  2. Download the NiFi Toolkit for your release of NiFi @ https://nifi.apache.org/download.html and extract it on each node.
  3. Navigate to the toolkit’s bin directory (e.g. /opt/nifi-toolkit/bin/).
  4. Run tls-toolkit.sh to generate a truststore, keystore, and updated nifi.properties file with the following syntax:
./tls-toolkit.sh standalone -f <path/to/current/nifi.properties> -n <server_fqdn>

  5. Copy the resultant keystore.jks, truststore.jks, and nifi.properties files to the NiFi instance’s conf/ directory.
  6. Restart NiFi with the following command:
bin/nifi.sh restart

CREATE THE NIFI APPLICATION IN OKTA

  1. Log in to Okta as an Application Administrator user
  2. Go to Applications -> Add Application
  3. Choose “Web” and click Next
  4. Specify a Name for the application
  5. For “Base URI” specify the URI of NiFi (e.g. https://<nifi_fqdn>:9443/)
  6. For “Login redirect URIs” specify https://<nifi_fqdn>:9443/nifi-api/access/oidc/callback
  7. Click “Done”
    1. Note: The UI may hang. If so, just go to the Applications page and your application should now appear
  8. Click on your application, and go to the “General” tab
  9. Copy the “Client ID” and “Client secret” values for later use.

CONFIGURE NIFI TO USE OKTA AUTHENTICATION

  1. Identify the OIDC Discovery URL for your Okta instance
    1. This is a combination of your existing Okta Instance ID, and several static values. For example, if your Okta instance URL is https://dev-5307-admin.oktapreview.com/dev/console, your Instance ID is dev-5307-admin.oktapreview.com.

      Combine this with the following URL format to get the OIDC Discovery URL:

      https://<okta_instance_id>/.well-known/openid-configuration
  2. Edit conf/nifi.properties
    1. Find the “# OpenId Connect SSO Properties #” section
    2. Set the value of “nifi.security.user.oidc.discovery.url” to the value identified in Step 1.
    3. Set “nifi.security.user.oidc.client.id” and “nifi.security.user.oidc.client.secret” to the values obtained in the “Create the NiFi Application in Okta” section.
    4. Save your changes and quit the editor.

      Example configuration:
# OpenId Connect SSO Properties #
nifi.security.user.oidc.discovery.url=https://dev-5307-admin.oktapreview.com/.well-known/openid-configuration
nifi.security.user.oidc.connect.timeout=5 secs
nifi.security.user.oidc.read.timeout=5 secs
nifi.security.user.oidc.client.id=0oajzq89asdf7s878FASs7
nifi.security.user.oidc.client.secret=Wfdsf2oSDf3daBfYtDd4foXs13-nTawW
nifi.security.user.oidc.preferred.jwsalgorithm=

  3. Edit conf/authorizers.xml
    1. Find the first <userGroupProvider> section, and update <property name="Initial User Identity 1"></property> to include the user ID of your desired administrator, e.g.
<userGroupProvider>
    <identifier>file-user-group-provider</identifier>
    <class>org.apache.nifi.authorization.FileUserGroupProvider</class>
    <property name="Users File">./conf/users.xml</property>
    <property name="Legacy Authorized Users File"></property>
    <property name="Initial User Identity 1">user1@domain.com</property>
</userGroupProvider>

    2. Find the <accessPolicyProvider> section, and update <property name="Initial Admin Identity"></property> to include the user ID of your desired administrator, e.g.
<accessPolicyProvider>
    <identifier>file-access-policy-provider</identifier>
    <class>org.apache.nifi.authorization.FileAccessPolicyProvider</class>
    <property name="User Group Provider">file-user-group-provider</property>
    <property name="Authorizations File">./conf/authorizations.xml</property>
    <property name="Initial Admin Identity">user1@domain.com</property>
    <property name="Legacy Authorized Users File"></property>
    <property name="Node Identity 1"></property>
</accessPolicyProvider>

    3. Save your changes and quit the editor.
  4. Restart NiFi with bin/nifi.sh restart.
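As an added consistency check (example code written for this post, not from the NiFi project or the original author), the following Python script derives the discovery URL from an Okta console URL as in Step 1 and verifies that the nifi.properties and authorizers.xml edits above agree with each other before the final restart. It assumes the standard NiFi keys nifi.web.http.port and nifi.web.https.port that the TLS toolkit writes; the sample inputs are constructed from the walkthrough's own example values.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

def discovery_url(okta_console_url: str) -> str:
    """Step 1 above: the instance ID is the host of the console URL; the rest is static."""
    return f"https://{urlparse(okta_console_url).netloc}/.well-known/openid-configuration"

def parse_properties(text: str) -> dict:
    """Minimal .properties reader: key=value lines, '#' comments and blanks skipped."""
    pairs = (ln.partition("=") for ln in text.splitlines() if "=" in ln and not ln.lstrip().startswith("#"))
    return {k.strip(): v.strip() for k, _, v in pairs}

def provider_property(root, tag: str, identifier: str, name: str) -> str:
    """Text of <property name=NAME> inside the <TAG> whose <identifier> matches, else ''."""
    for prov in root.iter(tag):
        if prov.findtext("identifier") == identifier:
            return next(((p.text or "").strip() for p in prov.findall("property") if p.get("name") == name), "")
    return ""

def check_config(properties_text: str, authorizers_xml: str) -> list:
    """Return findings; an empty list means the edits are consistent with the walkthrough."""
    p, findings = parse_properties(properties_text), []
    url = p.get("nifi.security.user.oidc.discovery.url", "")
    if not re.fullmatch(r"https://[^/\s]+/\.well-known/openid-configuration", url):
        findings.append("discovery.url is not https://<okta_instance_id>/.well-known/openid-configuration")
    for key in ("nifi.security.user.oidc.client.id", "nifi.security.user.oidc.client.secret", "nifi.web.https.port"):
        if not p.get(key):
            findings.append(f"{key} is empty")
    if p.get("nifi.web.http.port"):  # the TLS toolkit blanks this; user login only works on the HTTPS listener
        findings.append("nifi.web.http.port is set alongside nifi.web.https.port")
    root = ET.fromstring(authorizers_xml)
    user = provider_property(root, "userGroupProvider", "file-user-group-provider", "Initial User Identity 1")
    admin = provider_property(root, "accessPolicyProvider", "file-access-policy-provider", "Initial Admin Identity")
    if not admin or admin != user:
        findings.append("Initial Admin Identity must be set and equal Initial User Identity 1")
    return findings

# Constructed sample input: the walkthrough's own example values plus the toolkit's port settings.
SAMPLE_PROPERTIES = """nifi.web.http.port=
nifi.web.https.port=9443
nifi.security.user.oidc.discovery.url=https://dev-5307-admin.oktapreview.com/.well-known/openid-configuration
nifi.security.user.oidc.client.id=0oajzq89asdf7s878FASs7
nifi.security.user.oidc.client.secret=Wfdsf2oSDf3daBfYtDd4foXs13-nTawW"""
SAMPLE_AUTHORIZERS = """<authorizers>
 <userGroupProvider><identifier>file-user-group-provider</identifier>
  <property name="Initial User Identity 1">user1@domain.com</property></userGroupProvider>
 <accessPolicyProvider><identifier>file-access-policy-provider</identifier>
  <property name="Initial Admin Identity">user1@domain.com</property></accessPolicyProvider>
</authorizers>"""
```

Run check_config against the real conf/nifi.properties and conf/authorizers.xml contents; any returned finding points at the step above that still needs attention.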