Using certificates for authentication and authorization with NiFi is not recommended, but it is carried over from legacy NiFi and is still supported. These instructions require openssl and Java's keytool.
- Create a cert and key for user1.

    openssl req -x509 -newkey rsa:2048 -keyout user1-key.pem -out user1-cert.pem -days 3650 -subj "/CN=user1" -nodes

- Add the user1 cert to NiFi's truststore. This will create a truststore if it doesn't already exist.

    keytool -importcert -v -trustcacerts -alias user1 -file /path/to/user1-cert.pem -keystore /path/to/truststore.jks -storepass mysupersecretpassword -noprompt

- Stop NiFi if running.
- Ensure the following properties are set in nifi.properties:

    nifi.security.truststore=/path/to/truststore.jks
    nifi.security.truststoreType=JKS
    nifi.security.truststorePasswd=mysupersecretpassword

- Add user1 and desired roles to NiFi's authorized-users.xml. If the file doesn't exist, create it using this example. The following will grant user1 all privileges:

    <users>
      ...
      <user dn="CN=user1">
        <role name="ROLE_ADMIN"/>
        <role name="ROLE_DFM"/>
        <role name="ROLE_MONITOR"/>
        <role name="ROLE_PROVENANCE"/>
        <role name="ROLE_NIFI"/>
        <role name="ROLE_PROXY"/>
      </user>
      ...
    </users>

- Ensure the following properties are set in authorizers.xml:

    ...
    <userGroupProvider>
      ...
      <property name="Legacy Authorized Users File">/path/to/authorized-users.xml</property>
      ...
    </userGroupProvider>
    ...
    <accessPolicyProvider>
      ...
      <property name="Legacy Authorized Users File">/path/to/authorized-users.xml</property>
      ...
    </accessPolicyProvider>
    ...

- Delete NiFi's authorizations.xml and users.xml files if they exist. They will be recreated on startup.
- Start NiFi.
- Create a PFX file for user1 from the cert and key created earlier.

    openssl pkcs12 -inkey /path/to/user1-key.pem -in /path/to/user1-cert.pem -export -out user1.pfx -passout pass:anothersupersecretpassword

- Have user1 install the cert to their browser. Here are instructions for Chrome on Windows.
- Navigate to NiFi in the browser. To log in, choose the cert when prompted.
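
Before the restart, the three files edited above can be cross-checked for the mistakes this procedure makes easy: a missing truststore property, the two providers pointing at different legacy user files, and a DN that holds every role. The following is an added example, not part of the original instructions or of NiFi itself; the function names, the sample file contents and the `<authorizers>` root element in the sample are assumptions.

```python
import xml.etree.ElementTree as ET

# Role names and property keys below are the ones shown on this page.
KNOWN_ROLES = {"ROLE_ADMIN", "ROLE_DFM", "ROLE_MONITOR",
               "ROLE_PROVENANCE", "ROLE_NIFI", "ROLE_PROXY"}
TRUSTSTORE_KEYS = tuple("nifi.security.truststore" + s for s in ("", "Type", "Passwd"))
LEGACY_PROP = "Legacy Authorized Users File"

def parse_properties(text):
    """Parse key=value lines, skipping # comments."""
    pairs = (l.split("=", 1) for l in text.splitlines()
             if "=" in l and not l.lstrip().startswith("#"))
    return {k.strip(): v.strip() for k, v in pairs}

def legacy_file(root, provider_tag):
    """Return the legacy users file path set on a provider, or None."""
    texts = [(p.text or "").strip() for p in root.iterfind(f".//{provider_tag}/property")
             if p.get("name") == LEGACY_PROP]
    return texts[0] if texts and texts[0] else None

def audit(properties_text, users_xml, authorizers_xml):
    """Return a list of findings; an empty list means nothing to review."""
    props = parse_properties(properties_text)
    findings = [f"nifi.properties: {k} is not set"
                for k in TRUSTSTORE_KEYS if not props.get(k)]
    root = ET.fromstring(authorizers_xml)
    ugp, app = (legacy_file(root, t) for t in ("userGroupProvider", "accessPolicyProvider"))
    if not ugp or not app:
        findings.append("authorizers.xml: legacy users file missing on a provider")
    elif ugp != app:
        findings.append(f"authorizers.xml: providers disagree ({ugp} vs {app})")
    for user in ET.fromstring(users_xml).iter("user"):
        dn = user.get("dn") or "<missing dn>"
        roles = {r.get("name") for r in user.iter("role")}
        findings += [f"{dn}: unknown role {r}" for r in sorted(roles - KNOWN_ROLES, key=str)]
        if KNOWN_ROLES <= roles:
            findings.append(f"{dn}: holds every role, confirm this is intended")
    return findings

# Constructed sample files (not from a real deployment).
SAMPLE_PROPS = "nifi.security.truststore=/path/to/truststore.jks\nnifi.security.truststoreType=JKS\n"
SAMPLE_USERS = ('<users><user dn="CN=user1">'
                + "".join(f'<role name="{r}"/>' for r in sorted(KNOWN_ROLES))
                + '</user><user dn="CN=user2"><role name="ROLE_MONITOR"/></user></users>')
_PROVIDER = '<{0}><property name="Legacy Authorized Users File">{1}</property></{0}>'
SAMPLE_AUTHORIZERS = ("<authorizers>" + _PROVIDER.format("userGroupProvider", "/path/to/authorized-users.xml")
                      + _PROVIDER.format("accessPolicyProvider", "/other/authorized-users.xml") + "</authorizers>")
if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_PROPS, SAMPLE_USERS, SAMPLE_AUTHORIZERS)))
```

To check a real installation, pass the contents of nifi.properties, authorized-users.xml and authorizers.xml to `audit()` in place of the samples.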