This repository has been archived by the owner on Feb 12, 2024. It is now read-only.

Feature/support certificate auth (#243)
Addresses Client Certificate authentication limited availability in existing chart. This is a standard authentication mechanism supported by Nifi. ref: https://nifi.apache.org/docs/nifi-docs/html/walkthroughs.html#securing-nifi-with-provided-certificates
gforeman02 authored Jun 27, 2022
1 parent 4a2a129 commit 396d246
Showing 5 changed files with 101 additions and 7 deletions.
4 changes: 3 additions & 1 deletion README.md
Expand Up @@ -134,9 +134,11 @@ The following table lists the configurable parameters of the nifi chart and the
| `properties.customLibPath` | Path of the custom libraries folder | `nil` |
| `properties.webProxyHost` | Proxy to access to Nifi through the cluster ip address | `Port:30236`
| **[Authentication](/doc/USERMANAGEMENT.md)** |
| **Single-user authentication** | Automatically disabled if OIDC or LDAP enabled
| **Single-user authentication** | Automatically disabled if Client Certificate, OIDC, or LDAP enabled
| `auth.singleUser.username` | Single user identity | `username` |
| `auth.singleUser.password` | Single user password | `changemechangeme` |
| **Client Certificate authentication** |
| `auth.clientAuth.enabled` | Enable User auth via Client Certificates | `false`
| **Ldap authentication** |
| `auth.admin` | Default admin identity | ` CN=admin, OU=NIFI` |
| `auth.ldap.enabled` | Enable User auth via ldap | `false` |
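Review bot: the new Client Certificate row documents only `auth.clientAuth.enabled`, yet the `configs/nifi.properties` change in this same commit also reads `auth.SSL.keystorePasswd` and `auth.SSL.truststorePasswd`, and the user guide relies on `properties.needClientAuth`; if those are not already listed elsewhere in this table, add rows for them so a reader of the README can enable the feature without opening the templates. Minor: the added row, like the `properties.webProxyHost` and Single-user rows above it, lacks the closing `|` and default column that the `auth.singleUser.*` and `auth.ldap.enabled` rows have.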
12 changes: 11 additions & 1 deletion configs/nifi.properties
Expand Up @@ -147,7 +147,17 @@ nifi.sensitive.props.algorithm={{ .Values.properties.algorithm }}
nifi.sensitive.props.provider=BC
nifi.sensitive.props.additional.keys=

{{if .Values.auth.ldap.enabled}}
{{if .Values.auth.clientAuth.enabled}}
nifi.security.keystore=/opt/nifi/nifi-current/config-data/certs/keystore.jks
nifi.security.keystoreType=jks
nifi.security.keystorePasswd={{.Values.auth.SSL.keystorePasswd}}
nifi.security.keyPasswd={{.Values.auth.SSL.keystorePasswd}}
nifi.security.truststore=/opt/nifi/nifi-current/config-data/certs/truststore.jks
nifi.security.truststoreType=jks
nifi.security.truststorePasswd={{.Values.auth.SSL.truststorePasswd}}
nifi.security.user.authorizer=managed-authorizer
nifi.security.user.login.identity.provider=
{{else if .Values.auth.ldap.enabled}}
nifi.security.keystore=/opt/nifi/nifi-current/conf/{{.Release.Name}}-nifi-0.{{.Release.Name}}-nifi-headless.{{.Release.Namespace}}.svc.cluster.local/keystore.jks
nifi.security.keystoreType=jks
nifi.security.keystorePasswd={{.Values.auth.SSL.keystorePasswd}}
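Review bot: the `{{if .Values.auth.clientAuth.enabled}} ... {{else if .Values.auth.ldap.enabled}}` ordering makes client-certificate mode silently win when both flags are set, so an operator who leaves `auth.ldap.enabled: true` while trying certificates gets no LDAP login and no warning; either document the precedence or abort the render (Helm's `fail` function) when both are enabled. Two smaller points in the same block: `nifi.security.keyPasswd` is filled from `auth.SSL.keystorePasswd`, so a keystore whose private-key password differs from the store password cannot be used without a separate value, and the keystore path is hard-coded to `config-data/certs/keystore.jks` while the LDAP branch derives its path from `.Release.Name`, which is why the cluster walkthrough in `doc/USERMANAGEMENT.md` has to override it through `safetyValve`.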
86 changes: 81 additions & 5 deletions doc/USERMANAGEMENT.md
@@ -1,24 +1,100 @@
User Authentication
=============

This helm chart provides three types of authentication: Single User, LDAP and OIDC. These three authtications can be managed essentialy from the `values.yaml` file.
This helm chart provides four types of authentication: Single User, Client Certificate, LDAP, and OIDC. These four authentication types can be managed essentialy from the `values.yaml` file.


## 1. Single User

The Single User authentication is the default authentication in this helm chart. To login like a single user, the values below must be setted in `values.yaml` file:
The Single User authentication is the default authentication in this helm chart. To login like a single user, the values below must be set in `values.yaml` file:

````
singleUser:
username: username
password: changemechangeme
````

## 2. OIDC

## 2. Client Certificate

Client Certificate authentication assumes a central Certificate Authority (CA) will issue a Client PKI Certificate and Server Certificate for the Nifi server.

Add keystore files to a Kubernetes secret:

````
kubectl create secret generic mysecrets \
--from-file=keystore.jks=/path/to/keystore.jks \
--from-file=truststore.jks=/path/to/truststore.jks
````

Make the Kubernetes secret available to the Nifi server. Update `values.yaml`:

````
secrets:
- name: mysecrets
keys:
- keystore.jks
- truststore.jks
mountPath: /opt/nifi/nifi-current/config-data/certs/
````

Enable the Nifi server to prompt for client certificates:

````
properties:
needClientAuth: true
````

Indicate Client Authentication mode configurations should be applied and set SSL values:

````
auth:
SSL:
keystorePasswd: <passwd>
truststorePasswd: <passwd>
clientAuth:
enabled: true
````

For cluster deployments, the example below illustrates how to create a 3 replica cluster with unique keystores.

Create the secret:

````
kubectl create secret generic mysecrets \
--from-file=<nifi-0 fqdn>.jks=/path/to/<nifi-0 fqdn>.jks \
--from-file=<nifi-1 fqdn>.jks=/path/to/<nifi-1 fqdn>.jks \
--from-file=<nifi-2 fqdn>.jks=/path/to/<nifi-2 fqdn>.jks \
--from-file=truststore.jks=/path/to/truststore.jks
````

Make the secret available to the replicas:

````
secrets:
- name: mysecrets
keys:
- <nifi-0 fqdn>.jks
- <nifi-1 fqdn>.jks
- <nifi-2 fqdn>.jks
- truststore.jks
mountPath: /opt/nifi/nifi-current/config-data/certs/
````

Add a safetyValve entry to align the container with the associated keystore:

````
properties:
safetyValve:
nifi.security.keystore: ${NIFI_HOME}/config-data/certs/${FQDN}.jks
````


## 3. OIDC

OpenID Connect (OIDC) is an open authentication protocol that profiles and extends OAuth 2.0 to add an identity layer. It can be used by an external identity provider to make authentication.

To enable OIDC user authentication, the values below must be setted in `values.yaml` file:
To enable OIDC user authentication, the values below must be set in `values.yaml` file:

````
oidc:
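Review bot: the new section never says what identity NiFi derives from a client certificate (the certificate's subject DN) or that the chart's initial admin identity `auth.admin` (README default `CN=admin, OU=NIFI`) must match that DN exactly, so a reader following these steps cannot tell why the first login is denied; add a sentence to that effect next to the `clientAuth: enabled: true` example. Also: `keystorePasswd: <passwd>` and `truststorePasswd: <passwd>` are rendered verbatim into `nifi.properties` by the `configs/nifi.properties` change, so the doc should say these values end up in the chart's rendered config and belong in a values file that is not committed; the `safetyValve` example uses `${FQDN}` without saying where that variable is defined in the container; and the typo `essentialy` is carried over into the rewritten intro line.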
Expand All @@ -33,7 +109,7 @@ oidc:
There are a lot of ID providers that can be used to perform an OIDC authentication. In our case, we have tested that with Keycloak. You will find an example of Keycloak config on this [page](https://github.com/cetic/helm-nifi/tree/feature/nifi_1.14.0/doc/KEYCLOAK.md).


## 3. LDAP
## 4. LDAP

Like OIDC, LDAP (Lightweight Directory Access Protocol) provide an external authentication. If you have your own LDAP, you can use it. If not, set `openldap.enabled` to `true` in `values.yaml` file to deploy a local instance of OpenLDAP.

3 changes: 3 additions & 0 deletions templates/statefulset.yaml
Expand Up @@ -159,6 +159,9 @@ spec:
"${NIFI_HOME}/conf/authorizers.xml"
xmlstarlet ed --inplace --update "//authorizers/accessPolicyProvider/property[@name='Initial Admin Identity']" -v {{ .Values.auth.oidc.admin | quote }} "${NIFI_HOME}/conf/authorizers.xml"
xmlstarlet ed --inplace --update "//authorizers/accessPolicyProvider/property[@name='Authorizations File']" -v './auth-conf/authorizations.xml' "${NIFI_HOME}/conf/authorizers.xml"
{{- else if .Values.auth.clientAuth.enabled }}
cat "${NIFI_HOME}/conf/authorizers.temp" > "${NIFI_HOME}/conf/authorizers.xml"
xmlstarlet ed --inplace --delete "//authorizers/authorizer[identifier='single-user-authorizer']" "${NIFI_HOME}/conf/authorizers.xml"
{{- else if .Values.auth.singleUser.username }}
bin/nifi.sh set-single-user-credentials {{ .Values.auth.singleUser.username }} {{ .Values.auth.singleUser.password }}
{{- end }}
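Review bot: the `clientAuth` branch deletes the `single-user-authorizer` from `authorizers.xml` but, unlike the OIDC branch above it, never sets the `Initial Admin Identity` property of the `accessPolicyProvider`; unless `authorizers.temp` already carries `auth.admin` there, the managed authorizer starts with no admin and the certificate holder cannot log in. Suggest mirroring the OIDC line, e.g. `xmlstarlet ed --inplace --update "//authorizers/accessPolicyProvider/property[@name='Initial Admin Identity']" -v {{ .Values.auth.admin | quote }} "${NIFI_HOME}/conf/authorizers.xml"`. It would also help to guard this branch with `.Values.properties.needClientAuth`, since without it the server never requests a client certificate and, with `nifi.security.user.login.identity.provider` left empty in `nifi.properties`, there is no authentication path at all.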
3 changes: 3 additions & 0 deletions values.yaml
Expand Up @@ -123,6 +123,9 @@ auth:
username: username
password: changemechangeme # Must to have at least 12 characters

clientAuth:
enabled: false

ldap:
enabled: false
host: #ldap://<hostname>:<port>
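Review bot: the new `clientAuth.enabled` key ships with no comment, while the neighbouring `host: #ldap://<hostname>:<port>` shows the file's convention of hinting at what a key needs; add a comment that enabling it also requires `properties.needClientAuth: true`, `auth.SSL.keystorePasswd` / `auth.SSL.truststorePasswd`, and the mounted keystore/truststore secret described in `doc/USERMANAGEMENT.md`, and that it takes precedence over `singleUser` and `ldap` when set.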
