How can I secure a flow, i.e. how can I assert that only an authorized application can submit data to NiFi? Can I connect a flow to LDAP, for example, where I will have registered all the callers and their permissions (and policies)?

I have seen only the possibility to secure NiFi regarding the user that logs in but this is irrelevant to my question.

[Update 2/10/2017] Checking AWS IoT, I see that AWSCredentialsProviderControllerService is being used. Likewise, can we develop (is it actually recommended?) our own authentication/authorization service to protect our processes? Is there any such service for LDAP or DB integration?

1 Answer

It depends on how data is entering NiFi...

If you are doing site-to-site between NiFi instances, or from MiNiFi to NiFi, then permissions can be assigned per input port.

The external NiFi/MiNiFi instances would need a certificate to authenticate to the central NiFi, and they would need to be represented as users in the central NiFi and given the appropriate permissions.

This post shows an example of secure communication between two NiFi instances: https://bryanbende.com/development/2016/08/30/apache-nifi-1.0.0-secure-site-to-site

If the data is entering via a processor such as ListenHTTP, ListenTCP, or something similar, then it depends on how the processor is implemented. Most of those processors should provide two-way TLS/SSL, so that only a client that was issued a certificate from a given truststore would be able to connect.

In these cases, the callers don't need to be represented as users and given permissions because it is not the NiFi framework making the authorization decision, it is the processor.
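The following is an added example, not code from the question, the answer or the NiFi project. It models in Go the two mechanisms the answer describes: an HTTPS listener in the role of ListenHTTP that requires two-way TLS and accepts only client certificates chaining to the CA in its truststore, plus a per-path allow-list keyed on the client certificate's identity that stands in for NiFi's per-input-port permissions. All names are invented (the CA `demo-ca`, the caller `sensor-gateway`, the host `nifi.example.internal`, the path `/contentListener/orders`); certificates are minted in memory so it runs offline. In a real deployment this is configuration, not code: the processor's SSL Context Service points at the keystore and truststore, and NiFi uses the certificate's full DN as the identity rather than the CN used here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net/http"
	"net/http/httptest"
	"time"
)

// must aborts on setup failures (RNG or template errors); those are not the failure modes shown here.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issueCert mints an ECDSA P-256 certificate for cn: self-signed when isCA (a throwaway CA
// standing in for the one behind the truststore), otherwise signed by parent/parentKey.
func issueCert(cn string, isCA bool, parent *x509.Certificate, parentKey any) (*x509.Certificate, tls.Certificate) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: must(rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))),
		Subject:      pkix.Name{CommonName: cn},
		DNSNames:     []string{cn}, // lets the client verify the server by name
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}
	if isCA {
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage |= x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}
}

// portPolicy plays the role of NiFi's per-input-port permissions: the identity taken from the
// client certificate must have been granted the path it posts to (hypothetical path and caller).
var portPolicy = map[string]map[string]bool{"/contentListener/orders": {"CN=sensor-gateway": true}}

// ingest is the ListenHTTP stand-in. RequireAndVerifyClientCert on the listener guarantees a
// verified PeerCertificates[0] before it runs, so it only has to decide authorization.
func ingest(w http.ResponseWriter, r *http.Request) {
	identity := "CN=" + r.TLS.PeerCertificates[0].Subject.CommonName
	if !portPolicy[r.URL.Path][identity] {
		http.Error(w, identity+" is not authorized for "+r.URL.Path, http.StatusForbidden)
		return
	}
	w.WriteHeader(http.StatusOK)
}

// submit POSTs to url as one caller; passing no certificate models a caller that has none.
func submit(url string, roots *x509.CertPool, certs ...tls.Certificate) (int, error) {
	cfg := &tls.Config{RootCAs: roots, Certificates: certs, ServerName: "nifi.example.internal", MinVersion: tls.VersionTLS12}
	resp, err := (&http.Client{Transport: &http.Transport{TLSClientConfig: cfg}}).Post(url, "application/json", nil)
	if err != nil {
		return 0, err
	}
	resp.Body.Close()
	return resp.StatusCode, nil
}

// RunDemo stands up the two-way-TLS listener and exercises it with four callers: a trusted
// identity on its granted path and on an ungranted one, a caller with no certificate, and a
// caller whose certificate (same CN!) was issued by a CA that is not in the truststore.
func RunDemo() (authorized, wrongPort int, noCert, rogueCA error) {
	ca, caTLS := issueCert("demo-ca", true, nil, nil)
	_, serverTLS := issueCert("nifi.example.internal", false, ca, caTLS.PrivateKey)
	_, gateway := issueCert("sensor-gateway", false, ca, caTLS.PrivateKey)
	rogueIssuer, rogueIssuerTLS := issueCert("rogue-ca", true, nil, nil)
	_, rogue := issueCert("sensor-gateway", false, rogueIssuer, rogueIssuerTLS.PrivateKey)
	trust := x509.NewCertPool() // the "truststore": only chains ending in demo-ca are accepted
	trust.AddCert(ca)
	srv := httptest.NewUnstartedServer(http.HandlerFunc(ingest))
	srv.TLS = &tls.Config{
		Certificates: []tls.Certificate{serverTLS},
		ClientAuth:   tls.RequireAndVerifyClientCert, // two-way TLS: no trusted client cert, no connection
		ClientCAs:    trust,
		MinVersion:   tls.VersionTLS12,
	}
	srv.StartTLS()
	defer srv.Close()
	authorized, _ = submit(srv.URL+"/contentListener/orders", trust, gateway)
	wrongPort, _ = submit(srv.URL+"/contentListener/billing", trust, gateway)
	_, noCert = submit(srv.URL+"/contentListener/orders", trust)
	_, rogueCA = submit(srv.URL+"/contentListener/orders", trust, rogue)
	return
}

func main() {
	a, w, n, r := RunDemo()
	fmt.Printf("authorized=%d wrongPort=%d noCert=%v rogueCA=%v\n", a, w, n, r)
}
```

The two rejected callers never reach the handler: the TLS layer refuses them, which is the point the answer makes about the processor, not the NiFi framework, making the decision. The caller on the ungranted path does reach the handler and gets 403, which is the application-level check you would otherwise get from NiFi's input-port policies. Note that the rogue caller's certificate carries the same CN as the trusted one, so an allow-list on CN alone is only meaningful because the truststore check ran first.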