Configuring NiFi Authentication and Proxying with Apache Knox

Creating an Advanced Topology

  1. As the Knox user, create flow-management.xml in /usr/hdp/current/knox-server/conf/topologies.
  2. Add the following content to flow-management.xml:

    If you have modified the ShiroProvider in the topology specified in the Advanced Topology section of the Ambari Knox configs, and you want Flow Management topology users to be authenticated in the same way as Advanced Topology users, make sure the content you add here reflects those same modifications.

    <?xml version="1.0" encoding="utf-8"?>
    <!--
      Licensed to the Apache Software Foundation (ASF) under one or more
      contributor license agreements.  See the NOTICE file distributed with
      this work for additional information regarding copyright ownership.
      The ASF licenses this file to You under the Apache License, Version 2.0
      (the "License"); you may not use this file except in compliance with
      the License.  You may obtain a copy of the License at
    
          http://www.apache.org/licenses/LICENSE-2.0
    
      Unless required by applicable law or agreed to in writing, software
      distributed under the License is distributed on an "AS IS" BASIS,
      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
      See the License for the specific language governing permissions and
      limitations under the License.
    -->
    <topology>
      <gateway>
        <provider>
          <role>authentication</role>
          <name>ShiroProvider</name>
          <enabled>true</enabled>
          <param>
            <name>sessionTimeout</name>
            <value>30</value>
          </param>
          <param>
            <name>redirectToUrl</name>
            <value>/gateway/knoxsso/knoxauth/login.html</value>
          </param>
          <param>
            <name>restrictedCookies</name>
            <value>rememberme,WWW-Authenticate</value>
          </param>
          <param>
            <name>main.ldapRealm</name>
            <value>org.apache.hadoop.gateway.shirorealm.KnoxLdapRealm</value>
          </param>
          <param>
            <name>main.ldapContextFactory</name>
            <value>org.apache.hadoop.gateway.shirorealm.KnoxLdapContextFactory</value>
          </param>
          <param>
            <name>main.ldapRealm.contextFactory</name>
            <value>$ldapContextFactory</value>
          </param>
          <param>
            <name>main.ldapRealm.userDnTemplate</name>
            <value>uid={0},ou=people,dc=hadoop,dc=apache,dc=org</value>
          </param>
          <param>
            <name>main.ldapRealm.contextFactory.url</name>
            <value>ldap://localhost:33389</value>
          </param>
          <param>
            <name>main.ldapRealm.authenticationCachingEnabled</name>
            <value>false</value>
          </param>
          <param>
            <name>main.ldapRealm.contextFactory.authenticationMechanism</name>
            <value>simple</value>
          </param>
          <param>
            <name>urls./**</name>
            <value>authcBasic</value>
          </param>
        </provider>
        <provider>
          <role>identity-assertion</role>
          <name>Default</name>
          <enabled>true</enabled>
        </provider>
      </gateway>
      <service>
        <role>NIFI</role>
        <url>$NIFI_HTTP_SCHEME://$NIFI_HOST:$NIFI_HTTP_SCHEME_PORT</url>
        <param name="useTwoWaySsl" value="true"/>
      </service>
    </topology>
    

    Where:

    • $NIFI_HTTP_SCHEME specifies whether NiFi is communicating over HTTP or HTTPS.
    • $NIFI_HOST is the FQDN of the host machine on which NiFi is running.
    • $NIFI_HTTP_SCHEME_PORT specifies the port on which NiFi is listening; the value depends on whether NiFi uses HTTP or HTTPS. In Advanced nifi-ambari-ssl-config, if Enable SSL? is selected, use the port specified by NiFi HTTP port (SSL); otherwise use the port specified by NiFi HTTP port (non-SSL). Both port values are listed in Advanced nifi-ambari-config.
  3. Save the configuration and restart Knox, or continue by configuring Knox SSO.
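Before restarting Knox it is worth checking that the saved topology still carries the security-relevant settings from the template above: an enabled authentication and identity-assertion provider, a urls.* rule, authentication caching left off, useTwoWaySsl set when NiFi is on HTTPS, and no unresolved $NIFI_* placeholders. The following checker is an added example written for this page, not part of Knox or NiFi; the sample topology and host name inside it are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample: a flow-management.xml shaped like the one on this page,
# with the $NIFI_* placeholders already filled in for an HTTPS NiFi (made-up host).
SAMPLE_TOPOLOGY = """<topology>
  <gateway>
    <provider><role>authentication</role><name>ShiroProvider</name><enabled>true</enabled>
      <param><name>main.ldapRealm.authenticationCachingEnabled</name><value>false</value></param>
      <param><name>urls./**</name><value>authcBasic</value></param>
    </provider>
    <provider><role>identity-assertion</role><name>Default</name><enabled>true</enabled></provider>
  </gateway>
  <service>
    <role>NIFI</role>
    <url>https://nifi.example.internal:9091</url>
    <param name="useTwoWaySsl" value="true"/>
  </service>
</topology>"""

def check_topology(xml_text):
    """Return a list of problems found in a Knox topology that fronts NiFi."""
    root = ET.fromstring(xml_text)
    problems = []
    providers = {p.findtext("role"): p for p in root.iter("provider")}
    for role in ("authentication", "identity-assertion"):
        prov = providers.get(role)
        if prov is None or prov.findtext("enabled") != "true":
            problems.append("no enabled %s provider" % role)
    auth = providers.get("authentication")
    if auth is not None:
        params = {p.findtext("name"): p.findtext("value") for p in auth.findall("param")}
        # the template on this page disables authentication caching; flag any deviation
        if params.get("main.ldapRealm.authenticationCachingEnabled") != "false":
            problems.append("main.ldapRealm.authenticationCachingEnabled is not false")
        if not any(k.startswith("urls.") for k in params):
            problems.append("no urls.* rule, so no path requires authentication")
    nifi = [s for s in root.iter("service") if s.findtext("role") == "NIFI"]
    if not nifi:
        problems.append("no NIFI service defined")
    for svc in nifi:
        url = svc.findtext("url") or ""
        if "$" in url:  # template placeholder left in place
            problems.append("unresolved placeholder in NIFI url: " + url)
        two_way = {p.get("name"): p.get("value") for p in svc.findall("param")}.get("useTwoWaySsl")
        if url.startswith("https://") and two_way != "true":
            problems.append("HTTPS NiFi without useTwoWaySsl=true")
    return problems
```

Run it against the real file with check_topology(open("/usr/hdp/current/knox-server/conf/topologies/flow-management.xml").read()); an empty list means the checks passed.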