As part of my experimentation with MiNiFi and Secure Clusters, it became evident to me that the current authorization model (based on internally managed UUIDs and Groups) will be particularly challenging to manage in the long run. 

The main issue seems to be NiFi 1.x's reliance on unique IDs for granular component access control, which, while excellent from a UI perspective, may become challenging when hundreds or thousands of MiNiFi agents must each be assigned an ID in order to access Remote Process Groups and ports.

 

This feature proposal would introduce a new type of principal that uses the Issuer of a certificate as the principal for authorization purposes (instead of just using the common name or subject alternative names).

 

The overall idea is to allow any number N of MiNiFi clients to communicate securely with a secure NiFi cluster without falling back to coarse-grained access control over flow components, and without relying on sharing digital certificates across multiple agents (something that is VERY poor practice).
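A sketch of the lookup this proposal implies, added here as an illustration and not code from NiFi or MiNiFi: a policy can name either a subject or an issuer, and a client matches if either of its two DNs is listed under the right kind. It assumes the TLS layer has already validated the client certificate chain against the truststore; every function name, DN and resource string below is constructed for the example.

```python
import re
from typing import NamedTuple


class ClientIdentity(NamedTuple):
    subject: str  # subject DN of the already-validated client certificate
    issuer: str   # issuer DN of the same certificate


def normalize_dn(dn: str) -> tuple:
    """Canonical form for comparison: split on unescaped commas, trim
    whitespace, and compare attribute types and values case-insensitively."""
    rdns = []
    for part in re.split(r"(?<!\\),", dn):
        key, _, value = part.partition("=")
        rdns.append((key.strip().upper(), " ".join(value.split()).casefold()))
    return tuple(rdns)


def principals_for(client: ClientIdentity) -> set:
    """Every principal the client can be authorized as. The kind tag keeps a
    subject DN from ever satisfying an issuer policy, and vice versa."""
    return {("subject", normalize_dn(client.subject)),
            ("issuer", normalize_dn(client.issuer))}


def is_authorized(client: ClientIdentity, resource: str, policies: dict) -> bool:
    allowed = {(kind, normalize_dn(dn)) for kind, dn in policies.get(resource, ())}
    return bool(principals_for(client) & allowed)


# Constructed sample policy: one issuer principal covers the whole agent fleet,
# one subject principal covers a single named user.
FLEET_CA = "CN=MiNiFi Fleet CA, OU=NIFI"
PORT = "input-port/from-minifi"  # placeholder resource name, not a NiFi path
POLICIES = {PORT: [("issuer", FLEET_CA), ("subject", "CN=nifi-admin, OU=NIFI")]}


def demo():
    # Three agents, each with its own certificate, all issued by the fleet CA.
    agents = [ClientIdentity(f"CN=minifi-agent-{i:04d}, OU=NIFI",
                             "cn=MiNiFi Fleet CA,ou=nifi") for i in range(1, 4)]
    # Same subject name, but issued by a different CA.
    outsider = ClientIdentity("CN=minifi-agent-0001, OU=NIFI", "CN=Other CA, OU=NIFI")
    return ([is_authorized(a, PORT, POLICIES) for a in agents],
            is_authorized(outsider, PORT, POLICIES))
```

Because every certificate issued by the named CA matches, the issuer used as a principal should be a CA dedicated to the agent fleet rather than one shared with other clients.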

 

The following diagram shows how this would work:

[Diagram: Simplified MiNiFi to NiFi authorization]

 


1 Comment

  1. Aldrin Piri I suspect I don't have access to the MINIFI space so I ended up creating this in here