THIS IS A TEST INSTANCE. ALL YOUR CHANGES WILL BE LOST!!!!
| Page properties | ||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
Goals
- Provide new authentication mechanisms inclusive of a foundational framework that allows specific authentication providers. Best in class for this situation appears from a cursory standpoint to be JAAS
- Build the needed extensions and configuration to allow for multiple providers along the likes of LDAPUsername/Password, Kerberos, OAuth/OpenID Connect, etc.
- Extend Update the UI to provide a consistent user experience for interfacing with any of the various providers support supplying username/password when configured.
Background and strategic fit
Current security mechanisms are Spring based and heavily bound to exclusively a PKI powered system. There has been wide community request for supporting of additional mechanisms as they look to provide integration of NiFi into existing enterprise facilities. Work to this end would allow the assignment of roles within NiFi instancesUsing Spring Security allows for supporting any of these options.
Assumptions
Requirements
| # | Title | User Story | Importance | Notes |
|---|---|---|---|---|
| 1 | Provide a framework for implementing Implementing multiple authentication providers | There are wide and varying authentication mechanisms in place across various enterprises. Accordingly, it is important to provide a consistent interface for integration within various environments as well as providing a basis for custom implementations. | JAAS seems to be best in class. Alternatives? | |
| 2 | LDAP Username/Password Provider | |||
| 3 | Kerberos Provider | |||
| 4 | PKI Provider | |||
| 5 | OAuth2/OpenID Connect |
User interaction and design
...
| Question | Outcome |
|---|---|
| What best addresses the problem in terms of our needs and technology? Dispelling differences between SASL and JAAS and their applicability. | By sticking with Spring Security we can offer support for both |
| What is a core set of providers that cover most needs? | PKI, Username/Password, Keberos |
| How does this affect user model in terms of groups and access? How does it affect our compliance with SCIM? | It does not affect it. This simply provides support for identifying a user. Access and groups are handled by the AuthorityProvier |
| How does this affect the authority provider? | It does not impact the AuthorityProvider |
| When using Username/Password how do we establish site to site communication? Do we support creating new users via the UI? | Will likely not support creating new users via the UI and will require the admin to provide the credentials which will be input when configuring the Remote Process Group. |
| When using OpenId Connect how do we establish site to site communication? |