How to add groups only, to be used for openid? #460
Comments
This was only supported starting in Apache NiFi v1.23.0: https://issues.apache.org/jira/browse/NIFI-11492 As long as the group name in Keycloak exactly matches the name of the group in NiFi, the user will be granted the group's authorizations.
Thank you. That's good to know. Frankly, I'm really struggling running NiFi. I've so far only managed to get it running in Single User Mode (funnily enough, authentication through OpenID works regardless). If I disable that (and disable the single user authorizer) I always get the error that the data/users.xml can't be found. This also doesn't change if I actually add NifiUser (and NifiUserGroup) resources to k8s.
Yes, I have. The issue, however, isn't the connection from Keycloak to NiFi, but having NiFi not terminate due to a file missing. Unless I've overlooked something within that sample. Edit: Hmm.. I see the singleUser authorizer isn't disabled there. I'll have another go at that then. Just to clarify: To create a group in NiFi I just use the "NifiUserGroup" resource?
Yes, to have the operator create a group in NiFi for you, use the NifiUserGroup resource. I've never deployed a NiFi with single user configuration and tried to migrate it to use the standard one. You cannot use both the single user authorizer and configure users and groups. It's one or the other.
I'm pretty sure it's not possible. When the single user authorizer is configured, the user and group configuration isn't configurable in the NiFi UI, so I'm guessing that it's not configurable.
@AlexEndris My recommendation would be to deploy a fresh NiFi cluster and configure it like in NIFI-11492: as long as an authenticating user belongs to a group (coming from Keycloak) that exactly matches a group in NiFi, then that user will be authorized. See this unit test in NiFi for how the logic works.
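The two replies above (NIFI-11492 and the "exact match" rule) are the whole mechanism, and most failures come down to the string in the token not being byte-for-byte identical to the group name NiFi holds. The script below is an added example, not NiFi or NiFiKop code: it decodes a constructed ID token without verifying it (inspection only), applies exact-match group resolution the way NIFI-11492 describes it, and reports near misses (case, whitespace, or the leading `/` that Keycloak's group mapper adds when "Full group path" is enabled). The claim name `groups`, the sample group names, and the policies are assumptions for the demo; which claim NiFi reads is configured in nifi.properties, and the authoritative group name is whatever NiFi shows in its Users view (or `GET /nifi-api/tenants/user-groups`), not necessarily the Kubernetes resource name.

```python
from __future__ import annotations

import base64
import json
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Policy:
    resource: str  # NiFi resource, e.g. "/flow", "/counters", "/policies"
    action: str    # "read" or "write"


@dataclass
class NifiGroup:
    name: str                                       # identity exactly as NiFi shows it
    policies: set[Policy] = field(default_factory=set)
    members: set[str] = field(default_factory=set)  # users added explicitly (NifiUser CRs)


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def build_unsigned_token(claims: dict) -> str:
    """Constructed alg=none ID token, used only to fabricate sample input."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}."


def decode_unverified_claims(id_token: str) -> dict:
    """Payload of a compact JWT with NO signature check.

    Use it only to see which claim Keycloak puts the groups in and how the names
    are spelled; never base an authentication decision on its output.
    """
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def claimed_groups(claims: dict, groups_claim: str) -> list[str]:
    value = claims.get(groups_claim, [])
    return [value] if isinstance(value, str) else list(value)  # some IdPs emit one string


def effective_groups(identity: str, claims: dict, groups: list[NifiGroup],
                     groups_claim: str = "groups") -> set[str]:
    """Explicit memberships plus claim values that exactly equal a NiFi group name."""
    names = {g.name for g in groups}
    from_claim = {c for c in claimed_groups(claims, groups_claim) if c in names}
    explicit = {g.name for g in groups if identity in g.members}
    return from_claim | explicit


def is_authorized(identity: str, claims: dict, groups: list[NifiGroup],
                  resource: str, action: str, groups_claim: str = "groups") -> bool:
    wanted = Policy(resource, action)
    by_name = {g.name: g for g in groups}
    return any(wanted in by_name[n].policies
               for n in effective_groups(identity, claims, groups, groups_claim))


def near_misses(claims: dict, groups: list[NifiGroup],
                groups_claim: str = "groups") -> list[tuple[str, str]]:
    """Claim values that match a NiFi group only after trimming, case-folding or
    dropping a leading '/'. A non-empty result explains most "I am in the group
    but still get 403" reports."""
    def norm(s: str) -> str:
        return s.strip().lstrip("/").casefold()
    names = {g.name for g in groups}
    return [(c, n) for c in claimed_groups(claims, groups_claim) if c not in names
            for n in names if norm(c) == norm(n)]


# Constructed sample: two groups as NifiUserGroup resources might create them.
SAMPLE_GROUPS = [
    NifiGroup("admin", {Policy("/flow", "read"), Policy("/flow", "write"),
                        Policy("/policies", "read"), Policy("/policies", "write")}),
    NifiGroup("viewer", {Policy("/flow", "read")}, members={"bob"}),
]


def demo() -> dict:
    alice = decode_unverified_claims(build_unsigned_token(
        {"preferred_username": "alice", "groups": ["admin"]}))
    carol = decode_unverified_claims(build_unsigned_token(
        {"preferred_username": "carol", "groups": ["Admin", "/viewer"]}))
    return {
        # alice has no NifiUser resource at all; the exactly matching group suffices
        "alice_writes_flow": is_authorized("alice", alice, SAMPLE_GROUPS, "/flow", "write"),
        # carol's claim values differ only in case / path prefix, so she gets nothing
        "carol_reads_flow": is_authorized("carol", carol, SAMPLE_GROUPS, "/flow", "read"),
        "carol_near_misses": near_misses(carol, SAMPLE_GROUPS),
        # bob was added explicitly and logs in with no groups claim at all
        "bob_reads_flow": is_authorized("bob", {"preferred_username": "bob"},
                                        SAMPLE_GROUPS, "/flow", "read"),
        "bob_writes_flow": is_authorized("bob", {}, SAMPLE_GROUPS, "/flow", "write"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of `near_misses` is the diagnostic step: pull a real ID token for the user from Keycloak, run it through `decode_unverified_claims`, and compare the claim values against the names NiFi reports for its groups before touching any policy.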
@mh013370 As it's still in evaluation, I won't migrate anything and will just create a new one. That's not a problem. I will have another look. Thank you very much for your help with this.
Not sure why, but maybe you didn't configure an authentication method at all. At least one method must be configured among singleUser, OIDC, LDAP, SAML, etc.
That might be it, although I could swear I had the OIDC with Keycloak configured. I'll have another stroll down the rabbit hole on Monday. Maybe it is as easy as that and I was just too deep to see it. Thank you!
@juldrixx I've tried the following values for the nifi-cluster helm chart to instantiate the cluster. It keeps starting and terminating.

```yaml
cluster:
  nodeUserIdentityTemplate: node-%d
  controllerUserIdentity: "nifi-controller"
  listenersConfig:
    internalListeners:
      - type: "https"
        name: "https"
        containerPort: 8443
      - type: "cluster"
        name: "cluster"
        containerPort: 6007
      - type: "s2s"
        name: "s2s"
        containerPort: 10000
      - type: "prometheus"
        name: "prometheus"
        containerPort: 9090
    sslSecrets:
      tlsSecretName: "test"
      create: true
  externalServices:
    - name: "nifi-cluster-ip"
      spec:
        type: ClusterIP
        portConfigs:
          - port: 8443
            internalListenerName: "https"
  nifiProperties:
    webProxyHosts:
      - nifi.example.com
    overrideConfigs: |
      nifi.web.proxy.context.path=/
      nifi.sensitive.props.key=changemequickly
      nifi.security.user.oidc.discovery.url=https://keycloak.url.com
      nifi.security.user.oidc.client.id=nifi
      nifi.security.user.oidc.client.secret=myultrasecret
      nifi.security.user.oidc.additional.scopes=offline_access,email
      nifi.security.user.oidc.fallback.claims.identifying.user=preferred_username
zookeeper:
  enabled: true
```

The user and usergroup:

```yaml
apiVersion: nifi.konpyutaika.com/v1
kind: NifiUserGroup
metadata:
  name: test
  namespace: nifi-cluster
spec:
  clusterRef:
    name: nifi-cluster
    namespace: nifi-cluster
  usersRef:
    - name: test
  accessPolicies:
    # defines the kind of access policy, could be "global" or "component".
    - type: global
      # defines the kind of action that will be granted, could be "read" or "write"
      action: read
      # resource defines the kind of resource targeted by this access policy, please refer to the following page:
      # https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#access-policies
      resource: /counters
---
apiVersion: nifi.konpyutaika.com/v1
kind: NifiUser
metadata:
  name: test
  namespace: nifi-cluster
spec:
  # identity field is used to define the user identity on the NiFi cluster side;
  # it is useful when the user's name doesn't suit the Kubernetes resource name.
  identity: [email protected]
  # Contains the reference to the NifiCluster with which this user is linked.
  clusterRef:
    name: nifi-cluster
    namespace: nifi-cluster
  # Whether or not the operator also includes a Java keystore format (JKS) with your secret
  includeJKS: false
  # Whether or not a certificate will be created for this user.
  createCert: true
```

This is what I get during start up in the logs:

Am I missing something? According to what you said, this should suffice for it to run. I don't really know what I can do differently here.

Edit:
@AlexEndris same error here
Type of question
General Context
Support question
Hi,
I'm trying to set up NiFi using NiFiKop with Keycloak. I've been able to log in through Keycloak, but how do I set up the groups (and thus access) for those users without having to add every single user as another k8s resource? All I need is a group mapping so that, say, if a user is part of the group "admin" he gets all rights, etc. No need to have user duplicates.
Can you maybe point me in the right direction?
NiFiKop version
1.10.0
Golang version
No response
Kubernetes version
1.26.5
NiFi version
1.26.0