nipyapi
Nifi Authentication using OpenID connect
- Nipyapi version: 0.13.2
- NiFi version: 1.9.2
- NiFi-Registry version: 0.4.0
- Python version: 3.7
- Operating System: Rhel 7
Description
We have automated Flow deployment process using nipyapi and it is working fine. Now, we are moving towards secured Nifi & Registry. Nifi is secured using OpenID connect (okta). So, nifi accepts user ID and password for authentication. How to use nipyapi to authenticate using OpenID connect?
What I Did
Urgency
We have already used nipyapi for flow deployment and we have to find a way to modify the code to make it run on secured nifi instance. Please advise.
@Chaffelson : I will need your advice on the above. I am trying Nifi flow deployment using nipyapi. Now we are moving towards tls+okta(openId) for authentication. I am looking at class nipyapi.nifi.apis.access_api.AccessApi. But any quick pointers will help.
Hi, I'm traveling today but may be able to look at it tomorrow. Have you examined the functions in NiPyAPI/security.py as a baseline that could be extended?
On Wed, 7 Aug 2019, 17:00 Sunil Saggar, [email protected] wrote:
@Chaffelson https://github.com/Chaffelson : I will need your advice on the above. I am trying Nifi flow deployment using nipyapi. Now we are moving towards tls+okta(openId) for authentication. I am looking at class nipyapi.nifi.apis.access_api.AccessApi. But any quick pointers will help.
@Chaffelson : It has just set_service_ssl_context which we will use to do only SSL/TLS handshake. For Authentication, nothing is there yet.
Also, I was trying postman for the following access APIs. It seems they don't give full functionality to get the access token. I tried running /access/oidc/request. It just initiates the request and sends us the okta web page. I am sure I might be missing something obvious?
@saggarsunil - we are trying the exact same thing (using KeyCloak to master all IAM / security metadata) and found that nifi really doesn’t play well with proxies and dynamic DNS environments. Still trying to figure out how to sensibly pass the tokens with ever changing K8S ports...
Happy to share any progress we make and looking forward to learning from your end as well.
@tomthebuzz : Thanks for the update.
Since we wanted to move past this, we have started using client certificates for an admin user. All other users will still authenticate using Okta.
I have seen some private work to implement good K8s Operators that handle certificates and identity behind a load balanced proxy, I believe it is expected to be published later this year. This could likely then be comfortably extended to support various SSO requirements.
Let me know if there's something specific that we could do to ease your automation with NiPy in the meantime.
I tried using
import nipyapi
# Swagger-generated client for the /access endpoints
access_api = nipyapi.nifi.AccessApi()
# GET /access/oidc/request: starts the OIDC login, answers with a redirect/HTML, not JSON
req = access_api.oidc_request()
But this doesn't work because /access/oidc/request redirects you to a page which needs browser interaction.
@Chaffelson How would one authenticate using OIDC here? I'd rather not force a user to paste a link in their browser, but that's not a deal breaker for me. It might be for others.
I must admit I have not tried it - these calls are derived directly from the swagger spec. If I speculate, I would look at possibly using the Chrome driver?
I'm not sure NiFi's OIDC authentication can be done programmatically (i.e., without human/browser interaction)
OIDC in general has something called a "device flow"; is that something that NiFi would have to implement as well, or can it just work by writing client code?
Do you think we can get the information we need to do the OIDC flow from access_api.oidc_request()? I can see in the debugger that there is an HTTP response, but the swagger api discards it because it's not a json type; it's HTML from whatever auth provider you choose. The request URL/header parameters and HTML response might have data you need to complete the auth cycle, but it all might be in an auth provider specific format. So that would be a no-go.
AFAIK, the device flow would require NiFi to explicitly support it.
In theory, the OIDC flow probably can be done with a custom client designed to interact with the HTML responses and imitate the browser in the OIDC login. Once the OIDC token is exchanged for a NiFi JWT token, that should be usable from the swagger client used by NiPyAPI (though I admit I am just speculating, and I'm not sure that client as-is allows for setting a custom auth token that it did not, itself, acquire).
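As an added example (not code from the nipyapi project or from anyone in this thread), the block below shows the two pieces a client has to deal with when NiFi is secured with OIDC: the redirect that /access/oidc/request hands back instead of JSON, and the NiFi-issued JWT that must eventually be presented as a bearer token. The authorization URL, the Okta hostname, the client_id and the sample JWT are all constructed fixtures; the `apply_token_to_nipyapi` helper assumes that nipyapi exposes its swagger configuration as `nipyapi.config.nifi_config` with the `tokenAuth` security scheme, which is how its own `service_login` stores a token, but that is an assumption about the library and is kept out of the runnable part.

```python
"""Inspect NiFi's OIDC hand-off and vet a JWT before using it as a bearer token.

Added example with constructed sample data; nothing here is nipyapi's own code.
"""
import base64
import json
import time
from urllib.parse import parse_qs, urlsplit

# Constructed sample: the Location header an OIDC-secured NiFi answers with for
# GET /nifi-api/access/oidc/request (hostname, client_id and state are made up).
SAMPLE_LOCATION = (
    "https://example.okta.com/oauth2/default/v1/authorize"
    "?response_type=code&client_id=0oaEXAMPLE&scope=openid+email&state=abc123"
    "&redirect_uri=https%3A%2F%2Fnifi.example.internal%3A9443"
    "%2Fnifi-api%2Faccess%2Foidc%2Fcallback"
)


def parse_authorize_redirect(location):
    """Split the provider authorization URL into the OIDC parameters NiFi chose."""
    parts = urlsplit(location)
    params = {k: v[0] for k, v in parse_qs(parts.query).items()}
    return {
        "provider": "%s://%s%s" % (parts.scheme, parts.netloc, parts.path),
        "response_type": params.get("response_type"),
        "client_id": params.get("client_id"),
        "redirect_uri": params.get("redirect_uri"),
        "state": params.get("state"),
    }


def needs_browser(redirect_info):
    """response_type=code is the authorization-code flow: an interactive login
    is required, so a headless client cannot finish it on its own."""
    return redirect_info["response_type"] == "code"


def _b64url_decode(segment):
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def inspect_jwt(token, now=None):
    """Decode a JWT's header and claims WITHOUT verifying the signature.

    Verification is NiFi's job when the token is presented; the client only
    avoids sending a token that is already expired or issued by someone else.
    """
    header_b64, payload_b64, _signature = token.split(".")
    header = json.loads(_b64url_decode(header_b64))
    claims = json.loads(_b64url_decode(payload_b64))
    now = time.time() if now is None else now
    return {
        "alg": header.get("alg"),
        "sub": claims.get("sub"),
        "iss": claims.get("iss"),
        "expired": claims.get("exp", 0) <= now,
    }


def make_sample_jwt(claims):
    """Build a structurally valid, unsigned sample token for offline testing.
    Constructed fixture only; a real NiFi token carries NiFi's signature."""
    def enc(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return enc({"alg": "HS256", "typ": "JWT"}) + "." + enc(claims) + ".sig"


def bearer_header(token):
    """Header NiFi expects once a JWT has been obtained by some other means."""
    return {"Authorization": "Bearer " + token}


def apply_token_to_nipyapi(token):
    """Hand an externally obtained NiFi JWT to nipyapi's swagger client.
    ASSUMPTION: nipyapi.config.nifi_config is a swagger Configuration and the
    security scheme is named 'tokenAuth'. Import is deferred so the rest of
    this file runs without nipyapi installed."""
    info = inspect_jwt(token)
    if info["expired"]:
        raise ValueError("refusing to configure an expired token")
    import nipyapi  # noqa: E402
    cfg = nipyapi.config.nifi_config
    cfg.api_key["tokenAuth"] = token
    cfg.api_key_prefix["tokenAuth"] = "Bearer"
    return info


if __name__ == "__main__":
    info = parse_authorize_redirect(SAMPLE_LOCATION)
    print("provider:", info["provider"], "browser needed:", needs_browser(info))
    sample = make_sample_jwt({"sub": "admin", "iss": "nifi", "exp": time.time() + 60})
    print(inspect_jwt(sample))
```

The redirect parser confirms what the thread observed: the response to /access/oidc/request is the start of an authorization-code flow (response_type=code), which cannot be completed without a browser, and the JWT helpers cover the other half of the speculation above, checking a token's expiry and issuer before an automated deployment presents it as a bearer credential.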
Any updates on this Issue? I'd simply love to use nipyapi with OIDC. I had to change all my helm chart deployment for NIFI to LDAP so that I could set it secure, but I just can't get over OIDC with all those new features to User Management.
I'm curious about any potential updates as well; I haven't tried actually implementing anything yet, but I've got this issue on my horizon as I just created OIDC integration for the official Docker container (which I'll be creating a JIRA issue and PR for in the coming weeks) and will need a way to programmatically log in. I may fall back to using 2-way SSL, but that presents an issue with getting my API client's cert trusted by NiFi in an AWS CodePipeline deployment workflow.
The best thing, long term, would be for nifi to support device flow. That would take discussion there on the [email protected] list, and a jira issue.
There is a channel in the nifi slack for http clients as well if you want to talk there; I can send you an invite if you want.