Uploaded image for project: 'Apache NiFi'
  1. Apache NiFi
  2. NIFI-1990

Implement consistent security controls for cluster, site-to-site, and API communications

    XMLWordPrintableJSON

    Details

      Description

      As discovered in NIFI-1981, edge cases in configuration of cluster communications over TLS without client authentication caused errors in the application. We should provide a consistent experience, from documentation to configuration to execution:

      • Machine to machine communication should have two settings – plaintext or TLS with mutual authentication.
        • Cluster
        • Site to Site
      • The API / UI should allow more granular control – plaintext, TLS with server authentication only, or TLS with mutual authentication. Some clients (API consumers, users in an enterprise environment) may have client certificates, but the majority will not, and TLS authentication of the server, and data integrity and confidentiality assurances should still be available.
        • Site to site over the API (see NIFI-1857) will respect this setting for the TLS handshake negotiation, but will manually enforce the presence of a client certificate in an HTTP header on any request arriving over HTTPS.

      The nifi.security.needClientAuth setting should be removed from nifi.properties. A new setting nifi.security.api.needClientAuth will be added, and documented to explicitly apply only to the API (and, by extension, Web UI).

        Attachments

          Issue Links

            Activity

              People

              • Assignee:
                alopresto Andy LoPresto
                Reporter:
                alopresto Andy LoPresto
              • Votes:
                1 Vote for this issue
                Watchers:
                3 Start watching this issue

                Dates

                • Created:
                  Updated: