palindromicity / dotifi

dotifi is a python package for creating graphviz dot files and images from Apache NiFi canvases
Apache License 2.0

Connect to NiFi using JWT/User Token #62

Closed ChrisSamo632 closed 4 years ago

ChrisSamo632 commented 4 years ago

Is your feature request related to a problem? Please describe. We have NiFi running in Kubernetes with an Ingress protected by a Let's Encrypt certificate, then NiFi is using an Open ID Connect provider for Authentication of user credentials (ultimately resulting in a user auth token being issued by NiFi to the user's browser once it's received the JWT from the OIDC provider).

Describe the solution you'd like dotifi to allow specification of a user's token via a command line parameter/environment variable (and/or in the config.yaml, although that's likely to be less secure).

While it would be nice for the full OIDC code flow to be available in the tool, I suspect that's not realistic.

Describe alternatives you've considered Certificate authentication is possible when running the dotifi process within the Kubernetes namespace (our NiFi cluster is protected using nifi-toolkit produced certificates), but that makes it more difficult to obtain the diagram files from within the Pod.

Additional context NiPyApi allows setting of a security token via nipyapi.security.set_service_auth_token(token=jwt, service=service), then subsequent calls to NiPyApi methods work as normal.

May need to be able to specify SSL certificates along with the token. In my case I'd generally expect the Let's Encrypt ingress to be trusted by the user's O/S, but if bespoke certs are used to protect the NiFi endpoint then a CA would need to be provided to allow trust.

The user's JWT can be obtained via their browser's Dev Tools (e.g. F12 in Chrome) and looking for the jwt entry from their NiFi website domain within their Local Storage.
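The following is an added example (not part of the issue, dotifi, or NiPyApi) showing how a CLI such as dotifi could take the user token the way this request describes: from a command-line parameter first, then an environment variable, and only as a last resort from config.yaml, with an optional CA bundle for a bespoke certificate. Before handing the token to NiPyApi it checks the JWT's `exp` claim so the tool fails fast on an expired token rather than with a 401 from NiFi (no signature verification is attempted; NiFi does that). `nipyapi.security.set_service_auth_token` is the call named in the issue; `nipyapi.config.nifi_config.host` and `nipyapi.security.set_service_ssl_context(service=..., ca_file=...)` are assumed from my reading of NiPyApi, and the environment variable names `NIFI_AUTH_TOKEN` and `NIFI_CA_BUNDLE` are hypothetical.

```python
"""Resolve a NiFi user token for a dotifi-style CLI and hand it to NiPyApi.

Added example; NIFI_AUTH_TOKEN / NIFI_CA_BUNDLE are hypothetical names.
"""
import argparse
import base64
import json
import os
import time
from typing import Optional

TOKEN_ENV = "NIFI_AUTH_TOKEN"   # hypothetical env var for the user's JWT
CA_ENV = "NIFI_CA_BUNDLE"       # hypothetical env var for a custom CA file


def resolve_token(cli_token: Optional[str], env: dict, config: dict) -> Optional[str]:
    """Precedence: CLI flag, then environment, then config.yaml (least secure)."""
    if cli_token:
        return cli_token
    if env.get(TOKEN_ENV):
        return env[TOKEN_ENV]
    return config.get("nifi", {}).get("token")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_expiry(token: str) -> Optional[int]:
    """Return the 'exp' claim of a JWT, or None if absent or not parseable.

    The signature is NOT verified here; this only lets the CLI report an
    expired token clearly instead of surfacing a 401 from the server.
    """
    parts = token.split(".")
    if len(parts) != 3:
        return None
    try:
        payload = json.loads(_b64url_decode(parts[1]))
    except ValueError:  # covers binascii.Error, JSONDecodeError, UnicodeDecodeError
        return None
    exp = payload.get("exp") if isinstance(payload, dict) else None
    return int(exp) if isinstance(exp, (int, float)) else None


def token_is_usable(token: str, now: Optional[float] = None) -> bool:
    """False only when the token carries an 'exp' that is already in the past.
    Opaque (non-JWT) tokens are passed through; NiFi decides on those."""
    now = time.time() if now is None else now
    exp = jwt_expiry(token)
    return exp is None or exp > now


def redact(token: str) -> str:
    """Log-safe form of a bearer token: prefix and length only."""
    return "<empty>" if not token else f"{token[:6]}...({len(token)} chars)"


def build_settings(cli_token, ca_file, env: dict, config: dict) -> dict:
    token = resolve_token(cli_token, env, config)
    if not token:
        raise SystemExit(
            f"no NiFi token: pass --token, set {TOKEN_ENV}, or nifi.token in config.yaml")
    if not token_is_usable(token):
        raise SystemExit(f"NiFi token {redact(token)} has expired; obtain a fresh one")
    ca = ca_file or env.get(CA_ENV) or config.get("nifi", {}).get("ca_file")
    return {"token": token, "ca_file": ca}


def apply_to_nipyapi(settings: dict, host: str):
    """Configure NiPyApi; imported lazily so the helpers above run without it."""
    import nipyapi  # assumed available in the CLI's environment
    nipyapi.config.nifi_config.host = host  # e.g. https://nifi.example.org/nifi-api
    if settings["ca_file"]:
        # Assumed NiPyApi helper for trusting a bespoke CA on the NiFi endpoint.
        nipyapi.security.set_service_ssl_context(service="nifi", ca_file=settings["ca_file"])
    # Call named in the issue: later NiPyApi calls then carry the token.
    nipyapi.security.set_service_auth_token(token=settings["token"], service="nifi")
    return nipyapi


def demo_token(exp: int) -> str:
    """CONSTRUCTED, unsigned JWT-shaped string for local testing only."""
    def seg(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{seg({'alg': 'none'})}.{seg({'exp': exp})}.sig"


if __name__ == "__main__":
    ap = argparse.ArgumentParser()
    ap.add_argument("--host", required=True)
    ap.add_argument("--token")
    ap.add_argument("--ca-file")
    args = ap.parse_args()
    apply_to_nipyapi(build_settings(args.token, args.ca_file, os.environ, {}), args.host)
```

Usage: `python nifi_token.py --host https://nifi.example.org/nifi-api --ca-file /path/ca.pem` with `NIFI_AUTH_TOKEN` set in the environment keeps the token out of shell history and config files, which matches the issue's preference for a parameter or environment variable over config.yaml.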

ottobackwards commented 4 years ago

@ChrisSamo632 I have a PR up, If I land it, can you try this out before I do a release?

ChrisSamo632 commented 4 years ago

> @ChrisSamo632 I have a PR up, If I land it, can you try this out before I do a release?

Should be able to, I think (just need to figure out how to build and run from non-released source, but I assume that's not too difficult).

ottobackwards commented 4 years ago

Let me mark it as experimental and do the release.

ottobackwards commented 4 years ago

0.2.0 has been published, @ChrisSamo632. Please let me know if it works; I'll do 0.2.1 to take out the experimental doc.