diff --git a/README.MD b/README.MD
new file mode 100644
index 0000000..d1c152a
--- /dev/null
+++ b/README.MD
@@ -0,0 +1,116 @@
+# Setting up AAD Auth with NiFi
+
+## Pre-recks
+
+- Admin access to Azure Active Directory Tenant.
+ - Abilities require to proform:
+ - Create Registart Applications.
+ - Create User Security Groups.
+ - Grant AAD Group Read roles to Service principle.
+
+## Steps for a simple example AAD setup using Group Access policy
+
+### Create Registered Application in Azure Active Directory portal
+
+1. Create Registered Application in Azure Active Directory portal located at [portal.azure.com](http://portal.azure.com/), and navigate to **Azure Active Directory**, and select **App registrations**.
+
+2. Once there select **`+` New Registration** and enter the name of your Nifi-AAD Application and also the Redirect URL to Be used by AAD to return to NiFi with the Users Authentication token. This will be your NiFi's domain followed by `/nifi-api/access/oidc/callback`, so for example a test Nifi on localhost with TLS enabled will be `https://localhost:9443/nifi-api/access/oidc/callback`
+ data:image/s3,"s3://crabby-images/ce170/ce170442510740846b1541b822c4b4fee878dbdf" alt="alt"
+
+3. Once the Registered Application is created, note the **Application (client) ID** value referenced in the **Overview** property for the Application. This will be the `APP_REG_CLIENT_ID` in the `conf/authorizers.xml` and the `nifi.security.user.oidc.client.id` in `conf/nifi.properties`
+4. Now to create a Client sectet, navigate within its properties to **Certificates & secrets** and create a new **Client secrets** this will be used for the `APP_REG_CLIENT_SECRET` in the `conf/authorizers.xml` and the `nifi.security.user.oidc.client.secret` in `conf/nifi.properties`.
+5. Now Grant this App the following roles `Group.Read.All` and `User.Read.All` in the **API permissions** property. Remembering to apply the ✅ **Grant Consent for YOUR_TENANT**
+ data:image/s3,"s3://crabby-images/330c4/330c4c0ca025312e92dae93e4591e2f403372430" alt="alt"
+6. Now an Extra token is required for OpenID to authenticate successfully from the User Principal Name (UPN) which can be done by navigate within its properties to **Token configuration** and create a new token by selecting **Add optional claim**. For **Token type** choose **ID** and then tick the box to **Clam** only **UPN**, create then click edit on the newly created claim and enable **Externally authenticated** data:image/s3,"s3://crabby-images/6790c/6790cd42cb48bf9d3d78b36bdd404be57a8ac348" alt="alt" data:image/s3,"s3://crabby-images/e2b22/e2b22e3147aeba1e1ce571259665544e5b71217b" alt="alt" data:image/s3,"s3://crabby-images/dae1e/dae1ea0f0415951d125cb511e10603c141c6dbf5" alt="alt"
+
+
+### Create AAD Groups in Azure Active Directory portal
+
+1. Now Create the NiFi Groups access and polices NiFi will enforce.
+2. in the [portal.azure.com](http://portal.azure.com/), navigate to **Azure Active Directory**, and select **Groups**.
+3. To create a group select **`+` New group** and create your group and add users to it as members or owners.
+ > __NOTE__ the Prex you give you groups is important for the NiFi AAD Group sync module to function correctly.
+ >
i.e. label your user and admin group `Nifi-AAD-{admin OR user}`
Allowing the configuration of`"GROUP_FILTER_PREFIX"=Nifi-AAD` in `conf/authorizers.xml` to process both user lists and attach different policies on each independent group within NiFi.
+ data:image/s3,"s3://crabby-images/197fc/197fc2e8885315c5b363dc1d423ca910b079a70b" alt="alt"
+
+### Configuring NiFi for AAD Auth
+
+1. Set up NiFi to run over TLS as required for User-based Authentication to be enabled. For more information see the Nifi-toolkit [walkthrough](https://nifi.apache.org/docs/nifi-docs/html/walkthroughs.html) about enabling TLS for a local instance.
+
+2. Set up you OpenId properties to point to the created prevously. These are located in `conf/nifi.properties`.
+
+```properties
+# OpenId Connect SSO Properties #
+nifi.security.user.oidc.discovery.url=https://login.microsoftonline.com//v2.0/.well-known/openid-configuration
+nifi.security.user.oidc.connect.timeout=5 secs
+nifi.security.user.oidc.read.timeout=5 secs
+nifi.security.user.oidc.client.id=
+nifi.security.user.oidc.client.secret=
+nifi.security.user.oidc.preferred.jwsalgorithm=
+nifi.security.user.oidc.additional.scopes=profile
+nifi.security.user.oidc.claim.identifying.user=upn
+```
+
+3. Next, configure `conf/authorizers.xml` to enable a `file-user-group-provider` provider for initial SystemAdminastration and the `aad-user-group-provider` for Group Sync.
+
+Example `authorizers.xml`:
+```xml
+
+
+ file-user-group-provider
+ org.apache.nifi.authorization.FileUserGroupProvider
+ ./conf/users.xml
+
+ SYS_ADMIN_AAD_UPN
+
+
+
+ aad-user-group-provider
+ org.apache.nifi.authorization.azure.AzureGraphUserGroupProvider
+ 1 mins
+ https://login.microsoftonline.com
+ YOUR_TENANT_ID
+ YOUR_APPLICATION_CLIENT_ID
+ YOUR_APPLICATION_CLIENT_SECRET
+ Nifi-AAD
+ 100
+
+
+
+ composite-configurable-user-group-provider
+ org.apache.nifi.authorization.CompositeConfigurableUserGroupProvider
+ file-user-group-provider
+ aad-user-group-provider
+
+
+
+ file-access-policy-provider
+ org.apache.nifi.authorization.FileAccessPolicyProvider
+ composite-configurable-user-group-provider
+ ./conf/authorizations.xml
+ SYS_ADMIN_AAD_UPN
+
+
+
+
+
+ managed-authorizer
+ org.apache.nifi.authorization.StandardManagedAuthorizer
+ file-access-policy-provider
+
+
+```
+
+> __NOTE__ To obtain the `SYS_ADMIN_AAD_UPN` value can be done by going to [portal.azure.com](http://portal.azure.com/), navigate to **Azure Active Directory**, and select **User**, Search for the user wished to be used for the Initial System Administration and fetching their `User Principal Name` value from the properties. data:image/s3,"s3://crabby-images/a7ec1/a7ec15f645def5b9b1419de73c83f3b4b050563a" alt="alt"
+
+### Configuring NiFi Group Access Policy
+
+1. Now run you NiFi instance with the Configuration, logging onto the NiFi web appl now should re-direct you to a Microsoft Branded Login portal.
+2. Login with the User that the `SYS_ADMIN_AAD_UPN` was specified for.
+ > __NOTE__ You may need to accept logging into a Non-Microsoft Application for the First time.
As AAD Admin; selecting `Consent on behalf of your organization` should avoid this from happening again. data:image/s3,"s3://crabby-images/0c617/0c617d0a8b114d1a818b6854c5ac6c8ff0f79f26" alt="alt"
+
+3. You should now have been successfully authenticated and redirected into the NiFi Canvas.
+4. To verify the AAD Group Sync Provider is working and picking the created Groups, select the **hamburger menu** (top-right) and select **Users**, their should be User Principal Name (UPN) references for all the users within the AAD Groups and also the Groups listed also. data:image/s3,"s3://crabby-images/df1ba/df1ba5c2b008214521b6dca1d3804e434426dc82" alt="alt"
+5. To Enforce Groups to certain abilities and pollicies, select again the **hamburger menu** (top-right) and select **Policies**.
+6. Now select each policy you wish to enforce, then select the add button the right of the table, and type in the group you wish to have entitlement to that policy. data:image/s3,"s3://crabby-images/7cdd3/7cdd324397162bcfabd7c07e6c0288dbafd0a97f" alt="alt"
+7. Now Users in that AAD group will have access to that policy when they login.
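Review bot: The `nifi.security.user.oidc.discovery.url` value in the `conf/nifi.properties` block has an empty tenant segment (`https://login.microsoftonline.com//v2.0/.well-known/openid-configuration`), so a reader who copies it gets a URL that names no tenant. Put a placeholder there, ideally the same `YOUR_TENANT_ID` used in the `authorizers.xml` example. Related points in the same hunk:

- `nifi.security.user.oidc.client.id=` and `nifi.security.user.oidc.client.secret=` are left blank. Steps 3 and 4 call the values `APP_REG_CLIENT_ID` and `APP_REG_CLIENT_SECRET`, while the `authorizers.xml` example uses `YOUR_APPLICATION_CLIENT_ID` and `YOUR_APPLICATION_CLIENT_SECRET`, and the group note uses `GROUP_FILTER_PREFIX`. Pick one set of placeholder names and use it in the prose and in both config examples.
- The `authorizers.xml` example shows only bare values (`file-user-group-provider`, `1 mins`, `100`, ...) with no element or property names, so it is not usable as XML, and the reader cannot tell which property `Nifi-AAD` or `SYS_ADMIN_AAD_UPN` belongs to. Include the full markup.
- The README tells the reader to write the client secret into both `conf/nifi.properties` and `conf/authorizers.xml` but says nothing about protecting those files. Add a sentence on restricting read access to them and keeping them out of version control.
- Step 5 grants `Group.Read.All` and `User.Read.All` with tenant-wide consent. State whether these are application or delegated permissions, and that they let the app read every user and group in the tenant, so the secret from step 4 needs handling accordingly.
- The group prefix note means any AAD group whose name starts with `Nifi-AAD` is synced into NiFi. Say so explicitly, so readers control who may create groups with that prefix.
- The portal links use `http://portal.azure.com/`; use `https://`.
- Several lines in the notes under "Create AAD Groups" step 3 and "Configuring NiFi Group Access Policy" step 2 are not inside the blockquote, and the heading and prose have typos ("Pre-recks", "proform", "Registart", "sectet", "Clam", "Prex", "prevously", "SystemAdminastration", "pollicies", "their should be"). A spell-check pass before merge would help.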
diff --git a/images/aad_app_upn.png b/images/aad_app_upn.png
new file mode 100644
index 0000000..de0d5b8
Binary files /dev/null and b/images/aad_app_upn.png differ
diff --git a/images/aad_app_upn_claim.png b/images/aad_app_upn_claim.png
new file mode 100644
index 0000000..ca2f9e8
Binary files /dev/null and b/images/aad_app_upn_claim.png differ
diff --git a/images/aad_app_upn_external.png b/images/aad_app_upn_external.png
new file mode 100644
index 0000000..c2bc9e8
Binary files /dev/null and b/images/aad_app_upn_external.png differ
diff --git a/images/aad_geting_user_upn.png b/images/aad_geting_user_upn.png
new file mode 100644
index 0000000..1d3e642
Binary files /dev/null and b/images/aad_geting_user_upn.png differ
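Review bot: The file name `images/aad_geting_user_upn.png` misspells "getting". Rename it to `aad_getting_user_upn.png` now, together with the README link that references it, since image paths tend to be copied into other documents once merged.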
diff --git a/images/aad_grant_group_read_roles.png b/images/aad_grant_group_read_roles.png
new file mode 100644
index 0000000..f5f6896
Binary files /dev/null and b/images/aad_grant_group_read_roles.png differ
diff --git a/images/aad_login_permission.png b/images/aad_login_permission.png
new file mode 100644
index 0000000..2399484
Binary files /dev/null and b/images/aad_login_permission.png differ
diff --git a/images/aad_new_app_reg.png b/images/aad_new_app_reg.png
new file mode 100644
index 0000000..6839700
Binary files /dev/null and b/images/aad_new_app_reg.png differ
diff --git a/images/aad_nifi_access_policies.png b/images/aad_nifi_access_policies.png
new file mode 100644
index 0000000..2036b33
Binary files /dev/null and b/images/aad_nifi_access_policies.png differ
diff --git a/images/aad_nifi_user_groups.png b/images/aad_nifi_user_groups.png
new file mode 100644
index 0000000..2c47ccd
Binary files /dev/null and b/images/aad_nifi_user_groups.png differ
diff --git a/images/aad_nifi_users_list.png b/images/aad_nifi_users_list.png
new file mode 100644
index 0000000..dd3f416
Binary files /dev/null and b/images/aad_nifi_users_list.png differ