Security
Authentication
Every user has to authenticate themselves before using NiFi.
There are multiple options to set up the authentication of users.
All authentication related parameters are configured under spec.clusterConfig.authentication.
Single user
Currently, the only supported authentication method is "SingleUser", which allows the definition of one admin user who can then access the cluster.
This user's credentials are specified by referring to a Secret in Kubernetes. This Secret needs to contain at least the two keys username and password.
Extra keys may be present, but will be ignored by the operator.
apiVersion: v1
kind: Secret
metadata:
  name: nifi-admin-credentials-simple
stringData:
  username: admin
  password: admin

spec:
  clusterConfig:
    authentication:
      method:
        singleUser:
          adminCredentialsSecret: nifi-admin-credentials-simple (1)
          autoGenerate: true

(1) Administrator credentials for logging into the NiFi web interface. This is the name of a Secret resource with two fields: username and password. This Secret must exist but its entries can be populated by the operator when autoGenerate is true.

Additional users cannot be added.
Anonymous Access
NiFi can be configured to allow anonymous access to the web UI. This is turned off by default, but can be enabled via the parameter allowAnonymousAccess.
This setting is independent of the configured authentication method and will override anything specified for the authentication provider.
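The following check is an added example, not code from the operator or its documentation. It audits parsed manifests (for instance, the output of `kubectl get -o json`) against the rules stated above: the referenced Secret must exist, it needs username and password unless autoGenerate is true, and anonymous access overrides the authentication provider. The placement of allowAnonymousAccess directly under spec.clusterConfig.authentication, the single-namespace handling, the function name and the sample manifests are assumptions made for this illustration.

```python
# Added example (not Stackable code): audit parsed manifests for the
# authentication settings this page describes.

def audit_nifi_auth(manifests):
    """Return findings for every NifiCluster in a list of manifest dicts."""
    # Assumption: all manifests live in the same namespace.
    secrets = {m["metadata"]["name"]: m for m in manifests if m.get("kind") == "Secret"}
    findings = []
    for m in manifests:
        if m.get("kind") != "NifiCluster":
            continue
        name = m["metadata"]["name"]
        auth = m.get("spec", {}).get("clusterConfig", {}).get("authentication", {})
        # Assumption: allowAnonymousAccess sits directly under authentication.
        if auth.get("allowAnonymousAccess") is True:
            findings.append(f"{name}: anonymous access overrides the authentication provider")
        single = auth.get("method", {}).get("singleUser")
        if single is None:
            continue  # e.g. authenticationClass (LDAP): nothing more to check here
        ref = single.get("adminCredentialsSecret")
        secret = secrets.get(ref)
        if secret is None:
            findings.append(f"{name}: Secret {ref!r} must exist but was not found")
            continue
        keys = set(secret.get("stringData") or {}) | set(secret.get("data") or {})
        missing = sorted({"username", "password"} - keys)
        # The operator may populate the entries only when autoGenerate is true.
        if missing and single.get("autoGenerate") is not True:
            findings.append(f"{name}: Secret {ref!r} lacks {missing} and autoGenerate is off")
    return findings

def _cluster(name, auth):  # helper building a constructed NifiCluster manifest
    return {"kind": "NifiCluster", "metadata": {"name": name},
            "spec": {"clusterConfig": {"authentication": auth}}}

# Constructed sample input, not taken from a real cluster.
SAMPLE = [
    {"kind": "Secret", "metadata": {"name": "nifi-admin-credentials-simple"},
     "stringData": {"username": "admin"}},
    _cluster("ok-autogen", {"method": {"singleUser": {
        "adminCredentialsSecret": "nifi-admin-credentials-simple", "autoGenerate": True}}}),
    _cluster("no-password", {"method": {"singleUser": {
        "adminCredentialsSecret": "nifi-admin-credentials-simple"}}}),
    _cluster("anon-ldap", {"allowAnonymousAccess": True,
                           "method": {"authenticationClass": "ldap"}}),
    _cluster("dangling", {"method": {"singleUser": {"adminCredentialsSecret": "absent"}}}),
]

if __name__ == "__main__":
    for finding in audit_nifi_auth(SAMPLE):
        print(finding)
```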
LDAP
NiFi supports authentication of users against an LDAP server. This requires setting up an AuthenticationClass for the LDAP server. The AuthenticationClass is then referenced in the NifiCluster resource as follows:
apiVersion: nifi.stackable.tech/v1alpha1
kind: NifiCluster
metadata:
  name: test-nifi
spec:
  clusterConfig:
    authentication:
      method:
        authenticationClass: ldap (1)

(1) The reference to an AuthenticationClass called ldap

You can follow the Authentication with OpenLDAP tutorial to learn how to set up an AuthenticationClass for an LDAP server, and consult the AuthenticationClass reference.
Authorization
NiFi supports multiple authorization methods documented here. The available authorization methods depend on the chosen authentication method.
Authorization is not fully implemented by the Stackable Operator for Apache NiFi.
LDAP
The operator uses the FileUserGroupProvider and FileAccessPolicyProvider to bind the LDAP user to the NiFi administrator group. This user is then able to create and modify groups and policies in the web interface. These changes are local to the Pod running NiFi and are not persistent.