HCC Hortonworks Community Connection
FAQs about security implementation of NiFi Web UI

Shashank Chandhok created · Dec 05, 2017 at 10:42 AM
SupportKB

How does NiFi use cookies? Does NiFi use HttpSession(s)? How are they secured and encrypted?

  • NiFi is a stateless web application, so it has no concept of server-side sessions. Consequently there are no session IDs and no cookies.
  • Instead, NiFi issues an encrypted token that is stored in the client's local storage and is presented with each incoming request to authenticate it.
When a user logs into NiFi, when will their session be invalidated due to inactivity?

  • JWT (encrypted per user with a unique key):
    • Serves as the authentication token after the initial authentication process (LDAP, Kerberos).
    • Expires based on the configuration in the LIP (login identity provider) for LDAP / Kerberos form login (proxy ticket acquisition).
    • Expires based on nifi.kerberos.spnego.authentication.expiration for Kerberos SPNEGO.
  • An OTP (one-time password) for content download / custom UI views is issued only to an already authenticated user and is an HMAC/SHA-256 based hash of a random value.
  • Because OTPs are transmitted in plaintext in the request URI, they cannot be reused.
  • A "logged in" user is invalidated due to inactivity when the JWT expires.
  • Password strength and rotation policies should be enforced by user management tools (LDAP/AD, etc.). NiFi does not handle user credential management, and integrates with external tools to provide these services.
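The two mechanisms described in the first two FAQs, a stateless bearer token whose expiry ends the "login" and a single-use download token that is an HMAC-SHA256 of a random value, as an added illustration. This is not NiFi's code; the keys, token layout and TTL are constructed for the example.

```python
import base64, hashlib, hmac, json, secrets, time

# Constructed demo keys (NiFi derives its own per-user key; this is not NiFi code).
SERVER_KEY = secrets.token_bytes(32)
OTP_KEY = secrets.token_bytes(32)

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _tag(key: bytes, msg: str) -> str:
    return _b64(hmac.new(key, msg.encode(), hashlib.sha256).digest())

def issue_bearer_token(identity: str, lifetime: int, now: float = None) -> str:
    """Stateless token sent in the Authorization header: claims + HMAC-SHA256 tag.
    The server keeps no session table; 'logged in' simply ends when exp passes."""
    now = time.time() if now is None else now
    claims = _b64(json.dumps({"sub": identity, "exp": int(now + lifetime)}).encode())
    return f"{claims}.{_tag(SERVER_KEY, claims)}"

def verify_bearer_token(token: str, now: float = None):
    """Return the identity if the tag matches and the token is unexpired, else None."""
    now = time.time() if now is None else now
    claims, _, tag = token.partition(".")
    if not tag or not hmac.compare_digest(_tag(SERVER_KEY, claims), tag):
        return None
    body = json.loads(base64.urlsafe_b64decode(claims + "=" * (-len(claims) % 4)))
    return body["sub"] if now <= body["exp"] else None

class OneTimeTokens:
    """Download / custom-UI tokens: HMAC-SHA256 of a random value, redeemable once.
    They travel in the request URI (logs, history, Referer), so reuse is refused."""
    def __init__(self, ttl: int = 60):
        self.ttl = ttl
        self._pending = {}  # token -> (identity, expiry)

    def issue(self, identity: str, now: float = None) -> str:
        now = time.time() if now is None else now
        token = hmac.new(OTP_KEY, secrets.token_bytes(16), hashlib.sha256).hexdigest()
        self._pending[token] = (identity, now + self.ttl)
        return token

    def redeem(self, token: str, now: float = None):
        """Consume the token; a second call with the same token returns None."""
        now = time.time() if now is None else now
        identity, expiry = self._pending.pop(token, (None, 0))
        return identity if identity and now <= expiry else None
```

The bearer token is what a "login" amounts to here: nothing is invalidated server-side on inactivity, the signed expiry simply passes. The one-time token is removed from the pending map on first redemption, which is what makes a leaked URI harmless after use.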
What precautions, if any, exist in the NiFi UI code to prevent cross-site scripting attacks?

  • All presentation layer code has escape logic for preventing XSS:
    • Server-side escaping for JSP presentation.
    • Client-side escaping for filtering user-provided data.


About:
This article created by Hortonworks Support (Article: 000006049) on 2017-07-24 15:31
OS: Linux
Type: Cluster_Administration
Version: n/a

Support ID: 000006049
© 2011-2017 Hortonworks Inc. All Rights Reserved.