Skip to content
/ nifi-opa-plugin Public

A plugin for Apache NiFi to authorize access via an external policy engine such as OPA.

License

MIT license
2 stars 1 fork Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

DavidGitter/nifi-opa-plugin

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

48 Commits
.github/workflows
.github/workflows
 
 
authorizer
authorizer
 
 
docs/readme
docs/readme
 
 
rego
rego
 
 
test-env
test-env
 
 
.gitignore
.gitignore
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 

Repository files navigation

OPA-Authorizer for Apache NiFi


Important

This plugin is currently under development. The use in a productive environment should be treated with caution.

Table of Contents

Introduction

License: MIT This repository contains a plugin for Apache NiFi in order to add support for the authorization of access in NiFi using the Open Policy Agent. It also includes suitable Rego Rules with abstraction layers aswell as a test environment to test the authorizer.

Features

  • supports authorization for global access policies
  • supports authorization for componenten access policies
  • includes a cache which can be used optionally

Requirements

Plugin

For building the plugin in /authorizer.

Docker

For using the test environment in /test-env.

Quick Start

Building the plugin

To build the plugin go into the /authorizer folder and execute: mvn install This builds the .nar-plugin in the /target folder.

Using the plugin

In order to use the plugin in Apache NiFi the following steps must be performed:

  1. Go to the /opt/nifi/nifi-current/conf/authorizers.xml in your Apache NiFi Instance / Container
  2. Place the the following opa-authorizer-snippet in the file (for example beneath the managed-authorizer):
<!-- example snippet -->
<authorizer>
    <identifier>opa-authorizer</identifier>
    <class>org.nifiopa.nifiopa.OpaAuthorizer</class>
    <property name="CACHE_TIME_SECS">30</property>
    <property name="CACHE_MAX_ENTRY_COUNT">100</property>
    <property name="OPA_URI">http://opa:8181/</property> <!--required-->
    <property name="OPA_RULE_HEAD">nifi/allow</property> <!--required-->
</authorizer>

Alternatively, the properties fields can also be set as environment variables. 3. Set the env-variable NIFI_SECURITY_USER_AUTHORIZER of Apache NiFi or the nifi.security.user.authorizer in Apache NiFis nifi.properties-file to opa-authorizer. 4. Place the nar-plugin you build aboth in the /opt/nifi/nifi-current/extensions/ folder of your Apache NiFi Instance / Container 5. Restart Apache NiFi 6. Load the Rego files of the /rego folder to the OPA and change them according to your needs. Read Chapter Rego Rules for more.

Properties

The following properties can be configurated in the authorizers.xml or using the environment variables:

Property Key Example Default Description
OPA_URI http://opa:8181/ Endpoint of the OPA policy to query. required
OPA_RULE_HEAD nifi/allow Rule head against which the query is made (package/rule). required
CACHE_TIME_SECS 30 30 Maximum time in seconds an entry in the decision cache exists.
CACHE_MAX_ENTRY_COUNT 100 0 Maximum entries of the decision cache.

Testing

Setup

In order to use the docker test environment you need open the /test-env folder and execute the start script.

$ ./start.sh

After Apache NiFi is completly up, open the Apache NiFi UI: https://localhost:8443/nifi/.

You might login using one of those credentials:

  • Usernmane: User1, Password: password01
  • Usernmane: User2, Password: password02
  • Usernmane: User3, Password: password03

Note

To load a rebuild plugin you need to restart Apache NiFi.

Rego Rules

Input

The following structure shows an example of the JSON-input the opa receives.

{
  "action": { 
    "name": "write" 
  },
  "properties": { 
    "isAccessAttempt": "false", 
    "isAnonymous": "false" 
  },
  "requestedResource": {
    "id": "/process-groups/5c3bea0a-0195-1000-720c-29d246009c2f",
    "name": "NiFi Flow",
    "safeDescription": "Process Group with ID 5c3bea0a-0195-1000-720c-29d246009c2f"
  },
  "resource": {
    "id": "/process-groups/5c3bea0a-0195-1000-720c-29d246009c2f",
    "name": "NiFi Flow",
    "safeDescription": "Process Group with ID 5c3bea0a-0195-1000-720c-29d246009c2f"
  },
  "user": { 
    "groups": "", 
    "name": "User1" 
  },
  "resourceContext": { "": "" },
  "userContext": { "": "" }
}

Note that this is only one of many authorization requests that are sent by Apache NiFi when accessing the Web-UI.

All requests that are sent can be seen in the OPA-Container Decision Logs when using the test environment.

Abstraction Rules

In the /rego folder different rego-rules can be found which already contain abstraction layers. Apache NiFi has two different types of access rules which can be also found in the Administrator Guide:

  • Global Access Policies (example: "is User1 allowed to read the UI)
  • Component Access Policies (e.g. "is User1 allowed to write on Processor xyz)

The global permissions can be set in the /nifi_global_policies.rego.

The component permissions can be set in the

  • /nifi_root_policies.rego for the first two component levels using the name of a component
  • /nifi_node_policies.rego for all components from level 3 and higher using the UUID of a component

The following image is intended to illustrate the previously explained component authorizations alt

About

A plugin for Apache NiFi to authorize access via an external policy engine such as OPA.

Resources

Readme

License

MIT license
Activity

Stars

2 stars

Watchers

1 watching

Forks

1 fork
Report repository

Releases 1

Release v0.0.1 Latest
Mar 7, 2025

Packages

No packages published

Contributors 2

  •  
  •  

Languages