Security — NiFi
The tdp-nifi chart supports three security operating modes, controlled by the nifiCluster.security and nifiCluster.authorizersSecret blocks. The mode determines whether NiFi operates over HTTP or HTTPS, whether LDAP login is required, and who manages access policies.
Security modes
| Mode | When to use | Authentication | Authorization |
|---|---|---|---|
| Mode 1 | Local labs and temporary functional tests | No login | No per-user control |
| Mode 2 | Environments with LDAP users and local NiFi policies | LDAP | NiFi local file (file) |
| Mode 3 | Environments with LDAP and centralized policies in Ranger | LDAP | Apache Ranger (ranger) |
Mode 1: No authentication and no policy control
Use this mode for local labs or temporary functional tests.
- NiFi runs in HTTP
- LDAP is disabled
- there is no login screen
- access is not segmented by user/profile
nifiCluster:
security:
enabled: false
protocol: "http"
port: 8080
ldap:
enabled: false
authorization:
mode: "file"
If Ingress is enabled, use HTTP as the backend protocol:
ingress:
annotations:
nginx.ingress.kubernetes.io/backend-protocol: "HTTP"
rules:
- host: nifi.local
paths:
- path: /
pathType: Prefix
backend:
service:
name: tdp-nifi-service
port:
number: 8080
Mode 2: LDAP with policies managed by NiFi
Use this mode when users authenticate via LDAP and access policies are managed by NiFi itself (local authorizer).
- NiFi runs in HTTPS
- login via LDAP
- policies controlled by NiFi using the local file authorizer (
file)
nifiCluster:
security:
enabled: true
protocol: "https"
port: 8443
ldap:
enabled: true
url: "ldap://<LDAP_HOST>:389"
searchBase: "<LDAP_USER_BASE_DN>"
searchFilter: "(&(uid={0})(objectClass=inetOrgPerson))"
managerDn: "<LDAP_BIND_DN>"
managerPassword: "<LDAP_BIND_PASSWORD>"
referralStrategy: "FOLLOW"
identityStrategy: "USE_USERNAME"
authorization:
mode: "file"
For first access, define the initial identities via nifiCluster.authorizersSecret:
nifiCluster:
authorizersSecret:
enabled: true
initialUserIdentities:
- fry
- leela
initialAdminIdentity: fry
initialAdminIdentityis the first NiFi admin.- The identity must match what LDAP returns after the configured mapping strategy.
- With
identityStrategy: USE_USERNAME, use identities likefry,leela,admin.
If Ingress is enabled, use HTTPS as the backend protocol:
ingress:
annotations:
nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
rules:
- host: nifi.local
paths:
- path: /
pathType: Prefix
backend:
service:
name: tdp-nifi-service
port:
number: 8443
Declarative user management (optional)
After bootstrap, users and groups can be managed declaratively via NiFiKop:
nifiCluster:
authorization:
enabled: true
managedAdminUsers:
- name: fry-admin
identity: fry
managedReaderUsers:
- name: hermes-reader
identity: hermes
Use when you want repeatability through Helm. Alternatively, bootstrap with authorizersSecret and manage policies later in the NiFi UI.
Mode 3: LDAP with policies managed by Ranger
Use this mode when users authenticate via LDAP and access policies are controlled by Apache Ranger.
Requirements:
- NiFi image with the Ranger plugin already embedded
tdp-rangeroverlay for the NiFi authorizer flow- Secret
ranger-nifi-client-tls-password
nifiCluster:
clusterImage: "registry.tecnisys.com.br/tdp/images/nifi:1.28.0-0"
security:
enabled: true
protocol: "https"
port: 8443
additionalProxyHosts:
- "nifi-headless.<NAMESPACE>.svc.cluster.local"
- "nifi-headless.<NAMESPACE>.svc.cluster.local:8443"
ldap:
enabled: true
url: "ldap://<LDAP_HOST>:389"
searchBase: "<LDAP_USER_BASE_DN>"
searchFilter: "(&(uid={0})(objectClass=inetOrgPerson))"
managerDn: "<LDAP_BIND_DN>"
managerPassword: "<LDAP_BIND_PASSWORD>"
referralStrategy: "FOLLOW"
identityStrategy: "USE_USERNAME"
authorization:
mode: "ranger"
Create the Secret with the Ranger JKS password before deploying:
kubectl -n <NAMESPACE> create secret generic ranger-nifi-client-tls-password \
--from-literal=password='<KEYSTORE_PASSWORD>' \
--dry-run=client -o yaml | kubectl apply -f -
Apply the corresponding overlays:
helm upgrade --install tdp-ranger oci://registry.tecnisys.com.br/tdp/charts/tdp-ranger \
-n <NAMESPACE> \
-f <VALUES_FILE>
helm upgrade --install tdp-nifi oci://registry.tecnisys.com.br/tdp/charts/tdp-nifi \
-n <NAMESPACE> \
-f <VALUES_FILE>
- Use the custom NiFi image with the Ranger plugin already included.
nifiCluster.security.authorization.ranger.adminIdentitymust match the Ranger client certificate identity (default in the TDP repo:CN=ranger-nifi-client).- The Ranger service must point to
https://<NIFI_SERVICE>/nifi-api/resources. - For clustered NiFi, Ranger needs technical policies for
/resources,/controller,/system, and/proxy.
Summary: keys per mode
| Setting | Mode 1 | Mode 2 | Mode 3 |
|---|---|---|---|
nifiCluster.security.enabled | false | true | true |
nifiCluster.security.protocol | http | https | https |
nifiCluster.security.ldap.enabled | false | true | true |
nifiCluster.security.authorization.mode | file | file | ranger |
nifiCluster.authorizersSecret | not relevant | required for bootstrap | not the source of policies |
nifiCluster.authorization | optional | optional | not the main policy source |
| Ranger authorization config required | no | no | yes |
| custom NiFi image with Ranger plugin | no | no | yes |
Practical rules
- For no login: disable
security.enabledandldap.enabled. - For login via LDAP with local NiFi policies: keep
authorization.mode: file. - For login via LDAP with policies in Ranger: use
authorization.mode: ranger.
Detailed LDAP configuration
The nifiCluster.security.ldap block controls all LDAP search and authentication parameters:
| Field | Description |
|---|---|
url | LDAP server address |
searchBase | Base DN where users are located |
searchFilter | Search filter — {0} is replaced by the provided username |
authenticationStrategy | Bind type: SIMPLE for direct authentication |
managerDn | Bind user DN (read-only in the directory) |
managerPassword | Bind user password — do not version in public repositories |
referralStrategy | How to follow LDAP referrals: FOLLOW or IGNORE |
identityStrategy | USE_USERNAME uses the login as the NiFi identity |
Do not store managerPassword in a Git repository. Use a private values file (outside version control) or a secrets management mechanism to inject this credential at deploy time.
For LDAPS (TLS), replace ldap:// with ldaps:// and use port 636.
TLS certificates (cert-manager)
NiFi operates in HTTPS with certificates automatically generated by cert-manager. The SSL configuration is under nifiCluster.security.ssl:
nifiCluster:
security:
ssl:
enabled: true
secrets:
create: true
tlsSecretName: "nifi-cluster-ca"
pkiBackend: cert-manager
issuerRef:
name: selfsigned-issuer
kind: Issuer
| Field | Description |
|---|---|
ssl.enabled | Enables TLS (automatically derived from protocol: https) |
ssl.secrets.create | Automatically creates the TLS Secret |
ssl.secrets.pkiBackend | cert-manager delegates issuance to cert-manager |
ssl.secrets.issuerRef.name | Name of the Issuer or ClusterIssuer in the cluster |
Prerequisite: cert-manager via tdp-crds
In TDP, the tdp-crds chart installs the required CRDs, including cert-manager CRDs. Install tdp-crds before tdp-nifi:
helm upgrade --install tdp-crds \
oci://registry.tecnisys.com.br/tdp/charts/tdp-crds \
--namespace tdp --create-namespace
When nifikop.webhook.enabled=true, the cert-manager controllers (cert-manager, cainjector, and webhook) must also be running in the cluster.
Best practices
| Aspect | Recommendation |
|---|---|
| Development environment | Mode 1 (no authentication), access via port-forward |
| Shared environment / production | Mode 2 with LDAPS (port 636) and HTTPS enabled |
| Credentials | Never version managerPassword in public values |
| Certificates | Use cert-manager via tdp-crds in production |
| Centralized policies | Mode 3 with Ranger when audit and centralized access control are required |
Troubleshooting
| Problem | Likely cause | Solution |
|---|---|---|
| NiFi Pod does not start with HTTPS | cert-manager absent or Issuer not found | Check cert-manager installation and Issuer name |
| LDAP login fails | Incorrect bind DN or password | Test bind with ldapsearch before configuring |
| Invalid certificate in browser | Using selfsigned-issuer | Expected in development; use a valid CA in production |
| Ranger plugin does not connect | Incorrect adminIdentity or missing JKS Secret | Check nifiCluster.security.authorization.ranger.adminIdentity and Secret ranger-nifi-client-tls-password |
| NifiCluster stuck in intermediate state | NiFiKop webhook without cert-manager | Check nifikop.webhook.enabled and whether cert-manager controllers are ready |