Skip to main content
Version 3.0

Security — NiFi

ChartVersion3.0.1TypeapplicationAppVersion1.28.0
CompatibilityKubernetes1.32+OpenShift4.19+Rancher2.10.x+

The tdp-nifi chart supports three security operating modes, controlled by the nifiCluster.security and nifiCluster.authorizersSecret blocks. The mode determines whether NiFi operates over HTTP or HTTPS, whether LDAP login is required, and who manages access policies.

Security modes

ModeWhen to useAuthenticationAuthorization
Mode 1Local labs and temporary functional testsNo loginNo per-user control
Mode 2Environments with LDAP users and local NiFi policiesLDAPNiFi local file (file)
Mode 3Environments with LDAP and centralized policies in RangerLDAPApache Ranger (ranger)

Mode 1: No authentication and no policy control

Use this mode for local labs or temporary functional tests.

  • NiFi runs in HTTP
  • LDAP is disabled
  • there is no login screen
  • access is not segmented by user/profile
nifiCluster:
security:
enabled: false
protocol: "http"
port: 8080

ldap:
enabled: false

authorization:
mode: "file"

If Ingress is enabled, use HTTP as the backend protocol:

ingress:
annotations:
nginx.ingress.kubernetes.io/backend-protocol: "HTTP"
rules:
- host: nifi.local
paths:
- path: /
pathType: Prefix
backend:
service:
name: tdp-nifi-service
port:
number: 8080

Mode 2: LDAP with policies managed by NiFi

Use this mode when users authenticate via LDAP and access policies are managed by NiFi itself (local authorizer).

  • NiFi runs in HTTPS
  • login via LDAP
  • policies controlled by NiFi using the local file authorizer (file)
nifiCluster:
security:
enabled: true
protocol: "https"
port: 8443

ldap:
enabled: true
url: "ldap://<LDAP_HOST>:389"
searchBase: "<LDAP_USER_BASE_DN>"
searchFilter: "(&(uid={0})(objectClass=inetOrgPerson))"
managerDn: "<LDAP_BIND_DN>"
managerPassword: "<LDAP_BIND_PASSWORD>"
referralStrategy: "FOLLOW"
identityStrategy: "USE_USERNAME"

authorization:
mode: "file"

For first access, define the initial identities via nifiCluster.authorizersSecret:

nifiCluster:
authorizersSecret:
enabled: true
initialUserIdentities:
- fry
- leela
initialAdminIdentity: fry
Identities in authorizersSecret
  • initialAdminIdentity is the first NiFi admin.
  • The identity must match what LDAP returns after the configured mapping strategy.
  • With identityStrategy: USE_USERNAME, use identities like fry, leela, admin.

If Ingress is enabled, use HTTPS as the backend protocol:

ingress:
annotations:
nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
rules:
- host: nifi.local
paths:
- path: /
pathType: Prefix
backend:
service:
name: tdp-nifi-service
port:
number: 8443

Declarative user management (optional)

After bootstrap, users and groups can be managed declaratively via NiFiKop:

nifiCluster:
authorization:
enabled: true
managedAdminUsers:
- name: fry-admin
identity: fry
managedReaderUsers:
- name: hermes-reader
identity: hermes

Use when you want repeatability through Helm. Alternatively, bootstrap with authorizersSecret and manage policies later in the NiFi UI.

Mode 3: LDAP with policies managed by Ranger

Use this mode when users authenticate via LDAP and access policies are controlled by Apache Ranger.

Requirements:

  • NiFi image with the Ranger plugin already embedded
  • tdp-ranger overlay for the NiFi authorizer flow
  • Secret ranger-nifi-client-tls-password
nifiCluster:
clusterImage: "registry.tecnisys.com.br/tdp/images/nifi:1.28.0-0"

security:
enabled: true
protocol: "https"
port: 8443
additionalProxyHosts:
- "nifi-headless.<NAMESPACE>.svc.cluster.local"
- "nifi-headless.<NAMESPACE>.svc.cluster.local:8443"

ldap:
enabled: true
url: "ldap://<LDAP_HOST>:389"
searchBase: "<LDAP_USER_BASE_DN>"
searchFilter: "(&(uid={0})(objectClass=inetOrgPerson))"
managerDn: "<LDAP_BIND_DN>"
managerPassword: "<LDAP_BIND_PASSWORD>"
referralStrategy: "FOLLOW"
identityStrategy: "USE_USERNAME"

authorization:
mode: "ranger"

Create the Secret with the Ranger JKS password before deploying:

Terminal input
kubectl -n <NAMESPACE> create secret generic ranger-nifi-client-tls-password \
--from-literal=password='<KEYSTORE_PASSWORD>' \
--dry-run=client -o yaml | kubectl apply -f -

Apply the corresponding overlays:

Terminal input
helm upgrade --install tdp-ranger oci://registry.tecnisys.com.br/tdp/charts/tdp-ranger \
-n <NAMESPACE> \
-f <VALUES_FILE>
Terminal input
helm upgrade --install tdp-nifi oci://registry.tecnisys.com.br/tdp/charts/tdp-nifi \
-n <NAMESPACE> \
-f <VALUES_FILE>
Mode 3 operational rules
  • Use the custom NiFi image with the Ranger plugin already included.
  • nifiCluster.security.authorization.ranger.adminIdentity must match the Ranger client certificate identity (default in the TDP repo: CN=ranger-nifi-client).
  • The Ranger service must point to https://<NIFI_SERVICE>/nifi-api/resources.
  • For clustered NiFi, Ranger needs technical policies for /resources, /controller, /system, and /proxy.

Summary: keys per mode

SettingMode 1Mode 2Mode 3
nifiCluster.security.enabledfalsetruetrue
nifiCluster.security.protocolhttphttpshttps
nifiCluster.security.ldap.enabledfalsetruetrue
nifiCluster.security.authorization.modefilefileranger
nifiCluster.authorizersSecretnot relevantrequired for bootstrapnot the source of policies
nifiCluster.authorizationoptionaloptionalnot the main policy source
Ranger authorization config requirednonoyes
custom NiFi image with Ranger pluginnonoyes

Practical rules

  • For no login: disable security.enabled and ldap.enabled.
  • For login via LDAP with local NiFi policies: keep authorization.mode: file.
  • For login via LDAP with policies in Ranger: use authorization.mode: ranger.

Detailed LDAP configuration

The nifiCluster.security.ldap block controls all LDAP search and authentication parameters:

FieldDescription
urlLDAP server address
searchBaseBase DN where users are located
searchFilterSearch filter — {0} is replaced by the provided username
authenticationStrategyBind type: SIMPLE for direct authentication
managerDnBind user DN (read-only in the directory)
managerPasswordBind user password — do not version in public repositories
referralStrategyHow to follow LDAP referrals: FOLLOW or IGNORE
identityStrategyUSE_USERNAME uses the login as the NiFi identity
Bind credentials

Do not store managerPassword in a Git repository. Use a private values file (outside version control) or a secrets management mechanism to inject this credential at deploy time.

For LDAPS (TLS), replace ldap:// with ldaps:// and use port 636.

TLS certificates (cert-manager)

NiFi operates in HTTPS with certificates automatically generated by cert-manager. The SSL configuration is under nifiCluster.security.ssl:

nifiCluster:
security:
ssl:
enabled: true
secrets:
create: true
tlsSecretName: "nifi-cluster-ca"
pkiBackend: cert-manager
issuerRef:
name: selfsigned-issuer
kind: Issuer
FieldDescription
ssl.enabledEnables TLS (automatically derived from protocol: https)
ssl.secrets.createAutomatically creates the TLS Secret
ssl.secrets.pkiBackendcert-manager delegates issuance to cert-manager
ssl.secrets.issuerRef.nameName of the Issuer or ClusterIssuer in the cluster

Prerequisite: cert-manager via tdp-crds

In TDP, the tdp-crds chart installs the required CRDs, including cert-manager CRDs. Install tdp-crds before tdp-nifi:

Terminal input
helm upgrade --install tdp-crds \
oci://registry.tecnisys.com.br/tdp/charts/tdp-crds \
--namespace tdp --create-namespace

When nifikop.webhook.enabled=true, the cert-manager controllers (cert-manager, cainjector, and webhook) must also be running in the cluster.

Best practices

AspectRecommendation
Development environmentMode 1 (no authentication), access via port-forward
Shared environment / productionMode 2 with LDAPS (port 636) and HTTPS enabled
CredentialsNever version managerPassword in public values
CertificatesUse cert-manager via tdp-crds in production
Centralized policiesMode 3 with Ranger when audit and centralized access control are required

Troubleshooting

ProblemLikely causeSolution
NiFi Pod does not start with HTTPScert-manager absent or Issuer not foundCheck cert-manager installation and Issuer name
LDAP login failsIncorrect bind DN or passwordTest bind with ldapsearch before configuring
Invalid certificate in browserUsing selfsigned-issuerExpected in development; use a valid CA in production
Ranger plugin does not connectIncorrect adminIdentity or missing JKS SecretCheck nifiCluster.security.authorization.ranger.adminIdentity and Secret ranger-nifi-client-tls-password
NifiCluster stuck in intermediate stateNiFiKop webhook without cert-managerCheck nifikop.webhook.enabled and whether cert-manager controllers are ready