Why is there no "single-user" login identity provider in NiFi registry like in NiFi itself?
Question
We're thinking about using the "single-user" identity provider for both our NiFi cluster and registry.
However, we noticed that the administration guide for NiFi registry does not contain this option, unlike the one for NiFi.
Is there any particular reason (other than no one had the need / time to implement it) why the NiFi registry does not support a "single-user" identity provider like NiFi itself does?
Answer 1
Score: 1
Thanks for raising the question. The single-user provider for NiFi is a convenience for standalone development and test instances, but it is not suitable for a clustered deployment.
For Registry, a single-user provider doesn’t make as much sense because one or more NiFi nodes need to access it, as well as a user coming from a browser.
So for any secured deployment of Registry, there will always be at least two “users”.
NiFi can act as a proxy, passing the authenticated user through a header, but NiFi itself still has to be authorized as a proxy. The two users are the NiFi server, and the human user coming through the browser.
The single user authentication can theoretically be used in a clustered deployment, but it is not designed for that, and it is not supported in that scenario.
The single user authentication should never be used in production for a clustered deployment.
The single user mode is certainly convenient, but it is narrowly scoped with the purpose of encouraging use of external authentication strategies, of which there are several. Have you evaluated any of the available options, such as LDAP, OIDC, or SAML?
Alternatively, using client certificate authentication for all access avoids the need for an active external authentication system, but of course it requires a functional certificate authority.
All of the authentication strategies delegate to an external system so that NiFi does not store credentials, which would in turn raise other security challenges. That’s another reason single user mode is so narrowly scoped.
Disclaimer: This question was asked (and answered) in the NiFi community Slack and this answer is posted here to make the information readily available. Special thanks to David Handermann for providing an authoritative answer.