Posted to commits@nifi.apache.org by mc...@apache.org on 2015/04/17 23:11:16 UTC
incubator-nifi git commit: NIFI-521: - Starting to add support for
limiting anonymous user access. - Cannot complete the task at this time
because web access, clustering,
and site to site all piggy back on the same sslcontext configuration. Need
support
Repository: incubator-nifi
Updated Branches:
refs/heads/NIFI-521 [created] 548418da2
NIFI-521:
- Starting to add support for limiting anonymous user access.
- Cannot complete the task at this time because web access, clustering, and site to site all piggy back on the same sslcontext configuration. Need support for more granular configuration.
Project: http://git-wip-us.apache.org/repos/asf/incubator-nifi/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-nifi/commit/548418da
Tree: http://git-wip-us.apache.org/repos/asf/incubator-nifi/tree/548418da
Diff: http://git-wip-us.apache.org/repos/asf/incubator-nifi/diff/548418da
Branch: refs/heads/NIFI-521
Commit: 548418da26db11ff51553e9b3793bce4e06c4e75
Parents: 8270791
Author: Matt Gilman <ma...@gmail.com>
Authored: Fri Apr 17 17:09:50 2015 -0400
Committer: Matt Gilman <ma...@gmail.com>
Committed: Fri Apr 17 17:09:50 2015 -0400
----------------------------------------------------------------------
nifi/nifi-assembly/pom.xml | 6 +
.../org/apache/nifi/util/NiFiProperties.java | 63 ++++++++-
.../nifi/admin/UserDataSourceFactoryBean.java | 139 ++++++++++++++++++-
.../nifi/admin/dao/impl/StandardUserDAO.java | 8 +-
.../java/org/apache/nifi/user/NiFiUser.java | 6 +
.../ServerSocketConfigurationFactoryBean.java | 9 +-
.../src/main/resources/conf/nifi.properties | 7 +
.../org/apache/nifi/web/server/JettyServer.java | 1 +
.../anonymous/NiFiAnonymousUserFilter.java | 9 +-
9 files changed, 237 insertions(+), 11 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-nifi/blob/548418da/nifi/nifi-assembly/pom.xml
----------------------------------------------------------------------
diff --git a/nifi/nifi-assembly/pom.xml b/nifi/nifi-assembly/pom.xml
index 13ffba8..c2b74a6 100644
--- a/nifi/nifi-assembly/pom.xml
+++ b/nifi/nifi-assembly/pom.xml
@@ -289,6 +289,7 @@
<nifi.security.truststoreType />
<nifi.security.truststorePasswd />
<nifi.security.needClientAuth />
+ <nifi.security.wantClientAuth />
<nifi.security.authorizedUsers.file>./conf/authorized-users.xml</nifi.security.authorizedUsers.file>
<nifi.security.user.credential.cache.duration>24 hours</nifi.security.user.credential.cache.duration>
<nifi.security.user.authority.provider>file-provider</nifi.security.user.authority.provider>
@@ -296,6 +297,11 @@
<nifi.security.support.new.account.requests />
<nifi.security.ocsp.responder.url />
<nifi.security.ocsp.responder.certificate />
+
+ <!-- nifi.properties: anonymous access (http and one way ssl -->
+ <nifi.security.limit.anonymous.access>false</nifi.security.limit.anonymous.access>
+ <nifi.security.allow.anonymous.readonly.access>true</nifi.security.allow.anonymous.readonly.access>
+ <nifi.security.allow.anonymous.provenance.access>true</nifi.security.allow.anonymous.provenance.access>
<!-- nifi.properties: cluster common properties (cluster manager and nodes
must have same values) -->
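Review bot: The XML comment on the first added line is missing its closing parenthesis and should read `<!-- nifi.properties: anonymous access (http and one way ssl) -->`. It would also help to state here, as the nifi.properties template does, that the two allow.* values only take effect when limit.anonymous.access is true; since both default to true, flipping only the limit flag still grants read-only and provenance access to anonymous callers, which an operator editing this block should be able to see.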
http://git-wip-us.apache.org/repos/asf/incubator-nifi/blob/548418da/nifi/nifi-commons/nifi-properties/src/main/java/org/apache/nifi/util/NiFiProperties.java
----------------------------------------------------------------------
diff --git a/nifi/nifi-commons/nifi-properties/src/main/java/org/apache/nifi/util/NiFiProperties.java b/nifi/nifi-commons/nifi-properties/src/main/java/org/apache/nifi/util/NiFiProperties.java
index 3b427a7..5d5b9c9 100644
--- a/nifi/nifi-commons/nifi-properties/src/main/java/org/apache/nifi/util/NiFiProperties.java
+++ b/nifi/nifi-commons/nifi-properties/src/main/java/org/apache/nifi/util/NiFiProperties.java
@@ -120,6 +120,10 @@ public class NiFiProperties extends Properties {
public static final String SECURITY_TRUSTSTORE_TYPE = "nifi.security.truststoreType";
public static final String SECURITY_TRUSTSTORE_PASSWD = "nifi.security.truststorePasswd";
public static final String SECURITY_NEED_CLIENT_AUTH = "nifi.security.needClientAuth";
+ public static final String SECURITY_WANT_CLIENT_AUTH = "nifi.security.wantClientAuth";
+ public static final String SECURITY_LIMIT_ANONYMOUS_ACCESS = "nifi.security.limit.anonymous.access";
+ public static final String SECURITY_ALLOW_ANONYMOUS_READONLY_ACCESS = "nifi.security.allow.anonymous.readonly.access";
+ public static final String SECURITY_ALLOW_ANONYMOUS_PROVENANCE_ACCESS = "nifi.security.allow.anonymous.provenance.access";
public static final String SECURITY_USER_AUTHORITY_PROVIDER = "nifi.security.user.authority.provider";
public static final String SECURITY_CLUSTER_AUTHORITY_PROVIDER_PORT = "nifi.security.cluster.authority.provider.port";
public static final String SECURITY_CLUSTER_AUTHORITY_PROVIDER_THREADS = "nifi.security.cluster.authority.provider.threads";
@@ -468,7 +472,64 @@ public class NiFiProperties extends Properties {
}
return needClientAuth;
}
-
+
+ /**
+ * Will default to true unless the value is explicitly set to false.
+ *
+ * @return Whether client auth is wanted
+ */
+ public boolean getWantClientAuth() {
+ boolean wantClientAuth = true;
+ String rawWantClientAuth = getProperty(SECURITY_WANT_CLIENT_AUTH);
+ if ("false".equalsIgnoreCase(rawWantClientAuth)) {
+ wantClientAuth = false;
+ }
+ return wantClientAuth;
+ }
+
+ /**
+ * Returns whether anonymous access should be limited. Will default to false
+ * unless explictly set to true.
+ *
+ * @return Whether to limit anonymous access
+ */
+ public boolean getLimitAnonymousAccess() {
+ boolean limitAnonymousAccess = false;
+ String rawlimitAnonymousAccess = getProperty(SECURITY_LIMIT_ANONYMOUS_ACCESS);
+ if ("true".equalsIgnoreCase(rawlimitAnonymousAccess)) {
+ limitAnonymousAccess = true;
+ }
+ return limitAnonymousAccess;
+ }
+
+ /**
+ * Will default to true unless the value is explicity set to false.
+ *
+ * @return Whether anonymous read only access is allowed
+ */
+ public boolean getAllowAnonymousReadOnlyAccess() {
+ boolean supportsReadOnlyClientAuth = true;
+ String rawSupportsReadOnlyClientAuth = getProperty(SECURITY_ALLOW_ANONYMOUS_READONLY_ACCESS);
+ if ("false".equalsIgnoreCase(rawSupportsReadOnlyClientAuth)) {
+ supportsReadOnlyClientAuth = false;
+ }
+ return supportsReadOnlyClientAuth;
+ }
+
+ /**
+ * Will default to true unless the value is explicity set to false.
+ *
+ * @return Whether anonymous read only access is allowed
+ */
+ public boolean getAllowAnonymousProvenanceAccess() {
+ boolean supportsReadOnlyClientAuth = true;
+ String rawSupportsReadOnlyClientAuth = getProperty(SECURITY_ALLOW_ANONYMOUS_PROVENANCE_ACCESS);
+ if ("false".equalsIgnoreCase(rawSupportsReadOnlyClientAuth)) {
+ supportsReadOnlyClientAuth = false;
+ }
+ return supportsReadOnlyClientAuth;
+ }
+
public String getUserCredentialCacheDuration() {
return getProperty(SECURITY_USER_CREDENTIAL_CACHE_DURATION, DEFAULT_USER_CREDENTIAL_CACHE_DURATION);
}
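Review bot: The Javadoc on `getAllowAnonymousProvenanceAccess()` is a copy of the read-only getter's and documents the wrong property; it should say `@return Whether anonymous provenance access is allowed`, and the locals `supportsReadOnlyClientAuth`/`rawSupportsReadOnlyClientAuth` should be renamed to match ("explictly"/"explicity" in the other Javadocs should be "explicitly"). The three allow/want getters also fail open: any value other than the literal "false" (a typo such as "flase", or "no") leaves access enabled, whereas `getLimitAnonymousAccess()` fails closed on the same kind of typo. A shared parser that accepts only "true"/"false", applies the documented default on an absent value and rejects anything else would make the four getters consistent and avoid granting access on a misconfiguration.
```java
/** Parses a boolean property; uses defaultValue when unset, rejects values that are neither "true" nor "false". */
private boolean getBooleanProperty(final String key, final boolean defaultValue) {
    final String raw = getProperty(key);
    if (raw == null || raw.trim().isEmpty()) {
        return defaultValue;
    }
    if ("true".equalsIgnoreCase(raw.trim())) {
        return true;
    }
    if ("false".equalsIgnoreCase(raw.trim())) {
        return false;
    }
    throw new IllegalStateException("Property " + key + " must be true or false but was: " + raw);
}

/**
 * Will default to true unless the value is explicitly set to false.
 *
 * @return Whether client auth is wanted
 */
public boolean getWantClientAuth() {
    return getBooleanProperty(SECURITY_WANT_CLIENT_AUTH, true);
}

// … unchanged: the other three getters delegate the same way with their own key and default …
```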
http://git-wip-us.apache.org/repos/asf/incubator-nifi/blob/548418da/nifi/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-administration/src/main/java/org/apache/nifi/admin/UserDataSourceFactoryBean.java
----------------------------------------------------------------------
diff --git a/nifi/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-administration/src/main/java/org/apache/nifi/admin/UserDataSourceFactoryBean.java b/nifi/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-administration/src/main/java/org/apache/nifi/admin/UserDataSourceFactoryBean.java
index 1f64f6e..a19181b 100644
--- a/nifi/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-administration/src/main/java/org/apache/nifi/admin/UserDataSourceFactoryBean.java
+++ b/nifi/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-administration/src/main/java/org/apache/nifi/admin/UserDataSourceFactoryBean.java
@@ -62,6 +62,10 @@ public class UserDataSourceFactoryBean implements FactoryBean {
+ "CONSTRAINT USER_ROLE_UNIQUE_CONSTRAINT UNIQUE (USER_ID, ROLE)"
+ ")";
+ // --------------
+ // anonymous user
+ // --------------
+
private static final String INSERT_ANONYMOUS_USER = "INSERT INTO USER ("
+ "ID, DN, USER_NAME, CREATION, LAST_VERIFIED, JUSTIFICATION, STATUS"
+ ") VALUES ("
@@ -73,7 +77,7 @@ public class UserDataSourceFactoryBean implements FactoryBean {
+ "'Anonymous user needs no justification', "
+ "'ACTIVE'"
+ ")";
-
+
private static final String INSERT_ANONYMOUS_MONITOR_AUTHORITY = "INSERT INTO AUTHORITY ("
+ "USER_ID, ROLE"
+ ") VALUES ("
@@ -102,6 +106,10 @@ public class UserDataSourceFactoryBean implements FactoryBean {
+ "'ROLE_NIFI'"
+ ")";
+ // ---------------------------------
+ // anonymouse user provenance access
+ // ---------------------------------
+
private static final String INSERT_ANONYMOUS_PROVENANCE_AUTHORITY = "INSERT INTO AUTHORITY ("
+ "USER_ID, ROLE"
+ ") VALUES ("
@@ -114,6 +122,58 @@ public class UserDataSourceFactoryBean implements FactoryBean {
+ "USER_ID = (SELECT ID FROM USER WHERE DN = '" + NiFiUser.ANONYMOUS_USER_DN + "') "
+ "AND "
+ "ROLE = 'ROLE_PROVENANCE'";
+
+ // ----------------------
+ // limited anonymous user
+ // ----------------------
+
+ private static final String SELECT_LIMITED_ANONYMOUS_USER = "SELECT ID FROM USER WHERE DN = '" + NiFiUser.LIMITED_ANONYMOUS_USER_DN + "'";
+
+ private static final String INSERT_LIMITED_ANONYMOUS_USER = "INSERT INTO USER ("
+ + "ID, DN, USER_NAME, CREATION, LAST_VERIFIED, JUSTIFICATION, STATUS"
+ + ") VALUES ("
+ + "'" + UUID.randomUUID().toString() + "', "
+ + "'" + NiFiUser.LIMITED_ANONYMOUS_USER_DN + "', "
+ + "'" + NiFiUser.LIMITED_ANONYMOUS_USER_DN + "', "
+ + "NOW(), "
+ + "NOW(), "
+ + "'Restricted anonymous user needs no justification', "
+ + "'ACTIVE'"
+ + ")";
+
+ // ---------------------------------------
+ // limited anonymous user read only access
+ // ---------------------------------------
+
+ private static final String SELECT_LIMITED_ANONYMOUS_MONITOR_AUTHORITY = "SELECT USER_ID FROM AUTHORITY "
+ + "WHERE USER_ID = (SELECT ID FROM USER WHERE DN = '" + NiFiUser.LIMITED_ANONYMOUS_USER_DN + "') AND ROLE = 'ROLE_MONITOR'";
+
+ private static final String DELETE_LIMITED_ANONYMOUS_MONITOR_AUTHORITY = "DELETE FROM AUTHORITY "
+ + "WHERE USER_ID = (SELECT ID FROM USER WHERE DN = '" + NiFiUser.LIMITED_ANONYMOUS_USER_DN + "') AND ROLE = 'ROLE_MONITOR'";
+
+ private static final String INSERT_LIMITED_ANONYMOUS_MONITOR_AUTHORITY = "INSERT INTO AUTHORITY ("
+ + "USER_ID, ROLE"
+ + ") VALUES ("
+ + "(SELECT ID FROM USER WHERE DN = '" + NiFiUser.LIMITED_ANONYMOUS_USER_DN + "'), "
+ + "'ROLE_MONITOR'"
+ + ")";
+
+ // ----------------------------------------
+ // limited anonymous user provenance access
+ // ----------------------------------------
+
+ private static final String SELECT_LIMITED_ANONYMOUS_PROVENANCE_AUTHORITY = "SELECT USER_ID FROM AUTHORITY "
+ + "WHERE USER_ID = (SELECT ID FROM USER WHERE DN = '" + NiFiUser.LIMITED_ANONYMOUS_USER_DN + "') AND ROLE = 'ROLE_PROVENANCE'";
+
+ private static final String DELETE_LIMITED_ANONYMOUS_PROVENANCE_AUTHORITY = "DELETE FROM AUTHORITY "
+ + "WHERE USER_ID = (SELECT ID FROM USER WHERE DN = '" + NiFiUser.LIMITED_ANONYMOUS_USER_DN + "') AND ROLE = 'ROLE_PROVENANCE'";
+
+ private static final String INSERT_LIMITED_ANONYMOUS_PROVENANCE_AUTHORITY = "INSERT INTO AUTHORITY ("
+ + "USER_ID, ROLE"
+ + ") VALUES ("
+ + "(SELECT ID FROM USER WHERE DN = '" + NiFiUser.LIMITED_ANONYMOUS_USER_DN + "'), "
+ + "'ROLE_PROVENANCE'"
+ + ")";
private JdbcConnectionPool connectionPool;
@@ -168,11 +228,66 @@ public class UserDataSourceFactoryBean implements FactoryBean {
statement.execute(INSERT_ANONYMOUS_DFM_AUTHORITY);
statement.execute(INSERT_ANONYMOUS_ADMIN_AUTHORITY);
statement.execute(INSERT_ANONYMOUS_NIFI_AUTHORITY);
+
+ // if its configured to limit anonymous
+ if (properties.getLimitAnonymousAccess()) {
+ // seed the restricted anonymous user
+ statement.execute(INSERT_LIMITED_ANONYMOUS_USER);
+
+ if (properties.getAllowAnonymousReadOnlyAccess()) {
+ statement.execute(INSERT_LIMITED_ANONYMOUS_MONITOR_AUTHORITY);
+ }
+ if (properties.getAllowAnonymousProvenanceAccess()) {
+ statement.execute(INSERT_LIMITED_ANONYMOUS_PROVENANCE_AUTHORITY);
+ }
+ }
} else {
logger.info("Existing database found and connected to at: " + databaseUrl);
+
+ // if its configured to limit anonymous access
+ if (properties.getLimitAnonymousAccess()) {
+
+ // close the previous result set if necessary
+ RepositoryUtils.closeQuietly(rs);
+
+ // create the user if necessary
+ rs = statement.executeQuery(SELECT_LIMITED_ANONYMOUS_USER);
+ if (!rs.next()) {
+ statement.execute(INSERT_LIMITED_ANONYMOUS_USER);
+
+ // conditionally allow anonymous read only access
+ if (properties.getAllowAnonymousReadOnlyAccess()) {
+ statement.execute(INSERT_LIMITED_ANONYMOUS_MONITOR_AUTHORITY);
+ }
+
+ // conditionally allow anonymouse provenance access
+ if (properties.getAllowAnonymousProvenanceAccess()) {
+ statement.execute(INSERT_LIMITED_ANONYMOUS_PROVENANCE_AUTHORITY);
+ }
+ } else {
+ // conditionally add/remove anonymous read only
+ if (properties.getAllowAnonymousReadOnlyAccess()) {
+ if (!allowsAnonymousReadOnlyAccess(statement)) {
+ statement.execute(INSERT_LIMITED_ANONYMOUS_MONITOR_AUTHORITY);
+ }
+ } else {
+ statement.executeUpdate(DELETE_LIMITED_ANONYMOUS_MONITOR_AUTHORITY);
+ }
+
+ // conditionally add/remove anonymous provenance
+ if (properties.getAllowAnonymousProvenanceAccess()) {
+ if (!allowsAnonymousProvenanceAccess(statement)) {
+ statement.execute(INSERT_LIMITED_ANONYMOUS_PROVENANCE_AUTHORITY);
+ }
+ } else {
+ // remove provenance access
+ statement.execute(DELETE_LIMITED_ANONYMOUS_PROVENANCE_AUTHORITY);
+ }
+ }
+ }
}
- // close the previous result set
+ // close the previous result set if necessary
RepositoryUtils.closeQuietly(rs);
// merge in the provenance role to handle existing databases
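Review bot: The two removal branches use different JDBC calls — `statement.executeUpdate(DELETE_LIMITED_ANONYMOUS_MONITOR_AUTHORITY)` for the monitor role but `statement.execute(DELETE_LIMITED_ANONYMOUS_PROVENANCE_AUTHORITY)` for the provenance role; both work, but the second should be `executeUpdate` as well so a data-modifying statement is written uniformly. When `getLimitAnonymousAccess()` is false on an existing database, a limited-anonymous user and authorities seeded under an earlier configuration are left untouched; that looks intentional, since the filter only resolves that DN when limiting is enabled, but a comment above `if (properties.getLimitAnonymousAccess())` in the existing-database branch, e.g. `// limited anonymous rows from an earlier configuration are intentionally left in place; they are only resolved when limiting is enabled`, would stop a later reader from treating it as a leak. The comment on the second provenance branch reads "anonymouse". The enclosing method starts and ends outside the hunk.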
@@ -196,6 +311,26 @@ public class UserDataSourceFactoryBean implements FactoryBean {
return connectionPool;
}
+ private boolean allowsAnonymousReadOnlyAccess(final Statement statement) throws SQLException {
+ ResultSet rs = null;
+ try {
+ rs = statement.executeQuery(SELECT_LIMITED_ANONYMOUS_MONITOR_AUTHORITY);
+ return rs.next();
+ } finally {
+ RepositoryUtils.closeQuietly(rs);
+ }
+ }
+
+ private boolean allowsAnonymousProvenanceAccess(final Statement statement) throws SQLException {
+ ResultSet rs = null;
+ try {
+ rs = statement.executeQuery(SELECT_LIMITED_ANONYMOUS_PROVENANCE_AUTHORITY);
+ return rs.next();
+ } finally {
+ RepositoryUtils.closeQuietly(rs);
+ }
+ }
+
/**
* Get the database url for the specified database file.
*
http://git-wip-us.apache.org/repos/asf/incubator-nifi/blob/548418da/nifi/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-administration/src/main/java/org/apache/nifi/admin/dao/impl/StandardUserDAO.java
----------------------------------------------------------------------
diff --git a/nifi/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-administration/src/main/java/org/apache/nifi/admin/dao/impl/StandardUserDAO.java b/nifi/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-administration/src/main/java/org/apache/nifi/admin/dao/impl/StandardUserDAO.java
index ea7c1a1..4817410 100644
--- a/nifi/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-administration/src/main/java/org/apache/nifi/admin/dao/impl/StandardUserDAO.java
+++ b/nifi/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-administration/src/main/java/org/apache/nifi/admin/dao/impl/StandardUserDAO.java
@@ -91,7 +91,7 @@ public class StandardUserDAO implements UserDAO {
+ "FROM USER U "
+ "LEFT JOIN AUTHORITY A " // ensures that users without authorities are still matched
+ "ON U.ID = A.USER_ID "
- + "WHERE U.DN <> ?";
+ + "WHERE U.DN NOT IN (?, ?)";
private static final String SELECT_USER_GROUPS = "SELECT DISTINCT "
+ "U.USER_GROUP "
@@ -111,7 +111,7 @@ public class StandardUserDAO implements UserDAO {
+ "FROM USER U "
+ "LEFT JOIN AUTHORITY A " // ensures that users without authorities are still matched
+ "ON U.ID = A.USER_ID "
- + "WHERE U.DN <> ? AND U.USER_GROUP = ?";
+ + "WHERE U.DN NOT IN (?, ?) AND U.USER_GROUP = ?";
private static final String INSERT_USER = "INSERT INTO USER ("
+ "ID, DN, USER_NAME, USER_GROUP, CREATION, LAST_VERIFIED, JUSTIFICATION, STATUS"
@@ -195,6 +195,7 @@ public class StandardUserDAO implements UserDAO {
// create the connection and obtain a statement
statement = connection.prepareStatement(SELECT_USERS);
statement.setString(1, NiFiUser.ANONYMOUS_USER_DN);
+ statement.setString(2, NiFiUser.LIMITED_ANONYMOUS_USER_DN);
// execute the query
rs = statement.executeQuery();
@@ -288,7 +289,8 @@ public class StandardUserDAO implements UserDAO {
// create the connection and obtain a statement
statement = connection.prepareStatement(SELECT_USER_GROUP);
statement.setString(1, NiFiUser.ANONYMOUS_USER_DN);
- statement.setString(2, group);
+ statement.setString(2, NiFiUser.LIMITED_ANONYMOUS_USER_DN);
+ statement.setString(3, group);
// execute the query
rs = statement.executeQuery();
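Review bot: The reserved DNs are now repeated at four sites (both `NOT IN (?, ?)` queries and both sets of `setString` bindings), so adding a third reserved identity would require editing each one, and an omission would silently expose that account in user listings. Consider keeping the excluded DNs in one place, e.g. `private static final List<String> RESERVED_DNS = Arrays.asList(NiFiUser.ANONYMOUS_USER_DN, NiFiUser.LIMITED_ANONYMOUS_USER_DN);`, and binding from it in both methods; the same applies to the `SELECT_USERS` binding hunk above. Both enclosing methods start and end outside the hunk.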
http://git-wip-us.apache.org/repos/asf/incubator-nifi/blob/548418da/nifi/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-administration/src/main/java/org/apache/nifi/user/NiFiUser.java
----------------------------------------------------------------------
diff --git a/nifi/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-administration/src/main/java/org/apache/nifi/user/NiFiUser.java b/nifi/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-administration/src/main/java/org/apache/nifi/user/NiFiUser.java
index 415160a..62e8b07 100644
--- a/nifi/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-administration/src/main/java/org/apache/nifi/user/NiFiUser.java
+++ b/nifi/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-administration/src/main/java/org/apache/nifi/user/NiFiUser.java
@@ -29,7 +29,13 @@ import org.apache.commons.lang3.StringUtils;
*/
public class NiFiUser implements Serializable {
+ // DN for the anonymous user that is used during http and one way ssl - this
+ // anonymous user has full permission
public static final String ANONYMOUS_USER_DN = "anonymous";
+
+ // DN for the anonymous user that is when the application is configured for
+ // limited anonymous access
+ public static final String LIMITED_ANONYMOUS_USER_DN = "limited-anonymous";
private String id;
private String dn;
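Review bot: The comment on the new constant is missing a word; it should read `// DN for the anonymous user that is used when the application is configured for limited anonymous access`. Since both constants are reserved identities resolved by DN, the comment should also state that this DN must be excluded wherever users are enumerated or looked up by DN (as StandardUserDAO now does), so a later query does not treat it as an ordinary account.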
http://git-wip-us.apache.org/repos/asf/incubator-nifi/blob/548418da/nifi/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-framework-cluster-protocol/src/main/java/org/apache/nifi/cluster/protocol/spring/ServerSocketConfigurationFactoryBean.java
----------------------------------------------------------------------
diff --git a/nifi/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-framework-cluster-protocol/src/main/java/org/apache/nifi/cluster/protocol/spring/ServerSocketConfigurationFactoryBean.java b/nifi/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-framework-cluster-protocol/src/main/java/org/apache/nifi/cluster/protocol/spring/ServerSocketConfigurationFactoryBean.java
index 5b5816d..033f8ba 100644
--- a/nifi/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-framework-cluster-protocol/src/main/java/org/apache/nifi/cluster/protocol/spring/ServerSocketConfigurationFactoryBean.java
+++ b/nifi/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-framework-cluster-protocol/src/main/java/org/apache/nifi/cluster/protocol/spring/ServerSocketConfigurationFactoryBean.java
@@ -35,13 +35,14 @@ public class ServerSocketConfigurationFactoryBean implements FactoryBean<ServerS
@Override
public ServerSocketConfiguration getObject() throws Exception {
if(configuration == null) {
- configuration = new ServerSocketConfiguration();
- configuration.setNeedClientAuth(properties.getNeedClientAuth());
-
+ final boolean isClusterSecure = Boolean.valueOf(properties.getProperty(NiFiProperties.CLUSTER_PROTOCOL_IS_SECURE));
final int timeout = (int) FormatUtils.getTimeDuration(properties.getClusterProtocolSocketTimeout(), TimeUnit.MILLISECONDS);
+
+ configuration = new ServerSocketConfiguration();
configuration.setSocketTimeout(timeout);
configuration.setReuseAddress(true);
- if(Boolean.valueOf(properties.getProperty(NiFiProperties.CLUSTER_PROTOCOL_IS_SECURE))) {
+ configuration.setNeedClientAuth(isClusterSecure);
+ if(isClusterSecure) {
configuration.setSSLContextFactory(new SSLContextFactory(properties));
}
}
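Review bot: `configuration.setNeedClientAuth(isClusterSecure)` changes what the cluster protocol requires: it previously followed `nifi.security.needClientAuth`, and now any secure cluster protocol always demands a client certificate regardless of the web tier's setting. That is a sensible direction for node-to-node traffic, but it is a behavior change for existing deployments and nothing in the code says so; add `// cluster protocol peers are always mutually authenticated when the protocol is secure; the web tier's needClientAuth setting intentionally does not apply here` above the call. Note also that `Boolean.valueOf(properties.getProperty(NiFiProperties.CLUSTER_PROTOCOL_IS_SECURE))` yields false for an unset or misspelled value, so a typo silently produces an unauthenticated plain-socket protocol; that was already the case before this change, but the refactor is a good moment to reject unrecognized values.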
http://git-wip-us.apache.org/repos/asf/incubator-nifi/blob/548418da/nifi/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-resources/src/main/resources/conf/nifi.properties
----------------------------------------------------------------------
diff --git a/nifi/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-resources/src/main/resources/conf/nifi.properties b/nifi/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-resources/src/main/resources/conf/nifi.properties
index 90b3cdd..a946ac1 100644
--- a/nifi/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-resources/src/main/resources/conf/nifi.properties
+++ b/nifi/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-resources/src/main/resources/conf/nifi.properties
@@ -117,12 +117,19 @@ nifi.security.truststore=${nifi.security.truststore}
nifi.security.truststoreType=${nifi.security.truststoreType}
nifi.security.truststorePasswd=${nifi.security.truststorePasswd}
nifi.security.needClientAuth=${nifi.security.needClientAuth}
+nifi.security.wantClientAuth=${nifi.security.wantClientAuth}
nifi.security.user.credential.cache.duration=${nifi.security.user.credential.cache.duration}
nifi.security.user.authority.provider=${nifi.security.user.authority.provider}
nifi.security.support.new.account.requests=${nifi.security.support.new.account.requests}
nifi.security.ocsp.responder.url=${nifi.security.ocsp.responder.url}
nifi.security.ocsp.responder.certificate=${nifi.security.ocsp.responder.certificate}
+# whether to limit what anonymous users can access - this applies for both http and https when need client auth is false (one way ssl)
+nifi.security.limit.anonymous.access=${nifi.security.limit.anonymous.access}
+# if anonymous access is limited, the following two properties specify what is accessible
+nifi.security.allow.anonymous.readonly.access=${nifi.security.allow.anonymous.readonly.access}
+nifi.security.allow.anonymous.provenance.access=${nifi.security.allow.anonymous.provenance.access}
+
# cluster common properties (cluster manager and nodes must have same values) #
nifi.cluster.protocol.heartbeat.interval=${nifi.cluster.protocol.heartbeat.interval}
nifi.cluster.protocol.is.secure=${nifi.cluster.protocol.is.secure}
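Review bot: `nifi.security.wantClientAuth` is added without the explanatory comment the other new properties get, and its relation to `needClientAuth` is not obvious to an operator; add `# whether to request (but not require) a client certificate during the TLS handshake - only meaningful when needClientAuth is false` above it. The comment on `nifi.security.limit.anonymous.access` should also mention the defaults, since the two allow properties below default to true when unset and therefore grant read-only and provenance access as soon as limiting is switched on.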
http://git-wip-us.apache.org/repos/asf/incubator-nifi/blob/548418da/nifi/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-jetty/src/main/java/org/apache/nifi/web/server/JettyServer.java
----------------------------------------------------------------------
diff --git a/nifi/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-jetty/src/main/java/org/apache/nifi/web/server/JettyServer.java b/nifi/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-jetty/src/main/java/org/apache/nifi/web/server/JettyServer.java
index 1134c77..1c1cb5c 100644
--- a/nifi/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-jetty/src/main/java/org/apache/nifi/web/server/JettyServer.java
+++ b/nifi/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-jetty/src/main/java/org/apache/nifi/web/server/JettyServer.java
@@ -625,6 +625,7 @@ public class JettyServer implements NiFiServer {
// need client auth
contextFactory.setNeedClientAuth(props.getNeedClientAuth());
+ contextFactory.setWantClientAuth(props.getWantClientAuth());
/* below code sets JSSE system properties when values are provided */
// keystore properties
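Review bot: The existing `// need client auth` comment now sits above two calls with different semantics; change it to `// client auth: need = require a client certificate, want = request one but still complete the handshake without it` so the distinction is clear. It is also worth stating that `setWantClientAuth` only matters when `getNeedClientAuth()` is false, since a required certificate makes the wanted flag irrelevant. The enclosing method starts and ends outside the hunk.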
http://git-wip-us.apache.org/repos/asf/incubator-nifi/blob/548418da/nifi/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/anonymous/NiFiAnonymousUserFilter.java
----------------------------------------------------------------------
diff --git a/nifi/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/anonymous/NiFiAnonymousUserFilter.java b/nifi/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/anonymous/NiFiAnonymousUserFilter.java
index a82787b..1d3b5da 100644
--- a/nifi/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/anonymous/NiFiAnonymousUserFilter.java
+++ b/nifi/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/anonymous/NiFiAnonymousUserFilter.java
@@ -54,7 +54,14 @@ public class NiFiAnonymousUserFilter extends AnonymousAuthenticationFilter {
Authentication authentication;
try {
// load the anonymous user from the database
- NiFiUser user = userService.getUserByDn(NiFiUser.ANONYMOUS_USER_DN);
+ NiFiUser user;
+ if (properties.getLimitAnonymousAccess()) {
+ user = userService.getUserByDn(NiFiUser.LIMITED_ANONYMOUS_USER_DN);
+ } else {
+ user = userService.getUserByDn(NiFiUser.ANONYMOUS_USER_DN);
+ }
+
+ // get the user details
NiFiUserDetails userDetails = new NiFiUserDetails(user);
// get the granted authorities
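Review bot: The new `if`/`else` only chooses a DN, so it reads more directly as a single expression: `final String anonymousDn = properties.getLimitAnonymousAccess() ? NiFiUser.LIMITED_ANONYMOUS_USER_DN : NiFiUser.ANONYMOUS_USER_DN;` followed by `NiFiUser user = userService.getUserByDn(anonymousDn);`. The `// load the anonymous user from the database` comment should also say that the limited-anonymous account replaces the full-permission one when limiting is enabled, as that is the whole point of the branch. The `properties` field is not declared in this hunk; presumably it is injected like `userService` and set before the filter runs. The enclosing method starts and ends outside the hunk.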