You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@nifi.apache.org by oz...@apache.org on 2016/11/19 13:39:45 UTC
nifi git commit: NIFI-3020: - Introducing a strategy for identifying
users. - Fixing issue with the referral strategy error message. - Adding code
to shutdown the application when the authorizer or login identity provider
are not initialized successfully
Repository: nifi
Updated Branches:
refs/heads/master 1be087147 -> c8830742e
NIFI-3020:
- Introducing a strategy for identifying users.
- Fixing issue with the referral strategy error message.
- Adding code to shutdown the application when the authorizer or login identity provider are not initialized successfully.
NIFI-3020:
- Updating the admin guide to document the identity strategy.
NIFI-3020:
- Ensuring the request replicator attempts to shutdown regardless of whether the flow service properly terminates.
This closes #1236
Project: http://git-wip-us.apache.org/repos/asf/nifi/repo
Commit: http://git-wip-us.apache.org/repos/asf/nifi/commit/c8830742
Tree: http://git-wip-us.apache.org/repos/asf/nifi/tree/c8830742
Diff: http://git-wip-us.apache.org/repos/asf/nifi/diff/c8830742
Branch: refs/heads/master
Commit: c8830742eee4470b371246ec9bf14d2fea5fa522
Parents: 1be0871
Author: Matt Gilman <ma...@gmail.com>
Authored: Wed Nov 16 16:29:14 2016 -0500
Committer: Oleg Zhurakousky <ol...@suitcase.io>
Committed: Sat Nov 19 08:38:41 2016 -0500
----------------------------------------------------------------------
.../src/main/asciidoc/administration-guide.adoc | 3 +
.../resources/conf/login-identity-providers.xml | 7 ++-
.../ApplicationStartupContextListener.java | 58 ++++++++++++--------
.../org/apache/nifi/ldap/IdentityStrategy.java | 26 +++++++++
.../java/org/apache/nifi/ldap/LdapProvider.java | 36 ++++++++++--
.../org/apache/nifi/ldap/ReferralStrategy.java | 3 +-
6 files changed, 102 insertions(+), 31 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/nifi/blob/c8830742/nifi-docs/src/main/asciidoc/administration-guide.adoc
----------------------------------------------------------------------
diff --git a/nifi-docs/src/main/asciidoc/administration-guide.adoc b/nifi-docs/src/main/asciidoc/administration-guide.adoc
index 5322d86..14587f2 100644
--- a/nifi-docs/src/main/asciidoc/administration-guide.adoc
+++ b/nifi-docs/src/main/asciidoc/administration-guide.adoc
@@ -295,6 +295,7 @@ Below is an example and description of configuring a Login Identity Provider tha
<property name="User Search Base"></property>
<property name="User Search Filter"></property>
+ <property name="Identity Strategy">USE_DN</property>
<property name="Authentication Expiration">12 hours</property>
</provider>
----
@@ -326,6 +327,8 @@ nifi.security.user.login.identity.provider=ldap-provider
|`Url` | Url of the LDAP servier (i.e. ldap://<hostname>:<port>).
|`User Search Base` | Base DN for searching for users (i.e. CN=Users,DC=example,DC=com).
|`User Search Filter` | Filter for searching for users against the 'User Search Base'. (i.e. sAMAccountName={0}). The user specified name is inserted into '{0}'.
+|`Identity Strategy` | Strategy to identify users. Possible values are USE_DN and USE_USERNAME. The default functionality if this property is missing is USE_DN in order to retain backward
+compatibility. USE_DN will use the full DN of the user entry if possible. USE_USERNAME will use the username the user logged in with.
|`Authentication Expiration` | The duration of how long the user authentication is valid for. If the user never logs out, they will be required to log back in following this duration.
|==================================================================================================================================================
http://git-wip-us.apache.org/repos/asf/nifi/blob/c8830742/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-resources/src/main/resources/conf/login-identity-providers.xml
----------------------------------------------------------------------
diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-resources/src/main/resources/conf/login-identity-providers.xml b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-resources/src/main/resources/conf/login-identity-providers.xml
index a2beb4c..828868a 100644
--- a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-resources/src/main/resources/conf/login-identity-providers.xml
+++ b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-resources/src/main/resources/conf/login-identity-providers.xml
@@ -54,7 +54,11 @@
'User Search Base' - Base DN for searching for users (i.e. CN=Users,DC=example,DC=com).
'User Search Filter' - Filter for searching for users against the 'User Search Base'.
(i.e. sAMAccountName={0}). The user specified name is inserted into '{0}'.
-
+
+ 'Identity Strategy' - Strategy to identify users. Possible values are USE_DN and USE_USERNAME.
+ The default functionality if this property is missing is USE_DN in order to retain
+ backward compatibility. USE_DN will use the full DN of the user entry if possible.
+ USE_USERNAME will use the username the user logged in with.
'Authentication Expiration' - The duration of how long the user authentication is valid
for. If the user never logs out, they will be required to log back in following
this duration.
@@ -86,6 +90,7 @@
<property name="User Search Base"></property>
<property name="User Search Filter"></property>
+ <property name="Identity Strategy">USE_DN</property>
<property name="Authentication Expiration">12 hours</property>
</provider>
To enable the ldap-provider remove 2 lines. This is 2 of 2. -->
http://git-wip-us.apache.org/repos/asf/nifi/blob/c8830742/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/contextlistener/ApplicationStartupContextListener.java
----------------------------------------------------------------------
diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/contextlistener/ApplicationStartupContextListener.java b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/contextlistener/ApplicationStartupContextListener.java
index ae0fcaf..6ce7cb4 100644
--- a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/contextlistener/ApplicationStartupContextListener.java
+++ b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/contextlistener/ApplicationStartupContextListener.java
@@ -16,11 +16,8 @@
*/
package org.apache.nifi.web.contextlistener;
-import java.io.IOException;
-
-import javax.servlet.ServletContextEvent;
-import javax.servlet.ServletContextListener;
-
+import org.apache.nifi.authentication.LoginIdentityProvider;
+import org.apache.nifi.authorization.Authorizer;
import org.apache.nifi.cluster.coordination.http.replication.RequestReplicator;
import org.apache.nifi.controller.FlowController;
import org.apache.nifi.controller.repository.RepositoryPurgeException;
@@ -33,6 +30,10 @@ import org.springframework.beans.BeansException;
import org.springframework.context.ApplicationContext;
import org.springframework.web.context.support.WebApplicationContextUtils;
+import javax.servlet.ServletContextEvent;
+import javax.servlet.ServletContextListener;
+import java.io.IOException;
+
/**
* Application context listener for starting the application. If the application is configured for a standalone environment or the application is a node in a clustered environment then a flow
* controller is created and managed. Otherwise, we assume the application is running as the cluster manager in a clustered environment. In this case, the cluster manager is created and managed.
@@ -80,16 +81,16 @@ public class ApplicationStartupContextListener implements ServletContextListener
logger.info("Flow Controller started successfully.");
}
} catch (BeansException | RepositoryPurgeException | IOException e) {
- // ensure the flow service is terminated
- if (flowService != null && flowService.isRunning()) {
- flowService.stop(false);
- }
-
- final RequestReplicator requestReplicator = ctx.getBean("requestReplicator", RequestReplicator.class);
- if (requestReplicator != null) {
- requestReplicator.shutdown();
- }
+ shutdown(flowService, ctx.getBean("requestReplicator", RequestReplicator.class));
+ throw new NiFiCoreException("Unable to start Flow Controller.", e);
+ }
+ try {
+ // attempt to get a few beans that we want to to ensure properly created since they are lazily initialized
+ ctx.getBean("loginIdentityProvider", LoginIdentityProvider.class);
+ ctx.getBean("authorizer", Authorizer.class);
+ } catch (final BeansException e) {
+ shutdown(flowService, ctx.getBean("requestReplicator", RequestReplicator.class));
throw new NiFiCoreException("Unable to start Flow Controller.", e);
}
}
@@ -97,23 +98,34 @@ public class ApplicationStartupContextListener implements ServletContextListener
@Override
public void contextDestroyed(ServletContextEvent sce) {
ApplicationContext ctx = WebApplicationContextUtils.getWebApplicationContext(sce.getServletContext());
- try {
- logger.info("Initiating shutdown of flow service...");
- FlowService flowService = ctx.getBean("flowService", FlowService.class);
- if (flowService.isRunning()) {
+ logger.info("Initiating shutdown of flow service...");
+ shutdown(ctx.getBean("flowService", FlowService.class), ctx.getBean("requestReplicator", RequestReplicator.class));
+ logger.info("Flow service termination completed.");
+ }
+
+ private void shutdown(final FlowService flowService, final RequestReplicator requestReplicator) {
+ try {
+ // ensure the flow service is terminated
+ if (flowService != null && flowService.isRunning()) {
flowService.stop(false);
}
+ } catch (final Exception e) {
+ final String msg = "Problem occurred ensuring flow controller or repository was properly terminated due to " + e;
+ if (logger.isDebugEnabled()) {
+ logger.warn(msg, e);
+ } else {
+ logger.warn(msg);
+ }
+ }
- final RequestReplicator requestReplicator = ctx.getBean("requestReplicator", RequestReplicator.class);
+ try {
+ // ensure the request replicator is shutdown
if (requestReplicator != null) {
requestReplicator.shutdown();
}
-
- logger.info("Flow service termination completed.");
-
} catch (final Exception e) {
- String msg = "Problem occurred ensuring flow controller or repository was properly terminated due to " + e;
+ final String msg = "Problem occurred ensuring request replicator was properly terminated due to " + e;
if (logger.isDebugEnabled()) {
logger.warn(msg, e);
} else {
http://git-wip-us.apache.org/repos/asf/nifi/blob/c8830742/nifi-nar-bundles/nifi-ldap-iaa-providers-bundle/nifi-ldap-iaa-providers/src/main/java/org/apache/nifi/ldap/IdentityStrategy.java
----------------------------------------------------------------------
diff --git a/nifi-nar-bundles/nifi-ldap-iaa-providers-bundle/nifi-ldap-iaa-providers/src/main/java/org/apache/nifi/ldap/IdentityStrategy.java b/nifi-nar-bundles/nifi-ldap-iaa-providers-bundle/nifi-ldap-iaa-providers/src/main/java/org/apache/nifi/ldap/IdentityStrategy.java
new file mode 100644
index 0000000..8a4af5f
--- /dev/null
+++ b/nifi-nar-bundles/nifi-ldap-iaa-providers-bundle/nifi-ldap-iaa-providers/src/main/java/org/apache/nifi/ldap/IdentityStrategy.java
@@ -0,0 +1,26 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.nifi.ldap;
+
+/**
+ *
+ */
+public enum IdentityStrategy {
+
+ USE_DN,
+ USE_USERNAME;
+}
http://git-wip-us.apache.org/repos/asf/nifi/blob/c8830742/nifi-nar-bundles/nifi-ldap-iaa-providers-bundle/nifi-ldap-iaa-providers/src/main/java/org/apache/nifi/ldap/LdapProvider.java
----------------------------------------------------------------------
diff --git a/nifi-nar-bundles/nifi-ldap-iaa-providers-bundle/nifi-ldap-iaa-providers/src/main/java/org/apache/nifi/ldap/LdapProvider.java b/nifi-nar-bundles/nifi-ldap-iaa-providers-bundle/nifi-ldap-iaa-providers/src/main/java/org/apache/nifi/ldap/LdapProvider.java
index fdef620..4338783 100644
--- a/nifi-nar-bundles/nifi-ldap-iaa-providers-bundle/nifi-ldap-iaa-providers/src/main/java/org/apache/nifi/ldap/LdapProvider.java
+++ b/nifi-nar-bundles/nifi-ldap-iaa-providers-bundle/nifi-ldap-iaa-providers/src/main/java/org/apache/nifi/ldap/LdapProvider.java
@@ -68,6 +68,7 @@ public class LdapProvider implements LoginIdentityProvider {
private AbstractLdapAuthenticationProvider provider;
private String issuer;
private long expiration;
+ private IdentityStrategy identityStrategy;
@Override
public final void initialize(final LoginIdentityProviderInitializationContext initializationContext) throws ProviderCreationException {
@@ -195,7 +196,8 @@ public class LdapProvider implements LoginIdentityProvider {
rawReferralStrategy, StringUtils.join(ReferralStrategy.values(), ", ")));
}
- context.setReferral(referralStrategy.toString());
+ // using the value as this needs to be the lowercase version while the value is configured with the enum constant
+ context.setReferral(referralStrategy.getValue());
// url
final String url = configurationContext.getProperty("Url");
@@ -221,6 +223,24 @@ public class LdapProvider implements LoginIdentityProvider {
final BindAuthenticator authenticator = new BindAuthenticator(context);
authenticator.setUserSearch(userSearch);
+ // identity strategy
+ final String rawIdentityStrategy = configurationContext.getProperty("Identity Strategy");
+
+ if (StringUtils.isBlank(rawIdentityStrategy)) {
+ logger.info(String.format("Identity Strategy is not configured, defaulting strategy to %s.", IdentityStrategy.USE_DN));
+
+ // if this value is not configured, default to use dn which was the previous implementation
+ identityStrategy = IdentityStrategy.USE_DN;
+ } else {
+ try {
+ // attempt to get the configured identity strategy
+ identityStrategy = IdentityStrategy.valueOf(rawIdentityStrategy);
+ } catch (final IllegalArgumentException iae) {
+ throw new ProviderCreationException(String.format("Unrecognized identity strategy '%s'. Possible values are [%s]",
+ rawIdentityStrategy, StringUtils.join(IdentityStrategy.values(), ", ")));
+ }
+ }
+
try {
// handling initializing beans
context.afterPropertiesSet();
@@ -260,10 +280,16 @@ public class LdapProvider implements LoginIdentityProvider {
final UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken(credentials.getUsername(), credentials.getPassword());
final Authentication authentication = provider.authenticate(token);
- // attempt to get the ldap user details to get the DN
- if (authentication.getPrincipal() instanceof LdapUserDetails) {
- final LdapUserDetails userDetails = (LdapUserDetails) authentication.getPrincipal();
- return new AuthenticationResponse(userDetails.getDn(), credentials.getUsername(), expiration, issuer);
+ // use dn if configured
+ if (IdentityStrategy.USE_DN.equals(identityStrategy)) {
+ // attempt to get the ldap user details to get the DN
+ if (authentication.getPrincipal() instanceof LdapUserDetails) {
+ final LdapUserDetails userDetails = (LdapUserDetails) authentication.getPrincipal();
+ return new AuthenticationResponse(userDetails.getDn(), credentials.getUsername(), expiration, issuer);
+ } else {
+ logger.warn(String.format("Unable to determine user DN for %s, using username.", authentication.getName()));
+ return new AuthenticationResponse(authentication.getName(), credentials.getUsername(), expiration, issuer);
+ }
} else {
return new AuthenticationResponse(authentication.getName(), credentials.getUsername(), expiration, issuer);
}
http://git-wip-us.apache.org/repos/asf/nifi/blob/c8830742/nifi-nar-bundles/nifi-ldap-iaa-providers-bundle/nifi-ldap-iaa-providers/src/main/java/org/apache/nifi/ldap/ReferralStrategy.java
----------------------------------------------------------------------
diff --git a/nifi-nar-bundles/nifi-ldap-iaa-providers-bundle/nifi-ldap-iaa-providers/src/main/java/org/apache/nifi/ldap/ReferralStrategy.java b/nifi-nar-bundles/nifi-ldap-iaa-providers-bundle/nifi-ldap-iaa-providers/src/main/java/org/apache/nifi/ldap/ReferralStrategy.java
index e2e3873..b21eb41 100644
--- a/nifi-nar-bundles/nifi-ldap-iaa-providers-bundle/nifi-ldap-iaa-providers/src/main/java/org/apache/nifi/ldap/ReferralStrategy.java
+++ b/nifi-nar-bundles/nifi-ldap-iaa-providers-bundle/nifi-ldap-iaa-providers/src/main/java/org/apache/nifi/ldap/ReferralStrategy.java
@@ -31,8 +31,7 @@ public enum ReferralStrategy {
this.value = value;
}
- @Override
- public String toString() {
+ public String getValue() {
return value;
}