Posted to issues@nifi.apache.org by "Bryan Bende (Jira)" <ji...@apache.org> on 2023/06/22 16:10:00 UTC

[jira] [Assigned] (NIFI-11492) Allow OIDC/SAML authorization without existence of user

     [ https://issues.apache.org/jira/browse/NIFI-11492?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Bryan Bende reassigned NIFI-11492:
----------------------------------

    Assignee: Bryan Bende

> Allow OIDC/SAML authorization without existence of user
> -------------------------------------------------------
>
>                 Key: NIFI-11492
>                 URL: https://issues.apache.org/jira/browse/NIFI-11492
>             Project: Apache NiFi
>          Issue Type: Improvement
>    Affects Versions: 1.21.0
>            Reporter: Bryan Bende
>            Assignee: Bryan Bende
>            Priority: Major
>          Time Spent: 10m
>  Remaining Estimate: 0h
>
> When authenticating via SAML or OIDC, the NiFiUser passes along any groups obtained from the identity provider's response. These groups are then passed into authorization on the request and combined with the user's groups when checking policies.
> Currently the StandardManagedAuthorizer uses the configured UserGroupProvider and does the following:
> {code:java}
> final UserAndGroups userAndGroups = userGroupProvider.getUserAndGroups(request.getIdentity());
> final User user = userAndGroups.getUser();
> if (user == null) {
>     return AuthorizationResult.denied(String.format("Unknown user with identity '%s'.", request.getIdentity()));
> }
> {code}
> This was existing logic that was correct before the concept of external groups existed, because without finding the user, we had no user id or groups to check policies against. However, now that we have the external groups, even if no user exists we should be able to still proceed with checking policies for just those external groups. This would make it so the knowledge of all users doesn't need to be defined if only group policies are being implemented.
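The following is an added example, not code from NiFi or from the issue above: a self-contained model of the decision the issue describes, with the current "deny unknown user" path beside the proposed path that evaluates group policies using the identity provider's groups when no local user exists. The class, record and method names (ExternalGroupAuthzExample, Policy, UserAndGroups, Request, authorizeLegacy, authorizeWithExternalGroups) are constructed for illustration and are not the real org.apache.nifi.authorization API; the sample identities, groups and policies are likewise constructed.

```java
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;

// Added example, not code from NiFi or from the issue: a simplified model of the
// managed-authorizer decision that NIFI-11492 describes. The class, record and
// method names are constructed for illustration and are not the real
// org.apache.nifi.authorization API.
public class ExternalGroupAuthzExample {

    // One access policy: which user ids and group ids may perform an action on a resource.
    record Policy(String resource, String action, Set<String> users, Set<String> groups) {}

    // What the user/group provider returns for an identity; userId is null when unknown.
    record UserAndGroups(String userId, Set<String> groups) {}

    // An authorization request carrying the groups asserted by the IdP (possibly empty).
    record Request(String identity, String resource, String action, Set<String> externalGroups) {}

    record Result(boolean approved, String explanation) {}

    private final Map<String, UserAndGroups> provider; // constructed stand-in for a UserGroupProvider
    private final List<Policy> policies;

    ExternalGroupAuthzExample(Map<String, UserAndGroups> provider, List<Policy> policies) {
        this.provider = provider;
        this.policies = policies;
    }

    // Current behaviour quoted in the issue: an unknown identity is denied before any policy is read.
    Result authorizeLegacy(Request req) {
        UserAndGroups found = provider.get(req.identity());
        if (found == null || found.userId() == null) {
            return new Result(false, "Unknown user with identity '" + req.identity() + "'.");
        }
        return checkPolicies(req, found.userId(), found.groups());
    }

    // Proposed behaviour: with no local user, fall through to a check against the external groups only.
    Result authorizeWithExternalGroups(Request req) {
        UserAndGroups found = provider.get(req.identity());
        String userId = found == null ? null : found.userId();
        Set<String> providerGroups = found == null ? Set.of() : found.groups();
        if (userId == null && req.externalGroups().isEmpty()) {
            // Nothing to evaluate: no local user and no IdP groups, so the request is still denied.
            return new Result(false, "Unknown user with identity '" + req.identity() + "' and no external groups.");
        }
        return checkPolicies(req, userId, providerGroups);
    }

    // Shared policy evaluation: provider groups and external groups are combined, as the issue describes.
    private Result checkPolicies(Request req, String userId, Set<String> providerGroups) {
        Set<String> effectiveGroups = new HashSet<>(providerGroups);
        effectiveGroups.addAll(req.externalGroups());
        for (Policy p : policies) {
            if (!p.resource().equals(req.resource()) || !p.action().equals(req.action())) {
                continue;
            }
            if (userId != null && p.users().contains(userId)) {
                return new Result(true, "user policy for '" + userId + "'");
            }
            for (String g : effectiveGroups) {
                if (p.groups().contains(g)) {
                    return new Result(true, "group policy via '" + g + "'");
                }
            }
        }
        return new Result(false, "No applicable policies could be found.");
    }

    public static void main(String[] args) {
        // Constructed sample data: one locally defined user and one group-only policy.
        Map<String, UserAndGroups> provider = Map.of(
                "alice@example.org", new UserAndGroups("user-alice", Set.of("ops")));
        List<Policy> policies = List.of(
                new Policy("/flow", "READ", Set.of(), Set.of("flow-readers")));
        ExternalGroupAuthzExample authz = new ExternalGroupAuthzExample(provider, policies);

        // bob is not in the provider, but the IdP asserted membership in flow-readers.
        Request bobWithGroup = new Request("bob@example.org", "/flow", "READ", Set.of("flow-readers"));
        // bob with no asserted groups: nothing to check, denied under both behaviours.
        Request bobNoGroup = new Request("bob@example.org", "/flow", "READ", Set.of());
        // alice exists locally; her provider group does not match the policy, the external group does.
        Request aliceWithGroup = new Request("alice@example.org", "/flow", "READ", Set.of("flow-readers"));

        for (Request r : List.of(bobWithGroup, bobNoGroup, aliceWithGroup)) {
            Result proposed = authz.authorizeWithExternalGroups(r);
            System.out.printf("%-18s external=%-16s legacy=%-5s proposed=%-5s (%s)%n",
                    r.identity(), r.externalGroups(),
                    authz.authorizeLegacy(r).approved(), proposed.approved(), proposed.explanation());
        }
    }
}
```

Two properties are worth checking when implementing the change: a known user gets exactly the same decision under both paths (the only behavioural difference is for identities the UserGroupProvider does not know), and an unknown identity with no external groups is still denied rather than silently evaluated against an empty group set. Because an unknown identity's access then rests entirely on the group claims in the identity provider's response, the trust placed in those claims (and in the identity provider itself) becomes the boundary that the policy check depends on.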



--
This message was sent by Atlassian Jira
(v8.20.10#820010)