Posted to commits@nifi.apache.org by jo...@apache.org on 2018/01/04 17:10:05 UTC
nifi git commit: NIFI-4531: This closes #2372. Providing support for
running NiFi Docker image with LDAP authentication provider.
Repository: nifi
Updated Branches:
refs/heads/master c832a2ed7 -> f7f001eb9
NIFI-4531: This closes #2372.
Providing support for running NiFi Docker image with LDAP authentication provider.
Project: http://git-wip-us.apache.org/repos/asf/nifi/repo
Commit: http://git-wip-us.apache.org/repos/asf/nifi/commit/f7f001eb
Tree: http://git-wip-us.apache.org/repos/asf/nifi/tree/f7f001eb
Diff: http://git-wip-us.apache.org/repos/asf/nifi/diff/f7f001eb
Branch: refs/heads/master
Commit: f7f001eb9ac604421cdcecc208563e60a9e9d627
Parents: c832a2e
Author: Aldrin Piri <al...@apache.org>
Authored: Tue Nov 28 20:00:32 2017 -0500
Committer: joewitt <jo...@apache.org>
Committed: Thu Jan 4 12:09:46 2018 -0500
----------------------------------------------------------------------
nifi-docker/dockerhub/Dockerfile | 4 +-
nifi-docker/dockerhub/README.md | 52 ++++++++++++++++----
nifi-docker/dockerhub/sh/common.sh | 3 +-
nifi-docker/dockerhub/sh/secure.sh | 10 ++--
nifi-docker/dockerhub/sh/start.sh | 33 ++++++++-----
.../dockerhub/sh/update_login_providers.sh | 47 ++++++++++++++++++
6 files changed, 122 insertions(+), 27 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/nifi/blob/f7f001eb/nifi-docker/dockerhub/Dockerfile
----------------------------------------------------------------------
diff --git a/nifi-docker/dockerhub/Dockerfile b/nifi-docker/dockerhub/Dockerfile
index 23418c0..6074dd0 100644
--- a/nifi-docker/dockerhub/Dockerfile
+++ b/nifi-docker/dockerhub/Dockerfile
@@ -35,7 +35,9 @@ ADD sh/ /opt/nifi/scripts/
RUN groupadd -g ${GID} nifi || groupmod -n nifi `getent group ${GID} | cut -d: -f1` \
&& useradd --shell /bin/bash -u ${UID} -g ${GID} -m nifi \
&& mkdir -p ${NIFI_HOME}/conf/templates \
- && chown -R nifi:nifi ${NIFI_BASE_DIR}
+ && chown -R nifi:nifi ${NIFI_BASE_DIR} \
+ && apt-get update \
+ && apt-get install -y jq xmlstarlet
USER nifi
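Review bot: The new apt-get layer leaves the downloaded package lists in the image and pulls in recommended packages, which enlarges both the image and its attack surface for two small tools; the install line should be `&& apt-get install -y --no-install-recommends jq xmlstarlet \` followed by `&& rm -rf /var/lib/apt/lists/*`. Of the two packages, only xmlstarlet is invoked by the scripts in this diff (update_login_providers.sh); if jq is not used elsewhere in the image it should be dropped rather than shipped. The packages are not version-pinned, so rebuilds of the same Dockerfile are not reproducible — worth a comment if that trade-off is accepted. The ARG/ENV lines this RUN instruction depends on (GID, UID, NIFI_HOME, NIFI_BASE_DIR) are outside the hunk.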
http://git-wip-us.apache.org/repos/asf/nifi/blob/f7f001eb/nifi-docker/dockerhub/README.md
----------------------------------------------------------------------
diff --git a/nifi-docker/dockerhub/README.md b/nifi-docker/dockerhub/README.md
index 657bc6d..d87765e 100644
--- a/nifi-docker/dockerhub/README.md
+++ b/nifi-docker/dockerhub/README.md
@@ -16,10 +16,10 @@
# Docker Image Quickstart
## Capabilities
-This image currently supports running in standalone mode either unsecured or with Two-Way SSL.
-
-More capabilities will continue to be added and made available from the
-
+This image currently supports running in standalone mode either unsecured or with user authentication provided through:
+ * [Two-Way SSL with Client Certificates](http://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#security-configuration)
+ * [Lightweight Directory Access Protocol (LDAP)](http://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#ldap_login_identity_provider)
+
## Building
The Docker image can be built using the following command:
@@ -74,6 +74,45 @@ Finally, this command makes use of a volume to provide certificates on the host
-d \
apache/nifi:latest
+### Standalone Instance, LDAP
+In this configuration, the user will need to provide certificates and the associated configuration information. Optionally,
+if the LDAP provider of interest is operating in LDAPS or START_TLS modes, certificates will additionally be needed.
+Of particular note, is the `AUTH` environment variable which is set to `ldap`. Additionally, the user must provide a
+DN as provided by the configured LDAP server in the `INITIAL_ADMIN_IDENTITY` environment variable. This value will be
+used to seed the instance with an initial user with administrative privileges. Finally, this command makes use of a
+volume to provide certificates on the host system to the container instance.
+
+#### For a minimal, connection to an LDAP server using SIMPLE authentication:
+
+ docker run --name nifi \
+ -v /User/dreynolds/certs/localhost:/opt/certs \
+ -p 18443:8443 \
+ -e AUTH=tls \
+ -e KEYSTORE_PATH=/opt/certs/keystore.jks \
+ -e KEYSTORE_TYPE=JKS \
+ -e KEYSTORE_PASSWORD=QKZv1hSWAFQYZ+WU1jjF5ank+l4igeOfQRp+OSbkkrs \
+ -e TRUSTSTORE_PATH=/opt/certs/truststore.jks \
+ -e TRUSTSTORE_PASSWORD=rHkWR1gDNW3R9hgbeRsT3OM3Ue0zwGtQqcFKJD2EXWE \
+ -e TRUSTSTORE_TYPE=JKS \
+ -e INITIAL_ADMIN_IDENTITY='cn=admin,dc=example,dc=org' \
+ -e LDAP_AUTHENTICATION_STRATEGY='SIMPLE' \
+ -e LDAP_MANAGER_DN='cn=admin,dc=example,dc=org' \
+ -e LDAP_MANAGER_PASSWORD='password' \
+ -e LDAP_USER_SEARCH_BASE='dc=example,dc=org' \
+ -e LDAP_USER_SEARCH_FILTER='cn={0}' \
+ -e LDAP_IDENTITY_STRATEGY='USE_DN' \
+ -e LDAP_URL='ldap://ldap:389' \
+ -d \
+ apache/nifi:latest
+
+#### The following, optional environment variables may be added to the above command when connecting to a secure LDAP server configured with START_TLS or LDAPS
+
+ -e LDAP_TLS_KEYSTORE: ''
+ -e LDAP_TLS_KEYSTORE_PASSWORD: ''
+ -e LDAP_TLS_KEYSTORE_TYPE: ''
+ -e LDAP_TLS_TRUSTSTORE: ''
+ -e LDAP_TLS_TRUSTSTORE_PASSWORD: ''
+ -e LDAP_TLS_TRUSTSTORE_TYPE: ''
## Configuration Information
The following ports are specified by the Docker container for NiFi operation within the container and
@@ -84,8 +123,3 @@ can be published to the host.
| HTTP Port | nifi.web.http.port | 8080 |
| HTTPS Port | nifi.web.https.port | 8443 |
| Remote Input Socket Port | nifi.remote.input.socket.port | 10000 |
-
-
-
-
-
\ No newline at end of file
http://git-wip-us.apache.org/repos/asf/nifi/blob/f7f001eb/nifi-docker/dockerhub/sh/common.sh
----------------------------------------------------------------------
diff --git a/nifi-docker/dockerhub/sh/common.sh b/nifi-docker/dockerhub/sh/common.sh
index 5d252bc..a0a6550 100755
--- a/nifi-docker/dockerhub/sh/common.sh
+++ b/nifi-docker/dockerhub/sh/common.sh
@@ -1,5 +1,4 @@
#!/bin/sh -e
-
# Licensed to the Apache Software Foundation (ASF) under one or more
# contributor license agreements. See the NOTICE file distributed with
# this work for additional information regarding copyright ownership.
@@ -26,4 +25,4 @@ prop_replace () {
# NIFI_HOME is defined by an ENV command in the backing Dockerfile
export nifi_props_file=${NIFI_HOME}/conf/nifi.properties
-export hostname=$(hostname)
\ No newline at end of file
+export hostname=$(hostname)
http://git-wip-us.apache.org/repos/asf/nifi/blob/f7f001eb/nifi-docker/dockerhub/sh/secure.sh
----------------------------------------------------------------------
diff --git a/nifi-docker/dockerhub/sh/secure.sh b/nifi-docker/dockerhub/sh/secure.sh
index 93e8267..4609005 100644
--- a/nifi-docker/dockerhub/sh/secure.sh
+++ b/nifi-docker/dockerhub/sh/secure.sh
@@ -15,7 +15,9 @@
# See the License for the specific language governing permissions and
# limitations under the License.
-[ -f /opt/nifi/scripts/common.sh ] && . /opt/nifi/scripts/common.sh
+scripts_dir='/opt/nifi/scripts'
+
+[ -f "${scripts_dir}/common.sh" ] && . "${scripts_dir}/common.sh"
# Perform idempotent changes of configuration to support secure environments
echo 'Configuring environment with SSL settings'
@@ -28,13 +30,13 @@ fi
: ${KEYSTORE_TYPE:?"Must specify the type of keystore (JKS, PKCS12, PEM) of the keystore being used."}
: ${KEYSTORE_PASSWORD:?"Must specify the password of the keystore being used."}
-: ${TRUSTSTORE_PATH:?"Must specify an absolute path to the truststore being used."}
+: ${TRUSTSTORE_PATH:?"Must specify an absolute path to the truststore being used."}
if [ ! -f "${TRUSTSTORE_PATH}" ]; then
echo "Keystore file specified (${TRUSTSTORE_PATH}) does not exist."
exit 1
fi
-: ${TRUSTSTORE_TYPE:?"Need to set DEST non-empty"}
-: ${TRUSTSTORE_PASSWORD:?"Need to set DEST non-empty"}
+: ${TRUSTSTORE_TYPE:?"Must specify the type of truststore (JKS, PKCS12, PEM) of the truststore being used."}
+: ${TRUSTSTORE_PASSWORD:?"Must specify the password of the truststore being used."}
prop_replace 'nifi.security.keystore' "${KEYSTORE_PATH}"
prop_replace 'nifi.security.keystoreType' "${KEYSTORE_TYPE}"
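Review bot: The existence check for the truststore reports the wrong file when it fails, because the echo following `: ${TRUSTSTORE_PATH:?...}` still says "Keystore file specified"; it should read `echo "Truststore file specified (${TRUSTSTORE_PATH}) does not exist." >&2` so an operator debugging a failed TLS or LDAP start is not pointed at the wrong variable. The commit reworded the neighbouring `:?` messages for the truststore but left this context line as it was. The script body continues past the hunk with further prop_replace calls.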
http://git-wip-us.apache.org/repos/asf/nifi/blob/f7f001eb/nifi-docker/dockerhub/sh/start.sh
----------------------------------------------------------------------
diff --git a/nifi-docker/dockerhub/sh/start.sh b/nifi-docker/dockerhub/sh/start.sh
index 178f30e..df79ad6 100755
--- a/nifi-docker/dockerhub/sh/start.sh
+++ b/nifi-docker/dockerhub/sh/start.sh
@@ -15,29 +15,40 @@
# See the License for the specific language governing permissions and
# limitations under the License.
-[ -f /opt/nifi/scripts/common.sh ] && . /opt/nifi/scripts/common.sh
+scripts_dir='/opt/nifi/scripts'
+
+[ -f "${scripts_dir}/common.sh" ] && . "${scripts_dir}/common.sh"
# Establish baseline properties
-prop_replace 'nifi.web.http.port' '8080'
-prop_replace 'nifi.web.http.host' "${hostname}"
-prop_replace 'nifi.remote.input.host' "${hostname}"
-prop_replace 'nifi.remote.input.socket.port' '10000'
-prop_replace 'nifi.remote.input.secure' 'false'
+prop_replace 'nifi.web.http.port' '8080'
+prop_replace 'nifi.web.http.host' "${hostname}"
+prop_replace 'nifi.remote.input.host' "${hostname}"
+prop_replace 'nifi.remote.input.socket.port' '10000'
+prop_replace 'nifi.remote.input.secure' 'false'
# Check if we are secured or unsecured
case ${AUTH} in
tls)
echo 'Enabling Two-Way SSL user authentication'
- . /opt/nifi/scripts/secure.sh
+ . "${scripts_dir}/secure.sh"
+ ;;
+ ldap)
+ echo 'Enabling LDAP user authentication'
+ # Reference ldap-provider in properties
+ prop_replace 'nifi.security.user.login.identity.provider' 'ldap-provider'
+ prop_replace 'nifi.security.needClientAuth' 'WANT'
+
+ . "${scripts_dir}/secure.sh"
+ . "${scripts_dir}/update_login_providers.sh"
;;
esac
-# Continuously provide logs so that 'docker logs' can produce them
-tail -F ${NIFI_HOME}/logs/nifi-app.log &
-${NIFI_HOME}/bin/nifi.sh run &
+# Continuously provide logs so that 'docker logs' can produce them
+tail -F "${NIFI_HOME}/logs/nifi-app.log" &
+"${NIFI_HOME}/bin/nifi.sh" run &
nifi_pid="$!"
trap "echo Received trapped signal, beginning shutdown...;" KILL TERM HUP INT EXIT;
echo NiFi running with PID ${nifi_pid}.
-wait ${nifi_pid}
+wait ${nifi_pid}
\ No newline at end of file
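Review bot: The `case ${AUTH}` switch has no default arm, so a misspelled value such as `AUTH=ldpa` or `AUTH=LDAP` is silently ignored and the container starts with only the baseline unsecured properties set at the top of the hunk, rather than failing; add `'') ;;` to preserve the documented unsecured mode for an unset variable and `*) echo "Unsupported AUTH value '${AUTH}' (expected tls or ldap)" >&2; exit 1 ;;` before `esac`. The line `prop_replace 'nifi.security.needClientAuth' 'WANT'` deserves a why-comment, e.g. `# WANT rather than NEED: LDAP users authenticate with credentials, not a client certificate`, with the property's exact semantics confirmed against the NiFi admin guide since they are not visible here. Separately, the README example added under "Standalone Instance, LDAP" in this same commit passes `-e AUTH=tls`, which never reaches the ldap arm. The file's shebang and any `set` options are outside the hunk, so whether a failing sourced script aborts startup cannot be confirmed from this view.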
http://git-wip-us.apache.org/repos/asf/nifi/blob/f7f001eb/nifi-docker/dockerhub/sh/update_login_providers.sh
----------------------------------------------------------------------
diff --git a/nifi-docker/dockerhub/sh/update_login_providers.sh b/nifi-docker/dockerhub/sh/update_login_providers.sh
new file mode 100755
index 0000000..e124960
--- /dev/null
+++ b/nifi-docker/dockerhub/sh/update_login_providers.sh
@@ -0,0 +1,47 @@
+#!/bin/sh -e
+
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+login_providers_file=${NIFI_HOME}/conf/login-identity-providers.xml
+property_xpath='//loginIdentityProviders/provider/property'
+
+# Update a given property in the login-identity-providers file if a value is specified
+edit_property() {
+ property_name=$1
+ property_value=$2
+
+ if [ -n "${property_value}" ]; then
+ xmlstarlet ed --inplace -u "${property_xpath}[@name='${property_name}']" -v "${property_value}" "${login_providers_file}"
+ fi
+}
+
+# Remove comments to enable the ldap-provider
+sed -i '/To enable the ldap-provider remove/d' "${login_providers_file}"
+
+edit_property 'Authentication Strategy' "${LDAP_AUTHENTICATION_STRATEGY}"
+edit_property 'Manager DN' "${LDAP_MANAGER_DN}"
+edit_property 'Manager Password' "${LDAP_MANAGER_PASSWORD}"
+edit_property 'TLS - Keystore' "${LDAP_TLS_KEYSTORE}"
+edit_property 'TLS - Keystore Password' "${LDAP_TLS_KEYSTORE_PASSWORD}"
+edit_property 'TLS - Keystore Type' "${LDAP_TLS_KEYSTORE_TYPE}"
+edit_property 'TLS - Truststore' "${LDAP_TLS_TRUSTSTORE}"
+edit_property 'TLS - Truststore Password' "${LDAP_TLS_TRUSTSTORE_PASSWORD}"
+edit_property 'TLS - Truststore Type' "${LDAP_TLS_TRUSTSTORE_TYPE}"
+edit_property 'TLS - Protocol' "${LDAP_TLS_PROTOCOL}"
+edit_property 'Url' "${LDAP_URL}"
+edit_property 'User Search Base' "${LDAP_USER_SEARCH_BASE}"
+edit_property 'User Search Filter' "${LDAP_USER_SEARCH_FILTER}"
+edit_property 'Identity Strategy' "${LDAP_IDENTITY_STRATEGY}"
\ No newline at end of file
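Review bot: `edit_property` silently skips any empty value, so when a required setting such as `LDAP_URL`, `LDAP_USER_SEARCH_BASE` or `LDAP_MANAGER_DN` is not passed, the ldap-provider is enabled with whatever placeholder the shipped login-identity-providers.xml carries instead of failing; mirror secure.sh and assert the mandatory variables before the edit_property calls, e.g. `: ${LDAP_URL:?"Must specify the LDAP URL (ldap:// or ldaps://)."}` and `: ${LDAP_USER_SEARCH_BASE:?"Must specify the LDAP user search base."}`. The `sed -i '/To enable the ldap-provider remove/d'` step depends on the exact wording of a template comment and reports nothing when the pattern matches no line, so it should check for the marker first (for instance `grep -q 'To enable the ldap-provider remove' "${login_providers_file}" || { echo "ldap-provider marker not found in ${login_providers_file}" >&2; exit 1; }`) to avoid starting with LDAP silently unconfigured. The manager password is written into the XML in clear text and is briefly visible in the process list as an argv to xmlstarlet; that is inherent to this approach, but a header comment should say so and point operators at protecting the file's permissions. Because start.sh sources this file with `.` rather than executing it, the `#!/bin/sh -e` line has no effect and error handling relies on the caller's options.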