Posted to commits@nifi.apache.org by jo...@apache.org on 2018/01/04 17:10:05 UTC

nifi git commit: NIFI-4531: This closes #2372. Providing support for running NiFi Docker image with LDAP authentication provider.

Repository: nifi
Updated Branches:
  refs/heads/master c832a2ed7 -> f7f001eb9


NIFI-4531: This closes #2372.
Providing support for running NiFi Docker image with LDAP authentication provider.


Project: http://git-wip-us.apache.org/repos/asf/nifi/repo
Commit: http://git-wip-us.apache.org/repos/asf/nifi/commit/f7f001eb
Tree: http://git-wip-us.apache.org/repos/asf/nifi/tree/f7f001eb
Diff: http://git-wip-us.apache.org/repos/asf/nifi/diff/f7f001eb

Branch: refs/heads/master
Commit: f7f001eb9ac604421cdcecc208563e60a9e9d627
Parents: c832a2e
Author: Aldrin Piri <al...@apache.org>
Authored: Tue Nov 28 20:00:32 2017 -0500
Committer: joewitt <jo...@apache.org>
Committed: Thu Jan 4 12:09:46 2018 -0500

----------------------------------------------------------------------
 nifi-docker/dockerhub/Dockerfile                |  4 +-
 nifi-docker/dockerhub/README.md                 | 52 ++++++++++++++++----
 nifi-docker/dockerhub/sh/common.sh              |  3 +-
 nifi-docker/dockerhub/sh/secure.sh              | 10 ++--
 nifi-docker/dockerhub/sh/start.sh               | 33 ++++++++-----
 .../dockerhub/sh/update_login_providers.sh      | 47 ++++++++++++++++++
 6 files changed, 122 insertions(+), 27 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/nifi/blob/f7f001eb/nifi-docker/dockerhub/Dockerfile
----------------------------------------------------------------------
diff --git a/nifi-docker/dockerhub/Dockerfile b/nifi-docker/dockerhub/Dockerfile
index 23418c0..6074dd0 100644
--- a/nifi-docker/dockerhub/Dockerfile
+++ b/nifi-docker/dockerhub/Dockerfile
@@ -35,7 +35,9 @@ ADD sh/ /opt/nifi/scripts/
 RUN groupadd -g ${GID} nifi || groupmod -n nifi `getent group ${GID} | cut -d: -f1` \
     && useradd --shell /bin/bash -u ${UID} -g ${GID} -m nifi \
     && mkdir -p ${NIFI_HOME}/conf/templates \
-    && chown -R nifi:nifi ${NIFI_BASE_DIR}
+    && chown -R nifi:nifi ${NIFI_BASE_DIR} \
+    && apt-get update \
+    && apt-get install -y jq xmlstarlet
 
 USER nifi
 
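Review bot: The added `apt-get install -y jq xmlstarlet` leaves the package index fetched by the preceding `apt-get update` inside the image layer and also pulls in recommended packages. Ending the same RUN with `&& apt-get install -y --no-install-recommends jq xmlstarlet && rm -rf /var/lib/apt/lists/*` keeps the layer to what the scripts need and avoids shipping a stale index. Of the two tools, only `xmlstarlet` is referenced by the scripts in this commit (update_login_providers.sh); if `jq` is not needed yet it could be left out until it is used, so the installed-package set stays minimal.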

http://git-wip-us.apache.org/repos/asf/nifi/blob/f7f001eb/nifi-docker/dockerhub/README.md
----------------------------------------------------------------------
diff --git a/nifi-docker/dockerhub/README.md b/nifi-docker/dockerhub/README.md
index 657bc6d..d87765e 100644
--- a/nifi-docker/dockerhub/README.md
+++ b/nifi-docker/dockerhub/README.md
@@ -16,10 +16,10 @@
 # Docker Image Quickstart
 
 ## Capabilities
-This image currently supports running in standalone mode either unsecured or with Two-Way SSL.
-
-More capabilities will continue to be added and made available from the 
-
+This image currently supports running in standalone mode either unsecured or with user authentication provided through:
+   * [Two-Way SSL with Client Certificates](http://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#security-configuration)
+   * [Lightweight Directory Access Protocol (LDAP)](http://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#ldap_login_identity_provider)
+   
 ## Building
 The Docker image can be built using the following command:
 
@@ -74,6 +74,45 @@ Finally, this command makes use of a volume to provide certificates on the host
       -d \
       apache/nifi:latest
 
+### Standalone Instance, LDAP
+In this configuration, the user will need to provide certificates and the associated configuration information.  Optionally,
+if the LDAP provider of interest is operating in LDAPS or START_TLS modes, certificates will additionally be needed.
+Of particular note, is the `AUTH` environment variable which is set to `ldap`.  Additionally, the user must provide a
+DN as provided by the configured LDAP server in the `INITIAL_ADMIN_IDENTITY` environment variable. This value will be 
+used to seed the instance with an initial user with administrative privileges.  Finally, this command makes use of a 
+volume to provide certificates on the host system to the container instance.
+
+#### For a minimal, connection to an LDAP server using SIMPLE authentication:
+
+    docker run --name nifi \
+      -v /User/dreynolds/certs/localhost:/opt/certs \
+      -p 18443:8443 \
+      -e AUTH=tls \
+      -e KEYSTORE_PATH=/opt/certs/keystore.jks \
+      -e KEYSTORE_TYPE=JKS \
+      -e KEYSTORE_PASSWORD=QKZv1hSWAFQYZ+WU1jjF5ank+l4igeOfQRp+OSbkkrs \
+      -e TRUSTSTORE_PATH=/opt/certs/truststore.jks \
+      -e TRUSTSTORE_PASSWORD=rHkWR1gDNW3R9hgbeRsT3OM3Ue0zwGtQqcFKJD2EXWE \
+      -e TRUSTSTORE_TYPE=JKS \
+      -e INITIAL_ADMIN_IDENTITY='cn=admin,dc=example,dc=org' \
+      -e LDAP_AUTHENTICATION_STRATEGY='SIMPLE' \
+      -e LDAP_MANAGER_DN='cn=admin,dc=example,dc=org' \
+      -e LDAP_MANAGER_PASSWORD='password' \
+      -e LDAP_USER_SEARCH_BASE='dc=example,dc=org' \
+      -e LDAP_USER_SEARCH_FILTER='cn={0}' \
+      -e LDAP_IDENTITY_STRATEGY='USE_DN' \
+      -e LDAP_URL='ldap://ldap:389' \
+      -d \
+      apache/nifi:latest
+
+#### The following, optional environment variables may be added to the above command when connecting to a secure  LDAP server configured with START_TLS or LDAPS
+
+    -e LDAP_TLS_KEYSTORE: ''
+    -e LDAP_TLS_KEYSTORE_PASSWORD: ''
+    -e LDAP_TLS_KEYSTORE_TYPE: ''
+    -e LDAP_TLS_TRUSTSTORE: ''
+    -e LDAP_TLS_TRUSTSTORE_PASSWORD: ''
+    -e LDAP_TLS_TRUSTSTORE_TYPE: ''
 
 ## Configuration Information
 The following ports are specified by the Docker container for NiFi operation within the container and 
@@ -84,8 +123,3 @@ can be published to the host.
 | HTTP Port                | nifi.web.http.port            | 8080  |
 | HTTPS Port               | nifi.web.https.port           | 8443  |
 | Remote Input Socket Port | nifi.remote.input.socket.port | 10000 |
-
-
-
-
-  
\ No newline at end of file

http://git-wip-us.apache.org/repos/asf/nifi/blob/f7f001eb/nifi-docker/dockerhub/sh/common.sh
----------------------------------------------------------------------
diff --git a/nifi-docker/dockerhub/sh/common.sh b/nifi-docker/dockerhub/sh/common.sh
index 5d252bc..a0a6550 100755
--- a/nifi-docker/dockerhub/sh/common.sh
+++ b/nifi-docker/dockerhub/sh/common.sh
@@ -1,5 +1,4 @@
 #!/bin/sh -e
-
 #    Licensed to the Apache Software Foundation (ASF) under one or more
 #    contributor license agreements.  See the NOTICE file distributed with
 #    this work for additional information regarding copyright ownership.
@@ -26,4 +25,4 @@ prop_replace () {
 
 # NIFI_HOME is defined by an ENV command in the backing Dockerfile
 export nifi_props_file=${NIFI_HOME}/conf/nifi.properties
-export hostname=$(hostname)
\ No newline at end of file
+export hostname=$(hostname)

http://git-wip-us.apache.org/repos/asf/nifi/blob/f7f001eb/nifi-docker/dockerhub/sh/secure.sh
----------------------------------------------------------------------
diff --git a/nifi-docker/dockerhub/sh/secure.sh b/nifi-docker/dockerhub/sh/secure.sh
index 93e8267..4609005 100644
--- a/nifi-docker/dockerhub/sh/secure.sh
+++ b/nifi-docker/dockerhub/sh/secure.sh
@@ -15,7 +15,9 @@
 #    See the License for the specific language governing permissions and
 #    limitations under the License.
 
-[ -f /opt/nifi/scripts/common.sh ] && . /opt/nifi/scripts/common.sh
+scripts_dir='/opt/nifi/scripts'
+
+[ -f "${scripts_dir}/common.sh" ] && . "${scripts_dir}/common.sh"
 
 # Perform idempotent changes of configuration to support secure environments
 echo 'Configuring environment with SSL settings'
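Review bot: The new `[ -f "${scripts_dir}/common.sh" ] && . "${scripts_dir}/common.sh"` still skips silently when common.sh is missing, so the failure only surfaces later when `prop_replace` is called; the same pattern is added in start.sh. If the file is required, sourcing it unconditionally with an explicit failure, `. "${scripts_dir}/common.sh" || { echo "common.sh not found in ${scripts_dir}" >&2; exit 1; }`, makes a broken image fail at startup with a clear message. Since start.sh already sources common.sh before sourcing secure.sh, the guard here is presumably there to allow running secure.sh on its own; a short comment saying so would help.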
@@ -28,13 +30,13 @@ fi
 : ${KEYSTORE_TYPE:?"Must specify the type of keystore (JKS, PKCS12, PEM) of the keystore being used."}
 : ${KEYSTORE_PASSWORD:?"Must specify the password of the keystore being used."}
 
-: ${TRUSTSTORE_PATH:?"Must specify an absolute path to the truststore  being used."}
+: ${TRUSTSTORE_PATH:?"Must specify an absolute path to the truststore being used."}
 if [ ! -f "${TRUSTSTORE_PATH}" ]; then
     echo "Keystore file specified (${TRUSTSTORE_PATH}) does not exist."
     exit 1
 fi
-: ${TRUSTSTORE_TYPE:?"Need to set DEST non-empty"}
-: ${TRUSTSTORE_PASSWORD:?"Need to set DEST non-empty"}
+: ${TRUSTSTORE_TYPE:?"Must specify the type of truststore (JKS, PKCS12, PEM) of the truststore being used."}
+: ${TRUSTSTORE_PASSWORD:?"Must specify the password of the truststore being used."}
 
 prop_replace 'nifi.security.keystore'           "${KEYSTORE_PATH}"
 prop_replace 'nifi.security.keystoreType'       "${KEYSTORE_TYPE}"
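Review bot: The truststore existence check on the line after the corrected `TRUSTSTORE_PATH` message still reports `Keystore file specified (${TRUSTSTORE_PATH}) does not exist.`, so a missing truststore is diagnosed as a keystore problem; since this hunk is already rewording the neighbouring messages, that line should become `echo "Truststore file specified (${TRUSTSTORE_PATH}) does not exist." >&2`. Writing the diagnostic to stderr also keeps it separate from normal startup output. Note that start.sh now sources this file from its `ldap` branch too, so the keystore and truststore requirements asserted here apply to LDAP deployments as well, independently of the optional `LDAP_TLS_*` variables; the rest of secure.sh continues outside the hunk.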

http://git-wip-us.apache.org/repos/asf/nifi/blob/f7f001eb/nifi-docker/dockerhub/sh/start.sh
----------------------------------------------------------------------
diff --git a/nifi-docker/dockerhub/sh/start.sh b/nifi-docker/dockerhub/sh/start.sh
index 178f30e..df79ad6 100755
--- a/nifi-docker/dockerhub/sh/start.sh
+++ b/nifi-docker/dockerhub/sh/start.sh
@@ -15,29 +15,40 @@
 #    See the License for the specific language governing permissions and
 #    limitations under the License.
 
-[ -f /opt/nifi/scripts/common.sh ] && . /opt/nifi/scripts/common.sh
+scripts_dir='/opt/nifi/scripts'
+
+[ -f "${scripts_dir}/common.sh" ] && . "${scripts_dir}/common.sh"
 
 # Establish baseline properties
-prop_replace 'nifi.web.http.port'  '8080'
-prop_replace 'nifi.web.http.host'  "${hostname}"
-prop_replace 'nifi.remote.input.host' "${hostname}"
-prop_replace 'nifi.remote.input.socket.port' '10000'
-prop_replace 'nifi.remote.input.secure' 'false'
+prop_replace 'nifi.web.http.port'               '8080'
+prop_replace 'nifi.web.http.host'               "${hostname}"
+prop_replace 'nifi.remote.input.host'           "${hostname}"
+prop_replace 'nifi.remote.input.socket.port'    '10000'
+prop_replace 'nifi.remote.input.secure'         'false'
 
 # Check if we are secured or unsecured
 case ${AUTH} in
     tls)
         echo 'Enabling Two-Way SSL user authentication'
-        . /opt/nifi/scripts/secure.sh
+        . "${scripts_dir}/secure.sh"
+        ;;
+    ldap)
+        echo 'Enabling LDAP user authentication'
+        # Reference ldap-provider in properties
+        prop_replace 'nifi.security.user.login.identity.provider' 'ldap-provider'
+        prop_replace 'nifi.security.needClientAuth' 'WANT'
+
+        . "${scripts_dir}/secure.sh"
+        . "${scripts_dir}/update_login_providers.sh"
         ;;
 esac
 
-# Continuously provide logs so that 'docker logs' can produce them
-tail -F ${NIFI_HOME}/logs/nifi-app.log &
-${NIFI_HOME}/bin/nifi.sh run &
+# Continuously provide logs so that 'docker logs' can    produce them
+tail -F "${NIFI_HOME}/logs/nifi-app.log" &
+"${NIFI_HOME}/bin/nifi.sh" run &
 nifi_pid="$!"
 
 trap "echo Received trapped signal, beginning shutdown...;" KILL TERM HUP INT EXIT;
 
 echo NiFi running with PID ${nifi_pid}.
-wait ${nifi_pid}
+wait ${nifi_pid}
\ No newline at end of file
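Review bot: The `case ${AUTH} in` gains an `ldap)` arm but still has no default, so any unrecognised value (a typo such as `ldaps`, or mixed case) falls through and the instance silently starts unsecured over HTTP. Adding `'') ;;` for the intentional unsecured case and `*) echo "Unsupported AUTH value '${AUTH}'" >&2; exit 1 ;;` after the new arm makes a misconfiguration fail loudly instead. In the new arm, `nifi.security.needClientAuth` is set to `WANT` before `secure.sh` is sourced; if secure.sh also writes that property (its body is outside this hunk) the later write wins, so the order is worth confirming or commenting. Separately, the README's LDAP example in this commit passes `-e AUTH=tls`, which this case would route to the two-way SSL arm rather than the LDAP one. The rewritten log comment also picked up stray spaces in `can    produce`.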

http://git-wip-us.apache.org/repos/asf/nifi/blob/f7f001eb/nifi-docker/dockerhub/sh/update_login_providers.sh
----------------------------------------------------------------------
diff --git a/nifi-docker/dockerhub/sh/update_login_providers.sh b/nifi-docker/dockerhub/sh/update_login_providers.sh
new file mode 100755
index 0000000..e124960
--- /dev/null
+++ b/nifi-docker/dockerhub/sh/update_login_providers.sh
@@ -0,0 +1,47 @@
+#!/bin/sh -e
+
+#    Licensed to the Apache Software Foundation (ASF) under one or more
+#    contributor license agreements.  See the NOTICE file distributed with
+#    this work for additional information regarding copyright ownership.
+#    The ASF licenses this file to You under the Apache License, Version 2.0
+#    (the "License"); you may not use this file except in compliance with
+#    the License.  You may obtain a copy of the License at
+#
+#       http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS,
+#    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#    See the License for the specific language governing permissions and
+#    limitations under the License.
+
+login_providers_file=${NIFI_HOME}/conf/login-identity-providers.xml
+property_xpath='//loginIdentityProviders/provider/property'
+
+# Update a given property in the login-identity-providers file if a value is specified
+edit_property() {
+  property_name=$1
+  property_value=$2
+
+  if [ -n "${property_value}" ]; then
+    xmlstarlet ed --inplace -u "${property_xpath}[@name='${property_name}']" -v "${property_value}" "${login_providers_file}"
+  fi
+}
+
+# Remove comments to enable the ldap-provider
+sed -i '/To enable the ldap-provider remove/d' "${login_providers_file}"
+
+edit_property 'Authentication Strategy'     "${LDAP_AUTHENTICATION_STRATEGY}"
+edit_property 'Manager DN'                  "${LDAP_MANAGER_DN}"
+edit_property 'Manager Password'            "${LDAP_MANAGER_PASSWORD}"
+edit_property 'TLS - Keystore'              "${LDAP_TLS_KEYSTORE}"
+edit_property 'TLS - Keystore Password'     "${LDAP_TLS_KEYSTORE_PASSWORD}"
+edit_property 'TLS - Keystore Type'         "${LDAP_TLS_KEYSTORE_TYPE}"
+edit_property 'TLS - Truststore'            "${LDAP_TLS_TRUSTSTORE}"
+edit_property 'TLS - Truststore Password'   "${LDAP_TLS_TRUSTSTORE_PASSWORD}"
+edit_property 'TLS - Truststore Type'       "${LDAP_TLS_TRUSTSTORE_TYPE}"
+edit_property 'TLS - Protocol'              "${LDAP_TLS_PROTOCOL}"
+edit_property 'Url'                         "${LDAP_URL}"
+edit_property 'User Search Base'            "${LDAP_USER_SEARCH_BASE}"
+edit_property 'User Search Filter'          "${LDAP_USER_SEARCH_FILTER}"
+edit_property 'Identity Strategy'           "${LDAP_IDENTITY_STRATEGY}"
\ No newline at end of file
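Review bot: `edit_property` skips any empty value, so with `AUTH=ldap` and, say, no `LDAP_URL` set, the script completes without error and NiFi starts with whatever values the template's ldap-provider entry already carries. The required inputs should be asserted before the edits in the same style secure.sh uses, for example `: ${LDAP_URL:?"Must specify the URL of the LDAP server."}` and likewise for the other values the README's minimal example treats as mandatory. The file is sourced by start.sh rather than executed, so the `-e` in its shebang has no effect; whether a failing `xmlstarlet` or `sed` aborts startup depends on start.sh's own options, and `property_name`/`property_value` become globals of the sourcing shell. The `sed` line uncomments the provider by deleting a line matched on the template's comment text; if that text changes in a future conf template the provider stays commented out while the `xmlstarlet` edits still succeed, so a follow-up check that the `ldap-provider` element is now active would make that failure visible.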