Posted to dev@nifi.apache.org by Joe Witt <jo...@gmail.com> on 2022/03/09 15:42:11 UTC

Re: [discuss] pulling together a NiFi 1.16

Team

We appear to be at a good point to start pulling together the release
candidate for 1.16.

https://issues.apache.org/jira/projects/NIFI/versions/12350741

I'm basically waiting for https://issues.apache.org/jira/browse/NIFI-9761
to land then will start pulling together the release.

Thanks

On Mon, Feb 14, 2022 at 11:18 AM Joe Witt <jo...@gmail.com> wrote:

> Eduardo
>
> Getting reviewers on the UI/rest/front-end are among the toughest as
> there just aren't as many of those folks.
>
> The reply from Pierre was probably most telling. It looks fine but
> many of us would pause to merge without knowing precisely what the
> implications are.  What happens on a taxed system with many
> CSs...I'll comment on the PR.
>
> Thanks
> Joe
>
> On Mon, Feb 14, 2022 at 11:13 AM Eduardo Fontes
> <ed...@gmail.com> wrote:
> >
> > Hi All,
> >
> > Is it possible to include
> https://issues.apache.org/jira/browse/NIFI-8927
> > in release 1.16?
> > I've been asking for a review https://github.com/apache/nifi/pull/5247
> > since AUG/2021 and I don't understand why nobody did it. It's a simple
> and
> > useful UI feature.
> >
> > Peace out.
> > Eduardo Fontes
>

Re: [discuss] pulling together a NiFi 1.16

Posted by Matt Burgess <ma...@apache.org>.
I'm all for bringing into the next RC, if something goes sideways
during the RC validation we can always take it back out.

-Matt

On Wed, Mar 16, 2022 at 5:39 PM Joe Witt <jo...@gmail.com> wrote:
>
> Team
>
> We will have RC3 now because of a regression.  But we also now have an
> interesting opportunity.
>
> With https://github.com/apache/nifi/pull/5870/files we could both build and
> run on Java 17.  The changes are largely about tests and such.  I'm
> inclined to pull this in during the rc process.  I encourage others to
> chime in/review/etc.. in case there are some strong reasons not to pull it
> in.
>
> Adding 'Java 17 now supported' would be quite a nice thing...
>
> Thanks
>
> On Thu, Mar 10, 2022 at 9:10 AM Joe Witt <jo...@gmail.com> wrote:
>
> > Team,
> >
> > Mike's PR got merged it looks like.
> >
> > I'm initiating 1.16 RC.  For all commits going forward please tag as fix
> > version 1.17
> > https://issues.apache.org/jira/projects/NIFI/versions/12351438
> >
> > If we have failed RCs I'll pull things into 1.16 as needed.
> >
> > Thanks
> >
> > On Wed, Mar 9, 2022 at 9:25 AM Joe Witt <jo...@gmail.com> wrote:
> >
> >> Mike
> >>
> >> I left a comment on the PR.  But as usual with these releases there are
> >> always things that are close/nearly there/just need a review/etc..  If that
> >> or anything else lands by the time the RC is generated then we're good.
> >>
> >> Thanks
> >>
> >> On Wed, Mar 9, 2022 at 9:21 AM Mike Thomsen <mi...@gmail.com>
> >> wrote:
> >>
> >>> Joe,
> >>>
> >>> I would like to see this review closed out before a 1.16 RC if
> >>> possible: https://github.com/apache/nifi/pull/4646 I think it's mainly
> >>> waiting on someone to verify that all of the changes have been made.
> >>>
> >>> Thanks,
> >>>
> >>> Mike
> >>>
> >>>
> >>> On Wed, Mar 9, 2022 at 10:54 AM Joe Witt <jo...@gmail.com> wrote:
> >>> >
> >>> > Mark
> >>> >
> >>> > The single user authorizer and default setup install is just to avoid
> >>> > having wide open systems by default.  So if you want to make changes to
> >>> > security settings and do it right you don't use that mode.  Happy to
> >>> have
> >>> > improvements within that scope of intent but does not sound like
> >>> anything
> >>> > we'd wait for.  When it lands it lands.
> >>> >
> >>> > Thanks
> >>> >
> >>> > On Wed, Mar 9, 2022 at 8:49 AM Mark Bean <ma...@gmail.com>
> >>> wrote:
> >>> >
> >>> > > Joe,
> >>> > >
> >>> > > I just discovered an issue yesterday that might need attention
> >>> first. I
> >>> > > haven't investigated fully yet nor created a ticket because I don't
> >>> yet
> >>> > > fully understand it. However, it appears as though the
> >>> > > single-user-authorizer may not be behaving as intended. When I
> >>> updated
> >>> > > nifi.properties to swap the self-signed, auto-generated keystore and
> >>> > > truststore with "real" ones, single-user became _every_ user. My
> >>> suspicion
> >>> > > is that any user whose browser presents a cert that was signed by a
> >>> CA in
> >>> > > the truststore is allowed in - without even prompting for
> >>> > > username/password.
> >>> > >
> >>> > > It may be considered a configuration error to allow this to happen.
> >>> Still,
> >>> > > this seems like extremely dangerous behavior.
> >>> > >
> >>> > > -Mark
> >>> > >
> >>> > >
> >>> > > On Wed, Mar 9, 2022 at 10:42 AM Joe Witt <jo...@gmail.com> wrote:
> >>> > >
> >>> > > > Team
> >>> > > >
> >>> > > > We appear to be at a good point to start pulling together the
> >>> release
> >>> > > > candidate for 1.16.
> >>> > > >
> >>> > > > https://issues.apache.org/jira/projects/NIFI/versions/12350741
> >>> > > >
> >>> > > > I'm basically waiting for
> >>> > > https://issues.apache.org/jira/browse/NIFI-9761
> >>> > > > to land then will start pulling together the release.
> >>> > > >
> >>> > > > Thanks
> >>> > > >
> >>> > > > On Mon, Feb 14, 2022 at 11:18 AM Joe Witt <jo...@gmail.com>
> >>> wrote:
> >>> > > >
> >>> > > > > Eduardo
> >>> > > > >
> >>> > > > > Getting reviewers on the UI/rest/front-end are among the
> >>> toughest as
> >>> > > > > there just aren't as many of those folks.
> >>> > > > >
> >>> > > > > The reply from Pierre was probably most telling. It looks fine
> >>> but
> >>> > > > > many of us would pause to merge without knowing precisely what
> >>> the
> >>> > > > > implications are.  What happens on a taxed system with many
> >>> > > > > CSs...I'll comment on the PR.
> >>> > > > >
> >>> > > > > Thanks
> >>> > > > > Joe
> >>> > > > >
> >>> > > > > On Mon, Feb 14, 2022 at 11:13 AM Eduardo Fontes
> >>> > > > > <ed...@gmail.com> wrote:
> >>> > > > > >
> >>> > > > > > Hi All,
> >>> > > > > >
> >>> > > > > > Is it possible to include
> >>> > > > > https://issues.apache.org/jira/browse/NIFI-8927
> >>> > > > > > in release 1.16?
> >>> > > > > > I've been asking for a review
> >>> > > https://github.com/apache/nifi/pull/5247
> >>> > > > > > since AUG/2021 and I don't understand why nobody did it. It's a
> >>> > > simple
> >>> > > > > and
> >>> > > > > > useful UI feature.
> >>> > > > > >
> >>> > > > > > Peace out.
> >>> > > > > > Eduardo Fontes
> >>> > > > >
> >>> > > >
> >>> > >
> >>>
> >>

Re: [discuss] pulling together a NiFi 1.16

Posted by Joe Witt <jo...@gmail.com>.
Team

We will have RC3 now because of a regression.  But we also now have an
interesting opportunity.

With https://github.com/apache/nifi/pull/5870/files we could both build and
run on Java 17.  The changes are largely about tests and such.  I'm
inclined to pull this in during the rc process.  I encourage others to
chime in/review/etc.. in case there are some strong reasons not to pull it
in.

Adding 'Java 17 now supported' would be quite a nice thing...

Thanks

On Thu, Mar 10, 2022 at 9:10 AM Joe Witt <jo...@gmail.com> wrote:

> Team,
>
> Mike's PR got merged it looks like.
>
> I'm initiating 1.16 RC.  For all commits going forward please tag as fix
> version 1.17
> https://issues.apache.org/jira/projects/NIFI/versions/12351438
>
> If we have failed RCs I'll pull things into 1.16 as needed.
>
> Thanks
>
> On Wed, Mar 9, 2022 at 9:25 AM Joe Witt <jo...@gmail.com> wrote:
>
>> Mike
>>
>> I left a comment on the PR.  But as usual with these releases there are
>> always things that are close/nearly there/just need a review/etc..  If that
>> or anything else lands by the time the RC is generated then we're good.
>>
>> Thanks
>>
>> On Wed, Mar 9, 2022 at 9:21 AM Mike Thomsen <mi...@gmail.com>
>> wrote:
>>
>>> Joe,
>>>
>>> I would like to see this review closed out before a 1.16 RC if
>>> possible: https://github.com/apache/nifi/pull/4646 I think it's mainly
>>> waiting on someone to verify that all of the changes have been made.
>>>
>>> Thanks,
>>>
>>> Mike
>>>
>>>
>>> On Wed, Mar 9, 2022 at 10:54 AM Joe Witt <jo...@gmail.com> wrote:
>>> >
>>> > Mark
>>> >
>>> > The single user authorizer and default setup install is just to avoid
>>> > having wide open systems by default.  So if you want to make changes to
>>> > security settings and do it right you don't use that mode.  Happy to
>>> have
>>> > improvements within that scope of intent but does not sound like
>>> anything
>>> > we'd wait for.  When it lands it lands.
>>> >
>>> > Thanks
>>> >
>>> > On Wed, Mar 9, 2022 at 8:49 AM Mark Bean <ma...@gmail.com>
>>> wrote:
>>> >
>>> > > Joe,
>>> > >
>>> > > I just discovered an issue yesterday that might need attention
>>> first. I
>>> > > haven't investigated fully yet nor created a ticket because I don't
>>> yet
>>> > > fully understand it. However, it appears as though the
>>> > > single-user-authorizer may not be behaving as intended. When I
>>> updated
>>> > > nifi.properties to swap the self-signed, auto-generated keystore and
>>> > > truststore with "real" ones, single-user became _every_ user. My
>>> suspicion
>>> > > is that any user whose browser presents a cert that was signed by a
>>> CA in
>>> > > the truststore is allowed in - without even prompting for
>>> > > username/password.
>>> > >
>>> > > It may be considered a configuration error to allow this to happen.
>>> Still,
>>> > > this seems like extremely dangerous behavior.
>>> > >
>>> > > -Mark
>>> > >
>>> > >
>>> > > On Wed, Mar 9, 2022 at 10:42 AM Joe Witt <jo...@gmail.com> wrote:
>>> > >
>>> > > > Team
>>> > > >
>>> > > > We appear to be at a good point to start pulling together the
>>> release
>>> > > > candidate for 1.16.
>>> > > >
>>> > > > https://issues.apache.org/jira/projects/NIFI/versions/12350741
>>> > > >
>>> > > > I'm basically waiting for
>>> > > https://issues.apache.org/jira/browse/NIFI-9761
>>> > > > to land then will start pulling together the release.
>>> > > >
>>> > > > Thanks
>>> > > >
>>> > > > On Mon, Feb 14, 2022 at 11:18 AM Joe Witt <jo...@gmail.com>
>>> wrote:
>>> > > >
>>> > > > > Eduardo
>>> > > > >
>>> > > > > Getting reviewers on the UI/rest/front-end are among the
>>> toughest as
>>> > > > > there just aren't as many of those folks.
>>> > > > >
>>> > > > > The reply from Pierre was probably most telling. It looks fine
>>> but
>>> > > > > many of us would pause to merge without knowing precisely what
>>> the
>>> > > > > implications are.  What happens on a taxed system with many
>>> > > > > CSs...I'll comment on the PR.
>>> > > > >
>>> > > > > Thanks
>>> > > > > Joe
>>> > > > >
>>> > > > > On Mon, Feb 14, 2022 at 11:13 AM Eduardo Fontes
>>> > > > > <ed...@gmail.com> wrote:
>>> > > > > >
>>> > > > > > Hi All,
>>> > > > > >
>>> > > > > > Is it possible to include
>>> > > > > https://issues.apache.org/jira/browse/NIFI-8927
>>> > > > > > in release 1.16?
>>> > > > > > I've been asking for a review
>>> > > https://github.com/apache/nifi/pull/5247
>>> > > > > > since AUG/2021 and I don't understand why nobody did it. It's a
>>> > > simple
>>> > > > > and
>>> > > > > > useful UI feature.
>>> > > > > >
>>> > > > > > Peace out.
>>> > > > > > Eduardo Fontes
>>> > > > >
>>> > > >
>>> > >
>>>
>>

Re: [discuss] pulling together a NiFi 1.16

Posted by Joe Witt <jo...@gmail.com>.
Team,

Mike's PR got merged it looks like.

I'm initiating 1.16 RC.  For all commits going forward please tag as fix
version 1.17 https://issues.apache.org/jira/projects/NIFI/versions/12351438

If we have failed RCs I'll pull things into 1.16 as needed.

Thanks

On Wed, Mar 9, 2022 at 9:25 AM Joe Witt <jo...@gmail.com> wrote:

> Mike
>
> I left a comment on the PR.  But as usual with these releases there are
> always things that are close/nearly there/just need a review/etc..  If that
> or anything else lands by the time the RC is generated then we're good.
>
> Thanks
>
> On Wed, Mar 9, 2022 at 9:21 AM Mike Thomsen <mi...@gmail.com>
> wrote:
>
>> Joe,
>>
>> I would like to see this review closed out before a 1.16 RC if
>> possible: https://github.com/apache/nifi/pull/4646 I think it's mainly
>> waiting on someone to verify that all of the changes have been made.
>>
>> Thanks,
>>
>> Mike
>>
>>
>> On Wed, Mar 9, 2022 at 10:54 AM Joe Witt <jo...@gmail.com> wrote:
>> >
>> > Mark
>> >
>> > The single user authorizer and default setup install is just to avoid
>> > having wide open systems by default.  So if you want to make changes to
>> > security settings and do it right you don't use that mode.  Happy to
>> have
>> > improvements within that scope of intent but does not sound like
>> anything
>> > we'd wait for.  When it lands it lands.
>> >
>> > Thanks
>> >
>> > On Wed, Mar 9, 2022 at 8:49 AM Mark Bean <ma...@gmail.com> wrote:
>> >
>> > > Joe,
>> > >
>> > > I just discovered an issue yesterday that might need attention first.
>> I
>> > > haven't investigated fully yet nor created a ticket because I don't
>> yet
>> > > fully understand it. However, it appears as though the
>> > > single-user-authorizer may not be behaving as intended. When I updated
>> > > nifi.properties to swap the self-signed, auto-generated keystore and
>> > > truststore with "real" ones, single-user became _every_ user. My
>> suspicion
>> > > is that any user whose browser presents a cert that was signed by a
>> CA in
>> > > the truststore is allowed in - without even prompting for
>> > > username/password.
>> > >
>> > > It may be considered a configuration error to allow this to happen.
>> Still,
>> > > this seems like extremely dangerous behavior.
>> > >
>> > > -Mark
>> > >
>> > >
>> > > On Wed, Mar 9, 2022 at 10:42 AM Joe Witt <jo...@gmail.com> wrote:
>> > >
>> > > > Team
>> > > >
>> > > > We appear to be at a good point to start pulling together the
>> release
>> > > > candidate for 1.16.
>> > > >
>> > > > https://issues.apache.org/jira/projects/NIFI/versions/12350741
>> > > >
>> > > > I'm basically waiting for
>> > > https://issues.apache.org/jira/browse/NIFI-9761
>> > > > to land then will start pulling together the release.
>> > > >
>> > > > Thanks
>> > > >
>> > > > On Mon, Feb 14, 2022 at 11:18 AM Joe Witt <jo...@gmail.com>
>> wrote:
>> > > >
>> > > > > Eduardo
>> > > > >
>> > > > > Getting reviewers on the UI/rest/front-end are among the toughest
>> as
>> > > > > there just aren't as many of those folks.
>> > > > >
>> > > > > The reply from Pierre was probably most telling. It looks fine but
>> > > > > many of us would pause to merge without knowing precisely what the
>> > > > > implications are.  What happens on a taxed system with many
>> > > > > CSs...I'll comment on the PR.
>> > > > >
>> > > > > Thanks
>> > > > > Joe
>> > > > >
>> > > > > On Mon, Feb 14, 2022 at 11:13 AM Eduardo Fontes
>> > > > > <ed...@gmail.com> wrote:
>> > > > > >
>> > > > > > Hi All,
>> > > > > >
>> > > > > > Is it possible to include
>> > > > > https://issues.apache.org/jira/browse/NIFI-8927
>> > > > > > in release 1.16?
>> > > > > > I've been asking for a review
>> > > https://github.com/apache/nifi/pull/5247
>> > > > > > since AUG/2021 and I don't understand why nobody did it. It's a
>> > > simple
>> > > > > and
>> > > > > > useful UI feature.
>> > > > > >
>> > > > > > Peace out.
>> > > > > > Eduardo Fontes
>> > > > >
>> > > >
>> > >
>>
>

Re: [discuss] pulling together a NiFi 1.16

Posted by Joe Witt <jo...@gmail.com>.
Mike

I left a comment on the PR.  But as usual with these releases there are
always things that are close/nearly there/just need a review/etc..  If that
or anything else lands by the time the RC is generated then we're good.

Thanks

On Wed, Mar 9, 2022 at 9:21 AM Mike Thomsen <mi...@gmail.com> wrote:

> Joe,
>
> I would like to see this review closed out before a 1.16 RC if
> possible: https://github.com/apache/nifi/pull/4646 I think it's mainly
> waiting on someone to verify that all of the changes have been made.
>
> Thanks,
>
> Mike
>
>
> On Wed, Mar 9, 2022 at 10:54 AM Joe Witt <jo...@gmail.com> wrote:
> >
> > Mark
> >
> > The single user authorizer and default setup install is just to avoid
> > having wide open systems by default.  So if you want to make changes to
> > security settings and do it right you don't use that mode.  Happy to have
> > improvements within that scope of intent but does not sound like anything
> > we'd wait for.  When it lands it lands.
> >
> > Thanks
> >
> > On Wed, Mar 9, 2022 at 8:49 AM Mark Bean <ma...@gmail.com> wrote:
> >
> > > Joe,
> > >
> > > I just discovered an issue yesterday that might need attention first. I
> > > haven't investigated fully yet nor created a ticket because I don't yet
> > > fully understand it. However, it appears as though the
> > > single-user-authorizer may not be behaving as intended. When I updated
> > > nifi.properties to swap the self-signed, auto-generated keystore and
> > > truststore with "real" ones, single-user became _every_ user. My
> suspicion
> > > is that any user whose browser presents a cert that was signed by a CA
> in
> > > the truststore is allowed in - without even prompting for
> > > username/password.
> > >
> > > It may be considered a configuration error to allow this to happen.
> Still,
> > > this seems like extremely dangerous behavior.
> > >
> > > -Mark
> > >
> > >
> > > On Wed, Mar 9, 2022 at 10:42 AM Joe Witt <jo...@gmail.com> wrote:
> > >
> > > > Team
> > > >
> > > > We appear to be at a good point to start pulling together the release
> > > > candidate for 1.16.
> > > >
> > > > https://issues.apache.org/jira/projects/NIFI/versions/12350741
> > > >
> > > > I'm basically waiting for
> > > https://issues.apache.org/jira/browse/NIFI-9761
> > > > to land then will start pulling together the release.
> > > >
> > > > Thanks
> > > >
> > > > On Mon, Feb 14, 2022 at 11:18 AM Joe Witt <jo...@gmail.com>
> wrote:
> > > >
> > > > > Eduardo
> > > > >
> > > > > Getting reviewers on the UI/rest/front-end are among the toughest
> as
> > > > > there just aren't as many of those folks.
> > > > >
> > > > > The reply from Pierre was probably most telling. It looks fine but
> > > > > many of us would pause to merge without knowing precisely what the
> > > > > implications are.  What happens on a taxed system with many
> > > > > > CSs...I'll comment on the PR.
> > > > >
> > > > > Thanks
> > > > > Joe
> > > > >
> > > > > On Mon, Feb 14, 2022 at 11:13 AM Eduardo Fontes
> > > > > <ed...@gmail.com> wrote:
> > > > > >
> > > > > > Hi All,
> > > > > >
> > > > > > Is it possible to include
> > > > > https://issues.apache.org/jira/browse/NIFI-8927
> > > > > > in release 1.16?
> > > > > > I've been asking for a review
> > > https://github.com/apache/nifi/pull/5247
> > > > > > since AUG/2021 and I don't understand why nobody did it. It's a
> > > simple
> > > > > and
> > > > > > useful UI feature.
> > > > > >
> > > > > > Peace out.
> > > > > > Eduardo Fontes
> > > > >
> > > >
> > >
>

Re: [discuss] pulling together a NiFi 1.16

Posted by Mike Thomsen <mi...@gmail.com>.
Joe,

I would like to see this review closed out before a 1.16 RC if
possible: https://github.com/apache/nifi/pull/4646 I think it's mainly
waiting on someone to verify that all of the changes have been made.

Thanks,

Mike


On Wed, Mar 9, 2022 at 10:54 AM Joe Witt <jo...@gmail.com> wrote:
>
> Mark
>
> The single user authorizer and default setup install is just to avoid
> having wide open systems by default.  So if you want to make changes to
> security settings and do it right you don't use that mode.  Happy to have
> improvements within that scope of intent but does not sound like anything
> we'd wait for.  When it lands it lands.
>
> Thanks
>
> On Wed, Mar 9, 2022 at 8:49 AM Mark Bean <ma...@gmail.com> wrote:
>
> > Joe,
> >
> > I just discovered an issue yesterday that might need attention first. I
> > haven't investigated fully yet nor created a ticket because I don't yet
> > fully understand it. However, it appears as though the
> > single-user-authorizer may not be behaving as intended. When I updated
> > nifi.properties to swap the self-signed, auto-generated keystore and
> > truststore with "real" ones, single-user became _every_ user. My suspicion
> > is that any user whose browser presents a cert that was signed by a CA in
> > the truststore is allowed in - without even prompting for
> > username/password.
> >
> > It may be considered a configuration error to allow this to happen. Still,
> > this seems like extremely dangerous behavior.
> >
> > -Mark
> >
> >
> > On Wed, Mar 9, 2022 at 10:42 AM Joe Witt <jo...@gmail.com> wrote:
> >
> > > Team
> > >
> > > We appear to be at a good point to start pulling together the release
> > > candidate for 1.16.
> > >
> > > https://issues.apache.org/jira/projects/NIFI/versions/12350741
> > >
> > > I'm basically waiting for
> > https://issues.apache.org/jira/browse/NIFI-9761
> > > to land then will start pulling together the release.
> > >
> > > Thanks
> > >
> > > On Mon, Feb 14, 2022 at 11:18 AM Joe Witt <jo...@gmail.com> wrote:
> > >
> > > > Eduardo
> > > >
> > > > Getting reviewers on the UI/rest/front-end are among the toughest as
> > > > there just aren't as many of those folks.
> > > >
> > > > The reply from Pierre was probably most telling. It looks fine but
> > > > many of us would pause to merge without knowing precisely what the
> > > > implications are.  What happens on a taxed system with many
> > > > > CSs...I'll comment on the PR.
> > > >
> > > > Thanks
> > > > Joe
> > > >
> > > > On Mon, Feb 14, 2022 at 11:13 AM Eduardo Fontes
> > > > <ed...@gmail.com> wrote:
> > > > >
> > > > > Hi All,
> > > > >
> > > > > Is it possible to include
> > > > https://issues.apache.org/jira/browse/NIFI-8927
> > > > > in release 1.16?
> > > > > I've been asking for a review
> > https://github.com/apache/nifi/pull/5247
> > > > > since AUG/2021 and I don't understand why nobody did it. It's a
> > simple
> > > > and
> > > > > useful UI feature.
> > > > >
> > > > > Peace out.
> > > > > Eduardo Fontes
> > > >
> > >
> >

Re: [discuss] pulling together a NiFi 1.16

Posted by David Handermann <ex...@apache.org>.
Mark,

To elaborate on Joe's reply, changing the trust store configuration alters
the security profile of NiFi by allowing clients with trusted certificates
to access the system.  Changing the key store and trust store should always
occur in conjunction with changing the authorization configuration.

The Single User Authorizer includes a safety check to prevent configuration
in conjunction with Login Identity Providers other than the Single User
Login Identity Provider.  In the case of certificate authentication,
however, the Login Identity Provider does not apply, since certificate
authentication happens prior to application-level access. Although it might
be possible to add further safety checking in the Single User Authorizer to
also check the username against a particular value, this could introduce
additional coupling between authentication and authorization.  As this is
primarily a configuration problem, and changing the trust store has a
significant impact on the security profile of the system, this particular
scenario does not seem like a significant concern.

Regards,
David Handermann

On Wed, Mar 9, 2022 at 9:55 AM Joe Witt <jo...@gmail.com> wrote:

> Mark
>
> The single user authorizer and default setup install is just to avoid
> having wide open systems by default.  So if you want to make changes to
> security settings and do it right you don't use that mode.  Happy to have
> improvements within that scope of intent but does not sound like anything
> we'd wait for.  When it lands it lands.
>
> Thanks
>
> On Wed, Mar 9, 2022 at 8:49 AM Mark Bean <ma...@gmail.com> wrote:
>
> > Joe,
> >
> > I just discovered an issue yesterday that might need attention first. I
> > haven't investigated fully yet nor created a ticket because I don't yet
> > fully understand it. However, it appears as though the
> > single-user-authorizer may not be behaving as intended. When I updated
> > nifi.properties to swap the self-signed, auto-generated keystore and
> > truststore with "real" ones, single-user became _every_ user. My
> suspicion
> > is that any user whose browser presents a cert that was signed by a CA in
> > the truststore is allowed in - without even prompting for
> > username/password.
> >
> > It may be considered a configuration error to allow this to happen.
> Still,
> > this seems like extremely dangerous behavior.
> >
> > -Mark
> >
> >
> > On Wed, Mar 9, 2022 at 10:42 AM Joe Witt <jo...@gmail.com> wrote:
> >
> > > Team
> > >
> > > We appear to be at a good point to start pulling together the release
> > > candidate for 1.16.
> > >
> > > https://issues.apache.org/jira/projects/NIFI/versions/12350741
> > >
> > > I'm basically waiting for
> > https://issues.apache.org/jira/browse/NIFI-9761
> > > to land then will start pulling together the release.
> > >
> > > Thanks
> > >
> > > On Mon, Feb 14, 2022 at 11:18 AM Joe Witt <jo...@gmail.com> wrote:
> > >
> > > > Eduardo
> > > >
> > > > Getting reviewers on the UI/rest/front-end are among the toughest as
> > > > there just aren't as many of those folks.
> > > >
> > > > The reply from Pierre was probably most telling. It looks fine but
> > > > many of us would pause to merge without knowing precisely what the
> > > > implications are.  What happens on a taxed system with many
> > > > > CSs...I'll comment on the PR.
> > > >
> > > > Thanks
> > > > Joe
> > > >
> > > > On Mon, Feb 14, 2022 at 11:13 AM Eduardo Fontes
> > > > <ed...@gmail.com> wrote:
> > > > >
> > > > > Hi All,
> > > > >
> > > > > Is it possible to include
> > > > https://issues.apache.org/jira/browse/NIFI-8927
> > > > > in release 1.16?
> > > > > I've been asking for a review
> > https://github.com/apache/nifi/pull/5247
> > > > > since AUG/2021 and I don't understand why nobody did it. It's a
> > simple
> > > > and
> > > > > useful UI feature.
> > > > >
> > > > > Peace out.
> > > > > Eduardo Fontes
> > > >
> > >
> >
>
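
The configuration combination Mark Bean reported and David Handermann explains above (Single User Authorizer kept while the trust store is swapped), as an added example that is not part of the original thread or NiFi's own code: a Python check over nifi.properties. The property keys and provider identifiers are the NiFi 1.x defaults; the auto-generated trust store file name and the three sample configurations are assumptions constructed for the example.

```python
"""Audit nifi.properties for the Single User Authorizer kept with a swapped trust store."""

# Property keys and identifiers of a default NiFi 1.x install.
AUTHORIZER_KEY = "nifi.security.user.authorizer"
LOGIN_PROVIDER_KEY = "nifi.security.user.login.identity.provider"
TRUSTSTORE_KEY = "nifi.security.truststore"
SINGLE_USER_AUTHORIZER = "single-user-authorizer"
SINGLE_USER_PROVIDER = "single-user-provider"

# Assumption: file name of the trust store NiFi generates on first start.
AUTO_GENERATED_TRUSTSTORES = frozenset({"truststore.p12"})

# Constructed sample: untouched default install.
DEFAULT_INSTALL = """
# constructed sample, not taken from the thread
nifi.security.truststore=./conf/truststore.p12
nifi.security.user.authorizer=single-user-authorizer
nifi.security.user.login.identity.provider=single-user-provider
"""

# Constructed sample: stores swapped for "real" ones, authorizer left alone.
SWAPPED_STORES = """
nifi.security.truststore=/opt/pki/corp-truststore.jks
nifi.security.user.authorizer=single-user-authorizer
nifi.security.user.login.identity.provider=single-user-provider
"""

# Constructed sample: stores and authorization changed together.
MANAGED_AUTHORIZER = """
nifi.security.truststore=/opt/pki/corp-truststore.jks
nifi.security.user.authorizer=managed-authorizer
nifi.security.user.login.identity.provider=ldap-provider
"""


def parse_properties(text):
    """Parse Java-style key=value lines, skipping blanks and comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def audit(props, auto_generated=AUTO_GENERATED_TRUSTSTORES):
    """Return (code, message) findings for a parsed nifi.properties."""
    findings = []
    if props.get(AUTHORIZER_KEY, "") != SINGLE_USER_AUTHORIZER:
        # Other authorizers are out of scope for this check.
        return findings

    # Mirrors the safety check described in the thread: the Single User
    # Authorizer is only meant to run with the Single User login provider.
    provider = props.get(LOGIN_PROVIDER_KEY, "")
    if provider != SINGLE_USER_PROVIDER:
        findings.append((
            "provider-mismatch",
            f"{SINGLE_USER_AUTHORIZER} configured with login provider "
            f"'{provider or '(none)'}' instead of {SINGLE_USER_PROVIDER}",
        ))

    # Certificate authentication happens before the login provider is
    # consulted, so the provider check above cannot see this case.
    truststore = props.get(TRUSTSTORE_KEY, "")
    name = truststore.replace("\\", "/").rsplit("/", 1)[-1]
    if truststore and name not in auto_generated:
        findings.append((
            "custom-truststore",
            f"{SINGLE_USER_AUTHORIZER} kept while the trust store is "
            f"'{truststore}': clients with a certificate signed by a CA in "
            "that store are admitted without a username/password prompt; "
            "change the authorizer together with the stores",
        ))
    return findings


if __name__ == "__main__":
    samples = {
        "default install": DEFAULT_INSTALL,
        "swapped stores": SWAPPED_STORES,
        "managed authorizer": MANAGED_AUTHORIZER,
    }
    for label, text in samples.items():
        results = audit(parse_properties(text))
        print(f"{label}: {'OK' if not results else ''}")
        for code, message in results:
            print(f"  [{code}] {message}")
```
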

Re: [discuss] pulling together a NiFi 1.16

Posted by Joe Witt <jo...@gmail.com>.
Mark

The single user authorizer and default setup install is just to avoid
having wide open systems by default.  So if you want to make changes to
security settings and do it right you don't use that mode.  Happy to have
improvements within that scope of intent but does not sound like anything
we'd wait for.  When it lands it lands.

Thanks

On Wed, Mar 9, 2022 at 8:49 AM Mark Bean <ma...@gmail.com> wrote:

> Joe,
>
> I just discovered an issue yesterday that might need attention first. I
> haven't investigated fully yet nor created a ticket because I don't yet
> fully understand it. However, it appears as though the
> single-user-authorizer may not be behaving as intended. When I updated
> nifi.properties to swap the self-signed, auto-generated keystore and
> truststore with "real" ones, single-user became _every_ user. My suspicion
> is that any user whose browser presents a cert that was signed by a CA in
> the truststore is allowed in - without even prompting for
> username/password.
>
> It may be considered a configuration error to allow this to happen. Still,
> this seems like extremely dangerous behavior.
>
> -Mark
>
>
> On Wed, Mar 9, 2022 at 10:42 AM Joe Witt <jo...@gmail.com> wrote:
>
> > Team
> >
> > We appear to be at a good point to start pulling together the release
> > candidate for 1.16.
> >
> > https://issues.apache.org/jira/projects/NIFI/versions/12350741
> >
> > I'm basically waiting for
> https://issues.apache.org/jira/browse/NIFI-9761
> > to land then will start pulling together the release.
> >
> > Thanks
> >
> > On Mon, Feb 14, 2022 at 11:18 AM Joe Witt <jo...@gmail.com> wrote:
> >
> > > Eduardo
> > >
> > > Getting reviewers on the UI/rest/front-end are among the toughest as
> > > there just aren't as many of those folks.
> > >
> > > The reply from Pierre was probably most telling. It looks fine but
> > > many of us would pause to merge without knowing precisely what the
> > > implications are.  What happens on a taxed system with many
> > > > CSs...I'll comment on the PR.
> > >
> > > Thanks
> > > Joe
> > >
> > > On Mon, Feb 14, 2022 at 11:13 AM Eduardo Fontes
> > > <ed...@gmail.com> wrote:
> > > >
> > > > Hi All,
> > > >
> > > > Is it possible to include
> > > https://issues.apache.org/jira/browse/NIFI-8927
> > > > in release 1.16?
> > > > I've been asking for a review
> https://github.com/apache/nifi/pull/5247
> > > > since AUG/2021 and I don't understand why nobody did it. It's a
> simple
> > > and
> > > > useful UI feature.
> > > >
> > > > Peace out.
> > > > Eduardo Fontes
> > >
> >
>

Re: [discuss] pulling together a NiFi 1.16

Posted by Mark Bean <ma...@gmail.com>.
Joe,

I just discovered an issue yesterday that might need attention first. I
haven't investigated fully yet nor created a ticket because I don't yet
fully understand it. However, it appears as though the
single-user-authorizer may not be behaving as intended. When I updated
nifi.properties to swap the self-signed, auto-generated keystore and
truststore with "real" ones, single-user became _every_ user. My suspicion
is that any user whose browser presents a cert that was signed by a CA in
the truststore is allowed in - without even prompting for username/password.

It may be considered a configuration error to allow this to happen. Still,
this seems like extremely dangerous behavior.

-Mark


On Wed, Mar 9, 2022 at 10:42 AM Joe Witt <jo...@gmail.com> wrote:

> Team
>
> We appear to be at a good point to start pulling together the release
> candidate for 1.16.
>
> https://issues.apache.org/jira/projects/NIFI/versions/12350741
>
> I'm basically waiting for https://issues.apache.org/jira/browse/NIFI-9761
> to land then will start pulling together the release.
>
> Thanks
>
> On Mon, Feb 14, 2022 at 11:18 AM Joe Witt <jo...@gmail.com> wrote:
>
> > Eduardo
> >
> > Getting reviewers on the UI/rest/front-end are among the toughest as
> > there just aren't as many of those folks.
> >
> > The reply from Pierre was probably most telling. It looks fine but
> > many of us would pause to merge without knowing precisely what the
> > implications are.  What happens on a taxed system with many
> > CSs...I'll comment on the PR.
> >
> > Thanks
> > Joe
> >
> > On Mon, Feb 14, 2022 at 11:13 AM Eduardo Fontes
> > <ed...@gmail.com> wrote:
> > >
> > > Hi All,
> > >
> > > Is it possible to include
> > https://issues.apache.org/jira/browse/NIFI-8927
> > > in release 1.16?
> > > I've been asking for a review https://github.com/apache/nifi/pull/5247
> > > since AUG/2021 and I don't understand why nobody did it. It's a simple
> > and
> > > useful UI feature.
> > >
> > > Peace out.
> > > Eduardo Fontes
> >
>