You are viewing a plain text version of this content. The canonical link for it is here.

Posted to issues@nifi.apache.org by GitBox <gi...@apache.org> on 2021/07/14 16:58:59 UTC

[GitHub] [nifi] exceptionfactory opened a new pull request #5216: NIFI-8783 Moved SingleUserAuthorizer Login Provider check

exceptionfactory opened a new pull request #5216:
URL: https://github.com/apache/nifi/pull/5216


   #### Description of PR
   
   NIFI-8783 Moves the check for `SingleUserLoginIdentityProvider` from `setProperties()` to `initialize()` in `SingleUserAuthorizer`. This approach allows the `SingleUserAuthorizer` definition to exist in `authorizers.xml` but continues to prevent it from being used without the `SingleUserLoginIdentityProvider` being configured as the selected Login Identity Provider.
   
   In order to streamline the review of the contribution we ask you
   to ensure the following steps have been taken:
   
   ### For all changes:
   - [X] Is there a JIRA ticket associated with this PR? Is it referenced 
        in the commit message?
   
   - [X] Does your PR title start with **NIFI-XXXX** where XXXX is the JIRA number you are trying to resolve? Pay particular attention to the hyphen "-" character.
   
   - [X] Has your PR been rebased against the latest commit within the target branch (typically `main`)?
   
   - [X] Is your initial contribution a single, squashed commit? _Additional commits in response to PR reviewer feedback should be made on this branch and pushed to allow change tracking. Do not `squash` or use `--force` when pushing to allow for clean monitoring of changes._
   
   ### For code changes:
   - [ ] Have you ensured that the full suite of tests is executed via `mvn -Pcontrib-check clean install` at the root `nifi` folder?
   - [X] Have you written or updated unit tests to verify your changes?
   - [ ] Have you verified that the full build is successful on JDK 8?
   - [ ] Have you verified that the full build is successful on JDK 11?
   - [ ] If adding new dependencies to the code, are these dependencies licensed in a way that is compatible for inclusion under [ASF 2.0](http://www.apache.org/legal/resolved.html#category-a)? 
   - [ ] If applicable, have you updated the `LICENSE` file, including the main `LICENSE` file under `nifi-assembly`?
   - [ ] If applicable, have you updated the `NOTICE` file, including the main `NOTICE` file found under `nifi-assembly`?
   - [ ] If adding new Properties, have you added `.displayName` in addition to .name (programmatic access) for each of the new properties?
   
   ### For documentation related changes:
   - [ ] Have you ensured that format looks appropriate for the output in which it is rendered?
   
   ### Note:
   Please ensure that once the PR is submitted, you check GitHub Actions CI for build issues and submit an update to your PR as soon as possible.
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: issues-unsubscribe@nifi.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org

[GitHub] [nifi] exceptionfactory commented on pull request #5216: NIFI-8783 Moved SingleUserAuthorizer Login Provider check

Posted by GitBox <gi...@apache.org>.

exceptionfactory commented on pull request #5216:
URL: https://github.com/apache/nifi/pull/5216#issuecomment-880294530


   Thanks for the feedback @jfrazee. As @bbende mentioned, this particular check is specific to the `SingleUserAuthorizer`.  The purpose is to prevent the `SingleUserAuthorizer` from being used with a Login Identity Provider other than `SingleUserLoginIdentityProvider`.  The `setProperties()` method that receives the instance of `NiFiProperties` gets called before `initialize()`, so moving the logic to `initialize()` allows the Authorizer to check its own identifier and thus be defined without necessarily being enabled.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: issues-unsubscribe@nifi.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org

[GitHub] [nifi] jfrazee commented on pull request #5216: NIFI-8783 Moved SingleUserAuthorizer Login Provider check

Posted by GitBox <gi...@apache.org>.

jfrazee commented on pull request #5216:
URL: https://github.com/apache/nifi/pull/5216#issuecomment-880252565


   @exceptionfactory There was a thread in Slack where someone noted similar behavior for the AzureGraphUserGroupProvider so I also checked the LdapUserGroupProvider and all will try to initialize whether or not they're being used resulting in startup failures, so I don't think this is a SingleUserAuthorizer issue alone.
   
   I checked some commits back in April and this wasn't happening. Not sure where the problem is yet though.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: issues-unsubscribe@nifi.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org

[GitHub] [nifi] bbende commented on pull request #5216: NIFI-8783 Moved SingleUserAuthorizer Login Provider check

Posted by GitBox <gi...@apache.org>.

bbende commented on pull request #5216:
URL: https://github.com/apache/nifi/pull/5216#issuecomment-880259482


   @jfrazee this issue was specially for single-user-group authorizer because it was doing a check to ensure that it can only be used with the single-user-group login identity provider.
   
   In general though, anything declared in the provider files should be able to be instantiated and configured, even if it is not directly used in NiFi properties. So if any other provider has an issue like this we should address that too with additional JIRAs/PRs.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: issues-unsubscribe@nifi.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org

[GitHub] [nifi] jfrazee commented on pull request #5216: NIFI-8783 Moved SingleUserAuthorizer Login Provider check

Posted by GitBox <gi...@apache.org>.

jfrazee commented on pull request #5216:
URL: https://github.com/apache/nifi/pull/5216#issuecomment-880301186


   @bbende @exceptionfactory Thanks. After working through it, it's just a superficially similar thing -- any userGroupProvider present (uncommented) must have a valid configuration whether or not it or the managed-authorizer is being used. There's been no change in behavior, just new ways to bump into it.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: issues-unsubscribe@nifi.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org

[GitHub] [nifi] exceptionfactory commented on pull request #5216: NIFI-8783 Moved SingleUserAuthorizer Login Provider check

Posted by GitBox <gi...@apache.org>.

exceptionfactory commented on pull request #5216:
URL: https://github.com/apache/nifi/pull/5216#issuecomment-880631929


   > Ok, I verified that:
   > 
   >     1. Starting up with a selected authorizer of single-user-authorizer and a login-identity-provider of ldap-provider correctly fails with `SingleUserAuthorizer requires org.apache.nifi.authentication.single.user.SingleUserLoginIdentityProvider to be configured`
   > 
   >     2. Starting up with single-user-authorizer present in authorizers.xml, but with a selected authorizer of managed-authorizer and a login-identity-provider of ldap-provider now works.
   
   Thanks for the verification @gresockj!


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: issues-unsubscribe@nifi.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org

[GitHub] [nifi] bbende merged pull request #5216: NIFI-8783 Moved SingleUserAuthorizer Login Provider check

Posted by GitBox <gi...@apache.org>.

bbende merged pull request #5216:
URL: https://github.com/apache/nifi/pull/5216


   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: issues-unsubscribe@nifi.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org