Posted to issues@nifi.apache.org by GitBox <gi...@apache.org> on 2022/10/01 20:32:57 UTC

[GitHub] [nifi] malthe opened a new pull request, #6467: NIFI-10571 Retrieve groups from Azure AD app registration

malthe opened a new pull request, #6467:
URL: https://github.com/apache/nifi/pull/6467

   
   # Summary
   
   [NIFI-10571](https://issues.apache.org/jira/browse/NIFI-10571)
   
   # Tracking
   
   Please complete the following tracking steps prior to pull request creation.
   
   ### Issue Tracking
   
   - [x] [Apache NiFi Jira](https://issues.apache.org/jira/browse/NIFI) issue created
   
   ### Pull Request Tracking
   
   - [x] Pull Request title starts with Apache NiFi Jira issue number, such as `NIFI-00000`
   - [x] Pull Request commit message starts with Apache NiFi Jira issue number, as such `NIFI-00000`
   
   ### Pull Request Formatting
   
   - [x] Pull Request based on current revision of the `main` branch
   - [x] Pull Request refers to a feature branch with one commit containing changes
   
   # Verification
   
   Please indicate the verification steps performed prior to pull request creation.
   
   ### Build
   
   - [x] Build completed using `mvn clean install -P contrib-check`
     - [ ] JDK 8
     - [ ] JDK 11
     - [x] JDK 17
   
   ### Licensing
   
   - [ ] New dependencies are compatible with the [Apache License 2.0](https://apache.org/licenses/LICENSE-2.0) according to the [License Policy](https://www.apache.org/legal/resolved.html)
   - [ ] New dependencies are documented in applicable `LICENSE` and `NOTICE` files
   
   ### Documentation
   
   - [ ] Documentation formatting appears as expected in rendered files
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: issues-unsubscribe@nifi.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org


[GitHub] [nifi] malthe commented on pull request #6467: NIFI-10571 Retrieve groups from Azure AD app registration

Posted by GitBox <gi...@apache.org>.
malthe commented on PR #6467:
URL: https://github.com/apache/nifi/pull/6467#issuecomment-1264474389

   This is related to https://github.com/apache/nifi/pull/6454 (which makes it possible for app roles to get assigned as groups via IDP).




[GitHub] [nifi] malthe commented on pull request #6467: NIFI-10571 Retrieve groups from Azure AD app registration

Posted by GitBox <gi...@apache.org>.
malthe commented on PR #6467:
URL: https://github.com/apache/nifi/pull/6467#issuecomment-1270636734

   @exceptionfactory, I started out extending the existing user group provider for Azure but ultimately thought that perhaps it is confusing to users that the same component has these two quite different capabilities.
   
   That said, specifying "Object ID" could enable the retrieval of app roles as an optional configuration for the existing AzureGraphUserGroupProvider. In fact, in both cases, Azure Graph API is used (just quite differently).
   
   But then what about the various existing options such as group filter? Today it is a required option because it is expected that we'll be querying for users and groups. While one could solve this by having a strategy property, perhaps one wants both modes enabled at the same time.
   
   While specifying "Object ID" could be the enabler for retrieving app roles, what would be the _disabler_ for trying to retrieve users and groups?
   
   I came to the conclusion that perhaps it's simply because these two user group providers are different enough to warrant their own classes. But I don't feel very strongly about this. Perhaps there is one caveat which is that I have used mocking for testing the provider while the tests for AzureGraphUserGroupProvider actually make calls to the service.




[GitHub] [nifi] exceptionfactory commented on pull request #6467: NIFI-10571 Retrieve groups from Azure AD app registration

Posted by "exceptionfactory (via GitHub)" <gi...@apache.org>.
exceptionfactory commented on PR #6467:
URL: https://github.com/apache/nifi/pull/6467#issuecomment-1487499586

   Thanks @malthe!




[GitHub] [nifi] exceptionfactory commented on pull request #6467: NIFI-10571 Retrieve groups from Azure AD app registration

Posted by "exceptionfactory (via GitHub)" <gi...@apache.org>.
exceptionfactory commented on PR #6467:
URL: https://github.com/apache/nifi/pull/6467#issuecomment-1487476134

   @malthe Returning to this pull request after some time, thanks for your patience.
   
   On further review, I'm not sure it is a good fit to incorporate as a standard capability. The current implementation does not support returning user information, so it appears limited to just the `Group` aspect of the `UserGroupProvider` interface. Although it could be combined together with the existing `AzureGraphUserGroupProvider`, that is a key configuration factor that may not be immediately obvious.
   
   The existing `AzureGraphUserGroupProvider` covers both users and groups, and although this provider could be helpful in some scenarios, I'm not sure if it is common enough to warrant including as a standard component. It might make more sense to publish it separately to Maven Central and see if it gains interest among community users. What do you think?




[GitHub] [nifi] malthe commented on pull request #6467: NIFI-10571 Retrieve groups from Azure AD app registration

Posted by "malthe (via GitHub)" <gi...@apache.org>.
malthe commented on PR #6467:
URL: https://github.com/apache/nifi/pull/6467#issuecomment-1527075230

   @bluedragonknight well this was addressing exactly that need, but perhaps the right solution is to use a one-way synchronization system to manage users over in NiFi – in your case, using Azure App Roles as the basis.




[GitHub] [nifi] bluedragonknight commented on pull request #6467: NIFI-10571 Retrieve groups from Azure AD app registration

Posted by "bluedragonknight (via GitHub)" <gi...@apache.org>.
bluedragonknight commented on PR #6467:
URL: https://github.com/apache/nifi/pull/6467#issuecomment-1527459618

   @malthe So was this actually merged into source?  I haven't seen anyone using it in a tutorial and I came across this by pure chance.  If this is implemented then I will use your code structure here in my authorizers.xml and give it a try.




[GitHub] [nifi] bluedragonknight commented on pull request #6467: NIFI-10571 Retrieve groups from Azure AD app registration

Posted by "bluedragonknight (via GitHub)" <gi...@apache.org>.
bluedragonknight commented on PR #6467:
URL: https://github.com/apache/nifi/pull/6467#issuecomment-1526847315

   What all does it take to implement what you have here for AzureAD App Roles vs AD Groups.  I am moving away from AD Groups as they are not needed due to how AzureAD App Roles work.




[GitHub] [nifi] malthe commented on pull request #6467: NIFI-10571 Retrieve groups from Azure AD app registration

Posted by "malthe (via GitHub)" <gi...@apache.org>.
malthe commented on PR #6467:
URL: https://github.com/apache/nifi/pull/6467#issuecomment-1527470698

   @bluedragonknight no this was abandoned because it was felt that it was perhaps too narrow of a use-case, somehow too tied up with a certain integration pattern.




[GitHub] [nifi] malthe closed pull request #6467: NIFI-10571 Retrieve groups from Azure AD app registration

Posted by "malthe (via GitHub)" <gi...@apache.org>.
malthe closed pull request #6467: NIFI-10571 Retrieve groups from Azure AD app registration
URL: https://github.com/apache/nifi/pull/6467




[GitHub] [nifi] malthe commented on pull request #6467: NIFI-10571 Retrieve groups from Azure AD app registration

Posted by "malthe (via GitHub)" <gi...@apache.org>.
malthe commented on PR #6467:
URL: https://github.com/apache/nifi/pull/6467#issuecomment-1487491723

   I think that's a fair point – and the right way to integrate this is perhaps using https://learn.microsoft.com/en-us/azure/active-directory/fundamentals/sync-scim instead – syncing relevant user/groups to a target system.
   
   (Rather than the target system going back to the source on-demand.)
   
   I think we can close this issue then.




[GitHub] [nifi] exceptionfactory commented on pull request #6467: NIFI-10571 Retrieve groups from Azure AD app registration

Posted by "exceptionfactory (via GitHub)" <gi...@apache.org>.
exceptionfactory commented on PR #6467:
URL: https://github.com/apache/nifi/pull/6467#issuecomment-1527486411

   @bluedragonknight Although this pull request was not merged as noted, the Apache NiFi Jira Issue [NIFI-11492](https://issues.apache.org/jira/browse/NIFI-11492) might be another avenue of improvement for integration with Azure App Roles.
   
   As described in that issue, the authorization framework could be updated to avoid having to define users in the User Group Provider when sufficient information is available from an Identity Provider. This would work with Azure OIDC integration and passing App Roles as a Token Claim. The issue still needs some evaluation, but it might provide a more general improvement for this use case.


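The last comment sketches the alternative the thread settles on: let the identity provider supply group membership by passing Azure AD App Roles as a claim in the OIDC token, so the authorizer does not need a user group provider entry per user. The following is an added example (not code from the pull request or from Apache NiFi) of what that claim-driven path has to check before it can trust the roles: the token's signature, issuer, audience and expiry are verified first, and only then is the `roles` claim (the claim name Azure AD uses for app roles) mapped onto group names. Assumptions: the token is HS256-signed with a constructed shared secret so the example runs offline (Azure AD issues RS256 tokens verified against its published keys), the tenant and client ids are placeholders, and `ROLE_TO_GROUP` is a hypothetical mapping from app role values to NiFi group names.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo secret so the example is self-contained. A real verifier
# would check an RS256 signature against the tenant's published signing keys.
DEMO_SECRET = b"constructed-demo-secret-do-not-reuse"
# Placeholder tenant and app registration (client) ids.
EXPECTED_ISSUER = "https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/v2.0"
EXPECTED_AUDIENCE = "00000000-0000-0000-0000-00000000abcd"
# Hypothetical mapping from Azure AD app role values to NiFi group names.
ROLE_TO_GROUP = {"NiFi.Admin": "nifi-admins", "NiFi.Operator": "nifi-operators"}


class TokenRejected(Exception):
    """Raised for any token that fails verification; the caller denies access."""


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_demo_token(claims: dict, secret: bytes = DEMO_SECRET) -> str:
    """Build an HS256-signed JWT from constructed claims (test fixture only)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join([
        b64url_encode(json.dumps(header, separators=(",", ":")).encode()),
        b64url_encode(json.dumps(claims, separators=(",", ":")).encode()),
    ])
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify_token(token: str, secret: bytes = DEMO_SECRET, now=None) -> dict:
    """Check alg, signature, issuer, audience and expiry; return the claims."""
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenRejected("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # Pin the algorithm instead of trusting whatever the token header says.
    if header.get("alg") != "HS256":
        raise TokenRejected("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise TokenRejected("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("iss") != EXPECTED_ISSUER:
        raise TokenRejected("wrong issuer")
    if claims.get("aud") != EXPECTED_AUDIENCE:
        raise TokenRejected("wrong audience")
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now:
        raise TokenRejected("expired")
    return claims


def groups_from_app_roles(claims: dict, role_to_group: dict):
    """Map the verified 'roles' claim to group names; unmapped roles are ignored."""
    identity = claims.get("preferred_username") or claims.get("sub")
    if not identity:
        raise TokenRejected("no identity claim")
    roles = claims.get("roles", [])
    if not isinstance(roles, list):
        raise TokenRejected("roles claim must be a list")
    groups = {role_to_group[r] for r in roles if r in role_to_group}
    return identity, groups


def demo(now=1_700_000_000):
    """Issue a constructed token for one user and resolve that user's groups."""
    claims = {
        "iss": EXPECTED_ISSUER,
        "aud": EXPECTED_AUDIENCE,
        "exp": 2_000_000_000,
        "preferred_username": "alice@example.com",  # constructed sample user
        "roles": ["NiFi.Admin", "Unmapped.Role"],
    }
    token = make_demo_token(claims)
    return groups_from_app_roles(verify_token(token, now=now), ROLE_TO_GROUP)


if __name__ == "__main__":
    identity, groups = demo()
    print(identity, sorted(groups))
```

The order matters: group names are derived only from claims that have already passed signature, issuer, audience and expiry checks, and any role value without a mapping is dropped rather than turned into a group, so a role added on the identity provider side grants nothing in NiFi until an administrator maps it.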