You are viewing a plain text version of this content. The canonical link for it is here.

Posted to issues@nifi.apache.org by mcgilman <gi...@git.apache.org> on 2017/07/05 13:43:39 UTC

[GitHub] nifi pull request #1978: NIFI-4127: Composite User Group Providers

GitHub user mcgilman opened a pull request:

    https://github.com/apache/nifi/pull/1978

    NIFI-4127: Composite User Group Providers

    NIFI-4127:
    - Introducing composite ConfigurableUserGroupProvider and UserGroupProvider.
    - Adding appropriate unit tests.
    - Updating object model to support per resource (user/group/policy) configuration.
    - Updating UI to support per resource (user/group/policy) configuration.
    - Adding necessary documentation.

You can merge this pull request into a Git repository by running:

    $ git pull https://github.com/mcgilman/nifi NIFI-4127

Alternatively you can review and apply these changes as the patch at:

    https://github.com/apache/nifi/pull/1978.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

    This closes #1978
    
----
commit 0e679007e59bfea050f73b046f52b2a772a281ae
Author: Matt Gilman <ma...@gmail.com>
Date:   2017-06-28T20:40:41Z

    NIFI-4127:
    - Introducing composite ConfigurableUserGroupProvider and UserGroupProvider.
    - Adding appropriate unit tests.
    - Updating object model to support per resource (user/group/policy) configuration.
    - Updating UI to support per resource (user/group/policy) configuration.
    - Adding necessary documentation.

----


---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastructure@apache.org or file a JIRA ticket
with INFRA.
---

[GitHub] nifi pull request #1978: NIFI-4127: Composite User Group Providers

Posted by mcgilman <gi...@git.apache.org>.

Github user mcgilman commented on a diff in the pull request:

https://github.com/apache/nifi/pull/1978#discussion_r125994624

--- Diff: nifi-docs/src/main/asciidoc/administration-guide.adoc ---
@@ -464,6 +464,17 @@ Another option for the UserGroupProvider is the LdapUserGroupProvider. By defaul
* Group Name Attribute - Attribute to use to extract group name (i.e. cn). Optional. If not set, the entire DN is used.
* Group Member Attribute - Attribute to use to define group membership (i.e. member). Optional. If not set group membership will not be calculated through the groups. Will rely on group member being defined through 'User Group Name Attribute' if set.

Ah. Sorry your totally right. I forgot about those checks. They have been in place for awhile. So that constraint shouldn't be unique to the composite providers. Regardless, I will update the documentation accordingly. I suppose I could remove those tests I referenced since they will never hit when running in the app. However, they still ensure the order the providers are invoked so I'll probably leave them in place. Anyways, thanks for confirming.

---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastructure@apache.org or file a JIRA ticket
with INFRA.
---

[GitHub] nifi pull request #1978: NIFI-4127: Composite User Group Providers

Posted by asfgit <gi...@git.apache.org>.

Github user asfgit closed the pull request at:

    https://github.com/apache/nifi/pull/1978


---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastructure@apache.org or file a JIRA ticket
with INFRA.
---

[GitHub] nifi pull request #1978: NIFI-4127: Composite User Group Providers

Posted by pvillard31 <gi...@git.apache.org>.

Github user pvillard31 commented on a diff in the pull request:

    https://github.com/apache/nifi/pull/1978#discussion_r125993273
  
    --- Diff: nifi-docs/src/main/asciidoc/administration-guide.adoc ---
    @@ -464,6 +464,17 @@ Another option for the UserGroupProvider is the LdapUserGroupProvider. By defaul
     * Group Name Attribute - Attribute to use to extract group name (i.e. cn). Optional. If not set, the entire DN is used.
     * Group Member Attribute - Attribute to use to define group membership (i.e. member). Optional. If not set group membership will not be calculated through the groups. Will rely on group member being defined through 'User Group Name Attribute' if set.
     
    +Another option for the UserGroupProvider are composite implementations. This means that multiple sources/implementations can be configured and composed. For instance, an admin can configure users/groups to be loaded from a file and an directory server. There are two composite implementations, one that supports multiple UserGroupProviders and one that supports multiple UserGroupProviders and a single configurable UserGroupProvider.
    +
    +The CompositeUserGroupProvider will provide support for retrieving users and groups from multiple sources.
    --- End diff --
    
    Hmm you're right but here is what I did: a first test with the configurable provider and two LDAP servers, no collision, everything starting as expected. Then, I stopped nifi, manually modified the file of the configurable provider to add a user already existing in one of the LDAP providers. In that case, NiFi failed to start with the following stack trace:
    
    ````
    2017-07-06 21:19:53,484 WARN [main] org.apache.nifi.web.server.JettyServer Failed to start web server... shutting down.
    org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'niFiWebApiSecurityConfiguration': Injection of autowired dependencies failed; nested exception is org.springframework.beans.factory.BeanCreationException: Could not autowire method: public void org.apache.nifi.web.NiFiWebApiSecurityConfiguration.setJwtAuthenticationProvider(org.apache.nifi.web.security.jwt.JwtAuthenticationProvider); nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'jwtAuthenticationProvider' defined in class path resource [nifi-web-security-context.xml]: Cannot resolve reference to bean 'authorizer' while setting constructor argument; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'authorizer': FactoryBean threw exception on object creation; nested exception is org.apache.nifi.authorization.exception.AuthorizerCreationException: Found multiple users/user group
 s with identity 'test'.
    	at org.springframework.beans.factory.annotation.AutowiredAnnotationBeanPostProcessor.postProcessPropertyValues(AutowiredAnnotationBeanPostProcessor.java:334)
    	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.populateBean(AbstractAutowireCapableBeanFactory.java:1214)
    	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:543)
    	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:482)
    	at org.springframework.beans.factory.support.AbstractBeanFactory$1.getObject(AbstractBeanFactory.java:306)
    	at org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:230)
    	at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:302)
    	at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:197)
    	at org.springframework.beans.factory.support.DefaultListableBeanFactory.preInstantiateSingletons(DefaultListableBeanFactory.java:772)
    	at org.springframework.context.support.AbstractApplicationContext.finishBeanFactoryInitialization(AbstractApplicationContext.java:839)
    	at org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:538)
    	at org.springframework.web.context.ContextLoader.configureAndRefreshWebApplicationContext(ContextLoader.java:446)
    	at org.springframework.web.context.ContextLoader.initWebApplicationContext(ContextLoader.java:328)
    	at org.springframework.web.context.ContextLoaderListener.contextInitialized(ContextLoaderListener.java:107)
    	at org.eclipse.jetty.server.handler.ContextHandler.callContextInitialized(ContextHandler.java:876)
    	at org.eclipse.jetty.servlet.ServletContextHandler.callContextInitialized(ServletContextHandler.java:532)
    	at org.eclipse.jetty.server.handler.ContextHandler.startContext(ContextHandler.java:839)
    	at org.eclipse.jetty.servlet.ServletContextHandler.startContext(ServletContextHandler.java:344)
    	at org.eclipse.jetty.webapp.WebAppContext.startWebapp(WebAppContext.java:1480)
    	at org.eclipse.jetty.webapp.WebAppContext.startContext(WebAppContext.java:1442)
    	at org.eclipse.jetty.server.handler.ContextHandler.doStart(ContextHandler.java:799)
    	at org.eclipse.jetty.servlet.ServletContextHandler.doStart(ServletContextHandler.java:261)
    	at org.eclipse.jetty.webapp.WebAppContext.doStart(WebAppContext.java:540)
    	at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:68)
    	at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:131)
    	at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:113)
    	at org.eclipse.jetty.server.handler.AbstractHandler.doStart(AbstractHandler.java:113)
    	at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:68)
    	at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:131)
    	at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:105)
    	at org.eclipse.jetty.server.handler.AbstractHandler.doStart(AbstractHandler.java:113)
    	at org.eclipse.jetty.server.handler.gzip.GzipHandler.doStart(GzipHandler.java:290)
    	at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:68)
    	at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:131)
    	at org.eclipse.jetty.server.Server.start(Server.java:452)
    	at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:105)
    	at org.eclipse.jetty.server.handler.AbstractHandler.doStart(AbstractHandler.java:113)
    	at org.eclipse.jetty.server.Server.doStart(Server.java:419)
    	at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:68)
    	at org.apache.nifi.web.server.JettyServer.start(JettyServer.java:705)
    	at org.apache.nifi.NiFi.<init>(NiFi.java:160)
    	at org.apache.nifi.NiFi.main(NiFi.java:267)
    Caused by: org.springframework.beans.factory.BeanCreationException: Could not autowire method: public void org.apache.nifi.web.NiFiWebApiSecurityConfiguration.setJwtAuthenticationProvider(org.apache.nifi.web.security.jwt.JwtAuthenticationProvider); nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'jwtAuthenticationProvider' defined in class path resource [nifi-web-security-context.xml]: Cannot resolve reference to bean 'authorizer' while setting constructor argument; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'authorizer': FactoryBean threw exception on object creation; nested exception is org.apache.nifi.authorization.exception.AuthorizerCreationException: Found multiple users/user groups with identity 'test'.
    	at org.springframework.beans.factory.annotation.AutowiredAnnotationBeanPostProcessor$AutowiredMethodElement.inject(AutowiredAnnotationBeanPostProcessor.java:661)
    	at org.springframework.beans.factory.annotation.InjectionMetadata.inject(InjectionMetadata.java:88)
    	at org.springframework.beans.factory.annotation.AutowiredAnnotationBeanPostProcessor.postProcessPropertyValues(AutowiredAnnotationBeanPostProcessor.java:331)
    	... 41 common frames omitted
    Caused by: org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'jwtAuthenticationProvider' defined in class path resource [nifi-web-security-context.xml]: Cannot resolve reference to bean 'authorizer' while setting constructor argument; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'authorizer': FactoryBean threw exception on object creation; nested exception is org.apache.nifi.authorization.exception.AuthorizerCreationException: Found multiple users/user groups with identity 'test'.
    	at org.springframework.beans.factory.support.BeanDefinitionValueResolver.resolveReference(BeanDefinitionValueResolver.java:359)
    	at org.springframework.beans.factory.support.BeanDefinitionValueResolver.resolveValueIfNecessary(BeanDefinitionValueResolver.java:108)
    	at org.springframework.beans.factory.support.ConstructorResolver.resolveConstructorArguments(ConstructorResolver.java:634)
    	at org.springframework.beans.factory.support.ConstructorResolver.autowireConstructor(ConstructorResolver.java:140)
    	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.autowireConstructor(AbstractAutowireCapableBeanFactory.java:1143)
    	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBeanInstance(AbstractAutowireCapableBeanFactory.java:1046)
    	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:510)
    	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:482)
    	at org.springframework.beans.factory.support.AbstractBeanFactory$1.getObject(AbstractBeanFactory.java:306)
    	at org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:230)
    	at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:302)
    	at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:197)
    	at org.springframework.beans.factory.support.DefaultListableBeanFactory.findAutowireCandidates(DefaultListableBeanFactory.java:1192)
    	at org.springframework.beans.factory.support.DefaultListableBeanFactory.doResolveDependency(DefaultListableBeanFactory.java:1116)
    	at org.springframework.beans.factory.support.DefaultListableBeanFactory.resolveDependency(DefaultListableBeanFactory.java:1014)
    	at org.springframework.beans.factory.annotation.AutowiredAnnotationBeanPostProcessor$AutowiredMethodElement.inject(AutowiredAnnotationBeanPostProcessor.java:618)
    	... 43 common frames omitted
    Caused by: org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'authorizer': FactoryBean threw exception on object creation; nested exception is org.apache.nifi.authorization.exception.AuthorizerCreationException: Found multiple users/user groups with identity 'test'.
    	at org.springframework.beans.factory.support.FactoryBeanRegistrySupport.doGetObjectFromFactoryBean(FactoryBeanRegistrySupport.java:175)
    	at org.springframework.beans.factory.support.FactoryBeanRegistrySupport.getObjectFromFactoryBean(FactoryBeanRegistrySupport.java:103)
    	at org.springframework.beans.factory.support.AbstractBeanFactory.getObjectForBeanInstance(AbstractBeanFactory.java:1585)
    	at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:317)
    	at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:197)
    	at org.springframework.beans.factory.support.BeanDefinitionValueResolver.resolveReference(BeanDefinitionValueResolver.java:351)
    	... 58 common frames omitted
    Caused by: org.apache.nifi.authorization.exception.AuthorizerCreationException: Found multiple users/user groups with identity 'test'.
    	at org.apache.nifi.authorization.AuthorizerFactory$1.onConfigured(AuthorizerFactory.java:337)
    	at org.apache.nifi.authorization.AuthorizerFactoryBean.getObject(AuthorizerFactoryBean.java:140)
    	at org.springframework.beans.factory.support.FactoryBeanRegistrySupport.doGetObjectFromFactoryBean(FactoryBeanRegistrySupport.java:168)
    	... 63 common frames omitted
    2017-07-06 21:19:53,487 INFO [Thread-1] org.apache.nifi.NiFi Initiating shutdown of Jetty web server...
    ````
    
    If you tell me that no one should be manually updating the users file, that's totally fine for me. Or maybe I misconfigured something?


---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastructure@apache.org or file a JIRA ticket
with INFRA.
---

[GitHub] nifi pull request #1978: NIFI-4127: Composite User Group Providers

Posted by pvillard31 <gi...@git.apache.org>.

Github user pvillard31 commented on a diff in the pull request:

https://github.com/apache/nifi/pull/1978#discussion_r125982809

typo: and a directory server

[GitHub] nifi issue #1978: NIFI-4127: Composite User Group Providers

Posted by mcgilman <gi...@git.apache.org>.

Github user mcgilman commented on the issue:

    https://github.com/apache/nifi/pull/1978
  
    @pvillard31 A second commit has been pushed updating the documentation and providing an example of the composite configurable user group provider. Thanks again for the review!


---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastructure@apache.org or file a JIRA ticket
with INFRA.
---

[GitHub] nifi pull request #1978: NIFI-4127: Composite User Group Providers

Posted by pvillard31 <gi...@git.apache.org>.

Github user pvillard31 commented on a diff in the pull request:

https://github.com/apache/nifi/pull/1978#discussion_r125984210

+Another option for the UserGroupProvider are composite implementations. This means that multiple sources/implementations can be configured and composed. For instance, an admin can configure users/groups to be loaded from a file and an directory server. There are two composite implementations, one that supports multiple UserGroupProviders and one that supports multiple UserGroupProviders and a single configurable UserGroupProvider.
+
+The CompositeUserGroupProvider will provide support for retrieving users and groups from multiple sources.
+
+* User Group Provider - The identifier of user group providers to load from. The name of each property must be unique, for example: "User Group Provider A", "User Group Provider B", "User Group Provider C" or "User Group Provider 1", "User Group Provider 2", "User Group Provider 3"
+
+The CompositeConfigurableUserGroupProvider will provide support for retrieving users and groups from multiple sources. Additionally, a single configurable user group provider is required. Users from the configurable user group provider are configurable, however users loaded from one of the User Group Provider [unique key] will not be.
+
+* Configurable User Group Provider - A configurable user group provider.
--- End diff --

I would add an example or update the example below in the documentation to show the configuration of the CompositeConfigurableUserGroupProvider as I believe it'll be largely used.

[GitHub] nifi issue #1978: NIFI-4127: Composite User Group Providers

Posted by pvillard31 <gi...@git.apache.org>.

Github user pvillard31 commented on the issue:

    https://github.com/apache/nifi/pull/1978
  
    +1, thanks @mcgilman, I'll squash and merge to master.


---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastructure@apache.org or file a JIRA ticket
with INFRA.
---

[GitHub] nifi pull request #1978: NIFI-4127: Composite User Group Providers

Posted by pvillard31 <gi...@git.apache.org>.

Github user pvillard31 commented on a diff in the pull request:

https://github.com/apache/nifi/pull/1978#discussion_r125983712

It's really a detail, but for uniformity, could you add "The X has the following properties:"?

[GitHub] nifi pull request #1978: NIFI-4127: Composite User Group Providers

Posted by mcgilman <gi...@git.apache.org>.

Github user mcgilman commented on a diff in the pull request:

https://github.com/apache/nifi/pull/1978#discussion_r125987445

Multiple users should be supported in this PR. Did you see otherwise? There are a couple test cases that verify this [1] [2]. Order does matter and I can update the docs to describe this fact. UserGroupProviders are invoked in the order they appear in the authorizers.xml.

[1] https://github.com/mcgilman/nifi/blob/0e679007e59bfea050f73b046f52b2a772a281ae/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-framework-authorization/src/test/java/org/apache/nifi/authorization/CompositeUserGroupProviderTest.java#L139
[2] https://github.com/mcgilman/nifi/blob/0e679007e59bfea050f73b046f52b2a772a281ae/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-framework-authorization/src/test/java/org/apache/nifi/authorization/CompositeConfigurableUserGroupProviderTest.java#L93

[GitHub] nifi pull request #1978: NIFI-4127: Composite User Group Providers

Posted by pvillard31 <gi...@git.apache.org>.

Github user pvillard31 commented on a diff in the pull request:

https://github.com/apache/nifi/pull/1978#discussion_r125983064

I think we should indicate that if we have users/groups collisions between the sources, NiFi won't start successfully.

[GitHub] nifi issue #1978: NIFI-4127: Composite User Group Providers

Posted by pvillard31 <gi...@git.apache.org>.

Github user pvillard31 commented on the issue:

    https://github.com/apache/nifi/pull/1978
  
    Reviewing...


---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastructure@apache.org or file a JIRA ticket
with INFRA.
---