You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@nifi.apache.org by GitBox <gi...@apache.org> on 2020/02/18 20:09:38 UTC
[GitHub] [nifi] bbende opened a new pull request #4062: NIFI-7030 Add Kerberos principal and password properties to Solr proc…
bbende opened a new pull request #4062: NIFI-7030 Add Kerberos principal and password properties to Solr proc…
URL: https://github.com/apache/nifi/pull/4062
…essors.
This allows authenticating to a kerberized Solr using a principal and password, as an alternative to the keytab credential service.
I tested this with docker-kdc, Solr 8.4.1, and ZooKeeper 3.4.6, all running locally.
The Solr reference guide has good instructions on how to configure everything:
https://lucene.apache.org/solr/guide/8_4/kerberos-authentication-plugin.html#kerberos-authentication-plugin
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
With regards,
Apache Git Services
[GitHub] [nifi] alopresto commented on a change in pull request #4062: NIFI-7030 Add Kerberos principal and password properties to Solr proc…
Posted by GitBox <gi...@apache.org>.
alopresto commented on a change in pull request #4062: NIFI-7030 Add Kerberos principal and password properties to Solr proc…
URL: https://github.com/apache/nifi/pull/4062#discussion_r381675566
##########
File path: nifi-nar-bundles/nifi-solr-bundle/nifi-solr-processors/src/main/java/org/apache/nifi/processors/solr/SolrUtils.java
##########
@@ -149,6 +151,25 @@
.required(false)
.build();
+ public static final PropertyDescriptor KERBEROS_PRINCIPAL = new PropertyDescriptor.Builder()
+ .name("Kerberos Principal")
+ .description("The principal to use when specifying the principal and password directly in the processor for authenticating to Solr via Kerberos.")
+ .required(false)
+ .addValidator(StandardValidators.NON_EMPTY_VALIDATOR)
+ .addValidator(StandardValidators.createAttributeExpressionLanguageValidator(AttributeExpression.ResultType.STRING))
+ .expressionLanguageSupported(ExpressionLanguageScope.VARIABLE_REGISTRY)
+ .build();
+
+ public static final PropertyDescriptor KERBEROS_PASSWORD = new PropertyDescriptor.Builder()
+ .name("Kerberos Password")
Review comment:
Minor issue but I would use `.name("kerberos-password")` and `.displayName("Kerberos Password")` here.
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
With regards,
Apache Git Services
[GitHub] [nifi] jtstorck closed pull request #4062: NIFI-7030 Add Kerberos principal and password properties to Solr proc…
Posted by GitBox <gi...@apache.org>.
jtstorck closed pull request #4062: NIFI-7030 Add Kerberos principal and password properties to Solr proc…
URL: https://github.com/apache/nifi/pull/4062
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
With regards,
Apache Git Services
[GitHub] [nifi] alopresto commented on a change in pull request #4062: NIFI-7030 Add Kerberos principal and password properties to Solr proc…
Posted by GitBox <gi...@apache.org>.
alopresto commented on a change in pull request #4062: NIFI-7030 Add Kerberos principal and password properties to Solr proc…
URL: https://github.com/apache/nifi/pull/4062#discussion_r381677000
##########
File path: nifi-nar-bundles/nifi-solr-bundle/nifi-solr-processors/src/test/java/org/apache/nifi/processors/solr/TestPutSolrContentStream.java
##########
@@ -459,6 +460,67 @@ public void testBasicAuthAndKerberosNotAllowedTogether() throws IOException, Ini
Assert.assertEquals(keytab, ((KerberosKeytabUser)kerberosUser).getKeytabFile());
}
+ @Test
+ public void testBasicAuthAndKerberosPrincipalPasswordNotAllowedTogether() throws IOException, InitializationException {
+ final SolrClient solrClient = createEmbeddedSolrClient(DEFAULT_SOLR_CORE);
+ final TestableProcessor proc = new TestableProcessor(solrClient);
+ final TestRunner runner = createDefaultTestRunner(proc);
+ runner.assertValid();
+
+ runner.setProperty(SolrUtils.BASIC_USERNAME, "user1");
+ runner.setProperty(SolrUtils.BASIC_PASSWORD, "password");
+ runner.assertValid();
+
+ final String kerberosPrincipal = "nifi@FOO.COM";
+ final String kerberosPassword = "nifi";
+ runner.setProperty(SolrUtils.KERBEROS_PRINCIPAL, kerberosPrincipal);
+ runner.setProperty(SolrUtils.KERBEROS_PASSWORD, kerberosPassword);
+
+ runner.assertNotValid();
+
+ runner.removeProperty(SolrUtils.BASIC_USERNAME);
+ runner.removeProperty(SolrUtils.BASIC_PASSWORD);
+ runner.assertValid();
+
+ proc.onScheduled(runner.getProcessContext());
+ final KerberosUser kerberosUser = proc.getMockKerberosKeytabUser();;
Review comment:
Double `;` typo.
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
With regards,
Apache Git Services
[GitHub] [nifi] alopresto commented on a change in pull request #4062: NIFI-7030 Add Kerberos principal and password properties to Solr proc…
Posted by GitBox <gi...@apache.org>.
alopresto commented on a change in pull request #4062: NIFI-7030 Add Kerberos principal and password properties to Solr proc…
URL: https://github.com/apache/nifi/pull/4062#discussion_r381675449
##########
File path: nifi-nar-bundles/nifi-solr-bundle/nifi-solr-processors/src/main/java/org/apache/nifi/processors/solr/SolrUtils.java
##########
@@ -149,6 +151,25 @@
.required(false)
.build();
+ public static final PropertyDescriptor KERBEROS_PRINCIPAL = new PropertyDescriptor.Builder()
+ .name("Kerberos Principal")
Review comment:
Minor issue but I would use `.name("kerberos-principal")` and `.displayName("Kerberos Principal")` here.
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
With regards,
Apache Git Services
[GitHub] [nifi] bbende commented on issue #4062: NIFI-7030 Add Kerberos principal and password properties to Solr proc…
Posted by GitBox <gi...@apache.org>.
bbende commented on issue #4062: NIFI-7030 Add Kerberos principal and password properties to Solr proc…
URL: https://github.com/apache/nifi/pull/4062#issuecomment-589295278
Pushed commits that address review comments from @alopresto
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
With regards,
Apache Git Services
[GitHub] [nifi] alopresto commented on a change in pull request #4062: NIFI-7030 Add Kerberos principal and password properties to Solr proc…
Posted by GitBox <gi...@apache.org>.
alopresto commented on a change in pull request #4062: NIFI-7030 Add Kerberos principal and password properties to Solr proc…
URL: https://github.com/apache/nifi/pull/4062#discussion_r381677350
##########
File path: nifi-nar-bundles/nifi-solr-bundle/nifi-solr-processors/src/test/java/org/apache/nifi/processors/solr/TestPutSolrContentStream.java
##########
@@ -459,6 +460,67 @@ public void testBasicAuthAndKerberosNotAllowedTogether() throws IOException, Ini
Assert.assertEquals(keytab, ((KerberosKeytabUser)kerberosUser).getKeytabFile());
}
+ @Test
+ public void testBasicAuthAndKerberosPrincipalPasswordNotAllowedTogether() throws IOException, InitializationException {
+ final SolrClient solrClient = createEmbeddedSolrClient(DEFAULT_SOLR_CORE);
+ final TestableProcessor proc = new TestableProcessor(solrClient);
+ final TestRunner runner = createDefaultTestRunner(proc);
+ runner.assertValid();
+
+ runner.setProperty(SolrUtils.BASIC_USERNAME, "user1");
+ runner.setProperty(SolrUtils.BASIC_PASSWORD, "password");
+ runner.assertValid();
+
+ final String kerberosPrincipal = "nifi@FOO.COM";
+ final String kerberosPassword = "nifi";
+ runner.setProperty(SolrUtils.KERBEROS_PRINCIPAL, kerberosPrincipal);
+ runner.setProperty(SolrUtils.KERBEROS_PASSWORD, kerberosPassword);
+
+ runner.assertNotValid();
+
+ runner.removeProperty(SolrUtils.BASIC_USERNAME);
+ runner.removeProperty(SolrUtils.BASIC_PASSWORD);
+ runner.assertValid();
+
+ proc.onScheduled(runner.getProcessContext());
+ final KerberosUser kerberosUser = proc.getMockKerberosKeytabUser();;
+ Assert.assertNotNull(kerberosUser);
+ Assert.assertEquals(kerberosPrincipal, kerberosUser.getPrincipal());
+ Assert.assertEquals(kerberosPassword, ((KerberosPasswordUser)kerberosUser).getPassword());
+ }
+
+ @Test
+ public void testKerberosPrincipalPasswordAndKerberosCredentialServiceNotAllowedTogether() throws IOException, InitializationException {
+ final SolrClient solrClient = createEmbeddedSolrClient(DEFAULT_SOLR_CORE);
+ final TestableProcessor proc = new TestableProcessor(solrClient);
+ final TestRunner runner = createDefaultTestRunner(proc);
+ runner.assertValid();
+
+ final String kerberosPrincipal = "nifi@FOO.COM";
+ final String kerberosPassword = "nifi";
+ runner.setProperty(SolrUtils.KERBEROS_PRINCIPAL, kerberosPrincipal);
+ runner.setProperty(SolrUtils.KERBEROS_PASSWORD, kerberosPassword);
+
+ final String principal = "nifi@FOO.COM";
+ final String keytab = "src/test/resources/foo.keytab";
+ final KerberosCredentialsService kerberosCredentialsService = new MockKerberosCredentialsService(principal, keytab);
+ runner.addControllerService("kerb-credentials", kerberosCredentialsService);
+ runner.enableControllerService(kerberosCredentialsService);
+ runner.setProperty(SolrUtils.KERBEROS_CREDENTIALS_SERVICE, "kerb-credentials");
+
+ runner.assertNotValid();
+
+ runner.removeProperty(SolrUtils.KERBEROS_PRINCIPAL);
+ runner.removeProperty(SolrUtils.KERBEROS_PASSWORD);
+ runner.assertValid();
+
+ proc.onScheduled(runner.getProcessContext());
+ final KerberosUser kerberosUser = proc.getMockKerberosKeytabUser();;
Review comment:
Double `;` typo.
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
With regards,
Apache Git Services
[GitHub] [nifi] alopresto commented on a change in pull request #4062: NIFI-7030 Add Kerberos principal and password properties to Solr proc…
Posted by GitBox <gi...@apache.org>.
alopresto commented on a change in pull request #4062: NIFI-7030 Add Kerberos principal and password properties to Solr proc…
URL: https://github.com/apache/nifi/pull/4062#discussion_r381676001
##########
File path: nifi-nar-bundles/nifi-solr-bundle/nifi-solr-processors/src/main/java/org/apache/nifi/processors/solr/SolrUtils.java
##########
@@ -149,6 +151,25 @@
.required(false)
.build();
+ public static final PropertyDescriptor KERBEROS_PRINCIPAL = new PropertyDescriptor.Builder()
+ .name("Kerberos Principal")
+ .description("The principal to use when specifying the principal and password directly in the processor for authenticating to Solr via Kerberos.")
+ .required(false)
+ .addValidator(StandardValidators.NON_EMPTY_VALIDATOR)
+ .addValidator(StandardValidators.createAttributeExpressionLanguageValidator(AttributeExpression.ResultType.STRING))
+ .expressionLanguageSupported(ExpressionLanguageScope.VARIABLE_REGISTRY)
+ .build();
+
+ public static final PropertyDescriptor KERBEROS_PASSWORD = new PropertyDescriptor.Builder()
+ .name("Kerberos Password")
+ .description("The password to use when specifying the principal and password directly in the processor for authenticating to Solr via Kerberos.")
+ .required(false)
+ .addValidator(StandardValidators.NON_EMPTY_VALIDATOR)
+ .addValidator(StandardValidators.createAttributeExpressionLanguageValidator(AttributeExpression.ResultType.STRING))
+ .expressionLanguageSupported(ExpressionLanguageScope.VARIABLE_REGISTRY)
Review comment:
I don't think sensitive property descriptors should support EL - parameters now solve the requirement. This also means that in other locations where the value is referenced from the context, we do not need to evaluate EL.
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
With regards,
Apache Git Services