Posted to issues@nifi.apache.org by "ASF subversion and git services (Jira)" <ji...@apache.org> on 2023/06/22 20:51:00 UTC

[jira] [Commented] (NIFI-11492) Allow OIDC/SAML authorization without existence of user

    [ https://issues.apache.org/jira/browse/NIFI-11492?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17736281#comment-17736281 ] 

ASF subversion and git services commented on NIFI-11492:
--------------------------------------------------------

Commit 40014486a408c2676afecad9d20b8c130a4bc8d1 in nifi's branch refs/heads/main from Bryan Bende
[ https://gitbox.apache.org/repos/asf?p=nifi.git;h=40014486a4 ]

NIFI-11492 Allow authorization to proceed based on request groups even if user does not exist

This closes #7425

Signed-off-by: David Handermann <ex...@apache.org>


> Allow OIDC/SAML authorization without existence of user
> -------------------------------------------------------
>
>                 Key: NIFI-11492
>                 URL: https://issues.apache.org/jira/browse/NIFI-11492
>             Project: Apache NiFi
>          Issue Type: Improvement
>    Affects Versions: 1.21.0
>            Reporter: Bryan Bende
>            Assignee: Bryan Bende
>            Priority: Major
>             Fix For: 1.latest, 2.latest
>
>          Time Spent: 20m
>  Remaining Estimate: 0h
>
> When authenticating via SAML or OIDC, the NiFiUser passes along any groups obtained from the identity provider's response. These groups are then passed into authorization on the request and combined with the user's groups when checking policies.
> Currently the StandardManagedAuthorizer uses the configured UserGroupProvider and does the following:
> {code:java}
> // Look up the user, and the groups the provider knows for it, by the identity on the request.
> final UserAndGroups userAndGroups = userGroupProvider.getUserAndGroups(request.getIdentity());
> final User user = userAndGroups.getUser();
> // Unknown identity: deny before any policy is consulted, even if the request carries external groups.
> if (user == null) {
>     return AuthorizationResult.denied(String.format("Unknown user with identity '%s'.", request.getIdentity()));
> }
> {code}
> This was existing logic that was correct before the concept of external groups existed, because without finding the user, we had no user id or groups to check policies against. However, now that we have the external groups, even if no user exists we should be able to still proceed with checking policies for just those external groups. This would make it so the knowledge of all users doesn't need to be defined if only group policies are being implemented.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
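The before/after logic described in the issue, as an added sketch that is neither NiFi's code nor the commit's actual change: the record types, the policy model and the constructed sample (identity alice@example.com, group nifi-admins, resource /flow) are simplified assumptions, with minimal stand-ins in place of NiFi's UserGroupProvider, UserAndGroups and AuthorizationResult. The sample sends an identity that has no user record but carries a policy-matching IdP group through both rules.

```java
import java.util.*;

// Added illustration, not NiFi code: simplified stand-ins for the authorizer types named in the issue.
public class GroupBasedAuthorization {
    // Stand-in for the UserGroupProvider result: user id plus the groups the provider knows about.
    record UserAndGroups(String userId, Set<String> groups) {}
    // Stand-in for an access policy: the user ids and group names granted on a resource.
    record Policy(String resource, Set<String> userIds, Set<String> groupNames) {}

    /** Pre-NIFI-11492 logic: an unknown identity is denied before any policy is consulted. */
    static boolean authorizeLegacy(Map<String, UserAndGroups> provider, List<Policy> policies,
                                   String identity, Set<String> requestGroups, String resource) {
        UserAndGroups uag = provider.get(identity);
        if (uag == null) {
            return false; // the "Unknown user with identity ..." denial quoted in the description
        }
        return matchesPolicy(policies, uag.userId(), union(uag.groups(), requestGroups), resource);
    }

    /** Post-NIFI-11492 logic: with no user record, policies are checked against the request groups alone. */
    static boolean authorize(Map<String, UserAndGroups> provider, List<Policy> policies,
                             String identity, Set<String> requestGroups, String resource) {
        UserAndGroups uag = provider.get(identity);
        String userId = uag == null ? null : uag.userId();
        Set<String> groups = uag == null ? requestGroups : union(uag.groups(), requestGroups);
        return matchesPolicy(policies, userId, groups, resource); // no user and no groups match nothing
    }

    private static boolean matchesPolicy(List<Policy> policies, String userId, Set<String> groups, String resource) {
        return policies.stream().anyMatch(p -> p.resource().equals(resource)
                && ((userId != null && p.userIds().contains(userId))
                    || p.groupNames().stream().anyMatch(groups::contains)));
    }

    private static Set<String> union(Set<String> a, Set<String> b) {
        Set<String> out = new HashSet<>(a);
        out.addAll(b);
        return out;
    }

    public static void main(String[] args) {
        // Constructed sample: one policy grants "/flow" to group "nifi-admins"; no users are defined at all.
        Map<String, UserAndGroups> provider = Map.of();
        List<Policy> policies = List.of(new Policy("/flow", Set.of(), Set.of("nifi-admins")));
        Set<String> idpGroups = Set.of("nifi-admins"); // groups carried in the OIDC/SAML response
        System.out.println("legacy: " + authorizeLegacy(provider, policies, "alice@example.com", idpGroups, "/flow"));
        System.out.println("new:    " + authorize(provider, policies, "alice@example.com", idpGroups, "/flow"));
    }
}
```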