NIFIREG-60 NiFi Proxy Identity Support
Adds the ability to configure NiFi Identities to act as proxies for FileAccessPolicyProvider in authorizers.xml. This closes #45. Signed-off-by: Bryan Bende <bbende@apache.org>
Родитель
81a1a360c0
Коммит
cc3820990e
|
@ -34,6 +34,7 @@ import org.apache.nifi.registry.security.authorization.exception.UninheritableAu
|
|||
import org.apache.nifi.registry.security.authorization.file.generated.Authorizations;
|
||||
import org.apache.nifi.registry.security.authorization.file.generated.Policies;
|
||||
import org.apache.nifi.registry.security.authorization.file.generated.Policy;
|
||||
import org.apache.nifi.registry.security.authorization.resource.ResourceType;
|
||||
import org.apache.nifi.registry.security.exception.SecurityProviderCreationException;
|
||||
import org.apache.nifi.registry.security.exception.SecurityProviderDestructionException;
|
||||
import org.apache.nifi.registry.util.PropertyValue;
|
||||
|
@ -69,10 +70,13 @@ import java.util.ArrayList;
|
|||
import java.util.Collections;
|
||||
import java.util.Comparator;
|
||||
import java.util.Date;
|
||||
import java.util.HashSet;
|
||||
import java.util.Iterator;
|
||||
import java.util.List;
|
||||
import java.util.Map;
|
||||
import java.util.Set;
|
||||
import java.util.concurrent.atomic.AtomicReference;
|
||||
import java.util.regex.Matcher;
|
||||
import java.util.regex.Pattern;
|
||||
|
||||
public class FileAccessPolicyProvider implements ConfigurableAccessPolicyProvider {
|
||||
|
@ -126,16 +130,17 @@ public class FileAccessPolicyProvider implements ConfigurableAccessPolicyProvide
|
|||
new ResourceActionPair("/proxy", WRITE_CODE)
|
||||
};
|
||||
|
||||
static final String PROP_NODE_IDENTITY_PREFIX = "Node Identity ";
|
||||
static final String PROP_NIFI_IDENTITY_PREFIX = "NiFi Identity ";
|
||||
static final String PROP_USER_GROUP_PROVIDER = "User Group Provider";
|
||||
static final String PROP_AUTHORIZATIONS_FILE = "Authorizations File";
|
||||
static final String PROP_INITIAL_ADMIN_IDENTITY = "Initial Admin Identity";
|
||||
static final Pattern NODE_IDENTITY_PATTERN = Pattern.compile(PROP_NODE_IDENTITY_PREFIX + "\\S+");
|
||||
static final Pattern NIFI_IDENTITY_PATTERN = Pattern.compile(PROP_NIFI_IDENTITY_PREFIX + "\\S+");
|
||||
|
||||
private Schema authorizationsSchema;
|
||||
private NiFiRegistryProperties properties;
|
||||
private File authorizationsFile;
|
||||
private String initialAdminIdentity;
|
||||
private Set<String> nifiIdentities;
|
||||
private List<IdentityMapping> identityMappings;
|
||||
|
||||
private UserGroupProvider userGroupProvider;
|
||||
|
@ -179,21 +184,21 @@ public class FileAccessPolicyProvider implements ConfigurableAccessPolicyProvide
|
|||
saveAuthorizations(new Authorizations());
|
||||
}
|
||||
|
||||
// extract the identity mappings from nifi.properties if any are provided
|
||||
// extract the identity mappings from nifi-registry.properties if any are provided
|
||||
identityMappings = Collections.unmodifiableList(IdentityMappingUtil.getIdentityMappings(properties));
|
||||
|
||||
// get the value of the initial admin identity
|
||||
final PropertyValue initialAdminIdentityProp = configurationContext.getProperty(PROP_INITIAL_ADMIN_IDENTITY);
|
||||
initialAdminIdentity = initialAdminIdentityProp.isSet() ? IdentityMappingUtil.mapIdentity(initialAdminIdentityProp.getValue(), identityMappings) : null;
|
||||
|
||||
// // extract any node identities
|
||||
// nodeIdentities = new HashSet<>();
|
||||
// for (Map.Entry<String,String> entry : configurationContext.getProperties().entrySet()) {
|
||||
// Matcher matcher = NODE_IDENTITY_PATTERN.matcher(entry.getKey());
|
||||
// if (matcher.matches() && !StringUtils.isBlank(entry.getValue())) {
|
||||
// nodeIdentities.add(IdentityMappingUtil.mapIdentity(entry.getValue(), identityMappings));
|
||||
// }
|
||||
// }
|
||||
// extract any nifi identities
|
||||
nifiIdentities = new HashSet<>();
|
||||
for (Map.Entry<String,String> entry : configurationContext.getProperties().entrySet()) {
|
||||
Matcher matcher = NIFI_IDENTITY_PATTERN.matcher(entry.getKey());
|
||||
if (matcher.matches() && !StringUtils.isBlank(entry.getValue())) {
|
||||
nifiIdentities.add(IdentityMappingUtil.mapIdentity(entry.getValue(), identityMappings));
|
||||
}
|
||||
}
|
||||
|
||||
// load the authorizations
|
||||
load();
|
||||
|
@ -474,11 +479,20 @@ public class FileAccessPolicyProvider implements ConfigurableAccessPolicyProvide
|
|||
final AuthorizationsHolder authorizationsHolder = new AuthorizationsHolder(authorizations);
|
||||
final boolean emptyAuthorizations = authorizationsHolder.getAllPolicies().isEmpty();
|
||||
final boolean hasInitialAdminIdentity = (initialAdminIdentity != null && !StringUtils.isBlank(initialAdminIdentity));
|
||||
final boolean hasNiFiIdentities = (nifiIdentities != null && !nifiIdentities.isEmpty());
|
||||
|
||||
// if we are starting fresh then we might need to populate an initial admin
|
||||
if (emptyAuthorizations && hasInitialAdminIdentity) {
|
||||
logger.info("Populating authorizations for Initial Admin: " + initialAdminIdentity);
|
||||
populateInitialAdmin(authorizations);
|
||||
if (emptyAuthorizations) {
|
||||
if (hasInitialAdminIdentity) {
|
||||
logger.info("Populating authorizations for Initial Admin: " + initialAdminIdentity);
|
||||
populateInitialAdmin(authorizations);
|
||||
}
|
||||
|
||||
if (hasNiFiIdentities) {
|
||||
logger.info("Populating proxy authorizations for NiFi clients: [{}]", StringUtils.join(nifiIdentities, ";"));
|
||||
populateNiFiIdentities(authorizations);
|
||||
}
|
||||
|
||||
saveAndRefreshHolder(authorizations);
|
||||
} else {
|
||||
this.authorizationsHolder.set(authorizationsHolder);
|
||||
|
@ -516,28 +530,22 @@ public class FileAccessPolicyProvider implements ConfigurableAccessPolicyProvide
|
|||
}
|
||||
}
|
||||
|
||||
// /**
|
||||
// * Creates a user for each node and gives the nodes write permission to /proxy.
|
||||
// *
|
||||
// * @param authorizations the overall authorizations
|
||||
// */
|
||||
// private void populateNodes(Authorizations authorizations) {
|
||||
// for (String nodeIdentity : nodeIdentities) {
|
||||
// final User node = userGroupProvider.getUserByIdentity(nodeIdentity);
|
||||
// if (node == null) {
|
||||
// throw new AuthorizerCreationException("Unable to locate node " + nodeIdentity + " to seed policies.");
|
||||
// }
|
||||
//
|
||||
// // grant access to the proxy resource
|
||||
// addUserToAccessPolicy(authorizations, ResourceType.Proxy.getValue(), node.getIdentifier(), WRITE_CODE);
|
||||
//
|
||||
// // grant the user read/write access data of the root group
|
||||
// if (rootGroupId != null) {
|
||||
// addUserToAccessPolicy(authorizations, ResourceType.Data.getValue() + ResourceType.ProcessGroup.getValue() + "/" + rootGroupId, node.getIdentifier(), READ_CODE);
|
||||
// addUserToAccessPolicy(authorizations, ResourceType.Data.getValue() + ResourceType.ProcessGroup.getValue() + "/" + rootGroupId, node.getIdentifier(), WRITE_CODE);
|
||||
// }
|
||||
// }
|
||||
// }
|
||||
/**
|
||||
* Creates a user for each NiFi client and gives each one write permission to /proxy.
|
||||
*
|
||||
* @param authorizations the overall authorizations
|
||||
*/
|
||||
private void populateNiFiIdentities(Authorizations authorizations) {
|
||||
for (String nifiIdentity : nifiIdentities) {
|
||||
final User node = userGroupProvider.getUserByIdentity(nifiIdentity);
|
||||
if (node == null) {
|
||||
throw new SecurityProviderCreationException("Unable to locate node " + nifiIdentity + " to seed policies.");
|
||||
}
|
||||
|
||||
// grant access to the proxy resource
|
||||
addUserToAccessPolicy(authorizations, ResourceType.Proxy.getValue(), node.getIdentifier(), WRITE_CODE);
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
/**
|
||||
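Review bot: In the load hunk (`@ -474,11 +479,20`), `saveAndRefreshHolder(authorizations)` now runs whenever the authorizations file is empty, even when neither an initial admin nor any NiFi identity is configured, so an empty file is rewritten on every load where the old `emptyAuthorizations && hasInitialAdminIdentity` guard fell through to the else branch; consider `if (emptyAuthorizations && (hasInitialAdminIdentity || hasNiFiIdentities)) {` so the write only happens when something was actually seeded — the enclosing method starts and ends outside the hunk. In `populateNiFiIdentities` the local `node` and the message `"Unable to locate node " + nifiIdentity + " to seed policies."` keep the pre-rename wording; `"Unable to locate NiFi identity " + nifiIdentity + " to seed policies."` would match the log line at the call site. The method's Javadoc should also state that it is only reached when the authorizations file holds no policies, so a `NiFi Identity` property added after first start is not seeded and write access to /proxy must then be granted explicitly; because that policy lets the listed NiFi node act on behalf of end users, operators need this caveat. Something like `* Only called from load() while no policies exist; identities added afterwards are not seeded automatically.`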
|
|
|
@ -122,12 +122,12 @@ public class FileAuthorizer extends AbstractPolicyBasedAuthorizer {
|
|||
accessPolicyProperties.put(FileAuthorizer.PROP_LEGACY_AUTHORIZED_USERS_FILE, configurationProperties.get(FileAuthorizer.PROP_LEGACY_AUTHORIZED_USERS_FILE));
|
||||
}
|
||||
|
||||
// ensure all node identities are seeded into the user provider
|
||||
// ensure all nifi identities are seeded into the user provider
|
||||
configurationProperties.forEach((property, value) -> {
|
||||
final Matcher matcher = FileAccessPolicyProvider.NODE_IDENTITY_PATTERN.matcher(property);
|
||||
final Matcher matcher = FileAccessPolicyProvider.NIFI_IDENTITY_PATTERN.matcher(property);
|
||||
if (matcher.matches()) {
|
||||
accessPolicyProperties.put(property, value);
|
||||
userGroupProperties.put(property.replace(FileAccessPolicyProvider.PROP_NODE_IDENTITY_PREFIX, FileUserGroupProvider.PROP_INITIAL_USER_IDENTITY_PREFIX), value);
|
||||
userGroupProperties.put(property.replace(FileAccessPolicyProvider.PROP_NIFI_IDENTITY_PREFIX, FileUserGroupProvider.PROP_INITIAL_USER_IDENTITY_PREFIX), value);
|
||||
}
|
||||
});
|
||||
|
||||
|
|
|
@ -150,10 +150,10 @@ public class FileUserGroupProvider implements ConfigurableUserGroupProvider {
|
|||
|
||||
final File tenantsFileDirectory = tenantsFile.getAbsoluteFile().getParentFile();
|
||||
|
||||
// extract the identity mappings from nifi.properties if any are provided
|
||||
// extract the identity mappings from nifi-registry.properties if any are provided
|
||||
identityMappings = Collections.unmodifiableList(IdentityMappingUtil.getIdentityMappings(properties));
|
||||
|
||||
// extract any node identities
|
||||
// extract any nifi identities
|
||||
initialUserIdentities = new HashSet<>();
|
||||
for (Map.Entry<String,String> entry : configurationContext.getProperties().entrySet()) {
|
||||
Matcher matcher = INITIAL_USER_IDENTITY_PATTERN.matcher(entry.getKey());
|
||||
|
|
|
@ -331,7 +331,7 @@ public class LdapUserGroupProvider implements UserGroupProvider {
|
|||
pageSize = rawPageSize.asInteger();
|
||||
}
|
||||
|
||||
// extract the identity mappings from nifi.properties if any are provided
|
||||
// extract the identity mappings from nifi-registry.properties if any are provided
|
||||
identityMappings = Collections.unmodifiableList(IdentityMappingUtil.getIdentityMappings(properties));
|
||||
|
||||
// set the base environment is necessary
|
||||
|
|
|
@ -70,7 +70,7 @@ public class IdentityMappingUtil {
|
|||
}
|
||||
}
|
||||
|
||||
// sort the list by the key so users can control the ordering in nifi.properties
|
||||
// sort the list by the key so users can control the ordering in nifi-registry.properties
|
||||
Collections.sort(mappings, new Comparator<IdentityMapping>() {
|
||||
@Override
|
||||
public int compare(IdentityMapping m1, IdentityMapping m2) {
|
||||
|
|
|
@ -15,7 +15,7 @@
|
|||
-->
|
||||
<!--
|
||||
This file lists the userGroupProviders, accessPolicyProviders, and authorizers to use when running securely. In order
|
||||
to use a specific authorizer it must be configured here and its identifier must be specified in the nifi.properties file.
|
||||
to use a specific authorizer it must be configured here and its identifier must be specified in the nifi-registry.properties file.
|
||||
If the authorizer is a managedAuthorizer, it may need to be configured with an accessPolicyProvider and an userGroupProvider.
|
||||
This file allows for configuration of them, but they must be configured in order:
|
||||
|
||||
|
@ -37,7 +37,7 @@
|
|||
each property must be unique, for example: "Initial User Identity A", "Initial User Identity B",
|
||||
"Initial User Identity C" or "Initial User Identity 1", "Initial User Identity 2", "Initial User Identity 3"
|
||||
|
||||
NOTE: Any identity mapping rules specified in nifi.properties will also be applied to the user identities,
|
||||
NOTE: Any identity mapping rules specified in nifi-registry.properties will also be applied to the user identities,
|
||||
so the values should be the unmapped identities (i.e. full DN from a certificate).
|
||||
-->
|
||||
<userGroupProvider>
|
||||
|
@ -101,7 +101,7 @@
|
|||
group membership will not be calculated through the groups. Will rely on group member being defined
|
||||
through 'User Group Name Attribute' if set.
|
||||
|
||||
NOTE: Any identity mapping rules specified in nifi.properties will also be applied to the user identities.
|
||||
NOTE: Any identity mapping rules specified in nifi-registry.properties will also be applied to the user identities.
|
||||
Group names are not mapped.
|
||||
-->
|
||||
<!-- To enable the ldap-user-group-provider remove 2 lines. This is 1 of 2.
|
||||
|
@ -154,8 +154,8 @@
|
|||
each property must be unique, for example: "User Group Provider A", "User Group Provider B",
|
||||
"User Group Provider C" or "User Group Provider 1", "User Group Provider 2", "User Group Provider 3"
|
||||
|
||||
NOTE: Any identity mapping rules specified in nifi.properties are not applied in this implementation. This behavior
|
||||
would need to be applied by the base implementation.
|
||||
NOTE: Any identity mapping rules specified in nifi-registry.properties are not applied in this implementation. This
|
||||
behavior would need to be applied by the base implementation.
|
||||
-->
|
||||
<!-- To enable the composite-user-group-provider remove 2 lines. This is 1 of 2.
|
||||
<userGroupProvider>
|
||||
|
@ -176,8 +176,8 @@
|
|||
each property must be unique, for example: "User Group Provider A", "User Group Provider B",
|
||||
"User Group Provider C" or "User Group Provider 1", "User Group Provider 2", "User Group Provider 3"
|
||||
|
||||
NOTE: Any identity mapping rules specified in nifi.properties are not applied in this implementation. This behavior
|
||||
would need to be applied by the base implementation.
|
||||
NOTE: Any identity mapping rules specified in nifi-registry.properties are not applied in this implementation. This
|
||||
behavior would need to be applied by the base implementation.
|
||||
-->
|
||||
<!-- To enable the composite-configurable-user-group-provider remove 2 lines. This is 1 of 2.
|
||||
<userGroupProvider>
|
||||
|
@ -202,15 +202,16 @@
|
|||
a DN when using certificates or LDAP. This property will only be used when there
|
||||
are no other policies defined.
|
||||
|
||||
NOTE: Any identity mapping rules specified in nifi.properties will also be applied to the initial admin identity,
|
||||
NOTE: Any identity mapping rules specified in nifi-registry.properties will also be applied to the initial admin identity,
|
||||
so the value should be the unmapped identity. This identity must be found in the configured User Group Provider.
|
||||
|
||||
- Node Identity [unique key] - The identity of a NiFi cluster node. When clustered, a property for each node
|
||||
should be defined, so that every node knows about every other node. If not clustered these properties can be ignored.
|
||||
The name of each property must be unique, for example for a three node cluster:
|
||||
"Node Identity A", "Node Identity B", "Node Identity C" or "Node Identity 1", "Node Identity 2", "Node Identity 3"
|
||||
- NiFi Identity [unique key] - The identity of a NiFi node that will have access to this NiFi Registry and will be able
|
||||
to act as a proxy on behalf of a NiFi Registry end user. A property should be created for the identity of every NiFi
|
||||
node that needs to access this NiFi Registry. The name of each property must be unique, for example for three
|
||||
NiFi clients:
|
||||
"NiFi Identity A", "NiFi Identity B", "NiFi Identity C" or "NiFi Identity 1", "NiFi Identity 2", "NiFi Identity 3"
|
||||
|
||||
NOTE: Any identity mapping rules specified in nifi.properties will also be applied to the node identities,
|
||||
NOTE: Any identity mapping rules specified in nifi-registry.properties will also be applied to the nifi identities,
|
||||
so the values should be the unmapped identities (i.e. full DN from a certificate). This identity must be found
|
||||
in the configured User Group Provider.
|
||||
-->
|
||||
|
@ -221,7 +222,7 @@
|
|||
<property name="Authorizations File">./conf/authorizations.xml</property>
|
||||
<property name="Initial Admin Identity"><!-- CN=abc, OU=xyz --></property>
|
||||
|
||||
<!--<property name="Node Identity 1"></property>-->
|
||||
<!--<property name="NiFi Identity 1"></property>-->
|
||||
</accessPolicyProvider>
|
||||
|
||||
<!--
|
||||
|
|
|
@ -17,7 +17,7 @@
|
|||
-->
|
||||
<!--
|
||||
This file lists the userGroupProviders, accessPolicyProviders, and authorizers to use when running securely. In order
|
||||
to use a specific authorizer it must be configured here and its identifier must be specified in the nifi.properties file.
|
||||
to use a specific authorizer it must be configured here and its identifier must be specified in the nifi-registry.properties file.
|
||||
If the authorizer is a managedAuthorizer, it may need to be configured with an accessPolicyProvider and an userGroupProvider.
|
||||
This file allows for configuration of them, but they must be configured in order:
|
||||
|
||||
|
@ -39,7 +39,7 @@
|
|||
each property must be unique, for example: "Initial User Identity A", "Initial User Identity B",
|
||||
"Initial User Identity C" or "Initial User Identity 1", "Initial User Identity 2", "Initial User Identity 3"
|
||||
|
||||
NOTE: Any identity mapping rules specified in nifi.properties will also be applied to the user identities,
|
||||
NOTE: Any identity mapping rules specified in nifi-registry.properties will also be applied to the user identities,
|
||||
so the values should be the unmapped identities (i.e. full DN from a certificate).
|
||||
-->
|
||||
<userGroupProvider>
|
||||
|
@ -56,7 +56,7 @@
|
|||
each property must be unique, for example: "User Group Provider A", "User Group Provider B",
|
||||
"User Group Provider C" or "User Group Provider 1", "User Group Provider 2", "User Group Provider 3"
|
||||
|
||||
NOTE: Any identity mapping rules specified in nifi.properties are not applied in this implementation. This behavior
|
||||
NOTE: Any identity mapping rules specified in nifi-registry.properties are not applied in this implementation. This behavior
|
||||
would need to be applied by the base implementation.
|
||||
-->
|
||||
<!-- To enable the composite-user-group-provider remove 2 lines. This is 1 of 2.
|
||||
|
@ -78,7 +78,7 @@
|
|||
each property must be unique, for example: "User Group Provider A", "User Group Provider B",
|
||||
"User Group Provider C" or "User Group Provider 1", "User Group Provider 2", "User Group Provider 3"
|
||||
|
||||
NOTE: Any identity mapping rules specified in nifi.properties are not applied in this implementation. This behavior
|
||||
NOTE: Any identity mapping rules specified in nifi-registry.properties are not applied in this implementation. This behavior
|
||||
would need to be applied by the base implementation.
|
||||
-->
|
||||
<!-- To enable the composite-configurable-user-group-provider remove 2 lines. This is 1 of 2.
|
||||
|
@ -104,15 +104,14 @@
|
|||
a DN when using certificates or LDAP. This property will only be used when there
|
||||
are no other policies defined.
|
||||
|
||||
NOTE: Any identity mapping rules specified in nifi.properties will also be applied to the initial admin identity,
|
||||
NOTE: Any identity mapping rules specified in nifi-registry.properties will also be applied to the initial admin identity,
|
||||
so the value should be the unmapped identity. This identity must be found in the configured User Group Provider.
|
||||
|
||||
- Node Identity [unique key] - The identity of a NiFi cluster node. When clustered, a property for each node
|
||||
should be defined, so that every node knows about every other node. If not clustered these properties can be ignored.
|
||||
The name of each property must be unique, for example for a three node cluster:
|
||||
"Node Identity A", "Node Identity B", "Node Identity C" or "Node Identity 1", "Node Identity 2", "Node Identity 3"
|
||||
- NiFi Identity [unique key] - The identity of a NiFi node that will have access to this NiFi Registry and will be able
|
||||
to act as a proxy on behalf of a NiFi Registry end user. A property should be created for the identity of every NiFi
|
||||
node that needs to access this NiFi Registry.
|
||||
|
||||
NOTE: Any identity mapping rules specified in nifi.properties will also be applied to the node identities,
|
||||
NOTE: Any identity mapping rules specified in nifi-registry.properties will also be applied to the nifi identities,
|
||||
so the values should be the unmapped identities (i.e. full DN from a certificate). This identity must be found
|
||||
in the configured User Group Provider.
|
||||
-->
|
||||
|
@ -123,7 +122,7 @@
|
|||
<property name="Authorizations File">./target/test-classes/conf/secure-file/authorizations.xml</property>
|
||||
<property name="Initial Admin Identity">CN=user1, OU=nifi</property>
|
||||
|
||||
<!--<property name="Node Identity 1"></property>-->
|
||||
<!--<property name="NiFi Identity 1"></property>-->
|
||||
</accessPolicyProvider>
|
||||
|
||||
<!--
|
||||
|
|
|
@ -17,7 +17,7 @@
|
|||
-->
|
||||
<!--
|
||||
This file lists the userGroupProviders, accessPolicyProviders, and authorizers to use when running securely. In order
|
||||
to use a specific authorizer it must be configured here and its identifier must be specified in the nifi.properties file.
|
||||
to use a specific authorizer it must be configured here and its identifier must be specified in the nifi-registry.properties file.
|
||||
If the authorizer is a managedAuthorizer, it may need to be configured with an accessPolicyProvider and an userGroupProvider.
|
||||
This file allows for configuration of them, but they must be configured in order:
|
||||
|
||||
|
@ -39,7 +39,7 @@
|
|||
each property must be unique, for example: "Initial User Identity A", "Initial User Identity B",
|
||||
"Initial User Identity C" or "Initial User Identity 1", "Initial User Identity 2", "Initial User Identity 3"
|
||||
|
||||
NOTE: Any identity mapping rules specified in nifi.properties will also be applied to the user identities,
|
||||
NOTE: Any identity mapping rules specified in nifi-registry.properties will also be applied to the user identities,
|
||||
so the values should be the unmapped identities (i.e. full DN from a certificate).
|
||||
-->
|
||||
<userGroupProvider>
|
||||
|
@ -63,15 +63,14 @@
|
|||
a DN when using certificates or LDAP. This property will only be used when there
|
||||
are no other policies defined.
|
||||
|
||||
NOTE: Any identity mapping rules specified in nifi.properties will also be applied to the initial admin identity,
|
||||
NOTE: Any identity mapping rules specified in nifi-registry.properties will also be applied to the initial admin identity,
|
||||
so the value should be the unmapped identity. This identity must be found in the configured User Group Provider.
|
||||
|
||||
- Node Identity [unique key] - The identity of a NiFi cluster node. When clustered, a property for each node
|
||||
should be defined, so that every node knows about every other node. If not clustered these properties can be ignored.
|
||||
The name of each property must be unique, for example for a three node cluster:
|
||||
"Node Identity A", "Node Identity B", "Node Identity C" or "Node Identity 1", "Node Identity 2", "Node Identity 3"
|
||||
- NiFi Identity [unique key] - The identity of a NiFi node that will have access to this NiFi Registry and will be able
|
||||
to act as a proxy on behalf of a NiFi Registry end user. A property should be created for the identity of every NiFi
|
||||
node that needs to access this NiFi Registry.
|
||||
|
||||
NOTE: Any identity mapping rules specified in nifi.properties will also be applied to the node identities,
|
||||
NOTE: Any identity mapping rules specified in nifi-registry.properties will also be applied to the nifi identities,
|
||||
so the values should be the unmapped identities (i.e. full DN from a certificate). This identity must be found
|
||||
in the configured User Group Provider.
|
||||
-->
|
||||
|
@ -82,7 +81,7 @@
|
|||
<property name="Authorizations File">./target/test-classes/conf/secure-kerberos/authorizations.xml</property>
|
||||
<property name="Initial Admin Identity">kerberosUser@LOCALHOST</property>
|
||||
|
||||
<!--<property name="Node Identity 1"></property>-->
|
||||
<!--<property name="NiFi Identity 1"></property>-->
|
||||
</accessPolicyProvider>
|
||||
|
||||
<!--
|
||||
|
|
|
@ -17,8 +17,8 @@
|
|||
-->
|
||||
<!--
|
||||
This file lists the login identity providers to use when running securely. In order
|
||||
to use a specific provider it must be configured here and it's identifier
|
||||
must be specified in the nifi.properties file.
|
||||
to use a specific provider it must be configured here and its identifier
|
||||
must be specified in the nifi-registry.properties file.
|
||||
-->
|
||||
<identityProviders>
|
||||
|
||||
|
|
|
@ -17,7 +17,7 @@
|
|||
-->
|
||||
<!--
|
||||
This file lists the userGroupProviders, accessPolicyProviders, and authorizers to use when running securely. In order
|
||||
to use a specific authorizer it must be configured here and its identifier must be specified in the nifi.properties file.
|
||||
to use a specific authorizer it must be configured here and its identifier must be specified in the nifi-registry.properties file.
|
||||
If the authorizer is a managedAuthorizer, it may need to be configured with an accessPolicyProvider and an userGroupProvider.
|
||||
This file allows for configuration of them, but they must be configured in order:
|
||||
|
||||
|
@ -39,7 +39,7 @@
|
|||
each property must be unique, for example: "Initial User Identity A", "Initial User Identity B",
|
||||
"Initial User Identity C" or "Initial User Identity 1", "Initial User Identity 2", "Initial User Identity 3"
|
||||
|
||||
NOTE: Any identity mapping rules specified in nifi.properties will also be applied to the user identities,
|
||||
NOTE: Any identity mapping rules specified in nifi-registry.properties will also be applied to the user identities,
|
||||
so the values should be the unmapped identities (i.e. full DN from a certificate).
|
||||
-->
|
||||
<!-- To enable the file-user-group-provider remove 2 lines. This is 1 of 2.
|
||||
|
@ -105,7 +105,7 @@
|
|||
group membership will not be calculated through the groups. Will rely on group member being defined
|
||||
through 'User Group Name Attribute' if set.
|
||||
|
||||
NOTE: Any identity mapping rules specified in nifi.properties will also be applied to the user identities.
|
||||
NOTE: Any identity mapping rules specified in nifi-registry.properties will also be applied to the user identities.
|
||||
Group names are not mapped.
|
||||
-->
|
||||
<userGroupProvider>
|
||||
|
@ -158,7 +158,7 @@
|
|||
each property must be unique, for example: "User Group Provider A", "User Group Provider B",
|
||||
"User Group Provider C" or "User Group Provider 1", "User Group Provider 2", "User Group Provider 3"
|
||||
|
||||
NOTE: Any identity mapping rules specified in nifi.properties are not applied in this implementation. This behavior
|
||||
NOTE: Any identity mapping rules specified in nifi-registry.properties are not applied in this implementation. This behavior
|
||||
would need to be applied by the base implementation.
|
||||
-->
|
||||
<!-- To enable the composite-user-group-provider remove 2 lines. This is 1 of 2.
|
||||
|
@ -180,7 +180,7 @@
|
|||
each property must be unique, for example: "User Group Provider A", "User Group Provider B",
|
||||
"User Group Provider C" or "User Group Provider 1", "User Group Provider 2", "User Group Provider 3"
|
||||
|
||||
NOTE: Any identity mapping rules specified in nifi.properties are not applied in this implementation. This behavior
|
||||
NOTE: Any identity mapping rules specified in nifi-registry.properties are not applied in this implementation. This behavior
|
||||
would need to be applied by the base implementation.
|
||||
-->
|
||||
<!-- To enable the composite-configurable-user-group-provider remove 2 lines. This is 1 of 2.
|
||||
|
@ -206,15 +206,14 @@
|
|||
a DN when using certificates or LDAP. This property will only be used when there
|
||||
are no other policies defined.
|
||||
|
||||
NOTE: Any identity mapping rules specified in nifi.properties will also be applied to the initial admin identity,
|
||||
NOTE: Any identity mapping rules specified in nifi-registry.properties will also be applied to the initial admin identity,
|
||||
so the value should be the unmapped identity. This identity must be found in the configured User Group Provider.
|
||||
|
||||
- Node Identity [unique key] - The identity of a NiFi cluster node. When clustered, a property for each node
|
||||
should be defined, so that every node knows about every other node. If not clustered these properties can be ignored.
|
||||
The name of each property must be unique, for example for a three node cluster:
|
||||
"Node Identity A", "Node Identity B", "Node Identity C" or "Node Identity 1", "Node Identity 2", "Node Identity 3"
|
||||
- NiFi Identity [unique key] - The identity of a NiFi node that will have access to this NiFi Registry and will be able
|
||||
to act as a proxy on behalf of a NiFi Registry end user. A property should be created for the identity of every NiFi
|
||||
node that needs to access this NiFi Registry.
|
||||
|
||||
NOTE: Any identity mapping rules specified in nifi.properties will also be applied to the node identities,
|
||||
NOTE: Any identity mapping rules specified in nifi-registry.properties will also be applied to the nifi identities,
|
||||
so the values should be the unmapped identities (i.e. full DN from a certificate). This identity must be found
|
||||
in the configured User Group Provider.
|
||||
-->
|
||||
|
|
|
@ -18,7 +18,7 @@
|
|||
<!--
|
||||
This file lists the login identity providers to use when running securely. In order
|
||||
to use a specific provider it must be configured here and it's identifier
|
||||
must be specified in the nifi.properties file.
|
||||
must be specified in the nifi-registry.properties file.
|
||||
-->
|
||||
<identityProviders>
|
||||
<!--
|
||||
|
|