- Ranger Authorizer is deployed as Registry extension.
- Added /config REST endpoint to expose Registry configuration for the UI to
  determine whether users, groups and policies can be edited.
- Added 'include-ranger' maven build profile and refactored project
structure to control ranger extension build.
- Added README.md to illustrate how to use this extension.
- Added default configuration files.
- Removed the javax.ws.rs package from the jersey-bundle jar to avoid an rs version conflict.
- Added example conf for auditing to Kerberized Solr.
- Updated hadoop version to 3.0.0
- Added ExtensionCloseable to use the extension class loader when
  configuring the authorizer. Without this, the Hadoop Configuration class
  uses the WebApp class loader, which is set as the current thread context
  class loader and does not have the extension classes.
- Refactored anonymous inner classes at AuthorizerFactory to expose
underlying authorizer instance, to use its extension class loader.
- Confirmed NiFi Registry can:
  - download policies from Kerberized Ranger
  - send audit logs to Kerberized Solr
  - send audit logs to Kerberized HDFS
- Refactored project structures and updated L&N.
This closes #131.
Signed-off-by: Kevin Doran <kdoran@apache.org>
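The class loader problem described in the Ranger commit above, shown as an added example (this is not NiFi Registry's ExtensionCloseable or any other project code; the class names ExtensionClassLoaderScope, DemoAuthorizer and BlindLoader are illustrative). Libraries such as Hadoop's Configuration resolve classes by name through Thread.currentThread().getContextClassLoader(). Inside a web application that loader is the WebApp loader, which cannot see classes that were loaded from an extension's own class loader, so the lookup fails. The scope below swaps the context class loader for the loader that actually defined the extension object, and restores the previous loader when closed, including when the configuration code throws. BlindLoader stands in for the WebApp loader and refuses to see the extension class, so the program shows the failure and the fix side by side:

```java
import java.util.Objects;

public final class ExtensionClassLoaderScope implements AutoCloseable {

    private final Thread thread;
    private final ClassLoader previous;

    private ExtensionClassLoaderScope(ClassLoader extensionLoader) {
        this.thread = Thread.currentThread();
        this.previous = thread.getContextClassLoader();
        thread.setContextClassLoader(Objects.requireNonNull(extensionLoader, "extension loader"));
    }

    /** Enters the scope using the loader that defined the extension's class, not the caller's loader. */
    public static ExtensionClassLoaderScope enter(Object extension) {
        ClassLoader loader = extension.getClass().getClassLoader();
        // Classes defined by the bootstrap loader report null; fall back to the system loader.
        return new ExtensionClassLoaderScope(loader != null ? loader : ClassLoader.getSystemClassLoader());
    }

    /** Restores the previous context class loader. Must be closed on the thread that entered. */
    @Override
    public void close() {
        if (Thread.currentThread() != thread) {
            throw new IllegalStateException("scope closed on a different thread than it was opened on");
        }
        thread.setContextClassLoader(previous);
    }

    /** Stand-in for a library (Hadoop Configuration in the commit) that resolves classes via the context class loader. */
    static Class<?> resolveViaContextLoader(String name) throws ClassNotFoundException {
        return Class.forName(name, true, Thread.currentThread().getContextClassLoader());
    }

    /** Stand-in for an authorizer class shipped inside an extension. */
    static final class DemoAuthorizer {
    }

    /** Stand-in for the WebApp loader: it delegates normally but cannot see the extension's classes. */
    static final class BlindLoader extends ClassLoader {
        BlindLoader(ClassLoader parent) {
            super(parent);
        }

        @Override
        public Class<?> loadClass(String name) throws ClassNotFoundException {
            if (name.contains("DemoAuthorizer")) {
                throw new ClassNotFoundException(name + " is not visible to the WebApp loader");
            }
            return super.loadClass(name);
        }
    }

    public static void main(String[] args) throws Exception {
        Thread current = Thread.currentThread();
        ClassLoader webAppLoader = new BlindLoader(ExtensionClassLoaderScope.class.getClassLoader());
        current.setContextClassLoader(webAppLoader);
        String extensionClass = DemoAuthorizer.class.getName();

        // Without the scope: the context loader is the WebApp loader and the lookup fails.
        try {
            resolveViaContextLoader(extensionClass);
            System.out.println("unexpected: resolved without the scope");
        } catch (ClassNotFoundException e) {
            System.out.println("without scope: " + e.getMessage());
        }

        // With the scope: the extension's own loader is the context loader for the duration of the block.
        try (ExtensionClassLoaderScope scope = enter(new DemoAuthorizer())) {
            System.out.println("with scope: " + resolveViaContextLoader(extensionClass).getSimpleName());
        }

        // The previous loader is back in place once the block exits.
        System.out.println("restored: " + (current.getContextClassLoader() == webAppLoader));
    }
}
```

Compile and run with plain javac/java; no dependencies are needed. Note that the swap is per thread: if the extension's configuration spawns worker threads, they inherit the context loader that was current when they were created, so the scope has to be entered before any such threads start.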
- Adding a property to specify an external directory containing driver jars and adding it to the web-api WAR's classpath during startup
- Updating admin guide
This closes #121.
Signed-off-by: Kevin Doran <kdoran@apache.org>
Allows sensitive property values to be encrypted in the following
configuration files:
- nifi-registry.properties
- identity-providers.xml
- authorizers.xml
A master decryption key can be configured that allows
decrypting protected properties at runtime, specifically:
- Adds CryptoKeyProvider interface for injecting key into application
- Provides implementation that is backed by bootstrap.conf
- Provides implementation that keeps key in memory
- Provides mechanism for removing CryptoKeyProvider from scope
after Application Context is done loading
NIFIREG-61 Simplify Master Key Loading
Simplifies the code associated with loading the master crypto key
to standardize on using the bootstrap.conf file.
This closes #51.
Signed-off-by: Bryan Bende <bbende@apache.org>
Adds the ability to configure NiFi Identities to act as proxies for
FileAccessPolicyProvider in authorizers.xml
This closes #45.
Signed-off-by: Bryan Bende <bbende@apache.org>
- KerberosIdentityProvider: an IdentityProvider extension for username/password login
- KerberosSpnegoIdentityProvider: authenticates Kerberos tickets over a SPNEGO exchange with the client and a mutual Kerberos server
- Adds NiFiRegistryProperties fields for configuring KerberosSpnegoIdentityProvider
- Adds a dedicated endpoint for clients to use to generate a JWT using a Kerberos Ticket (backed by KerberosSpnegoIP)
- Adds a new endpoint (POST /access/token) that attempts to do server-side auto detection of the client authentication method
- Adds NotAllowedExceptionMapper that returns 405 for NotAllowedExceptions thrown in the Jersey framework
- Adds UnauthorizedException and UnauthorizedExceptionMapper for returning 401 responses with WWW-Authenticate challenges
- Refines IdentityProvider interface by connecting WWW-Authenticate challenges to IdentityProviderUsage object
This closes #41.
Signed-off-by: Bryan Bende <bbende@apache.org>
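An added example of the 401-with-challenges design the Kerberos commit above describes; it is not the project's own UnauthorizedException, mapper or IdentityProvider code, and the ChallengingIdentityProvider interface, the class names and the header-prefix matching are assumptions made for illustration. The point a practitioner cares about: when the auto-detecting token endpoint finds no credential it can use, the correct answer is 401 (the client may retry with credentials), not 403, and RFC 7235 requires the 401 to carry at least one WWW-Authenticate header. Emitting one header per configured scheme tells a client exactly which mechanisms (Negotiate, Basic, ...) this deployment accepts. The sample Authorization values in main are constructed, not captured traffic:

```java
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import java.util.Optional;
import javax.ws.rs.core.HttpHeaders;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;
import javax.ws.rs.ext.ExceptionMapper;
import javax.ws.rs.ext.Provider;

public final class AccessTokenChallenges {

    /** Assumed slice of an identity provider: the credential it can read from a request and the challenge it advertises. */
    public interface ChallengingIdentityProvider {
        /** The credential this provider recognises in the Authorization header, or empty if there is none. */
        Optional<String> extractCredential(String authorizationHeader);

        /** The WWW-Authenticate challenge clients must satisfy for this provider, e.g. "Negotiate". */
        String challenge();
    }

    /** Thrown when no usable credential was presented; carries every challenge the server accepts. */
    public static final class UnauthorizedException extends RuntimeException {
        private final List<String> challenges;

        public UnauthorizedException(String message, List<String> challenges) {
            super(message);
            this.challenges = Collections.unmodifiableList(new ArrayList<>(challenges));
        }

        public List<String> getChallenges() {
            return challenges;
        }
    }

    /** Maps the exception to 401 with one WWW-Authenticate header per challenge. */
    @Provider
    public static final class UnauthorizedExceptionMapper implements ExceptionMapper<UnauthorizedException> {
        @Override
        public Response toResponse(UnauthorizedException e) {
            Response.ResponseBuilder builder = Response.status(Response.Status.UNAUTHORIZED)
                    .type(MediaType.TEXT_PLAIN_TYPE)
                    .entity(e.getMessage());
            for (String challenge : e.getChallenges()) {
                builder = builder.header(HttpHeaders.WWW_AUTHENTICATE, challenge);
            }
            return builder.build();
        }
    }

    /**
     * Server-side detection of the client's authentication method: the first provider that finds a
     * credential wins. If none does, fail with 401 and advertise every provider's challenge, so the
     * client learns which schemes are configured instead of guessing.
     */
    public static String detectCredential(String authorizationHeader, List<ChallengingIdentityProvider> providers) {
        for (ChallengingIdentityProvider provider : providers) {
            Optional<String> credential = provider.extractCredential(authorizationHeader);
            if (credential.isPresent()) {
                return credential.get();
            }
        }
        List<String> challenges = new ArrayList<>();
        for (ChallengingIdentityProvider provider : providers) {
            challenges.add(provider.challenge());
        }
        throw new UnauthorizedException("No supported credentials were provided", challenges);
    }

    /** Illustrative provider that matches a single Authorization scheme prefix (case-insensitive, per RFC 7235). */
    static ChallengingIdentityProvider schemeProvider(final String scheme, final String challenge) {
        return new ChallengingIdentityProvider() {
            @Override
            public Optional<String> extractCredential(String header) {
                String prefix = scheme + " ";
                if (header != null && header.regionMatches(true, 0, prefix, 0, prefix.length())) {
                    return Optional.of(header.substring(prefix.length()).trim());
                }
                return Optional.empty();
            }

            @Override
            public String challenge() {
                return challenge;
            }
        };
    }

    public static void main(String[] args) {
        List<ChallengingIdentityProvider> providers = new ArrayList<>();
        providers.add(schemeProvider("Negotiate", "Negotiate"));
        providers.add(schemeProvider("Basic", "Basic realm=\"NiFi Registry\""));

        // Constructed sample requests.
        System.out.println("detected: " + detectCredential("Negotiate YIIB...", providers));
        try {
            detectCredential(null, providers);
        } catch (UnauthorizedException e) {
            Response response = new UnauthorizedExceptionMapper().toResponse(e);
            System.out.println(response.getStatus() + " " + response.getHeaders().get(HttpHeaders.WWW_AUTHENTICATE));
        }
    }
}
```

Building a Response outside a container goes through javax.ws.rs.ext.RuntimeDelegate, so running main needs a JAX-RS implementation such as Jersey on the classpath; inside the web application the @Provider annotation is enough for the mapper to be picked up.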
- Adds LdapIdentityProvider for authentication
- Adds /access/token endpoint for generating JWT for users that can authenticate with a configured IdentityProvider
- Adds JwtAuthenticationProvider for authentication
- Adds KeyService for key generation and tracking for signing JWTs
- Adds LdapUserGroupProvider for authorization
- Adds LDAP integration tests
- Refactors nifi-registry-security-api-impl into nifi-registry-framework
- Refactors all security related packages, such as o.a.n.r.authorization and o.a.n.r.authentication, under org.apache.nifi.registry.security
- Fixing issues found in code review
- Make LoginIdentityProviderFactory a DisposableBean
This closes #29.
Signed-off-by: Bryan Bende <bbende@apache.org>
Authentication and authorization enforcement for web API, largely based on NiFi.
This commit adds interfaces, framework, and file-based authorizer providers (file access policy provider, file user group provider).
Authentication of identities is currently based on certificates in two-way SSL (HTTPS). Alternative identity strategies (user&pass, JWT) will
be added later, building upon the foundation in this commit.
As part of this feature, some changes were made to the RegistryService interface and the providers it utilizes.
This closes #14.
Signed-off-by: Bryan Bende <bbende@apache.org>
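An added example tying together two of the commits above, the certificate-based authentication in this one and the earlier one that lets configured NiFi identities act as proxies. It is not NiFi Registry code: the class ProxyAwareCertificateIdentity, the header name X-Proxied-Identity and its single-value format are assumptions for illustration, and the DNs in main are constructed. The two points it demonstrates are that the only identity the server has actually verified is the subject of the leaf certificate the TLS layer negotiated (the Servlet specification exposes the chain under the javax.servlet.request.X509Certificate attribute), and that a forwarded end-user identity in a header may be honoured only when that verified certificate identity is one of the configured proxies; otherwise any client could pick its own identity by setting a header. Comparing the DN in RFC 2253 form keeps it equal to the string written in the policy file:

```java
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;
import javax.security.auth.x500.X500Principal;
import javax.servlet.http.HttpServletRequest;

public final class ProxyAwareCertificateIdentity {

    /** Attribute name defined by the Servlet specification for the negotiated client certificate chain. */
    static final String CERT_ATTRIBUTE = "javax.servlet.request.X509Certificate";

    /** Header a proxy uses to forward the end user's identity. Name and format are assumptions for this example. */
    static final String PROXIED_IDENTITY_HEADER = "X-Proxied-Identity";

    private final Set<String> proxyIdentities;

    /** proxyIdentities: the DNs (RFC 2253 form) configured as allowed proxies. */
    public ProxyAwareCertificateIdentity(Set<String> proxyIdentities) {
        this.proxyIdentities = Collections.unmodifiableSet(new HashSet<>(proxyIdentities));
    }

    /** Subject of the leaf certificate the TLS layer verified, or null if the request was not mutually authenticated. */
    public static X500Principal verifiedSubject(HttpServletRequest request) {
        Object attr = request.getAttribute(CERT_ATTRIBUTE);
        if (attr instanceof X509Certificate[] && ((X509Certificate[]) attr).length > 0) {
            return ((X509Certificate[]) attr)[0].getSubjectX500Principal();
        }
        return null;
    }

    /** Request-level entry point: refuses requests that carry no client certificate at all. */
    public String effectiveIdentity(HttpServletRequest request) {
        X500Principal subject = verifiedSubject(request);
        if (subject == null) {
            // Never fall back to headers here: without a certificate nothing has been authenticated.
            throw new SecurityException("client certificate required");
        }
        return effectiveIdentity(subject, request.getHeader(PROXIED_IDENTITY_HEADER));
    }

    /** Pure decision: the certificate identity, unless an authorized proxy vouches for a forwarded user. */
    public String effectiveIdentity(X500Principal subject, String proxiedIdentity) {
        // RFC 2253 form, so the value compares equal to the identity written in the policy configuration.
        String certIdentity = subject.getName(X500Principal.RFC2253);
        if (proxiedIdentity == null || proxiedIdentity.trim().isEmpty()) {
            return certIdentity;
        }
        if (!proxyIdentities.contains(certIdentity)) {
            // A client that is not a configured proxy must not be able to choose its identity via a header.
            throw new SecurityException(certIdentity + " is not an authorized proxy");
        }
        return proxiedIdentity.trim();
    }

    public static void main(String[] args) {
        Set<String> proxies = new HashSet<>();
        proxies.add("CN=nifi-node-1,OU=NiFi"); // constructed proxy identity, as it would appear in the policy file
        ProxyAwareCertificateIdentity resolver = new ProxyAwareCertificateIdentity(proxies);

        // Constructed subjects standing in for leaf-certificate subjects.
        X500Principal proxy = new X500Principal("CN=nifi-node-1, OU=NiFi");
        X500Principal user = new X500Principal("CN=alice, OU=Users");

        System.out.println("direct user:      " + resolver.effectiveIdentity(user, null));
        System.out.println("via proxy:        " + resolver.effectiveIdentity(proxy, "CN=bob,OU=Users"));
        try {
            resolver.effectiveIdentity(user, "CN=admin,OU=Users");
        } catch (SecurityException e) {
            System.out.println("rejected:         " + e.getMessage());
        }
    }
}
```

Compiling needs the Servlet API jar on the classpath for the request-level method; main exercises only the pure decision method and runs without a container. The container must be configured to require client certificates for this to hold; if TLS is terminated by a reverse proxy in front of the application, the certificate attribute is absent and the code above refuses the request rather than trusting forwarded headers.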
- Setup Flyway with initial migration to define tables
- Setup entity classes with repositories
- Setup unit testing for repositories
- Removed existing MetadataProvider concept
- Removed provider impl module and moved remaining pieces into framework
- Added MetadataService with DatabaseMetadataService implementation
- Refactored RegistryService to use MetadataService
- Introduced verbose flag on some end-points to control loading nested objects
- Added ability to pass down paging/sorting params
- Added endpoints for available fields
- Adding ItemResource and ability to retrieve all items, or items by bucket
- Changing from Set to List on retrieval methods
- Added web linking in entities returned from REST end-points
This closes #10.
- Renaming nifi-registry-flow-data-model to nifi-registry-data-model
- Implementing FileSystemFlowProvider & FileSystemMetadataProvider
- Adding unit tests for file system providers
- Injecting providers into test REST resource