- Adding a property to specify an external directory containing driver jars and adding it to the web-api WAR's classpath during startup
- Updating admin guide
This closes #121.
Signed-off-by: Kevin Doran <kdoran@apache.org>

- Added GitPersistenceProvider which manages Flow snapshot versions
by Git commits
- Updated FlowSnapshotContext to provide author
- Added new serialization data model version 2 which stores Flow
snapshots as JSON files
- Added filename sanitizing.
- Also, changed git/Bucket.java to have bucketDirName instead of raw
bucketName because it cannot be restored when loaded from Git, and it
is only used for logging.
- Push asynchronously.
- Added whitespace (32) to the invalid character list
- Git user as commit author and append NiFi Registry user to commit message
- Updated documents.
This closes #112.
Signed-off-by: Bryan Bende <bbende@apache.org>

"source" doesn't exist in regular /bin/sh
remove the dependency on bash by using universal "."
This closes #102.
Signed-off-by: Kevin Doran <kdoran@apache.org>

Expands on user-group configurability by allowing a referenced
user or group attribute to be specified when determining group
membership. Updates corresponding documentation. Adds test cases.
This closes #82.
Signed-off-by: Bryan Bende <bbende@apache.org>

Allows sensitive property values to be encrypted in the following
configuration files:
- nifi-registry.properties
- identity-providers.xml
- authorizers.xml
A master decryption key can be configured that allows
decrypting protected properties at runtime, specifically:
- Adds CryptoKeyProvider interface for injecting key into application
- Provides implementation that is backed by bootstrap.conf
- Provides implementation that keeps key in memory
- Provides mechanism for removing CryptoKeyProvider from scope
after Application Context is done loading
NIFIREG-61 Simplify Master Key Loading
Simplifies the code associated with loading the master crypto key
to standardize on using the bootstrap.conf file.
This closes #51.
Signed-off-by: Bryan Bende <bbende@apache.org>

Removes user existence check from FileUserGroupProvider when
group is created or updated. Replaces it with check in the
Authorizer Decorator class created by Authorizer Factory, so
that all providers are used. Also fixes bug when searching
for group membership by user that returns results across all
providers.
Also updates a package in the authorizers.xml template.
UI fixes for action icon enabled/disabled states in Administration.
This closes #64.
Signed-off-by: Bryan Bende <bbende@apache.org>

Adds the ability to configure NiFi Identities to act as proxies for
FileAccessPolicyProvider in authorizers.xml
This closes #45.
Signed-off-by: Bryan Bende <bbende@apache.org>

- KerberosIdentityProvider: an IdentityProvider extension for username/password login
- KerberosSpnegoIdentityProvider: authenticates Kerberos tickets over SPNEGO exchange with client and mutual Kerberos server
- Adds NiFiRegistryProperties fields for configuring KerberosSpnegoIdentityProvider
- Adds a dedicated endpoint for clients to use to generate a JWT using a Kerberos Ticket (backed by KerberosSpnegoIP)
- Adds a new endpoint (POST /access/token) that attempts to do server-side auto detection of client authentication method
- Adds NotAllowedExceptionMapper that returns 405 for NotAllowedExceptions thrown in the Jersey framework
- Adds UnauthorizedException and UnauthorizedExceptionMapper for returning 401 responses with WWW-Authenticate challenges
- Refines IdentityProvider interface by connecting WWW-Authenticate challenges to IdentityProviderUsage object
This closes #41.
Signed-off-by: Bryan Bende <bbende@apache.org>

- Adds LdapIdentityProvider for authentication
- Adds /access/token endpoint for generating JWT for users that can authenticate with a configured IdentityProvider
- Adds JwtAuthenticationProvider for authentication
- Adds KeyService for key generation and tracking for signing JWTs
- Adds LdapUserGroupProvider for authorization
- Adds LDAP integration tests
- Refactors nifi-registry-security-api-impl into nifi-registry-framework
- Refactors all security related packages, such as o.a.n.r.authorization and o.a.n.r.authentication, under org.apache.nifi.registry.security
- Fixing issues found in code review
- Make LoginIdentityProviderFactory a DisposableBean
This closes #29.
Signed-off-by: Bryan Bende <bbende@apache.org>

Authentication and authorization enforcement for web API, largely based on NiFi.
This commit adds interfaces, framework, and file-based authorizer providers (file access policy provider, file user group provider).
Authentication of identities is currently based on certificates in two-way SSL (HTTPS). Alternative identity strategies (user&pass, JWT) will
be added later building upon the foundation in this commit.
As part of this feature, some changes were made to the RegistryService interface and the providers it utilizes.
This closes #14.
Signed-off-by: Bryan Bende <bbende@apache.org>

- Set up Flyway with initial migration to define tables
- Set up entity classes with repositories
- Set up unit testing for repositories
- Removed existing MetadataProvider concept
- Removed provider impl module and moved remaining pieces into framework
- Added MetadataService with DatabaseMetadataService implementation
- Refactored RegistryService to use MetadataService
- Introduced verbose flag on some end-points to control loading nested objects
- Added ability to pass down paging/sorting params
- Added endpoints for available fields
- Adding ItemResource and ability to retrieve all items, or items by bucket
- Changing from Set to List on retrieval methods
- Added web linking in entities returned from REST end-points
This closes #10.

- Renaming nifi-registry-flow-data-model to nifi-registry-data-model
- Implementing FileSystemFlowProvider & FileSystemMetadataProvider
- Adding unit tests for file system providers
- Injecting providers into test REST resource