NIFI-472: Refining the mechanism to carry out running as a different user pushing the handling of this primarily to the controlling script rather than the Java code. Making changes to the assembly such that permissions are provided on a group level control basis.

nifi/nifi-assembly/pom.xml

@@ -35,6 +35,11 @@ language governing permissions and limitations under the License. -->
                         </goals>
                         <phase>package</phase>
                         <configuration>
+                            <archiverConfig>
+                                <defaultDirectoryMode>0775</defaultDirectoryMode>
+                                <directoryMode>0775</directoryMode>
+                                <fileMode>0664</fileMode>
+                            </archiverConfig>
                             <descriptors>
                                 <descriptor>src/main/assembly/dependencies.xml</descriptor>
                             </descriptors>

nifi/nifi-assembly/src/main/assembly/dependencies.xml

@@ -29,8 +29,8 @@
             <scope>runtime</scope>
             <useProjectArtifact>false</useProjectArtifact>
             <outputDirectory>lib</outputDirectory>
-            <directoryMode>0750</directoryMode>
-            <fileMode>0640</fileMode>
+            <directoryMode>0770</directoryMode>
+            <fileMode>0660</fileMode>
             <useTransitiveFiltering>true</useTransitiveFiltering>
             <excludes>
             	<exclude>nifi-bootstrap</exclude>
@@ -44,8 +44,8 @@
             <scope>runtime</scope>
             <useProjectArtifact>false</useProjectArtifact>
             <outputDirectory>lib/bootstrap</outputDirectory>
-            <directoryMode>0750</directoryMode>
-            <fileMode>0640</fileMode>
+            <directoryMode>0770</directoryMode>
+            <fileMode>0660</fileMode>
             <useTransitiveFiltering>true</useTransitiveFiltering>
             <includes>
             	<include>nifi-bootstrap</include>
@@ -59,8 +59,8 @@
             <scope>runtime</scope>
             <useProjectArtifact>false</useProjectArtifact>
             <outputDirectory>./</outputDirectory>
-            <directoryMode>0750</directoryMode>
-            <fileMode>0640</fileMode>
+            <directoryMode>0770</directoryMode>
+            <fileMode>0664</fileMode>
             <useTransitiveFiltering>true</useTransitiveFiltering>
             <includes>
             	<include>nifi-resources</include>
@@ -79,8 +79,8 @@
             <scope>runtime</scope>
             <useProjectArtifact>false</useProjectArtifact>
             <outputDirectory>./</outputDirectory>
-            <directoryMode>0750</directoryMode>
-            <fileMode>0750</fileMode>
+            <directoryMode>0770</directoryMode>
+            <fileMode>0770</fileMode>
             <useTransitiveFiltering>true</useTransitiveFiltering>
             <includes>
             	<include>nifi-resources</include>

nifi/nifi-bootstrap/src/main/java/org/apache/nifi/bootstrap/RunNiFi.java

@@ -728,20 +728,8 @@ public class RunNiFi {
         final NiFiListener listener = new NiFiListener();
         final int listenPort = listener.start(this);
 
-        String runAs = isWindows() ? null : props.get(RUN_AS_PROP);
-        if (runAs != null) {
-            runAs = runAs.trim();
-            if (runAs.isEmpty()) {
-                runAs = null;
-            }
-        }
-
         final List<String> cmd = new ArrayList<>();
-        if (runAs != null) {
-            cmd.add("sudo");
-            cmd.add("-u");
-            cmd.add(runAs);
-        }
+
         cmd.add(javaCmd);
         cmd.add("-classpath");
         cmd.add(classPath);

nifi/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-resources/src/main/resources/bin/nifi.sh

@@ -151,9 +151,26 @@ install() {
 run() {
     BOOTSTRAP_CONF="$NIFI_HOME/conf/bootstrap.conf";
 
+    run_as=$(grep run.as ${BOOTSTRAP_CONF} | cut -d'=' -f2)
+
+    sudo_cmd_prefix=""
     if $cygwin; then
+        if [[ -n "$run_as" ]]; then
+            echo "The run.as option is not supported in a Cygwin environment. Exiting."
+            exit 1
+        fi;
+
         NIFI_HOME=`cygpath --path --windows "$NIFI_HOME"`
         BOOTSTRAP_CONF=`cygpath --path --windows "$BOOTSTRAP_CONF"`
+    else
+        if [[ -n "$run_as" ]]; then
+            if id -u "$run_as" >/dev/null 2>&1; then
+                sudo_cmd_prefix="sudo -u ${run_as}"
+            else
+                echo "The specified run.as user ${run_as} does not exist. Exiting."
+                exit 1
+            fi
+        fi;
     fi
 
     echo
@@ -166,9 +183,9 @@ run() {
     # run 'start' in the background because the process will continue to run, monitoring NiFi.
     # all other commands will terminate quickly so want to just wait for them
     if [ "$1" = "start" ]; then
-        ("$JAVA" -cp "$NIFI_HOME"/conf/:"$NIFI_HOME"/lib/bootstrap/* -Xms12m -Xmx24m -Dorg.apache.nifi.bootstrap.config.file="$BOOTSTRAP_CONF" org.apache.nifi.bootstrap.RunNiFi $@ &)
+        (${sudo_cmd_prefix} "$JAVA" -cp "$NIFI_HOME"/conf/:"$NIFI_HOME"/lib/bootstrap/* -Xms12m -Xmx24m -Dorg.apache.nifi.bootstrap.config.file="$BOOTSTRAP_CONF" org.apache.nifi.bootstrap.RunNiFi $@ &)
     else
-        "$JAVA" -cp "$NIFI_HOME"/conf/:"$NIFI_HOME"/lib/bootstrap/* -Xms12m -Xmx24m -Dorg.apache.nifi.bootstrap.config.file="$BOOTSTRAP_CONF" org.apache.nifi.bootstrap.RunNiFi $@
+        ${sudo_cmd_prefix} "$JAVA" -cp "$NIFI_HOME"/conf/:"$NIFI_HOME"/lib/bootstrap/* -Xms12m -Xmx24m -Dorg.apache.nifi.bootstrap.config.file="$BOOTSTRAP_CONF" org.apache.nifi.bootstrap.RunNiFi $@
     fi
 
     # Wait just a bit (3 secs) to wait for the logging to finish and then echo a new-line.