NIFI-4667 Fix LDAP Sync Interval

Corrects time unit conversion for the Sync Interval config property
for LdapUserGroupProvider in authorizers.xml.

Also enforces a minimum value of 10 secs for the Sync Interval to help
catch unintentional misconfigurations, for example users upgrading
from previous versions, where tiny Sync Interval values could be set
as a workaround for NIFI-4667.

This closes #2341
Kevin Doran 2017-12-13 15:27:00 -05:00 committed by Matt Gilman
parent d7347a2dc3
commit 2608351113
No known key found for this signature in database
GPG Key ID: DF61EC19432AEE37
3 changed files with 10 additions and 5 deletions


@ -498,7 +498,7 @@ Another option for the UserGroupProvider is the LdapUserGroupProvider. By defaul
* Read Timeout - Duration of read timeout. (i.e. 10 secs).
* Url - Space-separated list of URLs of the LDAP servers (i.e. ldap://<hostname>:<port>).
* Page Size - Sets the page size when retrieving users and groups. If not specified, no paging is performed.
* Sync Interval - Duration of time between syncing users and groups. (i.e. 30 mins).
* Sync Interval - Duration of time between syncing users and groups. (i.e. 30 mins). Minimum allowable value is 10 secs.
* User Search Base - Base DN for searching for users (i.e. ou=users,o=nifi). Required to search users.
* User Object Class - Object class for identifying users (i.e. person). Required if searching users.
* User Search Scope - Search scope for searching users (ONE_LEVEL, OBJECT, or SUBTREE). Required if searching users.


@ -86,7 +86,7 @@
'Url' - Space-separated list of URLs of the LDAP servers (i.e. ldap://<hostname>:<port>).
'Page Size' - Sets the page size when retrieving users and groups. If not specified, no paging is performed.
'Sync Interval' - Duration of time between syncing users and groups. (i.e. 30 mins).
'Sync Interval' - Duration of time between syncing users and groups (i.e. 30 mins). Minimum allowable value is 10 secs.
'User Search Base' - Base DN for searching for users (i.e. ou=users,o=nifi). Required to search users.
'User Object Class' - Object class for identifying users (i.e. person). Required if searching users.


@ -30,13 +30,13 @@ import org.apache.nifi.authorization.exception.AuthorizerCreationException;
import org.apache.nifi.authorization.util.IdentityMapping;
import org.apache.nifi.authorization.util.IdentityMappingUtil;
import org.apache.nifi.components.PropertyValue;
import org.apache.nifi.util.NiFiProperties;
import org.apache.nifi.ldap.LdapAuthenticationStrategy;
import org.apache.nifi.ldap.LdapsSocketFactory;
import org.apache.nifi.ldap.ReferralStrategy;
import org.apache.nifi.security.util.SslContextFactory;
import org.apache.nifi.security.util.SslContextFactory.ClientAuth;
import org.apache.nifi.util.FormatUtils;
import org.apache.nifi.util.NiFiProperties;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.ldap.control.PagedResultsDirContextProcessor;
@ -114,6 +114,7 @@ public class LdapUserGroupProvider implements UserGroupProvider {
public static final String PROP_GROUP_MEMBER_REFERENCED_USER_ATTRIBUTE = "Group Member Attribute - Referenced User Attribute";
public static final String PROP_SYNC_INTERVAL = "Sync Interval";
private static final long MINIMUM_SYNC_INTERVAL_MILLISECONDS = 10_000;
private List<IdentityMapping> identityMappings;
private NiFiProperties properties;
@ -370,8 +371,12 @@ public class LdapUserGroupProvider implements UserGroupProvider {
} catch (final IllegalArgumentException iae) {
throw new AuthorizerCreationException(String.format("The %s '%s' is not a valid time duration", PROP_SYNC_INTERVAL, rawSyncInterval.getValue()));
}
if (syncInterval < MINIMUM_SYNC_INTERVAL_MILLISECONDS) {
throw new AuthorizerCreationException(String.format("The %s '%s' is below the minimum value of '%d ms'",
PROP_SYNC_INTERVAL, rawSyncInterval.getValue(), MINIMUM_SYNC_INTERVAL_MILLISECONDS));
}
} else {
throw new AuthorizerCreationException("The 'Sync Interval' must be specified.");
throw new AuthorizerCreationException(String.format("The '%s' must be specified.", PROP_SYNC_INTERVAL));
}
try {
@ -385,7 +390,7 @@ public class LdapUserGroupProvider implements UserGroupProvider {
}
// schedule the background thread to load the users/groups
ldapSync.scheduleWithFixedDelay(() -> load(context), syncInterval, syncInterval, TimeUnit.SECONDS);
ldapSync.scheduleWithFixedDelay(() -> load(context), syncInterval, syncInterval, TimeUnit.MILLISECONDS);
} catch (final AuthorizationAccessException e) {
throw new AuthorizerCreationException(e);
}
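Review bot: The new lower bound is declared as a bare millisecond literal (`MINIMUM_SYNC_INTERVAL_MILLISECONDS = 10_000` in the @ -114 hunk) while the operator-facing docs and the rejection message in the @ -370 hunk describe the limit as "10 secs", so the unit relationship has to be re-derived by every reader. Writing it as `private static final long MINIMUM_SYNC_INTERVAL_MILLISECONDS = TimeUnit.SECONDS.toMillis(10);` states the unit at the declaration (TimeUnit is already used in this class), and a one-line comment such as `// Rejects the sub-second intervals previously used to work around NIFI-4667; see "Sync Interval" in the admin guide` records why the floor exists. The `'%d ms'` in the error string is correct but worth reading against the docs, which quote the same minimum as "10 secs", so a mismatch between the two is easy to miss if either changes later. The method enclosing these checks starts before the @ -370 hunk and ends after the @ -385 hunk.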