From 2608351113f22490f724e5816a01c688bd8cbe92 Mon Sep 17 00:00:00 2001 From: Kevin Doran Date: Wed, 13 Dec 2017 15:27:00 -0500 Subject: [PATCH] NIFI-4667 Fix LDAP Sync Interval Corrects time unit conversion for the Sync Interval config property for LdapUserGroupProvider in authorizers.xml. Also enforces a minimum value of 10 secs for the Sync Interval to help catch unintentional misconfigurations, for example users upgrading from previous versions, where tiny Sync Interval values could be set as a workaround for NIFI-4667. This closes #2341 --- nifi-docs/src/main/asciidoc/administration-guide.adoc | 2 +- .../src/main/resources/conf/authorizers.xml | 2 +- .../nifi/ldap/tenants/LdapUserGroupProvider.java | 11 ++++++++--- 3 files changed, 10 insertions(+), 5 deletions(-) diff --git a/nifi-docs/src/main/asciidoc/administration-guide.adoc b/nifi-docs/src/main/asciidoc/administration-guide.adoc index 5a24bfec8e..2695c21449 100644 --- a/nifi-docs/src/main/asciidoc/administration-guide.adoc +++ b/nifi-docs/src/main/asciidoc/administration-guide.adoc @@ -498,7 +498,7 @@ Another option for the UserGroupProvider is the LdapUserGroupProvider. By defaul * Read Timeout - Duration of read timeout. (i.e. 10 secs). * Url - Space-separated list of URLs of the LDAP servers (i.e. ldap://:). * Page Size - Sets the page size when retrieving users and groups. If not specified, no paging is performed. -* Sync Interval - Duration of time between syncing users and groups. (i.e. 30 mins). +* Sync Interval - Duration of time between syncing users and groups. (i.e. 30 mins). Minimum allowable value is 10 secs. * User Search Base - Base DN for searching for users (i.e. ou=users,o=nifi). Required to search users. * User Object Class - Object class for identifying users (i.e. person). Required if searching users. * User Search Scope - Search scope for searching users (ONE_LEVEL, OBJECT, or SUBTREE). Required if searching users. 
diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-resources/src/main/resources/conf/authorizers.xml b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-resources/src/main/resources/conf/authorizers.xml index 830a2ede7a..3808404459 100644 --- a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-resources/src/main/resources/conf/authorizers.xml +++ b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-resources/src/main/resources/conf/authorizers.xml @@ -86,7 +86,7 @@ 'Url' - Space-separated list of URLs of the LDAP servers (i.e. ldap://:). 'Page Size' - Sets the page size when retrieving users and groups. If not specified, no paging is performed. - 'Sync Interval' - Duration of time between syncing users and groups. (i.e. 30 mins). + 'Sync Interval' - Duration of time between syncing users and groups (i.e. 30 mins). Minimum allowable value is 10 secs. 'User Search Base' - Base DN for searching for users (i.e. ou=users,o=nifi). Required to search users. 'User Object Class' - Object class for identifying users (i.e. person). Required if searching users. diff --git a/nifi-nar-bundles/nifi-ldap-iaa-providers-bundle/nifi-ldap-iaa-providers/src/main/java/org/apache/nifi/ldap/tenants/LdapUserGroupProvider.java b/nifi-nar-bundles/nifi-ldap-iaa-providers-bundle/nifi-ldap-iaa-providers/src/main/java/org/apache/nifi/ldap/tenants/LdapUserGroupProvider.java index ba7c4a922e..1d2b3445d5 100644 --- a/nifi-nar-bundles/nifi-ldap-iaa-providers-bundle/nifi-ldap-iaa-providers/src/main/java/org/apache/nifi/ldap/tenants/LdapUserGroupProvider.java +++ b/nifi-nar-bundles/nifi-ldap-iaa-providers-bundle/nifi-ldap-iaa-providers/src/main/java/org/apache/nifi/ldap/tenants/LdapUserGroupProvider.java 
@@ -30,13 +30,13 @@ import org.apache.nifi.authorization.exception.AuthorizerCreationException; import org.apache.nifi.authorization.util.IdentityMapping; import org.apache.nifi.authorization.util.IdentityMappingUtil; import org.apache.nifi.components.PropertyValue; -import org.apache.nifi.util.NiFiProperties; import org.apache.nifi.ldap.LdapAuthenticationStrategy; import org.apache.nifi.ldap.LdapsSocketFactory; import org.apache.nifi.ldap.ReferralStrategy; import org.apache.nifi.security.util.SslContextFactory; import org.apache.nifi.security.util.SslContextFactory.ClientAuth; import org.apache.nifi.util.FormatUtils; +import org.apache.nifi.util.NiFiProperties; import org.slf4j.Logger; import org.slf4j.LoggerFactory; import org.springframework.ldap.control.PagedResultsDirContextProcessor; @@ -114,6 +114,7 @@ public class LdapUserGroupProvider implements UserGroupProvider { public static final String PROP_GROUP_MEMBER_REFERENCED_USER_ATTRIBUTE = "Group Member Attribute - Referenced User Attribute"; public static final String PROP_SYNC_INTERVAL = "Sync Interval"; + private static final long MINIMUM_SYNC_INTERVAL_MILLISECONDS = 10_000; private List identityMappings; private NiFiProperties properties; @@ -370,8 +371,12 @@ public class LdapUserGroupProvider implements UserGroupProvider { } catch (final IllegalArgumentException iae) { throw new AuthorizerCreationException(String.format("The %s '%s' is not a valid time duration", PROP_SYNC_INTERVAL, rawSyncInterval.getValue())); } + if (syncInterval < MINIMUM_SYNC_INTERVAL_MILLISECONDS) { + throw new AuthorizerCreationException(String.format("The %s '%s' is below the minimum value of '%d ms'", + PROP_SYNC_INTERVAL, rawSyncInterval.getValue(), MINIMUM_SYNC_INTERVAL_MILLISECONDS)); + } } else { - throw new AuthorizerCreationException("The 'Sync Interval' must be specified."); + throw new AuthorizerCreationException(String.format("The '%s' must be specified.", PROP_SYNC_INTERVAL)); } try { 
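Review bot: `MINIMUM_SYNC_INTERVAL_MILLISECONDS` in the second hunk (`@@ -114,6 +114,7 @@`) carries its unit only in its name, yet the whole point of this commit is that the interval's unit was silently mismatched with the scheduling call; a comment at the definition would make that coupling explicit for the next person who touches either side. Something like `/** Lower bound for {@link #PROP_SYNC_INTERVAL}, in milliseconds because that is the unit the sync task is scheduled with; rejects tiny intervals set as a workaround before the NIFI-4667 fix. */` captures the rationale the commit message gives but the code does not. The value is now also stated as "10 secs" in the admin guide and authorizers.xml, so the comment should mention that those need updating together with the constant.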
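Review bot: The new `syncInterval < MINIMUM_SYNC_INTERVAL_MILLISECONDS` check in the third hunk (`@@ -370,8 +371,12 @@`) is only correct if `syncInterval` has already been parsed into milliseconds, and the line that does that parsing (presumably a `FormatUtils.getTimeDuration(..., TimeUnit.MILLISECONDS)` call, given the import) sits above the hunk, so the assumption is invisible at the comparison itself. A one-line comment such as `// syncInterval is in milliseconds and must use the same TimeUnit as the ldapSync.scheduleWithFixedDelay call` would tie the two sites together and make a repeat of the original unit mix-up easier to catch in review. The rejection message also reports the floor as `'10000 ms'` while the documentation says `10 secs`; phrasing it as `"The %s '%s' is below the minimum value of %d ms (10 secs)"` spares the operator a conversion when the authorizer fails to start. The enclosing method begins and ends outside this hunk.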
@@ -385,7 +390,7 @@ public class LdapUserGroupProvider implements UserGroupProvider { } // schedule the background thread to load the users/groups - ldapSync.scheduleWithFixedDelay(() -> load(context), syncInterval, syncInterval, TimeUnit.SECONDS); + ldapSync.scheduleWithFixedDelay(() -> load(context), syncInterval, syncInterval, TimeUnit.MILLISECONDS); } catch (final AuthorizationAccessException e) { throw new AuthorizerCreationException(e); }
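Review bot: `ldapSync.scheduleWithFixedDelay(() -> load(context), ...)` on the new side will stop syncing permanently after the first uncaught exception from `load`, because `ScheduledExecutorService` suppresses all further executions of a periodic task once one run throws. Unless `load` already catches everything internally (its body is outside this hunk), a single LDAP outage or read timeout would freeze NiFi's view of users and groups indefinitely, so identities or group memberships removed in LDAP would keep their access — the same exposure the unit fix is meant to close, only now triggered by a transient fault instead of a misconfiguration. The task should catch and log per run so the next interval still fires; the logger name below is inferred from the slf4j imports and should be replaced with whatever this class actually declares. The enclosing method begins outside the hunk.
```java
            // schedule the background thread to load the users/groups; catch per run so a single
            // failed sync does not cancel every later execution (ScheduledExecutorService semantics)
            ldapSync.scheduleWithFixedDelay(() -> {
                try {
                    load(context);
                } catch (final Exception e) {
                    logger.error("Unable to sync users and groups from LDAP; will retry after the configured Sync Interval", e);
                }
            }, syncInterval, syncInterval, TimeUnit.MILLISECONDS);
            // … unchanged: AuthorizationAccessException handling …
```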