NIFI-4667 Fix LDAP Sync Interval

Corrects time unit conversion for the Sync Interval config property
for LdapUserGroupProvider in authorizers.xml.

Also enforces a minimum value of 10 secs for the Sync Interval to help
catch unintentional misconfigurations, for example users upgrading
from previous versions, where tiny Sync Interval values could be set
as a workaround for NIFI-4667.

This closes #2341
Kevin Doran 2017-12-13 15:27:00 -05:00 committed by Matt Gilman
parent d7347a2dc3
commit 2608351113
No known key found for this signature in database
GPG Key ID: DF61EC19432AEE37
3 changed files with 10 additions and 5 deletions


@ -498,7 +498,7 @@ Another option for the UserGroupProvider is the LdapUserGroupProvider. By defaul
* Read Timeout - Duration of read timeout. (i.e. 10 secs). * Read Timeout - Duration of read timeout. (i.e. 10 secs).
* Url - Space-separated list of URLs of the LDAP servers (i.e. ldap://<hostname>:<port>). * Url - Space-separated list of URLs of the LDAP servers (i.e. ldap://<hostname>:<port>).
* Page Size - Sets the page size when retrieving users and groups. If not specified, no paging is performed. * Page Size - Sets the page size when retrieving users and groups. If not specified, no paging is performed.
* Sync Interval - Duration of time between syncing users and groups. (i.e. 30 mins). * Sync Interval - Duration of time between syncing users and groups. (i.e. 30 mins). Minimum allowable value is 10 secs.
* User Search Base - Base DN for searching for users (i.e. ou=users,o=nifi). Required to search users. * User Search Base - Base DN for searching for users (i.e. ou=users,o=nifi). Required to search users.
* User Object Class - Object class for identifying users (i.e. person). Required if searching users. * User Object Class - Object class for identifying users (i.e. person). Required if searching users.
* User Search Scope - Search scope for searching users (ONE_LEVEL, OBJECT, or SUBTREE). Required if searching users. * User Search Scope - Search scope for searching users (ONE_LEVEL, OBJECT, or SUBTREE). Required if searching users.


@ -86,7 +86,7 @@
'Url' - Space-separated list of URLs of the LDAP servers (i.e. ldap://<hostname>:<port>). 'Url' - Space-separated list of URLs of the LDAP servers (i.e. ldap://<hostname>:<port>).
'Page Size' - Sets the page size when retrieving users and groups. If not specified, no paging is performed. 'Page Size' - Sets the page size when retrieving users and groups. If not specified, no paging is performed.
'Sync Interval' - Duration of time between syncing users and groups. (i.e. 30 mins). 'Sync Interval' - Duration of time between syncing users and groups (i.e. 30 mins). Minimum allowable value is 10 secs.
'User Search Base' - Base DN for searching for users (i.e. ou=users,o=nifi). Required to search users. 'User Search Base' - Base DN for searching for users (i.e. ou=users,o=nifi). Required to search users.
'User Object Class' - Object class for identifying users (i.e. person). Required if searching users. 'User Object Class' - Object class for identifying users (i.e. person). Required if searching users.


@ -30,13 +30,13 @@ import org.apache.nifi.authorization.exception.AuthorizerCreationException;
import org.apache.nifi.authorization.util.IdentityMapping; import org.apache.nifi.authorization.util.IdentityMapping;
import org.apache.nifi.authorization.util.IdentityMappingUtil; import org.apache.nifi.authorization.util.IdentityMappingUtil;
import org.apache.nifi.components.PropertyValue; import org.apache.nifi.components.PropertyValue;
import org.apache.nifi.util.NiFiProperties;
import org.apache.nifi.ldap.LdapAuthenticationStrategy; import org.apache.nifi.ldap.LdapAuthenticationStrategy;
import org.apache.nifi.ldap.LdapsSocketFactory; import org.apache.nifi.ldap.LdapsSocketFactory;
import org.apache.nifi.ldap.ReferralStrategy; import org.apache.nifi.ldap.ReferralStrategy;
import org.apache.nifi.security.util.SslContextFactory; import org.apache.nifi.security.util.SslContextFactory;
import org.apache.nifi.security.util.SslContextFactory.ClientAuth; import org.apache.nifi.security.util.SslContextFactory.ClientAuth;
import org.apache.nifi.util.FormatUtils; import org.apache.nifi.util.FormatUtils;
import org.apache.nifi.util.NiFiProperties;
import org.slf4j.Logger; import org.slf4j.Logger;
import org.slf4j.LoggerFactory; import org.slf4j.LoggerFactory;
import org.springframework.ldap.control.PagedResultsDirContextProcessor; import org.springframework.ldap.control.PagedResultsDirContextProcessor;
@ -114,6 +114,7 @@ public class LdapUserGroupProvider implements UserGroupProvider {
public static final String PROP_GROUP_MEMBER_REFERENCED_USER_ATTRIBUTE = "Group Member Attribute - Referenced User Attribute"; public static final String PROP_GROUP_MEMBER_REFERENCED_USER_ATTRIBUTE = "Group Member Attribute - Referenced User Attribute";
public static final String PROP_SYNC_INTERVAL = "Sync Interval"; public static final String PROP_SYNC_INTERVAL = "Sync Interval";
private static final long MINIMUM_SYNC_INTERVAL_MILLISECONDS = 10_000;
private List<IdentityMapping> identityMappings; private List<IdentityMapping> identityMappings;
private NiFiProperties properties; private NiFiProperties properties;
@ -370,8 +371,12 @@ public class LdapUserGroupProvider implements UserGroupProvider {
} catch (final IllegalArgumentException iae) { } catch (final IllegalArgumentException iae) {
throw new AuthorizerCreationException(String.format("The %s '%s' is not a valid time duration", PROP_SYNC_INTERVAL, rawSyncInterval.getValue())); throw new AuthorizerCreationException(String.format("The %s '%s' is not a valid time duration", PROP_SYNC_INTERVAL, rawSyncInterval.getValue()));
} }
if (syncInterval < MINIMUM_SYNC_INTERVAL_MILLISECONDS) {
throw new AuthorizerCreationException(String.format("The %s '%s' is below the minimum value of '%d ms'",
PROP_SYNC_INTERVAL, rawSyncInterval.getValue(), MINIMUM_SYNC_INTERVAL_MILLISECONDS));
}
} else { } else {
throw new AuthorizerCreationException("The 'Sync Interval' must be specified."); throw new AuthorizerCreationException(String.format("The '%s' must be specified.", PROP_SYNC_INTERVAL));
} }
try { try {
@ -385,7 +390,7 @@ public class LdapUserGroupProvider implements UserGroupProvider {
} }
// schedule the background thread to load the users/groups // schedule the background thread to load the users/groups
ldapSync.scheduleWithFixedDelay(() -> load(context), syncInterval, syncInterval, TimeUnit.SECONDS); ldapSync.scheduleWithFixedDelay(() -> load(context), syncInterval, syncInterval, TimeUnit.MILLISECONDS);
} catch (final AuthorizationAccessException e) { } catch (final AuthorizationAccessException e) {
throw new AuthorizerCreationException(e); throw new AuthorizerCreationException(e);
} }
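Review bot: The new minimum check at `if (syncInterval < MINIMUM_SYNC_INTERVAL_MILLISECONDS)` is only meaningful if `syncInterval` is already held in milliseconds, and the parsing call that fills it (presumably `FormatUtils.getTimeDuration`, given the `IllegalArgumentException` catch just above) sits outside the hunk, so the unit agreement between that call, the new constant and the `TimeUnit.MILLISECONDS` now passed to `scheduleWithFixedDelay` is not visible where the guard lives. A comment on the constant declaration would pin that contract for the next maintainer: `// Unit must match the TimeUnit passed to FormatUtils.getTimeDuration(...) and to scheduleWithFixedDelay(...) below.` The rejection message reports the limit as `'%d ms'` while the property is documented in human-readable durations ("10 secs"); stating the limit in the documented form would be friendlier, though that is cosmetic. The enclosing method starts and ends outside these hunks.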