NIFI-4667 Fix LDAP Sync Interval
Corrects time unit conversion for the Sync Interval config property for LdapUserGroupProvider in authorizers.xml. Also enforces a minimum value of 10 secs for the Sync Interval to help catch unintentional misconfigurations, for example users upgrading from previous versions, where tiny Sync Interval values could be set as a workaround for NIFI-4667. This closes #2341
This commit is contained in:
parent
d7347a2dc3
commit
2608351113
@ -498,7 +498,7 @@ Another option for the UserGroupProvider is the LdapUserGroupProvider. By defaul
|
||||||
* Read Timeout - Duration of read timeout. (i.e. 10 secs).
|
* Read Timeout - Duration of read timeout. (i.e. 10 secs).
|
||||||
* Url - Space-separated list of URLs of the LDAP servers (i.e. ldap://<hostname>:<port>).
|
* Url - Space-separated list of URLs of the LDAP servers (i.e. ldap://<hostname>:<port>).
|
||||||
* Page Size - Sets the page size when retrieving users and groups. If not specified, no paging is performed.
|
* Page Size - Sets the page size when retrieving users and groups. If not specified, no paging is performed.
|
||||||
* Sync Interval - Duration of time between syncing users and groups. (i.e. 30 mins).
|
* Sync Interval - Duration of time between syncing users and groups. (i.e. 30 mins). Minimum allowable value is 10 secs.
|
||||||
* User Search Base - Base DN for searching for users (i.e. ou=users,o=nifi). Required to search users.
|
* User Search Base - Base DN for searching for users (i.e. ou=users,o=nifi). Required to search users.
|
||||||
* User Object Class - Object class for identifying users (i.e. person). Required if searching users.
|
* User Object Class - Object class for identifying users (i.e. person). Required if searching users.
|
||||||
* User Search Scope - Search scope for searching users (ONE_LEVEL, OBJECT, or SUBTREE). Required if searching users.
|
* User Search Scope - Search scope for searching users (ONE_LEVEL, OBJECT, or SUBTREE). Required if searching users.
|
||||||
|
|
|
@ -86,7 +86,7 @@
|
||||||
|
|
||||||
'Url' - Space-separated list of URLs of the LDAP servers (i.e. ldap://<hostname>:<port>).
|
'Url' - Space-separated list of URLs of the LDAP servers (i.e. ldap://<hostname>:<port>).
|
||||||
'Page Size' - Sets the page size when retrieving users and groups. If not specified, no paging is performed.
|
'Page Size' - Sets the page size when retrieving users and groups. If not specified, no paging is performed.
|
||||||
'Sync Interval' - Duration of time between syncing users and groups. (i.e. 30 mins).
|
'Sync Interval' - Duration of time between syncing users and groups (i.e. 30 mins). Minimum allowable value is 10 secs.
|
||||||
|
|
||||||
'User Search Base' - Base DN for searching for users (i.e. ou=users,o=nifi). Required to search users.
|
'User Search Base' - Base DN for searching for users (i.e. ou=users,o=nifi). Required to search users.
|
||||||
'User Object Class' - Object class for identifying users (i.e. person). Required if searching users.
|
'User Object Class' - Object class for identifying users (i.e. person). Required if searching users.
|
||||||
|
|
|
@ -30,13 +30,13 @@ import org.apache.nifi.authorization.exception.AuthorizerCreationException;
|
||||||
import org.apache.nifi.authorization.util.IdentityMapping;
|
import org.apache.nifi.authorization.util.IdentityMapping;
|
||||||
import org.apache.nifi.authorization.util.IdentityMappingUtil;
|
import org.apache.nifi.authorization.util.IdentityMappingUtil;
|
||||||
import org.apache.nifi.components.PropertyValue;
|
import org.apache.nifi.components.PropertyValue;
|
||||||
import org.apache.nifi.util.NiFiProperties;
|
|
||||||
import org.apache.nifi.ldap.LdapAuthenticationStrategy;
|
import org.apache.nifi.ldap.LdapAuthenticationStrategy;
|
||||||
import org.apache.nifi.ldap.LdapsSocketFactory;
|
import org.apache.nifi.ldap.LdapsSocketFactory;
|
||||||
import org.apache.nifi.ldap.ReferralStrategy;
|
import org.apache.nifi.ldap.ReferralStrategy;
|
||||||
import org.apache.nifi.security.util.SslContextFactory;
|
import org.apache.nifi.security.util.SslContextFactory;
|
||||||
import org.apache.nifi.security.util.SslContextFactory.ClientAuth;
|
import org.apache.nifi.security.util.SslContextFactory.ClientAuth;
|
||||||
import org.apache.nifi.util.FormatUtils;
|
import org.apache.nifi.util.FormatUtils;
|
||||||
|
import org.apache.nifi.util.NiFiProperties;
|
||||||
import org.slf4j.Logger;
|
import org.slf4j.Logger;
|
||||||
import org.slf4j.LoggerFactory;
|
import org.slf4j.LoggerFactory;
|
||||||
import org.springframework.ldap.control.PagedResultsDirContextProcessor;
|
import org.springframework.ldap.control.PagedResultsDirContextProcessor;
|
||||||
|
@ -114,6 +114,7 @@ public class LdapUserGroupProvider implements UserGroupProvider {
|
||||||
public static final String PROP_GROUP_MEMBER_REFERENCED_USER_ATTRIBUTE = "Group Member Attribute - Referenced User Attribute";
|
public static final String PROP_GROUP_MEMBER_REFERENCED_USER_ATTRIBUTE = "Group Member Attribute - Referenced User Attribute";
|
||||||
|
|
||||||
public static final String PROP_SYNC_INTERVAL = "Sync Interval";
|
public static final String PROP_SYNC_INTERVAL = "Sync Interval";
|
||||||
|
private static final long MINIMUM_SYNC_INTERVAL_MILLISECONDS = 10_000;
|
||||||
|
|
||||||
private List<IdentityMapping> identityMappings;
|
private List<IdentityMapping> identityMappings;
|
||||||
private NiFiProperties properties;
|
private NiFiProperties properties;
|
||||||
|
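Review bot: The added constant `MINIMUM_SYNC_INTERVAL_MILLISECONDS = 10_000` carries no comment explaining why ten seconds is the floor, and its value has to stay in step with the "Minimum allowable value is 10 secs" wording this commit adds to the admin guide and authorizers.xml, which nothing in the code ties together. A one-line comment above it would preserve the intent for the next maintainer: `// Floor for 'Sync Interval'; rejects tiny values (e.g. workarounds used before NIFI-4667 was fixed) that would poll the LDAP server near-continuously. Keep in sync with the documented '10 secs'.` Since the floor is only enforced at configuration time, a future change to the documented minimum would need this constant and both documentation strings edited together.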
@ -370,8 +371,12 @@ public class LdapUserGroupProvider implements UserGroupProvider {
|
||||||
} catch (final IllegalArgumentException iae) {
|
} catch (final IllegalArgumentException iae) {
|
||||||
throw new AuthorizerCreationException(String.format("The %s '%s' is not a valid time duration", PROP_SYNC_INTERVAL, rawSyncInterval.getValue()));
|
throw new AuthorizerCreationException(String.format("The %s '%s' is not a valid time duration", PROP_SYNC_INTERVAL, rawSyncInterval.getValue()));
|
||||||
}
|
}
|
||||||
|
if (syncInterval < MINIMUM_SYNC_INTERVAL_MILLISECONDS) {
|
||||||
|
throw new AuthorizerCreationException(String.format("The %s '%s' is below the minimum value of '%d ms'",
|
||||||
|
PROP_SYNC_INTERVAL, rawSyncInterval.getValue(), MINIMUM_SYNC_INTERVAL_MILLISECONDS));
|
||||||
|
}
|
||||||
} else {
|
} else {
|
||||||
throw new AuthorizerCreationException("The 'Sync Interval' must be specified.");
|
throw new AuthorizerCreationException(String.format("The '%s' must be specified.", PROP_SYNC_INTERVAL));
|
||||||
}
|
}
|
||||||
|
|
||||||
try {
|
try {
|
||||||
|
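Review bot: The new check `if (syncInterval < MINIMUM_SYNC_INTERVAL_MILLISECONDS)` assumes syncInterval already holds milliseconds, but the line that parses it and its declaration are above this hunk, so the unit agreement between that parse, this comparison and the `TimeUnit.MILLISECONDS` argument changed in the scheduleWithFixedDelay hunk further down is not visible here and is easy to break silently if one of the three is edited alone; it should be pinned where syncInterval is assigned, e.g. `// syncInterval is in milliseconds; MINIMUM_SYNC_INTERVAL_MILLISECONDS and the scheduler call below rely on this`. The added error message reports the floor as `'%d ms'` while the documentation in this commit states "10 secs"; formatting it as `'%d secs'` via `TimeUnit.MILLISECONDS.toSeconds(MINIMUM_SYNC_INTERVAL_MILLISECONDS)` would keep the log message and the docs consistent for an operator reading the failure. Rejecting sub-minimum values at startup is the right place for it, since a misconfigured interval would otherwise keep a node polling the directory server continuously. The enclosing if/else and the try block begin outside the hunk.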
@ -385,7 +390,7 @@ public class LdapUserGroupProvider implements UserGroupProvider {
|
||||||
}
|
}
|
||||||
|
|
||||||
// schedule the background thread to load the users/groups
|
// schedule the background thread to load the users/groups
|
||||||
ldapSync.scheduleWithFixedDelay(() -> load(context), syncInterval, syncInterval, TimeUnit.SECONDS);
|
ldapSync.scheduleWithFixedDelay(() -> load(context), syncInterval, syncInterval, TimeUnit.MILLISECONDS);
|
||||||
} catch (final AuthorizationAccessException e) {
|
} catch (final AuthorizationAccessException e) {
|
||||||
throw new AuthorizerCreationException(e);
|
throw new AuthorizerCreationException(e);
|
||||||
}
|
}
|
||||||
|
|