From 6bc6f955c077bd4ce3bf06de15ac8693725ebc85 Mon Sep 17 00:00:00 2001 From: Matt Gilman Date: Mon, 12 Jun 2017 16:53:56 -0400 Subject: [PATCH] NIFI-4059: - Introducing the LdapUserGroupProvider. - Updating documentation accordingly. - Moving the IdentityMapping utilities so they were accessible. Signed-off-by: Pierre Villard This closes #1923. --- nifi-commons/nifi-security-utils/pom.xml | 4 + .../authorization/util/IdentityMapping.java | 0 .../util/IdentityMappingUtil.java | 0 .../main/asciidoc/administration-guide.adoc | 98 +++ .../nifi-file-authorizer/pom.xml | 4 + .../src/main/resources/conf/authorizers.xml | 100 +++ .../nifi-framework/nifi-site-to-site/pom.xml | 4 + .../nifi-ldap-iaa-providers/pom.xml | 15 + .../ldap/tenants/LdapUserGroupProvider.java | 748 ++++++++++++++++++ .../apache/nifi/ldap/tenants/SearchScope.java | 28 + .../nifi/ldap/tenants/TenantHolder.java | 165 ++++ ...pache.nifi.authorization.UserGroupProvider | 15 + .../tenants/LdapUserGroupProviderTest.java | 552 +++++++++++++ .../src/test/resources/nifi-example.ldif | 136 ++++ 14 files changed, 1869 insertions(+) rename {nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-framework-authorization => nifi-commons/nifi-security-utils}/src/main/java/org/apache/nifi/authorization/util/IdentityMapping.java (100%) rename {nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-framework-authorization => nifi-commons/nifi-security-utils}/src/main/java/org/apache/nifi/authorization/util/IdentityMappingUtil.java (100%) create mode 100644 nifi-nar-bundles/nifi-ldap-iaa-providers-bundle/nifi-ldap-iaa-providers/src/main/java/org/apache/nifi/ldap/tenants/LdapUserGroupProvider.java create mode 100644 nifi-nar-bundles/nifi-ldap-iaa-providers-bundle/nifi-ldap-iaa-providers/src/main/java/org/apache/nifi/ldap/tenants/SearchScope.java create mode 100644 nifi-nar-bundles/nifi-ldap-iaa-providers-bundle/nifi-ldap-iaa-providers/src/main/java/org/apache/nifi/ldap/tenants/TenantHolder.java create mode 100755 nifi-nar-bundles/nifi-ldap-iaa-providers-bundle/nifi-ldap-iaa-providers/src/main/resources/META-INF/services/org.apache.nifi.authorization.UserGroupProvider create mode 100644 nifi-nar-bundles/nifi-ldap-iaa-providers-bundle/nifi-ldap-iaa-providers/src/test/java/org/apache/nifi/ldap/tenants/LdapUserGroupProviderTest.java create mode 100644 nifi-nar-bundles/nifi-ldap-iaa-providers-bundle/nifi-ldap-iaa-providers/src/test/resources/nifi-example.ldif diff --git a/nifi-commons/nifi-security-utils/pom.xml b/nifi-commons/nifi-security-utils/pom.xml index b8f830a8f4..5c9acc3c2c 100644 --- a/nifi-commons/nifi-security-utils/pom.xml +++ b/nifi-commons/nifi-security-utils/pom.xml @@ -55,6 +55,10 @@ org.bouncycastle bcpkix-jdk15on + + org.apache.nifi + nifi-properties + diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-framework-authorization/src/main/java/org/apache/nifi/authorization/util/IdentityMapping.java b/nifi-commons/nifi-security-utils/src/main/java/org/apache/nifi/authorization/util/IdentityMapping.java similarity index 100% rename from nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-framework-authorization/src/main/java/org/apache/nifi/authorization/util/IdentityMapping.java rename to nifi-commons/nifi-security-utils/src/main/java/org/apache/nifi/authorization/util/IdentityMapping.java diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-framework-authorization/src/main/java/org/apache/nifi/authorization/util/IdentityMappingUtil.java b/nifi-commons/nifi-security-utils/src/main/java/org/apache/nifi/authorization/util/IdentityMappingUtil.java similarity index 100% rename from nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-framework-authorization/src/main/java/org/apache/nifi/authorization/util/IdentityMappingUtil.java rename to nifi-commons/nifi-security-utils/src/main/java/org/apache/nifi/authorization/util/IdentityMappingUtil.java diff --git a/nifi-docs/src/main/asciidoc/administration-guide.adoc b/nifi-docs/src/main/asciidoc/administration-guide.adoc index 37283bd10d..d3edbda860 100644 --- a/nifi-docs/src/main/asciidoc/administration-guide.adoc +++ b/nifi-docs/src/main/asciidoc/administration-guide.adoc @@ -395,6 +395,39 @@ The default UserGroupProvider is the FileUserGroupProvider, however, you can dev * Legacy Authorized Users File - The full path to an existing authorized-users.xml that will be automatically be used to load the users and groups into the Users File. * Initial User Identity - The identity of a users and systems to seed the Users File. The name of each property must be unique, for example: "Initial User Identity A", "Initial User Identity B", "Initial User Identity C" or "Initial User Identity 1", "Initial User Identity 2", "Initial User Identity 3" +Another option for the UserGroupProvider is the LdapUserGroupProvider. By default, this option is commented out but can be configured in lieu of the FileUserGroupProvider. This will sync users and groups from a directory server and will present them in NiFi UI in read only form. The LdapUserGroupProvider has the following properties: + +* Authentication Strategy - How the connection to the LDAP server is authenticated. Possible values are ANONYMOUS, SIMPLE, LDAPS, or START_TLS +* Manager DN - The DN of the manager that is used to bind to the LDAP server to search for users. +* Manager Password - The password of the manager that is used to bind to the LDAP server to search for users. +* TLS - Keystore - Path to the Keystore that is used when connecting to LDAP using LDAPS or START_TLS. +* TLS - Keystore Password - Password for the Keystore that is used when connecting to LDAP using LDAPS or START_TLS. +* TLS - Keystore Type - Type of the Keystore that is used when connecting to LDAP using LDAPS or START_TLS (i.e. JKS or PKCS12). +* TLS - Truststore - Path to the Truststore that is used when connecting to LDAP using LDAPS or START_TLS. +* TLS - Truststore Password - Password for the Truststore that is used when connecting to LDAP using LDAPS or START_TLS. +* TLS - Truststore Type - Type of the Truststore that is used when connecting to LDAP using LDAPS or START_TLS (i.e. JKS or PKCS12). +* TLS - Client Auth - Client authentication policy when connecting to LDAP using LDAPS or START_TLS. Possible values are REQUIRED, WANT, NONE. +* TLS - Protocol - Protocol to use when connecting to LDAP using LDAPS or START_TLS. (i.e. TLS, TLSv1.1, TLSv1.2, etc). +* TLS - Shutdown Gracefully - Specifies whether the TLS should be shut down gracefully before the target context is closed. Defaults to false. +* Referral Strategy - Strategy for handling referrals. Possible values are FOLLOW, IGNORE, THROW. +* Connect Timeout - Duration of connect timeout. (i.e. 10 secs). +* Read Timeout - Duration of read timeout. (i.e. 10 secs). +* Url - Space-separated list of URLs of the LDAP servers (i.e. ldap://:). +* Page Size - Sets the page size when retrieving users and groups. If not specified, no paging is performed. +* Sync Interval - Duration of time between syncing users and groups. (i.e. 30 mins). +* User Search Base - Base DN for searching for users (i.e. ou=users,o=nifi). Required to search users. +* User Object Class - Object class for identifying users (i.e. person). Required if searching users. +* User Search Scope - Search scope for searching users (ONE_LEVEL, OBJECT, or SUBTREE). Required if searching users. +* User Search Filter - Filter for searching for users against the 'User Search Base' (i.e. (memberof=cn=team1,ou=groups,o=nifi) ). Optional. +* User Identity Attribute - Attribute to use to extract user identity (i.e. cn). Optional. If not set, the entire DN is used. +* User Group Name Attribute - Attribute to use to define group membership (i.e. memberof). Optional. If not set group membership will not be calculated through the users. Will rely on group membership being defined through 'Group Member Attribute' if set. +* Group Search Base - Base DN for searching for groups (i.e. ou=groups,o=nifi). Required to search groups. +* Group Object Class - Object class for identifying groups (i.e. groupOfNames). Required if searching groups. +* Group Search Scope - Search scope for searching groups (ONE_LEVEL, OBJECT, or SUBTREE). Required if searching groups. +* Group Search Filter - Filter for searching for groups against the 'Group Search Base'. Optional. +* Group Name Attribute - Attribute to use to extract group name (i.e. cn). Optional. If not set, the entire DN is used. +* Group Member Attribute - Attribute to use to define group membership (i.e. member). Optional. If not set group membership will not be calculated through the groups. Will rely on group member being defined through 'User Group Name Attribute' if set. + The default AccessPolicyProvider is the FileAccessPolicyProvider, however, you can develop additional AccessPolicyProvider as extensions. The FileAccessPolicyProvider has the following properties: * User Group Provider - The identifier for an User Group Provider defined above that will be used to access users and groups for use in the managed access policies. @@ -488,6 +521,71 @@ After you have edited and saved the 'authorizers.xml' file, restart NiFi. The NOTE: For a brand new secure flow, providing the "Initial Admin Identity" gives that user access to get into the UI and to manage users, groups and policies. But if that user wants to start modifying the flow, they need to grant themselves policies for the root process group. The system is unable to do this automatically because in a new flow the UUID of the root process group is not permanent until the flow.xml.gz is generated. If the NiFi instance is an upgrade from an existing flow.xml.gz or a 1.x instance going from unsecure to secure, then the "Initial Admin Identity" user is automatically given the privileges to modify the flow. +Here is an example loading users and groups from LDAP but still using file based access policies: + +---- + + + ldap-user-group-provider + org.apache.nifi.ldap.tenants.LdapUserGroupProvider + ANONYMOUS + + + + + + + + + + + + + + + FOLLOW + 10 secs + 10 secs + + ldap://localhost:10389 + + 30 mins + + ou=users,o=nifi + person + ONE_LEVEL + + cn + + + ou=groups,o=nifi + groupOfNames + ONE_LEVEL + + cn + member + + + file-access-policy-provider + org.apache.nifi.authorization.FileAccessPolicyProvider + ldap-user-group-provider + ./conf/authorizations.xml + John Smith + + + + + + managed-authorizer + org.apache.nifi.authorization.StandardManagedAuthorizer + file-access-policy-provider + + +---- + +The 'Initial Admin Identity' value would have loaded from the cn from John Smith's entry based on the 'User Identity Attribute' value. + + [[legacy-authorized-users]] Legacy Authorized Users (NiFi Instance Upgrade) ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-file-authorizer/pom.xml b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-file-authorizer/pom.xml index bba0413aec..cbc3192ee0 100644 --- a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-file-authorizer/pom.xml +++ b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-file-authorizer/pom.xml @@ -100,6 +100,10 @@ org.apache.nifi nifi-utils + + org.apache.nifi + nifi-security-utils + org.apache.nifi nifi-properties diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-resources/src/main/resources/conf/authorizers.xml b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-resources/src/main/resources/conf/authorizers.xml index 247c0e8667..1cf29b18e6 100644 --- a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-resources/src/main/resources/conf/authorizers.xml +++ b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-resources/src/main/resources/conf/authorizers.xml @@ -52,6 +52,106 @@ + + +