diff --git a/nifi-docs/src/main/asciidoc/administration-guide.adoc b/nifi-docs/src/main/asciidoc/administration-guide.adoc
index 5322d860d3..14587f2406 100644
--- a/nifi-docs/src/main/asciidoc/administration-guide.adoc
+++ b/nifi-docs/src/main/asciidoc/administration-guide.adoc
@@ -295,6 +295,7 @@ Below is an example and description of configuring a Login Identity Provider tha
+ USE_DN
12 hours
----
@@ -326,6 +327,8 @@ nifi.security.user.login.identity.provider=ldap-provider
|`Url` | Url of the LDAP servier (i.e. ldap://:).
|`User Search Base` | Base DN for searching for users (i.e. CN=Users,DC=example,DC=com).
|`User Search Filter` | Filter for searching for users against the 'User Search Base'. (i.e. sAMAccountName={0}). The user specified name is inserted into '{0}'.
+|`Identity Strategy` | Strategy to identify users. Possible values are USE_DN and USE_USERNAME. The default functionality if this property is missing is USE_DN in order to retain backward
+compatibility. USE_DN will use the full DN of the user entry if possible. USE_USERNAME will use the username the user logged in with.
|`Authentication Expiration` | The duration of how long the user authentication is valid for. If the user never logs out, they will be required to log back in following this duration.
|==================================================================================================================================================
diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-resources/src/main/resources/conf/login-identity-providers.xml b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-resources/src/main/resources/conf/login-identity-providers.xml
index a2beb4ce81..828868ac8e 100644
--- a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-resources/src/main/resources/conf/login-identity-providers.xml
+++ b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-resources/src/main/resources/conf/login-identity-providers.xml
@@ -54,7 +54,11 @@
'User Search Base' - Base DN for searching for users (i.e. CN=Users,DC=example,DC=com).
'User Search Filter' - Filter for searching for users against the 'User Search Base'.
(i.e. sAMAccountName={0}). The user specified name is inserted into '{0}'.
-
+
+ 'Identity Strategy' - Strategy to identify users. Possible values are USE_DN and USE_USERNAME.
+ The default functionality if this property is missing is USE_DN in order to retain
+ backward compatibility. USE_DN will use the full DN of the user entry if possible.
+ USE_USERNAME will use the username the user logged in with.
'Authentication Expiration' - The duration of how long the user authentication is valid
for. If the user never logs out, they will be required to log back in following
this duration.
@@ -86,6 +90,7 @@
+ USE_DN
12 hours
To enable the ldap-provider remove 2 lines. This is 2 of 2. -->
diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/contextlistener/ApplicationStartupContextListener.java b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/contextlistener/ApplicationStartupContextListener.java
index ae0fcaf77f..6ce7cb4f8d 100644
--- a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/contextlistener/ApplicationStartupContextListener.java
+++ b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/contextlistener/ApplicationStartupContextListener.java
@@ -16,11 +16,8 @@
*/
package org.apache.nifi.web.contextlistener;
-import java.io.IOException;
-
-import javax.servlet.ServletContextEvent;
-import javax.servlet.ServletContextListener;
-
+import org.apache.nifi.authentication.LoginIdentityProvider;
+import org.apache.nifi.authorization.Authorizer;
import org.apache.nifi.cluster.coordination.http.replication.RequestReplicator;
import org.apache.nifi.controller.FlowController;
import org.apache.nifi.controller.repository.RepositoryPurgeException;
@@ -33,6 +30,10 @@ import org.springframework.beans.BeansException;
import org.springframework.context.ApplicationContext;
import org.springframework.web.context.support.WebApplicationContextUtils;
+import javax.servlet.ServletContextEvent;
+import javax.servlet.ServletContextListener;
+import java.io.IOException;
+
/**
* Application context listener for starting the application. If the application is configured for a standalone environment or the application is a node in a clustered environment then a flow
* controller is created and managed. Otherwise, we assume the application is running as the cluster manager in a clustered environment. In this case, the cluster manager is created and managed.
@@ -80,16 +81,16 @@ public class ApplicationStartupContextListener implements ServletContextListener
logger.info("Flow Controller started successfully.");
}
} catch (BeansException | RepositoryPurgeException | IOException e) {
- // ensure the flow service is terminated
- if (flowService != null && flowService.isRunning()) {
- flowService.stop(false);
- }
-
- final RequestReplicator requestReplicator = ctx.getBean("requestReplicator", RequestReplicator.class);
- if (requestReplicator != null) {
- requestReplicator.shutdown();
- }
+ shutdown(flowService, ctx.getBean("requestReplicator", RequestReplicator.class));
+ throw new NiFiCoreException("Unable to start Flow Controller.", e);
+ }
+ try {
+ // attempt to get a few beans that we want to to ensure properly created since they are lazily initialized
+ ctx.getBean("loginIdentityProvider", LoginIdentityProvider.class);
+ ctx.getBean("authorizer", Authorizer.class);
+ } catch (final BeansException e) {
+ shutdown(flowService, ctx.getBean("requestReplicator", RequestReplicator.class));
throw new NiFiCoreException("Unable to start Flow Controller.", e);
}
}
@@ -97,23 +98,34 @@ public class ApplicationStartupContextListener implements ServletContextListener
@Override
public void contextDestroyed(ServletContextEvent sce) {
ApplicationContext ctx = WebApplicationContextUtils.getWebApplicationContext(sce.getServletContext());
- try {
- logger.info("Initiating shutdown of flow service...");
- FlowService flowService = ctx.getBean("flowService", FlowService.class);
- if (flowService.isRunning()) {
+ logger.info("Initiating shutdown of flow service...");
+ shutdown(ctx.getBean("flowService", FlowService.class), ctx.getBean("requestReplicator", RequestReplicator.class));
+ logger.info("Flow service termination completed.");
+ }
+
+ private void shutdown(final FlowService flowService, final RequestReplicator requestReplicator) {
+ try {
+ // ensure the flow service is terminated
+ if (flowService != null && flowService.isRunning()) {
flowService.stop(false);
}
+ } catch (final Exception e) {
+ final String msg = "Problem occurred ensuring flow controller or repository was properly terminated due to " + e;
+ if (logger.isDebugEnabled()) {
+ logger.warn(msg, e);
+ } else {
+ logger.warn(msg);
+ }
+ }
- final RequestReplicator requestReplicator = ctx.getBean("requestReplicator", RequestReplicator.class);
+ try {
+ // ensure the request replicator is shutdown
if (requestReplicator != null) {
requestReplicator.shutdown();
}
-
- logger.info("Flow service termination completed.");
-
} catch (final Exception e) {
- String msg = "Problem occurred ensuring flow controller or repository was properly terminated due to " + e;
+ final String msg = "Problem occurred ensuring request replicator was properly terminated due to " + e;
if (logger.isDebugEnabled()) {
logger.warn(msg, e);
} else {
diff --git a/nifi-nar-bundles/nifi-ldap-iaa-providers-bundle/nifi-ldap-iaa-providers/src/main/java/org/apache/nifi/ldap/IdentityStrategy.java b/nifi-nar-bundles/nifi-ldap-iaa-providers-bundle/nifi-ldap-iaa-providers/src/main/java/org/apache/nifi/ldap/IdentityStrategy.java
new file mode 100644
index 0000000000..8a4af5fa03
--- /dev/null
+++ b/nifi-nar-bundles/nifi-ldap-iaa-providers-bundle/nifi-ldap-iaa-providers/src/main/java/org/apache/nifi/ldap/IdentityStrategy.java
@@ -0,0 +1,26 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.nifi.ldap;
+
+/**
+ *
+ */
+public enum IdentityStrategy {
+
+ USE_DN,
+ USE_USERNAME;
+}
diff --git a/nifi-nar-bundles/nifi-ldap-iaa-providers-bundle/nifi-ldap-iaa-providers/src/main/java/org/apache/nifi/ldap/LdapProvider.java b/nifi-nar-bundles/nifi-ldap-iaa-providers-bundle/nifi-ldap-iaa-providers/src/main/java/org/apache/nifi/ldap/LdapProvider.java
index fdef62021d..43387830f3 100644
--- a/nifi-nar-bundles/nifi-ldap-iaa-providers-bundle/nifi-ldap-iaa-providers/src/main/java/org/apache/nifi/ldap/LdapProvider.java
+++ b/nifi-nar-bundles/nifi-ldap-iaa-providers-bundle/nifi-ldap-iaa-providers/src/main/java/org/apache/nifi/ldap/LdapProvider.java
@@ -68,6 +68,7 @@ public class LdapProvider implements LoginIdentityProvider {
private AbstractLdapAuthenticationProvider provider;
private String issuer;
private long expiration;
+ private IdentityStrategy identityStrategy;
@Override
public final void initialize(final LoginIdentityProviderInitializationContext initializationContext) throws ProviderCreationException {
@@ -195,7 +196,8 @@ public class LdapProvider implements LoginIdentityProvider {
rawReferralStrategy, StringUtils.join(ReferralStrategy.values(), ", ")));
}
- context.setReferral(referralStrategy.toString());
+ // using the value as this needs to be the lowercase version while the value is configured with the enum constant
+ context.setReferral(referralStrategy.getValue());
// url
final String url = configurationContext.getProperty("Url");
@@ -221,6 +223,24 @@ public class LdapProvider implements LoginIdentityProvider {
final BindAuthenticator authenticator = new BindAuthenticator(context);
authenticator.setUserSearch(userSearch);
+ // identity strategy
+ final String rawIdentityStrategy = configurationContext.getProperty("Identity Strategy");
+
+ if (StringUtils.isBlank(rawIdentityStrategy)) {
+ logger.info(String.format("Identity Strategy is not configured, defaulting strategy to %s.", IdentityStrategy.USE_DN));
+
+ // if this value is not configured, default to use dn which was the previous implementation
+ identityStrategy = IdentityStrategy.USE_DN;
+ } else {
+ try {
+ // attempt to get the configured identity strategy
+ identityStrategy = IdentityStrategy.valueOf(rawIdentityStrategy);
+ } catch (final IllegalArgumentException iae) {
+ throw new ProviderCreationException(String.format("Unrecognized identity strategy '%s'. Possible values are [%s]",
+ rawIdentityStrategy, StringUtils.join(IdentityStrategy.values(), ", ")));
+ }
+ }
+
try {
// handling initializing beans
context.afterPropertiesSet();
@@ -260,10 +280,16 @@ public class LdapProvider implements LoginIdentityProvider {
final UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken(credentials.getUsername(), credentials.getPassword());
final Authentication authentication = provider.authenticate(token);
- // attempt to get the ldap user details to get the DN
- if (authentication.getPrincipal() instanceof LdapUserDetails) {
- final LdapUserDetails userDetails = (LdapUserDetails) authentication.getPrincipal();
- return new AuthenticationResponse(userDetails.getDn(), credentials.getUsername(), expiration, issuer);
+ // use dn if configured
+ if (IdentityStrategy.USE_DN.equals(identityStrategy)) {
+ // attempt to get the ldap user details to get the DN
+ if (authentication.getPrincipal() instanceof LdapUserDetails) {
+ final LdapUserDetails userDetails = (LdapUserDetails) authentication.getPrincipal();
+ return new AuthenticationResponse(userDetails.getDn(), credentials.getUsername(), expiration, issuer);
+ } else {
+ logger.warn(String.format("Unable to determine user DN for %s, using username.", authentication.getName()));
+ return new AuthenticationResponse(authentication.getName(), credentials.getUsername(), expiration, issuer);
+ }
} else {
return new AuthenticationResponse(authentication.getName(), credentials.getUsername(), expiration, issuer);
}
diff --git a/nifi-nar-bundles/nifi-ldap-iaa-providers-bundle/nifi-ldap-iaa-providers/src/main/java/org/apache/nifi/ldap/ReferralStrategy.java b/nifi-nar-bundles/nifi-ldap-iaa-providers-bundle/nifi-ldap-iaa-providers/src/main/java/org/apache/nifi/ldap/ReferralStrategy.java
index e2e3873e52..b21eb41ff7 100644
--- a/nifi-nar-bundles/nifi-ldap-iaa-providers-bundle/nifi-ldap-iaa-providers/src/main/java/org/apache/nifi/ldap/ReferralStrategy.java
+++ b/nifi-nar-bundles/nifi-ldap-iaa-providers-bundle/nifi-ldap-iaa-providers/src/main/java/org/apache/nifi/ldap/ReferralStrategy.java
@@ -31,8 +31,7 @@ public enum ReferralStrategy {
this.value = value;
}
- @Override
- public String toString() {
+ public String getValue() {
return value;
}