mirror of https://github.com/apache/nifi.git
NIFI-655:
- Initial commit of the LDAP based identity providers. - Fixed issue when attempting to log into a NiFi that does not support new account requests.
This commit is contained in:
parent
0281e2773f
commit
cfee612a78
|
@ -172,6 +172,11 @@ language governing permissions and limitations under the License. -->
|
||||||
<artifactId>nifi-flume-nar</artifactId>
|
<artifactId>nifi-flume-nar</artifactId>
|
||||||
<type>nar</type>
|
<type>nar</type>
|
||||||
</dependency>
|
</dependency>
|
||||||
|
<dependency>
|
||||||
|
<groupId>org.apache.nifi</groupId>
|
||||||
|
<artifactId>nifi-ldap-iaa-providers-nar</artifactId>
|
||||||
|
<type>nar</type>
|
||||||
|
</dependency>
|
||||||
<dependency>
|
<dependency>
|
||||||
<groupId>org.apache.nifi</groupId>
|
<groupId>org.apache.nifi</groupId>
|
||||||
<artifactId>nifi-dbcp-service-nar</artifactId>
|
<artifactId>nifi-dbcp-service-nar</artifactId>
|
||||||
|
|
|
@ -205,7 +205,7 @@ public class LoginAuthenticationFilter extends AbstractAuthenticationProcessingF
|
||||||
} else {
|
} else {
|
||||||
response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
|
response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
|
||||||
}
|
}
|
||||||
|
|
||||||
response.setContentType("text/plain");
|
response.setContentType("text/plain");
|
||||||
|
|
||||||
final PrintWriter out = response.getWriter();
|
final PrintWriter out = response.getWriter();
|
||||||
|
|
|
@ -1071,7 +1071,7 @@ nf.Canvas = (function () {
|
||||||
deferred.resolve();
|
deferred.resolve();
|
||||||
}).fail(function (xhr, status, error) {
|
}).fail(function (xhr, status, error) {
|
||||||
// there is no anonymous access and we don't know this user - open the login page which handles login/registration/etc
|
// there is no anonymous access and we don't know this user - open the login page which handles login/registration/etc
|
||||||
if (xhr.status === 401) {
|
if (xhr.status === 401 || xhr.status === 403) {
|
||||||
window.location = '/nifi/login';
|
window.location = '/nifi/login';
|
||||||
} else {
|
} else {
|
||||||
deferred.reject(xhr, status, error);
|
deferred.reject(xhr, status, error);
|
||||||
|
|
|
@ -45,11 +45,11 @@ nf.Login = (function () {
|
||||||
$('#username').val('');
|
$('#username').val('');
|
||||||
$('#password').val('');
|
$('#password').val('');
|
||||||
$('#login-submission-button').text('Log in');
|
$('#login-submission-button').text('Log in');
|
||||||
|
|
||||||
// update the form visibility
|
// update the form visibility
|
||||||
$('#login-container').show();
|
$('#login-container').show();
|
||||||
$('#nifi-registration-container').hide();
|
$('#nifi-registration-container').hide();
|
||||||
|
|
||||||
// set the focus
|
// set the focus
|
||||||
$('#username').focus();
|
$('#username').focus();
|
||||||
};
|
};
|
||||||
|
@ -69,7 +69,7 @@ nf.Login = (function () {
|
||||||
// reset the forms
|
// reset the forms
|
||||||
$('#login-submission-button').text('Submit');
|
$('#login-submission-button').text('Submit');
|
||||||
$('#nifi-registration-justification').val('');
|
$('#nifi-registration-justification').val('');
|
||||||
|
|
||||||
// update the form visibility
|
// update the form visibility
|
||||||
$('#login-container').hide();
|
$('#login-container').hide();
|
||||||
$('#nifi-registration-container').show();
|
$('#nifi-registration-container').show();
|
||||||
|
@ -99,7 +99,7 @@ nf.Login = (function () {
|
||||||
}).done(function (jwt) {
|
}).done(function (jwt) {
|
||||||
// store the jwt and reload the page
|
// store the jwt and reload the page
|
||||||
nf.Storage.setItem('jwt', jwt);
|
nf.Storage.setItem('jwt', jwt);
|
||||||
|
|
||||||
// check to see if they actually have access now
|
// check to see if they actually have access now
|
||||||
$.ajax({
|
$.ajax({
|
||||||
type: 'GET',
|
type: 'GET',
|
||||||
|
@ -112,7 +112,7 @@ nf.Login = (function () {
|
||||||
// show the user
|
// show the user
|
||||||
var user = getJwtSubject(jwt);
|
var user = getJwtSubject(jwt);
|
||||||
$('#nifi-user-submit-justification').text(user);
|
$('#nifi-user-submit-justification').text(user);
|
||||||
|
|
||||||
// show the registration form
|
// show the registration form
|
||||||
initializeNiFiRegistration();
|
initializeNiFiRegistration();
|
||||||
showNiFiRegistration();
|
showNiFiRegistration();
|
||||||
|
@ -130,7 +130,7 @@ nf.Login = (function () {
|
||||||
// show the user
|
// show the user
|
||||||
var user = getJwtSubject(jwt);
|
var user = getJwtSubject(jwt);
|
||||||
$('#nifi-user-submit-justification').text(user);
|
$('#nifi-user-submit-justification').text(user);
|
||||||
|
|
||||||
if (xhr.status === 401) {
|
if (xhr.status === 401) {
|
||||||
initializeNiFiRegistration();
|
initializeNiFiRegistration();
|
||||||
showNiFiRegistration();
|
showNiFiRegistration();
|
||||||
|
@ -219,7 +219,7 @@ nf.Login = (function () {
|
||||||
var logout = function () {
|
var logout = function () {
|
||||||
nf.Storage.removeItem('jwt');
|
nf.Storage.removeItem('jwt');
|
||||||
};
|
};
|
||||||
|
|
||||||
var showLogoutLink = function () {
|
var showLogoutLink = function () {
|
||||||
$('#user-logout-container').show();
|
$('#user-logout-container').show();
|
||||||
};
|
};
|
||||||
|
@ -329,6 +329,29 @@ nf.Login = (function () {
|
||||||
logout();
|
logout();
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// no token granted, user needs to login with their credentials
|
||||||
|
needsLogin = true;
|
||||||
|
}).always(function () {
|
||||||
|
deferred.resolve();
|
||||||
|
});
|
||||||
|
} else if (xhr.status === 403) {
|
||||||
|
// attempt to get a token for the current user without passing login credentials
|
||||||
|
token.done(function () {
|
||||||
|
showMessage = true;
|
||||||
|
|
||||||
|
// the user is logged in with certificate or credentials but their account is pending/revoked. error message should indicate
|
||||||
|
$('#login-message-title').text('Access Denied');
|
||||||
|
if ($.trim(xhr.responseText) === '') {
|
||||||
|
$('#login-message').text('Unable to authorize you to use this NiFi and anonymous access is disabled.');
|
||||||
|
} else {
|
||||||
|
$('#login-message').text(xhr.responseText);
|
||||||
|
}
|
||||||
|
}).fail(function (tokenXhr) {
|
||||||
|
if (tokenXhr.status === 400) {
|
||||||
|
// no credentials supplied so 400 must be due to an invalid/expired token
|
||||||
|
logout();
|
||||||
|
}
|
||||||
|
|
||||||
// no token granted, user needs to login with their credentials
|
// no token granted, user needs to login with their credentials
|
||||||
needsLogin = true;
|
needsLogin = true;
|
||||||
}).always(function () {
|
}).always(function () {
|
||||||
|
|
|
@ -0,0 +1,32 @@
|
||||||
|
<?xml version="1.0" encoding="UTF-8"?>
|
||||||
|
<!--
|
||||||
|
Licensed to the Apache Software Foundation (ASF) under one or more
|
||||||
|
contributor license agreements. See the NOTICE file distributed with
|
||||||
|
this work for additional information regarding copyright ownership.
|
||||||
|
The ASF licenses this file to You under the Apache License, Version 2.0
|
||||||
|
(the "License"); you may not use this file except in compliance with
|
||||||
|
the License. You may obtain a copy of the License at
|
||||||
|
http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
Unless required by applicable law or agreed to in writing, software
|
||||||
|
distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
See the License for the specific language governing permissions and
|
||||||
|
limitations under the License.
|
||||||
|
-->
|
||||||
|
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
|
||||||
|
<modelVersion>4.0.0</modelVersion>
|
||||||
|
<parent>
|
||||||
|
<groupId>org.apache.nifi</groupId>
|
||||||
|
<artifactId>nifi-ldap-iaa-providers-bundle</artifactId>
|
||||||
|
<version>0.3.1-SNAPSHOT</version>
|
||||||
|
</parent>
|
||||||
|
<artifactId>nifi-ldap-iaa-providers-nar</artifactId>
|
||||||
|
<packaging>nar</packaging>
|
||||||
|
<dependencies>
|
||||||
|
<dependency>
|
||||||
|
<groupId>org.apache.nifi</groupId>
|
||||||
|
<artifactId>nifi-ldap-iaa-providers</artifactId>
|
||||||
|
</dependency>
|
||||||
|
</dependencies>
|
||||||
|
<name>nifi-ldap-iaa-providers-nar</name>
|
||||||
|
</project>
|
|
@ -0,0 +1,56 @@
|
||||||
|
<?xml version="1.0" encoding="UTF-8"?>
|
||||||
|
<!--
|
||||||
|
Licensed to the Apache Software Foundation (ASF) under one or more
|
||||||
|
contributor license agreements. See the NOTICE file distributed with
|
||||||
|
this work for additional information regarding copyright ownership.
|
||||||
|
The ASF licenses this file to You under the Apache License, Version 2.0
|
||||||
|
(the "License"); you may not use this file except in compliance with
|
||||||
|
the License. You may obtain a copy of the License at
|
||||||
|
http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
Unless required by applicable law or agreed to in writing, software
|
||||||
|
distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
See the License for the specific language governing permissions and
|
||||||
|
limitations under the License.
|
||||||
|
-->
|
||||||
|
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
|
||||||
|
<modelVersion>4.0.0</modelVersion>
|
||||||
|
<parent>
|
||||||
|
<groupId>org.apache.nifi</groupId>
|
||||||
|
<artifactId>nifi-ldap-iaa-providers-bundle</artifactId>
|
||||||
|
<version>0.3.1-SNAPSHOT</version>
|
||||||
|
</parent>
|
||||||
|
<artifactId>nifi-ldap-iaa-providers</artifactId>
|
||||||
|
<packaging>jar</packaging>
|
||||||
|
<dependencies>
|
||||||
|
<dependency>
|
||||||
|
<groupId>org.apache.nifi</groupId>
|
||||||
|
<artifactId>nifi-api</artifactId>
|
||||||
|
</dependency>
|
||||||
|
<dependency>
|
||||||
|
<groupId>org.apache.nifi</groupId>
|
||||||
|
<artifactId>nifi-security-utils</artifactId>
|
||||||
|
</dependency>
|
||||||
|
<dependency>
|
||||||
|
<groupId>org.springframework.security</groupId>
|
||||||
|
<artifactId>spring-security-ldap</artifactId>
|
||||||
|
</dependency>
|
||||||
|
<dependency>
|
||||||
|
<groupId>org.springframework</groupId>
|
||||||
|
<artifactId>spring-beans</artifactId>
|
||||||
|
</dependency>
|
||||||
|
<dependency>
|
||||||
|
<groupId>org.springframework</groupId>
|
||||||
|
<artifactId>spring-context</artifactId>
|
||||||
|
</dependency>
|
||||||
|
<dependency>
|
||||||
|
<groupId>org.springframework</groupId>
|
||||||
|
<artifactId>spring-tx</artifactId>
|
||||||
|
</dependency>
|
||||||
|
<dependency>
|
||||||
|
<groupId>org.apache.commons</groupId>
|
||||||
|
<artifactId>commons-lang3</artifactId>
|
||||||
|
</dependency>
|
||||||
|
</dependencies>
|
||||||
|
<name>nifi-ldap-iaa-providers</name>
|
||||||
|
</project>
|
|
@ -0,0 +1,80 @@
|
||||||
|
/*
|
||||||
|
* Licensed to the Apache Software Foundation (ASF) under one or more
|
||||||
|
* contributor license agreements. See the NOTICE file distributed with
|
||||||
|
* this work for additional information regarding copyright ownership.
|
||||||
|
* The ASF licenses this file to You under the Apache License, Version 2.0
|
||||||
|
* (the "License"); you may not use this file except in compliance with
|
||||||
|
* the License. You may obtain a copy of the License at
|
||||||
|
*
|
||||||
|
* http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
*
|
||||||
|
* Unless required by applicable law or agreed to in writing, software
|
||||||
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
* See the License for the specific language governing permissions and
|
||||||
|
* limitations under the License.
|
||||||
|
*/
|
||||||
|
package org.apache.nifi.ldap;
|
||||||
|
|
||||||
|
import org.apache.commons.lang3.StringUtils;
|
||||||
|
import org.apache.nifi.authentication.LoginCredentials;
|
||||||
|
import org.apache.nifi.authentication.LoginIdentityProvider;
|
||||||
|
import org.apache.nifi.authentication.LoginIdentityProviderConfigurationContext;
|
||||||
|
import org.apache.nifi.authentication.LoginIdentityProviderInitializationContext;
|
||||||
|
import org.apache.nifi.authentication.exception.IdentityAccessException;
|
||||||
|
import org.apache.nifi.authentication.exception.InvalidLoginCredentialsException;
|
||||||
|
import org.apache.nifi.authorization.exception.ProviderCreationException;
|
||||||
|
import org.apache.nifi.authorization.exception.ProviderDestructionException;
|
||||||
|
import org.slf4j.Logger;
|
||||||
|
import org.slf4j.LoggerFactory;
|
||||||
|
import org.springframework.security.authentication.AuthenticationServiceException;
|
||||||
|
import org.springframework.security.authentication.BadCredentialsException;
|
||||||
|
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
|
||||||
|
import org.springframework.security.ldap.authentication.AbstractLdapAuthenticationProvider;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Abstract LDAP based implementation of a login identity provider.
|
||||||
|
*/
|
||||||
|
public abstract class AbstractLdapProvider implements LoginIdentityProvider {
|
||||||
|
|
||||||
|
private static final Logger logger = LoggerFactory.getLogger(AbstractLdapProvider.class);
|
||||||
|
|
||||||
|
private AbstractLdapAuthenticationProvider provider;
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public final void initialize(final LoginIdentityProviderInitializationContext initializationContext) throws ProviderCreationException {
|
||||||
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public final void onConfigured(final LoginIdentityProviderConfigurationContext configurationContext) throws ProviderCreationException {
|
||||||
|
System.out.println(Thread.currentThread().getContextClassLoader());
|
||||||
|
provider = getLdapAuthenticationProvider(configurationContext);
|
||||||
|
}
|
||||||
|
|
||||||
|
protected abstract AbstractLdapAuthenticationProvider getLdapAuthenticationProvider(LoginIdentityProviderConfigurationContext configurationContext) throws ProviderCreationException;
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public final void authenticate(final LoginCredentials credentials) throws InvalidLoginCredentialsException, IdentityAccessException {
|
||||||
|
if (provider == null) {
|
||||||
|
throw new IdentityAccessException("The LDAP authentication provider is not initialized.");
|
||||||
|
}
|
||||||
|
|
||||||
|
try {
|
||||||
|
final UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken(credentials.getUsername(), credentials.getPassword());
|
||||||
|
provider.authenticate(token);
|
||||||
|
} catch (final AuthenticationServiceException ase) {
|
||||||
|
logger.error(ase.getMessage());
|
||||||
|
if (logger.isDebugEnabled()) {
|
||||||
|
logger.debug(StringUtils.EMPTY, ase);
|
||||||
|
}
|
||||||
|
throw new IdentityAccessException("Unable to query the configured directory server. See the logs for additional details.", ase);
|
||||||
|
} catch (final BadCredentialsException bce) {
|
||||||
|
throw new InvalidLoginCredentialsException(bce.getMessage(), bce);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public final void preDestruction() throws ProviderDestructionException {
|
||||||
|
}
|
||||||
|
|
||||||
|
}
|
|
@ -0,0 +1,46 @@
|
||||||
|
/*
|
||||||
|
* Licensed to the Apache Software Foundation (ASF) under one or more
|
||||||
|
* contributor license agreements. See the NOTICE file distributed with
|
||||||
|
* this work for additional information regarding copyright ownership.
|
||||||
|
* The ASF licenses this file to You under the Apache License, Version 2.0
|
||||||
|
* (the "License"); you may not use this file except in compliance with
|
||||||
|
* the License. You may obtain a copy of the License at
|
||||||
|
*
|
||||||
|
* http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
*
|
||||||
|
* Unless required by applicable law or agreed to in writing, software
|
||||||
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
* See the License for the specific language governing permissions and
|
||||||
|
* limitations under the License.
|
||||||
|
*/
|
||||||
|
package org.apache.nifi.ldap;
|
||||||
|
|
||||||
|
import org.apache.commons.lang3.StringUtils;
|
||||||
|
import org.apache.nifi.authentication.LoginIdentityProviderConfigurationContext;
|
||||||
|
import org.apache.nifi.authorization.exception.ProviderCreationException;
|
||||||
|
import org.springframework.security.ldap.authentication.AbstractLdapAuthenticationProvider;
|
||||||
|
import org.springframework.security.ldap.authentication.ad.ActiveDirectoryLdapAuthenticationProvider;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Active Directory based implementation of a login identity provider.
|
||||||
|
*/
|
||||||
|
public class ActiveDirectoryProvider extends AbstractLdapProvider {
|
||||||
|
|
||||||
|
@Override
|
||||||
|
protected AbstractLdapAuthenticationProvider getLdapAuthenticationProvider(LoginIdentityProviderConfigurationContext configurationContext) throws ProviderCreationException {
|
||||||
|
final String domain = configurationContext.getProperty("Domain");
|
||||||
|
if (StringUtils.isBlank(domain)) {
|
||||||
|
throw new ProviderCreationException("The Active Directory Domain must be specified.");
|
||||||
|
}
|
||||||
|
|
||||||
|
final String url = configurationContext.getProperty("Url");
|
||||||
|
if (StringUtils.isBlank(url)) {
|
||||||
|
throw new ProviderCreationException("The Active Directory Url must be specified.");
|
||||||
|
}
|
||||||
|
|
||||||
|
final String rootDn = configurationContext.getProperty("Root DN");
|
||||||
|
|
||||||
|
return new ActiveDirectoryLdapAuthenticationProvider(domain, url, StringUtils.isBlank(rootDn) ? null : rootDn);
|
||||||
|
}
|
||||||
|
}
|
|
@ -0,0 +1,27 @@
|
||||||
|
/*
|
||||||
|
* Licensed to the Apache Software Foundation (ASF) under one or more
|
||||||
|
* contributor license agreements. See the NOTICE file distributed with
|
||||||
|
* this work for additional information regarding copyright ownership.
|
||||||
|
* The ASF licenses this file to You under the Apache License, Version 2.0
|
||||||
|
* (the "License"); you may not use this file except in compliance with
|
||||||
|
* the License. You may obtain a copy of the License at
|
||||||
|
*
|
||||||
|
* http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
*
|
||||||
|
* Unless required by applicable law or agreed to in writing, software
|
||||||
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
* See the License for the specific language governing permissions and
|
||||||
|
* limitations under the License.
|
||||||
|
*/
|
||||||
|
package org.apache.nifi.ldap;
|
||||||
|
|
||||||
|
/**
|
||||||
|
*
|
||||||
|
*/
|
||||||
|
public enum LdapAuthenticationStrategy {
|
||||||
|
ANONYMOUS,
|
||||||
|
SIMPLE,
|
||||||
|
DIGEST_MD5,
|
||||||
|
TLS
|
||||||
|
}
|
|
@ -0,0 +1,151 @@
|
||||||
|
/*
|
||||||
|
* Licensed to the Apache Software Foundation (ASF) under one or more
|
||||||
|
* contributor license agreements. See the NOTICE file distributed with
|
||||||
|
* this work for additional information regarding copyright ownership.
|
||||||
|
* The ASF licenses this file to You under the Apache License, Version 2.0
|
||||||
|
* (the "License"); you may not use this file except in compliance with
|
||||||
|
* the License. You may obtain a copy of the License at
|
||||||
|
*
|
||||||
|
* http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
*
|
||||||
|
* Unless required by applicable law or agreed to in writing, software
|
||||||
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
* See the License for the specific language governing permissions and
|
||||||
|
* limitations under the License.
|
||||||
|
*/
|
||||||
|
package org.apache.nifi.ldap;
|
||||||
|
|
||||||
|
import java.io.IOException;
|
||||||
|
import java.security.KeyManagementException;
|
||||||
|
import java.security.KeyStoreException;
|
||||||
|
import java.security.NoSuchAlgorithmException;
|
||||||
|
import java.security.UnrecoverableKeyException;
|
||||||
|
import java.security.cert.CertificateException;
|
||||||
|
import javax.net.ssl.SSLContext;
|
||||||
|
import org.apache.commons.lang3.StringUtils;
|
||||||
|
import org.apache.nifi.authentication.LoginIdentityProviderConfigurationContext;
|
||||||
|
import org.apache.nifi.authorization.exception.ProviderCreationException;
|
||||||
|
import org.apache.nifi.security.util.SslContextFactory;
|
||||||
|
import org.apache.nifi.security.util.SslContextFactory.ClientAuth;
|
||||||
|
import org.springframework.ldap.core.support.AbstractTlsDirContextAuthenticationStrategy;
|
||||||
|
import org.springframework.ldap.core.support.DefaultTlsDirContextAuthenticationStrategy;
|
||||||
|
import org.springframework.ldap.core.support.DigestMd5DirContextAuthenticationStrategy;
|
||||||
|
import org.springframework.ldap.core.support.LdapContextSource;
|
||||||
|
import org.springframework.ldap.core.support.SimpleDirContextAuthenticationStrategy;
|
||||||
|
import org.springframework.security.ldap.authentication.AbstractLdapAuthenticationProvider;
|
||||||
|
import org.springframework.security.ldap.authentication.BindAuthenticator;
|
||||||
|
import org.springframework.security.ldap.authentication.LdapAuthenticationProvider;
|
||||||
|
import org.springframework.security.ldap.search.FilterBasedLdapUserSearch;
|
||||||
|
import org.springframework.security.ldap.search.LdapUserSearch;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* LDAP based implementation of a login identity provider.
|
||||||
|
*/
|
||||||
|
public class LdapProvider extends AbstractLdapProvider {
|
||||||
|
|
||||||
|
@Override
|
||||||
|
protected AbstractLdapAuthenticationProvider getLdapAuthenticationProvider(LoginIdentityProviderConfigurationContext configurationContext) throws ProviderCreationException {
|
||||||
|
final LdapContextSource context = new LdapContextSource();
|
||||||
|
|
||||||
|
final String rawAuthenticationStrategy = configurationContext.getProperty("Authentication Strategy");
|
||||||
|
final LdapAuthenticationStrategy authenticationStrategy;
|
||||||
|
try {
|
||||||
|
authenticationStrategy = LdapAuthenticationStrategy.valueOf(rawAuthenticationStrategy);
|
||||||
|
} catch (final IllegalArgumentException iae) {
|
||||||
|
throw new ProviderCreationException(String.format("Unrecgonized authentication strategy '%s'", rawAuthenticationStrategy));
|
||||||
|
}
|
||||||
|
|
||||||
|
switch (authenticationStrategy) {
|
||||||
|
case ANONYMOUS:
|
||||||
|
context.setAnonymousReadOnly(true);
|
||||||
|
break;
|
||||||
|
default:
|
||||||
|
final String userDn = configurationContext.getProperty("Bind DN");
|
||||||
|
final String password = configurationContext.getProperty("Bind Password");
|
||||||
|
|
||||||
|
context.setUserDn(userDn);
|
||||||
|
context.setPassword(password);
|
||||||
|
|
||||||
|
switch (authenticationStrategy) {
|
||||||
|
case SIMPLE:
|
||||||
|
context.setAuthenticationStrategy(new SimpleDirContextAuthenticationStrategy());
|
||||||
|
break;
|
||||||
|
case DIGEST_MD5:
|
||||||
|
context.setAuthenticationStrategy(new DigestMd5DirContextAuthenticationStrategy());
|
||||||
|
break;
|
||||||
|
case TLS:
|
||||||
|
final AbstractTlsDirContextAuthenticationStrategy tlsAuthenticationStrategy = new DefaultTlsDirContextAuthenticationStrategy();
|
||||||
|
|
||||||
|
// shutdown gracefully
|
||||||
|
final String rawShutdownGracefully = configurationContext.getProperty("TLS - Shutdown Gracefully");
|
||||||
|
if (StringUtils.isNotBlank(rawShutdownGracefully)) {
|
||||||
|
final boolean shutdownGracefully = Boolean.TRUE.toString().equalsIgnoreCase(rawShutdownGracefully);
|
||||||
|
tlsAuthenticationStrategy.setShutdownTlsGracefully(shutdownGracefully);
|
||||||
|
}
|
||||||
|
|
||||||
|
final String rawKeystore = configurationContext.getProperty("TLS - Keystore");
|
||||||
|
final String rawKeystorePassword = configurationContext.getProperty("TLS - Keystore Password");
|
||||||
|
final String rawKeystoreType = configurationContext.getProperty("TLS - Keystore Type");
|
||||||
|
final String rawTruststore = configurationContext.getProperty("TLS - Truststore");
|
||||||
|
final String rawTruststorePassword = configurationContext.getProperty("TLS - Truststore Password");
|
||||||
|
final String rawTruststoreType = configurationContext.getProperty("TLS - Truststore Type");
|
||||||
|
|
||||||
|
try {
|
||||||
|
final SSLContext sslContext;
|
||||||
|
if (StringUtils.isBlank(rawKeystore)) {
|
||||||
|
sslContext = SslContextFactory.createTrustSslContext(rawTruststore, rawTruststorePassword.toCharArray(), rawTruststoreType, "TLS");
|
||||||
|
} else {
|
||||||
|
if (StringUtils.isBlank(rawTruststore)) {
|
||||||
|
sslContext = SslContextFactory.createSslContext(rawKeystore, rawKeystorePassword.toCharArray(), rawKeystoreType, "TLS");
|
||||||
|
} else {
|
||||||
|
sslContext = SslContextFactory.createSslContext(rawKeystore, rawKeystorePassword.toCharArray(), rawKeystoreType,
|
||||||
|
rawTruststore, rawTruststorePassword.toCharArray(), rawTruststoreType, ClientAuth.REQUIRED, "TLS");
|
||||||
|
}
|
||||||
|
}
|
||||||
|
tlsAuthenticationStrategy.setSslSocketFactory(sslContext.getSocketFactory());
|
||||||
|
} catch (final KeyStoreException | NoSuchAlgorithmException | CertificateException | UnrecoverableKeyException | KeyManagementException | IOException e) {
|
||||||
|
throw new ProviderCreationException(e.getMessage(), e);
|
||||||
|
}
|
||||||
|
|
||||||
|
context.setAuthenticationStrategy(tlsAuthenticationStrategy);
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
|
||||||
|
final String url = configurationContext.getProperty("Url");
|
||||||
|
|
||||||
|
if (StringUtils.isBlank(url)) {
|
||||||
|
throw new ProviderCreationException("LDAP identity provider 'Url' must be specified.");
|
||||||
|
}
|
||||||
|
|
||||||
|
// connection
|
||||||
|
context.setUrl(url);
|
||||||
|
|
||||||
|
final String userSearchBase = configurationContext.getProperty("User Search Base");
|
||||||
|
final String userSearchFilter = configurationContext.getProperty("User Search Filter");
|
||||||
|
|
||||||
|
if (StringUtils.isBlank(userSearchBase) || StringUtils.isBlank(userSearchFilter)) {
|
||||||
|
throw new ProviderCreationException("LDAP identity provider 'User Search Base' and 'User Search Filter' must be specified.");
|
||||||
|
}
|
||||||
|
|
||||||
|
// query
|
||||||
|
final LdapUserSearch userSearch = new FilterBasedLdapUserSearch(userSearchBase, userSearchFilter, context);
|
||||||
|
|
||||||
|
// bind vs password?
|
||||||
|
final BindAuthenticator authenticator = new BindAuthenticator(context);
|
||||||
|
authenticator.setUserSearch(userSearch);
|
||||||
|
|
||||||
|
try {
|
||||||
|
// handling initializing beans
|
||||||
|
context.afterPropertiesSet();
|
||||||
|
authenticator.afterPropertiesSet();
|
||||||
|
} catch (final Exception e) {
|
||||||
|
throw new ProviderCreationException(e.getMessage(), e);
|
||||||
|
}
|
||||||
|
|
||||||
|
// create the underlying provider
|
||||||
|
return new LdapAuthenticationProvider(authenticator);
|
||||||
|
}
|
||||||
|
}
|
|
@ -0,0 +1,16 @@
|
||||||
|
# Licensed to the Apache Software Foundation (ASF) under one or more
|
||||||
|
# contributor license agreements. See the NOTICE file distributed with
|
||||||
|
# this work for additional information regarding copyright ownership.
|
||||||
|
# The ASF licenses this file to You under the Apache License, Version 2.0
|
||||||
|
# (the "License"); you may not use this file except in compliance with
|
||||||
|
# the License. You may obtain a copy of the License at
|
||||||
|
#
|
||||||
|
# http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
#
|
||||||
|
# Unless required by applicable law or agreed to in writing, software
|
||||||
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
# See the License for the specific language governing permissions and
|
||||||
|
# limitations under the License.
|
||||||
|
org.apache.nifi.ldap.LdapProvider
|
||||||
|
org.apache.nifi.ldap.ActiveDirectoryProvider
|
|
@ -0,0 +1,38 @@
|
||||||
|
<?xml version="1.0" encoding="UTF-8"?>
|
||||||
|
<!--
|
||||||
|
Licensed to the Apache Software Foundation (ASF) under one or more
|
||||||
|
contributor license agreements. See the NOTICE file distributed with
|
||||||
|
this work for additional information regarding copyright ownership.
|
||||||
|
The ASF licenses this file to You under the Apache License, Version 2.0
|
||||||
|
(the "License"); you may not use this file except in compliance with
|
||||||
|
the License. You may obtain a copy of the License at
|
||||||
|
http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
Unless required by applicable law or agreed to in writing, software
|
||||||
|
distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
See the License for the specific language governing permissions and
|
||||||
|
limitations under the License.
|
||||||
|
-->
|
||||||
|
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
|
||||||
|
<modelVersion>4.0.0</modelVersion>
|
||||||
|
<parent>
|
||||||
|
<groupId>org.apache.nifi</groupId>
|
||||||
|
<artifactId>nifi-nar-bundles</artifactId>
|
||||||
|
<version>0.3.1-SNAPSHOT</version>
|
||||||
|
</parent>
|
||||||
|
<artifactId>nifi-ldap-iaa-providers-bundle</artifactId>
|
||||||
|
<packaging>pom</packaging>
|
||||||
|
<modules>
|
||||||
|
<module>nifi-ldap-iaa-providers</module>
|
||||||
|
<module>nifi-ldap-iaa-providers-nar</module>
|
||||||
|
</modules>
|
||||||
|
<dependencyManagement>
|
||||||
|
<dependencies>
|
||||||
|
<dependency>
|
||||||
|
<groupId>org.apache.nifi</groupId>
|
||||||
|
<artifactId>nifi-ldap-iaa-providers</artifactId>
|
||||||
|
<version>0.3.1-SNAPSHOT</version>
|
||||||
|
</dependency>
|
||||||
|
</dependencies>
|
||||||
|
</dependencyManagement>
|
||||||
|
</project>
|
|
@ -46,6 +46,7 @@
|
||||||
<module>nifi-image-bundle</module>
|
<module>nifi-image-bundle</module>
|
||||||
<module>nifi-avro-bundle</module>
|
<module>nifi-avro-bundle</module>
|
||||||
<module>nifi-couchbase-bundle</module>
|
<module>nifi-couchbase-bundle</module>
|
||||||
|
<module>nifi-ldap-iaa-providers-bundle</module>
|
||||||
</modules>
|
</modules>
|
||||||
<dependencyManagement>
|
<dependencyManagement>
|
||||||
<dependencies>
|
<dependencies>
|
||||||
|
|
67
pom.xml
67
pom.xml
|
@ -1,14 +1,14 @@
|
||||||
<?xml version="1.0" encoding="UTF-8"?>
|
<?xml version="1.0" encoding="UTF-8"?>
|
||||||
<!-- Licensed to the Apache Software Foundation (ASF) under one or more contributor
|
<!-- Licensed to the Apache Software Foundation (ASF) under one or more contributor
|
||||||
license agreements. See the NOTICE file distributed with this work for additional
|
license agreements. See the NOTICE file distributed with this work for additional
|
||||||
information regarding copyright ownership. The ASF licenses this file to
|
information regarding copyright ownership. The ASF licenses this file to
|
||||||
You under the Apache License, Version 2.0 (the "License"); you may not use
|
You under the Apache License, Version 2.0 (the "License"); you may not use
|
||||||
this file except in compliance with the License. You may obtain a copy of
|
this file except in compliance with the License. You may obtain a copy of
|
||||||
the License at http://www.apache.org/licenses/LICENSE-2.0 Unless required
|
the License at http://www.apache.org/licenses/LICENSE-2.0 Unless required
|
||||||
by applicable law or agreed to in writing, software distributed under the
|
by applicable law or agreed to in writing, software distributed under the
|
||||||
License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS
|
License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS
|
||||||
OF ANY KIND, either express or implied. See the License for the specific
|
OF ANY KIND, either express or implied. See the License for the specific
|
||||||
language governing permissions and limitations under the License. -->
|
language governing permissions and limitations under the License. -->
|
||||||
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
|
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
|
||||||
<modelVersion>4.0.0</modelVersion>
|
<modelVersion>4.0.0</modelVersion>
|
||||||
<parent>
|
<parent>
|
||||||
|
@ -91,7 +91,7 @@
|
||||||
<jetty.version>9.2.11.v20150529</jetty.version>
|
<jetty.version>9.2.11.v20150529</jetty.version>
|
||||||
<lucene.version>4.10.4</lucene.version>
|
<lucene.version>4.10.4</lucene.version>
|
||||||
<spring.version>4.1.6.RELEASE</spring.version>
|
<spring.version>4.1.6.RELEASE</spring.version>
|
||||||
<spring.security.version>4.0.2.RELEASE</spring.security.version>
|
<spring.security.version>4.0.3.RELEASE</spring.security.version>
|
||||||
<jersey.version>1.19</jersey.version>
|
<jersey.version>1.19</jersey.version>
|
||||||
<hadoop.version>2.6.0</hadoop.version>
|
<hadoop.version>2.6.0</hadoop.version>
|
||||||
<yammer.metrics.version>2.2.0</yammer.metrics.version>
|
<yammer.metrics.version>2.2.0</yammer.metrics.version>
|
||||||
|
@ -251,8 +251,8 @@
|
||||||
<version>2.2.1</version>
|
<version>2.2.1</version>
|
||||||
<exclusions>
|
<exclusions>
|
||||||
<!-- | Exclude the quartz 2.2.1 bundled version of c3p0 because it is
|
<!-- | Exclude the quartz 2.2.1 bundled version of c3p0 because it is
|
||||||
lgpl licensed | We also don't use the JDBC related features of quartz for
|
lgpl licensed | We also don't use the JDBC related features of quartz for
|
||||||
which the dependency would matter -->
|
which the dependency would matter -->
|
||||||
<exclusion>
|
<exclusion>
|
||||||
<groupId>c3p0</groupId>
|
<groupId>c3p0</groupId>
|
||||||
<artifactId>c3p0</artifactId>
|
<artifactId>c3p0</artifactId>
|
||||||
|
@ -322,7 +322,7 @@
|
||||||
<version>${spring.version}</version>
|
<version>${spring.version}</version>
|
||||||
<exclusions>
|
<exclusions>
|
||||||
<!-- <artifactId>jcl-over-slf4j</artifactId> is used in dependencies
|
<!-- <artifactId>jcl-over-slf4j</artifactId> is used in dependencies
|
||||||
section -->
|
section -->
|
||||||
<exclusion>
|
<exclusion>
|
||||||
<groupId>commons-logging</groupId>
|
<groupId>commons-logging</groupId>
|
||||||
<artifactId>commons-logging</artifactId>
|
<artifactId>commons-logging</artifactId>
|
||||||
|
@ -464,6 +464,29 @@
|
||||||
</exclusion>
|
</exclusion>
|
||||||
</exclusions>
|
</exclusions>
|
||||||
</dependency>
|
</dependency>
|
||||||
|
<dependency>
|
||||||
|
<groupId>org.springframework.security</groupId>
|
||||||
|
<artifactId>spring-security-ldap</artifactId>
|
||||||
|
<version>${spring.security.version}</version>
|
||||||
|
<exclusions>
|
||||||
|
<exclusion>
|
||||||
|
<groupId>org.springframework</groupId>
|
||||||
|
<artifactId>spring-core</artifactId>
|
||||||
|
</exclusion>
|
||||||
|
<exclusion>
|
||||||
|
<groupId>org.springframework</groupId>
|
||||||
|
<artifactId>spring-beans</artifactId>
|
||||||
|
</exclusion>
|
||||||
|
<exclusion>
|
||||||
|
<groupId>org.springframework</groupId>
|
||||||
|
<artifactId>spring-context</artifactId>
|
||||||
|
</exclusion>
|
||||||
|
<exclusion>
|
||||||
|
<groupId>org.springframework</groupId>
|
||||||
|
<artifactId>spring-tx</artifactId>
|
||||||
|
</exclusion>
|
||||||
|
</exclusions>
|
||||||
|
</dependency>
|
||||||
<dependency>
|
<dependency>
|
||||||
<groupId>org.aspectj</groupId>
|
<groupId>org.aspectj</groupId>
|
||||||
<artifactId>aspectjweaver</artifactId>
|
<artifactId>aspectjweaver</artifactId>
|
||||||
|
@ -912,6 +935,12 @@
|
||||||
<version>0.3.1-SNAPSHOT</version>
|
<version>0.3.1-SNAPSHOT</version>
|
||||||
<type>nar</type>
|
<type>nar</type>
|
||||||
</dependency>
|
</dependency>
|
||||||
|
<dependency>
|
||||||
|
<groupId>org.apache.nifi</groupId>
|
||||||
|
<artifactId>nifi-ldap-iaa-providers-nar</artifactId>
|
||||||
|
<version>0.3.1-SNAPSHOT</version>
|
||||||
|
<type>nar</type>
|
||||||
|
</dependency>
|
||||||
<dependency>
|
<dependency>
|
||||||
<groupId>org.apache.nifi</groupId>
|
<groupId>org.apache.nifi</groupId>
|
||||||
<artifactId>nifi-properties</artifactId>
|
<artifactId>nifi-properties</artifactId>
|
||||||
|
@ -1189,7 +1218,7 @@
|
||||||
<module name="OuterTypeFilename" />
|
<module name="OuterTypeFilename" />
|
||||||
<module name="LineLength">
|
<module name="LineLength">
|
||||||
<!-- needs extra, because Eclipse formatter ignores the ending left
|
<!-- needs extra, because Eclipse formatter ignores the ending left
|
||||||
brace -->
|
brace -->
|
||||||
<property name="max" value="200" />
|
<property name="max" value="200" />
|
||||||
<property name="ignorePattern" value="^package.*|^import.*|a href|href|http://|https://|ftp://" />
|
<property name="ignorePattern" value="^package.*|^import.*|a href|href|http://|https://|ftp://" />
|
||||||
</module>
|
</module>
|
||||||
|
@ -1279,11 +1308,11 @@
|
||||||
<profiles>
|
<profiles>
|
||||||
<profile>
|
<profile>
|
||||||
<!-- Checks style and licensing requirements. This is a good idea to run
|
<!-- Checks style and licensing requirements. This is a good idea to run
|
||||||
for contributions and for the release process. While it would be nice to
|
for contributions and for the release process. While it would be nice to
|
||||||
run always these plugins can considerably slow the build and have proven
|
run always these plugins can considerably slow the build and have proven
|
||||||
to create unstable builds in our multi-module project and when building using
|
to create unstable builds in our multi-module project and when building using
|
||||||
multiple threads. The stability issues seen with Checkstyle in multi-module
|
multiple threads. The stability issues seen with Checkstyle in multi-module
|
||||||
builds include false-positives and false negatives. -->
|
builds include false-positives and false negatives. -->
|
||||||
<id>contrib-check</id>
|
<id>contrib-check</id>
|
||||||
<build>
|
<build>
|
||||||
<plugins>
|
<plugins>
|
||||||
|
|
Loading…
Reference in New Issue