NIFI-10799 Add OIDC to Docker images for NiFi and NiFi Registry

This closes #6651

Signed-off-by: David Handermann <exceptionfactory@apache.org>
This commit is contained in:
Justin Rittenhouse 2022-11-10 22:06:46 -05:00 committed by exceptionfactory
parent 8807a9d377
commit de1d26d8bf
No known key found for this signature in database
GPG Key ID: 29B6A52D2AAE8DBA
6 changed files with 102 additions and 2 deletions

View File

@ -121,6 +121,12 @@ case ${AUTH} in
. "${scripts_dir}/secure.sh"
. "${scripts_dir}/update_login_providers.sh"
;;
oidc)
echo 'Enabling OIDC user authentication'
. "${scripts_dir}/secure.sh"
. "${scripts_dir}/update_oidc_properties.sh"
;;
esac
# Continuously provide logs so that 'docker logs' can produce them

View File

@ -0,0 +1,27 @@
#!/bin/sh -e
# Licensed to the Apache Software Foundation (ASF) under one or more
# contributor license agreements. See the NOTICE file distributed with
# this work for additional information regarding copyright ownership.
# The ASF licenses this file to You under the Apache License, Version 2.0
# (the "License"); you may not use this file except in compliance with
# the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
prop_replace 'nifi.security.user.oidc.discovery.url' "${NIFI_SECURITY_USER_OIDC_DISCOVERY_URL}"
prop_replace 'nifi.security.user.oidc.connect.timeout' "${NIFI_SECURITY_USER_OIDC_CONNECT_TIMEOUT}"
prop_replace 'nifi.security.user.oidc.read.timeout' "${NIFI_SECURITY_USER_OIDC_READ_TIMEOUT}"
prop_replace 'nifi.security.user.oidc.client.id' "${NIFI_SECURITY_USER_OIDC_CLIENT_ID}"
prop_replace 'nifi.security.user.oidc.client.secret' "${NIFI_SECURITY_USER_OIDC_CLIENT_SECRET}"
prop_replace 'nifi.security.user.oidc.preferred.jwsalgorithm' "${NIFI_SECURITY_USER_OIDC_PREFERRED_JWSALGORITHM}"
prop_replace 'nifi.security.user.oidc.additional.scopes' "${NIFI_SECURITY_USER_OIDC_ADDITIONAL_SCOPES}"
prop_replace 'nifi.security.user.oidc.claim.identifying.user' "${NIFI_SECURITY_USER_OIDC_CLAIM_IDENTIFYING_USER}"
prop_replace 'nifi.security.user.oidc.fallback.claims.identifying.user' "${NIFI_SECURITY_USER_OIDC_FALLBACK_CLAIMS_IDENTIFYING_USER}"
prop_replace 'nifi.security.user.oidc.truststore.strategy' "${NIFI_SECURITY_USER_OIDC_TRUSTSTORE_STRATEGY}"

View File

@ -40,6 +40,12 @@ case ${AUTH} in
. "${scripts_dir}/secure.sh"
. "${scripts_dir}/update_login_providers.sh"
;;
oidc)
echo 'Enabling OIDC user authentication'
. "${scripts_dir}/secure.sh"
. "${scripts_dir}/update_oidc_properties.sh"
;;
esac
. "${scripts_dir}/update_flow_provider.sh"
@ -53,4 +59,4 @@ nifi_registry_pid="$!"
trap "echo Received trapped signal, beginning shutdown...;" KILL TERM HUP INT EXIT;
echo NiFi-Registry running with PID ${nifi_registry_pid}.
wait ${nifi_registry_pid}
wait ${nifi_registry_pid}

View File

@ -0,0 +1,27 @@
#!/bin/sh -e
# Licensed to the Apache Software Foundation (ASF) under one or more
# contributor license agreements. See the NOTICE file distributed with
# this work for additional information regarding copyright ownership.
# The ASF licenses this file to You under the Apache License, Version 2.0
# (the "License"); you may not use this file except in compliance with
# the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
prop_replace 'nifi.security.user.oidc.discovery.url' "${NIFI_SECURITY_USER_OIDC_DISCOVERY_URL}"
prop_replace 'nifi.security.user.oidc.connect.timeout' "${NIFI_SECURITY_USER_OIDC_CONNECT_TIMEOUT}"
prop_replace 'nifi.security.user.oidc.read.timeout' "${NIFI_SECURITY_USER_OIDC_READ_TIMEOUT}"
prop_replace 'nifi.security.user.oidc.client.id' "${NIFI_SECURITY_USER_OIDC_CLIENT_ID}"
prop_replace 'nifi.security.user.oidc.client.secret' "${NIFI_SECURITY_USER_OIDC_CLIENT_SECRET}"
prop_replace 'nifi.security.user.oidc.preferred.jwsalgorithm' "${NIFI_SECURITY_USER_OIDC_PREFERRED_JWSALGORITHM}"
prop_replace 'nifi.security.user.oidc.additional.scopes' "${NIFI_SECURITY_USER_OIDC_ADDITIONAL_SCOPES}"
prop_replace 'nifi.security.user.oidc.claim.identifying.user' "${NIFI_SECURITY_USER_OIDC_CLAIM_IDENTIFYING_USER}"
prop_replace 'nifi.security.user.oidc.fallback.claims.identifying.user' "${NIFI_SECURITY_USER_OIDC_FALLBACK_CLAIMS_IDENTIFYING_USER}"
prop_replace 'nifi.security.user.oidc.truststore.strategy' "${NIFI_SECURITY_USER_OIDC_TRUSTSTORE_STRATEGY}"

View File

@ -40,6 +40,13 @@ case ${AUTH} in
. "${scripts_dir}/secure.sh"
. "${scripts_dir}/update_login_providers.sh"
;;
oidc)
echo 'Enabling OIDC user authentication'
prop_replace 'nifi.registry.security.needClientAuth' 'false'
. "${scripts_dir}/secure.sh"
. "${scripts_dir}/update_oidc_properties.sh"
;;
esac
. "${scripts_dir}/update_flow_provider.sh"
@ -53,4 +60,4 @@ nifi_registry_pid="$!"
trap "echo Received trapped signal, beginning shutdown...;" KILL TERM HUP INT EXIT;
echo NiFi-Registry running with PID ${nifi_registry_pid}.
wait ${nifi_registry_pid}
wait ${nifi_registry_pid}

View File

@ -0,0 +1,27 @@
#!/bin/sh -e
# Licensed to the Apache Software Foundation (ASF) under one or more
# contributor license agreements. See the NOTICE file distributed with
# this work for additional information regarding copyright ownership.
# The ASF licenses this file to You under the Apache License, Version 2.0
# (the "License"); you may not use this file except in compliance with
# the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
prop_replace 'nifi.registry.security.user.oidc.discovery.url' "${NIFI_REGISTRY_SECURITY_USER_OIDC_DISCOVERY_URL}"
prop_replace 'nifi.registry.security.user.oidc.connect.timeout' "${NIFI_REGISTRY_SECURITY_USER_OIDC_CONNECT_TIMEOUT}"
prop_replace 'nifi.registry.security.user.oidc.read.timeout' "${NIFI_REGISTRY_SECURITY_USER_OIDC_READ_TIMEOUT}"
prop_replace 'nifi.registry.security.user.oidc.client.id' "${NIFI_REGISTRY_SECURITY_USER_OIDC_CLIENT_ID}"
prop_replace 'nifi.registry.security.user.oidc.client.secret' "${NIFI_REGISTRY_SECURITY_USER_OIDC_CLIENT_SECRET}"
prop_replace 'nifi.registry.security.user.oidc.preferred.jwsalgorithm' "${NIFI_REGISTRY_SECURITY_USER_OIDC_PREFERRED_JWSALGORITHM}"
prop_replace 'nifi.registry.security.user.oidc.additional.scopes' "${NIFI_REGISTRY_SECURITY_USER_OIDC_ADDITIONAL_SCOPES}"
prop_replace 'nifi.registry.security.user.oidc.claim.identifying.user' "${NIFI_REGISTRY_SECURITY_USER_OIDC_CLAIM_IDENTIFYING_USER}"
prop_replace 'nifi.registry.security.user.oidc.fallback.claims.identifying.user' "${NIFI_REGISTRY_SECURITY_USER_OIDC_FALLBACK_CLAIMS_IDENTIFYING_USER}"
prop_replace 'nifi.registry.security.user.oidc.truststore.strategy' "${NIFI_REGISTRY_SECURITY_USER_OIDC_TRUSTSTORE_STRATEGY}"