From de1d26d8bfc17a762124c89751db8842004f4299 Mon Sep 17 00:00:00 2001
From: Justin Rittenhouse
Date: Thu, 10 Nov 2022 22:06:46 -0500
Subject: [PATCH] NIFI-10799 Add OIDC to Docker images for NiFi and NiFi Registry

This closes #6651

Signed-off-by: David Handermann
---
 nifi-docker/dockerhub/sh/start.sh | 6 +++++
 .../dockerhub/sh/update_oidc_properties.sh | 27 +++++++++++++++++++
 .../dockerhub/sh/start.sh | 8 +++++-
 .../dockerhub/sh/update_oidc_properties.sh | 27 +++++++++++++++++++
 .../dockermaven/sh/start.sh | 9 ++++++-
 .../dockermaven/sh/update_oidc_properties.sh | 27 +++++++++++++++++++
 6 files changed, 102 insertions(+), 2 deletions(-)
 create mode 100644 nifi-docker/dockerhub/sh/update_oidc_properties.sh
 create mode 100644 nifi-registry/nifi-registry-core/nifi-registry-docker/dockerhub/sh/update_oidc_properties.sh
 create mode 100644 nifi-registry/nifi-registry-docker-maven/dockermaven/sh/update_oidc_properties.sh

diff --git a/nifi-docker/dockerhub/sh/start.sh b/nifi-docker/dockerhub/sh/start.sh
index 4b377468ff..40b33a33ae 100755
--- a/nifi-docker/dockerhub/sh/start.sh
+++ b/nifi-docker/dockerhub/sh/start.sh
@@ -121,6 +121,12 @@ case ${AUTH} in
 . "${scripts_dir}/secure.sh"
 . "${scripts_dir}/update_login_providers.sh"
 ;;
+ oidc)
+ echo 'Enabling OIDC user authentication'
+
+ . "${scripts_dir}/secure.sh"
+ . "${scripts_dir}/update_oidc_properties.sh"
+ ;;
 esac
 # Continuously provide logs so that 'docker logs' can produce them
diff --git a/nifi-docker/dockerhub/sh/update_oidc_properties.sh b/nifi-docker/dockerhub/sh/update_oidc_properties.sh
new file mode 100644
index 0000000000..827a40edba
--- /dev/null
+++ b/nifi-docker/dockerhub/sh/update_oidc_properties.sh
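Review bot: The new `oidc)` arm sources secure.sh and update_oidc_properties.sh without first checking that the settings OIDC cannot work without are present, so a container started with `AUTH=oidc` but no `NIFI_SECURITY_USER_OIDC_DISCOVERY_URL` or `NIFI_SECURITY_USER_OIDC_CLIENT_ID` writes empty values into nifi.properties and presumably only fails later inside NiFi, with a less obvious error. A fail-fast guard as the first lines of the arm, `: "${NIFI_SECURITY_USER_OIDC_DISCOVERY_URL:?must be set when AUTH=oidc}"` and `: "${NIFI_SECURITY_USER_OIDC_CLIENT_ID:?must be set when AUTH=oidc}"`, is POSIX sh and reports the misconfiguration at the point it happens. The same applies to the `oidc)` arms added to the two nifi-registry start.sh files later in this patch, using the variable names those images read. The enclosing `case ${AUTH} in` starts outside the hunk.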
@@ -0,0 +1,27 @@
+#!/bin/sh -e
+
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+prop_replace 'nifi.security.user.oidc.discovery.url' "${NIFI_SECURITY_USER_OIDC_DISCOVERY_URL}"
+prop_replace 'nifi.security.user.oidc.connect.timeout' "${NIFI_SECURITY_USER_OIDC_CONNECT_TIMEOUT}"
+prop_replace 'nifi.security.user.oidc.read.timeout' "${NIFI_SECURITY_USER_OIDC_READ_TIMEOUT}"
+prop_replace 'nifi.security.user.oidc.client.id' "${NIFI_SECURITY_USER_OIDC_CLIENT_ID}"
+prop_replace 'nifi.security.user.oidc.client.secret' "${NIFI_SECURITY_USER_OIDC_CLIENT_SECRET}"
+prop_replace 'nifi.security.user.oidc.preferred.jwsalgorithm' "${NIFI_SECURITY_USER_OIDC_PREFERRED_JWSALGORITHM}"
+prop_replace 'nifi.security.user.oidc.additional.scopes' "${NIFI_SECURITY_USER_OIDC_ADDITIONAL_SCOPES}"
+prop_replace 'nifi.security.user.oidc.claim.identifying.user' "${NIFI_SECURITY_USER_OIDC_CLAIM_IDENTIFYING_USER}"
+prop_replace 'nifi.security.user.oidc.fallback.claims.identifying.user' "${NIFI_SECURITY_USER_OIDC_FALLBACK_CLAIMS_IDENTIFYING_USER}"
+prop_replace 'nifi.security.user.oidc.truststore.strategy' "${NIFI_SECURITY_USER_OIDC_TRUSTSTORE_STRATEGY}"
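Review bot: Every `prop_replace` call hands over the raw environment value, so a variable the operator leaves unset — the two timeouts, the JWS algorithm, the extra scopes, the two claim settings, the truststore strategy — replaces whatever default the shipped nifi.properties presumably carries for that key with an empty string instead of leaving the default in place. Only `discovery.url`, `client.id` and `client.secret` are genuinely required; the remaining seven should be written only when the variable is non-empty, which a small helper in this sourced file handles without repeating the test on every line (below). Two smaller points: if `prop_replace` is a sed-based substitution (its definition is not in this patch), a client secret containing the sed delimiter, `&` or a backslash is written corrupted or aborts the substitution, so the value needs escaping or the restriction needs documenting; and the `#!/bin/sh -e` shebang has no effect because start.sh sources this file with `.`, so a header comment such as `# Sourced by start.sh after secure.sh; relies on the prop_replace helper already defined by the caller` describes the contract better than the shebang does. The same applies to the two nifi-registry copies of this file in the following hunks.
```shell
# Sourced by start.sh after secure.sh; relies on the prop_replace helper
# already defined by the caller. Optional settings are written only when
# the variable is set, so the defaults shipped in nifi.properties survive
# an absent variable.
prop_replace_if_set() {
  if [ -n "$2" ]; then
    prop_replace "$1" "$2"
  fi
}

# … unchanged: discovery.url, client.id and client.secret stay unconditional …
prop_replace_if_set 'nifi.security.user.oidc.connect.timeout' "${NIFI_SECURITY_USER_OIDC_CONNECT_TIMEOUT}"
prop_replace_if_set 'nifi.security.user.oidc.read.timeout' "${NIFI_SECURITY_USER_OIDC_READ_TIMEOUT}"
# … same change for preferred.jwsalgorithm, additional.scopes, claim.identifying.user,
#    fallback.claims.identifying.user and truststore.strategy …
```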
diff --git a/nifi-registry/nifi-registry-core/nifi-registry-docker/dockerhub/sh/start.sh b/nifi-registry/nifi-registry-core/nifi-registry-docker/dockerhub/sh/start.sh
index c65f3ea926..eba4ef217e 100755
--- a/nifi-registry/nifi-registry-core/nifi-registry-docker/dockerhub/sh/start.sh
+++ b/nifi-registry/nifi-registry-core/nifi-registry-docker/dockerhub/sh/start.sh
@@ -40,6 +40,12 @@ case ${AUTH} in
 . "${scripts_dir}/secure.sh"
 . "${scripts_dir}/update_login_providers.sh"
 ;;
+ oidc)
+ echo 'Enabling OIDC user authentication'
+
+ . "${scripts_dir}/secure.sh"
+ . "${scripts_dir}/update_oidc_properties.sh"
+ ;;
 esac
 . "${scripts_dir}/update_flow_provider.sh"
@@ -53,4 +59,4 @@ nifi_registry_pid="$!"
 trap "echo Received trapped signal, beginning shutdown...;" KILL TERM HUP INT EXIT;
 echo NiFi-Registry running with PID ${nifi_registry_pid}.
-wait ${nifi_registry_pid}
\ No newline at end of file
+wait ${nifi_registry_pid}
diff --git a/nifi-registry/nifi-registry-core/nifi-registry-docker/dockerhub/sh/update_oidc_properties.sh b/nifi-registry/nifi-registry-core/nifi-registry-docker/dockerhub/sh/update_oidc_properties.sh
new file mode 100644
index 0000000000..827a40edba
--- /dev/null
+++ b/nifi-registry/nifi-registry-core/nifi-registry-docker/dockerhub/sh/update_oidc_properties.sh
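Review bot: The `oidc)` arm added here omits the `prop_replace 'nifi.registry.security.needClientAuth' 'false'` line that the same commit puts into the corresponding arm of nifi-registry-docker-maven/dockermaven/sh/start.sh, although both files start from the same blob (index c65f3ea926), so the difference looks accidental rather than deliberate. If needClientAuth stays at its existing value, a browser-based OIDC login would presumably be rejected for lacking a client certificate unless secure.sh already lowers it, and secure.sh is not in this patch, so that is unverified. Either add the same line before `. "${scripts_dir}/secure.sh"` or leave a one-line comment in the arm explaining why the Docker Hub registry image does not need it. The enclosing `case ${AUTH} in` starts outside the hunk.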
@@ -0,0 +1,27 @@
+#!/bin/sh -e
+
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+prop_replace 'nifi.security.user.oidc.discovery.url' "${NIFI_SECURITY_USER_OIDC_DISCOVERY_URL}"
+prop_replace 'nifi.security.user.oidc.connect.timeout' "${NIFI_SECURITY_USER_OIDC_CONNECT_TIMEOUT}"
+prop_replace 'nifi.security.user.oidc.read.timeout' "${NIFI_SECURITY_USER_OIDC_READ_TIMEOUT}"
+prop_replace 'nifi.security.user.oidc.client.id' "${NIFI_SECURITY_USER_OIDC_CLIENT_ID}"
+prop_replace 'nifi.security.user.oidc.client.secret' "${NIFI_SECURITY_USER_OIDC_CLIENT_SECRET}"
+prop_replace 'nifi.security.user.oidc.preferred.jwsalgorithm' "${NIFI_SECURITY_USER_OIDC_PREFERRED_JWSALGORITHM}"
+prop_replace 'nifi.security.user.oidc.additional.scopes' "${NIFI_SECURITY_USER_OIDC_ADDITIONAL_SCOPES}"
+prop_replace 'nifi.security.user.oidc.claim.identifying.user' "${NIFI_SECURITY_USER_OIDC_CLAIM_IDENTIFYING_USER}"
+prop_replace 'nifi.security.user.oidc.fallback.claims.identifying.user' "${NIFI_SECURITY_USER_OIDC_FALLBACK_CLAIMS_IDENTIFYING_USER}"
+prop_replace 'nifi.security.user.oidc.truststore.strategy' "${NIFI_SECURITY_USER_OIDC_TRUSTSTORE_STRATEGY}"
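Review bot: This registry copy is byte-identical to the nifi-docker one (both are blob 827a40edba), so it writes `nifi.security.user.oidc.*` keys and reads `NIFI_SECURITY_USER_OIDC_*` variables, whereas the registry's keys carry the `nifi.registry.` prefix — the same commit uses `nifi.registry.security.needClientAuth` in the registry start.sh and `nifi.registry.security.user.oidc.*` with `NIFI_REGISTRY_SECURITY_USER_OIDC_*` variables in the Maven-built registry image's version of this file. With `prop_replace` presumably matching on the exact key, none of these ten lines will touch nifi-registry.properties, so `AUTH=oidc` on the Docker Hub registry image silently leaves OIDC unconfigured, and an operator who sets the `NIFI_REGISTRY_…` variables documented for the Maven image gets no error either. The file should match nifi-registry-docker-maven/dockermaven/sh/update_oidc_properties.sh, i.e. `prop_replace 'nifi.registry.security.user.oidc.discovery.url' "${NIFI_REGISTRY_SECURITY_USER_OIDC_DISCOVERY_URL}"` for the first line and the same prefix change on the remaining nine.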
diff --git a/nifi-registry/nifi-registry-docker-maven/dockermaven/sh/start.sh b/nifi-registry/nifi-registry-docker-maven/dockermaven/sh/start.sh
index c65f3ea926..2703395516 100755
--- a/nifi-registry/nifi-registry-docker-maven/dockermaven/sh/start.sh
+++ b/nifi-registry/nifi-registry-docker-maven/dockermaven/sh/start.sh
@@ -40,6 +40,13 @@ case ${AUTH} in
 . "${scripts_dir}/secure.sh"
 . "${scripts_dir}/update_login_providers.sh"
 ;;
+ oidc)
+ echo 'Enabling OIDC user authentication'
+ prop_replace 'nifi.registry.security.needClientAuth' 'false'
+
+ . "${scripts_dir}/secure.sh"
+ . "${scripts_dir}/update_oidc_properties.sh"
+ ;;
 esac
 . "${scripts_dir}/update_flow_provider.sh"
@@ -53,4 +60,4 @@ nifi_registry_pid="$!"
 trap "echo Received trapped signal, beginning shutdown...;" KILL TERM HUP INT EXIT;
 echo NiFi-Registry running with PID ${nifi_registry_pid}.
-wait ${nifi_registry_pid}
\ No newline at end of file
+wait ${nifi_registry_pid}
diff --git a/nifi-registry/nifi-registry-docker-maven/dockermaven/sh/update_oidc_properties.sh b/nifi-registry/nifi-registry-docker-maven/dockermaven/sh/update_oidc_properties.sh
new file mode 100644
index 0000000000..77819f69c5
--- /dev/null
+++ b/nifi-registry/nifi-registry-docker-maven/dockermaven/sh/update_oidc_properties.sh
@@ -0,0 +1,27 @@
+#!/bin/sh -e
+
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+prop_replace 'nifi.registry.security.user.oidc.discovery.url' "${NIFI_REGISTRY_SECURITY_USER_OIDC_DISCOVERY_URL}"
+prop_replace 'nifi.registry.security.user.oidc.connect.timeout' "${NIFI_REGISTRY_SECURITY_USER_OIDC_CONNECT_TIMEOUT}"
+prop_replace 'nifi.registry.security.user.oidc.read.timeout' "${NIFI_REGISTRY_SECURITY_USER_OIDC_READ_TIMEOUT}"
+prop_replace 'nifi.registry.security.user.oidc.client.id' "${NIFI_REGISTRY_SECURITY_USER_OIDC_CLIENT_ID}"
+prop_replace 'nifi.registry.security.user.oidc.client.secret' "${NIFI_REGISTRY_SECURITY_USER_OIDC_CLIENT_SECRET}"
+prop_replace 'nifi.registry.security.user.oidc.preferred.jwsalgorithm' "${NIFI_REGISTRY_SECURITY_USER_OIDC_PREFERRED_JWSALGORITHM}"
+prop_replace 'nifi.registry.security.user.oidc.additional.scopes' "${NIFI_REGISTRY_SECURITY_USER_OIDC_ADDITIONAL_SCOPES}"
+prop_replace 'nifi.registry.security.user.oidc.claim.identifying.user' "${NIFI_REGISTRY_SECURITY_USER_OIDC_CLAIM_IDENTIFYING_USER}"
+prop_replace 'nifi.registry.security.user.oidc.fallback.claims.identifying.user' "${NIFI_REGISTRY_SECURITY_USER_OIDC_FALLBACK_CLAIMS_IDENTIFYING_USER}"
+prop_replace 'nifi.registry.security.user.oidc.truststore.strategy' "${NIFI_REGISTRY_SECURITY_USER_OIDC_TRUSTSTORE_STRATEGY}"