mirror of https://github.com/apache/nifi.git
NIFI-10799 Add OIDC to Docker images for NiFi and NiFi Registry
This closes #6651 Signed-off-by: David Handermann <exceptionfactory@apache.org>
parent
8807a9d377
commit
de1d26d8bf
|
@ -121,6 +121,12 @@ case ${AUTH} in
|
||||||
. "${scripts_dir}/secure.sh"
|
. "${scripts_dir}/secure.sh"
|
||||||
. "${scripts_dir}/update_login_providers.sh"
|
. "${scripts_dir}/update_login_providers.sh"
|
||||||
;;
|
;;
|
||||||
|
oidc)
|
||||||
|
echo 'Enabling OIDC user authentication'
|
||||||
|
|
||||||
|
. "${scripts_dir}/secure.sh"
|
||||||
|
. "${scripts_dir}/update_oidc_properties.sh"
|
||||||
|
;;
|
||||||
esac
|
esac
|
||||||
|
|
||||||
# Continuously provide logs so that 'docker logs' can produce them
|
# Continuously provide logs so that 'docker logs' can produce them
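Review bot: The new `oidc)` arm does not say which inputs it depends on, although the script it sources reads ten `NIFI_SECURITY_USER_OIDC_*` variables and none of them is checked here. I would add a comment above the arm, for example `# oidc: needs NIFI_SECURITY_USER_OIDC_DISCOVERY_URL, _CLIENT_ID and _CLIENT_SECRET; see update_oidc_properties.sh for the optional settings`. The `case ${AUTH}` statement begins outside the hunk, so it is not visible whether an unrecognised AUTH value is rejected or silently ignored.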
|
||||||
|
|
|
@ -0,0 +1,27 @@
|
||||||
|
#!/bin/sh -e
|
||||||
|
|
||||||
|
# Licensed to the Apache Software Foundation (ASF) under one or more
|
||||||
|
# contributor license agreements. See the NOTICE file distributed with
|
||||||
|
# this work for additional information regarding copyright ownership.
|
||||||
|
# The ASF licenses this file to You under the Apache License, Version 2.0
|
||||||
|
# (the "License"); you may not use this file except in compliance with
|
||||||
|
# the License. You may obtain a copy of the License at
|
||||||
|
#
|
||||||
|
# http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
#
|
||||||
|
# Unless required by applicable law or agreed to in writing, software
|
||||||
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
# See the License for the specific language governing permissions and
|
||||||
|
# limitations under the License.
|
||||||
|
|
||||||
|
prop_replace 'nifi.security.user.oidc.discovery.url' "${NIFI_SECURITY_USER_OIDC_DISCOVERY_URL}"
|
||||||
|
prop_replace 'nifi.security.user.oidc.connect.timeout' "${NIFI_SECURITY_USER_OIDC_CONNECT_TIMEOUT}"
|
||||||
|
prop_replace 'nifi.security.user.oidc.read.timeout' "${NIFI_SECURITY_USER_OIDC_READ_TIMEOUT}"
|
||||||
|
prop_replace 'nifi.security.user.oidc.client.id' "${NIFI_SECURITY_USER_OIDC_CLIENT_ID}"
|
||||||
|
prop_replace 'nifi.security.user.oidc.client.secret' "${NIFI_SECURITY_USER_OIDC_CLIENT_SECRET}"
|
||||||
|
prop_replace 'nifi.security.user.oidc.preferred.jwsalgorithm' "${NIFI_SECURITY_USER_OIDC_PREFERRED_JWSALGORITHM}"
|
||||||
|
prop_replace 'nifi.security.user.oidc.additional.scopes' "${NIFI_SECURITY_USER_OIDC_ADDITIONAL_SCOPES}"
|
||||||
|
prop_replace 'nifi.security.user.oidc.claim.identifying.user' "${NIFI_SECURITY_USER_OIDC_CLAIM_IDENTIFYING_USER}"
|
||||||
|
prop_replace 'nifi.security.user.oidc.fallback.claims.identifying.user' "${NIFI_SECURITY_USER_OIDC_FALLBACK_CLAIMS_IDENTIFYING_USER}"
|
||||||
|
prop_replace 'nifi.security.user.oidc.truststore.strategy' "${NIFI_SECURITY_USER_OIDC_TRUSTSTORE_STRATEGY}"
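Review bot: Every `prop_replace` call in this new file runs unconditionally, so a variable the operator did not set is passed as an empty string. Assuming prop_replace writes whatever value it is given, that blanks the property, including any value the image shipped for the timeouts or the identifying claim. The `-e` on the shebang has no effect because start.sh loads this file with `.`. I would fail fast on the values OIDC presumably cannot work without, e.g. `: "${NIFI_SECURITY_USER_OIDC_DISCOVERY_URL:?}"` (likewise client id and secret), and guard the optional ones, e.g. `[ -z "${NIFI_SECURITY_USER_OIDC_CONNECT_TIMEOUT}" ] || prop_replace 'nifi.security.user.oidc.connect.timeout' "${NIFI_SECURITY_USER_OIDC_CONNECT_TIMEOUT}"`. The two other update_oidc_properties.sh files added further down follow the same pattern and need the same treatment.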
|
|
@ -40,6 +40,12 @@ case ${AUTH} in
|
||||||
. "${scripts_dir}/secure.sh"
|
. "${scripts_dir}/secure.sh"
|
||||||
. "${scripts_dir}/update_login_providers.sh"
|
. "${scripts_dir}/update_login_providers.sh"
|
||||||
;;
|
;;
|
||||||
|
oidc)
|
||||||
|
echo 'Enabling OIDC user authentication'
|
||||||
|
|
||||||
|
. "${scripts_dir}/secure.sh"
|
||||||
|
. "${scripts_dir}/update_oidc_properties.sh"
|
||||||
|
;;
|
||||||
esac
|
esac
|
||||||
|
|
||||||
. "${scripts_dir}/update_flow_provider.sh"
|
. "${scripts_dir}/update_flow_provider.sh"
|
||||||
|
@ -53,4 +59,4 @@ nifi_registry_pid="$!"
|
||||||
trap "echo Received trapped signal, beginning shutdown...;" KILL TERM HUP INT EXIT;
|
trap "echo Received trapped signal, beginning shutdown...;" KILL TERM HUP INT EXIT;
|
||||||
|
|
||||||
echo NiFi-Registry running with PID ${nifi_registry_pid}.
|
echo NiFi-Registry running with PID ${nifi_registry_pid}.
|
||||||
wait ${nifi_registry_pid}
|
wait ${nifi_registry_pid}
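Review bot: The `oidc)` arm added in the first hunk of this file goes straight to `. "${scripts_dir}/secure.sh"`, while the other NiFi Registry start script changed later in this commit first runs `prop_replace 'nifi.registry.security.needClientAuth' 'false'`. If the secured configuration leaves client certificates mandatory, a browser user without a certificate would presumably be refused at the TLS handshake before reaching the OIDC login. Either add the same line here or note in a comment why this image does not need it. The `case` statement starts outside the hunk.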
|
||||||
|
|
|
@ -0,0 +1,27 @@
|
||||||
|
#!/bin/sh -e
|
||||||
|
|
||||||
|
# Licensed to the Apache Software Foundation (ASF) under one or more
|
||||||
|
# contributor license agreements. See the NOTICE file distributed with
|
||||||
|
# this work for additional information regarding copyright ownership.
|
||||||
|
# The ASF licenses this file to You under the Apache License, Version 2.0
|
||||||
|
# (the "License"); you may not use this file except in compliance with
|
||||||
|
# the License. You may obtain a copy of the License at
|
||||||
|
#
|
||||||
|
# http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
#
|
||||||
|
# Unless required by applicable law or agreed to in writing, software
|
||||||
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
# See the License for the specific language governing permissions and
|
||||||
|
# limitations under the License.
|
||||||
|
|
||||||
|
prop_replace 'nifi.security.user.oidc.discovery.url' "${NIFI_SECURITY_USER_OIDC_DISCOVERY_URL}"
|
||||||
|
prop_replace 'nifi.security.user.oidc.connect.timeout' "${NIFI_SECURITY_USER_OIDC_CONNECT_TIMEOUT}"
|
||||||
|
prop_replace 'nifi.security.user.oidc.read.timeout' "${NIFI_SECURITY_USER_OIDC_READ_TIMEOUT}"
|
||||||
|
prop_replace 'nifi.security.user.oidc.client.id' "${NIFI_SECURITY_USER_OIDC_CLIENT_ID}"
|
||||||
|
prop_replace 'nifi.security.user.oidc.client.secret' "${NIFI_SECURITY_USER_OIDC_CLIENT_SECRET}"
|
||||||
|
prop_replace 'nifi.security.user.oidc.preferred.jwsalgorithm' "${NIFI_SECURITY_USER_OIDC_PREFERRED_JWSALGORITHM}"
|
||||||
|
prop_replace 'nifi.security.user.oidc.additional.scopes' "${NIFI_SECURITY_USER_OIDC_ADDITIONAL_SCOPES}"
|
||||||
|
prop_replace 'nifi.security.user.oidc.claim.identifying.user' "${NIFI_SECURITY_USER_OIDC_CLAIM_IDENTIFYING_USER}"
|
||||||
|
prop_replace 'nifi.security.user.oidc.fallback.claims.identifying.user' "${NIFI_SECURITY_USER_OIDC_FALLBACK_CLAIMS_IDENTIFYING_USER}"
|
||||||
|
prop_replace 'nifi.security.user.oidc.truststore.strategy' "${NIFI_SECURITY_USER_OIDC_TRUSTSTORE_STRATEGY}"
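Review bot: All ten lines of this file use the `nifi.security.user.oidc.*` keys and `NIFI_SECURITY_USER_OIDC_*` variables. Yet the start script that sources it, just above, is a NiFi Registry script (`nifi_registry_pid`, `update_flow_provider.sh`), and the other Registry copy added later in this commit uses `nifi.registry.security.user.oidc.*`. If this file does target the Registry properties file, none of these keys would match and `AUTH=oidc` would leave OIDC unconfigured while the container still starts. The lines should then read like `prop_replace 'nifi.registry.security.user.oidc.discovery.url' "${NIFI_REGISTRY_SECURITY_USER_OIDC_DISCOVERY_URL}"`. The file paths are not shown on this page, so which image this belongs to should be confirmed.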
|
|
@ -40,6 +40,13 @@ case ${AUTH} in
|
||||||
. "${scripts_dir}/secure.sh"
|
. "${scripts_dir}/secure.sh"
|
||||||
. "${scripts_dir}/update_login_providers.sh"
|
. "${scripts_dir}/update_login_providers.sh"
|
||||||
;;
|
;;
|
||||||
|
oidc)
|
||||||
|
echo 'Enabling OIDC user authentication'
|
||||||
|
prop_replace 'nifi.registry.security.needClientAuth' 'false'
|
||||||
|
|
||||||
|
. "${scripts_dir}/secure.sh"
|
||||||
|
. "${scripts_dir}/update_oidc_properties.sh"
|
||||||
|
;;
|
||||||
esac
|
esac
|
||||||
|
|
||||||
. "${scripts_dir}/update_flow_provider.sh"
|
. "${scripts_dir}/update_flow_provider.sh"
|
||||||
|
@ -53,4 +60,4 @@ nifi_registry_pid="$!"
|
||||||
trap "echo Received trapped signal, beginning shutdown...;" KILL TERM HUP INT EXIT;
|
trap "echo Received trapped signal, beginning shutdown...;" KILL TERM HUP INT EXIT;
|
||||||
|
|
||||||
echo NiFi-Registry running with PID ${nifi_registry_pid}.
|
echo NiFi-Registry running with PID ${nifi_registry_pid}.
|
||||||
wait ${nifi_registry_pid}
|
wait ${nifi_registry_pid}
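Review bot: The line `prop_replace 'nifi.registry.security.needClientAuth' 'false'` in the new `oidc)` arm relaxes a transport-level control with no explanation. A short why-comment would help the next reader, for example `# OIDC users sign in through the browser without a client certificate, so mutual TLS must not be required`. The line also runs before `. "${scripts_dir}/secure.sh"`; secure.sh is not shown here, so it is worth confirming that it does not write the same property afterwards and undo the override.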
|
||||||
|
|
|
@ -0,0 +1,27 @@
|
||||||
|
#!/bin/sh -e
|
||||||
|
|
||||||
|
# Licensed to the Apache Software Foundation (ASF) under one or more
|
||||||
|
# contributor license agreements. See the NOTICE file distributed with
|
||||||
|
# this work for additional information regarding copyright ownership.
|
||||||
|
# The ASF licenses this file to You under the Apache License, Version 2.0
|
||||||
|
# (the "License"); you may not use this file except in compliance with
|
||||||
|
# the License. You may obtain a copy of the License at
|
||||||
|
#
|
||||||
|
# http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
#
|
||||||
|
# Unless required by applicable law or agreed to in writing, software
|
||||||
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
# See the License for the specific language governing permissions and
|
||||||
|
# limitations under the License.
|
||||||
|
|
||||||
|
prop_replace 'nifi.registry.security.user.oidc.discovery.url' "${NIFI_REGISTRY_SECURITY_USER_OIDC_DISCOVERY_URL}"
|
||||||
|
prop_replace 'nifi.registry.security.user.oidc.connect.timeout' "${NIFI_REGISTRY_SECURITY_USER_OIDC_CONNECT_TIMEOUT}"
|
||||||
|
prop_replace 'nifi.registry.security.user.oidc.read.timeout' "${NIFI_REGISTRY_SECURITY_USER_OIDC_READ_TIMEOUT}"
|
||||||
|
prop_replace 'nifi.registry.security.user.oidc.client.id' "${NIFI_REGISTRY_SECURITY_USER_OIDC_CLIENT_ID}"
|
||||||
|
prop_replace 'nifi.registry.security.user.oidc.client.secret' "${NIFI_REGISTRY_SECURITY_USER_OIDC_CLIENT_SECRET}"
|
||||||
|
prop_replace 'nifi.registry.security.user.oidc.preferred.jwsalgorithm' "${NIFI_REGISTRY_SECURITY_USER_OIDC_PREFERRED_JWSALGORITHM}"
|
||||||
|
prop_replace 'nifi.registry.security.user.oidc.additional.scopes' "${NIFI_REGISTRY_SECURITY_USER_OIDC_ADDITIONAL_SCOPES}"
|
||||||
|
prop_replace 'nifi.registry.security.user.oidc.claim.identifying.user' "${NIFI_REGISTRY_SECURITY_USER_OIDC_CLAIM_IDENTIFYING_USER}"
|
||||||
|
prop_replace 'nifi.registry.security.user.oidc.fallback.claims.identifying.user' "${NIFI_REGISTRY_SECURITY_USER_OIDC_FALLBACK_CLAIMS_IDENTIFYING_USER}"
|
||||||
|
prop_replace 'nifi.registry.security.user.oidc.truststore.strategy' "${NIFI_REGISTRY_SECURITY_USER_OIDC_TRUSTSTORE_STRATEGY}"
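Review bot: The `client.secret` line treats the OIDC client secret like any other setting, taking it from an environment variable and handing it to `prop_replace` as an argument. The definition of prop_replace is not on this page. If it substitutes with sed, a secret containing `&`, a backslash or the delimiter character would be written incorrectly, so that is worth testing with such a value. The variable also stays in the container environment after it has been copied into the properties file; adding `unset NIFI_REGISTRY_SECURITY_USER_OIDC_CLIENT_SECRET` after the call keeps it out of the server process, and reading the secret from a mounted file would keep it out of the container definition as well. The same applies to the `client.secret` line in the two update_oidc_properties.sh files earlier in this commit.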
|