From f7f001eb9ac604421cdcecc208563e60a9e9d627 Mon Sep 17 00:00:00 2001 From: Aldrin Piri Date: Tue, 28 Nov 2017 20:00:32 -0500 Subject: [PATCH] NIFI-4531: This closes #2372. Providing support for running NiFi Docker image with LDAP authentication provider. --- nifi-docker/dockerhub/Dockerfile | 4 +- nifi-docker/dockerhub/README.md | 52 +++++++++++++++---- nifi-docker/dockerhub/sh/common.sh | 3 +- nifi-docker/dockerhub/sh/secure.sh | 10 ++-- nifi-docker/dockerhub/sh/start.sh | 33 ++++++++---- .../dockerhub/sh/update_login_providers.sh | 47 +++++++++++++++++ 6 files changed, 122 insertions(+), 27 deletions(-) create mode 100755 nifi-docker/dockerhub/sh/update_login_providers.sh diff --git a/nifi-docker/dockerhub/Dockerfile b/nifi-docker/dockerhub/Dockerfile index 23418c046a..6074dd0e39 100644 --- a/nifi-docker/dockerhub/Dockerfile +++ b/nifi-docker/dockerhub/Dockerfile @@ -35,7 +35,9 @@ ADD sh/ /opt/nifi/scripts/ RUN groupadd -g ${GID} nifi || groupmod -n nifi `getent group ${GID} | cut -d: -f1` \ && useradd --shell /bin/bash -u ${UID} -g ${GID} -m nifi \ && mkdir -p ${NIFI_HOME}/conf/templates \ - && chown -R nifi:nifi ${NIFI_BASE_DIR} + && chown -R nifi:nifi ${NIFI_BASE_DIR} \ + && apt-get update \ + && apt-get install -y jq xmlstarlet USER nifi diff --git a/nifi-docker/dockerhub/README.md b/nifi-docker/dockerhub/README.md index 657bc6dd2e..d87765e96f 100644 --- a/nifi-docker/dockerhub/README.md +++ b/nifi-docker/dockerhub/README.md 
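Review bot: The added `apt-get update` / `apt-get install -y jq xmlstarlet` at the end of the RUN chain leaves the apt package lists in the image layer and pulls in recommended packages, and none of the scripts in this patch invoke `jq` (update_login_providers.sh uses only `sed` and `xmlstarlet`), so the image grows in size and attack surface for no visible reason. I would change the two added lines to `&& apt-get install -y --no-install-recommends xmlstarlet \` followed by `&& rm -rf /var/lib/apt/lists/*`, and drop `jq` unless a script outside this patch needs it. Pinning an `xmlstarlet=<version>` would make rebuilds reproducible, but whether that is practical depends on the base image's repositories, which are not shown here.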
@@ -16,10 +16,10 @@ # Docker Image Quickstart ## Capabilities -This image currently supports running in standalone mode either unsecured or with Two-Way SSL. - -More capabilities will continue to be added and made available from the - +This image currently supports running in standalone mode either unsecured or with user authentication provided through: + * [Two-Way SSL with Client Certificates](http://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#security-configuration) + * [Lightweight Directory Access Protocol (LDAP)](http://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#ldap_login_identity_provider) + ## Building The Docker image can be built using the following command: 
@@ -74,6 +74,45 @@ Finally, this command makes use of a volume to provide certificates on the host -d \ apache/nifi:latest +### Standalone Instance, LDAP +In this configuration, the user will need to provide certificates and the associated configuration information. Optionally, +if the LDAP provider of interest is operating in LDAPS or START_TLS modes, certificates will additionally be needed. +Of particular note, is the `AUTH` environment variable which is set to `ldap`. Additionally, the user must provide a +DN as provided by the configured LDAP server in the `INITIAL_ADMIN_IDENTITY` environment variable. This value will be +used to seed the instance with an initial user with administrative privileges. Finally, this command makes use of a +volume to provide certificates on the host system to the container instance. + +#### For a minimal, connection to an LDAP server using SIMPLE authentication: + + docker run --name nifi \ + -v /User/dreynolds/certs/localhost:/opt/certs \ + -p 18443:8443 \ + -e AUTH=tls \ + -e KEYSTORE_PATH=/opt/certs/keystore.jks \ + -e KEYSTORE_TYPE=JKS \ + -e KEYSTORE_PASSWORD=QKZv1hSWAFQYZ+WU1jjF5ank+l4igeOfQRp+OSbkkrs \ + -e TRUSTSTORE_PATH=/opt/certs/truststore.jks \ + -e TRUSTSTORE_PASSWORD=rHkWR1gDNW3R9hgbeRsT3OM3Ue0zwGtQqcFKJD2EXWE \ + -e TRUSTSTORE_TYPE=JKS \ + -e INITIAL_ADMIN_IDENTITY='cn=admin,dc=example,dc=org' \ + -e LDAP_AUTHENTICATION_STRATEGY='SIMPLE' \ + -e LDAP_MANAGER_DN='cn=admin,dc=example,dc=org' \ + -e LDAP_MANAGER_PASSWORD='password' \ + -e LDAP_USER_SEARCH_BASE='dc=example,dc=org' \ + -e LDAP_USER_SEARCH_FILTER='cn={0}' \ + -e LDAP_IDENTITY_STRATEGY='USE_DN' \ + -e LDAP_URL='ldap://ldap:389' \ + -d \ + apache/nifi:latest + +#### The following, optional environment variables may be added to the above command when connecting to a secure LDAP server configured with START_TLS or LDAPS + + -e LDAP_TLS_KEYSTORE: '' + -e LDAP_TLS_KEYSTORE_PASSWORD: '' + -e LDAP_TLS_KEYSTORE_TYPE: '' + -e LDAP_TLS_TRUSTSTORE: '' + -e 
LDAP_TLS_TRUSTSTORE_PASSWORD: '' + -e LDAP_TLS_TRUSTSTORE_TYPE: '' ## Configuration Information The following ports are specified by the Docker container for NiFi operation within the container and @@ -84,8 +123,3 @@ can be published to the host. | HTTP Port | nifi.web.http.port | 8080 | | HTTPS Port | nifi.web.https.port | 8443 | | Remote Input Socket Port | nifi.remote.input.socket.port | 10000 | - - - - - \ No newline at end of file diff --git a/nifi-docker/dockerhub/sh/common.sh b/nifi-docker/dockerhub/sh/common.sh index 5d252bc11c..a0a65501be 100755 --- a/nifi-docker/dockerhub/sh/common.sh +++ b/nifi-docker/dockerhub/sh/common.sh @@ -1,5 +1,4 @@ #!/bin/sh -e - # Licensed to the Apache Software Foundation (ASF) under one or more # contributor license agreements. See the NOTICE file distributed with # this work for additional information regarding copyright ownership. @@ -26,4 +25,4 @@ prop_replace () { # NIFI_HOME is defined by an ENV command in the backing Dockerfile export nifi_props_file=${NIFI_HOME}/conf/nifi.properties -export hostname=$(hostname) \ No newline at end of file +export hostname=$(hostname) diff --git a/nifi-docker/dockerhub/sh/secure.sh b/nifi-docker/dockerhub/sh/secure.sh index 93e82670a2..4609005396 100644 --- a/nifi-docker/dockerhub/sh/secure.sh +++ b/nifi-docker/dockerhub/sh/secure.sh @@ -15,7 +15,9 @@ # See the License for the specific language governing permissions and # limitations under the License. -[ -f /opt/nifi/scripts/common.sh ] && . /opt/nifi/scripts/common.sh +scripts_dir='/opt/nifi/scripts' + +[ -f "${scripts_dir}/common.sh" ] && . "${scripts_dir}/common.sh" # Perform idempotent changes of configuration to support secure environments echo 'Configuring environment with SSL settings' 
@@ -28,13 +30,13 @@ fi : ${KEYSTORE_TYPE:?"Must specify the type of keystore (JKS, PKCS12, PEM) of the keystore being used."} : ${KEYSTORE_PASSWORD:?"Must specify the password of the keystore being used."} -: ${TRUSTSTORE_PATH:?"Must specify an absolute path to the truststore being used."} +: ${TRUSTSTORE_PATH:?"Must specify an absolute path to the truststore being used."} if [ ! -f "${TRUSTSTORE_PATH}" ]; then echo "Keystore file specified (${TRUSTSTORE_PATH}) does not exist." exit 1 fi -: ${TRUSTSTORE_TYPE:?"Need to set DEST non-empty"} -: ${TRUSTSTORE_PASSWORD:?"Need to set DEST non-empty"} +: ${TRUSTSTORE_TYPE:?"Must specify the type of truststore (JKS, PKCS12, PEM) of the truststore being used."} +: ${TRUSTSTORE_PASSWORD:?"Must specify the password of the truststore being used."} prop_replace 'nifi.security.keystore' "${KEYSTORE_PATH}" prop_replace 'nifi.security.keystoreType' "${KEYSTORE_TYPE}" diff --git a/nifi-docker/dockerhub/sh/start.sh b/nifi-docker/dockerhub/sh/start.sh index 178f30e4a6..df79ad6de7 100755 --- a/nifi-docker/dockerhub/sh/start.sh +++ b/nifi-docker/dockerhub/sh/start.sh 
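Review bot: The truststore existence check sitting between the reworded `TRUSTSTORE_PATH` and `TRUSTSTORE_TYPE`/`TRUSTSTORE_PASSWORD` assertions still prints `Keystore file specified (${TRUSTSTORE_PATH}) does not exist.`, so a missing truststore is reported to the operator as a keystore problem. Since this hunk already fixes the copy-pasted "Need to set DEST non-empty" messages, that context line should be corrected at the same time to `echo "Truststore file specified (${TRUSTSTORE_PATH}) does not exist."`. The keystore checks that precede this hunk are outside the hunk.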
@@ -15,29 +15,40 @@ # See the License for the specific language governing permissions and # limitations under the License. -[ -f /opt/nifi/scripts/common.sh ] && . /opt/nifi/scripts/common.sh +scripts_dir='/opt/nifi/scripts' + +[ -f "${scripts_dir}/common.sh" ] && . "${scripts_dir}/common.sh" # Establish baseline properties -prop_replace 'nifi.web.http.port' '8080' -prop_replace 'nifi.web.http.host' "${hostname}" -prop_replace 'nifi.remote.input.host' "${hostname}" -prop_replace 'nifi.remote.input.socket.port' '10000' -prop_replace 'nifi.remote.input.secure' 'false' +prop_replace 'nifi.web.http.port' '8080' +prop_replace 'nifi.web.http.host' "${hostname}" +prop_replace 'nifi.remote.input.host' "${hostname}" +prop_replace 'nifi.remote.input.socket.port' '10000' +prop_replace 'nifi.remote.input.secure' 'false' # Check if we are secured or unsecured case ${AUTH} in tls) echo 'Enabling Two-Way SSL user authentication' - . /opt/nifi/scripts/secure.sh + . "${scripts_dir}/secure.sh" + ;; + ldap) + echo 'Enabling LDAP user authentication' + # Reference ldap-provider in properties + prop_replace 'nifi.security.user.login.identity.provider' 'ldap-provider' + prop_replace 'nifi.security.needClientAuth' 'WANT' + + . "${scripts_dir}/secure.sh" + . "${scripts_dir}/update_login_providers.sh" ;; esac -# Continuously provide logs so that 'docker logs' can produce them -tail -F ${NIFI_HOME}/logs/nifi-app.log & -${NIFI_HOME}/bin/nifi.sh run & +# Continuously provide logs so that 'docker logs' can produce them +tail -F "${NIFI_HOME}/logs/nifi-app.log" & +"${NIFI_HOME}/bin/nifi.sh" run & nifi_pid="$!" trap "echo Received trapped signal, beginning shutdown...;" KILL TERM HUP INT EXIT; echo NiFi running with PID ${nifi_pid}. -wait ${nifi_pid} +wait ${nifi_pid} \ No newline at end of file diff --git a/nifi-docker/dockerhub/sh/update_login_providers.sh b/nifi-docker/dockerhub/sh/update_login_providers.sh new file mode 100755 index 0000000000..e124960eec --- /dev/null 
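Review bot: The `case ${AUTH} in` block has no default arm, so a misspelled value such as `AUTH=LDAP` or `AUTH=ldaps` falls through silently and the container starts unsecured on the HTTP port 8080 set by the baseline `prop_replace` calls, with every `LDAP_*` variable ignored; the README example added in this same commit even pairs `-e AUTH=tls` with the `LDAP_*` variables, which this code accepts without complaint. I would add `'') ;;` to keep the documented unsecured default and then `*) echo "Unrecognized AUTH value '${AUTH}' (expected 'tls' or 'ldap')" >&2; exit 1 ;;` before `esac`, so a typo fails the container instead of downgrading it. The ordering in the `ldap` arm also deserves a comment: `nifi.security.user.login.identity.provider` is written before `secure.sh` validates the keystore/truststore variables, so a failed validation leaves a half-edited `nifi.properties` in the container's writable layer — harmless on a fresh container but confusing when debugging a reused one.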
+++ b/nifi-docker/dockerhub/sh/update_login_providers.sh 
@@ -0,0 +1,47 @@ +#!/bin/sh -e + +# Licensed to the Apache Software Foundation (ASF) under one or more +# contributor license agreements. See the NOTICE file distributed with +# this work for additional information regarding copyright ownership. +# The ASF licenses this file to You under the Apache License, Version 2.0 +# (the "License"); you may not use this file except in compliance with +# the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +login_providers_file=${NIFI_HOME}/conf/login-identity-providers.xml +property_xpath='//loginIdentityProviders/provider/property' + +# Update a given property in the login-identity-providers file if a value is specified +edit_property() { + property_name=$1 + property_value=$2 + + if [ -n "${property_value}" ]; then + xmlstarlet ed --inplace -u "${property_xpath}[@name='${property_name}']" -v "${property_value}" "${login_providers_file}" + fi +} + +# Remove comments to enable the ldap-provider +sed -i '/To enable the ldap-provider remove/d' "${login_providers_file}" + +edit_property 'Authentication Strategy' "${LDAP_AUTHENTICATION_STRATEGY}" +edit_property 'Manager DN' "${LDAP_MANAGER_DN}" +edit_property 'Manager Password' "${LDAP_MANAGER_PASSWORD}" +edit_property 'TLS - Keystore' "${LDAP_TLS_KEYSTORE}" +edit_property 'TLS - Keystore Password' "${LDAP_TLS_KEYSTORE_PASSWORD}" +edit_property 'TLS - Keystore Type' "${LDAP_TLS_KEYSTORE_TYPE}" +edit_property 'TLS - Truststore' "${LDAP_TLS_TRUSTSTORE}" +edit_property 'TLS - Truststore Password' "${LDAP_TLS_TRUSTSTORE_PASSWORD}" +edit_property 'TLS - Truststore Type' "${LDAP_TLS_TRUSTSTORE_TYPE}" +edit_property 
'TLS - Protocol' "${LDAP_TLS_PROTOCOL}" +edit_property 'Url' "${LDAP_URL}" +edit_property 'User Search Base' "${LDAP_USER_SEARCH_BASE}" +edit_property 'User Search Filter' "${LDAP_USER_SEARCH_FILTER}" +edit_property 'Identity Strategy' "${LDAP_IDENTITY_STRATEGY}" \ No newline at end of file
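Review bot: Unlike secure.sh, which asserts each `KEYSTORE_*`/`TRUSTSTORE_*` variable with `: ${VAR:?...}`, this script applies whatever `LDAP_*` variables happen to be set and silently leaves the rest at the file's defaults, so a missing `LDAP_URL` or `LDAP_USER_SEARCH_BASE` only surfaces later as a NiFi startup failure. The enablement step is brittle in the same direction: `sed -i '/To enable the ldap-provider remove/d'` depends on the exact comment text of the stock login-identity-providers.xml, and if that marker is absent (a user-mounted conf, or a later release rewording it) every `xmlstarlet ed --inplace -u` matches nothing and exits 0, leaving the provider commented out while start.sh has already pointed `nifi.properties` at `ldap-provider`. `property_xpath` is also not scoped to the ldap provider, so a same-named `property` under any other `provider` element is overwritten too; scoping the path to the provider (the stock file appears to identify providers by an `identifier` child — confirm) and asserting the provider is present after the `sed` makes both failures loud. Separately, `LDAP_MANAGER_PASSWORD` and the keystore passwords are passed to xmlstarlet on argv, so they are readable via `ps`/`/proc/*/cmdline` while it runs and land in clear text in the XML; that is inherent to this config format, but a comment pointing operators at NiFi's sensitive-property encryption tooling would be appropriate.

```shell
login_providers_file=${NIFI_HOME}/conf/login-identity-providers.xml
# Scope edits to the ldap provider only; assumes the stock <identifier>ldap-provider</identifier> layout — confirm
ldap_provider_xpath="//loginIdentityProviders/provider[identifier='ldap-provider']"
property_xpath="${ldap_provider_xpath}/property"

# Fail fast on the variables the provider cannot work without, mirroring secure.sh
: "${LDAP_URL:?Must specify the LDAP server URL (LDAP_URL).}"
: "${LDAP_USER_SEARCH_BASE:?Must specify the LDAP user search base (LDAP_USER_SEARCH_BASE).}"
: "${LDAP_USER_SEARCH_FILTER:?Must specify the LDAP user search filter (LDAP_USER_SEARCH_FILTER).}"

# … unchanged: edit_property() …

# Remove comments to enable the ldap-provider
sed -i '/To enable the ldap-provider remove/d' "${login_providers_file}"

# Abort if the provider is still commented out or missing; xmlstarlet ed -u would otherwise silently change nothing
provider_count=$(xmlstarlet sel -t -v "count(${ldap_provider_xpath})" "${login_providers_file}")
if [ "${provider_count}" = "0" ]; then
  echo "ldap-provider not found in ${login_providers_file}; cannot enable LDAP authentication." >&2
  exit 1
fi

# … unchanged: edit_property calls …
```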