NIFI-4531: This closes #2372.
Provides support for running the NiFi Docker image with the LDAP authentication provider.
parent
c832a2ed7c
commit
f7f001eb9a
|
@ -35,7 +35,9 @@ ADD sh/ /opt/nifi/scripts/
|
||||||
RUN groupadd -g ${GID} nifi || groupmod -n nifi `getent group ${GID} | cut -d: -f1` \
|
RUN groupadd -g ${GID} nifi || groupmod -n nifi `getent group ${GID} | cut -d: -f1` \
|
||||||
&& useradd --shell /bin/bash -u ${UID} -g ${GID} -m nifi \
|
&& useradd --shell /bin/bash -u ${UID} -g ${GID} -m nifi \
|
||||||
&& mkdir -p ${NIFI_HOME}/conf/templates \
|
&& mkdir -p ${NIFI_HOME}/conf/templates \
|
||||||
&& chown -R nifi:nifi ${NIFI_BASE_DIR}
|
&& chown -R nifi:nifi ${NIFI_BASE_DIR} \
|
||||||
|
&& apt-get update \
|
||||||
|
&& apt-get install -y jq xmlstarlet
|
||||||
|
|
||||||
USER nifi
|
USER nifi
|
||||||
|
|
||||||
|
|
|
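Review bot: The added `apt-get install -y jq xmlstarlet` leaves the downloaded package index in the image layer and pulls in recommended packages; finishing the chain with `&& apt-get install -y --no-install-recommends jq xmlstarlet && rm -rf /var/lib/apt/lists/*` keeps the layer small and avoids shipping stale index data. The install is also appended to the same RUN that creates the nifi user and chowns `${NIFI_BASE_DIR}`, so the network-dependent step now shares a cache layer with the user setup; a separate RUN placed before it would let the two be cached independently. The `getent group` backtick substitution on the first line predates this commit and is left as is.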
@ -16,10 +16,10 @@
|
||||||
# Docker Image Quickstart
|
# Docker Image Quickstart
|
||||||
|
|
||||||
## Capabilities
|
## Capabilities
|
||||||
This image currently supports running in standalone mode either unsecured or with Two-Way SSL.
|
This image currently supports running in standalone mode either unsecured or with user authentication provided through:
|
||||||
|
* [Two-Way SSL with Client Certificates](http://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#security-configuration)
|
||||||
More capabilities will continue to be added and made available from the
|
* [Lightweight Directory Access Protocol (LDAP)](http://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#ldap_login_identity_provider)
|
||||||
|
|
||||||
## Building
|
## Building
|
||||||
The Docker image can be built using the following command:
|
The Docker image can be built using the following command:
|
||||||
|
|
||||||
|
@ -74,6 +74,45 @@ Finally, this command makes use of a volume to provide certificates on the host
|
||||||
-d \
|
-d \
|
||||||
apache/nifi:latest
|
apache/nifi:latest
|
||||||
|
|
||||||
|
### Standalone Instance, LDAP
|
||||||
|
In this configuration, the user will need to provide certificates and the associated configuration information. Optionally,
|
||||||
|
if the LDAP provider of interest is operating in LDAPS or START_TLS modes, certificates will additionally be needed.
|
||||||
|
Of particular note, is the `AUTH` environment variable which is set to `ldap`. Additionally, the user must provide a
|
||||||
|
DN as provided by the configured LDAP server in the `INITIAL_ADMIN_IDENTITY` environment variable. This value will be
|
||||||
|
used to seed the instance with an initial user with administrative privileges. Finally, this command makes use of a
|
||||||
|
volume to provide certificates on the host system to the container instance.
|
||||||
|
|
||||||
|
#### For a minimal, connection to an LDAP server using SIMPLE authentication:
|
||||||
|
|
||||||
|
docker run --name nifi \
|
||||||
|
-v /User/dreynolds/certs/localhost:/opt/certs \
|
||||||
|
-p 18443:8443 \
|
||||||
|
-e AUTH=tls \
|
||||||
|
-e KEYSTORE_PATH=/opt/certs/keystore.jks \
|
||||||
|
-e KEYSTORE_TYPE=JKS \
|
||||||
|
-e KEYSTORE_PASSWORD=QKZv1hSWAFQYZ+WU1jjF5ank+l4igeOfQRp+OSbkkrs \
|
||||||
|
-e TRUSTSTORE_PATH=/opt/certs/truststore.jks \
|
||||||
|
-e TRUSTSTORE_PASSWORD=rHkWR1gDNW3R9hgbeRsT3OM3Ue0zwGtQqcFKJD2EXWE \
|
||||||
|
-e TRUSTSTORE_TYPE=JKS \
|
||||||
|
-e INITIAL_ADMIN_IDENTITY='cn=admin,dc=example,dc=org' \
|
||||||
|
-e LDAP_AUTHENTICATION_STRATEGY='SIMPLE' \
|
||||||
|
-e LDAP_MANAGER_DN='cn=admin,dc=example,dc=org' \
|
||||||
|
-e LDAP_MANAGER_PASSWORD='password' \
|
||||||
|
-e LDAP_USER_SEARCH_BASE='dc=example,dc=org' \
|
||||||
|
-e LDAP_USER_SEARCH_FILTER='cn={0}' \
|
||||||
|
-e LDAP_IDENTITY_STRATEGY='USE_DN' \
|
||||||
|
-e LDAP_URL='ldap://ldap:389' \
|
||||||
|
-d \
|
||||||
|
apache/nifi:latest
|
||||||
|
|
||||||
|
#### The following, optional environment variables may be added to the above command when connecting to a secure LDAP server configured with START_TLS or LDAPS
|
||||||
|
|
||||||
|
-e LDAP_TLS_KEYSTORE: ''
|
||||||
|
-e LDAP_TLS_KEYSTORE_PASSWORD: ''
|
||||||
|
-e LDAP_TLS_KEYSTORE_TYPE: ''
|
||||||
|
-e LDAP_TLS_TRUSTSTORE: ''
|
||||||
|
-e LDAP_TLS_TRUSTSTORE_PASSWORD: ''
|
||||||
|
-e LDAP_TLS_TRUSTSTORE_TYPE: ''
|
||||||
|
|
||||||
## Configuration Information
|
## Configuration Information
|
||||||
The following ports are specified by the Docker container for NiFi operation within the container and
|
The following ports are specified by the Docker container for NiFi operation within the container and
|
||||||
|
@ -84,8 +123,3 @@ can be published to the host.
|
||||||
| HTTP Port | nifi.web.http.port | 8080 |
|
| HTTP Port | nifi.web.http.port | 8080 |
|
||||||
| HTTPS Port | nifi.web.https.port | 8443 |
|
| HTTPS Port | nifi.web.https.port | 8443 |
|
||||||
| Remote Input Socket Port | nifi.remote.input.socket.port | 10000 |
|
| Remote Input Socket Port | nifi.remote.input.socket.port | 10000 |
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
|
@ -1,5 +1,4 @@
|
||||||
#!/bin/sh -e
|
#!/bin/sh -e
|
||||||
|
|
||||||
# Licensed to the Apache Software Foundation (ASF) under one or more
|
# Licensed to the Apache Software Foundation (ASF) under one or more
|
||||||
# contributor license agreements. See the NOTICE file distributed with
|
# contributor license agreements. See the NOTICE file distributed with
|
||||||
# this work for additional information regarding copyright ownership.
|
# this work for additional information regarding copyright ownership.
|
||||||
|
@ -26,4 +25,4 @@ prop_replace () {
|
||||||
|
|
||||||
# NIFI_HOME is defined by an ENV command in the backing Dockerfile
|
# NIFI_HOME is defined by an ENV command in the backing Dockerfile
|
||||||
export nifi_props_file=${NIFI_HOME}/conf/nifi.properties
|
export nifi_props_file=${NIFI_HOME}/conf/nifi.properties
|
||||||
export hostname=$(hostname)
|
export hostname=$(hostname)
|
||||||
|
|
|
@ -15,7 +15,9 @@
|
||||||
# See the License for the specific language governing permissions and
|
# See the License for the specific language governing permissions and
|
||||||
# limitations under the License.
|
# limitations under the License.
|
||||||
|
|
||||||
[ -f /opt/nifi/scripts/common.sh ] && . /opt/nifi/scripts/common.sh
|
scripts_dir='/opt/nifi/scripts'
|
||||||
|
|
||||||
|
[ -f "${scripts_dir}/common.sh" ] && . "${scripts_dir}/common.sh"
|
||||||
|
|
||||||
# Perform idempotent changes of configuration to support secure environments
|
# Perform idempotent changes of configuration to support secure environments
|
||||||
echo 'Configuring environment with SSL settings'
|
echo 'Configuring environment with SSL settings'
|
||||||
|
@ -28,13 +30,13 @@ fi
|
||||||
: ${KEYSTORE_TYPE:?"Must specify the type of keystore (JKS, PKCS12, PEM) of the keystore being used."}
|
: ${KEYSTORE_TYPE:?"Must specify the type of keystore (JKS, PKCS12, PEM) of the keystore being used."}
|
||||||
: ${KEYSTORE_PASSWORD:?"Must specify the password of the keystore being used."}
|
: ${KEYSTORE_PASSWORD:?"Must specify the password of the keystore being used."}
|
||||||
|
|
||||||
: ${TRUSTSTORE_PATH:?"Must specify an absolute path to the truststore being used."}
|
: ${TRUSTSTORE_PATH:?"Must specify an absolute path to the truststore being used."}
|
||||||
if [ ! -f "${TRUSTSTORE_PATH}" ]; then
|
if [ ! -f "${TRUSTSTORE_PATH}" ]; then
|
||||||
echo "Keystore file specified (${TRUSTSTORE_PATH}) does not exist."
|
echo "Keystore file specified (${TRUSTSTORE_PATH}) does not exist."
|
||||||
exit 1
|
exit 1
|
||||||
fi
|
fi
|
||||||
: ${TRUSTSTORE_TYPE:?"Need to set DEST non-empty"}
|
: ${TRUSTSTORE_TYPE:?"Must specify the type of truststore (JKS, PKCS12, PEM) of the truststore being used."}
|
||||||
: ${TRUSTSTORE_PASSWORD:?"Need to set DEST non-empty"}
|
: ${TRUSTSTORE_PASSWORD:?"Must specify the password of the truststore being used."}
|
||||||
|
|
||||||
prop_replace 'nifi.security.keystore' "${KEYSTORE_PATH}"
|
prop_replace 'nifi.security.keystore' "${KEYSTORE_PATH}"
|
||||||
prop_replace 'nifi.security.keystoreType' "${KEYSTORE_TYPE}"
|
prop_replace 'nifi.security.keystoreType' "${KEYSTORE_TYPE}"
|
||||||
|
|
|
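Review bot: The message inside the `TRUSTSTORE_PATH` existence check still reads `Keystore file specified (${TRUSTSTORE_PATH}) does not exist.` although it guards the truststore; the hunk corrects the two `:?` messages just below it but leaves this one, so it should become `echo "Truststore file specified (${TRUSTSTORE_PATH}) does not exist."`. The diagnostic is also written to stdout; `>&2` would keep it out of any captured output. The keystore checks that precede this block end outside the hunk.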
@ -15,29 +15,40 @@
|
||||||
# See the License for the specific language governing permissions and
|
# See the License for the specific language governing permissions and
|
||||||
# limitations under the License.
|
# limitations under the License.
|
||||||
|
|
||||||
[ -f /opt/nifi/scripts/common.sh ] && . /opt/nifi/scripts/common.sh
|
scripts_dir='/opt/nifi/scripts'
|
||||||
|
|
||||||
|
[ -f "${scripts_dir}/common.sh" ] && . "${scripts_dir}/common.sh"
|
||||||
|
|
||||||
# Establish baseline properties
|
# Establish baseline properties
|
||||||
prop_replace 'nifi.web.http.port' '8080'
|
prop_replace 'nifi.web.http.port' '8080'
|
||||||
prop_replace 'nifi.web.http.host' "${hostname}"
|
prop_replace 'nifi.web.http.host' "${hostname}"
|
||||||
prop_replace 'nifi.remote.input.host' "${hostname}"
|
prop_replace 'nifi.remote.input.host' "${hostname}"
|
||||||
prop_replace 'nifi.remote.input.socket.port' '10000'
|
prop_replace 'nifi.remote.input.socket.port' '10000'
|
||||||
prop_replace 'nifi.remote.input.secure' 'false'
|
prop_replace 'nifi.remote.input.secure' 'false'
|
||||||
|
|
||||||
# Check if we are secured or unsecured
|
# Check if we are secured or unsecured
|
||||||
case ${AUTH} in
|
case ${AUTH} in
|
||||||
tls)
|
tls)
|
||||||
echo 'Enabling Two-Way SSL user authentication'
|
echo 'Enabling Two-Way SSL user authentication'
|
||||||
. /opt/nifi/scripts/secure.sh
|
. "${scripts_dir}/secure.sh"
|
||||||
|
;;
|
||||||
|
ldap)
|
||||||
|
echo 'Enabling LDAP user authentication'
|
||||||
|
# Reference ldap-provider in properties
|
||||||
|
prop_replace 'nifi.security.user.login.identity.provider' 'ldap-provider'
|
||||||
|
prop_replace 'nifi.security.needClientAuth' 'WANT'
|
||||||
|
|
||||||
|
. "${scripts_dir}/secure.sh"
|
||||||
|
. "${scripts_dir}/update_login_providers.sh"
|
||||||
;;
|
;;
|
||||||
esac
|
esac
|
||||||
|
|
||||||
# Continuously provide logs so that 'docker logs' can produce them
|
# Continuously provide logs so that 'docker logs' can produce them
|
||||||
tail -F ${NIFI_HOME}/logs/nifi-app.log &
|
tail -F "${NIFI_HOME}/logs/nifi-app.log" &
|
||||||
${NIFI_HOME}/bin/nifi.sh run &
|
"${NIFI_HOME}/bin/nifi.sh" run &
|
||||||
nifi_pid="$!"
|
nifi_pid="$!"
|
||||||
|
|
||||||
trap "echo Received trapped signal, beginning shutdown...;" KILL TERM HUP INT EXIT;
|
trap "echo Received trapped signal, beginning shutdown...;" KILL TERM HUP INT EXIT;
|
||||||
|
|
||||||
echo NiFi running with PID ${nifi_pid}.
|
echo NiFi running with PID ${nifi_pid}.
|
||||||
wait ${nifi_pid}
|
wait ${nifi_pid}
|
|
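Review bot: The `case ${AUTH} in` dispatch gains an `ldap)` arm but still has no `*)` arm, so a misspelt or unexpected value such as `AUTH=LDAP` silently falls through to the unsecured baseline properties set above; an explicit `*) echo "Unrecognised AUTH value '${AUTH}', running unsecured" ;;` (or an exit) would make that visible. The new arm writes `nifi.security.needClientAuth` as `WANT` and then sources `secure.sh`; if secure.sh also sets that property the later write wins, which is worth confirming since only its keystore lines are visible here. Note that the README example added by this commit under the LDAP heading sets `-e AUTH=tls`, which never reaches this arm.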
@ -0,0 +1,47 @@
|
||||||
|
#!/bin/sh -e
|
||||||
|
|
||||||
|
# Licensed to the Apache Software Foundation (ASF) under one or more
|
||||||
|
# contributor license agreements. See the NOTICE file distributed with
|
||||||
|
# this work for additional information regarding copyright ownership.
|
||||||
|
# The ASF licenses this file to You under the Apache License, Version 2.0
|
||||||
|
# (the "License"); you may not use this file except in compliance with
|
||||||
|
# the License. You may obtain a copy of the License at
|
||||||
|
#
|
||||||
|
# http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
#
|
||||||
|
# Unless required by applicable law or agreed to in writing, software
|
||||||
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
# See the License for the specific language governing permissions and
|
||||||
|
# limitations under the License.
|
||||||
|
|
||||||
|
login_providers_file=${NIFI_HOME}/conf/login-identity-providers.xml
|
||||||
|
property_xpath='//loginIdentityProviders/provider/property'
|
||||||
|
|
||||||
|
# Update a given property in the login-identity-providers file if a value is specified
|
||||||
|
edit_property() {
|
||||||
|
property_name=$1
|
||||||
|
property_value=$2
|
||||||
|
|
||||||
|
if [ -n "${property_value}" ]; then
|
||||||
|
xmlstarlet ed --inplace -u "${property_xpath}[@name='${property_name}']" -v "${property_value}" "${login_providers_file}"
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
|
# Remove comments to enable the ldap-provider
|
||||||
|
sed -i '/To enable the ldap-provider remove/d' "${login_providers_file}"
|
||||||
|
|
||||||
|
edit_property 'Authentication Strategy' "${LDAP_AUTHENTICATION_STRATEGY}"
|
||||||
|
edit_property 'Manager DN' "${LDAP_MANAGER_DN}"
|
||||||
|
edit_property 'Manager Password' "${LDAP_MANAGER_PASSWORD}"
|
||||||
|
edit_property 'TLS - Keystore' "${LDAP_TLS_KEYSTORE}"
|
||||||
|
edit_property 'TLS - Keystore Password' "${LDAP_TLS_KEYSTORE_PASSWORD}"
|
||||||
|
edit_property 'TLS - Keystore Type' "${LDAP_TLS_KEYSTORE_TYPE}"
|
||||||
|
edit_property 'TLS - Truststore' "${LDAP_TLS_TRUSTSTORE}"
|
||||||
|
edit_property 'TLS - Truststore Password' "${LDAP_TLS_TRUSTSTORE_PASSWORD}"
|
||||||
|
edit_property 'TLS - Truststore Type' "${LDAP_TLS_TRUSTSTORE_TYPE}"
|
||||||
|
edit_property 'TLS - Protocol' "${LDAP_TLS_PROTOCOL}"
|
||||||
|
edit_property 'Url' "${LDAP_URL}"
|
||||||
|
edit_property 'User Search Base' "${LDAP_USER_SEARCH_BASE}"
|
||||||
|
edit_property 'User Search Filter' "${LDAP_USER_SEARCH_FILTER}"
|
||||||
|
edit_property 'Identity Strategy' "${LDAP_IDENTITY_STRATEGY}"
|