NIFI-4531: This closes #2372.

Providing support for running NiFi Docker image with LDAP authentication provider.
This commit is contained in:
Aldrin Piri 2017-11-28 20:00:32 -05:00 committed by joewitt
parent c832a2ed7c
commit f7f001eb9a
6 changed files with 122 additions and 27 deletions

View File

@ -35,7 +35,9 @@ ADD sh/ /opt/nifi/scripts/
RUN groupadd -g ${GID} nifi || groupmod -n nifi `getent group ${GID} | cut -d: -f1` \ RUN groupadd -g ${GID} nifi || groupmod -n nifi `getent group ${GID} | cut -d: -f1` \
&& useradd --shell /bin/bash -u ${UID} -g ${GID} -m nifi \ && useradd --shell /bin/bash -u ${UID} -g ${GID} -m nifi \
&& mkdir -p ${NIFI_HOME}/conf/templates \ && mkdir -p ${NIFI_HOME}/conf/templates \
&& chown -R nifi:nifi ${NIFI_BASE_DIR} && chown -R nifi:nifi ${NIFI_BASE_DIR} \
&& apt-get update \
&& apt-get install -y jq xmlstarlet
USER nifi USER nifi

View File

@ -16,10 +16,10 @@
# Docker Image Quickstart # Docker Image Quickstart
## Capabilities ## Capabilities
This image currently supports running in standalone mode either unsecured or with Two-Way SSL. This image currently supports running in standalone mode either unsecured or with user authentication provided through:
* [Two-Way SSL with Client Certificates](http://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#security-configuration)
More capabilities will continue to be added and made available from the * [Lightweight Directory Access Protocol (LDAP)](http://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#ldap_login_identity_provider)
## Building ## Building
The Docker image can be built using the following command: The Docker image can be built using the following command:
@ -74,6 +74,45 @@ Finally, this command makes use of a volume to provide certificates on the host
-d \ -d \
apache/nifi:latest apache/nifi:latest
### Standalone Instance, LDAP
In this configuration, the user will need to provide certificates and the associated configuration information. Optionally,
if the LDAP provider of interest is operating in LDAPS or START_TLS modes, certificates will additionally be needed.
Of particular note, is the `AUTH` environment variable which is set to `ldap`. Additionally, the user must provide a
DN as provided by the configured LDAP server in the `INITIAL_ADMIN_IDENTITY` environment variable. This value will be
used to seed the instance with an initial user with administrative privileges. Finally, this command makes use of a
volume to provide certificates on the host system to the container instance.
#### For a minimal, connection to an LDAP server using SIMPLE authentication:
docker run --name nifi \
-v /User/dreynolds/certs/localhost:/opt/certs \
-p 18443:8443 \
-e AUTH=tls \
-e KEYSTORE_PATH=/opt/certs/keystore.jks \
-e KEYSTORE_TYPE=JKS \
-e KEYSTORE_PASSWORD=QKZv1hSWAFQYZ+WU1jjF5ank+l4igeOfQRp+OSbkkrs \
-e TRUSTSTORE_PATH=/opt/certs/truststore.jks \
-e TRUSTSTORE_PASSWORD=rHkWR1gDNW3R9hgbeRsT3OM3Ue0zwGtQqcFKJD2EXWE \
-e TRUSTSTORE_TYPE=JKS \
-e INITIAL_ADMIN_IDENTITY='cn=admin,dc=example,dc=org' \
-e LDAP_AUTHENTICATION_STRATEGY='SIMPLE' \
-e LDAP_MANAGER_DN='cn=admin,dc=example,dc=org' \
-e LDAP_MANAGER_PASSWORD='password' \
-e LDAP_USER_SEARCH_BASE='dc=example,dc=org' \
-e LDAP_USER_SEARCH_FILTER='cn={0}' \
-e LDAP_IDENTITY_STRATEGY='USE_DN' \
-e LDAP_URL='ldap://ldap:389' \
-d \
apache/nifi:latest
#### The following, optional environment variables may be added to the above command when connecting to a secure LDAP server configured with START_TLS or LDAPS
-e LDAP_TLS_KEYSTORE: ''
-e LDAP_TLS_KEYSTORE_PASSWORD: ''
-e LDAP_TLS_KEYSTORE_TYPE: ''
-e LDAP_TLS_TRUSTSTORE: ''
-e LDAP_TLS_TRUSTSTORE_PASSWORD: ''
-e LDAP_TLS_TRUSTSTORE_TYPE: ''
## Configuration Information ## Configuration Information
The following ports are specified by the Docker container for NiFi operation within the container and The following ports are specified by the Docker container for NiFi operation within the container and
@ -84,8 +123,3 @@ can be published to the host.
| HTTP Port | nifi.web.http.port | 8080 | | HTTP Port | nifi.web.http.port | 8080 |
| HTTPS Port | nifi.web.https.port | 8443 | | HTTPS Port | nifi.web.https.port | 8443 |
| Remote Input Socket Port | nifi.remote.input.socket.port | 10000 | | Remote Input Socket Port | nifi.remote.input.socket.port | 10000 |

View File

@ -1,5 +1,4 @@
#!/bin/sh -e #!/bin/sh -e
# Licensed to the Apache Software Foundation (ASF) under one or more # Licensed to the Apache Software Foundation (ASF) under one or more
# contributor license agreements. See the NOTICE file distributed with # contributor license agreements. See the NOTICE file distributed with
# this work for additional information regarding copyright ownership. # this work for additional information regarding copyright ownership.
@ -26,4 +25,4 @@ prop_replace () {
# NIFI_HOME is defined by an ENV command in the backing Dockerfile # NIFI_HOME is defined by an ENV command in the backing Dockerfile
export nifi_props_file=${NIFI_HOME}/conf/nifi.properties export nifi_props_file=${NIFI_HOME}/conf/nifi.properties
export hostname=$(hostname) export hostname=$(hostname)

View File

@ -15,7 +15,9 @@
# See the License for the specific language governing permissions and # See the License for the specific language governing permissions and
# limitations under the License. # limitations under the License.
[ -f /opt/nifi/scripts/common.sh ] && . /opt/nifi/scripts/common.sh scripts_dir='/opt/nifi/scripts'
[ -f "${scripts_dir}/common.sh" ] && . "${scripts_dir}/common.sh"
# Perform idempotent changes of configuration to support secure environments # Perform idempotent changes of configuration to support secure environments
echo 'Configuring environment with SSL settings' echo 'Configuring environment with SSL settings'
@ -28,13 +30,13 @@ fi
: ${KEYSTORE_TYPE:?"Must specify the type of keystore (JKS, PKCS12, PEM) of the keystore being used."} : ${KEYSTORE_TYPE:?"Must specify the type of keystore (JKS, PKCS12, PEM) of the keystore being used."}
: ${KEYSTORE_PASSWORD:?"Must specify the password of the keystore being used."} : ${KEYSTORE_PASSWORD:?"Must specify the password of the keystore being used."}
: ${TRUSTSTORE_PATH:?"Must specify an absolute path to the truststore being used."} : ${TRUSTSTORE_PATH:?"Must specify an absolute path to the truststore being used."}
if [ ! -f "${TRUSTSTORE_PATH}" ]; then if [ ! -f "${TRUSTSTORE_PATH}" ]; then
echo "Keystore file specified (${TRUSTSTORE_PATH}) does not exist." echo "Keystore file specified (${TRUSTSTORE_PATH}) does not exist."
exit 1 exit 1
fi fi
: ${TRUSTSTORE_TYPE:?"Need to set DEST non-empty"} : ${TRUSTSTORE_TYPE:?"Must specify the type of truststore (JKS, PKCS12, PEM) of the truststore being used."}
: ${TRUSTSTORE_PASSWORD:?"Need to set DEST non-empty"} : ${TRUSTSTORE_PASSWORD:?"Must specify the password of the truststore being used."}
prop_replace 'nifi.security.keystore' "${KEYSTORE_PATH}" prop_replace 'nifi.security.keystore' "${KEYSTORE_PATH}"
prop_replace 'nifi.security.keystoreType' "${KEYSTORE_TYPE}" prop_replace 'nifi.security.keystoreType' "${KEYSTORE_TYPE}"

View File

@ -15,29 +15,40 @@
# See the License for the specific language governing permissions and # See the License for the specific language governing permissions and
# limitations under the License. # limitations under the License.
[ -f /opt/nifi/scripts/common.sh ] && . /opt/nifi/scripts/common.sh scripts_dir='/opt/nifi/scripts'
[ -f "${scripts_dir}/common.sh" ] && . "${scripts_dir}/common.sh"
# Establish baseline properties # Establish baseline properties
prop_replace 'nifi.web.http.port' '8080' prop_replace 'nifi.web.http.port' '8080'
prop_replace 'nifi.web.http.host' "${hostname}" prop_replace 'nifi.web.http.host' "${hostname}"
prop_replace 'nifi.remote.input.host' "${hostname}" prop_replace 'nifi.remote.input.host' "${hostname}"
prop_replace 'nifi.remote.input.socket.port' '10000' prop_replace 'nifi.remote.input.socket.port' '10000'
prop_replace 'nifi.remote.input.secure' 'false' prop_replace 'nifi.remote.input.secure' 'false'
# Check if we are secured or unsecured # Check if we are secured or unsecured
case ${AUTH} in case ${AUTH} in
tls) tls)
echo 'Enabling Two-Way SSL user authentication' echo 'Enabling Two-Way SSL user authentication'
. /opt/nifi/scripts/secure.sh . "${scripts_dir}/secure.sh"
;;
ldap)
echo 'Enabling LDAP user authentication'
# Reference ldap-provider in properties
prop_replace 'nifi.security.user.login.identity.provider' 'ldap-provider'
prop_replace 'nifi.security.needClientAuth' 'WANT'
. "${scripts_dir}/secure.sh"
. "${scripts_dir}/update_login_providers.sh"
;; ;;
esac esac
# Continuously provide logs so that 'docker logs' can produce them # Continuously provide logs so that 'docker logs' can produce them
tail -F ${NIFI_HOME}/logs/nifi-app.log & tail -F "${NIFI_HOME}/logs/nifi-app.log" &
${NIFI_HOME}/bin/nifi.sh run & "${NIFI_HOME}/bin/nifi.sh" run &
nifi_pid="$!" nifi_pid="$!"
trap "echo Received trapped signal, beginning shutdown...;" KILL TERM HUP INT EXIT; trap "echo Received trapped signal, beginning shutdown...;" KILL TERM HUP INT EXIT;
echo NiFi running with PID ${nifi_pid}. echo NiFi running with PID ${nifi_pid}.
wait ${nifi_pid} wait ${nifi_pid}

View File

@ -0,0 +1,47 @@
#!/bin/sh -e
# Licensed to the Apache Software Foundation (ASF) under one or more
# contributor license agreements. See the NOTICE file distributed with
# this work for additional information regarding copyright ownership.
# The ASF licenses this file to You under the Apache License, Version 2.0
# (the "License"); you may not use this file except in compliance with
# the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
login_providers_file=${NIFI_HOME}/conf/login-identity-providers.xml
property_xpath='//loginIdentityProviders/provider/property'
# Update a given property in the login-identity-providers file if a value is specified
edit_property() {
property_name=$1
property_value=$2
if [ -n "${property_value}" ]; then
xmlstarlet ed --inplace -u "${property_xpath}[@name='${property_name}']" -v "${property_value}" "${login_providers_file}"
fi
}
# Remove comments to enable the ldap-provider
sed -i '/To enable the ldap-provider remove/d' "${login_providers_file}"
edit_property 'Authentication Strategy' "${LDAP_AUTHENTICATION_STRATEGY}"
edit_property 'Manager DN' "${LDAP_MANAGER_DN}"
edit_property 'Manager Password' "${LDAP_MANAGER_PASSWORD}"
edit_property 'TLS - Keystore' "${LDAP_TLS_KEYSTORE}"
edit_property 'TLS - Keystore Password' "${LDAP_TLS_KEYSTORE_PASSWORD}"
edit_property 'TLS - Keystore Type' "${LDAP_TLS_KEYSTORE_TYPE}"
edit_property 'TLS - Truststore' "${LDAP_TLS_TRUSTSTORE}"
edit_property 'TLS - Truststore Password' "${LDAP_TLS_TRUSTSTORE_PASSWORD}"
edit_property 'TLS - Truststore Type' "${LDAP_TLS_TRUSTSTORE_TYPE}"
edit_property 'TLS - Protocol' "${LDAP_TLS_PROTOCOL}"
edit_property 'Url' "${LDAP_URL}"
edit_property 'User Search Base' "${LDAP_USER_SEARCH_BASE}"
edit_property 'User Search Filter' "${LDAP_USER_SEARCH_FILTER}"
edit_property 'Identity Strategy' "${LDAP_IDENTITY_STRATEGY}"