Date: Mon, 23 Nov 2015 20:47:39 +0000 (UTC)
From: "ASF subversion and git services (JIRA)"
To: commits@nifi.apache.org
Subject: [jira] [Commented] (NIFI-655) Provide support for multiple authentication mechanisms

    [ https://issues.apache.org/jira/browse/NIFI-655?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15022988#comment-15022988 ]

ASF subversion and git services commented on NIFI-655:
------------------------------------------------------

Commit aaf14c45c96077c0075af8f3442e392b717244c1 in nifi's branch refs/heads/NIFI-655 from [~mcgilman]
[ https://git-wip-us.apache.org/repos/asf?p=nifi.git;h=aaf14c4 ]

NIFI-655:
- Refactoring web security to use Spring Security Java Configuration.
- Introducing security in Web UI in order to get JWT.

NIFI-655:
- Setting up the resources (js/css) for the login page.

NIFI-655:
- Adding support for configuring anonymous roles.
- Addressing checkstyle violations.

NIFI-655:
- Moving to token api to web-api.
- Creating a LoginProvider API for user/pass based authentication.
- Creating a module for funneling access to the authorized users.

NIFI-655:
- Moving away from usage of DN to identity throughout the application (from the user db to the authorization provider).
- Updating the authorized users schema to support login users.
- Creating an extension point for authentication of users based on username/password.

NIFI-655:
- Creating an endpoint for returning the identity of the current user.
- Updating the LoginAuthenticationFilter.

NIFI-655:
- Moving NiFi registration to the login page.
- Running the authentication filters in a different order to ensure we can disambiguate each case.
- Starting to layout each case... Forbidden, Login, Create User, Create NiFi Account.

NIFI-655:
- Addressing checkstyle issues.

NIFI-655:
- Making nf-storage available in the login page.
- Requiring use of local storage.
- Ignoring security for GET requests when obtaining the login configuration.

NIFI-655:
- Adding a new endpoint to obtain the status of a user registration.
- Updated the login page loading to ensure all possible states work.

NIFI-655:
- Ensuring we know the necessary state before we attempt to render the login page.
- Building the proxy chain in the JWT authentication filter.
- Only rendering the login when appropriate.

NIFI-655:
- Starting to style the login page.
- Added simple 'login' support by identifying username/password. Issuing JWT token coming...
- Added logout support
- Rendering the username when appropriate.

NIFI-655:
- Extracting certificate validation into a utility class.
- Fixing checkstyle issues.
- Cleaning up the web security context.
- Removing proxy chain checking where possible.

NIFI-655:
- Starting to add support for registration.
- Creating registration form.

NIFI-655:
- Starting to implement the JWT service.
- Parsing JWT on client side in order to render who the user currently is when logged in.

NIFI-655:
- Allowing the user to link back to the log in page from the new account page.
- Renaming DN to identity where possible.

NIFI-655:
- Fixing checkstyle issues.

NIFI-655:
- Adding more/better support for logging out.

NIFI-655:
- Fixing checkstyle issues.

NIFI-655:
- Adding a few new exceptions for the login identity provider.

NIFI-655:
- Disabling log in by default initially.
- Restoring authorization service unit test.

NIFI-655:
- Fixing checkstyle issues.

NIFI-655:
- Updating packages for log in filters.
- Handling new registration exceptions.
- Code clean up.

NIFI-655:
- Removing registration support.
- Removing file based implementation.

NIFI-655:
- Removing file based implementation.

NIFI-655:
- Removing unused spring configuration files.

NIFI-655:
- Making the auto wiring more explicit.

NIFI-655:
- Removing unused dependencies.

NIFI-655:
- Removing unused filter.

NIFI-655:
- Updating the login API authenticate method to use a richer set of exceptions.
- UI code clean.

NIFI-655:
- Ensuring the login identity provider is able to switch context classloaders via the standard NAR mechanisms.

NIFI-655:
- Initial commit of the LDAP based identity providers.
- Fixed issue when attempting to log into a NiFi that does not support new account requests.

NIFI-655:
- Allowing the ldap provider to specify if client authentication is required/desired.

NIFI-655:
- Persisting keys to sign user tokens.
- Allowing the identity provider to specify the token expiration.
- Code clean up.

NIFI-655:
- Ensuring identities are unique in the key table.

NIFI-655:
- Adding support for specifying the user search base and user search filter in the active directory provider.

NIFI-655:
- Fixing checkstyle issues.

NIFI-655:
- Adding automatic client side token renewal.

NIFI-655:
- Ensuring the logout link is rendered when appropriate.

NIFI-655:
- Adding configuration options for referrals and connect/read timeouts

NIFI-655:
- Added an endpoint for access details including configuration, creating tokens, and checking status.
- Updated DTOs and client side to utilize new endpoints.

NIFI-655:
- Refactoring certificate extraction and validation.
- Refactoring how expiration is specified in the login identity providers.
- Adding unit tests for the access endpoints.
- Code clean up.

NIFI-655:
- Keeping token expiration between 1 minute and 12 hours.

NIFI-655:
- Using the user identity provided by the login identity provider.

NIFI-655:
- Fixed typo in error message for unrecognized authentication strategy.

Signed-off-by: Matt Gilman

NIFI-655.
- Added logback-test.xml configuration resource for nifi-web-security.

Signed-off-by: Matt Gilman

NIFI-655.
- Added issuer field to LoginAuthenticationToken.
- Updated AccessResource to pass identity provider class name when creating LoginAuthenticationTokens.
- Began refactoring JWT logic from request parsing logic in JwtService.
- Added unit tests for JWT logic.

Signed-off-by: Matt Gilman

NIFI-655.
- Changed issuer field to use FQ class name because some classes return an empty string for getSimpleName().
- Finished refactoring JWT logic from request parsing logic in JwtService.
- Updated AccessResource and JwtAuthenticationFilter to call new JwtService methods decoupled from request header parsing.
- Added extensive unit tests for JWT logic.

Signed-off-by: Matt Gilman

NIFI-655:
- Refactoring key service to expose the key id.
- Handling client side expiration better.
- Removing specialized active directory provider and abstract ldap provider.

NIFI-655.
- Updated JwtService and JwtServiceTest to use Key POJO instead of raw String key from KeyService.

Signed-off-by: Matt Gilman

NIFI-655:
- Fixing typo when loading the ldap connect timeout.
- Providing a better experience for session expiration.
- Using ellipsis for lengthy user name.
- Adding an issuer to the authentication response so the LIP can specify the appropriate value.

NIFI-655:
- Showing a logging in notification during the log in process.

NIFI-655:
- Removing unnecessary class.

NIFI-655:
- Fixing checkstyle issues.
- Showing the progress spinner while submitting account justification.

NIFI-655:
- Removing deprecated authentication strategy.
- Renaming TLS to START_TLS.
- Allowing the protocol to be configured.

NIFI-655:
- Fixing issue detecting the presence of DN column

NIFI-655:
- Pre-populating the login-identity-providers.xml file with necessary properties and documentation.
- Renaming the Authentication Duration property name.

NIFI-655:
- Updating documentation for the failure response codes.

NIFI-655:
- Ensuring the user identity is not too long.

NIFI-655:
- Updating default authentication expiration to 12 hours.

NIFI-655:
- Remaining on the login form when there is any unsuccessful login attempt.
- Fixing checkstyle issues.

> Provide support for multiple authentication mechanisms
> ------------------------------------------------------
>
>                 Key: NIFI-655
>                 URL: https://issues.apache.org/jira/browse/NIFI-655
>             Project: Apache NiFi
>          Issue Type: New Feature
>          Components: Configuration, Core Framework, Core UI, Documentation & Website
>            Reporter: Mark Payne
>            Assignee: Matt Gilman
>             Fix For: 0.4.0
>
>
> NiFi provides a pluggable authorization mechanism but authentication is done only via browser certificates. We should offer support for multiple authentication mechanisms. A feature proposal has been created [1].
> Important implementations to support include Active Directory, LDAP, and Kerberos.
> [1] https://cwiki.apache.org/confluence/display/NIFI/Pluggable+Authentication

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)