From bbe...@apache.org
Subject nifi-registry git commit: NIFIREG-60 NiFi Proxy Identity Support
Date Fri, 01 Dec 2017 21:43:23 GMT
Repository: nifi-registry
Updated Branches:
  refs/heads/master 81a1a360c -> cc3820990


NIFIREG-60 NiFi Proxy Identity Support

Adds the ability to configure NiFi Identities to act as proxies for
FileAccessPolicyProvider in authorizers.xml

This closes #45.

Signed-off-by: Bryan Bende <bbende@apache.org>


Project: http://git-wip-us.apache.org/repos/asf/nifi-registry/repo
Commit: http://git-wip-us.apache.org/repos/asf/nifi-registry/commit/cc382099
Tree: http://git-wip-us.apache.org/repos/asf/nifi-registry/tree/cc382099
Diff: http://git-wip-us.apache.org/repos/asf/nifi-registry/diff/cc382099

Branch: refs/heads/master
Commit: cc3820990eecc5422f1328ecf17642e2a992944a
Parents: 81a1a36
Author: Kevin Doran <kdoran.apache@gmail.com>
Authored: Wed Nov 29 19:47:50 2017 -0500
Committer: Bryan Bende <bbende@apache.org>
Committed: Fri Dec 1 16:43:04 2017 -0500

----------------------------------------------------------------------
 .../file/FileAccessPolicyProvider.java          | 80 +++++++++++---------
 .../authorization/file/FileAuthorizer.java      |  6 +-
 .../file/FileUserGroupProvider.java             |  4 +-
 .../ldap/tenants/LdapUserGroupProvider.java     |  2 +-
 .../properties/util/IdentityMappingUtil.java    |  2 +-
 .../src/main/resources/conf/authorizers.xml     | 29 +++----
 .../resources/conf/secure-file/authorizers.xml  | 21 +++--
 .../conf/secure-kerberos/authorizers.xml        | 17 ++---
 .../conf/secure-kerberos/identity-providers.xml |  4 +-
 .../resources/conf/secure-ldap/authorizers.xml  | 21 +++--
 .../conf/secure-ldap/identity-providers.xml     |  2 +-
 11 files changed, 97 insertions(+), 91 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/nifi-registry/blob/cc382099/nifi-registry-framework/src/main/java/org/apache/nifi/registry/security/authorization/file/FileAccessPolicyProvider.java
----------------------------------------------------------------------
diff --git a/nifi-registry-framework/src/main/java/org/apache/nifi/registry/security/authorization/file/FileAccessPolicyProvider.java
b/nifi-registry-framework/src/main/java/org/apache/nifi/registry/security/authorization/file/FileAccessPolicyProvider.java
index 2a71c5e..8c3cab2 100644
--- a/nifi-registry-framework/src/main/java/org/apache/nifi/registry/security/authorization/file/FileAccessPolicyProvider.java
+++ b/nifi-registry-framework/src/main/java/org/apache/nifi/registry/security/authorization/file/FileAccessPolicyProvider.java
@@ -34,6 +34,7 @@ import org.apache.nifi.registry.security.authorization.exception.UninheritableAu
 import org.apache.nifi.registry.security.authorization.file.generated.Authorizations;
 import org.apache.nifi.registry.security.authorization.file.generated.Policies;
 import org.apache.nifi.registry.security.authorization.file.generated.Policy;
+import org.apache.nifi.registry.security.authorization.resource.ResourceType;
 import org.apache.nifi.registry.security.exception.SecurityProviderCreationException;
 import org.apache.nifi.registry.security.exception.SecurityProviderDestructionException;
 import org.apache.nifi.registry.util.PropertyValue;
@@ -69,10 +70,13 @@ import java.util.ArrayList;
 import java.util.Collections;
 import java.util.Comparator;
 import java.util.Date;
+import java.util.HashSet;
 import java.util.Iterator;
 import java.util.List;
+import java.util.Map;
 import java.util.Set;
 import java.util.concurrent.atomic.AtomicReference;
+import java.util.regex.Matcher;
 import java.util.regex.Pattern;
 
 public class FileAccessPolicyProvider implements ConfigurableAccessPolicyProvider {
@@ -126,16 +130,17 @@ public class FileAccessPolicyProvider implements ConfigurableAccessPolicyProvide
             new ResourceActionPair("/proxy", WRITE_CODE)
     };
 
-    static final String PROP_NODE_IDENTITY_PREFIX = "Node Identity ";
+    static final String PROP_NIFI_IDENTITY_PREFIX = "NiFi Identity ";
     static final String PROP_USER_GROUP_PROVIDER = "User Group Provider";
     static final String PROP_AUTHORIZATIONS_FILE = "Authorizations File";
     static final String PROP_INITIAL_ADMIN_IDENTITY = "Initial Admin Identity";
-    static final Pattern NODE_IDENTITY_PATTERN = Pattern.compile(PROP_NODE_IDENTITY_PREFIX
+ "\\S+");
+    static final Pattern NIFI_IDENTITY_PATTERN = Pattern.compile(PROP_NIFI_IDENTITY_PREFIX
+ "\\S+");
 
     private Schema authorizationsSchema;
     private NiFiRegistryProperties properties;
     private File authorizationsFile;
     private String initialAdminIdentity;
+    private Set<String> nifiIdentities;
     private List<IdentityMapping> identityMappings;
 
     private UserGroupProvider userGroupProvider;
@@ -179,21 +184,21 @@ public class FileAccessPolicyProvider implements ConfigurableAccessPolicyProvide
                 saveAuthorizations(new Authorizations());
             }
 
-            // extract the identity mappings from nifi.properties if any are provided
+            // extract the identity mappings from nifi-registry.properties if any are provided
             identityMappings = Collections.unmodifiableList(IdentityMappingUtil.getIdentityMappings(properties));
 
             // get the value of the initial admin identity
             final PropertyValue initialAdminIdentityProp = configurationContext.getProperty(PROP_INITIAL_ADMIN_IDENTITY);
             initialAdminIdentity = initialAdminIdentityProp.isSet() ? IdentityMappingUtil.mapIdentity(initialAdminIdentityProp.getValue(),
identityMappings) : null;
 
-//            // extract any node identities
-//            nodeIdentities = new HashSet<>();
-//            for (Map.Entry<String,String> entry : configurationContext.getProperties().entrySet())
{
-//                Matcher matcher = NODE_IDENTITY_PATTERN.matcher(entry.getKey());
-//                if (matcher.matches() && !StringUtils.isBlank(entry.getValue()))
{
-//                    nodeIdentities.add(IdentityMappingUtil.mapIdentity(entry.getValue(),
identityMappings));
-//                }
-//            }
+            // extract any nifi identities
+            nifiIdentities = new HashSet<>();
+            for (Map.Entry<String,String> entry : configurationContext.getProperties().entrySet())
{
+                Matcher matcher = NIFI_IDENTITY_PATTERN.matcher(entry.getKey());
+                if (matcher.matches() && !StringUtils.isBlank(entry.getValue()))
{
+                    nifiIdentities.add(IdentityMappingUtil.mapIdentity(entry.getValue(),
identityMappings));
+                }
+            }
 
             // load the authorizations
             load();
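Review bot: The new `nifiIdentities` field is left as a mutable `HashSet`, while `identityMappings` a few lines above is wrapped with `Collections.unmodifiableList`. This set decides which identities are granted write on `/proxy`, so fill a local set in the loop and assign `nifiIdentities = Collections.unmodifiableSet(identities);` afterwards. A property whose key matches `NIFI_IDENTITY_PATTERN` but whose value is blank is skipped without any message; a `logger.warn` naming the key would make a mistyped proxy identity visible at startup. The enclosing method starts and ends outside the hunk.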
@@ -474,11 +479,20 @@ public class FileAccessPolicyProvider implements ConfigurableAccessPolicyProvide
         final AuthorizationsHolder authorizationsHolder = new AuthorizationsHolder(authorizations);
         final boolean emptyAuthorizations = authorizationsHolder.getAllPolicies().isEmpty();
         final boolean hasInitialAdminIdentity = (initialAdminIdentity != null &&
!StringUtils.isBlank(initialAdminIdentity));
+        final boolean hasNiFiIdentities = (nifiIdentities != null && !nifiIdentities.isEmpty());
 
         // if we are starting fresh then we might need to populate an initial admin
-        if (emptyAuthorizations && hasInitialAdminIdentity) {
-            logger.info("Populating authorizations for Initial Admin: " + initialAdminIdentity);
-            populateInitialAdmin(authorizations);
+        if (emptyAuthorizations) {
+            if (hasInitialAdminIdentity) {
+               logger.info("Populating authorizations for Initial Admin: " + initialAdminIdentity);
+               populateInitialAdmin(authorizations);
+            }
+
+            if (hasNiFiIdentities) {
+                logger.info("Populating proxy authorizations for NiFi clients: [{}]", StringUtils.join(nifiIdentities,
";"));
+                populateNiFiIdentities(authorizations);
+            }
+
             saveAndRefreshHolder(authorizations);
         } else {
             this.authorizationsHolder.set(authorizationsHolder);
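Review bot: The NiFi identities are seeded only inside `if (emptyAuthorizations)`, so a `NiFi Identity` property added after policies exist grants nothing. As far as this hunk shows, removing one also does not revoke the `/proxy` write policy already saved, and neither case is logged. Add a comment above the branch such as `// NiFi identities are seeded only when no policies exist; later edits to authorizers.xml neither grant nor revoke /proxy access`, and consider a `logger.warn` in the `else` branch when `hasNiFiIdentities` is true. The NiFi Identity description in conf/authorizers.xml and its test copies should carry the same "only be used when there are no other policies defined" sentence that Initial Admin Identity has. `saveAndRefreshHolder(authorizations)` now also runs for an empty file when neither identity is configured, which looks like a behaviour change from the removed condition; the method body continues outside the hunk.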
@@ -516,28 +530,22 @@ public class FileAccessPolicyProvider implements ConfigurableAccessPolicyProvide
         }
     }
 
-//    /**
-//     * Creates a user for each node and gives the nodes write permission to /proxy.
-//     *
-//     * @param authorizations the overall authorizations
-//     */
-//    private void populateNodes(Authorizations authorizations) {
-//        for (String nodeIdentity : nodeIdentities) {
-//            final User node = userGroupProvider.getUserByIdentity(nodeIdentity);
-//            if (node == null) {
-//                throw new AuthorizerCreationException("Unable to locate node " + nodeIdentity
+ " to seed policies.");
-//            }
-//
-//            // grant access to the proxy resource
-//            addUserToAccessPolicy(authorizations, ResourceType.Proxy.getValue(), node.getIdentifier(),
WRITE_CODE);
-//
-//            // grant the user read/write access data of the root group
-//            if (rootGroupId != null) {
-//                addUserToAccessPolicy(authorizations, ResourceType.Data.getValue() + ResourceType.ProcessGroup.getValue()
+ "/" + rootGroupId, node.getIdentifier(), READ_CODE);
-//                addUserToAccessPolicy(authorizations, ResourceType.Data.getValue() + ResourceType.ProcessGroup.getValue()
+ "/" + rootGroupId, node.getIdentifier(), WRITE_CODE);
-//            }
-//        }
-//    }
+    /**
+     * Creates a user for each NiFi client and gives each one write permission to /proxy.
+     *
+     * @param authorizations the overall authorizations
+     */
+    private void populateNiFiIdentities(Authorizations authorizations) {
+        for (String nifiIdentity : nifiIdentities) {
+            final User node = userGroupProvider.getUserByIdentity(nifiIdentity);
+            if (node == null) {
+                throw new SecurityProviderCreationException("Unable to locate node " + nifiIdentity
+ " to seed policies.");
+            }
+
+            // grant access to the proxy resource
+            addUserToAccessPolicy(authorizations, ResourceType.Proxy.getValue(), node.getIdentifier(),
WRITE_CODE);
+        }
+    }
 
 
     /**
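Review bot: The Javadoc on `populateNiFiIdentities` says it "Creates a user for each NiFi client", but the body only looks the user up with `userGroupProvider.getUserByIdentity` and throws when it is missing. Reword it along the lines of `Grants each configured NiFi identity write permission to /proxy; the identity must already exist in the User Group Provider.` and add `@throws SecurityProviderCreationException if an identity cannot be found`. The local `node` and the message "Unable to locate node ..." are leftovers from the commented-out cluster-node code. Using `nifiUser` and `"Unable to locate NiFi identity " + nifiIdentity + " in the User Group Provider to seed policies."` would tell an operator what to fix. Since write on `/proxy` lets the holder act on behalf of end users, the Javadoc should say that explicitly.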

http://git-wip-us.apache.org/repos/asf/nifi-registry/blob/cc382099/nifi-registry-framework/src/main/java/org/apache/nifi/registry/security/authorization/file/FileAuthorizer.java
----------------------------------------------------------------------
diff --git a/nifi-registry-framework/src/main/java/org/apache/nifi/registry/security/authorization/file/FileAuthorizer.java
b/nifi-registry-framework/src/main/java/org/apache/nifi/registry/security/authorization/file/FileAuthorizer.java
index 1fe7f45..ad59eb6 100644
--- a/nifi-registry-framework/src/main/java/org/apache/nifi/registry/security/authorization/file/FileAuthorizer.java
+++ b/nifi-registry-framework/src/main/java/org/apache/nifi/registry/security/authorization/file/FileAuthorizer.java
@@ -122,12 +122,12 @@ public class FileAuthorizer extends AbstractPolicyBasedAuthorizer {
             accessPolicyProperties.put(FileAuthorizer.PROP_LEGACY_AUTHORIZED_USERS_FILE,
configurationProperties.get(FileAuthorizer.PROP_LEGACY_AUTHORIZED_USERS_FILE));
         }
 
-        // ensure all node identities are seeded into the user provider
+        // ensure all nifi identities are seeded into the user provider
         configurationProperties.forEach((property, value) -> {
-            final Matcher matcher = FileAccessPolicyProvider.NODE_IDENTITY_PATTERN.matcher(property);
+            final Matcher matcher = FileAccessPolicyProvider.NIFI_IDENTITY_PATTERN.matcher(property);
             if (matcher.matches()) {
                 accessPolicyProperties.put(property, value);
-                userGroupProperties.put(property.replace(FileAccessPolicyProvider.PROP_NODE_IDENTITY_PREFIX,
FileUserGroupProvider.PROP_INITIAL_USER_IDENTITY_PREFIX), value);
+                userGroupProperties.put(property.replace(FileAccessPolicyProvider.PROP_NIFI_IDENTITY_PREFIX,
FileUserGroupProvider.PROP_INITIAL_USER_IDENTITY_PREFIX), value);
             }
         });
 

http://git-wip-us.apache.org/repos/asf/nifi-registry/blob/cc382099/nifi-registry-framework/src/main/java/org/apache/nifi/registry/security/authorization/file/FileUserGroupProvider.java
----------------------------------------------------------------------
diff --git a/nifi-registry-framework/src/main/java/org/apache/nifi/registry/security/authorization/file/FileUserGroupProvider.java
b/nifi-registry-framework/src/main/java/org/apache/nifi/registry/security/authorization/file/FileUserGroupProvider.java
index b15e599..e12816a 100644
--- a/nifi-registry-framework/src/main/java/org/apache/nifi/registry/security/authorization/file/FileUserGroupProvider.java
+++ b/nifi-registry-framework/src/main/java/org/apache/nifi/registry/security/authorization/file/FileUserGroupProvider.java
@@ -150,10 +150,10 @@ public class FileUserGroupProvider implements ConfigurableUserGroupProvider
{
 
             final File tenantsFileDirectory = tenantsFile.getAbsoluteFile().getParentFile();
 
-            // extract the identity mappings from nifi.properties if any are provided
+            // extract the identity mappings from nifi-registry.properties if any are provided
             identityMappings = Collections.unmodifiableList(IdentityMappingUtil.getIdentityMappings(properties));
 
-            // extract any node identities
+            // extract any nifi identities
             initialUserIdentities = new HashSet<>();
             for (Map.Entry<String,String> entry : configurationContext.getProperties().entrySet())
{
                 Matcher matcher = INITIAL_USER_IDENTITY_PATTERN.matcher(entry.getKey());

http://git-wip-us.apache.org/repos/asf/nifi-registry/blob/cc382099/nifi-registry-framework/src/main/java/org/apache/nifi/registry/security/ldap/tenants/LdapUserGroupProvider.java
----------------------------------------------------------------------
diff --git a/nifi-registry-framework/src/main/java/org/apache/nifi/registry/security/ldap/tenants/LdapUserGroupProvider.java
b/nifi-registry-framework/src/main/java/org/apache/nifi/registry/security/ldap/tenants/LdapUserGroupProvider.java
index f04fdcc..976d575 100644
--- a/nifi-registry-framework/src/main/java/org/apache/nifi/registry/security/ldap/tenants/LdapUserGroupProvider.java
+++ b/nifi-registry-framework/src/main/java/org/apache/nifi/registry/security/ldap/tenants/LdapUserGroupProvider.java
@@ -331,7 +331,7 @@ public class LdapUserGroupProvider implements UserGroupProvider {
             pageSize = rawPageSize.asInteger();
         }
 
-        // extract the identity mappings from nifi.properties if any are provided
+        // extract the identity mappings from nifi-registry.properties if any are provided
         identityMappings = Collections.unmodifiableList(IdentityMappingUtil.getIdentityMappings(properties));
 
         // set the base environment is necessary

http://git-wip-us.apache.org/repos/asf/nifi-registry/blob/cc382099/nifi-registry-properties/src/main/java/org/apache/nifi/registry/properties/util/IdentityMappingUtil.java
----------------------------------------------------------------------
diff --git a/nifi-registry-properties/src/main/java/org/apache/nifi/registry/properties/util/IdentityMappingUtil.java
b/nifi-registry-properties/src/main/java/org/apache/nifi/registry/properties/util/IdentityMappingUtil.java
index fcd827b..3c9208c 100644
--- a/nifi-registry-properties/src/main/java/org/apache/nifi/registry/properties/util/IdentityMappingUtil.java
+++ b/nifi-registry-properties/src/main/java/org/apache/nifi/registry/properties/util/IdentityMappingUtil.java
@@ -70,7 +70,7 @@ public class IdentityMappingUtil {
             }
         }
 
-        // sort the list by the key so users can control the ordering in nifi.properties
+        // sort the list by the key so users can control the ordering in nifi-registry.properties
         Collections.sort(mappings, new Comparator<IdentityMapping>() {
             @Override
             public int compare(IdentityMapping m1, IdentityMapping m2) {

http://git-wip-us.apache.org/repos/asf/nifi-registry/blob/cc382099/nifi-registry-resources/src/main/resources/conf/authorizers.xml
----------------------------------------------------------------------
diff --git a/nifi-registry-resources/src/main/resources/conf/authorizers.xml b/nifi-registry-resources/src/main/resources/conf/authorizers.xml
index c3cad80..c879d28 100644
--- a/nifi-registry-resources/src/main/resources/conf/authorizers.xml
+++ b/nifi-registry-resources/src/main/resources/conf/authorizers.xml
@@ -15,7 +15,7 @@
 -->
 <!--
     This file lists the userGroupProviders, accessPolicyProviders, and authorizers to use
when running securely. In order
-    to use a specific authorizer it must be configured here and its identifier must be specified
in the nifi.properties file.
+    to use a specific authorizer it must be configured here and its identifier must be specified
in the nifi-registry.properties file.
     If the authorizer is a managedAuthorizer, it may need to be configured with an accessPolicyProvider
and an userGroupProvider.
     This file allows for configuration of them, but they must be configured in order:
 
@@ -37,7 +37,7 @@
             each property must be unique, for example: "Initial User Identity A", "Initial
User Identity B",
             "Initial User Identity C" or "Initial User Identity 1", "Initial User Identity
2", "Initial User Identity 3"
 
-            NOTE: Any identity mapping rules specified in nifi.properties will also be applied
to the user identities,
+            NOTE: Any identity mapping rules specified in nifi-registry.properties will also
be applied to the user identities,
             so the values should be the unmapped identities (i.e. full DN from a certificate).
     -->
     <userGroupProvider>
@@ -101,7 +101,7 @@
             group membership will not be calculated through the groups. Will rely on group
member being defined
             through 'User Group Name Attribute' if set.
 
-        NOTE: Any identity mapping rules specified in nifi.properties will also be applied
to the user identities.
+        NOTE: Any identity mapping rules specified in nifi-registry.properties will also
be applied to the user identities.
             Group names are not mapped.
     -->
     <!-- To enable the ldap-user-group-provider remove 2 lines. This is 1 of 2.
@@ -154,8 +154,8 @@
             each property must be unique, for example: "User Group Provider A", "User Group
Provider B",
             "User Group Provider C" or "User Group Provider 1", "User Group Provider 2",
"User Group Provider 3"
 
-            NOTE: Any identity mapping rules specified in nifi.properties are not applied
in this implementation. This behavior
-            would need to be applied by the base implementation.
+            NOTE: Any identity mapping rules specified in nifi-registry.properties are not
applied in this implementation. This
+            behavior would need to be applied by the base implementation.
     -->
     <!-- To enable the composite-user-group-provider remove 2 lines. This is 1 of 2.
     <userGroupProvider>
@@ -176,8 +176,8 @@
             each property must be unique, for example: "User Group Provider A", "User Group
Provider B",
             "User Group Provider C" or "User Group Provider 1", "User Group Provider 2",
"User Group Provider 3"
 
-            NOTE: Any identity mapping rules specified in nifi.properties are not applied
in this implementation. This behavior
-            would need to be applied by the base implementation.
+            NOTE: Any identity mapping rules specified in nifi-registry.properties are not
applied in this implementation. This
+            behavior would need to be applied by the base implementation.
     -->
     <!-- To enable the composite-configurable-user-group-provider remove 2 lines. This
is 1 of 2.
     <userGroupProvider>
@@ -202,15 +202,16 @@
             a DN when using certificates or LDAP. This property will only be used when there
             are no other policies defined.
 
-            NOTE: Any identity mapping rules specified in nifi.properties will also be applied
to the initial admin identity,
+            NOTE: Any identity mapping rules specified in nifi-registry.properties will also
be applied to the initial admin identity,
             so the value should be the unmapped identity. This identity must be found in
the configured User Group Provider.
 
-        - Node Identity [unique key] - The identity of a NiFi cluster node. When clustered,
a property for each node
-            should be defined, so that every node knows about every other node. If not clustered
these properties can be ignored.
-            The name of each property must be unique, for example for a three node cluster:
-            "Node Identity A", "Node Identity B", "Node Identity C" or "Node Identity 1",
"Node Identity 2", "Node Identity 3"
+        - NiFi Identity [unique key] - The identity of a NiFi node that will have access
to this NiFi Registry and will be able
+            to act as a proxy on behalf of a NiFi Registry end user. A property should be
created for the identity of every NiFi
+            node that needs to access this NiFi Registry. The name of each property must
be unique, for example for three
+            NiFi clients:
+            "NiFi Identity A", "NiFi Identity B", "NiFi Identity C" or "NiFi Identity 1",
"NiFi Identity 2", "NiFi Identity 3"
 
-            NOTE: Any identity mapping rules specified in nifi.properties will also be applied
to the node identities,
+            NOTE: Any identity mapping rules specified in nifi-registry.properties will also
be applied to the nifi identities,
             so the values should be the unmapped identities (i.e. full DN from a certificate).
This identity must be found
             in the configured User Group Provider.
     -->
@@ -221,7 +222,7 @@
         <property name="Authorizations File">./conf/authorizations.xml</property>
         <property name="Initial Admin Identity"><!-- CN=abc, OU=xyz --></property>
 
-        <!--<property name="Node Identity 1"></property>-->
+        <!--<property name="NiFi Identity 1"></property>-->
     </accessPolicyProvider>
 
     <!--

http://git-wip-us.apache.org/repos/asf/nifi-registry/blob/cc382099/nifi-registry-web-api/src/test/resources/conf/secure-file/authorizers.xml
----------------------------------------------------------------------
diff --git a/nifi-registry-web-api/src/test/resources/conf/secure-file/authorizers.xml b/nifi-registry-web-api/src/test/resources/conf/secure-file/authorizers.xml
index 1f92793..e20a22d 100644
--- a/nifi-registry-web-api/src/test/resources/conf/secure-file/authorizers.xml
+++ b/nifi-registry-web-api/src/test/resources/conf/secure-file/authorizers.xml
@@ -17,7 +17,7 @@
   -->
 <!--
     This file lists the userGroupProviders, accessPolicyProviders, and authorizers to use
when running securely. In order
-    to use a specific authorizer it must be configured here and its identifier must be specified
in the nifi.properties file.
+    to use a specific authorizer it must be configured here and its identifier must be specified
in the nifi-registry.properties file.
     If the authorizer is a managedAuthorizer, it may need to be configured with an accessPolicyProvider
and an userGroupProvider.
     This file allows for configuration of them, but they must be configured in order:
 
@@ -39,7 +39,7 @@
             each property must be unique, for example: "Initial User Identity A", "Initial
User Identity B",
             "Initial User Identity C" or "Initial User Identity 1", "Initial User Identity
2", "Initial User Identity 3"
 
-            NOTE: Any identity mapping rules specified in nifi.properties will also be applied
to the user identities,
+            NOTE: Any identity mapping rules specified in nifi-registry.properties will also
be applied to the user identities,
             so the values should be the unmapped identities (i.e. full DN from a certificate).
     -->
     <userGroupProvider>
@@ -56,7 +56,7 @@
             each property must be unique, for example: "User Group Provider A", "User Group
Provider B",
             "User Group Provider C" or "User Group Provider 1", "User Group Provider 2",
"User Group Provider 3"
 
-            NOTE: Any identity mapping rules specified in nifi.properties are not applied
in this implementation. This behavior
+            NOTE: Any identity mapping rules specified in nifi-registry.properties are not
applied in this implementation. This behavior
             would need to be applied by the base implementation.
     -->
     <!-- To enable the composite-user-group-provider remove 2 lines. This is 1 of 2.
@@ -78,7 +78,7 @@
             each property must be unique, for example: "User Group Provider A", "User Group
Provider B",
             "User Group Provider C" or "User Group Provider 1", "User Group Provider 2",
"User Group Provider 3"
 
-            NOTE: Any identity mapping rules specified in nifi.properties are not applied
in this implementation. This behavior
+            NOTE: Any identity mapping rules specified in nifi-registry.properties are not
applied in this implementation. This behavior
             would need to be applied by the base implementation.
     -->
     <!-- To enable the composite-configurable-user-group-provider remove 2 lines. This
is 1 of 2.
@@ -104,15 +104,14 @@
             a DN when using certificates or LDAP. This property will only be used when there
             are no other policies defined.
 
-            NOTE: Any identity mapping rules specified in nifi.properties will also be applied
to the initial admin identity,
+            NOTE: Any identity mapping rules specified in nifi-registry.properties will also
be applied to the initial admin identity,
             so the value should be the unmapped identity. This identity must be found in
the configured User Group Provider.
 
-        - Node Identity [unique key] - The identity of a NiFi cluster node. When clustered,
a property for each node
-            should be defined, so that every node knows about every other node. If not clustered
these properties can be ignored.
-            The name of each property must be unique, for example for a three node cluster:
-            "Node Identity A", "Node Identity B", "Node Identity C" or "Node Identity 1",
"Node Identity 2", "Node Identity 3"
+        - NiFi Identity [unique key] - The identity of a NiFi node that will have access
to this NiFi Registry and will be able
+            to act as a proxy on behalf of a NiFi Registry end user. A property should be
created for the identity of every NiFi
+            node that needs to access this NiFi Registry.
 
-            NOTE: Any identity mapping rules specified in nifi.properties will also be applied
to the node identities,
+            NOTE: Any identity mapping rules specified in nifi-registry.properties will also
be applied to the nifi identities,
             so the values should be the unmapped identities (i.e. full DN from a certificate).
This identity must be found
             in the configured User Group Provider.
     -->
@@ -123,7 +122,7 @@
         <property name="Authorizations File">./target/test-classes/conf/secure-file/authorizations.xml</property>
         <property name="Initial Admin Identity">CN=user1, OU=nifi</property>
 
-        <!--<property name="Node Identity 1"></property>-->
+        <!--<property name="NiFi Identity 1"></property>-->
     </accessPolicyProvider>
 
     <!--

http://git-wip-us.apache.org/repos/asf/nifi-registry/blob/cc382099/nifi-registry-web-api/src/test/resources/conf/secure-kerberos/authorizers.xml
----------------------------------------------------------------------
diff --git a/nifi-registry-web-api/src/test/resources/conf/secure-kerberos/authorizers.xml
b/nifi-registry-web-api/src/test/resources/conf/secure-kerberos/authorizers.xml
index 6b42fa2..d548696 100644
--- a/nifi-registry-web-api/src/test/resources/conf/secure-kerberos/authorizers.xml
+++ b/nifi-registry-web-api/src/test/resources/conf/secure-kerberos/authorizers.xml
@@ -17,7 +17,7 @@
   -->
 <!--
     This file lists the userGroupProviders, accessPolicyProviders, and authorizers to use
when running securely. In order
-    to use a specific authorizer it must be configured here and its identifier must be specified
in the nifi.properties file.
+    to use a specific authorizer it must be configured here and its identifier must be specified
in the nifi-registry.properties file.
     If the authorizer is a managedAuthorizer, it may need to be configured with an accessPolicyProvider
and an userGroupProvider.
     This file allows for configuration of them, but they must be configured in order:
 
@@ -39,7 +39,7 @@
             each property must be unique, for example: "Initial User Identity A", "Initial
User Identity B",
             "Initial User Identity C" or "Initial User Identity 1", "Initial User Identity
2", "Initial User Identity 3"
 
-            NOTE: Any identity mapping rules specified in nifi.properties will also be applied
to the user identities,
+            NOTE: Any identity mapping rules specified in nifi-registry.properties will also
be applied to the user identities,
             so the values should be the unmapped identities (i.e. full DN from a certificate).
     -->
     <userGroupProvider>
@@ -63,15 +63,14 @@
             a DN when using certificates or LDAP. This property will only be used when there
             are no other policies defined.
 
-            NOTE: Any identity mapping rules specified in nifi.properties will also be applied
to the initial admin identity,
+            NOTE: Any identity mapping rules specified in nifi-registry.properties will also
be applied to the initial admin identity,
             so the value should be the unmapped identity. This identity must be found in
the configured User Group Provider.
 
-        - Node Identity [unique key] - The identity of a NiFi cluster node. When clustered,
a property for each node
-            should be defined, so that every node knows about every other node. If not clustered
these properties can be ignored.
-            The name of each property must be unique, for example for a three node cluster:
-            "Node Identity A", "Node Identity B", "Node Identity C" or "Node Identity 1",
"Node Identity 2", "Node Identity 3"
+        - NiFi Identity [unique key] - The identity of a NiFi node that will have access
to this NiFi Registry and will be able
+            to act as a proxy on behalf of a NiFi Registry end user. A property should be
created for the identity of every NiFi
+            node that needs to access this NiFi Registry.
 
-            NOTE: Any identity mapping rules specified in nifi.properties will also be applied
to the node identities,
+            NOTE: Any identity mapping rules specified in nifi-registry.properties will also
be applied to the nifi identities,
             so the values should be the unmapped identities (i.e. full DN from a certificate).
This identity must be found
             in the configured User Group Provider.
     -->
@@ -82,7 +81,7 @@
         <property name="Authorizations File">./target/test-classes/conf/secure-kerberos/authorizations.xml</property>
         <property name="Initial Admin Identity">kerberosUser@LOCALHOST</property>
 
-        <!--<property name="Node Identity 1"></property>-->
+        <!--<property name="NiFi Identity 1"></property>-->
     </accessPolicyProvider>
 
     <!--

http://git-wip-us.apache.org/repos/asf/nifi-registry/blob/cc382099/nifi-registry-web-api/src/test/resources/conf/secure-kerberos/identity-providers.xml
----------------------------------------------------------------------
diff --git a/nifi-registry-web-api/src/test/resources/conf/secure-kerberos/identity-providers.xml
b/nifi-registry-web-api/src/test/resources/conf/secure-kerberos/identity-providers.xml
index 85f1957..cd101ea 100644
--- a/nifi-registry-web-api/src/test/resources/conf/secure-kerberos/identity-providers.xml
+++ b/nifi-registry-web-api/src/test/resources/conf/secure-kerberos/identity-providers.xml
@@ -17,8 +17,8 @@
   -->
 <!--
     This file lists the login identity providers to use when running securely. In order
-    to use a specific provider it must be configured here and it's identifier
-    must be specified in the nifi.properties file.
+    to use a specific provider it must be configured here and its identifier
+    must be specified in the nifi-registry.properties file.
 -->
 <identityProviders>
 

http://git-wip-us.apache.org/repos/asf/nifi-registry/blob/cc382099/nifi-registry-web-api/src/test/resources/conf/secure-ldap/authorizers.xml
----------------------------------------------------------------------
diff --git a/nifi-registry-web-api/src/test/resources/conf/secure-ldap/authorizers.xml b/nifi-registry-web-api/src/test/resources/conf/secure-ldap/authorizers.xml
index ca472cc..0a7fd4d 100644
--- a/nifi-registry-web-api/src/test/resources/conf/secure-ldap/authorizers.xml
+++ b/nifi-registry-web-api/src/test/resources/conf/secure-ldap/authorizers.xml
@@ -17,7 +17,7 @@
   -->
 <!--
     This file lists the userGroupProviders, accessPolicyProviders, and authorizers to use
when running securely. In order
-    to use a specific authorizer it must be configured here and its identifier must be specified
in the nifi.properties file.
+    to use a specific authorizer it must be configured here and its identifier must be specified
in the nifi-registry.properties file.
     If the authorizer is a managedAuthorizer, it may need to be configured with an accessPolicyProvider
and an userGroupProvider.
     This file allows for configuration of them, but they must be configured in order:
 
@@ -39,7 +39,7 @@
             each property must be unique, for example: "Initial User Identity A", "Initial
User Identity B",
             "Initial User Identity C" or "Initial User Identity 1", "Initial User Identity
2", "Initial User Identity 3"
 
-            NOTE: Any identity mapping rules specified in nifi.properties will also be applied
to the user identities,
+            NOTE: Any identity mapping rules specified in nifi-registry.properties will also
be applied to the user identities,
             so the values should be the unmapped identities (i.e. full DN from a certificate).
     -->
     <!-- To enable the file-user-group-provider remove 2 lines. This is 1 of 2.
@@ -105,7 +105,7 @@
             group membership will not be calculated through the groups. Will rely on group
member being defined
             through 'User Group Name Attribute' if set.
 
-        NOTE: Any identity mapping rules specified in nifi.properties will also be applied
to the user identities.
+        NOTE: Any identity mapping rules specified in nifi-registry.properties will also
be applied to the user identities.
             Group names are not mapped.
     -->
     <userGroupProvider>
@@ -158,7 +158,7 @@
             each property must be unique, for example: "User Group Provider A", "User Group
Provider B",
             "User Group Provider C" or "User Group Provider 1", "User Group Provider 2",
"User Group Provider 3"
 
-            NOTE: Any identity mapping rules specified in nifi.properties are not applied
in this implementation. This behavior
+            NOTE: Any identity mapping rules specified in nifi-registry.properties are not
applied in this implementation. This behavior
             would need to be applied by the base implementation.
     -->
     <!-- To enable the composite-user-group-provider remove 2 lines. This is 1 of 2.
@@ -180,7 +180,7 @@
             each property must be unique, for example: "User Group Provider A", "User Group
Provider B",
             "User Group Provider C" or "User Group Provider 1", "User Group Provider 2",
"User Group Provider 3"
 
-            NOTE: Any identity mapping rules specified in nifi.properties are not applied
in this implementation. This behavior
+            NOTE: Any identity mapping rules specified in nifi-registry.properties are not
applied in this implementation. This behavior
             would need to be applied by the base implementation.
     -->
     <!-- To enable the composite-configurable-user-group-provider remove 2 lines. This
is 1 of 2.
@@ -206,15 +206,14 @@
             a DN when using certificates or LDAP. This property will only be used when there
             are no other policies defined.
 
-            NOTE: Any identity mapping rules specified in nifi.properties will also be applied
to the initial admin identity,
+            NOTE: Any identity mapping rules specified in nifi-registry.properties will also
be applied to the initial admin identity,
             so the value should be the unmapped identity. This identity must be found in
the configured User Group Provider.
 
-        - Node Identity [unique key] - The identity of a NiFi cluster node. When clustered,
a property for each node
-            should be defined, so that every node knows about every other node. If not clustered
these properties can be ignored.
-            The name of each property must be unique, for example for a three node cluster:
-            "Node Identity A", "Node Identity B", "Node Identity C" or "Node Identity 1",
"Node Identity 2", "Node Identity 3"
+        - NiFi Identity [unique key] - The identity of a NiFi node that will have access
to this NiFi Registry and will be able
+            to act as a proxy on behalf of a NiFi Registry end user. A property should be
created for the identity of every NiFi
+            node that needs to access this NiFi Registry.
 
-            NOTE: Any identity mapping rules specified in nifi.properties will also be applied
to the node identities,
+            NOTE: Any identity mapping rules specified in nifi-registry.properties will also
be applied to the nifi identities,
             so the values should be the unmapped identities (i.e. full DN from a certificate).
This identity must be found
             in the configured User Group Provider.
     -->
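Review bot: The new `NiFi Identity` description in this comment block says the identity can act as a proxy for a Registry end user, but it does not tell the operator what that trust implies. A listed identity is allowed to state which end user a request is for, so the list should hold only NiFi nodes the operator controls. I would add a line such as `Only list identities of trusted NiFi nodes; a proxy is trusted to name the end user it is acting for.` The policies actually granted to these identities are set in FileAccessPolicyProvider.java, which is outside this hunk, so the wording should be checked against that code. The same description is added in the secure-kerberos authorizers.xml hunk earlier in the commit.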

http://git-wip-us.apache.org/repos/asf/nifi-registry/blob/cc382099/nifi-registry-web-api/src/test/resources/conf/secure-ldap/identity-providers.xml
----------------------------------------------------------------------
diff --git a/nifi-registry-web-api/src/test/resources/conf/secure-ldap/identity-providers.xml
b/nifi-registry-web-api/src/test/resources/conf/secure-ldap/identity-providers.xml
index 280a975..90c7777 100644
--- a/nifi-registry-web-api/src/test/resources/conf/secure-ldap/identity-providers.xml
+++ b/nifi-registry-web-api/src/test/resources/conf/secure-ldap/identity-providers.xml
@@ -18,7 +18,7 @@
 <!--
     This file lists the login identity providers to use when running securely. In order
     to use a specific provider it must be configured here and it's identifier
-    must be specified in the nifi.properties file.
+    must be specified in the nifi-registry.properties file.
 -->
 <identityProviders>
     <!--
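Review bot: The context line `to use a specific provider it must be configured here and it's identifier` still carries the `it's` typo in this file. The matching comment in secure-kerberos/identity-providers.xml was corrected to `its identifier` in this same commit. Changing this line to `to use a specific provider it must be configured here and its identifier` would keep the two test configurations consistent.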

