nifi-issues mailing list archives

From GitBox <...@apache.org>
Subject [GitHub] [nifi] mcgilman commented on issue #3602: NIFI-5839 Applied identity mapping to user lookups and group members
Date Fri, 16 Aug 2019 21:22:55 GMT
mcgilman commented on issue #3602: NIFI-5839 Applied identity mapping to user lookups and group
members
URL: https://github.com/apache/nifi/pull/3602#issuecomment-522155731
 
 
   @dtmo Thanks for creating this PR! I recently ran into the same problem and was going to
post a PR (it's not quite ready yet) with a slightly different solution when I came across
this. I took a slightly different approach and wanted to discuss here.
   
   While we could leverage the user/group mappings to transform the values for this use case
within the `LdapUserGroupProvider`, the mappings are meant to be applied to the identities
and names that come out of a given (any) provider and the identity of the user upon authentication.
The comparison happening in this scenario is happening within the `LdapUserGroupProvider`
only. The value that associates a user with a group and/or a group with a user comes from
an attribute in the group or user respectively. The directory server will not be performing
any mappings to associate these two entries. The reason why this is problematic today is that
the directory servers may or may not enforce case.
   
   I would like to suggest that we do not use the mappings to transform the values to support
this scenario. If a user did not care to map the user identities or group names, but they did
have this problem, they would need to create mapping entries in `nifi.properties` just to
support their `LdapUserGroupProvider` configuration. This could potentially affect other providers
(if configured to possibly use a composite provider) and when users authenticate. I would
like to consider introducing a new property for the `LdapUserGroupProvider` that can conditionally
set whether group membership decisions are case sensitive or not. This should hopefully lessen
the already confusing configuration and limit the potential effects of this change.
   
   I should have a PR ready for consideration soon. When I do, I'll link it here. Thanks.

----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
users@infra.apache.org


With regards,
Apache Git Services
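
The comparison discussed in the comment above, as an added example that is not part of the original message and is not NiFi code: a group's member attribute is matched against user DNs with case either enforced or ignored. The class, the method names and the `enforceCase` flag are hypothetical, and the directory entries are constructed sample data.

```java
import java.util.*;

// Added illustration only; every name here is hypothetical, not a NiFi API.
public class GroupMembershipCaseDemo {

    // Build the comparison key. Folding uses Locale.ROOT so the result does
    // not depend on the JVM default locale (e.g. Turkish dotless i).
    static String key(String value, boolean enforceCase) {
        String trimmed = value.trim();
        return enforceCase ? trimmed : trimmed.toLowerCase(Locale.ROOT);
    }

    // userDns: DNs returned by the user search.
    // groupMembers: group name -> values of the group's member attribute.
    static Map<String, Set<String>> resolve(List<String> userDns,
                                            Map<String, List<String>> groupMembers,
                                            boolean enforceCase) {
        Map<String, String> byKey = new HashMap<>();
        for (String dn : userDns) {
            String previous = byKey.put(key(dn, enforceCase), dn);
            if (previous != null) {
                // Two users that differ only by case would silently share
                // group memberships once case is ignored, so fail loudly.
                throw new IllegalStateException("Ambiguous users: " + previous + " / " + dn);
            }
        }
        Map<String, Set<String>> result = new TreeMap<>();
        for (Map.Entry<String, List<String>> group : groupMembers.entrySet()) {
            Set<String> matched = new TreeSet<>();
            for (String member : group.getValue()) {
                String dn = byKey.get(key(member, enforceCase));
                if (dn != null) matched.add(dn);
            }
            result.put(group.getKey(), matched);
        }
        return result;
    }

    public static void main(String[] args) {
        // Constructed sample: the admins entry stores the member DN in different case.
        List<String> users = List.of("cn=alice,ou=users,dc=example,dc=org",
                                     "cn=bob,ou=users,dc=example,dc=org");
        Map<String, List<String>> groups = Map.of(
                "admins", List.of("CN=Alice,OU=Users,DC=example,DC=org"),
                "ops", List.of("cn=bob,ou=users,dc=example,dc=org"));
        System.out.println("case enforced: " + resolve(users, groups, true));
        System.out.println("case ignored:  " + resolve(users, groups, false));
    }
}
```

With case enforced, the constructed `admins` group resolves to no members, so any policy granted through that group would not apply to alice; with case ignored, the membership is found.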
