nifi-issues mailing list archives

From "Nathan Gough (Jira)" <j...@apache.org>
Subject [jira] [Comment Edited] (NIFI-7870) Fix anonymous access control for advanced UI resources
Date Wed, 21 Oct 2020 17:36:00 GMT

    [ https://issues.apache.org/jira/browse/NIFI-7870?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17205871#comment-17205871 ]

Nathan Gough edited comment on NIFI-7870 at 10/21/20, 5:35 PM:
---------------------------------------------------------------

Sounds like this may be more complicated than first anticipated. Upon investigation, it appears
that the advanced UI static assets are not accessible due to another change in -NIFI-7170- which
was intended to disable anonymous access to API endpoints. This was not intended to block
access to static assets.--

When using LDAP, OIDC and perhaps other authentication mechanisms other than X509, an 'HTTP
401 Unauthorized' is returned for advanced UI static assets, which results in the Content-Type
being returned as 'text/plain' (an error message) instead of the expected 'application/javascript'
Content-Type. The server will show:
{code:java}
2020-10-01 19:30:38,159 INFO [NiFi Web Server-19] o.a.n.w.s.NiFiAuthenticationFilter Attempting
request for (<anonymous>) GET https://localhost:8443/nifi-jolt-transform-json-ui-1.12.1/app/transformjson/transformjson.service.js
(source ip: 172.17.0.1)
2020-10-01 19:30:38,159 WARN [NiFi Web Server-19] o.a.n.w.s.NiFiAuthenticationFilter Rejecting
access to web api: Anonymous authentication has not been configured.{code}
 

This is because the NiFi UI does not include the JWT for requests to static assets, but authentication
is being checked as anonymous authentication is now disabled by default. So, a 401 is returned.

The current workaround is to enable anonymous authentication, which will allow access to static
assets for advanced UIs (JavaScript etc.):
 nifi.security.allow.anonymous.authentication=true

A fix for this will likely involve a combination of explicitly allowing access to advanced
UI static assets for UIs bundled with NiFi, and for external custom UIs, anonymous authentication
will need to be enabled.

We expect that this will be a temporary change, with the long term goal of refactoring/redesigning
some of these security features in a future release/a NiFi 2.0 release.

Also related is NIFI-7849


was (Author: thenatog):
Sounds like this may be more complicated than first anticipated. Upon investigation, it appears
that the advanced UI static assets are not accessible due to another change in -NIFI-7170- which
was intended to disable anonymous access to API endpoints. This was not intended to block
access to static assets.--

When using LDAP, OIDC and perhaps other authentication mechanisms other than X509, an 'HTTP
401 Unauthorized' is returned for advanced UI static assets, which results in the Content-Type
being returned as 'text/plain' (an error message) instead of the expected 'application/javascript'
Content-Type. The server will show:


{code:java}
2020-10-01 19:30:38,159 INFO [NiFi Web Server-19] o.a.n.w.s.NiFiAuthenticationFilter Attempting
request for (<anonymous>) GET https://localhost:8443/nifi-jolt-transform-json-ui-1.12.1/app/transformjson/transformjson.service.js
(source ip: 172.17.0.1)
2020-10-01 19:30:38,159 WARN [NiFi Web Server-19] o.a.n.w.s.NiFiAuthenticationFilter Rejecting
access to web api: Anonymous authentication has not been configured.{code}
 

This is because the NiFi UI does not include the JWT for requests to static assets, but authentication
is being checked as anonymous authentication is now disabled by default. So, a 401 is returned.

The current workaround is to enable anonymous authentication, which will allow access to static
assets for advanced UIs (JavaScript etc.):
nifi.security.allow.anonymous.authentication=true

A fix for this will likely involve a combination of explicitly allowing access to advanced
UI static assets for UIs bundled with NiFi, and for external custom UIs, anonymous authentication
will need to be enabled.

We expect that this will be a temporary change, with the long term goal of refactoring/redesigning
some of these security features in a future release/a NiFi 2.0 release.

Also related is NIFI-7489

> Fix anonymous access control for advanced UI resources
> ------------------------------------------------------
>
>                 Key: NIFI-7870
>                 URL: https://issues.apache.org/jira/browse/NIFI-7870
>             Project: Apache NiFi
>          Issue Type: Bug
>          Components: Core UI
>    Affects Versions: 1.12.0, 1.12.1
>            Reporter: Nathan Gough
>            Assignee: Nathan Gough
>            Priority: Critical
>              Labels: UI, content-type, header, security
>
> -The X-Content-Type header was added in NiFi 1.12.0, which blocks resources in the browser
if they do not have the content type added. It appears that some 'advanced UI' resources do
not have the content type applied to their resources and are blocked from loading.-
> On further inspection, it appears that explicitly disallowing anonymous access has resulted
in some static resources in the NiFi advanced UI's WAR checking whether the anonymous user
should be able to access them. The anonymous access was intended to be used on the NiFi API
endpoints, and not static resources.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
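An added check, not part of the Jira comment above and not NiFi's own code: the script below parses the two-line pattern that NiFiAuthenticationFilter writes (an INFO "Attempting request for (<anonymous>) ..." line followed by a WARN "Rejecting access to web api" line on the same thread, as quoted in the comment) and separates anonymous rejections of static assets served from an advanced UI context path from rejections of /nifi-api/ calls. That lets an operator confirm from nifi-app.log whether the 401s they are seeing come from the static-asset problem described here before deciding to relax nifi.security.allow.anonymous.authentication. The sample log lines are constructed to match the format quoted in the comment; the /nifi-api/ prefix test and the static-file extension list are assumptions made for this example.

```python
"""Classify NiFiAuthenticationFilter anonymous rejections: static asset vs API.

Added example (not NiFi project code). Pairs each anonymous 'Attempting request'
INFO line with the 'Rejecting access to web api' WARN line on the same thread.
"""
import re
from urllib.parse import urlsplit

# Constructed sample lines modelled on the ones quoted in NIFI-7870.
SAMPLE_LOG = """\
2020-10-01 19:30:38,159 INFO [NiFi Web Server-19] o.a.n.w.s.NiFiAuthenticationFilter Attempting request for (<anonymous>) GET https://localhost:8443/nifi-jolt-transform-json-ui-1.12.1/app/transformjson/transformjson.service.js (source ip: 172.17.0.1)
2020-10-01 19:30:38,159 WARN [NiFi Web Server-19] o.a.n.w.s.NiFiAuthenticationFilter Rejecting access to web api: Anonymous authentication has not been configured.
2020-10-01 19:30:40,002 INFO [NiFi Web Server-22] o.a.n.w.s.NiFiAuthenticationFilter Attempting request for (<anonymous>) GET https://localhost:8443/nifi-api/flow/status (source ip: 203.0.113.9)
2020-10-01 19:30:40,003 WARN [NiFi Web Server-22] o.a.n.w.s.NiFiAuthenticationFilter Rejecting access to web api: Anonymous authentication has not been configured.
2020-10-01 19:30:41,500 INFO [NiFi Web Server-23] o.a.n.w.s.NiFiAuthenticationFilter Attempting request for (CN=alice, OU=NiFi) GET https://localhost:8443/nifi-api/flow/status (source ip: 172.17.0.1)
"""

# Regexes for the two filter messages shown in the issue (format assumed stable).
ATTEMPT_RE = re.compile(
    r"^(?P<ts>\S+ \S+) INFO \[(?P<thread>[^\]]+)\] \S+NiFiAuthenticationFilter "
    r"Attempting request for \((?P<identity>[^)]*)\) (?P<method>[A-Z]+) (?P<url>\S+) "
    r"\(source ip: (?P<ip>[^)]+)\)$"
)
REJECT_RE = re.compile(
    r"^(?P<ts>\S+ \S+) WARN \[(?P<thread>[^\]]+)\] \S+NiFiAuthenticationFilter "
    r"Rejecting access to web api: (?P<reason>.+)$"
)

# Assumed list of file types an advanced UI WAR serves as static content.
STATIC_EXTENSIONS = (".js", ".css", ".html", ".map", ".png", ".svg", ".woff", ".woff2")


def classify_path(path):
    """'api' for NiFi REST paths, 'static-asset' for files served from a web app
    context (the advanced UI case in this issue), 'other' for anything else."""
    if path.startswith("/nifi-api/"):  # assumed REST context path
        return "api"
    if path.lower().endswith(STATIC_EXTENSIONS):
        return "static-asset"
    return "other"


def find_anonymous_rejections(log_text):
    """Return one record per anonymous request that the filter rejected.

    The INFO and WARN lines are correlated by the Jetty thread name, which is
    the only shared key in the two messages."""
    pending = {}  # thread name -> parsed 'Attempting request' fields
    results = []
    for line in log_text.splitlines():
        m = ATTEMPT_RE.match(line)
        if m:
            pending[m["thread"]] = m.groupdict()
            continue
        m = REJECT_RE.match(line)
        if m and m["thread"] in pending:
            attempt = pending.pop(m["thread"])
            if attempt["identity"] != "<anonymous>":
                continue  # authenticated identities are out of scope here
            path = urlsplit(attempt["url"]).path
            results.append({
                "ip": attempt["ip"],
                "path": path,
                "kind": classify_path(path),
                "reason": m["reason"],
            })
    return results


def summarize(rejections):
    """Count rejections per kind so the static-asset share is visible at a glance."""
    counts = {"api": 0, "static-asset": 0, "other": 0}
    for r in rejections:
        counts[r["kind"]] += 1
    return counts


if __name__ == "__main__":
    rej = find_anonymous_rejections(SAMPLE_LOG)
    for r in rej:
        print(f"{r['kind']:13s} {r['ip']:15s} {r['path']}")
    print(summarize(rej))
```

Run it against a real nifi-app.log by replacing SAMPLE_LOG with the file contents. A high "static-asset" count with a low "api" count matches the symptom in this issue (the browser fetching advanced UI files without the JWT); a high "api" count from addresses that are not your users' points instead at genuinely unauthenticated API calls, which enabling anonymous authentication would allow through.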
