This is an automated email from the ASF dual-hosted git repository.
exceptionfactory pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/nifi.git
The following commit(s) were added to refs/heads/main by this push:
new de1d26d8bf NIFI-10799 Add OIDC to Docker images for NiFi and NiFi
Registry
de1d26d8bf is described below
commit de1d26d8bfc17a762124c89751db8842004f4299
Author: Justin Rittenhouse <[email protected]>
AuthorDate: Thu Nov 10 22:06:46 2022 -0500
NIFI-10799 Add OIDC to Docker images for NiFi and NiFi Registry
This closes #6651
Signed-off-by: David Handermann <[email protected]>
---
nifi-docker/dockerhub/sh/start.sh | 6 +++++
nifi-docker/dockerhub/sh/update_oidc_properties.sh | 27 ++++++++++++++++++++++
.../nifi-registry-docker/dockerhub/sh/start.sh | 8 ++++++-
.../dockerhub/sh/update_oidc_properties.sh | 27 ++++++++++++++++++++++
.../dockermaven/sh/start.sh | 9 +++++++-
.../dockermaven/sh/update_oidc_properties.sh | 27 ++++++++++++++++++++++
6 files changed, 102 insertions(+), 2 deletions(-)
diff --git a/nifi-docker/dockerhub/sh/start.sh
b/nifi-docker/dockerhub/sh/start.sh
index 4b377468ff..40b33a33ae 100755
--- a/nifi-docker/dockerhub/sh/start.sh
+++ b/nifi-docker/dockerhub/sh/start.sh
@@ -121,6 +121,12 @@ case ${AUTH} in
. "${scripts_dir}/secure.sh"
. "${scripts_dir}/update_login_providers.sh"
;;
+ oidc)
+ echo 'Enabling OIDC user authentication'
+
+ . "${scripts_dir}/secure.sh"
+ . "${scripts_dir}/update_oidc_properties.sh"
+ ;;
esac
# Continuously provide logs so that 'docker logs' can produce them
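Review bot: Nothing in the new `oidc)` branch verifies that the variables update_oidc_properties.sh reads are set, so `AUTH=oidc` with a missing discovery URL or client id silently writes empty values into nifi.properties and the misconfiguration only surfaces later when NiFi itself fails to start. Even if start.sh runs with `-e`, an unset variable expands to an empty string without error, so the sourced script cannot catch this on its own. A fail-fast guard before the two sourced scripts, e.g. `: "${NIFI_SECURITY_USER_OIDC_DISCOVERY_URL:?required when AUTH=oidc}"` and the same for `NIFI_SECURITY_USER_OIDC_CLIENT_ID`, would report the problem in the container log with the variable name. The enclosing `case ${AUTH} in` starts before the hunk.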
diff --git a/nifi-docker/dockerhub/sh/update_oidc_properties.sh
b/nifi-docker/dockerhub/sh/update_oidc_properties.sh
new file mode 100644
index 0000000000..827a40edba
--- /dev/null
+++ b/nifi-docker/dockerhub/sh/update_oidc_properties.sh
@@ -0,0 +1,27 @@
+#!/bin/sh -e
+
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+prop_replace 'nifi.security.user.oidc.discovery.url'
"${NIFI_SECURITY_USER_OIDC_DISCOVERY_URL}"
+prop_replace 'nifi.security.user.oidc.connect.timeout'
"${NIFI_SECURITY_USER_OIDC_CONNECT_TIMEOUT}"
+prop_replace 'nifi.security.user.oidc.read.timeout'
"${NIFI_SECURITY_USER_OIDC_READ_TIMEOUT}"
+prop_replace 'nifi.security.user.oidc.client.id'
"${NIFI_SECURITY_USER_OIDC_CLIENT_ID}"
+prop_replace 'nifi.security.user.oidc.client.secret'
"${NIFI_SECURITY_USER_OIDC_CLIENT_SECRET}"
+prop_replace 'nifi.security.user.oidc.preferred.jwsalgorithm'
"${NIFI_SECURITY_USER_OIDC_PREFERRED_JWSALGORITHM}"
+prop_replace 'nifi.security.user.oidc.additional.scopes'
"${NIFI_SECURITY_USER_OIDC_ADDITIONAL_SCOPES}"
+prop_replace 'nifi.security.user.oidc.claim.identifying.user'
"${NIFI_SECURITY_USER_OIDC_CLAIM_IDENTIFYING_USER}"
+prop_replace 'nifi.security.user.oidc.fallback.claims.identifying.user'
"${NIFI_SECURITY_USER_OIDC_FALLBACK_CLAIMS_IDENTIFYING_USER}"
+prop_replace 'nifi.security.user.oidc.truststore.strategy'
"${NIFI_SECURITY_USER_OIDC_TRUSTSTORE_STRATEGY}"
diff --git
a/nifi-registry/nifi-registry-core/nifi-registry-docker/dockerhub/sh/start.sh
b/nifi-registry/nifi-registry-core/nifi-registry-docker/dockerhub/sh/start.sh
index c65f3ea926..eba4ef217e 100755
---
a/nifi-registry/nifi-registry-core/nifi-registry-docker/dockerhub/sh/start.sh
+++
b/nifi-registry/nifi-registry-core/nifi-registry-docker/dockerhub/sh/start.sh
@@ -40,6 +40,12 @@ case ${AUTH} in
. "${scripts_dir}/secure.sh"
. "${scripts_dir}/update_login_providers.sh"
;;
+ oidc)
+ echo 'Enabling OIDC user authentication'
+
+ . "${scripts_dir}/secure.sh"
+ . "${scripts_dir}/update_oidc_properties.sh"
+ ;;
esac
. "${scripts_dir}/update_flow_provider.sh"
@@ -53,4 +59,4 @@ nifi_registry_pid="$!"
trap "echo Received trapped signal, beginning shutdown...;" KILL TERM HUP INT
EXIT;
echo NiFi-Registry running with PID ${nifi_registry_pid}.
-wait ${nifi_registry_pid}
\ No newline at end of file
+wait ${nifi_registry_pid}
diff --git
a/nifi-registry/nifi-registry-core/nifi-registry-docker/dockerhub/sh/update_oidc_properties.sh
b/nifi-registry/nifi-registry-core/nifi-registry-docker/dockerhub/sh/update_oidc_properties.sh
new file mode 100644
index 0000000000..827a40edba
--- /dev/null
+++
b/nifi-registry/nifi-registry-core/nifi-registry-docker/dockerhub/sh/update_oidc_properties.sh
@@ -0,0 +1,27 @@
+#!/bin/sh -e
+
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+prop_replace 'nifi.security.user.oidc.discovery.url'
"${NIFI_SECURITY_USER_OIDC_DISCOVERY_URL}"
+prop_replace 'nifi.security.user.oidc.connect.timeout'
"${NIFI_SECURITY_USER_OIDC_CONNECT_TIMEOUT}"
+prop_replace 'nifi.security.user.oidc.read.timeout'
"${NIFI_SECURITY_USER_OIDC_READ_TIMEOUT}"
+prop_replace 'nifi.security.user.oidc.client.id'
"${NIFI_SECURITY_USER_OIDC_CLIENT_ID}"
+prop_replace 'nifi.security.user.oidc.client.secret'
"${NIFI_SECURITY_USER_OIDC_CLIENT_SECRET}"
+prop_replace 'nifi.security.user.oidc.preferred.jwsalgorithm'
"${NIFI_SECURITY_USER_OIDC_PREFERRED_JWSALGORITHM}"
+prop_replace 'nifi.security.user.oidc.additional.scopes'
"${NIFI_SECURITY_USER_OIDC_ADDITIONAL_SCOPES}"
+prop_replace 'nifi.security.user.oidc.claim.identifying.user'
"${NIFI_SECURITY_USER_OIDC_CLAIM_IDENTIFYING_USER}"
+prop_replace 'nifi.security.user.oidc.fallback.claims.identifying.user'
"${NIFI_SECURITY_USER_OIDC_FALLBACK_CLAIMS_IDENTIFYING_USER}"
+prop_replace 'nifi.security.user.oidc.truststore.strategy'
"${NIFI_SECURITY_USER_OIDC_TRUSTSTORE_STRATEGY}"
diff --git a/nifi-registry/nifi-registry-docker-maven/dockermaven/sh/start.sh
b/nifi-registry/nifi-registry-docker-maven/dockermaven/sh/start.sh
index c65f3ea926..2703395516 100755
--- a/nifi-registry/nifi-registry-docker-maven/dockermaven/sh/start.sh
+++ b/nifi-registry/nifi-registry-docker-maven/dockermaven/sh/start.sh
@@ -40,6 +40,13 @@ case ${AUTH} in
. "${scripts_dir}/secure.sh"
. "${scripts_dir}/update_login_providers.sh"
;;
+ oidc)
+ echo 'Enabling OIDC user authentication'
+ prop_replace 'nifi.registry.security.needClientAuth' 'false'
+
+ . "${scripts_dir}/secure.sh"
+ . "${scripts_dir}/update_oidc_properties.sh"
+ ;;
esac
. "${scripts_dir}/update_flow_provider.sh"
@@ -53,4 +60,4 @@ nifi_registry_pid="$!"
trap "echo Received trapped signal, beginning shutdown...;" KILL TERM HUP INT
EXIT;
echo NiFi-Registry running with PID ${nifi_registry_pid}.
-wait ${nifi_registry_pid}
\ No newline at end of file
+wait ${nifi_registry_pid}
diff --git
a/nifi-registry/nifi-registry-docker-maven/dockermaven/sh/update_oidc_properties.sh
b/nifi-registry/nifi-registry-docker-maven/dockermaven/sh/update_oidc_properties.sh
new file mode 100644
index 0000000000..77819f69c5
--- /dev/null
+++
b/nifi-registry/nifi-registry-docker-maven/dockermaven/sh/update_oidc_properties.sh
@@ -0,0 +1,27 @@
+#!/bin/sh -e
+
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+prop_replace 'nifi.registry.security.user.oidc.discovery.url'
"${NIFI_REGISTRY_SECURITY_USER_OIDC_DISCOVERY_URL}"
+prop_replace 'nifi.registry.security.user.oidc.connect.timeout'
"${NIFI_REGISTRY_SECURITY_USER_OIDC_CONNECT_TIMEOUT}"
+prop_replace 'nifi.registry.security.user.oidc.read.timeout'
"${NIFI_REGISTRY_SECURITY_USER_OIDC_READ_TIMEOUT}"
+prop_replace 'nifi.registry.security.user.oidc.client.id'
"${NIFI_REGISTRY_SECURITY_USER_OIDC_CLIENT_ID}"
+prop_replace 'nifi.registry.security.user.oidc.client.secret'
"${NIFI_REGISTRY_SECURITY_USER_OIDC_CLIENT_SECRET}"
+prop_replace 'nifi.registry.security.user.oidc.preferred.jwsalgorithm'
"${NIFI_REGISTRY_SECURITY_USER_OIDC_PREFERRED_JWSALGORITHM}"
+prop_replace 'nifi.registry.security.user.oidc.additional.scopes'
"${NIFI_REGISTRY_SECURITY_USER_OIDC_ADDITIONAL_SCOPES}"
+prop_replace 'nifi.registry.security.user.oidc.claim.identifying.user'
"${NIFI_REGISTRY_SECURITY_USER_OIDC_CLAIM_IDENTIFYING_USER}"
+prop_replace
'nifi.registry.security.user.oidc.fallback.claims.identifying.user'
"${NIFI_REGISTRY_SECURITY_USER_OIDC_FALLBACK_CLAIMS_IDENTIFYING_USER}"
+prop_replace 'nifi.registry.security.user.oidc.truststore.strategy'
"${NIFI_REGISTRY_SECURITY_USER_OIDC_TRUSTSTORE_STRATEGY}"