This is an automated email from the ASF dual-hosted git repository.
joewitt pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/nifi.git
The following commit(s) were added to refs/heads/main by this push:
new 43cc2b4aaa NIFI-13297 Removed Kerberos SPENGO Authentication This
closes #8879
43cc2b4aaa is described below
commit 43cc2b4aaadd2f3689b5f4b48fa8b43ceddb4579
Author: exceptionfactory <[email protected]>
AuthorDate: Fri May 24 15:58:36 2024 -0500
NIFI-13297 Removed Kerberos SPENGO Authentication
This closes #8879
Signed-off-by: Joseph Witt <[email protected]>
---
.../java/org/apache/nifi/util/NiFiProperties.java | 41 -----------
.../src/main/asciidoc/administration-guide.adoc | 58 +--------------
.../src/test/resources/nifi.properties | 5 --
.../src/test/resources/nifi.properties | 5 --
.../nifi-framework/nifi-resources/pom.xml | 3 -
.../src/main/resources/conf/nifi.properties | 5 --
.../nifi-framework/nifi-web/nifi-web-api/pom.xml | 6 --
.../org/apache/nifi/web/api/AccessResource.java | 82 ---------------------
.../src/main/resources/nifi-web-api-context.xml | 1 -
.../test/resources/site-to-site/nifi.properties | 3 -
.../nifi-web/nifi-web-security/pom.xml | 4 -
.../AuthenticationSecurityConfiguration.java | 1 -
...erberosAuthenticationSecurityConfiguration.java | 46 ------------
.../configuration/WebSecurityConfiguration.java | 1 -
.../AlternateKerberosUserDetailsService.java | 32 --------
.../web/security/kerberos/KerberosService.java | 77 -------------------
.../spring/KerberosServiceFactoryBean.java | 86 ----------------------
.../src/main/webapp/js/nf/canvas/nf-canvas.js | 35 ++++-----
nifi-framework-bundle/pom.xml | 5 --
.../resources/conf/clustered/node1/nifi.properties | 5 --
.../resources/conf/clustered/node2/nifi.properties | 5 --
.../test/resources/conf/default/nifi.properties | 5 --
.../test/resources/conf/pythonic/nifi.properties | 9 ---
23 files changed, 14 insertions(+), 506 deletions(-)
diff --git
a/nifi-commons/nifi-properties/src/main/java/org/apache/nifi/util/NiFiProperties.java
b/nifi-commons/nifi-properties/src/main/java/org/apache/nifi/util/NiFiProperties.java
index 8932760b14..4b4bb77d8d 100644
---
a/nifi-commons/nifi-properties/src/main/java/org/apache/nifi/util/NiFiProperties.java
+++
b/nifi-commons/nifi-properties/src/main/java/org/apache/nifi/util/NiFiProperties.java
@@ -281,9 +281,6 @@ public class NiFiProperties extends ApplicationProperties {
public static final String KERBEROS_KRB5_FILE = "nifi.kerberos.krb5.file";
public static final String KERBEROS_SERVICE_PRINCIPAL =
"nifi.kerberos.service.principal";
public static final String KERBEROS_SERVICE_KEYTAB_LOCATION =
"nifi.kerberos.service.keytab.location";
- public static final String KERBEROS_SPNEGO_PRINCIPAL =
"nifi.kerberos.spnego.principal";
- public static final String KERBEROS_SPNEGO_KEYTAB_LOCATION =
"nifi.kerberos.spnego.keytab.location";
- public static final String KERBEROS_AUTHENTICATION_EXPIRATION =
"nifi.kerberos.spnego.authentication.expiration";
// state management
public static final String STATE_MANAGEMENT_CONFIG_FILE =
"nifi.state.management.configuration.file";
@@ -982,43 +979,6 @@ public class NiFiProperties extends ApplicationProperties {
}
}
- public String getKerberosSpnegoPrincipal() {
- final String spengoPrincipal = getProperty(KERBEROS_SPNEGO_PRINCIPAL);
- if (!StringUtils.isBlank(spengoPrincipal)) {
- return spengoPrincipal.trim();
- } else {
- return null;
- }
- }
-
- public String getKerberosSpnegoKeytabLocation() {
- final String keytabLocation =
getProperty(KERBEROS_SPNEGO_KEYTAB_LOCATION);
- if (!StringUtils.isBlank(keytabLocation)) {
- return keytabLocation.trim();
- } else {
- return null;
- }
- }
-
- public String getKerberosAuthenticationExpiration() {
- final String authenticationExpirationString =
getProperty(KERBEROS_AUTHENTICATION_EXPIRATION,
DEFAULT_KERBEROS_AUTHENTICATION_EXPIRATION);
- if (!StringUtils.isBlank(authenticationExpirationString)) {
- return authenticationExpirationString.trim();
- } else {
- return null;
- }
- }
-
- /**
- * Returns true if the Kerberos service principal and keytab location
- * properties are populated.
- *
- * @return true if Kerberos service support is enabled
- */
- public boolean isKerberosSpnegoSupportEnabled() {
- return !StringUtils.isBlank(getKerberosSpnegoPrincipal()) &&
!StringUtils.isBlank(getKerberosSpnegoKeytabLocation());
- }
-
/**
* Returns true if the login identity provider has been configured.
*
@@ -1402,7 +1362,6 @@ public class NiFiProperties extends ApplicationProperties
{
*/
public boolean isClientAuthRequiredForRestApi() {
return !isLoginIdentityProviderEnabled()
- && !isKerberosSpnegoSupportEnabled()
&& !isOidcEnabled()
&& !isKnoxSsoEnabled()
&& !isSamlEnabled()
diff --git a/nifi-docs/src/main/asciidoc/administration-guide.adoc
b/nifi-docs/src/main/asciidoc/administration-guide.adoc
index 92a3119ea5..fe111c9732 100644
--- a/nifi-docs/src/main/asciidoc/administration-guide.adoc
+++ b/nifi-docs/src/main/asciidoc/administration-guide.adoc
@@ -3176,57 +3176,6 @@ link:https://nginx.org/[Nginx] supports session affinity
in the upstream module
link:https://nginx.org/en/docs/http/ngx_http_upstream_module.html#sticky[sticky]
directive. The *sticky* directive
supports different strategies, including *cookie* and *route* options.
-[[kerberos_service]]
-== Kerberos Service
-NiFi can be configured to use Kerberos SPNEGO (or "Kerberos Service") for
authentication. In this scenario, users will hit the REST endpoint
`/access/kerberos` and the server will respond with a `401` status code and the
challenge response header `WWW-Authenticate: Negotiate`. This communicates to
the browser to use the GSS-API and load the user's Kerberos ticket and provide
it as a Base64-encoded header value in the subsequent request. It will be of
the form `Authorization: Negotiate YI [...]
-
-NiFi will only respond to Kerberos SPNEGO negotiation over an HTTPS
connection, as unsecured requests are never authenticated.
-
-The following properties must be set in _nifi.properties_ to enable Kerberos
service authentication.
-
-|====
-|*Property*|*Required*|*Description*
-|`Service Principal`|true|The service principal used by NiFi to communicate
with the KDC
-|`Keytab Location`|true|The file path to the keytab containing the service
principal
-|====
-
-See <<kerberos_properties>> for complete documentation.
-
-[[kerberos_service_notes]]
-=== Notes
-
-* Kerberos is case-sensitive in many places and the error messages (or lack
thereof) may not be sufficiently explanatory. Check the case sensitivity of the
service principal in your configuration files. Convention is
`HTTP/fully.qualified.domain@REALM`.
-* Browsers have varying levels of restriction when dealing with SPNEGO
negotiations. Some will provide the local Kerberos ticket to any domain that
requests it, while others explicitly specify the trusted domains in advance via
an allow list. See
link:http://docs.spring.io/autorepo/docs/spring-security-kerberos/1.0.2.BUILD-SNAPSHOT/reference/htmlsingle/#browserspnegoconfig[Spring
Security Kerberos - Reference Documentation: Appendix E. Configure browsers
for SPNEGO Negotiation^] for comm [...]
-* Some browsers (legacy IE) do not support recent encryption algorithms such
as AES, and are restricted to legacy algorithms (DES). This should be noted
when generating keytabs.
-* The KDC must be configured and a service principal defined for NiFi and a
keytab exported. Comprehensive instructions for Kerberos server configuration
and administration are beyond the scope of this document (see
link:http://web.mit.edu/kerberos/krb5-current/doc/admin/index.html[MIT Kerberos
Admin Guide^]), but an example is below:
-
-
-Adding a service principal for a server at `nifi.nifi.apache.org` and
exporting the keytab from the KDC:
-
-....
-root@kdc:/etc/krb5kdc# kadmin.local
-Authenticating as principal admin/[email protected] with password.
-kadmin.local: listprincs
-K/[email protected]
-admin/[email protected]
-...
-kadmin.local: addprinc -randkey HTTP/nifi.nifi.apache.org
-WARNING: no policy specified for HTTP/[email protected];
defaulting to no policy
-Principal "HTTP/[email protected]" created.
-kadmin.local: ktadd -k /http-nifi.keytab HTTP/nifi.nifi.apache.org
-Entry for principal HTTP/nifi.nifi.apache.org with kvno 2, encryption type
des3-cbc-sha1 added to keytab WRFILE:/http-nifi.keytab.
-Entry for principal HTTP/nifi.nifi.apache.org with kvno 2, encryption type
des-cbc-crc added to keytab WRFILE:/http-nifi.keytab.
-kadmin.local: listprincs
-HTTP/[email protected]
-K/[email protected]
-admin/[email protected]
-...
-kadmin.local: q
-root@kdc:~# ll /http*
--rw------- 1 root root 162 Mar 14 21:43 /http-nifi.keytab
-root@kdc:~#
-....
-
[[analytics_framework]]
== Analytics Framework
NiFi has an internal analytics framework which can be enabled to predict back
pressure occurrence, given the configured settings for threshold on a queue.
The model used by default for prediction is an ordinary least squares (OLS)
linear regression. It uses recent observations from a queue (either number of
objects or content size over time) and calculates a regression line for that
data. The line's equation is then used to determine the next value that will be
reached within a given ti [...]
@@ -4142,18 +4091,13 @@ Changing this property *requires* setting
`jute.maxbuffer` on ZooKeeper servers.
|====
|*Property*|*Description*
|`nifi.kerberos.krb5.file`*|The location of the krb5 file, if used. It is
blank by default. At this time, only a single krb5 file is allowed to
-be specified per NiFi instance, so this property is configured here to support
SPNEGO and service principals rather than in individual Processors.
+be specified per NiFi instance, so this property is configured here to support
service principals rather than in individual Processors.
If necessary the krb5 file can support multiple realms.
Example: `/etc/krb5.conf`
|`nifi.kerberos.service.principal`*|The name of the NiFi Kerberos service
principal, if used. It is blank by default. Note that this property is for NiFi
to authenticate as a client other systems.
Example: `nifi/nifi.example.com` or `nifi/[email protected]`
|`nifi.kerberos.service.keytab.location`*|The file path of the NiFi Kerberos
keytab, if used. It is blank by default. Note that this property is for NiFi to
authenticate as a client other systems.
Example: `/etc/nifi.keytab`
-|`nifi.kerberos.spnego.principal`*|The name of the NiFi Kerberos service
principal, if used. It is blank by default. Note that this property is used to
authenticate NiFi users.
-Example: `HTTP/nifi.example.com` or `HTTP/[email protected]`
-|`nifi.kerberos.spnego.keytab.location`*|The file path of the NiFi Kerberos
keytab, if used. It is blank by default. Note that this property is used to
authenticate NiFi users.
-Example: `/etc/http-nifi.keytab`
-|`nifi.kerberos.spengo.authentication.expiration`*|The expiration duration of
a successful Kerberos user authentication, if used. The default value is `12
hours`.
|====
[[analytics_properties]]
diff --git
a/nifi-framework-bundle/nifi-framework/nifi-framework-nar-utils/src/test/resources/nifi.properties
b/nifi-framework-bundle/nifi-framework/nifi-framework-nar-utils/src/test/resources/nifi.properties
index 475301e95e..2bde216284 100644
---
a/nifi-framework-bundle/nifi-framework/nifi-framework-nar-utils/src/test/resources/nifi.properties
+++
b/nifi-framework-bundle/nifi-framework/nifi-framework-nar-utils/src/test/resources/nifi.properties
@@ -177,8 +177,3 @@ nifi.kerberos.krb5.file=
# kerberos service principal #
nifi.kerberos.service.principal=
nifi.kerberos.service.keytab.location=
-
-# kerberos spnego principal #
-nifi.kerberos.spnego.principal=
-nifi.kerberos.spnego.keytab.location=
-nifi.kerberos.spnego.authentication.expiration=12 hours
\ No newline at end of file
diff --git
a/nifi-framework-bundle/nifi-framework/nifi-nar-utils/src/test/resources/nifi.properties
b/nifi-framework-bundle/nifi-framework/nifi-nar-utils/src/test/resources/nifi.properties
index d1c7cc5bee..c553a7890a 100644
---
a/nifi-framework-bundle/nifi-framework/nifi-nar-utils/src/test/resources/nifi.properties
+++
b/nifi-framework-bundle/nifi-framework/nifi-nar-utils/src/test/resources/nifi.properties
@@ -177,8 +177,3 @@ nifi.kerberos.krb5.file=
# kerberos service principal #
nifi.kerberos.service.principal=
nifi.kerberos.service.keytab.location=
-
-# kerberos spnego principal #
-nifi.kerberos.spnego.principal=
-nifi.kerberos.spnego.keytab.location=
-nifi.kerberos.spnego.authentication.expiration=12 hours
\ No newline at end of file
diff --git a/nifi-framework-bundle/nifi-framework/nifi-resources/pom.xml
b/nifi-framework-bundle/nifi-framework/nifi-resources/pom.xml
index db4502c77d..0bbe502d04 100644
--- a/nifi-framework-bundle/nifi-framework/nifi-resources/pom.xml
+++ b/nifi-framework-bundle/nifi-framework/nifi-resources/pom.xml
@@ -241,9 +241,6 @@
<nifi.kerberos.krb5.file> </nifi.kerberos.krb5.file>
<nifi.kerberos.service.principal />
<nifi.kerberos.service.keytab.location />
- <nifi.kerberos.spnego.principal />
- <nifi.kerberos.spnego.keytab.location />
- <nifi.kerberos.spnego.authentication.expiration>12
hours</nifi.kerberos.spnego.authentication.expiration>
<!-- nifi.properties: analytics properties -->
<nifi.analytics.predict.enabled>false</nifi.analytics.predict.enabled>
diff --git
a/nifi-framework-bundle/nifi-framework/nifi-resources/src/main/resources/conf/nifi.properties
b/nifi-framework-bundle/nifi-framework/nifi-resources/src/main/resources/conf/nifi.properties
index 72de9d3f22..9c54843e41 100644
---
a/nifi-framework-bundle/nifi-framework/nifi-resources/src/main/resources/conf/nifi.properties
+++
b/nifi-framework-bundle/nifi-framework/nifi-resources/src/main/resources/conf/nifi.properties
@@ -321,11 +321,6 @@ nifi.kerberos.krb5.file=${nifi.kerberos.krb5.file}
nifi.kerberos.service.principal=${nifi.kerberos.service.principal}
nifi.kerberos.service.keytab.location=${nifi.kerberos.service.keytab.location}
-# kerberos spnego principal #
-nifi.kerberos.spnego.principal=${nifi.kerberos.spnego.principal}
-nifi.kerberos.spnego.keytab.location=${nifi.kerberos.spnego.keytab.location}
-nifi.kerberos.spnego.authentication.expiration=${nifi.kerberos.spnego.authentication.expiration}
-
# analytics properties #
nifi.analytics.predict.enabled=${nifi.analytics.predict.enabled}
nifi.analytics.predict.interval=${nifi.analytics.predict.interval}
diff --git a/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/pom.xml
b/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/pom.xml
index 5a6d4d11ab..ff2d7a06a1 100644
--- a/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/pom.xml
+++ b/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/pom.xml
@@ -556,12 +556,6 @@
<version>2.0.0-SNAPSHOT</version>
<scope>test</scope>
</dependency>
- <dependency>
- <groupId>org.springframework.security.kerberos</groupId>
- <artifactId>spring-security-kerberos-core</artifactId>
- <version>1.0.1.RELEASE</version>
- <scope>provided</scope> <!-- expected to be provided by parent
classloader -->
- </dependency>
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-test</artifactId>
diff --git
a/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/api/AccessResource.java
b/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/api/AccessResource.java
index e2a0cba657..c27ca5e0b3 100644
---
a/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/api/AccessResource.java
+++
b/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/api/AccessResource.java
@@ -23,7 +23,6 @@ import java.time.Instant;
import java.util.Collections;
import java.util.Optional;
import java.util.UUID;
-import java.util.concurrent.TimeUnit;
import io.swagger.v3.oas.annotations.Operation;
import io.swagger.v3.oas.annotations.media.Content;
@@ -57,7 +56,6 @@ import org.apache.nifi.authorization.user.NiFiUser;
import org.apache.nifi.authorization.user.NiFiUserDetails;
import org.apache.nifi.authorization.user.NiFiUserUtils;
import org.apache.nifi.authorization.util.IdentityMappingUtil;
-import org.apache.nifi.util.FormatUtils;
import org.apache.nifi.web.api.dto.AccessConfigurationDTO;
import org.apache.nifi.web.api.dto.AccessStatusDTO;
import org.apache.nifi.web.api.dto.AccessTokenExpirationDTO;
@@ -71,7 +69,6 @@ import org.apache.nifi.web.security.UntrustedProxyException;
import org.apache.nifi.web.security.cookie.ApplicationCookieName;
import org.apache.nifi.web.security.jwt.provider.BearerTokenProvider;
import org.apache.nifi.web.security.jwt.revocation.JwtLogoutListener;
-import org.apache.nifi.web.security.kerberos.KerberosService;
import org.apache.nifi.web.security.knox.KnoxService;
import org.apache.nifi.web.security.logout.LogoutRequest;
import org.apache.nifi.web.security.logout.LogoutRequestManager;
@@ -112,7 +109,6 @@ public class AccessResource extends ApplicationResource {
private BearerTokenProvider bearerTokenProvider;
private BearerTokenResolver bearerTokenResolver;
private KnoxService knoxService;
- private KerberosService kerberosService;
private LogoutRequestManager logoutRequestManager;
/**
@@ -296,80 +292,6 @@ public class AccessResource extends ApplicationResource {
return generateOkResponse(entity).build();
}
- /**
- * Creates a token for accessing the REST API via Kerberos ticket exchange
/ SPNEGO negotiation.
- *
- * @param httpServletRequest the servlet request
- * @return A JWT (string)
- */
- @POST
- @Consumes(MediaType.TEXT_PLAIN)
- @Produces(MediaType.TEXT_PLAIN)
- @Path("/kerberos")
- @Operation(
- summary = "Creates a token for accessing the REST API via Kerberos
ticket exchange / SPNEGO negotiation",
- description = "The token returned is formatted as a JSON Web Token
(JWT). The token is base64 encoded and comprised of three parts. The header, " +
- "the body, and the signature. The expiration of the token
is a contained within the body. The token can be used in the Authorization
header " +
- "in the format 'Authorization: Bearer <token>'. It is also
stored in the browser as a cookie.",
- responses = @ApiResponse(content = @Content(schema =
@Schema(implementation = String.class)))
- )
- @ApiResponses(
- value = {
- @ApiResponse(responseCode = "400", description = "NiFi was
unable to complete the request because it was invalid. The request should not
be retried without modification."),
- @ApiResponse(
- responseCode = "401", description = "NiFi was
unable to complete the request because it did not contain a valid Kerberos " +
- "ticket in the Authorization header. Retry this
request after initializing a ticket with kinit and " +
- "ensuring your browser is configured to support
SPNEGO."
- ),
- @ApiResponse(responseCode = "409", description = "The
request was valid but NiFi was not in the appropriate state to process it."),
- @ApiResponse(responseCode = "500", description = "Unable
to create access token because an unexpected error occurred.")
- }
- )
- public Response createAccessTokenFromTicket(@Context final
HttpServletRequest httpServletRequest, @Context final HttpServletResponse
httpServletResponse) {
-
- // only support access tokens when communicating over HTTPS
- if (!httpServletRequest.isSecure()) {
- throw new AuthenticationNotSupportedException("Access tokens are
only issued over HTTPS.");
- }
-
- // If Kerberos Service Principal and keytab location not configured,
throws exception
- if (!properties.isKerberosSpnegoSupportEnabled() || kerberosService ==
null) {
- final String message = "Kerberos ticket login not supported by
this NiFi.";
- logger.debug(message);
- return
Response.status(Response.Status.CONFLICT).entity(message).build();
- }
-
- String authorizationHeaderValue =
httpServletRequest.getHeader(KerberosService.AUTHORIZATION_HEADER_NAME);
-
- if (!kerberosService.isValidKerberosHeader(authorizationHeaderValue)) {
- return
generateNotAuthorizedResponse().header(KerberosService.AUTHENTICATION_CHALLENGE_HEADER_NAME,
KerberosService.AUTHORIZATION_NEGOTIATE).build();
- } else {
- try {
- // attempt to authenticate
- Authentication authentication =
kerberosService.validateKerberosTicket(httpServletRequest);
-
- if (authentication == null) {
- throw new IllegalArgumentException("Request is not HTTPS
or Kerberos ticket missing or malformed");
- }
-
- final String expirationFromProperties =
properties.getKerberosAuthenticationExpiration();
- final long expirationDuration =
Math.round(FormatUtils.getPreciseTimeDuration(expirationFromProperties,
TimeUnit.MILLISECONDS));
- final Instant expiration =
Instant.now().plusMillis(expirationDuration);
-
- final String rawIdentity = authentication.getName();
- final String mappedIdentity =
IdentityMappingUtil.mapIdentity(rawIdentity,
IdentityMappingUtil.getIdentityMappings(properties));
-
- final LoginAuthenticationToken loginAuthenticationToken = new
LoginAuthenticationToken(mappedIdentity, expiration, Collections.emptySet());
- final String token =
bearerTokenProvider.getBearerToken(loginAuthenticationToken);
- final URI uri = URI.create(generateResourceUri("access",
"kerberos"));
- setBearerToken(httpServletResponse, token);
- return generateCreatedResponse(uri, token).build();
- } catch (final AuthenticationException e) {
- throw new AccessDeniedException(e.getMessage(), e);
- }
- }
- }
-
/**
* Creates a token for accessing the REST API via username/password stored
as a cookie in the browser.
*
@@ -608,10 +530,6 @@ public class AccessResource extends ApplicationResource {
this.jwtLogoutListener = jwtLogoutListener;
}
- public void setKerberosService(KerberosService kerberosService) {
- this.kerberosService = kerberosService;
- }
-
public void setX509AuthenticationProvider(X509AuthenticationProvider
x509AuthenticationProvider) {
this.x509AuthenticationProvider = x509AuthenticationProvider;
}
diff --git
a/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/resources/nifi-web-api-context.xml
b/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/resources/nifi-web-api-context.xml
index b9daceaca2..6c74a66397 100644
---
a/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/resources/nifi-web-api-context.xml
+++
b/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/resources/nifi-web-api-context.xml
@@ -616,7 +616,6 @@
<property name="jwtLogoutListener" ref="jwtLogoutListener"/>
<property name="bearerTokenProvider" ref="bearerTokenProvider"/>
<property name="bearerTokenResolver" ref="bearerTokenResolver"/>
- <property name="kerberosService" ref="kerberosService"/>
<property name="properties" ref="nifiProperties"/>
<property name="clusterCoordinator" ref="clusterCoordinator"/>
<property name="requestReplicator" ref="requestReplicator" />
diff --git
a/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/test/resources/site-to-site/nifi.properties
b/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/test/resources/site-to-site/nifi.properties
index ade760a297..7caa4a91d2 100644
---
a/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/test/resources/site-to-site/nifi.properties
+++
b/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/test/resources/site-to-site/nifi.properties
@@ -163,6 +163,3 @@ nifi.zookeeper.root.node=${nifi.zookeeper.root.node}
nifi.kerberos.krb5.file=${nifi.kerberos.krb5.file}
nifi.kerberos.service.principal=${nifi.kerberos.service.principal}
nifi.kerberos.service.keytab.location=${nifi.kerberos.service.keytab.location}
-nifi.kerberos.spnego.principal=${nifi.kerberos.spnego.principal}
-nifi.kerberos.spnego.keytab.location=${nifi.kerberos.spnego.keytab.location}
-nifi.kerberos.spnego.authentication.expiration=${nifi.kerberos.spnego.authentication.expiration}
\ No newline at end of file
diff --git
a/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/pom.xml
b/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/pom.xml
index 6c1a73cbc6..0209d3fe22 100644
--- a/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/pom.xml
+++ b/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/pom.xml
@@ -250,10 +250,6 @@
<artifactId>commons-codec</artifactId>
<version>${org.apache.commons.codec.version}</version>
</dependency>
- <dependency>
- <groupId>org.springframework.security.kerberos</groupId>
- <artifactId>spring-security-kerberos-core</artifactId>
- </dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-oauth2-resource-server</artifactId>
diff --git
a/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/configuration/AuthenticationSecurityConfiguration.java
b/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/configuration/AuthenticationSecurityConfiguration.java
index da18a01ec1..a0f5fccb9a 100644
---
a/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/configuration/AuthenticationSecurityConfiguration.java
+++
b/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/configuration/AuthenticationSecurityConfiguration.java
@@ -37,7 +37,6 @@ import
org.springframework.security.authentication.AuthenticationManager;
ClientRegistrationConfiguration.class,
JwtAuthenticationSecurityConfiguration.class,
JwtDecoderConfiguration.class,
- KerberosAuthenticationSecurityConfiguration.class,
KnoxAuthenticationSecurityConfiguration.class,
OidcSecurityConfiguration.class,
SamlAuthenticationSecurityConfiguration.class,
diff --git
a/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/configuration/KerberosAuthenticationSecurityConfiguration.java
b/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/configuration/KerberosAuthenticationSecurityConfiguration.java
deleted file mode 100644
index 5c07df4899..0000000000
---
a/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/configuration/KerberosAuthenticationSecurityConfiguration.java
+++ /dev/null
@@ -1,46 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements. See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.nifi.web.security.configuration;
-
-import org.apache.nifi.util.NiFiProperties;
-import org.apache.nifi.web.security.kerberos.KerberosService;
-import org.apache.nifi.web.security.spring.KerberosServiceFactoryBean;
-import org.springframework.beans.factory.annotation.Autowired;
-import org.springframework.context.annotation.Bean;
-import org.springframework.context.annotation.Configuration;
-
-/**
- * Kerberos Configuration for Authentication Security
- */
-@Configuration
-public class KerberosAuthenticationSecurityConfiguration {
- private final NiFiProperties niFiProperties;
-
- @Autowired
- public KerberosAuthenticationSecurityConfiguration(
- final NiFiProperties niFiProperties
- ) {
- this.niFiProperties = niFiProperties;
- }
-
- @Bean
- public KerberosService kerberosService() throws Exception {
- final KerberosServiceFactoryBean kerberosServiceFactoryBean = new
KerberosServiceFactoryBean();
- kerberosServiceFactoryBean.setProperties(niFiProperties);
- return kerberosServiceFactoryBean.getObject();
- }
-}
diff --git
a/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/configuration/WebSecurityConfiguration.java
b/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/configuration/WebSecurityConfiguration.java
index 410fcb3168..9fe3c55709 100644
---
a/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/configuration/WebSecurityConfiguration.java
+++
b/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/configuration/WebSecurityConfiguration.java
@@ -115,7 +115,6 @@ public class WebSecurityConfiguration {
"/access",
"/access/config",
"/access/token",
- "/access/kerberos",
"/access/knox/callback",
"/access/knox/request",
"/access/logout/complete",
diff --git
a/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/kerberos/AlternateKerberosUserDetailsService.java
b/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/kerberos/AlternateKerberosUserDetailsService.java
deleted file mode 100644
index 4d072e67f3..0000000000
---
a/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/kerberos/AlternateKerberosUserDetailsService.java
+++ /dev/null
@@ -1,32 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements. See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.nifi.web.security.kerberos;
-
-import org.springframework.security.core.authority.AuthorityUtils;
-import org.springframework.security.core.userdetails.User;
-import org.springframework.security.core.userdetails.UserDetails;
-import org.springframework.security.core.userdetails.UserDetailsService;
-import org.springframework.security.core.userdetails.UsernameNotFoundException;
-
-/* Potential refactoring is documented in NIFI-1637 */
-public class AlternateKerberosUserDetailsService implements UserDetailsService
{
-
- @Override
- public UserDetails loadUserByUsername(String username) throws
UsernameNotFoundException {
- return new User(username, "notUsed", true, true, true, true,
AuthorityUtils.createAuthorityList("ROLE_USER"));
- }
-}
diff --git
a/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/kerberos/KerberosService.java
b/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/kerberos/KerberosService.java
deleted file mode 100644
index 6595a216d0..0000000000
---
a/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/kerberos/KerberosService.java
+++ /dev/null
@@ -1,77 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements. See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.nifi.web.security.kerberos;
-
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-import org.springframework.security.authentication.AuthenticationDetailsSource;
-import org.springframework.security.core.Authentication;
-import
org.springframework.security.kerberos.authentication.KerberosServiceAuthenticationProvider;
-import
org.springframework.security.kerberos.authentication.KerberosServiceRequestToken;
-import
org.springframework.security.web.authentication.WebAuthenticationDetailsSource;
-
-import jakarta.servlet.http.HttpServletRequest;
-import java.nio.charset.StandardCharsets;
-import java.util.Base64;
-
-/**
- *
- */
-public class KerberosService {
-
- private static final Logger logger =
LoggerFactory.getLogger(KerberosService.class);
-
- public static final String AUTHORIZATION_HEADER_NAME = "Authorization";
- public static final String AUTHENTICATION_CHALLENGE_HEADER_NAME =
"WWW-Authenticate";
- public static final String AUTHORIZATION_NEGOTIATE = "Negotiate";
-
- private static final Base64.Decoder decoder = Base64.getDecoder();
-
- private KerberosServiceAuthenticationProvider
kerberosServiceAuthenticationProvider;
- private final AuthenticationDetailsSource<HttpServletRequest, ?>
authenticationDetailsSource = new WebAuthenticationDetailsSource();
-
- public void
setKerberosServiceAuthenticationProvider(KerberosServiceAuthenticationProvider
kerberosServiceAuthenticationProvider) {
- this.kerberosServiceAuthenticationProvider =
kerberosServiceAuthenticationProvider;
- }
-
- public Authentication validateKerberosTicket(HttpServletRequest request) {
- // Only support Kerberos login when running securely
- if (!request.isSecure()) {
- return null;
- }
-
- String header = request.getHeader(AUTHORIZATION_HEADER_NAME);
-
- if (isValidKerberosHeader(header)) {
- if (logger.isDebugEnabled()) {
- logger.debug("Received Negotiate Header for request " +
request.getRequestURL() + ": " + header);
- }
- byte[] base64Token = header.substring(header.indexOf(" ") +
1).getBytes(StandardCharsets.UTF_8);
- byte[] kerberosTicket = decoder.decode(base64Token);
- KerberosServiceRequestToken authenticationRequest = new
KerberosServiceRequestToken(kerberosTicket);
-
authenticationRequest.setDetails(authenticationDetailsSource.buildDetails(request));
-
- return
kerberosServiceAuthenticationProvider.authenticate(authenticationRequest);
- } else {
- return null;
- }
- }
-
- public boolean isValidKerberosHeader(String header) {
- return header != null && (header.startsWith("Negotiate ") ||
header.startsWith("Kerberos "));
- }
-}
diff --git
a/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/spring/KerberosServiceFactoryBean.java
b/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/spring/KerberosServiceFactoryBean.java
deleted file mode 100644
index 3ea7f5df50..0000000000
---
a/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/spring/KerberosServiceFactoryBean.java
+++ /dev/null
@@ -1,86 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements. See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.nifi.web.security.spring;
-
-import org.apache.nifi.util.NiFiProperties;
-import
org.apache.nifi.web.security.kerberos.AlternateKerberosUserDetailsService;
-import org.apache.nifi.web.security.kerberos.KerberosService;
-import org.springframework.beans.factory.FactoryBean;
-import org.springframework.core.io.FileSystemResource;
-import
org.springframework.security.kerberos.authentication.KerberosServiceAuthenticationProvider;
-import
org.springframework.security.kerberos.authentication.KerberosTicketValidator;
-import
org.springframework.security.kerberos.authentication.sun.GlobalSunJaasKerberosConfig;
-import
org.springframework.security.kerberos.authentication.sun.SunJaasKerberosTicketValidator;
-
-import java.io.File;
-
-public class KerberosServiceFactoryBean implements
FactoryBean<KerberosService> {
-
- private KerberosService kerberosService = null;
- private NiFiProperties properties = null;
-
- @Override
- public KerberosService getObject() throws Exception {
- if (kerberosService == null &&
properties.isKerberosSpnegoSupportEnabled()) {
- final File krb5ConfigFile =
properties.getKerberosConfigurationFile();
- if (krb5ConfigFile != null) {
- final GlobalSunJaasKerberosConfig krb5Config = new
GlobalSunJaasKerberosConfig();
-
krb5Config.setKrbConfLocation(krb5ConfigFile.getAbsolutePath());
- krb5Config.afterPropertiesSet();
- }
-
- kerberosService = new KerberosService();
-
kerberosService.setKerberosServiceAuthenticationProvider(createKerberosServiceAuthenticationProvider());
- }
-
- return kerberosService;
- }
-
- @Override
- public Class<?> getObjectType() {
- return KerberosService.class;
- }
-
- @Override
- public boolean isSingleton() {
- return true;
- }
-
- public void setProperties(NiFiProperties properties) {
- this.properties = properties;
- }
-
- private KerberosServiceAuthenticationProvider
createKerberosServiceAuthenticationProvider() throws Exception {
- KerberosServiceAuthenticationProvider
kerberosServiceAuthenticationProvider = new
KerberosServiceAuthenticationProvider();
-
kerberosServiceAuthenticationProvider.setTicketValidator(createTicketValidator());
-
kerberosServiceAuthenticationProvider.setUserDetailsService(createAlternateKerberosUserDetailsService());
- kerberosServiceAuthenticationProvider.afterPropertiesSet();
- return kerberosServiceAuthenticationProvider;
- }
-
- private AlternateKerberosUserDetailsService
createAlternateKerberosUserDetailsService() {
- return new AlternateKerberosUserDetailsService();
- }
-
- private KerberosTicketValidator createTicketValidator() throws Exception {
- SunJaasKerberosTicketValidator ticketValidator = new
SunJaasKerberosTicketValidator();
-
ticketValidator.setServicePrincipal(properties.getKerberosSpnegoPrincipal());
- ticketValidator.setKeyTabLocation(new
FileSystemResource(properties.getKerberosSpnegoKeytabLocation()));
- ticketValidator.afterPropertiesSet();
- return ticketValidator;
- }
-}
diff --git
a/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-ui/src/main/webapp/js/nf/canvas/nf-canvas.js
b/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-ui/src/main/webapp/js/nf/canvas/nf-canvas.js
index e31afa850a..1105f6bd84 100644
---
a/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-ui/src/main/webapp/js/nf/canvas/nf-canvas.js
+++
b/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-ui/src/main/webapp/js/nf/canvas/nf-canvas.js
@@ -115,7 +115,6 @@
accessTokenExpiration: '../nifi-api/access/token/expiration',
currentUser: '../nifi-api/flow/current-user',
controllerBulletins: '../nifi-api/flow/controller/bulletins',
- kerberos: '../nifi-api/access/kerberos',
revision: '../nifi-api/flow/revision',
banners: '../nifi-api/flow/banners'
}
@@ -913,7 +912,7 @@
* Initialize NiFi.
*/
init: function () {
- // attempt kerberos/oidc/saml authentication
+ // attempt oidc/saml authentication
var ticketExchange = $.Deferred(function (deferred) {
var successfulAuthentication = function (jwt) {
// Use Expiration from JWT for tracking authentication
status
@@ -928,27 +927,19 @@
deferred.resolve();
} else {
$.ajax({
- type: 'POST',
- url: config.urls.kerberos,
- dataType: 'text'
- }).done(function (jwt) {
- successfulAuthentication(jwt);
+ type: 'GET',
+ url: config.urls.accessTokenExpiration,
+ dataType: 'json'
+ }).done(function (accessTokenExpirationEntity) {
+ var accessTokenExpiration =
accessTokenExpirationEntity.accessTokenExpiration;
+ // Convert ISO 8601 string to session expiration in
seconds
+ var expiration =
Date.parse(accessTokenExpiration.expiration);
+ var expirationSeconds = expiration / 1000;
+ var sessionExpiration = Math.round(expirationSeconds);
+ nfAuthorizationStorage.setToken(sessionExpiration);
+ deferred.resolve();
}).fail(function () {
- $.ajax({
- type: 'GET',
- url: config.urls.accessTokenExpiration,
- dataType: 'json'
- }).done(function (accessTokenExpirationEntity) {
- var accessTokenExpiration =
accessTokenExpirationEntity.accessTokenExpiration;
- // Convert ISO 8601 string to session expiration
in seconds
- var expiration =
Date.parse(accessTokenExpiration.expiration);
- var expirationSeconds = expiration / 1000;
- var sessionExpiration =
Math.round(expirationSeconds);
- nfAuthorizationStorage.setToken(sessionExpiration);
- deferred.resolve();
- }).fail(function () {
- deferred.reject();
- });
+ deferred.reject();
});
}
}).promise();
diff --git a/nifi-framework-bundle/pom.xml b/nifi-framework-bundle/pom.xml
index 0dca4798e7..b58bdc6165 100644
--- a/nifi-framework-bundle/pom.xml
+++ b/nifi-framework-bundle/pom.xml
@@ -269,11 +269,6 @@
</exclusion>
</exclusions>
</dependency>
- <dependency>
- <groupId>org.springframework.security.kerberos</groupId>
- <artifactId>spring-security-kerberos-core</artifactId>
- <version>1.0.1.RELEASE</version>
- </dependency>
<!-- Override OpenSAML to version 4 for Spring Security SAML -->
<dependency>
<groupId>org.opensaml</groupId>
diff --git
a/nifi-system-tests/nifi-system-test-suite/src/test/resources/conf/clustered/node1/nifi.properties
b/nifi-system-tests/nifi-system-test-suite/src/test/resources/conf/clustered/node1/nifi.properties
index d914e8e643..86dddcdd12 100644
---
a/nifi-system-tests/nifi-system-test-suite/src/test/resources/conf/clustered/node1/nifi.properties
+++
b/nifi-system-tests/nifi-system-test-suite/src/test/resources/conf/clustered/node1/nifi.properties
@@ -248,8 +248,3 @@ nifi.kerberos.krb5.file=
# kerberos service principal #
nifi.kerberos.service.principal=
nifi.kerberos.service.keytab.location=
-
-# kerberos spnego principal #
-nifi.kerberos.spnego.principal=
-nifi.kerberos.spnego.keytab.location=
-nifi.kerberos.spnego.authentication.expiration=12 hours
diff --git
a/nifi-system-tests/nifi-system-test-suite/src/test/resources/conf/clustered/node2/nifi.properties
b/nifi-system-tests/nifi-system-test-suite/src/test/resources/conf/clustered/node2/nifi.properties
index 5bb68875e7..11e379e482 100644
---
a/nifi-system-tests/nifi-system-test-suite/src/test/resources/conf/clustered/node2/nifi.properties
+++
b/nifi-system-tests/nifi-system-test-suite/src/test/resources/conf/clustered/node2/nifi.properties
@@ -248,8 +248,3 @@ nifi.kerberos.krb5.file=
# kerberos service principal #
nifi.kerberos.service.principal=
nifi.kerberos.service.keytab.location=
-
-# kerberos spnego principal #
-nifi.kerberos.spnego.principal=
-nifi.kerberos.spnego.keytab.location=
-nifi.kerberos.spnego.authentication.expiration=12 hours
diff --git
a/nifi-system-tests/nifi-system-test-suite/src/test/resources/conf/default/nifi.properties
b/nifi-system-tests/nifi-system-test-suite/src/test/resources/conf/default/nifi.properties
index b2f1a05240..a076776bbb 100644
---
a/nifi-system-tests/nifi-system-test-suite/src/test/resources/conf/default/nifi.properties
+++
b/nifi-system-tests/nifi-system-test-suite/src/test/resources/conf/default/nifi.properties
@@ -249,8 +249,3 @@ nifi.kerberos.krb5.file=
# kerberos service principal #
nifi.kerberos.service.principal=
nifi.kerberos.service.keytab.location=
-
-# kerberos spnego principal #
-nifi.kerberos.spnego.principal=
-nifi.kerberos.spnego.keytab.location=
-nifi.kerberos.spnego.authentication.expiration=12 hours
diff --git
a/nifi-system-tests/nifi-system-test-suite/src/test/resources/conf/pythonic/nifi.properties
b/nifi-system-tests/nifi-system-test-suite/src/test/resources/conf/pythonic/nifi.properties
index d0efbde51d..0b05dcdd36 100644
---
a/nifi-system-tests/nifi-system-test-suite/src/test/resources/conf/pythonic/nifi.properties
+++
b/nifi-system-tests/nifi-system-test-suite/src/test/resources/conf/pythonic/nifi.properties
@@ -253,12 +253,3 @@ nifi.kerberos.krb5.file=
# kerberos service principal #
nifi.kerberos.service.principal=
nifi.kerberos.service.keytab.location=
-
-# kerberos spnego principal #
-nifi.kerberos.spnego.principal=
-nifi.kerberos.spnego.keytab.location=
-nifi.kerberos.spnego.authentication.expiration=12 hours
-
-# external properties files for variable registry
-# supports a comma delimited list of file locations
-nifi.variable.registry.properties=
