Bryan Bende created NIFI-2517:
---------------------------------
Summary: Apply ordering to DNs from certificates
Key: NIFI-2517
URL: https://issues.apache.org/jira/browse/NIFI-2517
Project: Apache NiFi
Issue Type: Improvement
Affects Versions: 0.7.0, 1.0.0
Reporter: Bryan Bende
Priority: Minor
Currently when a user authenticates to NiFi with a certificate, the DN is
extracted with the following code from SubjectDnX509PrincipalExtractor:
{code}
// From Spring Security's SubjectDnX509PrincipalExtractor: the raw subject DN string becomes the identity
public Object extractPrincipal(X509Certificate cert) {
    return cert.getSubjectDN().getName().trim();
}
{code}
This string ends up being the user identity that needs to line up with
policies.
It is not guaranteed that the subject DN from a certificate will always be in a
known format. For example, one cert can put the CN before the OU, and another
can put the OU before the CN. Different tools can also display the same DN in
different orders, such as openssl vs keytool.
NiFi should be able to apply a re-ordering of the DNs so that after passing
through the X509 authentication code, the app can then assume the DN is in a
known order. We should also consider how this interacts with the identity
mapping concept introduced in 1.0.0.
In addition, we are currently using getSubjectDN() from X509Certificate, and the
Javadoc says:
{code}
* <strong>Denigrated</strong>, replaced by {@linkplain
* #getSubjectX500Principal()}. This method returns the {@code subject}
* as an implementation specific Principal object, which should not be
* relied upon by portable code.
{code}
So we may want to look at moving away from that method.
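As an illustration of the re-ordering described above (added example, not NiFi or Spring Security code), the following parses the portable RFC 2253 form from getSubjectX500Principal() and sorts the RDNs into a fixed attribute-type order. The order list and class name are assumptions for the example, not something NiFi defines.

```java
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Comparator;
import java.util.List;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import javax.security.auth.x500.X500Principal;

public final class DnNormalizer {

    // Assumed canonical attribute order for this example; unknown types sort after these.
    private static final List<String> ORDER = List.of("CN", "OU", "O", "L", "ST", "C");

    // Use the X500Principal (portable) rather than the implementation-specific getSubjectDN().
    static String normalize(X509Certificate cert) {
        return normalize(cert.getSubjectX500Principal());
    }

    static String normalize(X500Principal principal) {
        try {
            // RFC 2253 string form, then parse into RDNs so escaping is handled for us.
            LdapName name = new LdapName(principal.getName(X500Principal.RFC2253));
            List<Rdn> rdns = new ArrayList<>(name.getRdns());
            // List.sort is stable, so RDNs of the same type keep their relative order.
            rdns.sort(Comparator.comparingInt(DnNormalizer::rank));
            StringBuilder sb = new StringBuilder();
            for (Rdn rdn : rdns) {
                if (sb.length() > 0) {
                    sb.append(", ");
                }
                sb.append(rdn.toString());   // Rdn.toString() re-escapes special characters
            }
            return sb.toString();
        } catch (InvalidNameException e) {
            throw new IllegalArgumentException("Unparseable DN: " + principal.getName(), e);
        }
    }

    private static int rank(Rdn rdn) {
        int i = ORDER.indexOf(rdn.getType().toUpperCase());
        return i < 0 ? ORDER.size() : i;
    }

    public static void main(String[] args) {
        // Constructed sample DNs: same identity, different RDN order (as two tools or CAs might emit).
        X500Principal a = new X500Principal("CN=alice, OU=eng, O=Example");
        X500Principal b = new X500Principal("OU=eng, CN=alice, O=Example");
        System.out.println(normalize(a));
        System.out.println(normalize(b));
        System.out.println(normalize(a).equals(normalize(b)));
    }
}
```

Whatever order is chosen, the same normalization has to be applied to the identities stored in policies (or to the identity mapping input), otherwise a re-ordered DN will fail to match existing authorizations.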
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)