[
https://issues.apache.org/jira/browse/NIFI-8782?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17380798#comment-17380798
]
ASF subversion and git services commented on NIFI-8782:
-------------------------------------------------------
Commit c668d3df1baa4dd40f727aaa2bc1fab697520913 in nifi's branch
refs/heads/main from David Handermann
[ https://gitbox.apache.org/repos/asf?p=nifi.git;h=c668d3d ]
NIFI-8782 Added Rate-Limiting for Access Token Requests
- Added Jetty DoSFilter configured for /access/token
- Added nifi.web.max.access.token.requests.per.second property with default
value of 25
Signed-off-by: Nathan Gough <[email protected]>
This closes #5215.
> Add Rate-Limiting for Access Token Requests
> -------------------------------------------
>
> Key: NIFI-8782
> URL: https://issues.apache.org/jira/browse/NIFI-8782
> Project: Apache NiFi
> Issue Type: Improvement
> Components: Core UI, Security
> Reporter: David Handermann
> Assignee: David Handermann
> Priority: Minor
> Labels: authentication, jetty, security
> Time Spent: 40m
> Remaining Estimate: 0h
>
> The NiFi Jetty Server currently relies on the Jetty [Denial of Service
> Filter|https://www.eclipse.org/jetty/documentation/jetty-9/index.html#dos-filter]
> to provide configurable rate-limiting for HTTP requests. The DoSFilter
> applies to all requests and setting the limit too low can cause unexpected
> problems during system administration or data transfer.
> When configured with a Login Identity Provider, Access Token requests support
> authenticating users against the specified provider. The number of Access
> Token requests from a given remote address should be minimal and predictable
> based on the expected number of authorized users. Introducing a separate
> configuration property and targeted filter for Access Token requests will
> allow the NiFi Jetty Server to reject excessive numbers of authentication
> attempts while permitting higher numbers of requests to other resources.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
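
The targeted-filter arrangement described in the issue, as an added example that is not NiFi's own code: one Jetty DoSFilter with a high limit on every path and a second one with the limit of 25 per second on /access/token. It assumes Jetty 9 with jetty-servlet and jetty-servlets on the classpath; the class name, filter names, port 8080, placeholder servlet, general limit of 30000 and the choice to reject rather than delay (delayMs=-1) are assumptions made for illustration.

```java
import java.io.IOException;
import java.util.EnumSet;
import javax.servlet.DispatcherType;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.servlet.FilterHolder;
import org.eclipse.jetty.servlet.ServletContextHandler;
import org.eclipse.jetty.servlets.DoSFilter;

public class AccessTokenRateLimitExample {
    // Placeholder servlet standing in for the real application endpoints (hypothetical).
    public static class OkServlet extends HttpServlet {
        @Override
        protected void service(HttpServletRequest req, HttpServletResponse resp) throws IOException {
            resp.setStatus(HttpServletResponse.SC_OK);
            resp.getWriter().println("ok " + req.getRequestURI());
        }
    }

    // One DoSFilter instance per limit; each instance keeps its own per-address counters.
    static FilterHolder rateLimit(String name, int maxRequestsPerSec) {
        FilterHolder holder = new FilterHolder(DoSFilter.class);
        holder.setName(name);
        holder.setInitParameter("maxRequestsPerSec", Integer.toString(maxRequestsPerSec));
        holder.setInitParameter("delayMs", "-1");          // reject over-limit requests instead of delaying them
        holder.setInitParameter("trackSessions", "false"); // count by remote address, not by HTTP session
        return holder;
    }

    public static void main(String[] args) throws Exception {
        Server server = new Server(8080); // constructed port for local testing
        ServletContextHandler context = new ServletContextHandler(ServletContextHandler.NO_SESSIONS);
        context.setContextPath("/");
        context.addServlet(OkServlet.class, "/*");
        EnumSet<DispatcherType> dispatch = EnumSet.of(DispatcherType.REQUEST);
        // General limit for every request: high enough for administration and data transfer (assumed value).
        context.addFilter(rateLimit("general-dos-filter", 30000), "/*", dispatch);
        // Targeted limit for authentication attempts: 25 per second, the default named in the commit.
        context.addFilter(rateLimit("access-token-dos-filter", 25), "/access/token", dispatch);
        server.setHandler(context);
        server.start();
        server.join();
    }
}
```

With delayMs set to -1 neither filter marks a request as already tracked, so a token request is counted independently by both filters and the lower limit is the one that rejects bursts from a single remote address.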