gresockj commented on a change in pull request #5277:
URL: https://github.com/apache/nifi/pull/5277#discussion_r686943054
##########
File path:
nifi-commons/nifi-security-kerberos/src/main/java/org/apache/nifi/security/krb/AbstractKerberosUser.java
##########
@@ -157,18 +193,30 @@ public synchronized void logout() throws LoginException {
public synchronized boolean checkTGTAndRelogin() throws LoginException {
final KerberosTicket tgt = getTGT();
if (tgt == null) {
- LOGGER.debug("TGT was not found");
+ LOGGER.debug("TGT for {} was not found, performing logout/login",
principal);
+ logout();
+ login();
+ return true;
}
if (tgt != null && System.currentTimeMillis() < getRefreshTime(tgt)) {
- LOGGER.debug("TGT was found, but has not reached expiration
window");
+ LOGGER.debug("TGT for {} was found , but has not reached
expiration window", principal);
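Review bot: The `tgt != null` test in `if (tgt != null && System.currentTimeMillis() < getRefreshTime(tgt))` is now redundant, because the new `tgt == null` branch directly above it performs logout/login and returns; the condition would read more clearly as `if (System.currentTimeMillis() < getRefreshTime(tgt)) {`. The same line appears in the second, longer quotation of this hunk further down the thread. In that longer quotation the new `tgt.refresh()` path would also benefit from a one-line comment stating that a refresh only succeeds for a renewable ticket still inside its renew-until window, and that the catch presumably falls back to a full logout/login, which is worth confirming since that fallback is outside the quoted lines. checkTGTAndRelogin's body continues outside the quoted hunk.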
Review comment:
Extra space before comma
##########
File path:
nifi-nar-bundles/nifi-standard-services/nifi-kerberos-user-service-bundle/nifi-kerberos-user-service/src/main/java/org/apache/nifi/kerberos/KerberosKeytabUserService.java
##########
@@ -0,0 +1,70 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.nifi.kerberos;
+
+import org.apache.nifi.annotation.behavior.Restricted;
+import org.apache.nifi.annotation.behavior.Restriction;
+import org.apache.nifi.annotation.documentation.CapabilityDescription;
+import org.apache.nifi.annotation.documentation.Tags;
+import org.apache.nifi.components.PropertyDescriptor;
+import org.apache.nifi.components.RequiredPermission;
+import org.apache.nifi.components.resource.ResourceCardinality;
+import org.apache.nifi.components.resource.ResourceType;
+import org.apache.nifi.controller.ConfigurationContext;
+import org.apache.nifi.expression.ExpressionLanguageScope;
+import org.apache.nifi.security.krb.KerberosKeytabUser;
+import org.apache.nifi.security.krb.KerberosUser;
+
+import java.util.Collections;
+import java.util.List;
+
+@CapabilityDescription("Provides a mechanism for creating a KerberosUser from
a principal and keytab that other components are able to use in order to "
+ + "perform authentication using Kerberos. By encapsulating this
information into a Controller Service and allowing other components to make use
of it "
+ + "(as opposed to specifying the principal and keytab directly in the
processor) an administrator is able to choose which users are allowed to "
+ + "use which keytabs and principals. This provides a more robust
security model for multi-tenant use cases.")
+@Tags({"Kerberos", "Keytab", "Principal", "Credentials", "Authentication",
"Security"})
+@Restricted(restrictions = {
+ @Restriction(requiredPermission = RequiredPermission.ACCESS_KEYTAB,
explanation = "Allows user to define a Keytab and principal that can then be
used by other components.")
+})
+public class KerberosKeytabUserService extends AbstractKerberosUserService
implements SelfContainedKerberosUserService {
+
+ static final PropertyDescriptor KEYTAB = new PropertyDescriptor.Builder()
+ .name("Kerberos Keytab")
+ .description("Kerberos keytab associated with the principal.")
+ .identifiesExternalResource(ResourceCardinality.SINGLE,
ResourceType.FILE)
+
.expressionLanguageSupported(ExpressionLanguageScope.VARIABLE_REGISTRY)
+ .required(true)
+ .build();
+
+ private volatile String keytab;
+
+ @Override
+ protected List<PropertyDescriptor> getAdditionalProperties() {
+ return Collections.singletonList(KEYTAB);
+ }
+
+ @Override
+ protected void setAdditionalConfiguredValues(ConfigurationContext context)
{
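Review bot: The `private volatile String keytab;` field carries no comment explaining why it is `volatile`, and the same applies to `ticketCache` and `password` in the two other new services in this thread. A one-line comment such as `// volatile: assigned when the service is configured, read later from caller threads` would document the intended publication; the assignment in setAdditionalConfiguredValues and the method that reads the field both lie outside the quoted lines, so that threading assumption should be confirmed against the full file before wording the comment.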
Review comment:
Could be final
##########
File path:
nifi-commons/nifi-security-kerberos/src/main/java/org/apache/nifi/security/krb/AbstractKerberosUser.java
##########
@@ -157,18 +193,30 @@ public synchronized void logout() throws LoginException {
public synchronized boolean checkTGTAndRelogin() throws LoginException {
final KerberosTicket tgt = getTGT();
if (tgt == null) {
- LOGGER.debug("TGT was not found");
+ LOGGER.debug("TGT for {} was not found, performing logout/login",
principal);
+ logout();
+ login();
+ return true;
}
if (tgt != null && System.currentTimeMillis() < getRefreshTime(tgt)) {
- LOGGER.debug("TGT was found, but has not reached expiration
window");
+ LOGGER.debug("TGT for {} was found , but has not reached
expiration window", principal);
return false;
}
- LOGGER.debug("Performing relogin for {}", new Object[]{principal});
- logout();
- login();
- return true;
+ try {
+ tgt.refresh();
+ LOGGER.debug("TGT for {} was refreshed", principal);
+ return true;
+ } catch (RefreshFailedException e) {
Review comment:
Could be final exception
##########
File path:
nifi-nar-bundles/nifi-standard-services/nifi-kerberos-user-service-bundle/nifi-kerberos-user-service/src/main/java/org/apache/nifi/kerberos/KerberosTicketCacheUserService.java
##########
@@ -0,0 +1,71 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.nifi.kerberos;
+
+import org.apache.nifi.annotation.behavior.Restricted;
+import org.apache.nifi.annotation.behavior.Restriction;
+import org.apache.nifi.annotation.documentation.CapabilityDescription;
+import org.apache.nifi.annotation.documentation.Tags;
+import org.apache.nifi.components.PropertyDescriptor;
+import org.apache.nifi.components.RequiredPermission;
+import org.apache.nifi.components.resource.ResourceCardinality;
+import org.apache.nifi.components.resource.ResourceType;
+import org.apache.nifi.controller.ConfigurationContext;
+import org.apache.nifi.expression.ExpressionLanguageScope;
+import org.apache.nifi.security.krb.KerberosTicketCacheUser;
+import org.apache.nifi.security.krb.KerberosUser;
+
+import java.util.Collections;
+import java.util.List;
+
+@CapabilityDescription("Provides a mechanism for creating a KerberosUser from
a principal and ticket cache that other components " +
+ "are able to use in order to perform authentication using Kerberos. By
encapsulating this information into a Controller Service " +
+ "and allowing other components to make use of it an administrator is
able to choose which users are allowed to use which ticket " +
+ "caches and principals. This provides a more robust security model for
multi-tenant use cases.")
+@Tags({"Kerberos", "Ticket", "Cache", "Principal", "Credentials",
"Authentication", "Security"})
+@Restricted(restrictions = {
+ @Restriction(requiredPermission =
RequiredPermission.ACCESS_TICKET_CACHE,
+ explanation = "Allows user to define a ticket cache and
principal that can then be used by other components.")
+})
+public class KerberosTicketCacheUserService extends
AbstractKerberosUserService implements SelfContainedKerberosUserService {
+
+ static final PropertyDescriptor TICKET_CACHE_FILE = new
PropertyDescriptor.Builder()
+ .name("Kerberos Ticket Cache File")
+ .description("Kerberos ticket cache associated with the
principal.")
+ .identifiesExternalResource(ResourceCardinality.SINGLE,
ResourceType.FILE)
+
.expressionLanguageSupported(ExpressionLanguageScope.VARIABLE_REGISTRY)
+ .required(true)
+ .build();
+
+ private volatile String ticketCache;
+
+ @Override
+ protected List<PropertyDescriptor> getAdditionalProperties() {
+ return Collections.singletonList(TICKET_CACHE_FILE);
+ }
+
+ @Override
+ protected void setAdditionalConfiguredValues(ConfigurationContext context)
{
Review comment:
Could be final
##########
File path:
nifi-nar-bundles/nifi-standard-services/nifi-kerberos-user-service-bundle/nifi-kerberos-user-service/src/main/java/org/apache/nifi/kerberos/KerberosPasswordUserService.java
##########
@@ -0,0 +1,60 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.nifi.kerberos;
+
+import org.apache.nifi.annotation.documentation.CapabilityDescription;
+import org.apache.nifi.annotation.documentation.Tags;
+import org.apache.nifi.components.PropertyDescriptor;
+import org.apache.nifi.controller.ConfigurationContext;
+import org.apache.nifi.processor.util.StandardValidators;
+import org.apache.nifi.security.krb.KerberosPasswordUser;
+import org.apache.nifi.security.krb.KerberosUser;
+
+import java.util.Collections;
+import java.util.List;
+
+@CapabilityDescription("Provides a mechanism for creating a KerberosUser from
a principal and password that other " +
+ "components are able to use in order to perform authentication using
Kerberos.")
+@Tags({"Kerberos", "Password", "Principal", "Credentials", "Authentication",
"Security"})
+public class KerberosPasswordUserService extends AbstractKerberosUserService {
+
+ static final PropertyDescriptor PASSWORD = new PropertyDescriptor.Builder()
+ .name("Kerberos Password")
+ .description("Kerberos password associated with the principal.")
+ .addValidator(StandardValidators.NON_EMPTY_VALIDATOR)
+ .required(true)
+ .sensitive(true)
+ .build();
+
+ private volatile String password;
+
+ @Override
+ protected List<PropertyDescriptor> getAdditionalProperties() {
+ return Collections.singletonList(PASSWORD);
+ }
+
+ @Override
+ protected void setAdditionalConfiguredValues(ConfigurationContext context)
{
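Review bot: `private volatile String password;` retains the Kerberos password as an immutable String for as long as the service is enabled, so it cannot be cleared from the heap after use; the descriptor's `.sensitive(true)` protects the value in the stored flow configuration but not in memory. If KerberosPasswordUser accepts the credential only as a String this is probably unavoidable, but a short comment on the field, e.g. `// held in memory while the service is enabled; String cannot be zeroed after use`, would make the trade-off explicit for maintainers. The assignment in setAdditionalConfiguredValues is outside the quoted lines.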
Review comment:
Could be final