exceptionfactory commented on code in PR #7839:
URL: https://github.com/apache/nifi/pull/7839#discussion_r1348130679
##########
nifi-registry/nifi-registry-core/nifi-registry-docker/dockerhub/README.md:
##########
@@ -124,6 +124,39 @@ The following, optional environment variables may be added
to the above command
-e LDAP_TLS_TRUSTSTORE_PASSWORD: ''
-e LDAP_TLS_TRUSTSTORE_TYPE: ''
+### Standalone Instance secured with HTTPS and OpenID Authentication
+In this configuration, the user will need to provide certificates and
associated configuration information.
+Of particular note, is the `AUTH` environment variable which is set to `oidc`.
Additionally, the user must provide a
+in the `INITIAL_ADMIN_IDENTITY` environment variable. This value will be used
to seed the instance with an initial
+user with administrative privileges.
+
+### For a minimal, connection to an OpenID server
+
+ docker run --name nifi-registry \
+ -v $(pwd)/certs/localhost:/opt/certs \
+ -p 18443:18443 \
+ -e AUTH=oidc \
+ -e KEYSTORE_PATH=/opt/certs/keystore.jks \
+ -e KEYSTORE_TYPE=JKS \
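Review bot: The second sentence of the added paragraph is incomplete: "Additionally, the user must provide a in the `INITIAL_ADMIN_IDENTITY` environment variable" is missing the noun after "a", so the reader is not told what value to supply; please complete it. In the same paragraph, "Of particular note, is the `AUTH` environment variable" has a stray comma, and the heading "### For a minimal, connection to an OpenID server" has one as well; since that heading only introduces the command, plain text or a lower-level heading would also fit the surrounding README better than a sibling of the section heading above it.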
Review Comment:
PKCS12 is the preferred format and the default starting from Java 9 on, so
this example should be adjusted.
```suggestion
-e KEYSTORE_PATH=/opt/certs/keystore.p12 \
-e KEYSTORE_TYPE=PKCS12 \
```
##########
nifi-registry/nifi-registry-core/nifi-registry-docker/dockerhub/README.md:
##########
@@ -124,6 +124,39 @@ The following, optional environment variables may be added
to the above command
-e LDAP_TLS_TRUSTSTORE_PASSWORD: ''
-e LDAP_TLS_TRUSTSTORE_TYPE: ''
+### Standalone Instance secured with HTTPS and OpenID Authentication
+In this configuration, the user will need to provide certificates and
associated configuration information.
+Of particular note, is the `AUTH` environment variable which is set to `oidc`.
Additionally, the user must provide a
+in the `INITIAL_ADMIN_IDENTITY` environment variable. This value will be used
to seed the instance with an initial
+user with administrative privileges.
+
+### For a minimal, connection to an OpenID server
+
+ docker run --name nifi-registry \
+ -v $(pwd)/certs/localhost:/opt/certs \
+ -p 18443:18443 \
+ -e AUTH=oidc \
+ -e KEYSTORE_PATH=/opt/certs/keystore.jks \
+ -e KEYSTORE_TYPE=JKS \
+ -e KEYSTORE_PASSWORD=QKZv1hSWAFQYZ+WU1jjF5ank+l4igeOfQRp+OSbkkrs \
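Review bot: The bind mount `-v $(pwd)/certs/localhost:/opt/certs` and the line `-e KEYSTORE_PATH=/opt/certs/keystore.jks` together imply a specific directory layout, but the text never says which files the user must place in that directory or that the keystore has to hold the server certificate and its private key; add a sentence listing the expected files so the example can be followed without reading the image's start script.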
Review Comment:
Recommend using `PLACEHOLDER` instead of some random value.
```suggestion
-e KEYSTORE_PASSWORD=PLACEHOLDER \
```
##########
nifi-registry/nifi-registry-core/nifi-registry-docker/dockerhub/README.md:
##########
@@ -124,6 +124,39 @@ The following, optional environment variables may be added
to the above command
-e LDAP_TLS_TRUSTSTORE_PASSWORD: ''
-e LDAP_TLS_TRUSTSTORE_TYPE: ''
+### Standalone Instance secured with HTTPS and OpenID Authentication
+In this configuration, the user will need to provide certificates and
associated configuration information.
+Of particular note, is the `AUTH` environment variable which is set to `oidc`.
Additionally, the user must provide a
+in the `INITIAL_ADMIN_IDENTITY` environment variable. This value will be used
to seed the instance with an initial
+user with administrative privileges.
+
+### For a minimal, connection to an OpenID server
+
+ docker run --name nifi-registry \
+ -v $(pwd)/certs/localhost:/opt/certs \
+ -p 18443:18443 \
+ -e AUTH=oidc \
+ -e KEYSTORE_PATH=/opt/certs/keystore.jks \
+ -e KEYSTORE_TYPE=JKS \
+ -e KEYSTORE_PASSWORD=QKZv1hSWAFQYZ+WU1jjF5ank+l4igeOfQRp+OSbkkrs \
+ -e TRUSTSTORE_PATH=/opt/certs/truststore.jks \
+ -e TRUSTSTORE_PASSWORD=rHkWR1gDNW3R9hgbeRsT3OM3Ue0zwGtQqcFKJD2EXWE \
+ -e TRUSTSTORE_TYPE=JKS \
+ -e INITIAL_ADMIN_IDENTITY='test' \
+ -e
NIFI_REGISTRY_SECURITY_USER_OIDC_DISCOVERY_URL=http://OPENID_SERVER_URL/auth/realms/OPENID_REALM/.well-known/openid-configuration
\
+ -e NIFI_REGISTRY_SECURITY_USER_OIDC_CONNECT_TIMEOUT=10000 \
+ -e NIFI_REGISTRY_SECURITY_USER_OIDC_READ_TIMEOUT=10000 \
+ -e NIFI_REGISTRY_SECURITY_USER_OIDC_CLIENT_ID=nifi \
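Review bot: `-e NIFI_REGISTRY_SECURITY_USER_OIDC_CONNECT_TIMEOUT=10000` and `-e NIFI_REGISTRY_SECURITY_USER_OIDC_READ_TIMEOUT=10000` give bare numbers with no unit and no explanation; the README should state the value format these variables expect and whether they are optional, otherwise readers will copy a value whose meaning they cannot check.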
Review Comment:
```suggestion
-e NIFI_REGISTRY_SECURITY_USER_OIDC_CLIENT_ID=CLIENT_ID \
```
##########
nifi-registry/nifi-registry-core/nifi-registry-docker/dockerhub/README.md:
##########
@@ -124,6 +124,39 @@ The following, optional environment variables may be added
to the above command
-e LDAP_TLS_TRUSTSTORE_PASSWORD: ''
-e LDAP_TLS_TRUSTSTORE_TYPE: ''
+### Standalone Instance secured with HTTPS and OpenID Authentication
+In this configuration, the user will need to provide certificates and
associated configuration information.
+Of particular note, is the `AUTH` environment variable which is set to `oidc`.
Additionally, the user must provide a
+in the `INITIAL_ADMIN_IDENTITY` environment variable. This value will be used
to seed the instance with an initial
+user with administrative privileges.
+
+### For a minimal, connection to an OpenID server
+
+ docker run --name nifi-registry \
+ -v $(pwd)/certs/localhost:/opt/certs \
+ -p 18443:18443 \
+ -e AUTH=oidc \
+ -e KEYSTORE_PATH=/opt/certs/keystore.jks \
+ -e KEYSTORE_TYPE=JKS \
+ -e KEYSTORE_PASSWORD=QKZv1hSWAFQYZ+WU1jjF5ank+l4igeOfQRp+OSbkkrs \
+ -e TRUSTSTORE_PATH=/opt/certs/truststore.jks \
+ -e TRUSTSTORE_PASSWORD=rHkWR1gDNW3R9hgbeRsT3OM3Ue0zwGtQqcFKJD2EXWE \
+ -e TRUSTSTORE_TYPE=JKS \
+ -e INITIAL_ADMIN_IDENTITY='test' \
+ -e
NIFI_REGISTRY_SECURITY_USER_OIDC_DISCOVERY_URL=http://OPENID_SERVER_URL/auth/realms/OPENID_REALM/.well-known/openid-configuration
\
+ -e NIFI_REGISTRY_SECURITY_USER_OIDC_CONNECT_TIMEOUT=10000 \
+ -e NIFI_REGISTRY_SECURITY_USER_OIDC_READ_TIMEOUT=10000 \
+ -e NIFI_REGISTRY_SECURITY_USER_OIDC_CLIENT_ID=nifi \
+ -e
NIFI_REGISTRY_SECURITY_USER_OIDC_CLIENT_SECRET=tU47ugXO308WZqf5TtylyoMX3xH6W0kN
\
+ -e NIFI_REGISTRY_SECURITY_USER_OIDC_PREFERRED_JWSALGORITHM=RS256 \
+ -e NIFI_REGISTRY_SECURITY_USER_OIDC_ADDITIONAL_SCOPES=email \
+ -e
NIFI_REGISTRY_SECURITY_USER_OIDC_CLAIM_IDENTIFYING_USER=preferred_username \
+ -d \
+ apache/nifi-registry:latest
+
+- Make sure you've created realm, client and user in OpenID Server before with
the same user name defined in `INITIAL_ADMIN_IDENTITY` environment variable
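Review bot: `-e NIFI_REGISTRY_SECURITY_USER_OIDC_CLAIM_IDENTIFYING_USER=preferred_username` is shown without any caveat, yet OpenID Connect Core 1.0 says a relying party must not rely on `preferred_username` being unique, and the claim can be changed at the provider. Because this claim becomes the identity that `INITIAL_ADMIN_IDENTITY` is matched against for authorization, the text should note that a stable claim such as `sub` (or a verified `email`, given the `ADDITIONAL_SCOPES=email` line) is the safer choice and that the chosen claim must match the configured identity exactly.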
Review Comment:
This is different for each type of server, so this line should be removed.
```suggestion
```
##########
nifi-registry/nifi-registry-core/nifi-registry-docker/dockerhub/README.md:
##########
@@ -124,6 +124,39 @@ The following, optional environment variables may be added
to the above command
-e LDAP_TLS_TRUSTSTORE_PASSWORD: ''
-e LDAP_TLS_TRUSTSTORE_TYPE: ''
+### Standalone Instance secured with HTTPS and OpenID Authentication
+In this configuration, the user will need to provide certificates and
associated configuration information.
+Of particular note, is the `AUTH` environment variable which is set to `oidc`.
Additionally, the user must provide a
+in the `INITIAL_ADMIN_IDENTITY` environment variable. This value will be used
to seed the instance with an initial
+user with administrative privileges.
+
+### For a minimal, connection to an OpenID server
+
+ docker run --name nifi-registry \
+ -v $(pwd)/certs/localhost:/opt/certs \
+ -p 18443:18443 \
+ -e AUTH=oidc \
+ -e KEYSTORE_PATH=/opt/certs/keystore.jks \
+ -e KEYSTORE_TYPE=JKS \
+ -e KEYSTORE_PASSWORD=QKZv1hSWAFQYZ+WU1jjF5ank+l4igeOfQRp+OSbkkrs \
+ -e TRUSTSTORE_PATH=/opt/certs/truststore.jks \
+ -e TRUSTSTORE_PASSWORD=rHkWR1gDNW3R9hgbeRsT3OM3Ue0zwGtQqcFKJD2EXWE \
+ -e TRUSTSTORE_TYPE=JKS \
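Review bot: The three `TRUSTSTORE_*` lines do not say what the truststore must contain. In this configuration the registry both serves HTTPS and connects out to an identity provider, so the text should state which CA certificates need to be present, at minimum the issuer of the OpenID server's certificate when it is reached over TLS; without that, readers have no way to tell why a connection to the provider is rejected.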
Review Comment:
```suggestion
-e TRUSTSTORE_TYPE=PKCS12 \
```
##########
nifi-registry/nifi-registry-core/nifi-registry-docker/dockerhub/README.md:
##########
@@ -124,6 +124,39 @@ The following, optional environment variables may be added
to the above command
-e LDAP_TLS_TRUSTSTORE_PASSWORD: ''
-e LDAP_TLS_TRUSTSTORE_TYPE: ''
+### Standalone Instance secured with HTTPS and OpenID Authentication
+In this configuration, the user will need to provide certificates and
associated configuration information.
+Of particular note, is the `AUTH` environment variable which is set to `oidc`.
Additionally, the user must provide a
+in the `INITIAL_ADMIN_IDENTITY` environment variable. This value will be used
to seed the instance with an initial
+user with administrative privileges.
+
+### For a minimal, connection to an OpenID server
+
+ docker run --name nifi-registry \
+ -v $(pwd)/certs/localhost:/opt/certs \
+ -p 18443:18443 \
+ -e AUTH=oidc \
+ -e KEYSTORE_PATH=/opt/certs/keystore.jks \
+ -e KEYSTORE_TYPE=JKS \
+ -e KEYSTORE_PASSWORD=QKZv1hSWAFQYZ+WU1jjF5ank+l4igeOfQRp+OSbkkrs \
+ -e TRUSTSTORE_PATH=/opt/certs/truststore.jks \
+ -e TRUSTSTORE_PASSWORD=rHkWR1gDNW3R9hgbeRsT3OM3Ue0zwGtQqcFKJD2EXWE \
Review Comment:
```suggestion
-e TRUSTSTORE_PASSWORD=PLACEHOLDER \
```
##########
nifi-registry/nifi-registry-core/nifi-registry-docker/dockerhub/README.md:
##########
@@ -124,6 +124,39 @@ The following, optional environment variables may be added
to the above command
-e LDAP_TLS_TRUSTSTORE_PASSWORD: ''
-e LDAP_TLS_TRUSTSTORE_TYPE: ''
+### Standalone Instance secured with HTTPS and OpenID Authentication
+In this configuration, the user will need to provide certificates and
associated configuration information.
+Of particular note, is the `AUTH` environment variable which is set to `oidc`.
Additionally, the user must provide a
+in the `INITIAL_ADMIN_IDENTITY` environment variable. This value will be used
to seed the instance with an initial
+user with administrative privileges.
+
+### For a minimal, connection to an OpenID server
+
+ docker run --name nifi-registry \
+ -v $(pwd)/certs/localhost:/opt/certs \
+ -p 18443:18443 \
+ -e AUTH=oidc \
+ -e KEYSTORE_PATH=/opt/certs/keystore.jks \
+ -e KEYSTORE_TYPE=JKS \
+ -e KEYSTORE_PASSWORD=QKZv1hSWAFQYZ+WU1jjF5ank+l4igeOfQRp+OSbkkrs \
+ -e TRUSTSTORE_PATH=/opt/certs/truststore.jks \
+ -e TRUSTSTORE_PASSWORD=rHkWR1gDNW3R9hgbeRsT3OM3Ue0zwGtQqcFKJD2EXWE \
+ -e TRUSTSTORE_TYPE=JKS \
+ -e INITIAL_ADMIN_IDENTITY='test' \
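Review bot: `-e INITIAL_ADMIN_IDENTITY='test'` is the only value in the command that is shell-quoted, which suggests it is special when it is not; use the same unquoted placeholder style as the other variables. The surrounding text should also say that this value has to equal, character for character, the claim value the provider returns for the administrator, since that string comparison is how the seeded admin is recognised at first login.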
Review Comment:
```suggestion
-e INITIAL_ADMIN_IDENTITY=PLACEHOLDER_USER \
```
##########
nifi-registry/nifi-registry-core/nifi-registry-docker/dockerhub/README.md:
##########
@@ -124,6 +124,39 @@ The following, optional environment variables may be added
to the above command
-e LDAP_TLS_TRUSTSTORE_PASSWORD: ''
-e LDAP_TLS_TRUSTSTORE_TYPE: ''
+### Standalone Instance secured with HTTPS and OpenID Authentication
+In this configuration, the user will need to provide certificates and
associated configuration information.
+Of particular note, is the `AUTH` environment variable which is set to `oidc`.
Additionally, the user must provide a
+in the `INITIAL_ADMIN_IDENTITY` environment variable. This value will be used
to seed the instance with an initial
+user with administrative privileges.
+
+### For a minimal, connection to an OpenID server
+
+ docker run --name nifi-registry \
+ -v $(pwd)/certs/localhost:/opt/certs \
+ -p 18443:18443 \
+ -e AUTH=oidc \
+ -e KEYSTORE_PATH=/opt/certs/keystore.jks \
+ -e KEYSTORE_TYPE=JKS \
+ -e KEYSTORE_PASSWORD=QKZv1hSWAFQYZ+WU1jjF5ank+l4igeOfQRp+OSbkkrs \
+ -e TRUSTSTORE_PATH=/opt/certs/truststore.jks \
Review Comment:
```suggestion
-e TRUSTSTORE_PATH=/opt/certs/truststore.p12 \
```
##########
nifi-registry/nifi-registry-core/nifi-registry-docker/dockerhub/README.md:
##########
@@ -124,6 +124,39 @@ The following, optional environment variables may be added
to the above command
-e LDAP_TLS_TRUSTSTORE_PASSWORD: ''
-e LDAP_TLS_TRUSTSTORE_TYPE: ''
+### Standalone Instance secured with HTTPS and OpenID Authentication
+In this configuration, the user will need to provide certificates and
associated configuration information.
+Of particular note, is the `AUTH` environment variable which is set to `oidc`.
Additionally, the user must provide a
+in the `INITIAL_ADMIN_IDENTITY` environment variable. This value will be used
to seed the instance with an initial
+user with administrative privileges.
+
+### For a minimal, connection to an OpenID server
+
+ docker run --name nifi-registry \
+ -v $(pwd)/certs/localhost:/opt/certs \
+ -p 18443:18443 \
+ -e AUTH=oidc \
+ -e KEYSTORE_PATH=/opt/certs/keystore.jks \
+ -e KEYSTORE_TYPE=JKS \
+ -e KEYSTORE_PASSWORD=QKZv1hSWAFQYZ+WU1jjF5ank+l4igeOfQRp+OSbkkrs \
+ -e TRUSTSTORE_PATH=/opt/certs/truststore.jks \
+ -e TRUSTSTORE_PASSWORD=rHkWR1gDNW3R9hgbeRsT3OM3Ue0zwGtQqcFKJD2EXWE \
+ -e TRUSTSTORE_TYPE=JKS \
+ -e INITIAL_ADMIN_IDENTITY='test' \
+ -e
NIFI_REGISTRY_SECURITY_USER_OIDC_DISCOVERY_URL=http://OPENID_SERVER_URL/auth/realms/OPENID_REALM/.well-known/openid-configuration
\
+ -e NIFI_REGISTRY_SECURITY_USER_OIDC_CONNECT_TIMEOUT=10000 \
+ -e NIFI_REGISTRY_SECURITY_USER_OIDC_READ_TIMEOUT=10000 \
+ -e NIFI_REGISTRY_SECURITY_USER_OIDC_CLIENT_ID=nifi \
+ -e
NIFI_REGISTRY_SECURITY_USER_OIDC_CLIENT_SECRET=tU47ugXO308WZqf5TtylyoMX3xH6W0kN
\
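Review bot: Passing `NIFI_REGISTRY_SECURITY_USER_OIDC_CLIENT_SECRET=...` on the `docker run` command line puts the client secret into shell history and leaves it readable through `docker inspect`, and the same applies to `KEYSTORE_PASSWORD` and `TRUSTSTORE_PASSWORD` earlier in the command. Beyond replacing the literal with a placeholder, the README should point readers to `--env-file` or a secrets mechanism for these three variables.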
Review Comment:
```suggestion
-e NIFI_REGISTRY_SECURITY_USER_OIDC_CLIENT_SECRET=CLIENT_SECRET \
```
##########
nifi-registry/nifi-registry-core/nifi-registry-docker/dockerhub/README.md:
##########
@@ -124,6 +124,39 @@ The following, optional environment variables may be added
to the above command
-e LDAP_TLS_TRUSTSTORE_PASSWORD: ''
-e LDAP_TLS_TRUSTSTORE_TYPE: ''
+### Standalone Instance secured with HTTPS and OpenID Authentication
+In this configuration, the user will need to provide certificates and
associated configuration information.
+Of particular note, is the `AUTH` environment variable which is set to `oidc`.
Additionally, the user must provide a
+in the `INITIAL_ADMIN_IDENTITY` environment variable. This value will be used
to seed the instance with an initial
+user with administrative privileges.
+
+### For a minimal, connection to an OpenID server
+
+ docker run --name nifi-registry \
+ -v $(pwd)/certs/localhost:/opt/certs \
+ -p 18443:18443 \
+ -e AUTH=oidc \
+ -e KEYSTORE_PATH=/opt/certs/keystore.jks \
+ -e KEYSTORE_TYPE=JKS \
+ -e KEYSTORE_PASSWORD=QKZv1hSWAFQYZ+WU1jjF5ank+l4igeOfQRp+OSbkkrs \
+ -e TRUSTSTORE_PATH=/opt/certs/truststore.jks \
+ -e TRUSTSTORE_PASSWORD=rHkWR1gDNW3R9hgbeRsT3OM3Ue0zwGtQqcFKJD2EXWE \
+ -e TRUSTSTORE_TYPE=JKS \
+ -e INITIAL_ADMIN_IDENTITY='test' \
+ -e
NIFI_REGISTRY_SECURITY_USER_OIDC_DISCOVERY_URL=http://OPENID_SERVER_URL/auth/realms/OPENID_REALM/.well-known/openid-configuration
\
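Review bot: The discovery URL in this hunk uses `http://`. The document fetched from `.well-known/openid-configuration` supplies the authorization, token and JWKS endpoints, so an unauthenticated transport lets all of them be substituted; the example should use `https://`, and the text should say that plain HTTP is only acceptable for local testing.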
Review Comment:
The URL path should be reduced from the standard well-known relative path:
```suggestion
-e
NIFI_REGISTRY_SECURITY_USER_OIDC_DISCOVERY_URL=http://OIDC_SERVER/.well-known/openid-configuration
\
```
##########
nifi-registry/nifi-registry-core/nifi-registry-docker/dockerhub/README.md:
##########
@@ -124,6 +124,39 @@ The following, optional environment variables may be added
to the above command
-e LDAP_TLS_TRUSTSTORE_PASSWORD: ''
-e LDAP_TLS_TRUSTSTORE_TYPE: ''
+### Standalone Instance secured with HTTPS and OpenID Authentication
+In this configuration, the user will need to provide certificates and
associated configuration information.
+Of particular note, is the `AUTH` environment variable which is set to `oidc`.
Additionally, the user must provide a
+in the `INITIAL_ADMIN_IDENTITY` environment variable. This value will be used
to seed the instance with an initial
+user with administrative privileges.
+
+### For a minimal, connection to an OpenID server
+
+ docker run --name nifi-registry \
+ -v $(pwd)/certs/localhost:/opt/certs \
+ -p 18443:18443 \
+ -e AUTH=oidc \
+ -e KEYSTORE_PATH=/opt/certs/keystore.jks \
+ -e KEYSTORE_TYPE=JKS \
+ -e KEYSTORE_PASSWORD=QKZv1hSWAFQYZ+WU1jjF5ank+l4igeOfQRp+OSbkkrs \
+ -e TRUSTSTORE_PATH=/opt/certs/truststore.jks \
+ -e TRUSTSTORE_PASSWORD=rHkWR1gDNW3R9hgbeRsT3OM3Ue0zwGtQqcFKJD2EXWE \
+ -e TRUSTSTORE_TYPE=JKS \
+ -e INITIAL_ADMIN_IDENTITY='test' \
+ -e
NIFI_REGISTRY_SECURITY_USER_OIDC_DISCOVERY_URL=http://OPENID_SERVER_URL/auth/realms/OPENID_REALM/.well-known/openid-configuration
\
+ -e NIFI_REGISTRY_SECURITY_USER_OIDC_CONNECT_TIMEOUT=10000 \
+ -e NIFI_REGISTRY_SECURITY_USER_OIDC_READ_TIMEOUT=10000 \
+ -e NIFI_REGISTRY_SECURITY_USER_OIDC_CLIENT_ID=nifi \
+ -e
NIFI_REGISTRY_SECURITY_USER_OIDC_CLIENT_SECRET=tU47ugXO308WZqf5TtylyoMX3xH6W0kN
\
+ -e NIFI_REGISTRY_SECURITY_USER_OIDC_PREFERRED_JWSALGORITHM=RS256 \
+ -e NIFI_REGISTRY_SECURITY_USER_OIDC_ADDITIONAL_SCOPES=email \
+ -e
NIFI_REGISTRY_SECURITY_USER_OIDC_CLAIM_IDENTIFYING_USER=preferred_username \
+ -d \
+ apache/nifi-registry:latest
+
+- Make sure you've created realm, client and user in OpenID Server before with
the same user name defined in `INITIAL_ADMIN_IDENTITY` environment variable
+- You can read more information about theses Nifi security OIDC configurations
in this following link:
[https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#openid_connect](https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#openid_connect)
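Review bot: If the last added bullet is kept, "theses Nifi" should read "these NiFi". More importantly, the bullet that asks readers to create a realm, client and user at the provider does not tell them which redirect URI to register for the registry client; that is the part of the provider setup the README is best placed to document, since the URI follows from the host and the `18443` port mapped in the command above.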
Review Comment:
As this applies to NiFi but not NiFi Registry, this line should be removed.
```suggestion
```
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]