Juan C. Sequeiros created NIFI-12658:
----------------------------------------
Summary: Add an include list for users and / or groups when
configuring ShellUserGroupProvider
Key: NIFI-12658
URL: https://issues.apache.org/jira/browse/NIFI-12658
Project: Apache NiFi
Issue Type: New Feature
Reporter: Juan C. Sequeiros
When setting up a host to use sssd, it is a general best practice to set the [pam]
section of the sssd.conf file with the following value (it might even be the default):
enumerate = false
This prevents the underlying commands from returning results.
https://github.com/apache/nifi/blob/3fcf5f25b4c705f6909d058d81a7b8b6d6a648f1/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-shell-authorizer/src/main/java/org/apache/nifi/authorization/NssShellCommands.java#L29
In general:
getent group
getent passwd
will only return local groups and users if the sssd.conf file has:
enumerate = false
However, setting enumerate = true could have a performance impact and cause underlying
issues.
Snippet from the sssd.conf man pages:
"
enumerate (bool)
Determines if a domain can be enumerated, that is, whether the domain can list all the users and groups it contains. Note that it is not required to enable enumeration in order for secondary groups to be displayed. This parameter can have one of the following values:
TRUE = Users and groups are enumerated
FALSE = No enumerations for this domain
Default: FALSE
Enumerating a domain requires SSSD to download and store ALL user and group entries from the remote server.
Note: Enabling enumeration has a moderate performance impact on SSSD while enumeration is running. It may take up to several minutes after SSSD startup to fully complete enumerations. During this time, individual requests for information will go directly to LDAP, though it may be slow, due to the heavy enumeration processing. Saving a large number of entries to cache after the enumeration completes might also be CPU intensive as the memberships have to be recomputed. This can lead to the “sssd_be” process becoming unresponsive or even restarted by the internal watchdog.
While the first enumeration is running, requests for the complete user or group lists may return no results until it completes.
Further, enabling enumeration may increase the time necessary to detect network disconnection, as longer timeouts are required to ensure that enumeration lookups are completed successfully. For more information, refer to the man pages for the specific id_provider in use.
For the reasons cited above, enabling enumeration is not recommended, especially in large environments.
"
Instead of setting enumeration, propose to introduce 2 additional property
fields for ShellUserGroupProvider to allow for:
Include Users
Include Groups
the same way that today it has the property settings for:
public static final String EXCLUDE_USER_PROPERTY = "Exclude Users";
public static final String EXCLUDE_GROUP_PROPERTY = "Exclude Groups";
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
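An added example, not NiFi's code and not part of the issue above, of what an include list buys you: each included name is resolved with a single-key NSS lookup (`getent passwd NAME`, `getent group NAME`), which sssd answers without enumeration, instead of listing the whole database (`getent passwd`), which only returns local entries when `enumerate = false`. Names that do not resolve are returned separately rather than silently dropped, so an authorizer that ends up with a smaller identity set than configured is noticeable. The `User`/`Group` classes, `resolve`, the injectable runner and the sample getent lines are constructed for illustration; the regex exclusion mirrors the provider's existing Exclude Users/Groups properties on the assumption that those are regular expressions matched against the whole name.

```python
"""Resolve an explicit include list of users and groups through per-name NSS
lookups instead of database enumeration.  Illustrative code, not NiFi's."""
import re
import subprocess
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


@dataclass(frozen=True)
class User:
    name: str
    uid: int
    gid: int


@dataclass(frozen=True)
class Group:
    name: str
    gid: int
    members: tuple  # login names from the 4th field of a group entry


# runner(database, key) -> getent output for that key, or None if unknown
Runner = Callable[[str, str], Optional[str]]


def getent_lookup(database: str, key: str) -> Optional[str]:
    """Default runner: one NSS lookup per key (`getent passwd alice`), which
    sssd serves from cache/LDAP even with enumerate = false.  getent exits 2
    when the key is unknown; map that to None instead of raising."""
    proc = subprocess.run(["getent", database, key],
                          capture_output=True, text=True, check=False)
    return proc.stdout if proc.returncode == 0 else None


def parse_passwd(line: str) -> User:
    # name:passwd:uid:gid:gecos:home:shell
    fields = line.rstrip("\n").split(":")
    if len(fields) < 7:
        raise ValueError(f"malformed passwd entry: {line!r}")
    return User(fields[0], int(fields[2]), int(fields[3]))


def parse_group(line: str) -> Group:
    # name:passwd:gid:member1,member2,...  (member list may be empty)
    fields = line.rstrip("\n").split(":")
    if len(fields) < 4:
        raise ValueError(f"malformed group entry: {line!r}")
    members = tuple(m for m in fields[3].split(",") if m)
    return Group(fields[0], int(fields[2]), members)


def resolve(database: str, include: List[str], exclude_regex: str = "",
            runner: Runner = getent_lookup) -> Tuple[list, List[str]]:
    """Look up each included name individually in `database` ("passwd" or
    "group").  Returns (found, missing): entries that resolved, and included
    names that NSS did not know, so a shrunken identity set is visible.
    `exclude_regex` is assumed to work like the provider's Exclude Users /
    Exclude Groups properties: a regex matched against the whole name."""
    if database not in ("passwd", "group"):
        raise ValueError(f"unsupported database: {database}")
    parser = parse_passwd if database == "passwd" else parse_group
    exclude = re.compile(exclude_regex) if exclude_regex else None
    found, missing = [], []
    for name in include:
        if exclude and exclude.fullmatch(name):
            continue
        out = runner(database, name)
        if not out:
            missing.append(name)
            continue
        # getent prints exactly one line for a single key lookup
        found.append(parser(out.splitlines()[0]))
    return found, missing


# Constructed sample output (not captured from a real host) standing in for
# what `getent passwd NAME` / `getent group NAME` print on a domain-joined box.
FAKE_NSS = {
    ("passwd", "alice"): "alice:*:10001:10001:Alice:/home/alice:/bin/bash\n",
    ("passwd", "svc_nifi"): "svc_nifi:*:10002:10002::/var/lib/nifi:/sbin/nologin\n",
    ("group", "nifi-admins"): "nifi-admins:*:20001:alice,bob\n",
    ("group", "nifi-readers"): "nifi-readers:*:20002:\n",
}


def fake_runner(database: str, key: str) -> Optional[str]:
    """Offline runner over the constructed entries above."""
    return FAKE_NSS.get((database, key))


if __name__ == "__main__":
    # Offline demo; swap runner=getent_lookup to query the real NSS stack.
    print(resolve("passwd", ["alice", "svc_nifi", "mallory"], runner=fake_runner))
    print(resolve("group", ["nifi-admins", "nifi-readers"], runner=fake_runner))
```

With the real `getent_lookup` runner this works against a host where `getent passwd` lists only local accounts, because a keyed lookup never requires enumeration; the `missing` list is the check worth surfacing in logs, since an include-listed name that fails to resolve usually means a typo in the property or an NSS/sssd configuration problem, not an intentionally absent user.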