Matthew Clarke created NIFI-13409:
-------------------------------------
Summary: NiFi Identity mappings stacking rather than first match only being applied
Key: NIFI-13409
URL: https://issues.apache.org/jira/browse/NIFI-13409
Project: Apache NiFi
Issue Type: Bug
Affects Versions: 1.23.1, 1.18.0
Reporter: Matthew Clarke
Observed that NiFi is evaluating user identities against multiple configured
mapping patterns and applying the value and transform for each matched pattern.
According to the documentation, the expected behavior is that mappings are evaluated
in lexicographical order and only the first match has its value and transform
applied.
Let's assume I have a node certificate with "CN=nifi-node1, ST=MD, C=US" and an
LDAP username "nifiadmin" for the purposes of these observations and tests.
TEST 1:
Configured identity.mappings:
nifi.security.identity.mapping.pattern.dn=^CN=(.*?),\s{0,1}.+$
nifi.security.identity.mapping.transform.dn=NONE
nifi.security.identity.mapping.value.dn=$1
nifi.security.identity.mapping.pattern.ldap=^(.*)$
nifi.security.identity.mapping.transform.ldap=UPPER
nifi.security.identity.mapping.value.ldap=$1
Observations:
1. The nodes DN did have CN value extracted and also uppercased
NIFI-NODE1 <-- unexpected
2. My ldap users are transformed to all uppercase
NIFIADMIN <-- expected
TEST 2:
Configured identity.mappings:
nifi.security.identity.mapping.pattern.dn=^CN=(.*?),\s{0,1}.+$
nifi.security.identity.mapping.transform.dn=NONE
nifi.security.identity.mapping.value.dn=$1
nifi.security.identity.mapping.pattern.ldap=^(.*)$
nifi.security.identity.mapping.transform.ldap=UPPER
nifi.security.identity.mapping.value.ldap=$1
nifi.security.identity.mapping.pattern.username=^(.*)$
nifi.security.identity.mapping.transform.username=LOWER
nifi.security.identity.mapping.value.username=$1
Observations:
1. The nodes DN did have CN value extracted and also uppercased
NIFI-NODE1 <-- unexpected
2. My ldap users are transformed to all uppercase
NIFIADMIN <-- unexpected (assumed it would be lower if being stacked since the
"username" mapping would be evaluated after the "ldap" mapping)
TEST 3:
Configured identity.mappings:
nifi.security.identity.mapping.pattern.dn=^CN=(.*?),\s{0,1}.+$
nifi.security.identity.mapping.transform.dn=NONE
nifi.security.identity.mapping.value.dn=$1
nifi.security.identity.mapping.pattern.ldap=^(.*)$
nifi.security.identity.mapping.transform.ldap=LOWER
nifi.security.identity.mapping.value.ldap=$1
nifi.security.identity.mapping.pattern.username=^(.*)$
nifi.security.identity.mapping.transform.username=UPPER
nifi.security.identity.mapping.value.username=$1
Observations:
1. The nodes DN did have CN value extracted and also uppercased
nifi-node1 <-- expected
2. My ldap users are transformed to all uppercase
nifiadmin <-- expected
Here everything remained lowercase as expected (note that both "ldap" and
"username" have the same pattern regex set).
TEST 4:
Configured identity.mappings:
nifi.security.identity.mapping.pattern.dn=^CN=(.*?),\s{0,1}.+$
nifi.security.identity.mapping.transform.dn=NONE
nifi.security.identity.mapping.value.dn=$1
nifi.security.identity.mapping.pattern.ldap=^ldap(.*?)$
nifi.security.identity.mapping.transform.ldap=LOWER
nifi.security.identity.mapping.value.ldap=$1
nifi.security.identity.mapping.pattern.username=^(.*)$
nifi.security.identity.mapping.transform.username=UPPER
nifi.security.identity.mapping.value.username=$1
Observations:
1. The nodes DN did have CN value extracted and also uppercased
NIFI-NODE1 <-- unexpected
2. My ldap users are transformed to all uppercase
NIFIADMIN <-- expected
It appears that when multiple mappings have the same pattern regex, only the first
has its value and transform stacked.
TEST 5:
Configured identity.mappings:
nifi.security.identity.mapping.pattern.dn=^CN=(.*?),\s{0,1}.+$
nifi.security.identity.mapping.transform.dn=NONE
nifi.security.identity.mapping.value.dn=$1
nifi.security.identity.mapping.pattern.ldap=^ldap(.*?)$
nifi.security.identity.mapping.transform.ldap=LOWER
nifi.security.identity.mapping.value.ldap=$1
nifi.security.identity.mapping.pattern.username=^(.*).test$
nifi.security.identity.mapping.transform.username=UPPER
nifi.security.identity.mapping.value.username=$1
Observations:
This test was to see if only transforms were being stacked or both value and
transform were stacking.
1. The nodes DN did have CN value extracted and also uppercased
NIFI-NODE1.TEST <-- unexpected
2. My ldap users are transformed to all uppercase
NIFIADMIN.TEST <-- expected
This unexpected behavior causes issues when identities are coming from multiple
sources and a user needs to uniquely manipulate those source identities. If one
pattern trims to a value that then matches another pattern, values and
transforms stack.
The expectation is that identity mappings are evaluated by property name in
lexicographical order and only the first matching pattern has its corresponding
value and transform applied, ignoring all other matching patterns.
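The two evaluation strategies the report contrasts, modelled in Python as an added example (this is not NiFi's own code): the TEST 1 properties are reproduced as a constructed dictionary, `first_match_only=True` is the documented behavior, and `first_match_only=False` feeds each mapping's output into the next pattern, which is the stacking described above. Treating a missing transform as NONE is an assumption.

```python
import re

PREFIX = "nifi.security.identity.mapping."

# Constructed copy of the TEST 1 properties from the report.
TEST1_PROPERTIES = {
    PREFIX + "pattern.dn": r"^CN=(.*?),\s{0,1}.+$",
    PREFIX + "transform.dn": "NONE",
    PREFIX + "value.dn": "$1",
    PREFIX + "pattern.ldap": r"^(.*)$",
    PREFIX + "transform.ldap": "UPPER",
    PREFIX + "value.ldap": "$1",
}


def load_mappings(props):
    """Return (key, compiled pattern, value, transform) in lexicographical key order."""
    keys = sorted(k[len(PREFIX + "pattern."):] for k in props
                  if k.startswith(PREFIX + "pattern."))
    return [(key,
             re.compile(props[PREFIX + "pattern." + key]),
             props[PREFIX + "value." + key],
             props.get(PREFIX + "transform." + key, "NONE"))  # assumption: default NONE
            for key in keys]


def apply_transform(value, transform):
    if transform == "UPPER":
        return value.upper()
    if transform == "LOWER":
        return value.lower()
    return value


def map_identity(identity, mappings, first_match_only=True):
    """Map an identity. With first_match_only=False the result of one mapping is
    re-evaluated against the later patterns, reproducing the stacking in the report."""
    current = identity
    for _key, pattern, value, transform in mappings:
        match = pattern.match(current)
        if not match:
            continue
        # Translate Java-style $N group references into Python's \g<N> form.
        expanded = match.expand(re.sub(r"\$(\d+)", r"\\g<\1>", value))
        current = apply_transform(expanded, transform)
        if first_match_only:
            break
    return current


if __name__ == "__main__":
    for mode in (True, False):
        print(mode, map_identity("CN=nifi-node1, ST=MD, C=US",
                                 load_mappings(TEST1_PROPERTIES), mode))
```

The node DN comes out as nifi-node1 under first-match semantics and as NIFI-NODE1 when the mappings stack, which matches observation 1 of TEST 1.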