[ https://issues.apache.org/jira/browse/NIFI-15141?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

segad44 updated NIFI-15141:
---------------------------
    Description: 
NiFi does not send all identity information of the user when proxying requests 
to NiFi Registry.
This causes issues when NiFi Registry verifies user permissions.

As a result, if only the group of the OIDC user is declared on NiFi Registry, 
the user cannot start a flow versioning.

This issue concerns NiFi with the OIDC provisioner (others not tested).

h3. To reproduce

Tried with versions 2.4.0 and 2.5.0; with 2.6.0 another issue blocks me at step 2.

Basic OIDC setup:
1. Configure NiFi and NiFi Registry with OIDC
2. Declare the group datascientist on both NiFi and NiFi Registry and give it all user permissions
    a. NiFi: view, modify, operate the main process group + view the controller
    b. NiFi Registry: can manage bucket
3. On the IdP, create the user `user-a` in the group datascientist

At this point, everything works as expected: the user can access NiFi and NiFi Registry with the correct permissions.

Now, associate NiFi with NiFi Registry:
4. Create a keystore with an mTLS client certificate for NiFi to authenticate with NiFi Registry
5. On NiFi, create a NifiRegistryFlowRegistryClient with the previous keystore
6. On NiFi Registry, create a bucket `test`
7. On NiFi Registry, create the user `CN=nifi` with the permissions "can proxy 
user requests"

The issue is that `user-a` cannot start versioning a flow from NiFi.
But he should be able to, because of his permissions from the `datascientist` group.

h3. Additional information

When NiFi tries to get buckets on NiFi Registry, the HTTP request to nifi-api is:

{code}
GET https://localhost:8443/nifi-api/flow/registries/00ea78fd-019a-1000-2e8c-3915df4085d6/buckets
{code}

The result is an empty list:

{code}
"buckets": []
{code}
The JWT is valid and contains the datascientist group for `user-a`.

Decoded payload from JWT Cookie:
{code}
{
   "sub": "[email protected]",
   "aud": "https://e5a83c398392:8443",
   "nbf": 1760963601,
   "iss": "https://e5a83c398392:8443",
   "groups": [
     "datascientist"
   ],
   "preferred_username": "[email protected]",
   "exp": 1760963661,
   "iat": 1760963601,
   "jti": "f88c463d-dce9-4048-b155-fcba3d2bf765"
}
{code}
h3. Workaround

We must declare the users on NiFi Registry and associate them with the correct group.
Thus the user is known on NiFi Registry and associated with the groups that have the required permissions on the buckets.
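A NiFi Registry users.xml (file-based user group provider) that applies this workaround, added here as an illustration and not taken from the issue: user-a is declared as a local user and placed in the datascientist group next to the CN=nifi proxy identity, so the authorizer resolves group membership locally instead of relying on groups forwarded by NiFi. The identifiers are constructed placeholders, and the user identity (assumed here to be user-a@example.com) must match exactly the identity NiFi forwards, which depends on NiFi's identifying claim and identity-mapping settings.

```xml
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<!-- NiFi Registry users.xml for the file-based user group provider.
     Illustrative example; identifiers are constructed placeholders. -->
<tenants>
    <groups>
        <!-- Group that carries the bucket permissions in authorizations.xml.
             Membership is resolved locally, so it works even though NiFi
             does not forward the OIDC groups claim when proxying. -->
        <group identifier="11111111-aaaa-4bbb-8ccc-000000000001" name="datascientist">
            <user identifier="22222222-aaaa-4bbb-8ccc-000000000002"/>
        </group>
    </groups>
    <users>
        <!-- Identity NiFi presents with its mTLS client certificate;
             it needs the "can proxy user requests" policy. -->
        <user identifier="33333333-aaaa-4bbb-8ccc-000000000003" identity="CN=nifi"/>
        <!-- Proxied end user. The identity must match byte-for-byte the
             identity NiFi forwards for user-a (assumed: user-a@example.com). -->
        <user identifier="22222222-aaaa-4bbb-8ccc-000000000002" identity="user-a@example.com"/>
    </users>
</tenants>
```

If the identity string does not match what NiFi forwards, the user remains unknown to NiFi Registry and the bucket list stays empty, exactly as in the report.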


> OpenID Connect groups are not forwarded when proxing request to NiFi Registry
> -----------------------------------------------------------------------------
>
>                 Key: NIFI-15141
>                 URL: https://issues.apache.org/jira/browse/NIFI-15141
>             Project: Apache NiFi
>          Issue Type: Bug
>          Components: NiFi API, NiFi Registry
>    Affects Versions: 2.4.0, 2.5.0
>         Environment: docker compose, Kubernetes
>            Reporter: segad44
>            Priority: Major
>



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
