[
https://issues.apache.org/jira/browse/NIFI-13409?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Pierre Villard resolved NIFI-13409.
-----------------------------------
Resolution: Feedback Received
Apache NiFi 1.x is no longer maintained and no new release is planned on the
1.x release line. Marking as resolved as part of a cleanup operation. Please
open a new one with an updated description if this is still relevant for NiFi
2.x.
> NiFi Identity mappings stacking rather than first match only being applied
> --------------------------------------------------------------------------
>
> Key: NIFI-13409
> URL: https://issues.apache.org/jira/browse/NIFI-13409
> Project: Apache NiFi
> Issue Type: Bug
> Affects Versions: 1.18.0, 1.23.1
> Reporter: Matthew Clarke
> Assignee: Simon Bence
> Priority: Critical
> Time Spent: 1.5h
> Remaining Estimate: 0h
>
> Observed that NiFi is evaluating user identities against multiple configured
> mapping patterns and applying the value and transforms for each matched
> pattern.
> According to documentation, the expected behavior is that mappings are
> evaluated in lexicographical order and only the first match has its value and
> transform applied.
> Let's assume I have a node certificate with "CN=nifi-node1, ST=MD, C=US" and an
> LDAP username "nifiadmin" for the purposes of these observations and tests.
> TEST 1:
> Configured identity.mappings:
> nifi.security.identity.mapping.pattern.dn=^CN=(.*?),\s{0,1}.+$
> nifi.security.identity.mapping.transform.dn=NONE
> nifi.security.identity.mapping.value.dn=$1
> nifi.security.identity.mapping.pattern.ldap=^(.*)$
> nifi.security.identity.mapping.transform.ldap=UPPER
> nifi.security.identity.mapping.value.ldap=$1
> Observations:
> 1. The node's DN did have the CN value extracted and was also uppercased
> NIFI-NODE1 <-- unexpected
> 2. My LDAP users are transformed to all uppercase
> NIFIADMIN <-- expected
> TEST 2:
> Configured identity.mappings:
> nifi.security.identity.mapping.pattern.dn=^CN=(.*?),\s{0,1}.+$
> nifi.security.identity.mapping.transform.dn=NONE
> nifi.security.identity.mapping.value.dn=$1
> nifi.security.identity.mapping.pattern.ldap=^(.*)$
> nifi.security.identity.mapping.transform.ldap=UPPER
> nifi.security.identity.mapping.value.ldap=$1
> nifi.security.identity.mapping.pattern.username=^(.*)$
> nifi.security.identity.mapping.transform.username=LOWER
> nifi.security.identity.mapping.value.username=$1
> Observations:
> 1. The node's DN did have the CN value extracted and was also uppercased
> NIFI-NODE1 <-- unexpected
> 2. My LDAP users are transformed to all uppercase
> NIFIADMIN <-- unexpected (assumed it would be lower if being stacked since the
> "username" mapping would be evaluated after the "ldap" mapping)
> TEST 3:
> Configured identity.mappings:
> nifi.security.identity.mapping.pattern.dn=^CN=(.*?),\s{0,1}.+$
> nifi.security.identity.mapping.transform.dn=NONE
> nifi.security.identity.mapping.value.dn=$1
> nifi.security.identity.mapping.pattern.ldap=^(.*)$
> nifi.security.identity.mapping.transform.ldap=LOWER
> nifi.security.identity.mapping.value.ldap=$1
> nifi.security.identity.mapping.pattern.username=^(.*)$
> nifi.security.identity.mapping.transform.username=UPPER
> nifi.security.identity.mapping.value.username=$1
> Observations:
> 1. The node's DN did have the CN value extracted and was also uppercased
> nifi-node1 <-- expected
> 2. My LDAP users are transformed to all uppercase
> nifiadmin <-- expected
> Here everything remained lowercase as expected (note that both "ldap" and
> "username" have the same pattern regex set).
> TEST 4:
> Configured identity.mappings:
> nifi.security.identity.mapping.pattern.dn=^CN=(.*?),\s{0,1}.+$
> nifi.security.identity.mapping.transform.dn=NONE
> nifi.security.identity.mapping.value.dn=$1
> nifi.security.identity.mapping.pattern.ldap=^ldap(.*?)$
> nifi.security.identity.mapping.transform.ldap=LOWER
> nifi.security.identity.mapping.value.ldap=$1
> nifi.security.identity.mapping.pattern.username=^(.*)$
> nifi.security.identity.mapping.transform.username=UPPER
> nifi.security.identity.mapping.value.username=$1
> Observations:
> 1. The node's DN did have the CN value extracted and was also uppercased
> NIFI-NODE1 <-- unexpected
> 2. My LDAP users are transformed to all uppercase
> NIFIADMIN <-- expected
> It appears that when multiple mappings have the same pattern regex, only the
> first has its value and transform stacked.
> TEST 5:
> Configured identity.mappings:
> nifi.security.identity.mapping.pattern.dn=^CN=(.*?),\s{0,1}.+$
> nifi.security.identity.mapping.transform.dn=NONE
> nifi.security.identity.mapping.value.dn=$1
> nifi.security.identity.mapping.pattern.ldap=^ldap(.*?)$
> nifi.security.identity.mapping.transform.ldap=LOWER
> nifi.security.identity.mapping.value.ldap=$1
> nifi.security.identity.mapping.pattern.username=^(.*)$
> nifi.security.identity.mapping.transform.username=UPPER
> nifi.security.identity.mapping.value.username=$1.test
> Observations:
> This test was to see if only transforms were being stacked or both value and
> transform were stacking.
> 1. The node's DN did have the CN value extracted and was also uppercased
> NIFI-NODE1.TEST <-- unexpected
> 2. My LDAP users are transformed to all uppercase
> NIFIADMIN.TEST <-- expected
> This unexpected behavior causes issues when identities are coming from
> multiple sources and the user needs to uniquely manipulate those source
> identities. If one pattern trims to a value that then matches another
> pattern, values and transforms stack.
> The expectation is that identity mappings are evaluated by property name in
> lexicographical order and only the first matching pattern has its
> corresponding value and transform applied, ignoring all other matching
> patterns.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
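The mapping tables in the ticket can be checked offline. The Python model below is an added example, not NiFi's own code, and nothing in the ticket says where in NiFi the extra pass happens, so it does not try to locate it. It implements the documented semantics the reporter expects (mappings ordered by property key, only the first match applied) and then checks whether each mapped identity is a fixed point of the table: if feeding a mapped value back through the same table changes it again, the configuration is exposed to exactly the kind of result the reporter recorded (`nifi-node1` turning into `NIFI-NODE1`, or `NIFI-NODE1.TEST`). The property names, regexes, transforms and sample identities are taken from the ticket's TEST 1, 3 and 5; the function names `load_mappings`, `map_identity` and `unstable_identities`, the translation of Java-style `$N` back-references to Python's `\g<N>`, and the `NONE` default for a missing transform property are this example's own assumptions.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# Property prefix from nifi.properties, as quoted in the ticket.
PREFIX = "nifi.security.identity.mapping."

# Sample identities from the ticket.
NODE_DN = "CN=nifi-node1, ST=MD, C=US"
LDAP_USER = "nifiadmin"


@dataclass(frozen=True)
class IdentityMapping:
    key: str        # suffix after "...mapping.pattern.", e.g. "dn", "ldap", "username"
    pattern: str    # Java-style regex from nifi.properties
    value: str      # replacement with Java-style $N back-references, e.g. "$1" or "$1.test"
    transform: str  # NONE, UPPER or LOWER


def load_mappings(props: dict[str, str]) -> list[IdentityMapping]:
    """Collect pattern/value/transform triples, ordered by key (lexicographically,
    so "dn" < "ldap" < "username"). A missing transform defaults to NONE here
    (this example's assumption, not a documented NiFi default)."""
    pattern_prefix = PREFIX + "pattern."
    keys = sorted(k[len(pattern_prefix):] for k in props if k.startswith(pattern_prefix))
    return [
        IdentityMapping(
            key=k,
            pattern=props[f"{PREFIX}pattern.{k}"],
            value=props[f"{PREFIX}value.{k}"],
            transform=props.get(f"{PREFIX}transform.{k}", "NONE").upper(),
        )
        for k in keys
    ]


def _to_python_replacement(value: str) -> str:
    # nifi.properties values use Java's $N back-references; Python's re wants \g<N>.
    return re.sub(r"\$(\d+)", r"\\g<\1>", value)


def _apply_transform(s: str, transform: str) -> str:
    if transform == "NONE":
        return s
    if transform == "UPPER":
        return s.upper()
    if transform == "LOWER":
        return s.lower()
    raise ValueError(f"unknown transform {transform!r}")


def map_identity(identity: str, mappings: list[IdentityMapping]) -> tuple[str, Optional[str]]:
    """First-match-only semantics as the reporter describes them: walk the mappings
    in key order, the first pattern matching the whole identity supplies value and
    transform, everything later is ignored. Returns (mapped identity, key used);
    an identity that matches nothing comes back unchanged with key None."""
    for m in mappings:
        match = re.fullmatch(m.pattern, identity)
        if match:
            replaced = match.expand(_to_python_replacement(m.value))
            return _apply_transform(replaced, m.transform), m.key
    return identity, None


def unstable_identities(identities: list[str], mappings: list[IdentityMapping]) -> list[tuple[str, str, str]]:
    """Fixed-point check: every identity whose mapped value would change if it were
    run through the table a second time, as (source, first pass, second pass).
    A table with no unstable identities gives the same answer no matter how many
    times the mapping is applied to the result."""
    report = []
    for identity in identities:
        first, _ = map_identity(identity, mappings)
        second, _ = map_identity(first, mappings)
        if second != first:
            report.append((identity, first, second))
    return report


def _table(**per_key: tuple[str, str, str]) -> dict[str, str]:
    """Build a nifi.properties-style dict from key=(pattern, transform, value)."""
    props = {}
    for key, (pattern, transform, value) in per_key.items():
        props[f"{PREFIX}pattern.{key}"] = pattern
        props[f"{PREFIX}transform.{key}"] = transform
        props[f"{PREFIX}value.{key}"] = value
    return props


# The ticket's TEST 1, TEST 3 and TEST 5 configurations.
DN_RULE = (r"^CN=(.*?),\s{0,1}.+$", "NONE", "$1")
TEST1 = _table(dn=DN_RULE, ldap=(r"^(.*)$", "UPPER", "$1"))
TEST3 = _table(dn=DN_RULE, ldap=(r"^(.*)$", "LOWER", "$1"), username=(r"^(.*)$", "UPPER", "$1"))
TEST5 = _table(dn=DN_RULE, ldap=(r"^ldap(.*?)$", "LOWER", "$1"), username=(r"^(.*)$", "UPPER", "$1.test"))

if __name__ == "__main__":
    for name, props in (("TEST 1", TEST1), ("TEST 3", TEST3), ("TEST 5", TEST5)):
        mappings = load_mappings(props)
        print(name)
        for ident in (NODE_DN, LDAP_USER):
            print(f"  {ident!r:32} -> {map_identity(ident, mappings)}")
        for ident, first, second in unstable_identities([NODE_DN, LDAP_USER], mappings):
            print(f"  UNSTABLE: {ident!r} -> {first!r} -> {second!r}")
```

Running the TEST 1 table through `unstable_identities` reports the node DN as unstable (`nifi-node1` becomes `NIFI-NODE1` on a second pass) while the LDAP user is stable, TEST 3 reports nothing, and TEST 5 reports both identities, which is the same split between expected and unexpected results the reporter recorded. Whatever the eventual resolution in NiFi, a table whose outputs are fixed points is the robust configuration: the mapped string is what users, node identities and access policies in the authorizer are matched against, so a silent case change or appended suffix means a node or administrator no longer matches its policies, and in the other direction a case-folding transform can make two distinct source identities collide into one.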