Michael W Moser created NIFI-15622:
--------------------------------------
Summary: Create X500Principal identity mapper transform
Key: NIFI-15622
URL: https://issues.apache.org/jira/browse/NIFI-15622
Project: Apache NiFi
Issue Type: New Feature
Components: Core Framework
Reporter: Michael W Moser
Assignee: Michael W Moser
When NiFi is configured for X.509 certificate-based user authentication, it
applies RFC-1779 format rules to the X.500 Principal before determining if the
user is authorized to access NiFi. NiFi admins can accidentally configure an
X.500 Distinguished Name in a NiFi UserGroupProvider that does not match
RFC-1779 format, and the AccessDeniedException result does not make it obvious
that this is the problem.
This ticket proposes to create a new X.500 IdentityMapper transform. NiFi
admins could then opt in to transforming all user identities to an RFC-1779
format.
Example:
{noformat}
nifi.security.identity.mapping.pattern.dn=^(.*)$
nifi.security.identity.mapping.value.dn=$1
nifi.security.identity.mapping.transform.dn=X500
{noformat}
This ticket *also* proposes to apply IdentityMapper to all users/groups added
to the system using the nifi-api NiFiServiceFacade and saved to users.xml with
a FileUserGroupProvider.
Feedback on this proposal appreciated.
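An added example, not part of the ticket or of NiFi's code: a standalone Java check that renders configured identity strings in RFC 1779 form with the JDK's `X500Principal` and reports any that differ from what was typed. The class name, helper names and sample DNs are constructed for illustration, and it is an assumption that this rendering is the one NiFi compares against.

```java
import javax.security.auth.x500.X500Principal;
import java.util.List;

// Added example: flags configured identities whose text differs from the
// RFC 1779 rendering of the same DN. All DNs below are constructed samples.
public class DnFormatCheck {

    // Render a DN string in RFC 1779 form using the JDK's X500Principal.
    // Throws IllegalArgumentException if the input cannot be parsed as a DN.
    static String toRfc1779(String dn) {
        return new X500Principal(dn).getName(X500Principal.RFC1779);
    }

    // Describe how a configured identity relates to its RFC 1779 form.
    // The comparison is an exact, case-sensitive string match.
    static String check(String configured) {
        final String normalized;
        try {
            normalized = toRfc1779(configured);
        } catch (IllegalArgumentException e) {
            // Not an X.500 name at all (for example a plain username).
            return "NOT A DN : " + configured;
        }
        if (normalized.equals(configured)) {
            return "MATCH    : " + configured;
        }
        return "MISMATCH : " + configured + "  ->  " + normalized;
    }

    public static void main(String[] args) {
        // Constructed sample identities, as an admin might type them.
        List<String> configuredIdentities = List.of(
            "CN=Alice Admin, OU=Ops, O=Example, C=US",
            "CN=Alice Admin,OU=Ops,O=Example,C=US",
            "cn=alice admin, ou=ops, o=example, c=us",
            "alice@example.com"
        );
        for (String identity : configuredIdentities) {
            System.out.println(check(identity));
        }
    }
}
```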