[ https://issues.apache.org/jira/browse/NIFI-15622?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18059525#comment-18059525 ]

David Handermann commented on NIFI-15622:
-----------------------------------------

Thanks for proposing this change for consideration [~mosermw].

For clarity, is the purpose of the proposed transform to correct issues with 
misconfiguration? It sounds like there might be other ways to consider addressing 
the issue, such as validation, but it would be helpful to understand a few more 
details of the use case.

> Create X500Principal identity mapper transform
> ----------------------------------------------
>
>                 Key: NIFI-15622
>                 URL: https://issues.apache.org/jira/browse/NIFI-15622
>             Project: Apache NiFi
>          Issue Type: New Feature
>          Components: Core Framework
>            Reporter: Michael W Moser
>            Assignee: Michael W Moser
>            Priority: Minor
>
> When NiFi is configured for X.509 certificate based user authentication, it 
> applies RFC-1779 format rules to the X.500 Principal before determining if 
> the user is authorized to access NiFi.  NiFi admins can accidentally 
> configure an X.500 Distinguished Name in a NiFi UserGroupProvider that does 
> not match RFC-1779 format, and the AccessDeniedException result does not make 
> it obvious that this is the problem.
> This ticket proposes to create a new X.500 IdentityMapper transform.  NiFi 
> admins could then opt-in to transforming all user identities to an RFC-1779 
> format.
> Example:
> {noformat}
> nifi.security.identity.mapping.pattern.dn=^(.*)$
> nifi.security.identity.mapping.value.dn=$1
> nifi.security.identity.mapping.transform.dn=X500
> {noformat}
> This ticket *also* proposes to apply IdentityMapper to all users/groups added 
> to the system using the nifi-api NiFiServiceFacade and saved to users.xml 
> with a FileUserGroupProvider.
> Feedback on this proposal appreciated.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
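
An added example (not from the ticket or from NiFi's code) of the mismatch the issue describes: the same DN typed with different spacing or keyword case fails a plain string comparison, but matches once both sides are re-encoded as RFC 1779 with the JDK's `X500Principal`. The class name, the helper and the sample DNs are constructed for illustration; that the proposed `X500` transform would rely on this JDK call is an assumption.

```java
import java.util.List;
import javax.security.auth.x500.X500Principal;

public class DnNormalizeExample {

    // Re-encode a DN string in RFC 1779 form using the JDK parser.
    // Returns null when the string is not a parseable X.500 name, so the
    // caller can flag the entry instead of failing authorization later.
    static String toRfc1779(String dn) {
        try {
            return new X500Principal(dn).getName(X500Principal.RFC1779);
        } catch (IllegalArgumentException e) {
            return null;
        }
    }

    public static void main(String[] args) {
        // Constructed sample: identity as derived from a client certificate.
        String fromCertificate = "CN=alice, OU=NiFi, O=Example, C=US";

        // Constructed samples: ways an admin might type the same user
        // into a UserGroupProvider, plus one entry that is not a DN.
        List<String> configured = List.of(
                "CN=alice, OU=NiFi, O=Example, C=US",
                "CN=alice,OU=NiFi,O=Example,C=US",
                "cn=alice, ou=NiFi, o=Example, c=US",
                "alice@example");

        String normalizedCert = toRfc1779(fromCertificate);
        for (String entry : configured) {
            String normalized = toRfc1779(entry);
            boolean rawMatch = entry.equals(fromCertificate);
            boolean normalizedMatch =
                    normalized != null && normalized.equals(normalizedCert);
            System.out.printf(
                    "configured=%-40s raw=%-5b normalized=%-5b parsed=%s%n",
                    "\"" + entry + "\"", rawMatch, normalizedMatch,
                    normalized == null ? "<not a DN>" : normalized);
        }
    }
}
```

The `null` return for an unparseable entry is the hook for the validation approach raised in the comment: a configured identity that is not a DN can be reported when it is saved rather than surfacing as an `AccessDeniedException` at login.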