[ https://issues.apache.org/jira/browse/NIFI-15622?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18059745#comment-18059745 ]

Michael W Moser commented on NIFI-15622:
----------------------------------------

Thanks for engaging [~exceptionfactory]!

Yes, the intention is to correct issues when a NiFi admin manually adds a user 
that does not match RFC-1779 format.  I suppose some validation of the user 
identity string in the POST to /nifi-api/tenants/users would accomplish the 
same goal.  Would returning a 400 if the user identity is a DN and it doesn't 
match X500Principal.RFC1779 format work?

I am a bit worried when NiFi is configured with LDAP, OIDC or SAML 
authentication that user identities may look like an X.500 DN and we would 
incorrectly reject some valid identities.  This is why I (a bit reluctantly) 
proposed an opt-in approach.  Should I be worried about this?

I also considered implementing the approach from NIFI-2517, but I believe that 
would require changing user identities from a String to another object class, 
so that we could make a custom equals() method.  This would ripple quite far in 
the nifi-framework-api, and I didn't feel the benefit was worth the scope of 
change.

> Create X500Principal identity mapper transform
> ----------------------------------------------
>
>                 Key: NIFI-15622
>                 URL: https://issues.apache.org/jira/browse/NIFI-15622
>             Project: Apache NiFi
>          Issue Type: New Feature
>          Components: Core Framework
>            Reporter: Michael W Moser
>            Assignee: Michael W Moser
>            Priority: Minor
>
> When NiFi is configured for X.509 certificate based user authentication, it 
> applies RFC-1779 format rules to the X.500 Principal before determining if 
> the user is authorized to access NiFi.  NiFi admins can accidentally 
> configure an X.500 Distinguished Name in a NiFi UserGroupProvider that does 
> not match RFC-1779 format, and the AccessDeniedException result does not make 
> it obvious that this is the problem.
> This ticket proposes to create a new X.500 IdentityMapper transform.  NiFi 
> admins could then opt-in to transforming all user identities to an RFC-1779 
> format.
> Example:
> {noformat}
> nifi.security.identity.mapping.pattern.dn=^(.*)$
> nifi.security.identity.mapping.value.dn=$1
> nifi.security.identity.mapping.transform.dn=X500{noformat}
> This ticket *also* proposes to apply IdentityMapper to all users/groups added 
> to the system using the nifi-api NiFiServiceFacade and saved to users.xml 
> with a FileUserGroupProvider.
> Feedback on this proposal appreciated.
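An added illustration of the normalization discussed in the comment and the issue above, using the JDK's X500Principal; this is not NiFi's own code, and the class and method names are hypothetical. It shows why an admin-typed DN can differ from the identity certificate authentication produces, and how a transform can leave non-DN identities (the LDAP, OIDC and SAML case the comment raises) untouched rather than rejecting them.

```java
import javax.security.auth.x500.X500Principal;

// Hypothetical helper, not part of NiFi. Requires Java 16+ for records.
public class X500IdentityCheck {

    /** Outcome for one identity: canonical form, whether it parsed as a DN, and whether it already matched. */
    public record Result(String input, String normalized, boolean isDn, boolean alreadyCanonical) {}

    /**
     * Canonicalize an identity the way RFC 1779 formatting of an X.500 Principal would.
     * Strings that do not parse as an X.500 DN (e-mail addresses, OIDC subjects, LDAP
     * usernames) are returned unchanged, so the transform never rejects a valid non-DN identity.
     */
    public static Result normalize(String identity) {
        try {
            String canonical = new X500Principal(identity).getName(X500Principal.RFC1779);
            return new Result(identity, canonical, true, canonical.equals(identity));
        } catch (IllegalArgumentException notADn) {
            return new Result(identity, identity, false, true);
        }
    }

    /** The validation a POST to /nifi-api/tenants/users could apply: reject only DNs not already in RFC 1779 form. */
    public static boolean acceptForCreate(String identity) {
        Result r = normalize(identity);
        return !r.isDn() || r.alreadyCanonical();
    }

    public static void main(String[] args) {
        // Constructed sample identities: an admin-typed DN, its canonical form, and a non-DN identity.
        String[] samples = {
            "cn=alice,ou=users,o=example",     // lowercase, no spaces: would not match under certificate auth
            "CN=alice, OU=users, O=example",   // RFC 1779 form as X500Principal emits it
            "alice@example.com"                // OIDC / SAML style identity, passes through unchanged
        };
        for (String s : samples) {
            Result r = normalize(s);
            System.out.printf("%-32s isDn=%-5b canonical=%-5b accept=%-5b -> %s%n",
                    r.input(), r.isDn(), r.alreadyCanonical(), acceptForCreate(s), r.normalized());
        }
    }
}
```

Running it shows the first sample parsing as a DN but not matching its canonical form, which is the mismatch that surfaces as an AccessDeniedException in the issue description.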



--
This message was sent by Atlassian Jira
(v8.20.10#820010)