[
https://issues.apache.org/jira/browse/NIFI-15622?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18061152#comment-18061152
]
David Handermann commented on NIFI-15622:
-----------------------------------------
Thanks for the reply [~mosermw].
Reviewing the REST API Resource methods, it seems like it might be a bit
difficult to validate input strings for users and groups, but it could be
considered. For example, a first pass of each user or group string could be to
determine if it appears to be an X.500 Principal. If it looks like one, then
the validation step could be to run the string through a formatting step,
applying the RFC 1779 style, then comparing the result to the input string. If
the value does not match, that would be considered a validation error.
In an ideal implementation, this would avoid introducing new properties. Since
Client Certificate authentication is always enabled to support cluster node
communication, it seems reasonable to apply the validation check in all
scenarios.
What do you think of something along these lines?
> Create X500Principal identity mapper transform
> ----------------------------------------------
>
> Key: NIFI-15622
> URL: https://issues.apache.org/jira/browse/NIFI-15622
> Project: Apache NiFi
> Issue Type: New Feature
> Components: Core Framework
> Reporter: Michael W Moser
> Assignee: Michael W Moser
> Priority: Minor
>
> When NiFi is configured for X.509 certificate based user authentication, it
> applies RFC-1779 format rules to the X.500 Principal before determining if
> the user is authorized to access NiFi. NiFi admins can accidentally
> configure an X.500 Distinguished Name in a NiFi UserGroupProvider that does
> not match RFC-1779 format, and the AccessDeniedException result does not make
> it obvious that this is the problem.
> This ticket proposes to create a new X.500 IdentityMapper transform. NiFi
> admins could then opt-in to transforming all user identities to an RFC-1779
> format.
> Example:
> {noformat}
> nifi.security.identity.mapping.pattern.dn=^(.*)$
> nifi.security.identity.mapping.value.dn=$1
> nifi.security.identity.mapping.transform.dn=X500
> {noformat}
> This ticket *also* proposes to apply IdentityMapper to all users/groups added
> to the system using the nifi-api NiFiServiceFacade and saved to users.xml
> with a FileUserGroupProvider.
> Feedback on this proposal appreciated.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
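An added example (not NiFi code, and not code from either participant) that shows what the ticket's proposed X500 transform and the comment's proposed validation step each amount to, using the same JDK call NiFi has available for certificate identities: X500Principal.getName(X500Principal.RFC1779). The class name, the Result record and the "parses as a DN means it looks like a DN" heuristic are assumptions for illustration; the sample identities are constructed.

```java
import javax.security.auth.x500.X500Principal;
import java.util.List;
import java.util.Optional;

/**
 * Added example, not part of Apache NiFi. Demonstrates the RFC 1779
 * canonicalisation discussed in NIFI-15622 and the validation check
 * proposed in the comment: format the configured identity as RFC 1779
 * and treat any difference from the original string as an error.
 */
public final class X500IdentityCheck {

    /** Outcome for one configured user or group identity (hypothetical type). */
    public record Result(String input, Optional<String> canonical, Optional<String> error) {}

    /**
     * "Looks like an X.500 Principal" heuristic (assumption): the string is
     * a DN if the JDK parser accepts it. Plain usernames such as
     * "alice@example.com" contain no type=value pair and are rejected.
     */
    static Optional<X500Principal> tryParse(String identity) {
        try {
            return Optional.of(new X500Principal(identity));
        } catch (IllegalArgumentException e) {
            return Optional.empty();
        }
    }

    /** The transform the ticket proposes: emit the DN in RFC 1779 style. */
    static String toRfc1779(X500Principal principal) {
        return principal.getName(X500Principal.RFC1779);
    }

    /**
     * The check the comment proposes: canonicalise, then compare to the
     * input; a mismatch is a validation error that names the expected form.
     */
    static Result validate(String identity) {
        Optional<X500Principal> parsed = tryParse(identity);
        if (parsed.isEmpty()) {
            // Not a DN (e.g. a username or LDAP-style identity): nothing to validate.
            return new Result(identity, Optional.empty(), Optional.empty());
        }
        String canonical = toRfc1779(parsed.get());
        if (!canonical.equals(identity)) {
            return new Result(identity, Optional.of(canonical), Optional.of(
                "Identity [" + identity + "] is not in RFC 1779 format; expected [" + canonical + "]"));
        }
        return new Result(identity, Optional.of(canonical), Optional.empty());
    }

    public static void main(String[] args) {
        // Constructed sample of what an admin might put in users.xml or an authorizers entry.
        List<String> configured = List.of(
            "CN=nifi-node-1, OU=NIFI, O=Example, C=US", // already RFC 1779: passes
            "CN=nifi-node-1,OU=NIFI,O=Example,C=US",    // RFC 2253 spacing: would be denied silently today
            "cn=alice, ou=Users",                        // lower-case attribute types: also a mismatch
            "alice@example.com"                          // not a DN: left untouched
        );
        for (String id : configured) {
            Result r = validate(id);
            System.out.println(r.error().orElse("OK: " + id));
        }
    }
}
```

The second and third entries are exactly the cases the ticket describes: the comparison fails only on separator spacing or keyword case, so the error message carrying the expected string is what turns an opaque AccessDeniedException into something an admin can act on. One caveat worth checking before adopting the comparison as-is: the JDK renders attribute types that have no RFC 1779 keyword (EMAILADDRESS is the common one) in OID form, so a DN using such attributes would fail this check even though the admin copied it from the certificate, which argues for storing the transformed value rather than rejecting the input.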