[
https://issues.apache.org/jira/browse/NIFI-15622?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18061212#comment-18061212
]
Michael W Moser commented on NIFI-15622:
----------------------------------------
I've been testing a fairly clean approach that is exactly what you suggested
and it's working well so far:
* User identities that are not X.500 Distinguished Names (such as "mosermw") are valid.
* If the requested user identity does not match the RFC-1779 formatted identity, it is considered invalid.
* When using POST /nifi-api/tenants/users to create an invalid user, it returns a 400 response with the message "User identity [cn=Subject,o=Organization,c=US] does not match expected format [CN=Subject, O=Organization, C=US]. Authorization for this user may not work." which displays in the NiFi UI nicely.
* When building a users.xml with Initial User Identity, it will create the invalid user but log an ERROR to nifi-user.log with the same error message above.
* Did not touch the PUT /nifi-api/tenants/users/{id} which modifies a user identity, but will consider doing that (see next sentence).
I am still concerned that this will remove a use case that NiFi admins may be
using today, that is a non-RFC-1779 username format from a non-certificate
authentication provider. A potential workaround for this scenario is to create
the user in RFC-1779 style, then modify the user to match the desired format.
Seems wonky to officially support that, though.
Then, I thought of adding a "force" boolean query parameter to the nifi-api for
these resource endpoints. "force=true" would bypass the validation. Making
this option available in the UI would involve a new checkbox on the Add User
dialog and some TypeScript work.
> Create X500Principal identity mapper transform
> ----------------------------------------------
>
> Key: NIFI-15622
> URL: https://issues.apache.org/jira/browse/NIFI-15622
> Project: Apache NiFi
> Issue Type: New Feature
> Components: Core Framework
> Reporter: Michael W Moser
> Assignee: Michael W Moser
> Priority: Minor
>
> When NiFi is configured for X.509 certificate based user authentication, it
> applies RFC-1779 format rules to the X.500 Principal before determining if
> the user is authorized to access NiFi. NiFi admins can accidentally
> configure an X.500 Distinguished Name in a NiFi UserGroupProvider that does
> not match RFC-1779 format, and the AccessDeniedException result does not make
> it obvious that this is the problem.
> This ticket proposes to create a new X.500 IdentityMapper transform. NiFi
> admins could then opt-in to transforming all user identities to an RFC-1779
> format.
> Example:
> {noformat}
> nifi.security.identity.mapping.pattern.dn=^(.*)$
> nifi.security.identity.mapping.value.dn=$1
> nifi.security.identity.mapping.transform.dn=X500
> {noformat}
> This ticket *also* proposes to apply IdentityMapper to all users/groups added
> to the system using the nifi-api NiFiServiceFacade and saved to users.xml
> with a FileUserGroupProvider.
> Feedback on this proposal appreciated.
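The two behaviours discussed in this thread, the RFC-1779 validation check from the comment and the proposed X500 identity transform, can be illustrated with the JDK's own X500Principal. The following is an added example, not NiFi code; the class and method names (X500IdentityCheck, toRfc1779, validate) are assumptions, and the sample identities are constructed from the ones quoted above.

```java
import javax.security.auth.x500.X500Principal;

/**
 * Illustration of the identity handling discussed in NIFI-15622 (added example, not NiFi code):
 *  - identities that do not parse as X.500 DNs (plain usernames) are accepted unchanged;
 *  - identities that are DNs must already be in RFC 1779 form, otherwise they are reported;
 *  - the proposed transform=X500 would instead rewrite a DN into its RFC 1779 form.
 */
public class X500IdentityCheck {

    /** RFC 1779 form of the identity, or null when the identity is not an X.500 DN. */
    static String toRfc1779(String identity) {
        try {
            // X500Principal applies the JDK's canonicalisation: upper-case keywords, ", " separators
            return new X500Principal(identity).getName(X500Principal.RFC1779);
        } catch (IllegalArgumentException e) {
            return null; // e.g. "mosermw": no "type=value" pairs, so not a DN
        }
    }

    /** Null when the identity is acceptable, otherwise the error text quoted in the comment. */
    static String validate(String identity) {
        String expected = toRfc1779(identity);
        if (expected == null || expected.equals(identity)) {
            return null;
        }
        return "User identity [" + identity + "] does not match expected format ["
                + expected + "]. Authorization for this user may not work.";
    }

    public static void main(String[] args) {
        String[] identities = {              // constructed sample identities
            "mosermw",                              // non-DN username: valid
            "CN=Subject, O=Organization, C=US",     // already RFC 1779: valid
            "cn=Subject,o=Organization,c=US"        // DN in non-canonical form: rejected
        };
        for (String id : identities) {
            String error = validate(id);
            System.out.println(id + " -> " + (error == null ? "valid" : error));
            String mapped = toRfc1779(id);
            if (mapped != null) {
                // What an opt-in transform=X500 mapping would produce for the same input
                System.out.println("  transform=X500 -> " + mapped);
            }
        }
    }
}
```

Running the class shows the third identity rejected with the same message the POST endpoint returns, while the X500 transform maps it to "CN=Subject, O=Organization, C=US".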
--
This message was sent by Atlassian Jira
(v8.20.10#820010)