Github user alopresto commented on the issue:
https://github.com/apache/nifi/pull/2177
Ok, here are my thoughts on this PR:
* I got test failures on `TestListenUDP` when running the full build. I am assuming nothing here changed that so it's unrelated and I won't count it against this PR, but making a note here because I had not seen it on `master`.
* There are checkstyle issues I [noted above](https://github.com/apache/nifi/pull/2177#issuecomment-332344883).
* I validated the following use cases:
    * Normal positive flow
    * Bad username/password fails
    * The Knox user authenticates but has no access policies on the canvas
    * The Knox user JWT has no audiences and NiFi does not require any
    * The Knox user JWT has no audiences and NiFi requires one
    * The Knox user JWT has the wrong audience (i.e. not one required by NiFi)
    * The Knox user JWT has the correct audience as required by NiFi
    * The Knox user is logged in with one browser and another user is logged in via client certificate in another
* Issues found:
    * No way to log out of the Knox user through the NiFi UI (treated same as client certificate)
        * Workaround: Use browser to delete `hadoop-jwt` cookie
    * If Knox SSO is configured to provide the wrong/insufficient audiences, the login UX simply immediately redirects to the Knox login UI with no error message
        * Workaround: the NiFi User Log (`logs/nifi-user.log`) contains a helpful error message

To me, neither issue is a blocker for this PR but I do think they should be resolved in a future release. +1, LGTM (with the checkstyle violation resolutions pending).
---