[jira] [Updated] (NIFI-4215) Avro schemas with records that have a field of themselves fail to parse, causing stackoverflow exception

[James Wing (JIRA)]

 [ 
https://issues.apache.org/jira/browse/NIFI-4215?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

James Wing updated NIFI-4215:
-
Fix Version/s: (was: 1.4.0)

> Avro schemas with records that have a field of themselves fail to parse, 
> causing stackoverflow exception
> 
>
> Key: NIFI-4215
> URL: https://issues.apache.org/jira/browse/NIFI-4215
> Project: Apache NiFi
>  Issue Type: Bug
>Affects Versions: 1.4.0
>Reporter: Wesley L Lawrence
>Priority: Minor
> Attachments: nifi-4215.patch
>
>
> Noticed this while attempting to use the AvroSchemaRegsitry with some complex 
> schema. Boiled down, Avro lets you define a schema such as;
> {code}
> { 
>   "namespace": "org.apache.nifi.testing", 
>   "name": "CompositRecord", 
>   "type": "record", 
>   "fields": [ 
> { 
>   "name": "id", 
>   "type": "int" 
> }, 
> { 
>   "name": "value", 
>   "type": "string" 
> }, 
> { 
>   "name": "parent", 
>   "type": [
> "null",
> "CompositRecord"
>   ]
> } 
>   ] 
> }
> {code}
> The AvroSchemaRegistry (AvroTypeUtil specifically) will fail to parse, and 
> generate a stackoverflow exception.
> I've whipped up a fix, tested it out in 1.4.0, and am just running through 
> the contrib build before I submit a patch.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

[jira] [Updated] (NIFI-4215) Avro schemas with records that have a field of themselves fail to parse, causing stackoverflow exception

[James Wing (JIRA)]

 [ 
https://issues.apache.org/jira/browse/NIFI-4215?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

James Wing updated NIFI-4215:
-
Priority: Minor  (was: Blocker)

> Avro schemas with records that have a field of themselves fail to parse, 
> causing stackoverflow exception
> 
>
> Key: NIFI-4215
> URL: https://issues.apache.org/jira/browse/NIFI-4215
> Project: Apache NiFi
>  Issue Type: Bug
>Affects Versions: 1.4.0
>Reporter: Wesley L Lawrence
>Priority: Minor
> Attachments: nifi-4215.patch
>
>
> Noticed this while attempting to use the AvroSchemaRegsitry with some complex 
> schema. Boiled down, Avro lets you define a schema such as;
> {code}
> { 
>   "namespace": "org.apache.nifi.testing", 
>   "name": "CompositRecord", 
>   "type": "record", 
>   "fields": [ 
> { 
>   "name": "id", 
>   "type": "int" 
> }, 
> { 
>   "name": "value", 
>   "type": "string" 
> }, 
> { 
>   "name": "parent", 
>   "type": [
> "null",
> "CompositRecord"
>   ]
> } 
>   ] 
> }
> {code}
> The AvroSchemaRegistry (AvroTypeUtil specifically) will fail to parse, and 
> generate a stackoverflow exception.
> I've whipped up a fix, tested it out in 1.4.0, and am just running through 
> the contrib build before I submit a patch.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

[jira] [Commented] (NIFI-4215) Avro schemas with records that have a field of themselves fail to parse, causing stackoverflow exception

[James Wing (JIRA)]

[ 
https://issues.apache.org/jira/browse/NIFI-4215?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16110305#comment-16110305
 ] 

James Wing commented on NIFI-4215:
--

Thanks, [~markap14] , for bringing these issues to our attention.

I pushed a new commit to revert this change so it is not blocking, and we can 
take the time to make the right fix.

[~WesleyLawrence], I think the builder approach is worth a look, although I 
also haven't figured out the chicken vs. egg schema creation with a builder.  I 
like that part of your solution.

> Avro schemas with records that have a field of themselves fail to parse, 
> causing stackoverflow exception
> 
>
> Key: NIFI-4215
> URL: https://issues.apache.org/jira/browse/NIFI-4215
> Project: Apache NiFi
>  Issue Type: Bug
>Affects Versions: 1.4.0
>Reporter: Wesley L Lawrence
>Priority: Blocker
> Fix For: 1.4.0
>
> Attachments: nifi-4215.patch
>
>
> Noticed this while attempting to use the AvroSchemaRegsitry with some complex 
> schema. Boiled down, Avro lets you define a schema such as;
> {code}
> { 
>   "namespace": "org.apache.nifi.testing", 
>   "name": "CompositRecord", 
>   "type": "record", 
>   "fields": [ 
> { 
>   "name": "id", 
>   "type": "int" 
> }, 
> { 
>   "name": "value", 
>   "type": "string" 
> }, 
> { 
>   "name": "parent", 
>   "type": [
> "null",
> "CompositRecord"
>   ]
> } 
>   ] 
> }
> {code}
> The AvroSchemaRegistry (AvroTypeUtil specifically) will fail to parse, and 
> generate a stackoverflow exception.
> I've whipped up a fix, tested it out in 1.4.0, and am just running through 
> the contrib build before I submit a patch.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

[jira] [Commented] (NIFI-4215) Avro schemas with records that have a field of themselves fail to parse, causing stackoverflow exception

[ASF subversion and git services (JIRA)]

[ 
https://issues.apache.org/jira/browse/NIFI-4215?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16110300#comment-16110300
 ] 

ASF subversion and git services commented on NIFI-4215:
---

Commit 2502b79baef72e7e633a623784548ca7d25eeeb0 in nifi's branch 
refs/heads/master from [~jameswing]
[ https://git-wip-us.apache.org/repos/asf?p=nifi.git;h=2502b79 ]

NIFI-4215 Revert Complex Avro Schema Changes

This reverts commit cf49a58ee75601e1d0d7512104b9ed0ca2e8ec41.


> Avro schemas with records that have a field of themselves fail to parse, 
> causing stackoverflow exception
> 
>
> Key: NIFI-4215
> URL: https://issues.apache.org/jira/browse/NIFI-4215
> Project: Apache NiFi
>  Issue Type: Bug
>Affects Versions: 1.4.0
>Reporter: Wesley L Lawrence
>Priority: Blocker
> Fix For: 1.4.0
>
> Attachments: nifi-4215.patch
>
>
> Noticed this while attempting to use the AvroSchemaRegsitry with some complex 
> schema. Boiled down, Avro lets you define a schema such as;
> {code}
> { 
>   "namespace": "org.apache.nifi.testing", 
>   "name": "CompositRecord", 
>   "type": "record", 
>   "fields": [ 
> { 
>   "name": "id", 
>   "type": "int" 
> }, 
> { 
>   "name": "value", 
>   "type": "string" 
> }, 
> { 
>   "name": "parent", 
>   "type": [
> "null",
> "CompositRecord"
>   ]
> } 
>   ] 
> }
> {code}
> The AvroSchemaRegistry (AvroTypeUtil specifically) will fail to parse, and 
> generate a stackoverflow exception.
> I've whipped up a fix, tested it out in 1.4.0, and am just running through 
> the contrib build before I submit a patch.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

[jira] [Created] (NIFI-4255) Add support for providing ACLs for paths in Zookeeper Migration tool

[Yolanda M. Davis (JIRA)]

Yolanda M. Davis created NIFI-4255:
--

 Summary: Add support for providing ACLs for paths in Zookeeper 
Migration tool
 Key: NIFI-4255
 URL: https://issues.apache.org/jira/browse/NIFI-4255
 Project: Apache NiFi
  Issue Type: Improvement
  Components: Tools and Build
Affects Versions: 1.3.0
Reporter: Yolanda M. Davis


Currently in the Zookeeper migration utility there is support for applying acls 
when importing zookeeper data (Znodes).  However this support only applies 
default ACLs values (either Open or Creator specific), and the value used 
depends on if security is enabled or disabled in the destination Zookeeper 
instance. This may become problematic if the user/identity used to import 
zookeeper data does not align with the users/identities that require 
read/modify rights on the imported Znodes. This also doesn't provide users 
flexibility in defining specific rights or applying additional authorizations 
on paths.

Enhancing the existing utility to support providing ACL information would offer 
users more flexibility in defining permissions and authentication schemes on 
znodes. 



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

[jira] [Commented] (NIFI-4238) Error in QueryDatabaseTable (NiFi CDC support): Unable to execute SQL select query due to org.apache.nifi.processor.exception.ProcessException: Error during database que

[Matt Burgess (JIRA)]

[ 
https://issues.apache.org/jira/browse/NIFI-4238?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16110192#comment-16110192
 ] 

Matt Burgess commented on NIFI-4238:


[~ella] this might be a configuration issue, can you share the configuration of 
the QueryDatabaseTable processor? If you are using the Generic database 
adapter, it is possible that DB2 requires a specific dialect for paging results 
(see NIFI-3596). If so, we could convert this to a "support DB2 in NiFi DB 
Fetch processors" Jira, where the workaround could be to rewrite the SQL as 
described in NIFI-3596.

> Error in QueryDatabaseTable (NiFi CDC support): Unable to execute SQL select 
> query due to org.apache.nifi.processor.exception.ProcessException: Error 
> during database query or conversion of records to Avro
> 
>
> Key: NIFI-4238
> URL: https://issues.apache.org/jira/browse/NIFI-4238
> Project: Apache NiFi
>  Issue Type: Bug
>Affects Versions: 1.3.0
> Environment: Centos
>Reporter: Ella
> Attachments: diagram.png, Error.png
>
>
> Hi Guys,
> I should retrieve only the new added records from the DB2 database to a file 
> by NiFi's CDC feature--QueryDatabaseTable processor; however, I have 
> encountered the Error during executing my dataflow scenario. I have 
> respectfully attached the snapshot of Error as well as the dataflow; I would 
> really appreciate if someone helped me after all.
> Thanks a lot.
> Sincerely,
> Ella



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

[jira] [Updated] (NIFI-4022) Use SASL Auth Scheme For Secured Zookeeper Client Interaction

[Yolanda M. Davis (JIRA)]

 [ 
https://issues.apache.org/jira/browse/NIFI-4022?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Yolanda M. Davis updated NIFI-4022:
---
Status: Patch Available  (was: In Progress)

PR available here: https://github.com/apache/nifi/pull/2046

> Use SASL Auth Scheme For Secured Zookeeper Client Interaction
> -
>
> Key: NIFI-4022
> URL: https://issues.apache.org/jira/browse/NIFI-4022
> Project: Apache NiFi
>  Issue Type: Bug
>Affects Versions: 1.2.0
>Reporter: Yolanda M. Davis
>Assignee: Yolanda M. Davis
>
> NiFi uses Zookeeper to assist in cluster orchestration including leader 
> elections for Primary Node and Cluster Coordinator and to store state for 
> various processors (such as MonitorActivity). In secured Zookeeper 
> environments (supported by SASL + Kerberos) NiFi should protect the zNodes it 
> creates to prevent users or hosts, outside of a NiFi cluster, from accessing 
> or modifying entries.  In its current implementation security can be enforced 
> for processors that store state information in Zookeeper, however zNodes used 
> for managing Primary Node and Cluster Coordinator data are left open and 
> susceptible to change from any user.  Also when zNodes are secured for 
> processor state, a “Creator Only” policy is used which allows the system to 
> determine the identification of the NiFi node and protect any zNodes created 
> with that node id using Zookeeper’s “auth” scheme. The challenge with this 
> scheme is that it limits the ability for other NiFi nodes in the cluster to 
> access that zNode if needed (since it is specifically binds that zNode to the 
> unique id of its creator).
>  
> To best protect zNodes created in Zookeeper by NiFi while maximizing NiFi’s 
> ability to share information across the cluster I propose that we move to 
> using Zookeeper’s SASL authentication scheme, which will allow the use of 
> Kerberos principals for securing zNode with the appropriate permissions.  For 
> maximum flexibility, these principals can be mapped appropriately in 
> Zookeeper, using auth-to-local rules, to ensure that nodes across the cluster 
> can share zNodes as needed. 
>  
> Potential Concerns/Challenges for Discussion:
>  
> 1)  For existing NiFi users how will we migrate Zookeeper entries from 
> the old security scheme to the new scheme?
> 2)  How should zNodes be reverted to open if kerberos is disabled?
> 3)  What will the performance impact be on the cluster once SASL scheme 
> is enabled (since we’d be moving from open to protected)? Would require 
> investigation
> 4)  Currently users can control authentication scheme via state 
> management configuration for processors yet not for clusters.  Should we 
> still maintain the practice of allowing schemes to be configurable for 
> processors (with SASL being the new default)?



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

[jira] [Created] (NIFI-4254) NiFi CA should provide detailed information when exception occurs

[Yolanda M. Davis (JIRA)]

Yolanda M. Davis created NIFI-4254:
--

 Summary: NiFi CA should provide detailed information when 
exception occurs
 Key: NIFI-4254
 URL: https://issues.apache.org/jira/browse/NIFI-4254
 Project: Apache NiFi
  Issue Type: Bug
  Components: Tools and Build
Affects Versions: 1.3.0
Reporter: Yolanda M. Davis
Priority: Minor


In the TlsCertificateAuthorityServiceHandler class if an exception occurs when 
handling a CSR a new exception is thrown indicating a Server error however the 
root exception is lost making it difficult to understand the cause of the 
exception.  

See 
https://github.com/apache/nifi/blob/master/nifi-toolkit/nifi-toolkit-tls/src/main/java/org/apache/nifi/toolkit/tls/service/server/TlsCertificateAuthorityServiceHandler.java#L99





--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

[GitHub] nifi pull request #2047: NIFI-4210: Add support for OpenId Connect

[alopresto]

Github user alopresto commented on a diff in the pull request:

https://github.com/apache/nifi/pull/2047#discussion_r130762623
  
--- Diff: 
nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/oidc/OidcService.java
 ---
@@ -0,0 +1,207 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.nifi.web.security.oidc;
+
+import com.google.common.cache.Cache;
+import com.google.common.cache.CacheBuilder;
+import com.nimbusds.oauth2.sdk.AuthorizationGrant;
+import com.nimbusds.oauth2.sdk.Scope;
+import com.nimbusds.oauth2.sdk.id.State;
+import org.apache.nifi.web.security.util.CacheKey;
+
+import java.io.IOException;
+import java.math.BigInteger;
+import java.net.URI;
+import java.security.SecureRandom;
+import java.util.concurrent.ExecutionException;
+import java.util.concurrent.TimeUnit;
+
+import static 
org.apache.nifi.web.security.oidc.StandardOidcIdentityProvider.OPEN_ID_CONNECT_SUPPORT_IS_NOT_CONFIGURED;
+
+/**
+ * OidcService is a service for managing the OpenId Connect Authorization 
flow.
+ */
+public class OidcService {
+
+private OidcIdentityProvider identityProvider;
+private Cache stateLookupForPendingRequests; // 
identifier from cookie -> state value
+private Cache jwtLookupForCompletedRequests; // 
identifier from cookie -> jwt or identity (and generate jwt on retrieval)
+
+/**
+ * Creates a new OtpService with an expiration of 5 minutes.
+ */
+public OidcService(final OidcIdentityProvider identityProvider) {
+this(identityProvider, 60, TimeUnit.SECONDS);
+}
+
+/**
+ * Creates a new OtpService.
+ *
+ * @param duration  The expiration duration
+ * @param units The expiration units
+ * @throws NullPointerException If units is null
+ * @throws IllegalArgumentException If duration is negative
+ */
+public OidcService(final OidcIdentityProvider identityProvider, final 
int duration, final TimeUnit units) {
+this.identityProvider = identityProvider;
+this.stateLookupForPendingRequests = 
CacheBuilder.newBuilder().expireAfterWrite(duration, units).build();
+this.jwtLookupForCompletedRequests = 
CacheBuilder.newBuilder().expireAfterWrite(duration, units).build();
+}
+
+/**
+ * Returns whether OpenId Connect is enabled.
+ *
+ * @return whether OpenId Connect is enabled
+ */
+public boolean isOidcEnabled() {
+return identityProvider.isOidcEnabled();
+}
+
+/**
+ * Returns the OpenId Connect authorization endpoint.
+ *
+ * @return the authorization endpoint
+ */
+public URI getAuthorizationEndpoint() {
+return identityProvider.getAuthorizationEndpoint();
+}
+
+/**
+ * Returns the OpenId Connect scope.
+ *
+ * @return scope
+ */
+public Scope getScope() {
+return identityProvider.getScope();
+}
+
+/**
+ * Returns the OpenId Connect client id.
+ *
+ * @return client id
+ */
+public String getClientId() {
+return identityProvider.getClientId().getValue();
+}
+
+/**
+ * Initiates an OpenId Connection authorization code flow using the 
specified request identifier to maintain state.
+ *
+ * @param oidcRequestIdentifier request identifier
+ * @return state
+ */
+public State createState(final String oidcRequestIdentifier) {
+if (!isOidcEnabled()) {
+throw new 
IllegalStateException(OPEN_ID_CONNECT_SUPPORT_IS_NOT_CONFIGURED);
+}
+
+final CacheKey oidcRequestIdentifierKey = new 
CacheKey(oidcRequestIdentifier);
+final State state = 

[jira] [Commented] (NIFI-4210) Add OpenId Connect support for authenticating users

[ASF GitHub Bot (JIRA)]

[ 
https://issues.apache.org/jira/browse/NIFI-4210?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16110048#comment-16110048
 ] 

ASF GitHub Bot commented on NIFI-4210:
--

Github user alopresto commented on a diff in the pull request:

https://github.com/apache/nifi/pull/2047#discussion_r130762623
  
--- Diff: 
nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/oidc/OidcService.java
 ---
@@ -0,0 +1,207 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.nifi.web.security.oidc;
+
+import com.google.common.cache.Cache;
+import com.google.common.cache.CacheBuilder;
+import com.nimbusds.oauth2.sdk.AuthorizationGrant;
+import com.nimbusds.oauth2.sdk.Scope;
+import com.nimbusds.oauth2.sdk.id.State;
+import org.apache.nifi.web.security.util.CacheKey;
+
+import java.io.IOException;
+import java.math.BigInteger;
+import java.net.URI;
+import java.security.SecureRandom;
+import java.util.concurrent.ExecutionException;
+import java.util.concurrent.TimeUnit;
+
+import static 
org.apache.nifi.web.security.oidc.StandardOidcIdentityProvider.OPEN_ID_CONNECT_SUPPORT_IS_NOT_CONFIGURED;
+
+/**
+ * OidcService is a service for managing the OpenId Connect Authorization 
flow.
+ */
+public class OidcService {
+
+private OidcIdentityProvider identityProvider;
+private Cache stateLookupForPendingRequests; // 
identifier from cookie -> state value
+private Cache jwtLookupForCompletedRequests; // 
identifier from cookie -> jwt or identity (and generate jwt on retrieval)
+
+/**
+ * Creates a new OtpService with an expiration of 5 minutes.
+ */
+public OidcService(final OidcIdentityProvider identityProvider) {
+this(identityProvider, 60, TimeUnit.SECONDS);
+}
+
+/**
+ * Creates a new OtpService.
+ *
+ * @param duration  The expiration duration
+ * @param units The expiration units
+ * @throws NullPointerException If units is null
+ * @throws IllegalArgumentException If duration is negative
+ */
+public OidcService(final OidcIdentityProvider identityProvider, final 
int duration, final TimeUnit units) {
+this.identityProvider = identityProvider;
+this.stateLookupForPendingRequests = 
CacheBuilder.newBuilder().expireAfterWrite(duration, units).build();
+this.jwtLookupForCompletedRequests = 
CacheBuilder.newBuilder().expireAfterWrite(duration, units).build();
+}
+
+/**
+ * Returns whether OpenId Connect is enabled.
+ *
+ * @return whether OpenId Connect is enabled
+ */
+public boolean isOidcEnabled() {
+return identityProvider.isOidcEnabled();
+}
+
+/**
+ * Returns the OpenId Connect authorization endpoint.
+ *
+ * @return the authorization endpoint
+ */
+public URI getAuthorizationEndpoint() {
+return identityProvider.getAuthorizationEndpoint();
+}
+
+/**
+ * Returns the OpenId Connect scope.
+ *
+ * @return scope
+ */
+public Scope getScope() {
+return identityProvider.getScope();
+}
+
+/**
+ * Returns the OpenId Connect client id.
+ *
+ * @return client id
+ */
+public String getClientId() {
+return identityProvider.getClientId().getValue();
+}
+
+/**
+ * Initiates an OpenId Connection authorization code flow using the 
specified request identifier to maintain state.
+ *
+ * @param oidcRequestIdentifier request identifier
+ * @return state
+ */
+public State createState(final String oidcRequestIdentifier) {
+if (!isOidcEnabled()) {
+ 

[jira] [Commented] (NIFI-4210) Add OpenId Connect support for authenticating users

[ASF GitHub Bot (JIRA)]

[ 
https://issues.apache.org/jira/browse/NIFI-4210?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16110010#comment-16110010
 ] 

ASF GitHub Bot commented on NIFI-4210:
--

Github user alopresto commented on a diff in the pull request:

https://github.com/apache/nifi/pull/2047#discussion_r130757944
  
--- Diff: 
nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/oidc/OidcService.java
 ---
@@ -0,0 +1,207 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.nifi.web.security.oidc;
+
+import com.google.common.cache.Cache;
+import com.google.common.cache.CacheBuilder;
+import com.nimbusds.oauth2.sdk.AuthorizationGrant;
+import com.nimbusds.oauth2.sdk.Scope;
+import com.nimbusds.oauth2.sdk.id.State;
+import org.apache.nifi.web.security.util.CacheKey;
+
+import java.io.IOException;
+import java.math.BigInteger;
+import java.net.URI;
+import java.security.SecureRandom;
+import java.util.concurrent.ExecutionException;
+import java.util.concurrent.TimeUnit;
+
+import static 
org.apache.nifi.web.security.oidc.StandardOidcIdentityProvider.OPEN_ID_CONNECT_SUPPORT_IS_NOT_CONFIGURED;
+
+/**
+ * OidcService is a service for managing the OpenId Connect Authorization 
flow.
+ */
+public class OidcService {
+
+private OidcIdentityProvider identityProvider;
+private Cache stateLookupForPendingRequests; // 
identifier from cookie -> state value
+private Cache jwtLookupForCompletedRequests; // 
identifier from cookie -> jwt or identity (and generate jwt on retrieval)
+
+/**
+ * Creates a new OtpService with an expiration of 5 minutes.
+ */
+public OidcService(final OidcIdentityProvider identityProvider) {
+this(identityProvider, 60, TimeUnit.SECONDS);
+}
+
+/**
+ * Creates a new OtpService.
+ *
+ * @param duration  The expiration duration
+ * @param units The expiration units
+ * @throws NullPointerException If units is null
+ * @throws IllegalArgumentException If duration is negative
+ */
+public OidcService(final OidcIdentityProvider identityProvider, final 
int duration, final TimeUnit units) {
+this.identityProvider = identityProvider;
+this.stateLookupForPendingRequests = 
CacheBuilder.newBuilder().expireAfterWrite(duration, units).build();
+this.jwtLookupForCompletedRequests = 
CacheBuilder.newBuilder().expireAfterWrite(duration, units).build();
+}
+
+/**
+ * Returns whether OpenId Connect is enabled.
+ *
+ * @return whether OpenId Connect is enabled
+ */
+public boolean isOidcEnabled() {
+return identityProvider.isOidcEnabled();
+}
+
+/**
+ * Returns the OpenId Connect authorization endpoint.
+ *
+ * @return the authorization endpoint
+ */
+public URI getAuthorizationEndpoint() {
+return identityProvider.getAuthorizationEndpoint();
+}
+
+/**
+ * Returns the OpenId Connect scope.
+ *
+ * @return scope
+ */
+public Scope getScope() {
+return identityProvider.getScope();
+}
+
+/**
+ * Returns the OpenId Connect client id.
+ *
+ * @return client id
+ */
+public String getClientId() {
+return identityProvider.getClientId().getValue();
+}
+
+/**
+ * Initiates an OpenId Connection authorization code flow using the 
specified request identifier to maintain state.
+ *
+ * @param oidcRequestIdentifier request identifier
+ * @return state
+ */
+public State createState(final String oidcRequestIdentifier) {
+if (!isOidcEnabled()) {
+ 

[GitHub] nifi pull request #2047: NIFI-4210: Add support for OpenId Connect

[alopresto]

Github user alopresto commented on a diff in the pull request:

https://github.com/apache/nifi/pull/2047#discussion_r130757944
  
--- Diff: 
nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/oidc/OidcService.java
 ---
@@ -0,0 +1,207 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.nifi.web.security.oidc;
+
+import com.google.common.cache.Cache;
+import com.google.common.cache.CacheBuilder;
+import com.nimbusds.oauth2.sdk.AuthorizationGrant;
+import com.nimbusds.oauth2.sdk.Scope;
+import com.nimbusds.oauth2.sdk.id.State;
+import org.apache.nifi.web.security.util.CacheKey;
+
+import java.io.IOException;
+import java.math.BigInteger;
+import java.net.URI;
+import java.security.SecureRandom;
+import java.util.concurrent.ExecutionException;
+import java.util.concurrent.TimeUnit;
+
+import static 
org.apache.nifi.web.security.oidc.StandardOidcIdentityProvider.OPEN_ID_CONNECT_SUPPORT_IS_NOT_CONFIGURED;
+
+/**
+ * OidcService is a service for managing the OpenId Connect Authorization 
flow.
+ */
+public class OidcService {
+
+private OidcIdentityProvider identityProvider;
+private Cache stateLookupForPendingRequests; // 
identifier from cookie -> state value
+private Cache jwtLookupForCompletedRequests; // 
identifier from cookie -> jwt or identity (and generate jwt on retrieval)
+
+/**
+ * Creates a new OtpService with an expiration of 5 minutes.
+ */
+public OidcService(final OidcIdentityProvider identityProvider) {
+this(identityProvider, 60, TimeUnit.SECONDS);
+}
+
+/**
+ * Creates a new OtpService.
+ *
+ * @param duration  The expiration duration
+ * @param units The expiration units
+ * @throws NullPointerException If units is null
+ * @throws IllegalArgumentException If duration is negative
+ */
+public OidcService(final OidcIdentityProvider identityProvider, final 
int duration, final TimeUnit units) {
+this.identityProvider = identityProvider;
+this.stateLookupForPendingRequests = 
CacheBuilder.newBuilder().expireAfterWrite(duration, units).build();
+this.jwtLookupForCompletedRequests = 
CacheBuilder.newBuilder().expireAfterWrite(duration, units).build();
+}
+
+/**
+ * Returns whether OpenId Connect is enabled.
+ *
+ * @return whether OpenId Connect is enabled
+ */
+public boolean isOidcEnabled() {
+return identityProvider.isOidcEnabled();
+}
+
+/**
+ * Returns the OpenId Connect authorization endpoint.
+ *
+ * @return the authorization endpoint
+ */
+public URI getAuthorizationEndpoint() {
+return identityProvider.getAuthorizationEndpoint();
+}
+
+/**
+ * Returns the OpenId Connect scope.
+ *
+ * @return scope
+ */
+public Scope getScope() {
+return identityProvider.getScope();
+}
+
+/**
+ * Returns the OpenId Connect client id.
+ *
+ * @return client id
+ */
+public String getClientId() {
+return identityProvider.getClientId().getValue();
+}
+
+/**
+ * Initiates an OpenId Connection authorization code flow using the 
specified request identifier to maintain state.
+ *
+ * @param oidcRequestIdentifier request identifier
+ * @return state
+ */
+public State createState(final String oidcRequestIdentifier) {
+if (!isOidcEnabled()) {
+throw new 
IllegalStateException(OPEN_ID_CONNECT_SUPPORT_IS_NOT_CONFIGURED);
+}
+
+final CacheKey oidcRequestIdentifierKey = new 
CacheKey(oidcRequestIdentifier);
+final State state = 

[GitHub] nifi pull request #2047: NIFI-4210: Add support for OpenId Connect

[alopresto]

Github user alopresto commented on a diff in the pull request:

https://github.com/apache/nifi/pull/2047#discussion_r130750100
  
--- Diff: 
nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/oidc/OidcService.java
 ---
@@ -0,0 +1,207 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.nifi.web.security.oidc;
+
+import com.google.common.cache.Cache;
+import com.google.common.cache.CacheBuilder;
+import com.nimbusds.oauth2.sdk.AuthorizationGrant;
+import com.nimbusds.oauth2.sdk.Scope;
+import com.nimbusds.oauth2.sdk.id.State;
+import org.apache.nifi.web.security.util.CacheKey;
+
+import java.io.IOException;
+import java.math.BigInteger;
+import java.net.URI;
+import java.security.SecureRandom;
+import java.util.concurrent.ExecutionException;
+import java.util.concurrent.TimeUnit;
+
+import static 
org.apache.nifi.web.security.oidc.StandardOidcIdentityProvider.OPEN_ID_CONNECT_SUPPORT_IS_NOT_CONFIGURED;
+
+/**
+ * OidcService is a service for managing the OpenId Connect Authorization 
flow.
+ */
+public class OidcService {
+
+private OidcIdentityProvider identityProvider;
+private Cache stateLookupForPendingRequests; // 
identifier from cookie -> state value
+private Cache jwtLookupForCompletedRequests; // 
identifier from cookie -> jwt or identity (and generate jwt on retrieval)
+
+/**
+ * Creates a new OtpService with an expiration of 5 minutes.
+ */
+public OidcService(final OidcIdentityProvider identityProvider) {
+this(identityProvider, 60, TimeUnit.SECONDS);
+}
+
+/**
+ * Creates a new OtpService.
+ *
+ * @param duration  The expiration duration
+ * @param units The expiration units
+ * @throws NullPointerException If units is null
+ * @throws IllegalArgumentException If duration is negative
+ */
+public OidcService(final OidcIdentityProvider identityProvider, final 
int duration, final TimeUnit units) {
+this.identityProvider = identityProvider;
+this.stateLookupForPendingRequests = 
CacheBuilder.newBuilder().expireAfterWrite(duration, units).build();
+this.jwtLookupForCompletedRequests = 
CacheBuilder.newBuilder().expireAfterWrite(duration, units).build();
+}
+
+/**
+ * Returns whether OpenId Connect is enabled.
+ *
+ * @return whether OpenId Connect is enabled
+ */
+public boolean isOidcEnabled() {
+return identityProvider.isOidcEnabled();
+}
+
+/**
+ * Returns the OpenId Connect authorization endpoint.
+ *
+ * @return the authorization endpoint
+ */
+public URI getAuthorizationEndpoint() {
+return identityProvider.getAuthorizationEndpoint();
+}
+
+/**
+ * Returns the OpenId Connect scope.
+ *
+ * @return scope
+ */
+public Scope getScope() {
+return identityProvider.getScope();
+}
+
+/**
+ * Returns the OpenId Connect client id.
+ *
+ * @return client id
+ */
+public String getClientId() {
+return identityProvider.getClientId().getValue();
+}
+
+/**
+ * Initiates an OpenId Connection authorization code flow using the 
specified request identifier to maintain state.
+ *
+ * @param oidcRequestIdentifier request identifier
+ * @return state
+ */
+public State createState(final String oidcRequestIdentifier) {
+if (!isOidcEnabled()) {
+throw new 
IllegalStateException(OPEN_ID_CONNECT_SUPPORT_IS_NOT_CONFIGURED);
+}
+
+final CacheKey oidcRequestIdentifierKey = new 
CacheKey(oidcRequestIdentifier);
+final State state = 

[jira] [Commented] (NIFI-4210) Add OpenId Connect support for authenticating users

[ASF GitHub Bot (JIRA)]

[ 
https://issues.apache.org/jira/browse/NIFI-4210?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16109958#comment-16109958
 ] 

ASF GitHub Bot commented on NIFI-4210:
--

Github user alopresto commented on a diff in the pull request:

https://github.com/apache/nifi/pull/2047#discussion_r130750100
  
--- Diff: 
nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/oidc/OidcService.java
 ---
@@ -0,0 +1,207 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.nifi.web.security.oidc;
+
+import com.google.common.cache.Cache;
+import com.google.common.cache.CacheBuilder;
+import com.nimbusds.oauth2.sdk.AuthorizationGrant;
+import com.nimbusds.oauth2.sdk.Scope;
+import com.nimbusds.oauth2.sdk.id.State;
+import org.apache.nifi.web.security.util.CacheKey;
+
+import java.io.IOException;
+import java.math.BigInteger;
+import java.net.URI;
+import java.security.SecureRandom;
+import java.util.concurrent.ExecutionException;
+import java.util.concurrent.TimeUnit;
+
+import static 
org.apache.nifi.web.security.oidc.StandardOidcIdentityProvider.OPEN_ID_CONNECT_SUPPORT_IS_NOT_CONFIGURED;
+
+/**
+ * OidcService is a service for managing the OpenId Connect Authorization 
flow.
+ */
+public class OidcService {
+
+private OidcIdentityProvider identityProvider;
+private Cache stateLookupForPendingRequests; // 
identifier from cookie -> state value
+private Cache jwtLookupForCompletedRequests; // 
identifier from cookie -> jwt or identity (and generate jwt on retrieval)
+
+/**
+ * Creates a new OtpService with an expiration of 5 minutes.
+ */
+public OidcService(final OidcIdentityProvider identityProvider) {
+this(identityProvider, 60, TimeUnit.SECONDS);
+}
+
+/**
+ * Creates a new OtpService.
+ *
+ * @param duration  The expiration duration
+ * @param units The expiration units
+ * @throws NullPointerException If units is null
+ * @throws IllegalArgumentException If duration is negative
+ */
+public OidcService(final OidcIdentityProvider identityProvider, final 
int duration, final TimeUnit units) {
+this.identityProvider = identityProvider;
+this.stateLookupForPendingRequests = 
CacheBuilder.newBuilder().expireAfterWrite(duration, units).build();
+this.jwtLookupForCompletedRequests = 
CacheBuilder.newBuilder().expireAfterWrite(duration, units).build();
+}
+
+/**
+ * Returns whether OpenId Connect is enabled.
+ *
+ * @return whether OpenId Connect is enabled
+ */
+public boolean isOidcEnabled() {
+return identityProvider.isOidcEnabled();
+}
+
+/**
+ * Returns the OpenId Connect authorization endpoint.
+ *
+ * @return the authorization endpoint
+ */
+public URI getAuthorizationEndpoint() {
+return identityProvider.getAuthorizationEndpoint();
+}
+
+/**
+ * Returns the OpenId Connect scope.
+ *
+ * @return scope
+ */
+public Scope getScope() {
+return identityProvider.getScope();
+}
+
+/**
+ * Returns the OpenId Connect client id.
+ *
+ * @return client id
+ */
+public String getClientId() {
+return identityProvider.getClientId().getValue();
+}
+
+/**
+ * Initiates an OpenId Connection authorization code flow using the 
specified request identifier to maintain state.
+ *
+ * @param oidcRequestIdentifier request identifier
+ * @return state
+ */
+public State createState(final String oidcRequestIdentifier) {
+if (!isOidcEnabled()) {
+ 

[jira] [Commented] (NIFI-4248) Create processor for Apache Rya

[ASF GitHub Bot (JIRA)]

[ 
https://issues.apache.org/jira/browse/NIFI-4248?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16109943#comment-16109943
 ] 

ASF GitHub Bot commented on NIFI-4248:
--

Github user jzonthemtn closed the pull request at:

https://github.com/apache/nifi/pull/2043


> Create processor for Apache Rya
> ---
>
> Key: NIFI-4248
> URL: https://issues.apache.org/jira/browse/NIFI-4248
> Project: Apache NiFi
>  Issue Type: Task
>  Components: Extensions
>Reporter: Jeff Zemerick
>Priority: Minor
>
> Create a processor to ingest triples into Apache Rya.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

[jira] [Commented] (NIFI-4248) Create processor for Apache Rya

[ASF GitHub Bot (JIRA)]

[ 
https://issues.apache.org/jira/browse/NIFI-4248?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16109942#comment-16109942
 ] 

ASF GitHub Bot commented on NIFI-4248:
--

Github user jzonthemtn commented on the issue:

https://github.com/apache/nifi/pull/2043
  
@bbende There appears to be no reason why not! (Other than ignorance on my 
part.) I will test it but I think it will be fine so I'm going to close this.


> Create processor for Apache Rya
> ---
>
> Key: NIFI-4248
> URL: https://issues.apache.org/jira/browse/NIFI-4248
> Project: Apache NiFi
>  Issue Type: Task
>  Components: Extensions
>Reporter: Jeff Zemerick
>Priority: Minor
>
> Create a processor to ingest triples into Apache Rya.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

[jira] [Commented] (NIFI-4210) Add OpenId Connect support for authenticating users

[ASF GitHub Bot (JIRA)]

[ 
https://issues.apache.org/jira/browse/NIFI-4210?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16109941#comment-16109941
 ] 

ASF GitHub Bot commented on NIFI-4210:
--

Github user alopresto commented on a diff in the pull request:

https://github.com/apache/nifi/pull/2047#discussion_r130748733
  
--- Diff: 
nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/oidc/OidcService.java
 ---
@@ -0,0 +1,207 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.nifi.web.security.oidc;
+
+import com.google.common.cache.Cache;
+import com.google.common.cache.CacheBuilder;
+import com.nimbusds.oauth2.sdk.AuthorizationGrant;
+import com.nimbusds.oauth2.sdk.Scope;
+import com.nimbusds.oauth2.sdk.id.State;
+import org.apache.nifi.web.security.util.CacheKey;
+
+import java.io.IOException;
+import java.math.BigInteger;
+import java.net.URI;
+import java.security.SecureRandom;
+import java.util.concurrent.ExecutionException;
+import java.util.concurrent.TimeUnit;
+
+import static 
org.apache.nifi.web.security.oidc.StandardOidcIdentityProvider.OPEN_ID_CONNECT_SUPPORT_IS_NOT_CONFIGURED;
+
+/**
+ * OidcService is a service for managing the OpenId Connect Authorization 
flow.
+ */
+public class OidcService {
+
+private OidcIdentityProvider identityProvider;
+private Cache stateLookupForPendingRequests; // 
identifier from cookie -> state value
+private Cache jwtLookupForCompletedRequests; // 
identifier from cookie -> jwt or identity (and generate jwt on retrieval)
+
+/**
+ * Creates a new OtpService with an expiration of 5 minutes.
+ */
+public OidcService(final OidcIdentityProvider identityProvider) {
+this(identityProvider, 60, TimeUnit.SECONDS);
+}
+
+/**
+ * Creates a new OtpService.
+ *
+ * @param duration  The expiration duration
+ * @param units The expiration units
+ * @throws NullPointerException If units is null
+ * @throws IllegalArgumentException If duration is negative
+ */
+public OidcService(final OidcIdentityProvider identityProvider, final 
int duration, final TimeUnit units) {
+this.identityProvider = identityProvider;
+this.stateLookupForPendingRequests = 
CacheBuilder.newBuilder().expireAfterWrite(duration, units).build();
+this.jwtLookupForCompletedRequests = 
CacheBuilder.newBuilder().expireAfterWrite(duration, units).build();
+}
+
+/**
+ * Returns whether OpenId Connect is enabled.
+ *
+ * @return whether OpenId Connect is enabled
+ */
+public boolean isOidcEnabled() {
+return identityProvider.isOidcEnabled();
--- End diff --

This can throw an NPE if the identity provider isn't defined. 


> Add OpenId Connect support for authenticating users
> ---
>
> Key: NIFI-4210
> URL: https://issues.apache.org/jira/browse/NIFI-4210
> Project: Apache NiFi
>  Issue Type: Improvement
>  Components: Core Framework, Core UI
>Reporter: Matt Gilman
>Assignee: Matt Gilman
>
> Add support for authenticating users with the OpenId Connection 
> specification. Evaluate whether a new extension point is necessary to allow 
> for a given provider to supply custom code for instance to implement custom 
> token validation.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

[GitHub] nifi issue #2043: NIFI-4248: Adding Rya processor.

[jzonthemtn]

Github user jzonthemtn commented on the issue:

https://github.com/apache/nifi/pull/2043
  
@bbende There appears to be no reason why not! (Other than ignorance on my 
part.) I will test it but I think it will be fine so I'm going to close this.


---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastruct...@apache.org or file a JIRA ticket
with INFRA.
---

[GitHub] nifi pull request #2043: NIFI-4248: Adding Rya processor.

[jzonthemtn]

Github user jzonthemtn closed the pull request at:

https://github.com/apache/nifi/pull/2043


---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastruct...@apache.org or file a JIRA ticket
with INFRA.
---

[GitHub] nifi pull request #2047: NIFI-4210: Add support for OpenId Connect

[alopresto]

Github user alopresto commented on a diff in the pull request:

https://github.com/apache/nifi/pull/2047#discussion_r130748733
  
--- Diff: 
nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/oidc/OidcService.java
 ---
@@ -0,0 +1,207 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.nifi.web.security.oidc;
+
+import com.google.common.cache.Cache;
+import com.google.common.cache.CacheBuilder;
+import com.nimbusds.oauth2.sdk.AuthorizationGrant;
+import com.nimbusds.oauth2.sdk.Scope;
+import com.nimbusds.oauth2.sdk.id.State;
+import org.apache.nifi.web.security.util.CacheKey;
+
+import java.io.IOException;
+import java.math.BigInteger;
+import java.net.URI;
+import java.security.SecureRandom;
+import java.util.concurrent.ExecutionException;
+import java.util.concurrent.TimeUnit;
+
+import static 
org.apache.nifi.web.security.oidc.StandardOidcIdentityProvider.OPEN_ID_CONNECT_SUPPORT_IS_NOT_CONFIGURED;
+
+/**
+ * OidcService is a service for managing the OpenId Connect Authorization 
flow.
+ */
+public class OidcService {
+
+private OidcIdentityProvider identityProvider;
+private Cache stateLookupForPendingRequests; // 
identifier from cookie -> state value
+private Cache jwtLookupForCompletedRequests; // 
identifier from cookie -> jwt or identity (and generate jwt on retrieval)
+
+/**
+ * Creates a new OtpService with an expiration of 5 minutes.
+ */
+public OidcService(final OidcIdentityProvider identityProvider) {
+this(identityProvider, 60, TimeUnit.SECONDS);
+}
+
+/**
+ * Creates a new OtpService.
+ *
+ * @param duration  The expiration duration
+ * @param units The expiration units
+ * @throws NullPointerException If units is null
+ * @throws IllegalArgumentException If duration is negative
+ */
+public OidcService(final OidcIdentityProvider identityProvider, final 
int duration, final TimeUnit units) {
+this.identityProvider = identityProvider;
+this.stateLookupForPendingRequests = 
CacheBuilder.newBuilder().expireAfterWrite(duration, units).build();
+this.jwtLookupForCompletedRequests = 
CacheBuilder.newBuilder().expireAfterWrite(duration, units).build();
+}
+
+/**
+ * Returns whether OpenId Connect is enabled.
+ *
+ * @return whether OpenId Connect is enabled
+ */
+public boolean isOidcEnabled() {
+return identityProvider.isOidcEnabled();
--- End diff --

This can throw an NPE if the identity provider isn't defined. 


---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastruct...@apache.org or file a JIRA ticket
with INFRA.
---

[jira] [Commented] (NIFI-4210) Add OpenId Connect support for authenticating users

[ASF GitHub Bot (JIRA)]

[ 
https://issues.apache.org/jira/browse/NIFI-4210?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16109940#comment-16109940
 ] 

ASF GitHub Bot commented on NIFI-4210:
--

Github user alopresto commented on a diff in the pull request:

https://github.com/apache/nifi/pull/2047#discussion_r130748639
  
--- Diff: 
nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/oidc/OidcService.java
 ---
@@ -0,0 +1,207 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.nifi.web.security.oidc;
+
+import com.google.common.cache.Cache;
+import com.google.common.cache.CacheBuilder;
+import com.nimbusds.oauth2.sdk.AuthorizationGrant;
+import com.nimbusds.oauth2.sdk.Scope;
+import com.nimbusds.oauth2.sdk.id.State;
+import org.apache.nifi.web.security.util.CacheKey;
+
+import java.io.IOException;
+import java.math.BigInteger;
+import java.net.URI;
+import java.security.SecureRandom;
+import java.util.concurrent.ExecutionException;
+import java.util.concurrent.TimeUnit;
+
+import static 
org.apache.nifi.web.security.oidc.StandardOidcIdentityProvider.OPEN_ID_CONNECT_SUPPORT_IS_NOT_CONFIGURED;
+
+/**
+ * OidcService is a service for managing the OpenId Connect Authorization 
flow.
+ */
+public class OidcService {
+
+private OidcIdentityProvider identityProvider;
+private Cache stateLookupForPendingRequests; // 
identifier from cookie -> state value
+private Cache jwtLookupForCompletedRequests; // 
identifier from cookie -> jwt or identity (and generate jwt on retrieval)
+
+/**
+ * Creates a new OtpService with an expiration of 5 minutes.
+ */
+public OidcService(final OidcIdentityProvider identityProvider) {
+this(identityProvider, 60, TimeUnit.SECONDS);
--- End diff --

The Javadoc says the expiration is 5 minutes, but it looks like this is 
hardcoded to 1 minute. 


> Add OpenId Connect support for authenticating users
> ---
>
> Key: NIFI-4210
> URL: https://issues.apache.org/jira/browse/NIFI-4210
> Project: Apache NiFi
>  Issue Type: Improvement
>  Components: Core Framework, Core UI
>Reporter: Matt Gilman
>Assignee: Matt Gilman
>
> Add support for authenticating users with the OpenId Connection 
> specification. Evaluate whether a new extension point is necessary to allow 
> for a given provider to supply custom code for instance to implement custom 
> token validation.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

[jira] [Commented] (NIFI-4210) Add OpenId Connect support for authenticating users

[ASF GitHub Bot (JIRA)]

[ 
https://issues.apache.org/jira/browse/NIFI-4210?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16109938#comment-16109938
 ] 

ASF GitHub Bot commented on NIFI-4210:
--

Github user alopresto commented on a diff in the pull request:

https://github.com/apache/nifi/pull/2047#discussion_r130748605
  
--- Diff: 
nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/oidc/OidcService.java
 ---
@@ -0,0 +1,207 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.nifi.web.security.oidc;
+
+import com.google.common.cache.Cache;
+import com.google.common.cache.CacheBuilder;
+import com.nimbusds.oauth2.sdk.AuthorizationGrant;
+import com.nimbusds.oauth2.sdk.Scope;
+import com.nimbusds.oauth2.sdk.id.State;
+import org.apache.nifi.web.security.util.CacheKey;
+
+import java.io.IOException;
+import java.math.BigInteger;
+import java.net.URI;
+import java.security.SecureRandom;
+import java.util.concurrent.ExecutionException;
+import java.util.concurrent.TimeUnit;
+
+import static 
org.apache.nifi.web.security.oidc.StandardOidcIdentityProvider.OPEN_ID_CONNECT_SUPPORT_IS_NOT_CONFIGURED;
+
+/**
+ * OidcService is a service for managing the OpenId Connect Authorization 
flow.
+ */
+public class OidcService {
+
+private OidcIdentityProvider identityProvider;
+private Cache stateLookupForPendingRequests; // 
identifier from cookie -> state value
+private Cache jwtLookupForCompletedRequests; // 
identifier from cookie -> jwt or identity (and generate jwt on retrieval)
+
+/**
+ * Creates a new OtpService with an expiration of 5 minutes.
+ */
+public OidcService(final OidcIdentityProvider identityProvider) {
+this(identityProvider, 60, TimeUnit.SECONDS);
+}
+
+/**
+ * Creates a new OtpService.
+ *
+ * @param duration  The expiration duration
--- End diff --

Looks like it is missing a Javadoc `param` for the identity provider. 


> Add OpenId Connect support for authenticating users
> ---
>
> Key: NIFI-4210
> URL: https://issues.apache.org/jira/browse/NIFI-4210
> Project: Apache NiFi
>  Issue Type: Improvement
>  Components: Core Framework, Core UI
>Reporter: Matt Gilman
>Assignee: Matt Gilman
>
> Add support for authenticating users with the OpenId Connection 
> specification. Evaluate whether a new extension point is necessary to allow 
> for a given provider to supply custom code for instance to implement custom 
> token validation.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

[GitHub] nifi pull request #2047: NIFI-4210: Add support for OpenId Connect

[alopresto]

Github user alopresto commented on a diff in the pull request:

https://github.com/apache/nifi/pull/2047#discussion_r130748639
  
--- Diff: 
nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/oidc/OidcService.java
 ---
@@ -0,0 +1,207 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.nifi.web.security.oidc;
+
+import com.google.common.cache.Cache;
+import com.google.common.cache.CacheBuilder;
+import com.nimbusds.oauth2.sdk.AuthorizationGrant;
+import com.nimbusds.oauth2.sdk.Scope;
+import com.nimbusds.oauth2.sdk.id.State;
+import org.apache.nifi.web.security.util.CacheKey;
+
+import java.io.IOException;
+import java.math.BigInteger;
+import java.net.URI;
+import java.security.SecureRandom;
+import java.util.concurrent.ExecutionException;
+import java.util.concurrent.TimeUnit;
+
+import static 
org.apache.nifi.web.security.oidc.StandardOidcIdentityProvider.OPEN_ID_CONNECT_SUPPORT_IS_NOT_CONFIGURED;
+
+/**
+ * OidcService is a service for managing the OpenId Connect Authorization 
flow.
+ */
+public class OidcService {
+
+private OidcIdentityProvider identityProvider;
+private Cache stateLookupForPendingRequests; // 
identifier from cookie -> state value
+private Cache jwtLookupForCompletedRequests; // 
identifier from cookie -> jwt or identity (and generate jwt on retrieval)
+
+/**
+ * Creates a new OtpService with an expiration of 5 minutes.
+ */
+public OidcService(final OidcIdentityProvider identityProvider) {
+this(identityProvider, 60, TimeUnit.SECONDS);
--- End diff --

The Javadoc says the expiration is 5 minutes, but it looks like this is 
hardcoded to 1 minute. 


---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastruct...@apache.org or file a JIRA ticket
with INFRA.
---

[jira] [Commented] (NIFI-4210) Add OpenId Connect support for authenticating users

[ASF GitHub Bot (JIRA)]

[ 
https://issues.apache.org/jira/browse/NIFI-4210?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16109936#comment-16109936
 ] 

ASF GitHub Bot commented on NIFI-4210:
--

Github user alopresto commented on a diff in the pull request:

https://github.com/apache/nifi/pull/2047#discussion_r130748365
  
--- Diff: 
nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/api/AccessResource.java
 ---
@@ -125,6 +142,160 @@ public Response getLoginConfig(@Context 
HttpServletRequest httpServletRequest) {
 return generateOkResponse(entity).build();
 }
 
+@GET
+@Consumes(MediaType.WILDCARD)
+@Produces(MediaType.WILDCARD)
+@Path("oidc/request")
+@ApiOperation(
+value = "Initiates a request to authenticate through the 
configured OpenId Connect provider."
+)
+public void oidcRequest(@Context HttpServletRequest 
httpServletRequest, @Context HttpServletResponse httpServletResponse) throws 
Exception {
+// only consider user specific access over https
+if (!httpServletRequest.isSecure()) {
+forwardToMessagePage(httpServletRequest, httpServletResponse, 
"User authentication/authorization is only supported when running over HTTPS.");
+return;
+}
+
+// ensure oidc is enabled
+if (!oidcService.isOidcEnabled()) {
+forwardToMessagePage(httpServletRequest, httpServletResponse, 
"OpenId Connect is not configured.");
+return;
+}
+
+final String oidcRequestIdentifier = UUID.randomUUID().toString();
+
+// generate a cookie to associate this login sequence
+final Cookie cookie = new Cookie(OIDC_REQUEST_IDENTIFIER, 
oidcRequestIdentifier);
+cookie.setPath("/");
+cookie.setHttpOnly(true);
+cookie.setMaxAge(60);
+cookie.setSecure(true);
+httpServletResponse.addCookie(cookie);
+
+// get the state for this request
+final State state = oidcService.createState(oidcRequestIdentifier);
+
+// build the authorization uri
+final URI authorizationUri = 
UriBuilder.fromUri(oidcService.getAuthorizationEndpoint())
+.queryParam("client_id", oidcService.getClientId())
+.queryParam("response_type", "code")
+.queryParam("scope", oidcService.getScope().toString())
+.queryParam("state", state.getValue())
+.queryParam("redirect_uri", getOidcCallback())
+.build();
+
+// generate the response
+httpServletResponse.sendRedirect(authorizationUri.toString());
+}
+
+@GET
+@Consumes(MediaType.WILDCARD)
+@Produces(MediaType.WILDCARD)
+@Path("oidc/callback")
+@ApiOperation(
+value = "Redirect/callback URI for processing the result of 
the OpenId Connect login sequence."
+)
+public void oidcCallback(@Context HttpServletRequest 
httpServletRequest, @Context HttpServletResponse httpServletResponse) throws 
Exception {
+// only consider user specific access over https
+if (!httpServletRequest.isSecure()) {
+forwardToMessagePage(httpServletRequest, httpServletResponse, 
"User authentication/authorization is only supported when running over HTTPS.");
+return;
+}
+
+// ensure oidc is enabled
+if (!oidcService.isOidcEnabled()) {
+forwardToMessagePage(httpServletRequest, httpServletResponse, 
"OpenId Connect is not configured.");
+return;
+}
+
+final String oidcRequestIdentifier = 
getCookieValue(httpServletRequest.getCookies(), OIDC_REQUEST_IDENTIFIER);
+if (oidcRequestIdentifier == null) {
+forwardToMessagePage(httpServletRequest, httpServletResponse, 
"The login request identifier was not found in the request. Unable to 
continue.");
+return;
+}
+
+final com.nimbusds.openid.connect.sdk.AuthenticationResponse 
oidcResponse = AuthenticationResponseParser.parse(getRequestUri());
+if (oidcResponse.indicatesSuccess()) {
+final AuthenticationSuccessResponse successfulOidcResponse = 
(AuthenticationSuccessResponse) oidcResponse;
+
+// confirm state
+final State state = successfulOidcResponse.getState();
+if (!oidcService.isStateValid(oidcRequestIdentifier, state)) {
+logger.error("Purposed state does not match the stored 
state. Unable to continue login process.");
+
+// remove the oidc 

[GitHub] nifi pull request #2047: NIFI-4210: Add support for OpenId Connect

[alopresto]

Github user alopresto commented on a diff in the pull request:

https://github.com/apache/nifi/pull/2047#discussion_r130748365
  
--- Diff: 
nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/api/AccessResource.java
 ---
@@ -125,6 +142,160 @@ public Response getLoginConfig(@Context 
HttpServletRequest httpServletRequest) {
 return generateOkResponse(entity).build();
 }
 
+@GET
+@Consumes(MediaType.WILDCARD)
+@Produces(MediaType.WILDCARD)
+@Path("oidc/request")
+@ApiOperation(
+value = "Initiates a request to authenticate through the 
configured OpenId Connect provider."
+)
+public void oidcRequest(@Context HttpServletRequest 
httpServletRequest, @Context HttpServletResponse httpServletResponse) throws 
Exception {
+// only consider user specific access over https
+if (!httpServletRequest.isSecure()) {
+forwardToMessagePage(httpServletRequest, httpServletResponse, 
"User authentication/authorization is only supported when running over HTTPS.");
+return;
+}
+
+// ensure oidc is enabled
+if (!oidcService.isOidcEnabled()) {
+forwardToMessagePage(httpServletRequest, httpServletResponse, 
"OpenId Connect is not configured.");
+return;
+}
+
+final String oidcRequestIdentifier = UUID.randomUUID().toString();
+
+// generate a cookie to associate this login sequence
+final Cookie cookie = new Cookie(OIDC_REQUEST_IDENTIFIER, 
oidcRequestIdentifier);
+cookie.setPath("/");
+cookie.setHttpOnly(true);
+cookie.setMaxAge(60);
+cookie.setSecure(true);
+httpServletResponse.addCookie(cookie);
+
+// get the state for this request
+final State state = oidcService.createState(oidcRequestIdentifier);
+
+// build the authorization uri
+final URI authorizationUri = 
UriBuilder.fromUri(oidcService.getAuthorizationEndpoint())
+.queryParam("client_id", oidcService.getClientId())
+.queryParam("response_type", "code")
+.queryParam("scope", oidcService.getScope().toString())
+.queryParam("state", state.getValue())
+.queryParam("redirect_uri", getOidcCallback())
+.build();
+
+// generate the response
+httpServletResponse.sendRedirect(authorizationUri.toString());
+}
+
+@GET
+@Consumes(MediaType.WILDCARD)
+@Produces(MediaType.WILDCARD)
+@Path("oidc/callback")
+@ApiOperation(
+value = "Redirect/callback URI for processing the result of 
the OpenId Connect login sequence."
+)
+public void oidcCallback(@Context HttpServletRequest 
httpServletRequest, @Context HttpServletResponse httpServletResponse) throws 
Exception {
+// only consider user specific access over https
+if (!httpServletRequest.isSecure()) {
+forwardToMessagePage(httpServletRequest, httpServletResponse, 
"User authentication/authorization is only supported when running over HTTPS.");
+return;
+}
+
+// ensure oidc is enabled
+if (!oidcService.isOidcEnabled()) {
+forwardToMessagePage(httpServletRequest, httpServletResponse, 
"OpenId Connect is not configured.");
+return;
+}
+
+final String oidcRequestIdentifier = 
getCookieValue(httpServletRequest.getCookies(), OIDC_REQUEST_IDENTIFIER);
+if (oidcRequestIdentifier == null) {
+forwardToMessagePage(httpServletRequest, httpServletResponse, 
"The login request identifier was not found in the request. Unable to 
continue.");
+return;
+}
+
+final com.nimbusds.openid.connect.sdk.AuthenticationResponse 
oidcResponse = AuthenticationResponseParser.parse(getRequestUri());
+if (oidcResponse.indicatesSuccess()) {
+final AuthenticationSuccessResponse successfulOidcResponse = 
(AuthenticationSuccessResponse) oidcResponse;
+
+// confirm state
+final State state = successfulOidcResponse.getState();
+if (!oidcService.isStateValid(oidcRequestIdentifier, state)) {
+logger.error("Purposed state does not match the stored 
state. Unable to continue login process.");
+
+// remove the oidc request cookie
+removeOidcRequestCookie(httpServletResponse);
+
+// forward to the error page
+forwardToMessagePage(httpServletRequest, 
httpServletResponse, "Purposed state 

[jira] [Commented] (NIFI-4210) Add OpenId Connect support for authenticating users

[ASF GitHub Bot (JIRA)]

[ 
https://issues.apache.org/jira/browse/NIFI-4210?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16109934#comment-16109934
 ] 

ASF GitHub Bot commented on NIFI-4210:
--

Github user alopresto commented on a diff in the pull request:

https://github.com/apache/nifi/pull/2047#discussion_r130748112
  
--- Diff: 
nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/api/AccessResource.java
 ---
@@ -125,6 +142,160 @@ public Response getLoginConfig(@Context 
HttpServletRequest httpServletRequest) {
 return generateOkResponse(entity).build();
 }
 
+@GET
+@Consumes(MediaType.WILDCARD)
+@Produces(MediaType.WILDCARD)
+@Path("oidc/request")
+@ApiOperation(
+value = "Initiates a request to authenticate through the 
configured OpenId Connect provider."
+)
+public void oidcRequest(@Context HttpServletRequest 
httpServletRequest, @Context HttpServletResponse httpServletResponse) throws 
Exception {
+// only consider user specific access over https
+if (!httpServletRequest.isSecure()) {
+forwardToMessagePage(httpServletRequest, httpServletResponse, 
"User authentication/authorization is only supported when running over HTTPS.");
+return;
+}
+
+// ensure oidc is enabled
+if (!oidcService.isOidcEnabled()) {
+forwardToMessagePage(httpServletRequest, httpServletResponse, 
"OpenId Connect is not configured.");
+return;
+}
+
+final String oidcRequestIdentifier = UUID.randomUUID().toString();
+
+// generate a cookie to associate this login sequence
+final Cookie cookie = new Cookie(OIDC_REQUEST_IDENTIFIER, 
oidcRequestIdentifier);
+cookie.setPath("/");
+cookie.setHttpOnly(true);
+cookie.setMaxAge(60);
+cookie.setSecure(true);
+httpServletResponse.addCookie(cookie);
+
+// get the state for this request
+final State state = oidcService.createState(oidcRequestIdentifier);
+
+// build the authorization uri
+final URI authorizationUri = 
UriBuilder.fromUri(oidcService.getAuthorizationEndpoint())
+.queryParam("client_id", oidcService.getClientId())
+.queryParam("response_type", "code")
+.queryParam("scope", oidcService.getScope().toString())
+.queryParam("state", state.getValue())
+.queryParam("redirect_uri", getOidcCallback())
+.build();
+
+// generate the response
+httpServletResponse.sendRedirect(authorizationUri.toString());
+}
+
+@GET
+@Consumes(MediaType.WILDCARD)
+@Produces(MediaType.WILDCARD)
+@Path("oidc/callback")
+@ApiOperation(
+value = "Redirect/callback URI for processing the result of 
the OpenId Connect login sequence."
+)
+public void oidcCallback(@Context HttpServletRequest 
httpServletRequest, @Context HttpServletResponse httpServletResponse) throws 
Exception {
+// only consider user specific access over https
+if (!httpServletRequest.isSecure()) {
+forwardToMessagePage(httpServletRequest, httpServletResponse, 
"User authentication/authorization is only supported when running over HTTPS.");
+return;
+}
+
+// ensure oidc is enabled
+if (!oidcService.isOidcEnabled()) {
+forwardToMessagePage(httpServletRequest, httpServletResponse, 
"OpenId Connect is not configured.");
+return;
+}
+
+final String oidcRequestIdentifier = 
getCookieValue(httpServletRequest.getCookies(), OIDC_REQUEST_IDENTIFIER);
+if (oidcRequestIdentifier == null) {
+forwardToMessagePage(httpServletRequest, httpServletResponse, 
"The login request identifier was not found in the request. Unable to 
continue.");
+return;
+}
+
+final com.nimbusds.openid.connect.sdk.AuthenticationResponse 
oidcResponse = AuthenticationResponseParser.parse(getRequestUri());
+if (oidcResponse.indicatesSuccess()) {
+final AuthenticationSuccessResponse successfulOidcResponse = 
(AuthenticationSuccessResponse) oidcResponse;
+
+// confirm state
+final State state = successfulOidcResponse.getState();
+if (!oidcService.isStateValid(oidcRequestIdentifier, state)) {
+logger.error("Purposed state does not match the stored 
state. Unable to continue login process.");
+
+// remove the oidc 

[GitHub] nifi pull request #2047: NIFI-4210: Add support for OpenId Connect

[alopresto]

Github user alopresto commented on a diff in the pull request:

https://github.com/apache/nifi/pull/2047#discussion_r130748112
  
--- Diff: 
nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/api/AccessResource.java
 ---
@@ -125,6 +142,160 @@ public Response getLoginConfig(@Context 
HttpServletRequest httpServletRequest) {
 return generateOkResponse(entity).build();
 }
 
+@GET
+@Consumes(MediaType.WILDCARD)
+@Produces(MediaType.WILDCARD)
+@Path("oidc/request")
+@ApiOperation(
+value = "Initiates a request to authenticate through the 
configured OpenId Connect provider."
+)
+public void oidcRequest(@Context HttpServletRequest 
httpServletRequest, @Context HttpServletResponse httpServletResponse) throws 
Exception {
+// only consider user specific access over https
+if (!httpServletRequest.isSecure()) {
+forwardToMessagePage(httpServletRequest, httpServletResponse, 
"User authentication/authorization is only supported when running over HTTPS.");
+return;
+}
+
+// ensure oidc is enabled
+if (!oidcService.isOidcEnabled()) {
+forwardToMessagePage(httpServletRequest, httpServletResponse, 
"OpenId Connect is not configured.");
+return;
+}
+
+final String oidcRequestIdentifier = UUID.randomUUID().toString();
+
+// generate a cookie to associate this login sequence
+final Cookie cookie = new Cookie(OIDC_REQUEST_IDENTIFIER, 
oidcRequestIdentifier);
+cookie.setPath("/");
+cookie.setHttpOnly(true);
+cookie.setMaxAge(60);
+cookie.setSecure(true);
+httpServletResponse.addCookie(cookie);
+
+// get the state for this request
+final State state = oidcService.createState(oidcRequestIdentifier);
+
+// build the authorization uri
+final URI authorizationUri = 
UriBuilder.fromUri(oidcService.getAuthorizationEndpoint())
+.queryParam("client_id", oidcService.getClientId())
+.queryParam("response_type", "code")
+.queryParam("scope", oidcService.getScope().toString())
+.queryParam("state", state.getValue())
+.queryParam("redirect_uri", getOidcCallback())
+.build();
+
+// generate the response
+httpServletResponse.sendRedirect(authorizationUri.toString());
+}
+
+@GET
+@Consumes(MediaType.WILDCARD)
+@Produces(MediaType.WILDCARD)
+@Path("oidc/callback")
+@ApiOperation(
+value = "Redirect/callback URI for processing the result of 
the OpenId Connect login sequence."
+)
+public void oidcCallback(@Context HttpServletRequest 
httpServletRequest, @Context HttpServletResponse httpServletResponse) throws 
Exception {
+// only consider user specific access over https
+if (!httpServletRequest.isSecure()) {
+forwardToMessagePage(httpServletRequest, httpServletResponse, 
"User authentication/authorization is only supported when running over HTTPS.");
+return;
+}
+
+// ensure oidc is enabled
+if (!oidcService.isOidcEnabled()) {
+forwardToMessagePage(httpServletRequest, httpServletResponse, 
"OpenId Connect is not configured.");
+return;
+}
+
+final String oidcRequestIdentifier = 
getCookieValue(httpServletRequest.getCookies(), OIDC_REQUEST_IDENTIFIER);
+if (oidcRequestIdentifier == null) {
+forwardToMessagePage(httpServletRequest, httpServletResponse, 
"The login request identifier was not found in the request. Unable to 
continue.");
+return;
+}
+
+final com.nimbusds.openid.connect.sdk.AuthenticationResponse 
oidcResponse = AuthenticationResponseParser.parse(getRequestUri());
+if (oidcResponse.indicatesSuccess()) {
+final AuthenticationSuccessResponse successfulOidcResponse = 
(AuthenticationSuccessResponse) oidcResponse;
+
+// confirm state
+final State state = successfulOidcResponse.getState();
+if (!oidcService.isStateValid(oidcRequestIdentifier, state)) {
+logger.error("Purposed state does not match the stored 
state. Unable to continue login process.");
+
+// remove the oidc request cookie
+removeOidcRequestCookie(httpServletResponse);
+
+// forward to the error page
+forwardToMessagePage(httpServletRequest, 
httpServletResponse, "Purposed state 

[jira] [Commented] (NIFI-4210) Add OpenId Connect support for authenticating users

[ASF GitHub Bot (JIRA)]

[ 
https://issues.apache.org/jira/browse/NIFI-4210?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16109930#comment-16109930
 ] 

ASF GitHub Bot commented on NIFI-4210:
--

Github user alopresto commented on a diff in the pull request:

https://github.com/apache/nifi/pull/2047#discussion_r130747485
  
--- Diff: 
nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/api/AccessResource.java
 ---
@@ -125,6 +142,160 @@ public Response getLoginConfig(@Context 
HttpServletRequest httpServletRequest) {
 return generateOkResponse(entity).build();
 }
 
+@GET
+@Consumes(MediaType.WILDCARD)
+@Produces(MediaType.WILDCARD)
+@Path("oidc/request")
+@ApiOperation(
+value = "Initiates a request to authenticate through the 
configured OpenId Connect provider."
+)
+public void oidcRequest(@Context HttpServletRequest 
httpServletRequest, @Context HttpServletResponse httpServletResponse) throws 
Exception {
+// only consider user specific access over https
+if (!httpServletRequest.isSecure()) {
+forwardToMessagePage(httpServletRequest, httpServletResponse, 
"User authentication/authorization is only supported when running over HTTPS.");
+return;
+}
+
+// ensure oidc is enabled
+if (!oidcService.isOidcEnabled()) {
+forwardToMessagePage(httpServletRequest, httpServletResponse, 
"OpenId Connect is not configured.");
+return;
+}
+
+final String oidcRequestIdentifier = UUID.randomUUID().toString();
+
+// generate a cookie to associate this login sequence
+final Cookie cookie = new Cookie(OIDC_REQUEST_IDENTIFIER, 
oidcRequestIdentifier);
+cookie.setPath("/");
+cookie.setHttpOnly(true);
+cookie.setMaxAge(60);
+cookie.setSecure(true);
+httpServletResponse.addCookie(cookie);
+
+// get the state for this request
+final State state = oidcService.createState(oidcRequestIdentifier);
+
+// build the authorization uri
+final URI authorizationUri = 
UriBuilder.fromUri(oidcService.getAuthorizationEndpoint())
+.queryParam("client_id", oidcService.getClientId())
+.queryParam("response_type", "code")
+.queryParam("scope", oidcService.getScope().toString())
+.queryParam("state", state.getValue())
+.queryParam("redirect_uri", getOidcCallback())
+.build();
+
+// generate the response
+httpServletResponse.sendRedirect(authorizationUri.toString());
+}
+
+@GET
+@Consumes(MediaType.WILDCARD)
+@Produces(MediaType.WILDCARD)
+@Path("oidc/callback")
+@ApiOperation(
+value = "Redirect/callback URI for processing the result of 
the OpenId Connect login sequence."
+)
+public void oidcCallback(@Context HttpServletRequest 
httpServletRequest, @Context HttpServletResponse httpServletResponse) throws 
Exception {
+// only consider user specific access over https
+if (!httpServletRequest.isSecure()) {
+forwardToMessagePage(httpServletRequest, httpServletResponse, 
"User authentication/authorization is only supported when running over HTTPS.");
+return;
+}
+
+// ensure oidc is enabled
+if (!oidcService.isOidcEnabled()) {
+forwardToMessagePage(httpServletRequest, httpServletResponse, 
"OpenId Connect is not configured.");
+return;
+}
+
+final String oidcRequestIdentifier = 
getCookieValue(httpServletRequest.getCookies(), OIDC_REQUEST_IDENTIFIER);
+if (oidcRequestIdentifier == null) {
+forwardToMessagePage(httpServletRequest, httpServletResponse, 
"The login request identifier was not found in the request. Unable to 
continue.");
+return;
+}
+
+final com.nimbusds.openid.connect.sdk.AuthenticationResponse 
oidcResponse = AuthenticationResponseParser.parse(getRequestUri());
+if (oidcResponse.indicatesSuccess()) {
+final AuthenticationSuccessResponse successfulOidcResponse = 
(AuthenticationSuccessResponse) oidcResponse;
+
+// confirm state
+final State state = successfulOidcResponse.getState();
+if (!oidcService.isStateValid(oidcRequestIdentifier, state)) {
+logger.error("Purposed state does not match the stored 
state. Unable to continue login process.");
--- End diff --

I don't understand 

[GitHub] nifi pull request #2047: NIFI-4210: Add support for OpenId Connect

[alopresto]

Github user alopresto commented on a diff in the pull request:

https://github.com/apache/nifi/pull/2047#discussion_r130747485
  
--- Diff: 
nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/api/AccessResource.java
 ---
@@ -125,6 +142,160 @@ public Response getLoginConfig(@Context 
HttpServletRequest httpServletRequest) {
 return generateOkResponse(entity).build();
 }
 
+@GET
+@Consumes(MediaType.WILDCARD)
+@Produces(MediaType.WILDCARD)
+@Path("oidc/request")
+@ApiOperation(
+value = "Initiates a request to authenticate through the 
configured OpenId Connect provider."
+)
+public void oidcRequest(@Context HttpServletRequest 
httpServletRequest, @Context HttpServletResponse httpServletResponse) throws 
Exception {
+// only consider user specific access over https
+if (!httpServletRequest.isSecure()) {
+forwardToMessagePage(httpServletRequest, httpServletResponse, 
"User authentication/authorization is only supported when running over HTTPS.");
+return;
+}
+
+// ensure oidc is enabled
+if (!oidcService.isOidcEnabled()) {
+forwardToMessagePage(httpServletRequest, httpServletResponse, 
"OpenId Connect is not configured.");
+return;
+}
+
+final String oidcRequestIdentifier = UUID.randomUUID().toString();
+
+// generate a cookie to associate this login sequence
+final Cookie cookie = new Cookie(OIDC_REQUEST_IDENTIFIER, 
oidcRequestIdentifier);
+cookie.setPath("/");
+cookie.setHttpOnly(true);
+cookie.setMaxAge(60);
+cookie.setSecure(true);
+httpServletResponse.addCookie(cookie);
+
+// get the state for this request
+final State state = oidcService.createState(oidcRequestIdentifier);
+
+// build the authorization uri
+final URI authorizationUri = 
UriBuilder.fromUri(oidcService.getAuthorizationEndpoint())
+.queryParam("client_id", oidcService.getClientId())
+.queryParam("response_type", "code")
+.queryParam("scope", oidcService.getScope().toString())
+.queryParam("state", state.getValue())
+.queryParam("redirect_uri", getOidcCallback())
+.build();
+
+// generate the response
+httpServletResponse.sendRedirect(authorizationUri.toString());
+}
+
+@GET
+@Consumes(MediaType.WILDCARD)
+@Produces(MediaType.WILDCARD)
+@Path("oidc/callback")
+@ApiOperation(
+value = "Redirect/callback URI for processing the result of 
the OpenId Connect login sequence."
+)
+public void oidcCallback(@Context HttpServletRequest 
httpServletRequest, @Context HttpServletResponse httpServletResponse) throws 
Exception {
+// only consider user specific access over https
+if (!httpServletRequest.isSecure()) {
+forwardToMessagePage(httpServletRequest, httpServletResponse, 
"User authentication/authorization is only supported when running over HTTPS.");
+return;
+}
+
+// ensure oidc is enabled
+if (!oidcService.isOidcEnabled()) {
+forwardToMessagePage(httpServletRequest, httpServletResponse, 
"OpenId Connect is not configured.");
+return;
+}
+
+final String oidcRequestIdentifier = 
getCookieValue(httpServletRequest.getCookies(), OIDC_REQUEST_IDENTIFIER);
+if (oidcRequestIdentifier == null) {
+forwardToMessagePage(httpServletRequest, httpServletResponse, 
"The login request identifier was not found in the request. Unable to 
continue.");
+return;
+}
+
+final com.nimbusds.openid.connect.sdk.AuthenticationResponse 
oidcResponse = AuthenticationResponseParser.parse(getRequestUri());
+if (oidcResponse.indicatesSuccess()) {
+final AuthenticationSuccessResponse successfulOidcResponse = 
(AuthenticationSuccessResponse) oidcResponse;
+
+// confirm state
+final State state = successfulOidcResponse.getState();
+if (!oidcService.isStateValid(oidcRequestIdentifier, state)) {
+logger.error("Purposed state does not match the stored 
state. Unable to continue login process.");
--- End diff --

I don't understand what "Purposed state" refers to here. 


---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the 

[jira] [Commented] (NIFI-4210) Add OpenId Connect support for authenticating users

[ASF GitHub Bot (JIRA)]

[ 
https://issues.apache.org/jira/browse/NIFI-4210?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16109927#comment-16109927
 ] 

ASF GitHub Bot commented on NIFI-4210:
--

Github user alopresto commented on a diff in the pull request:

https://github.com/apache/nifi/pull/2047#discussion_r130747327
  
--- Diff: 
nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/api/AccessResource.java
 ---
@@ -125,6 +142,160 @@ public Response getLoginConfig(@Context 
HttpServletRequest httpServletRequest) {
 return generateOkResponse(entity).build();
 }
 
+@GET
+@Consumes(MediaType.WILDCARD)
+@Produces(MediaType.WILDCARD)
+@Path("oidc/request")
+@ApiOperation(
+value = "Initiates a request to authenticate through the 
configured OpenId Connect provider."
+)
+public void oidcRequest(@Context HttpServletRequest 
httpServletRequest, @Context HttpServletResponse httpServletResponse) throws 
Exception {
+// only consider user specific access over https
+if (!httpServletRequest.isSecure()) {
+forwardToMessagePage(httpServletRequest, httpServletResponse, 
"User authentication/authorization is only supported when running over HTTPS.");
+return;
+}
+
+// ensure oidc is enabled
+if (!oidcService.isOidcEnabled()) {
+forwardToMessagePage(httpServletRequest, httpServletResponse, 
"OpenId Connect is not configured.");
+return;
+}
+
+final String oidcRequestIdentifier = UUID.randomUUID().toString();
+
+// generate a cookie to associate this login sequence
+final Cookie cookie = new Cookie(OIDC_REQUEST_IDENTIFIER, 
oidcRequestIdentifier);
+cookie.setPath("/");
+cookie.setHttpOnly(true);
+cookie.setMaxAge(60);
+cookie.setSecure(true);
+httpServletResponse.addCookie(cookie);
+
+// get the state for this request
+final State state = oidcService.createState(oidcRequestIdentifier);
+
+// build the authorization uri
+final URI authorizationUri = 
UriBuilder.fromUri(oidcService.getAuthorizationEndpoint())
+.queryParam("client_id", oidcService.getClientId())
+.queryParam("response_type", "code")
+.queryParam("scope", oidcService.getScope().toString())
+.queryParam("state", state.getValue())
+.queryParam("redirect_uri", getOidcCallback())
+.build();
+
+// generate the response
+httpServletResponse.sendRedirect(authorizationUri.toString());
+}
+
+@GET
+@Consumes(MediaType.WILDCARD)
+@Produces(MediaType.WILDCARD)
+@Path("oidc/callback")
+@ApiOperation(
+value = "Redirect/callback URI for processing the result of 
the OpenId Connect login sequence."
+)
+public void oidcCallback(@Context HttpServletRequest 
httpServletRequest, @Context HttpServletResponse httpServletResponse) throws 
Exception {
+// only consider user specific access over https
+if (!httpServletRequest.isSecure()) {
+forwardToMessagePage(httpServletRequest, httpServletResponse, 
"User authentication/authorization is only supported when running over HTTPS.");
+return;
+}
+
+// ensure oidc is enabled
+if (!oidcService.isOidcEnabled()) {
+forwardToMessagePage(httpServletRequest, httpServletResponse, 
"OpenId Connect is not configured.");
+return;
+}
+
+final String oidcRequestIdentifier = 
getCookieValue(httpServletRequest.getCookies(), OIDC_REQUEST_IDENTIFIER);
+if (oidcRequestIdentifier == null) {
--- End diff --

Can this return value be an empty/blank String rather than `null`?


> Add OpenId Connect support for authenticating users
> ---
>
> Key: NIFI-4210
> URL: https://issues.apache.org/jira/browse/NIFI-4210
> Project: Apache NiFi
>  Issue Type: Improvement
>  Components: Core Framework, Core UI
>Reporter: Matt Gilman
>Assignee: Matt Gilman
>
> Add support for authenticating users with the OpenId Connection 
> specification. Evaluate whether a new extension point is necessary to allow 
> for a given provider to supply custom code for instance to implement custom 
> token validation.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

[GitHub] nifi pull request #2047: NIFI-4210: Add support for OpenId Connect

[alopresto]

Github user alopresto commented on a diff in the pull request:

https://github.com/apache/nifi/pull/2047#discussion_r130747327
  
--- Diff: 
nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/api/AccessResource.java
 ---
@@ -125,6 +142,160 @@ public Response getLoginConfig(@Context 
HttpServletRequest httpServletRequest) {
 return generateOkResponse(entity).build();
 }
 
+@GET
+@Consumes(MediaType.WILDCARD)
+@Produces(MediaType.WILDCARD)
+@Path("oidc/request")
+@ApiOperation(
+value = "Initiates a request to authenticate through the 
configured OpenId Connect provider."
+)
+public void oidcRequest(@Context HttpServletRequest 
httpServletRequest, @Context HttpServletResponse httpServletResponse) throws 
Exception {
+// only consider user specific access over https
+if (!httpServletRequest.isSecure()) {
+forwardToMessagePage(httpServletRequest, httpServletResponse, 
"User authentication/authorization is only supported when running over HTTPS.");
+return;
+}
+
+// ensure oidc is enabled
+if (!oidcService.isOidcEnabled()) {
+forwardToMessagePage(httpServletRequest, httpServletResponse, 
"OpenId Connect is not configured.");
+return;
+}
+
+final String oidcRequestIdentifier = UUID.randomUUID().toString();
+
+// generate a cookie to associate this login sequence
+final Cookie cookie = new Cookie(OIDC_REQUEST_IDENTIFIER, 
oidcRequestIdentifier);
+cookie.setPath("/");
+cookie.setHttpOnly(true);
+cookie.setMaxAge(60);
+cookie.setSecure(true);
+httpServletResponse.addCookie(cookie);
+
+// get the state for this request
+final State state = oidcService.createState(oidcRequestIdentifier);
+
+// build the authorization uri
+final URI authorizationUri = 
UriBuilder.fromUri(oidcService.getAuthorizationEndpoint())
+.queryParam("client_id", oidcService.getClientId())
+.queryParam("response_type", "code")
+.queryParam("scope", oidcService.getScope().toString())
+.queryParam("state", state.getValue())
+.queryParam("redirect_uri", getOidcCallback())
+.build();
+
+// generate the response
+httpServletResponse.sendRedirect(authorizationUri.toString());
+}
+
+@GET
+@Consumes(MediaType.WILDCARD)
+@Produces(MediaType.WILDCARD)
+@Path("oidc/callback")
+@ApiOperation(
+value = "Redirect/callback URI for processing the result of 
the OpenId Connect login sequence."
+)
+public void oidcCallback(@Context HttpServletRequest 
httpServletRequest, @Context HttpServletResponse httpServletResponse) throws 
Exception {
+// only consider user specific access over https
+if (!httpServletRequest.isSecure()) {
+forwardToMessagePage(httpServletRequest, httpServletResponse, 
"User authentication/authorization is only supported when running over HTTPS.");
+return;
+}
+
+// ensure oidc is enabled
+if (!oidcService.isOidcEnabled()) {
+forwardToMessagePage(httpServletRequest, httpServletResponse, 
"OpenId Connect is not configured.");
+return;
+}
+
+final String oidcRequestIdentifier = 
getCookieValue(httpServletRequest.getCookies(), OIDC_REQUEST_IDENTIFIER);
+if (oidcRequestIdentifier == null) {
--- End diff --

Can this return value be an empty/blank String rather than `null`?


---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastruct...@apache.org or file a JIRA ticket
with INFRA.
---

[jira] [Commented] (NIFI-4210) Add OpenId Connect support for authenticating users

[ASF GitHub Bot (JIRA)]

[ 
https://issues.apache.org/jira/browse/NIFI-4210?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16109924#comment-16109924
 ] 

ASF GitHub Bot commented on NIFI-4210:
--

Github user alopresto commented on a diff in the pull request:

https://github.com/apache/nifi/pull/2047#discussion_r130747016
  
--- Diff: 
nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/api/AccessResource.java
 ---
@@ -125,6 +142,160 @@ public Response getLoginConfig(@Context 
HttpServletRequest httpServletRequest) {
 return generateOkResponse(entity).build();
 }
 
+@GET
+@Consumes(MediaType.WILDCARD)
+@Produces(MediaType.WILDCARD)
+@Path("oidc/request")
+@ApiOperation(
+value = "Initiates a request to authenticate through the 
configured OpenId Connect provider."
+)
+public void oidcRequest(@Context HttpServletRequest 
httpServletRequest, @Context HttpServletResponse httpServletResponse) throws 
Exception {
+// only consider user specific access over https
+if (!httpServletRequest.isSecure()) {
+forwardToMessagePage(httpServletRequest, httpServletResponse, 
"User authentication/authorization is only supported when running over HTTPS.");
+return;
+}
+
+// ensure oidc is enabled
+if (!oidcService.isOidcEnabled()) {
+forwardToMessagePage(httpServletRequest, httpServletResponse, 
"OpenId Connect is not configured.");
+return;
+}
+
+final String oidcRequestIdentifier = UUID.randomUUID().toString();
+
+// generate a cookie to associate this login sequence
+final Cookie cookie = new Cookie(OIDC_REQUEST_IDENTIFIER, 
oidcRequestIdentifier);
+cookie.setPath("/");
+cookie.setHttpOnly(true);
+cookie.setMaxAge(60);
+cookie.setSecure(true);
+httpServletResponse.addCookie(cookie);
+
+// get the state for this request
+final State state = oidcService.createState(oidcRequestIdentifier);
+
+// build the authorization uri
+final URI authorizationUri = 
UriBuilder.fromUri(oidcService.getAuthorizationEndpoint())
--- End diff --

My initial understanding is that all of these parameters are required for 
the call to work -- can we validate that the values are present and valid 
before attempting the request?


> Add OpenId Connect support for authenticating users
> ---
>
> Key: NIFI-4210
> URL: https://issues.apache.org/jira/browse/NIFI-4210
> Project: Apache NiFi
>  Issue Type: Improvement
>  Components: Core Framework, Core UI
>Reporter: Matt Gilman
>Assignee: Matt Gilman
>
> Add support for authenticating users with the OpenId Connection 
> specification. Evaluate whether a new extension point is necessary to allow 
> for a given provider to supply custom code for instance to implement custom 
> token validation.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

[GitHub] nifi pull request #2047: NIFI-4210: Add support for OpenId Connect

[alopresto]

Github user alopresto commented on a diff in the pull request:

https://github.com/apache/nifi/pull/2047#discussion_r130747016
  
--- Diff: 
nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/api/AccessResource.java
 ---
@@ -125,6 +142,160 @@ public Response getLoginConfig(@Context 
HttpServletRequest httpServletRequest) {
 return generateOkResponse(entity).build();
 }
 
+@GET
+@Consumes(MediaType.WILDCARD)
+@Produces(MediaType.WILDCARD)
+@Path("oidc/request")
+@ApiOperation(
+value = "Initiates a request to authenticate through the 
configured OpenId Connect provider."
+)
+public void oidcRequest(@Context HttpServletRequest 
httpServletRequest, @Context HttpServletResponse httpServletResponse) throws 
Exception {
+// only consider user specific access over https
+if (!httpServletRequest.isSecure()) {
+forwardToMessagePage(httpServletRequest, httpServletResponse, 
"User authentication/authorization is only supported when running over HTTPS.");
+return;
+}
+
+// ensure oidc is enabled
+if (!oidcService.isOidcEnabled()) {
+forwardToMessagePage(httpServletRequest, httpServletResponse, 
"OpenId Connect is not configured.");
+return;
+}
+
+final String oidcRequestIdentifier = UUID.randomUUID().toString();
+
+// generate a cookie to associate this login sequence
+final Cookie cookie = new Cookie(OIDC_REQUEST_IDENTIFIER, 
oidcRequestIdentifier);
+cookie.setPath("/");
+cookie.setHttpOnly(true);
+cookie.setMaxAge(60);
+cookie.setSecure(true);
+httpServletResponse.addCookie(cookie);
+
+// get the state for this request
+final State state = oidcService.createState(oidcRequestIdentifier);
+
+// build the authorization uri
+final URI authorizationUri = 
UriBuilder.fromUri(oidcService.getAuthorizationEndpoint())
--- End diff --

My initial understanding is that all of these parameters are required for 
the call to work -- can we validate that the values are present and valid 
before attempting the request?


---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastruct...@apache.org or file a JIRA ticket
with INFRA.
---

[jira] [Commented] (NIFI-4210) Add OpenId Connect support for authenticating users

[ASF GitHub Bot (JIRA)]

[ 
https://issues.apache.org/jira/browse/NIFI-4210?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16109915#comment-16109915
 ] 

ASF GitHub Bot commented on NIFI-4210:
--

Github user alopresto commented on the issue:

https://github.com/apache/nifi/pull/2047
  
Reviewing...


> Add OpenId Connect support for authenticating users
> ---
>
> Key: NIFI-4210
> URL: https://issues.apache.org/jira/browse/NIFI-4210
> Project: Apache NiFi
>  Issue Type: Improvement
>  Components: Core Framework, Core UI
>Reporter: Matt Gilman
>Assignee: Matt Gilman
>
> Add support for authenticating users with the OpenId Connection 
> specification. Evaluate whether a new extension point is necessary to allow 
> for a given provider to supply custom code for instance to implement custom 
> token validation.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

[GitHub] nifi issue #2047: NIFI-4210: Add support for OpenId Connect

[alopresto]

Github user alopresto commented on the issue:

https://github.com/apache/nifi/pull/2047
  
Reviewing...


---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastruct...@apache.org or file a JIRA ticket
with INFRA.
---

[jira] [Commented] (NIFI-4253) Add support for Oracle 12+

[ASF GitHub Bot (JIRA)]

[ 
https://issues.apache.org/jira/browse/NIFI-4253?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16109869#comment-16109869
 ] 

ASF GitHub Bot commented on NIFI-4253:
--

GitHub user mattyb149 opened a pull request:

https://github.com/apache/nifi/pull/2048

NIFI-4253: Add Oracle 12+ database adapter

Thank you for submitting a contribution to Apache NiFi.

In order to streamline the review of the contribution we ask you
to ensure the following steps have been taken:

### For all changes:
- [x] Is there a JIRA ticket associated with this PR? Is it referenced 
 in the commit message?

- [x] Does your PR title start with NIFI- where  is the JIRA number 
you are trying to resolve? Pay particular attention to the hyphen "-" character.

- [x] Has your PR been rebased against the latest commit within the target 
branch (typically master)?

- [x] Is your initial contribution a single, squashed commit?

### For code changes:
- [x] Have you ensured that the full suite of tests is executed via mvn 
-Pcontrib-check clean install at the root nifi folder?
- [x] Have you written or updated unit tests to verify your changes?
- [ ] If adding new dependencies to the code, are these dependencies 
licensed in a way that is compatible for inclusion under [ASF 
2.0](http://www.apache.org/legal/resolved.html#category-a)? 
- [ ] If applicable, have you updated the LICENSE file, including the main 
LICENSE file under nifi-assembly?
- [ ] If applicable, have you updated the NOTICE file, including the main 
NOTICE file found under nifi-assembly?
- [ ] If adding new Properties, have you added .displayName in addition to 
.name (programmatic access) for each of the new properties?

### For documentation related changes:
- [ ] Have you ensured that format looks appropriate for the output in 
which it is rendered?

### Note:
Please ensure that once the PR is submitted, you check travis-ci for build 
issues and submit an update to your PR as soon as possible.


You can merge this pull request into a Git repository by running:

$ git pull https://github.com/mattyb149/nifi NIFI-4253

Alternatively you can review and apply these changes as the patch at:

https://github.com/apache/nifi/pull/2048.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

This closes #2048


commit 82ff0ebeaba146f1da79b3321a0fc22a4750317c
Author: Matt Burgess 
Date:   2017-08-01T21:59:42Z

NIFI-4253: Add Oracle 12+ database adapter




> Add support for Oracle 12+
> --
>
> Key: NIFI-4253
> URL: https://issues.apache.org/jira/browse/NIFI-4253
> Project: Apache NiFi
>  Issue Type: Improvement
>  Components: Extensions
>Reporter: Matt Burgess
>Assignee: Matt Burgess
>
> The current Oracle database adapter in NiFi is compatible with versions of 
> Oracle up to 11, but does not make use of constructs available in Oracle 12 
> (such as OFFSET/FETCH). Adding an adapter that can make use of these 
> improvements will provide better support for such database versions.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

[jira] [Updated] (NIFI-4253) Add support for Oracle 12+

[Matt Burgess (JIRA)]

 [ 
https://issues.apache.org/jira/browse/NIFI-4253?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Matt Burgess updated NIFI-4253:
---
Status: Patch Available  (was: In Progress)

> Add support for Oracle 12+
> --
>
> Key: NIFI-4253
> URL: https://issues.apache.org/jira/browse/NIFI-4253
> Project: Apache NiFi
>  Issue Type: Improvement
>  Components: Extensions
>Reporter: Matt Burgess
>Assignee: Matt Burgess
>
> The current Oracle database adapter in NiFi is compatible with versions of 
> Oracle up to 11, but does not make use of constructs available in Oracle 12 
> (such as OFFSET/FETCH). Adding an adapter that can make use of these 
> improvements will provide better support for such database versions.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

[jira] [Assigned] (NIFI-4253) Add support for Oracle 12+

[Matt Burgess (JIRA)]

 [ 
https://issues.apache.org/jira/browse/NIFI-4253?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Matt Burgess reassigned NIFI-4253:
--

Assignee: Matt Burgess

> Add support for Oracle 12+
> --
>
> Key: NIFI-4253
> URL: https://issues.apache.org/jira/browse/NIFI-4253
> Project: Apache NiFi
>  Issue Type: Improvement
>  Components: Extensions
>Reporter: Matt Burgess
>Assignee: Matt Burgess
>
> The current Oracle database adapter in NiFi is compatible with versions of 
> Oracle up to 11, but does not make use of constructs available in Oracle 12 
> (such as OFFSET/FETCH). Adding an adapter that can make use of these 
> improvements will provide better support for such database versions.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

[jira] [Created] (NIFI-4253) Add support for Oracle 12+

[Matt Burgess (JIRA)]

Matt Burgess created NIFI-4253:
--

 Summary: Add support for Oracle 12+
 Key: NIFI-4253
 URL: https://issues.apache.org/jira/browse/NIFI-4253
 Project: Apache NiFi
  Issue Type: Improvement
  Components: Extensions
Reporter: Matt Burgess


The current Oracle database adapter in NiFi is compatible with versions of 
Oracle up to 11, but does not make use of constructs available in Oracle 12 
(such as OFFSET/FETCH). Adding an adapter that can make use of these 
improvements will provide better support for such database versions.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

[jira] [Updated] (NIFI-4210) Add OpenId Connect support for authenticating users

[Matt Gilman (JIRA)]

 [ 
https://issues.apache.org/jira/browse/NIFI-4210?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Matt Gilman updated NIFI-4210:
--
Status: Patch Available  (was: Open)

> Add OpenId Connect support for authenticating users
> ---
>
> Key: NIFI-4210
> URL: https://issues.apache.org/jira/browse/NIFI-4210
> Project: Apache NiFi
>  Issue Type: Improvement
>  Components: Core Framework, Core UI
>Reporter: Matt Gilman
>Assignee: Matt Gilman
>
> Add support for authenticating users with the OpenId Connection 
> specification. Evaluate whether a new extension point is necessary to allow 
> for a given provider to supply custom code for instance to implement custom 
> token validation.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

[jira] [Commented] (NIFI-4210) Add OpenId Connect support for authenticating users

[ASF GitHub Bot (JIRA)]

[ 
https://issues.apache.org/jira/browse/NIFI-4210?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16109630#comment-16109630
 ] 

ASF GitHub Bot commented on NIFI-4210:
--

GitHub user mcgilman opened a pull request:

https://github.com/apache/nifi/pull/2047

NIFI-4210: Add support for OpenId Connect

NIFI-4210:
- Introducing support for OpenId Connect.
- Updating REST API and UI to support the authorization code flow.

You can merge this pull request into a Git repository by running:

$ git pull https://github.com/mcgilman/nifi NIFI-4210

Alternatively you can review and apply these changes as the patch at:

https://github.com/apache/nifi/pull/2047.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

This closes #2047


commit 4859baa29f42ff98e3747527cb0135e306baa7d2
Author: Matt Gilman 
Date:   2017-08-01T14:46:45Z

NIFI-4210:
- Introducing support for OpenId Connect.
- Updating REST API and UI to support the authorization code flow.




> Add OpenId Connect support for authenticating users
> ---
>
> Key: NIFI-4210
> URL: https://issues.apache.org/jira/browse/NIFI-4210
> Project: Apache NiFi
>  Issue Type: Improvement
>  Components: Core Framework, Core UI
>Reporter: Matt Gilman
>Assignee: Matt Gilman
>
> Add support for authenticating users with the OpenId Connection 
> specification. Evaluate whether a new extension point is necessary to allow 
> for a given provider to supply custom code for instance to implement custom 
> token validation.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

[GitHub] nifi pull request #2047: NIFI-4210: Add support for OpenId Connect

[mcgilman]

GitHub user mcgilman opened a pull request:

https://github.com/apache/nifi/pull/2047

NIFI-4210: Add support for OpenId Connect

NIFI-4210:
- Introducing support for OpenId Connect.
- Updating REST API and UI to support the authorization code flow.

You can merge this pull request into a Git repository by running:

$ git pull https://github.com/mcgilman/nifi NIFI-4210

Alternatively you can review and apply these changes as the patch at:

https://github.com/apache/nifi/pull/2047.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

This closes #2047


commit 4859baa29f42ff98e3747527cb0135e306baa7d2
Author: Matt Gilman 
Date:   2017-08-01T14:46:45Z

NIFI-4210:
- Introducing support for OpenId Connect.
- Updating REST API and UI to support the authorization code flow.




---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastruct...@apache.org or file a JIRA ticket
with INFRA.
---

[jira] [Commented] (NIFI-4248) Create processor for Apache Rya

[ASF GitHub Bot (JIRA)]

[ 
https://issues.apache.org/jira/browse/NIFI-4248?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16109609#comment-16109609
 ] 

ASF GitHub Bot commented on NIFI-4248:
--

Github user bbende commented on the issue:

https://github.com/apache/nifi/pull/2043
  
Hi @jzonthemtn , thanks for contributing... 

I don't really know much about Apache Rya, other than the high-level 
description, but I was glancing over this PR... since PutRya is assuming the 
triples were created upstream, is there a reason the InvokeHttp processor 
couldn't be used to POST them to Rya?


> Create processor for Apache Rya
> ---
>
> Key: NIFI-4248
> URL: https://issues.apache.org/jira/browse/NIFI-4248
> Project: Apache NiFi
>  Issue Type: Task
>  Components: Extensions
>Reporter: Jeff Zemerick
>Priority: Minor
>
> Create a processor to ingest triples into Apache Rya.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

[GitHub] nifi issue #2043: NIFI-4248: Adding Rya processor.

[bbende]

Github user bbende commented on the issue:

https://github.com/apache/nifi/pull/2043
  
Hi @jzonthemtn , thanks for contributing... 

I don't really know much about Apache Rya, other than the high-level 
description, but I was glancing over this PR... since PutRya is assuming the 
triples were created upstream, is there a reason the InvokeHttp processor 
couldn't be used to POST them to Rya?


---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastruct...@apache.org or file a JIRA ticket
with INFRA.
---

[jira] [Commented] (NIFI-4022) Use SASL Auth Scheme For Secured Zookeeper Client Interaction

[ASF GitHub Bot (JIRA)]

[ 
https://issues.apache.org/jira/browse/NIFI-4022?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16109588#comment-16109588
 ] 

ASF GitHub Bot commented on NIFI-4022:
--

GitHub user YolandaMDavis opened a pull request:

https://github.com/apache/nifi/pull/2046

NIFI-4022 - Enabled SASL auth scheme/ACL support for Curator use 

Enhancement allows user to enable SASL based ACL's for nodes created via 
Curator for cluster management (e.g. leader election nodes, Cluster 
Coordinator/Primary Nodes).

For testing would recommend the following actions:

1) Follow the updated administrator guide (included in PR as a separate 
commit) for enabling kerberos on Zookeeper (external or embedded) and NiFi

2)Testing with nifi nodes where principals vary across servers.  For 
example nifi/instan...@realm.com vs nifi/instan...@realm.com.  In this case the 
kerberos.removeHostFromPrincipal would need to be true (in both 
zookeeper.properties and nifi.properties) to ensure that the user will be 
normalized as n...@realm.com for acls.

3) Ensuring leader election scenarios work as expected with acls in place 
on the /nifi path (acl should be 'sasl',  cdrwa and 'world', anyone r).  
Recommended scenario is removal of Cluster Coordinator from a cluster to ensure 
new coordinator is elected. 

Thank you for submitting a contribution to Apache NiFi.

In order to streamline the review of the contribution we ask you
to ensure the following steps have been taken:

### For all changes:
- [x] Is there a JIRA ticket associated with this PR? Is it referenced 
 in the commit message?

- [x] Does your PR title start with NIFI- where  is the JIRA number 
you are trying to resolve? Pay particular attention to the hyphen "-" character.

- [ ] Has your PR been rebased against the latest commit within the target 
branch (typically master)?

- [ ] Is your initial contribution a single, squashed commit?

### For code changes:
- [ ] Have you ensured that the full suite of tests is executed via mvn 
-Pcontrib-check clean install at the root nifi folder?
- [x] Have you written or updated unit tests to verify your changes?
- [ ] If adding new dependencies to the code, are these dependencies 
licensed in a way that is compatible for inclusion under [ASF 
2.0](http://www.apache.org/legal/resolved.html#category-a)? 
- [ ] If applicable, have you updated the LICENSE file, including the main 
LICENSE file under nifi-assembly?
- [ ] If applicable, have you updated the NOTICE file, including the main 
NOTICE file found under nifi-assembly?
- [ ] If adding new Properties, have you added .displayName in addition to 
.name (programmatic access) for each of the new properties?

### For documentation related changes:
- [x] Have you ensured that format looks appropriate for the output in 
which it is rendered?

### Note:
Please ensure that once the PR is submitted, you check travis-ci for build 
issues and submit an update to your PR as soon as possible.


You can merge this pull request into a Git repository by running:

$ git pull https://github.com/YolandaMDavis/nifi NIFI-4022

Alternatively you can review and apply these changes as the patch at:

https://github.com/apache/nifi/pull/2046.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

This closes #2046


commit 9e43229ed409527ffe3bab0b3bdb7584e64ce98e
Author: Yolanda M. Davis 
Date:   2017-07-31T17:27:48Z

NIFI-4022 - Initial update for SASL support for cluster management in 
Zookeeper

commit 588a5ca995c46f94e893b249a787be7c8104e060
Author: Yolanda M. Davis 
Date:   2017-08-01T18:31:15Z

NIFI-4022 - adding sasl documentation update and update to test




> Use SASL Auth Scheme For Secured Zookeeper Client Interaction
> -
>
> Key: NIFI-4022
> URL: https://issues.apache.org/jira/browse/NIFI-4022
> Project: Apache NiFi
>  Issue Type: Bug
>Affects Versions: 1.2.0
>Reporter: Yolanda M. Davis
>Assignee: Yolanda M. Davis
>
> NiFi uses Zookeeper to assist in cluster orchestration including leader 
> elections for Primary Node and Cluster Coordinator and to store state for 
> various processors (such as MonitorActivity). In secured Zookeeper 
> environments (supported by SASL + Kerberos) NiFi should protect the zNodes it 
> creates to prevent users or hosts, outside of a NiFi cluster, from accessing 
> or modifying entries.  In its current implementation security can be enforced 
> for processors that store state information in Zookeeper, however zNodes used 
> for managing 

[jira] [Assigned] (NIFI-4252) Update documentation for new processor icons

[Andrew Lim (JIRA)]

 [ 
https://issues.apache.org/jira/browse/NIFI-4252?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Andrew Lim reassigned NIFI-4252:


Assignee: Andrew Lim

> Update documentation for new processor icons
> 
>
> Key: NIFI-4252
> URL: https://issues.apache.org/jira/browse/NIFI-4252
> Project: Apache NiFi
>  Issue Type: Sub-task
>  Components: Documentation & Website
>Reporter: Andrew Lim
>Assignee: Andrew Lim
>Priority: Minor
>
> The documentation needs to be updated for the new processor icons.  This 
> includes text and screenshots as well as any legal text for use of Apache and 
> third-party logos/trademarks. 



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

[jira] [Created] (NIFI-4252) Update documentation for new processor icons

[Andrew Lim (JIRA)]

Andrew Lim created NIFI-4252:


 Summary: Update documentation for new processor icons
 Key: NIFI-4252
 URL: https://issues.apache.org/jira/browse/NIFI-4252
 Project: Apache NiFi
  Issue Type: Sub-task
  Components: Documentation & Website
Reporter: Andrew Lim
Priority: Minor


The documentation needs to be updated for the new processor icons.  This 
includes text and screenshots as well as any legal text for use of Apache and 
third-party logos/trademarks. 



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

[GitHub] nifi-minifi-cpp pull request #123: MINIFI-363: Set format macro declaration ...

[phrocker]

GitHub user phrocker opened a pull request:

https://github.com/apache/nifi-minifi-cpp/pull/123

MINIFI-363: Set format macro declaration to avoid issues from GLIBC

Thank you for submitting a contribution to Apache NiFi - MiNiFi C++.

In order to streamline the review of the contribution we ask you
to ensure the following steps have been taken:

### For all changes:
- [ ] Is there a JIRA ticket associated with this PR? Is it referenced
 in the commit message?

- [ ] Does your PR title start with MINIFI- where  is the JIRA 
number you are trying to resolve? Pay particular attention to the hyphen "-" 
character.

- [ ] Has your PR been rebased against the latest commit within the target 
branch (typically master)?

- [ ] Is your initial contribution a single, squashed commit?

### For code changes:
- [ ] If adding new dependencies to the code, are these dependencies 
licensed in a way that is compatible for inclusion under [ASF 
2.0](http://www.apache.org/legal/resolved.html#category-a)?
- [ ] If applicable, have you updated the LICENSE file?
- [ ] If applicable, have you updated the NOTICE file?

### For documentation related changes:
- [ ] Have you ensured that format looks appropriate for the output in 
which it is rendered?

### Note:
Please ensure that once the PR is submitted, you check travis-ci for build 
issues and submit an update to your PR as soon as possible.


You can merge this pull request into a Git repository by running:

$ git pull https://github.com/phrocker/nifi-minifi-cpp MINIFI-363

Alternatively you can review and apply these changes as the patch at:

https://github.com/apache/nifi-minifi-cpp/pull/123.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

This closes #123


commit 7b7b1b5bc20a92243aebe7ebe0816963a88747a0
Author: Marc Parisi 
Date:   2017-08-01T17:39:15Z

MINIFI-363: Set format macro declaration to avoid issues from GLIBC




---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastruct...@apache.org or file a JIRA ticket
with INFRA.
---

[jira] [Commented] (NIFI-4215) Avro schemas with records that have a field of themselves fail to parse, causing stackoverflow exception

[Wesley L Lawrence (JIRA)]

[ 
https://issues.apache.org/jira/browse/NIFI-4215?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16109209#comment-16109209
 ] 

Wesley L Lawrence commented on NIFI-4215:
-

[~markap14] If the 'fields' and 'fieldIndices' are private (but not final) to 
'SimpleRecordSchema', and 'fields' is still a 'Collections.unmodifiableList', 
and 'fieldIndices' isn't available outside the class, what can be mutated from 
outside 'SimpleRecordSchema'? While I agree that ideally they should also be 
final, the fact that they aren't mutable outside the 'SimpleRecordSchema', and 
that 'SimpleRecordSchema' currently doesn't mutate them (apart from a one-time 
'setFields' call, which throws an exception if used a second time) should be 
enough to maintain thread safety.

--Wes

> Avro schemas with records that have a field of themselves fail to parse, 
> causing stackoverflow exception
> 
>
> Key: NIFI-4215
> URL: https://issues.apache.org/jira/browse/NIFI-4215
> Project: Apache NiFi
>  Issue Type: Bug
>Affects Versions: 1.4.0
>Reporter: Wesley L Lawrence
>Priority: Blocker
> Fix For: 1.4.0
>
> Attachments: nifi-4215.patch
>
>
> Noticed this while attempting to use the AvroSchemaRegsitry with some complex 
> schema. Boiled down, Avro lets you define a schema such as;
> {code}
> { 
>   "namespace": "org.apache.nifi.testing", 
>   "name": "CompositRecord", 
>   "type": "record", 
>   "fields": [ 
> { 
>   "name": "id", 
>   "type": "int" 
> }, 
> { 
>   "name": "value", 
>   "type": "string" 
> }, 
> { 
>   "name": "parent", 
>   "type": [
> "null",
> "CompositRecord"
>   ]
> } 
>   ] 
> }
> {code}
> The AvroSchemaRegistry (AvroTypeUtil specifically) will fail to parse, and 
> generate a stackoverflow exception.
> I've whipped up a fix, tested it out in 1.4.0, and am just running through 
> the contrib build before I submit a patch.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

[jira] [Created] (NIFI-4251) Use Controller Services tab' white space to show process group belonging

[Russell Bateman (JIRA)]

Russell Bateman created NIFI-4251:
-

 Summary: Use Controller Services tab' white space to show process 
group belonging
 Key: NIFI-4251
 URL: https://issues.apache.org/jira/browse/NIFI-4251
 Project: Apache NiFi
  Issue Type: Improvement
  Components: Core UI
 Environment: Web browser UI, Process Group Configuration dialog
Reporter: Russell Bateman
Priority: Trivial


Add the process group name, what's shown in the General tab of the Process 
Group Configuration dialog to that dialog header in the copious white space 
available.

The reasoning is that doing this a) avoids having to click the General tab 
modally to see or be reminded of the identity of the process group to which the 
controller service instances in the Controller Services tab are associated.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

[jira] [Commented] (NIFI-4215) Avro schemas with records that have a field of themselves fail to parse, causing stackoverflow exception

[Wesley L Lawrence (JIRA)]

[ 
https://issues.apache.org/jira/browse/NIFI-4215?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16109145#comment-16109145
 ] 

Wesley L Lawrence commented on NIFI-4215:
-

Right. I didn't go with the Builder the first time, because the 
SimpleRecordSchema fields needs a circular reference when a record has a field 
of it's same type. They can't be final AFAIK...

I'll see what else I can think of.

--Wes

> Avro schemas with records that have a field of themselves fail to parse, 
> causing stackoverflow exception
> 
>
> Key: NIFI-4215
> URL: https://issues.apache.org/jira/browse/NIFI-4215
> Project: Apache NiFi
>  Issue Type: Bug
>Affects Versions: 1.4.0
>Reporter: Wesley L Lawrence
>Priority: Blocker
> Fix For: 1.4.0
>
> Attachments: nifi-4215.patch
>
>
> Noticed this while attempting to use the AvroSchemaRegsitry with some complex 
> schema. Boiled down, Avro lets you define a schema such as;
> {code}
> { 
>   "namespace": "org.apache.nifi.testing", 
>   "name": "CompositRecord", 
>   "type": "record", 
>   "fields": [ 
> { 
>   "name": "id", 
>   "type": "int" 
> }, 
> { 
>   "name": "value", 
>   "type": "string" 
> }, 
> { 
>   "name": "parent", 
>   "type": [
> "null",
> "CompositRecord"
>   ]
> } 
>   ] 
> }
> {code}
> The AvroSchemaRegistry (AvroTypeUtil specifically) will fail to parse, and 
> generate a stackoverflow exception.
> I've whipped up a fix, tested it out in 1.4.0, and am just running through 
> the contrib build before I submit a patch.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

[jira] [Created] (NIFIREG-6) Add nifi-registry-bootstrap module

[Bryan Bende (JIRA)]

Bryan Bende created NIFIREG-6:
-

 Summary: Add nifi-registry-bootstrap module
 Key: NIFIREG-6
 URL: https://issues.apache.org/jira/browse/NIFIREG-6
 Project: NiFi Registry
  Issue Type: Improvement
Affects Versions: 0.0.1
Reporter: Bryan Bende
Assignee: Bryan Bende
Priority: Minor


Currently NiFiRegistry is the entry point of the application, and in its 
current state the main method starts a new Jetty server every time.  

We should take a similar approach to NiFi where we have a bootstrap process 
that launches and communicates with the application process.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

[jira] [Comment Edited] (NIFI-4215) Avro schemas with records that have a field of themselves fail to parse, causing stackoverflow exception

[Wesley L Lawrence (JIRA)]

[ 
https://issues.apache.org/jira/browse/NIFI-4215?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16109082#comment-16109082
 ] 

Wesley L Lawrence edited comment on NIFI-4215 at 8/1/17 3:30 PM:
-

[~markap14] Thanks for adding a second eye to this code change.

I see there error that was added into AvroTypeUtil (on line 357, 
createSchema(...) ). Sorry about that, I'll get that fixed back to 'schemaId'.

I was hesitant to change the immutability of SimleRecordSchema, but there needs 
to be a way to create a place holder for the in-progress record parsing, so 
that sub-records of the same type don't create a parsing loop.

Looking back with a fresh set of eyes; I could create a 
'SimpleRecordSchemaBuilder' that's mutable, and once parsing is complete, 
returns the immutable 'SimpleRecordSchema'.

Any other ideas or feedback are welcome, and I'll get around to addressing this 
as soon as possible.

--Wes




was (Author: wesleylawrence):
[~markap14] Thanks for adding a second eye to this code change.

I see there error that was added into AvroTypeUtil (on line 357, 
createSchema(...) ).

I was hesitant to change the immutability of SimleRecordSchema, but there needs 
to be a way to create a place holder for the in-progress record parsing, so 
that sub-records of the same type don't create a parsing loop.

Looking back with a fresh set of eyes; I could create a 
'SimpleRecordSchemaBuilder' that's mutable, and once parsing is complete, 
returns the immutable 'SimpleRecordSchema'.

Any other ideas or feedback are welcome, and I'll get around to addressing this 
as soon as possible.

--Wes



> Avro schemas with records that have a field of themselves fail to parse, 
> causing stackoverflow exception
> 
>
> Key: NIFI-4215
> URL: https://issues.apache.org/jira/browse/NIFI-4215
> Project: Apache NiFi
>  Issue Type: Bug
>Affects Versions: 1.4.0
>Reporter: Wesley L Lawrence
>Priority: Blocker
> Fix For: 1.4.0
>
> Attachments: nifi-4215.patch
>
>
> Noticed this while attempting to use the AvroSchemaRegsitry with some complex 
> schema. Boiled down, Avro lets you define a schema such as;
> {code}
> { 
>   "namespace": "org.apache.nifi.testing", 
>   "name": "CompositRecord", 
>   "type": "record", 
>   "fields": [ 
> { 
>   "name": "id", 
>   "type": "int" 
> }, 
> { 
>   "name": "value", 
>   "type": "string" 
> }, 
> { 
>   "name": "parent", 
>   "type": [
> "null",
> "CompositRecord"
>   ]
> } 
>   ] 
> }
> {code}
> The AvroSchemaRegistry (AvroTypeUtil specifically) will fail to parse, and 
> generate a stackoverflow exception.
> I've whipped up a fix, tested it out in 1.4.0, and am just running through 
> the contrib build before I submit a patch.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

[jira] [Commented] (NIFI-4215) Avro schemas with records that have a field of themselves fail to parse, causing stackoverflow exception

[Wesley L Lawrence (JIRA)]

[ 
https://issues.apache.org/jira/browse/NIFI-4215?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16109082#comment-16109082
 ] 

Wesley L Lawrence commented on NIFI-4215:
-

[~markap14] Thanks for adding a second eye to this code change.

I see there error that was added into AvroTypeUtil (on line 357, 
createSchema(...) ).

I was hesitant to change the immutability of SimleRecordSchema, but there needs 
to be a way to create a place holder for the in-progress record parsing, so 
that sub-records of the same type don't create a parsing loop.

Looking back with a fresh set of eyes; I could create a 
'SimpleRecordSchemaBuilder' that's mutable, and once parsing is complete, 
returns the immutable 'SimpleRecordSchema'.

Any other ideas or feedback are welcome, and I'll get around to addressing this 
as soon as possible.

--Wes



> Avro schemas with records that have a field of themselves fail to parse, 
> causing stackoverflow exception
> 
>
> Key: NIFI-4215
> URL: https://issues.apache.org/jira/browse/NIFI-4215
> Project: Apache NiFi
>  Issue Type: Bug
>Affects Versions: 1.4.0
>Reporter: Wesley L Lawrence
>Priority: Blocker
> Fix For: 1.4.0
>
> Attachments: nifi-4215.patch
>
>
> Noticed this while attempting to use the AvroSchemaRegsitry with some complex 
> schema. Boiled down, Avro lets you define a schema such as;
> {code}
> { 
>   "namespace": "org.apache.nifi.testing", 
>   "name": "CompositRecord", 
>   "type": "record", 
>   "fields": [ 
> { 
>   "name": "id", 
>   "type": "int" 
> }, 
> { 
>   "name": "value", 
>   "type": "string" 
> }, 
> { 
>   "name": "parent", 
>   "type": [
> "null",
> "CompositRecord"
>   ]
> } 
>   ] 
> }
> {code}
> The AvroSchemaRegistry (AvroTypeUtil specifically) will fail to parse, and 
> generate a stackoverflow exception.
> I've whipped up a fix, tested it out in 1.4.0, and am just running through 
> the contrib build before I submit a patch.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

[jira] [Updated] (NIFIREG-5) Develop data model that can be shared by nifi and nifi-registry

[Bryan Bende (JIRA)]

 [ 
https://issues.apache.org/jira/browse/NIFIREG-5?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Bryan Bende updated NIFIREG-5:
--
Fix Version/s: 0.0.1

> Develop data model that can be shared by nifi and nifi-registry
> ---
>
> Key: NIFIREG-5
> URL: https://issues.apache.org/jira/browse/NIFIREG-5
> Project: NiFi Registry
>  Issue Type: Task
>Reporter: Mark Payne
>Assignee: Mark Payne
> Fix For: 0.0.1
>
>




--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

[jira] [Resolved] (NIFIREG-5) Develop data model that can be shared by nifi and nifi-registry

[Bryan Bende (JIRA)]

 [ 
https://issues.apache.org/jira/browse/NIFIREG-5?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Bryan Bende resolved NIFIREG-5.
---
Resolution: Fixed

> Develop data model that can be shared by nifi and nifi-registry
> ---
>
> Key: NIFIREG-5
> URL: https://issues.apache.org/jira/browse/NIFIREG-5
> Project: NiFi Registry
>  Issue Type: Task
>Reporter: Mark Payne
>Assignee: Mark Payne
> Fix For: 0.0.1
>
>




--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

[GitHub] nifi-minifi-cpp issue #118: MINIFI-311 Move to alpine base for docker image.

[achristianson]

Github user achristianson commented on the issue:

https://github.com/apache/nifi-minifi-cpp/pull/118
  
@apiri removed those dirs & rebased. Should be good to go now.


---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastruct...@apache.org or file a JIRA ticket
with INFRA.
---

[GitHub] nifi-minifi-cpp issue #117: MINIFI-338: Convert processor threads to use thr...

[phrocker]

Github user phrocker commented on the issue:

https://github.com/apache/nifi-minifi-cpp/pull/117
  
@benqiu2016 I've run this for > 24 hrs without issues. Is there additional 
testing you would like to see? 


---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastruct...@apache.org or file a JIRA ticket
with INFRA.
---

[GitHub] nifi-minifi-cpp issue #118: MINIFI-311 Move to alpine base for docker image.

[achristianson]

Github user achristianson commented on the issue:

https://github.com/apache/nifi-minifi-cpp/pull/118
  
Thanks for the feedback. I will make the required changes and update the PR.


---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastruct...@apache.org or file a JIRA ticket
with INFRA.
---

[jira] [Commented] (NIFI-4248) Create processor for Apache Rya

[Jeff Zemerick (JIRA)]

[ 
https://issues.apache.org/jira/browse/NIFI-4248?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16108967#comment-16108967
 ] 

Jeff Zemerick commented on NIFI-4248:
-

There is a pull request for this at https://github.com/apache/nifi/pull/2043.

> Create processor for Apache Rya
> ---
>
> Key: NIFI-4248
> URL: https://issues.apache.org/jira/browse/NIFI-4248
> Project: Apache NiFi
>  Issue Type: Task
>  Components: Extensions
>Reporter: Jeff Zemerick
>Priority: Minor
>
> Create a processor to ingest triples into Apache Rya.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

[jira] [Commented] (NIFI-4215) Avro schemas with records that have a field of themselves fail to parse, causing stackoverflow exception

[Mark Payne (JIRA)]

[ 
https://issues.apache.org/jira/browse/NIFI-4215?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16108935#comment-16108935
 ] 

Mark Payne commented on NIFI-4215:
--

Also changed priority of this from Minor to Blocker because I don't think we 
can release this as-is. Any flow that attempts to write schema information from 
the local avro schema registry will fail.

> Avro schemas with records that have a field of themselves fail to parse, 
> causing stackoverflow exception
> 
>
> Key: NIFI-4215
> URL: https://issues.apache.org/jira/browse/NIFI-4215
> Project: Apache NiFi
>  Issue Type: Bug
>Affects Versions: 1.4.0
>Reporter: Wesley L Lawrence
>Priority: Blocker
> Fix For: 1.4.0
>
> Attachments: nifi-4215.patch
>
>
> Noticed this while attempting to use the AvroSchemaRegsitry with some complex 
> schema. Boiled down, Avro lets you define a schema such as;
> {code}
> { 
>   "namespace": "org.apache.nifi.testing", 
>   "name": "CompositRecord", 
>   "type": "record", 
>   "fields": [ 
> { 
>   "name": "id", 
>   "type": "int" 
> }, 
> { 
>   "name": "value", 
>   "type": "string" 
> }, 
> { 
>   "name": "parent", 
>   "type": [
> "null",
> "CompositRecord"
>   ]
> } 
>   ] 
> }
> {code}
> The AvroSchemaRegistry (AvroTypeUtil specifically) will fail to parse, and 
> generate a stackoverflow exception.
> I've whipped up a fix, tested it out in 1.4.0, and am just running through 
> the contrib build before I submit a patch.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

[jira] [Updated] (NIFI-4215) Avro schemas with records that have a field of themselves fail to parse, causing stackoverflow exception

[Mark Payne (JIRA)]

 [ 
https://issues.apache.org/jira/browse/NIFI-4215?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Mark Payne updated NIFI-4215:
-
Priority: Blocker  (was: Minor)

> Avro schemas with records that have a field of themselves fail to parse, 
> causing stackoverflow exception
> 
>
> Key: NIFI-4215
> URL: https://issues.apache.org/jira/browse/NIFI-4215
> Project: Apache NiFi
>  Issue Type: Bug
>Affects Versions: 1.4.0
>Reporter: Wesley L Lawrence
>Priority: Blocker
> Fix For: 1.4.0
>
> Attachments: nifi-4215.patch
>
>
> Noticed this while attempting to use the AvroSchemaRegsitry with some complex 
> schema. Boiled down, Avro lets you define a schema such as;
> {code}
> { 
>   "namespace": "org.apache.nifi.testing", 
>   "name": "CompositRecord", 
>   "type": "record", 
>   "fields": [ 
> { 
>   "name": "id", 
>   "type": "int" 
> }, 
> { 
>   "name": "value", 
>   "type": "string" 
> }, 
> { 
>   "name": "parent", 
>   "type": [
> "null",
> "CompositRecord"
>   ]
> } 
>   ] 
> }
> {code}
> The AvroSchemaRegistry (AvroTypeUtil specifically) will fail to parse, and 
> generate a stackoverflow exception.
> I've whipped up a fix, tested it out in 1.4.0, and am just running through 
> the contrib build before I submit a patch.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

[jira] [Commented] (NIFI-4215) Avro schemas with records that have a field of themselves fail to parse, causing stackoverflow exception

[Mark Payne (JIRA)]

[ 
https://issues.apache.org/jira/browse/NIFI-4215?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16108934#comment-16108934
 ] 

Mark Payne commented on NIFI-4215:
--

[~jameswing] [~WesleyLawrence] I have re-opened this ticket because it's caused 
a couple of problems. The AvroTypeUtil class was modified to create a 
SimpleRecordSchema with a SchemaIdentifier of EMPTY instead of creating the 
proper Schema Identifier. This prevents the Schema Writers from having any way 
to write out the Schema Name, Schema Identifier or Schema Version. Also, it 
changed the SimpleRecordSchema so that it is no longer immutable. We need to 
ensure that the class remains immutable, because otherwise it is no longer 
thread-safe. Alternatively, we could add synchronization as appropriate, but I 
would much prefer to avoid this. Making the object immutable is much cleaner in 
my opinion, and results in fewer problems down the road.

> Avro schemas with records that have a field of themselves fail to parse, 
> causing stackoverflow exception
> 
>
> Key: NIFI-4215
> URL: https://issues.apache.org/jira/browse/NIFI-4215
> Project: Apache NiFi
>  Issue Type: Bug
>Affects Versions: 1.4.0
>Reporter: Wesley L Lawrence
>Priority: Minor
> Fix For: 1.4.0
>
> Attachments: nifi-4215.patch
>
>
> Noticed this while attempting to use the AvroSchemaRegsitry with some complex 
> schema. Boiled down, Avro lets you define a schema such as;
> {code}
> { 
>   "namespace": "org.apache.nifi.testing", 
>   "name": "CompositRecord", 
>   "type": "record", 
>   "fields": [ 
> { 
>   "name": "id", 
>   "type": "int" 
> }, 
> { 
>   "name": "value", 
>   "type": "string" 
> }, 
> { 
>   "name": "parent", 
>   "type": [
> "null",
> "CompositRecord"
>   ]
> } 
>   ] 
> }
> {code}
> The AvroSchemaRegistry (AvroTypeUtil specifically) will fail to parse, and 
> generate a stackoverflow exception.
> I've whipped up a fix, tested it out in 1.4.0, and am just running through 
> the contrib build before I submit a patch.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

[jira] [Commented] (NIFI-4249) Modify design of Add Processor dialog to support new processor icons and legal info/disclaimer text

[Rob Moran (JIRA)]

[ 
https://issues.apache.org/jira/browse/NIFI-4249?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16108931#comment-16108931
 ] 

Rob Moran commented on NIFI-4249:
-

Just pasting the disclaimer text seen in the mockup here:

bq. All Apache project logos are trademarks of the Apache Software Foundation. 
All third-party trademarks are the property of their respective owners. 
Third-party trademarks used in this program are for identification purposes 
only. Use of these trademarks does not imply endorsement or affiliation.

> Modify design of Add Processor dialog to support new processor icons and 
> legal info/disclaimer text
> ---
>
> Key: NIFI-4249
> URL: https://issues.apache.org/jira/browse/NIFI-4249
> Project: Apache NiFi
>  Issue Type: Sub-task
>  Components: Core UI
>Reporter: Rob Moran
>Assignee: Rob Moran
>Priority: Minor
> Attachments: add-processor-dialog.png
>
>
> The attached image describes the proposed changes



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

[jira] [Reopened] (NIFI-4215) Avro schemas with records that have a field of themselves fail to parse, causing stackoverflow exception

[Mark Payne (JIRA)]

 [ 
https://issues.apache.org/jira/browse/NIFI-4215?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Mark Payne reopened NIFI-4215:
--

> Avro schemas with records that have a field of themselves fail to parse, 
> causing stackoverflow exception
> 
>
> Key: NIFI-4215
> URL: https://issues.apache.org/jira/browse/NIFI-4215
> Project: Apache NiFi
>  Issue Type: Bug
>Affects Versions: 1.4.0
>Reporter: Wesley L Lawrence
>Priority: Minor
> Fix For: 1.4.0
>
> Attachments: nifi-4215.patch
>
>
> Noticed this while attempting to use the AvroSchemaRegsitry with some complex 
> schema. Boiled down, Avro lets you define a schema such as;
> {code}
> { 
>   "namespace": "org.apache.nifi.testing", 
>   "name": "CompositRecord", 
>   "type": "record", 
>   "fields": [ 
> { 
>   "name": "id", 
>   "type": "int" 
> }, 
> { 
>   "name": "value", 
>   "type": "string" 
> }, 
> { 
>   "name": "parent", 
>   "type": [
> "null",
> "CompositRecord"
>   ]
> } 
>   ] 
> }
> {code}
> The AvroSchemaRegistry (AvroTypeUtil specifically) will fail to parse, and 
> generate a stackoverflow exception.
> I've whipped up a fix, tested it out in 1.4.0, and am just running through 
> the contrib build before I submit a patch.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

[jira] [Updated] (NIFI-4245) OAuth 2 Authorization support - Resource Owner Password Credentials Grant

[Jeremy Dyer (JIRA)]

 [ 
https://issues.apache.org/jira/browse/NIFI-4245?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Jeremy Dyer updated NIFI-4245:
--
Description: 
If your interacting with REST endpoints on the web chances are you are going to 
run into an OAuth2 secured webservice. The IETF (Internet Engineering Task 
Force) defines 4 methods in which OAuth2 authorization can occur. This JIRA is 
focused solely on the Resource Owner Password Credentials Grant method defined 
at https://tools.ietf.org/html/rfc6749#section-4.3

This implementation should provide a ControllerService in which the enduser can 
configure the credentials for obtaining the authorization grant (access token) 
from the resource owner. In turn a new property will be added to the InvokeHTTP 
processor (if it doesn't already exist from one of the other JIRA efforts 
similar to this one) where the processor can reference this controller service 
to obtain the access token and insert the appropriate HTTP header 
(Authorization: Bearer {access_token}) so that the InvokeHTTP processor can 
interact with the OAuth protected resources without having to worry about 
setting up the credentials for each InvokeHTTP processor saving time and 
complexity.

  was:
If your interacting with REST endpoints on the web chances are you are going to 
run into an OAuth2 secured webservice. The IETF (Internet Engineering Task 
Force) defines 4 methods in which OAuth2 authorization can occur. This JIRA is 
focused solely on the Authorization Code Grant method defined at 
https://tools.ietf.org/html/rfc6749#section-4.3

This implementation should provide a ControllerService in which the enduser can 
configure the credentials for obtaining the authorization grant (access token) 
from the resource owner. In turn a new property will be added to the InvokeHTTP 
processor (if it doesn't already exist from one of the other JIRA efforts 
similar to this one) where the processor can reference this controller service 
to obtain the access token and insert the appropriate HTTP header 
(Authorization: Bearer {access_token}) so that the InvokeHTTP processor can 
interact with the OAuth protected resources without having to worry about 
setting up the credentials for each InvokeHTTP processor saving time and 
complexity.


> OAuth 2 Authorization support - Resource Owner Password Credentials Grant
> -
>
> Key: NIFI-4245
> URL: https://issues.apache.org/jira/browse/NIFI-4245
> Project: Apache NiFi
>  Issue Type: Improvement
>Reporter: Jeremy Dyer
>Assignee: Jeremy Dyer
>
> If your interacting with REST endpoints on the web chances are you are going 
> to run into an OAuth2 secured webservice. The IETF (Internet Engineering Task 
> Force) defines 4 methods in which OAuth2 authorization can occur. This JIRA 
> is focused solely on the Resource Owner Password Credentials Grant method 
> defined at https://tools.ietf.org/html/rfc6749#section-4.3
> This implementation should provide a ControllerService in which the enduser 
> can configure the credentials for obtaining the authorization grant (access 
> token) from the resource owner. In turn a new property will be added to the 
> InvokeHTTP processor (if it doesn't already exist from one of the other JIRA 
> efforts similar to this one) where the processor can reference this 
> controller service to obtain the access token and insert the appropriate HTTP 
> header (Authorization: Bearer {access_token}) so that the InvokeHTTP 
> processor can interact with the OAuth protected resources without having to 
> worry about setting up the credentials for each InvokeHTTP processor saving 
> time and complexity.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

[jira] [Updated] (NIFI-4244) OAuth 2 Authorization support - Implicit Grant

[Jeremy Dyer (JIRA)]

 [ 
https://issues.apache.org/jira/browse/NIFI-4244?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Jeremy Dyer updated NIFI-4244:
--
Description: 
If your interacting with REST endpoints on the web chances are you are going to 
run into an OAuth2 secured webservice. The IETF (Internet Engineering Task 
Force) defines 4 methods in which OAuth2 authorization can occur. This JIRA is 
focused solely on the Implicit Grant method defined at 
https://tools.ietf.org/html/rfc6749#section-4.2

This implementation should provide a ControllerService in which the enduser can 
configure the credentials for obtaining the authorization grant (access token) 
from the resource owner. In turn a new property will be added to the InvokeHTTP 
processor (if it doesn't already exist from one of the other JIRA efforts 
similar to this one) where the processor can reference this controller service 
to obtain the access token and insert the appropriate HTTP header 
(Authorization: Bearer {access_token}) so that the InvokeHTTP processor can 
interact with the OAuth protected resources without having to worry about 
setting up the credentials for each InvokeHTTP processor saving time and 
complexity.

  was:
If your interacting with REST endpoints on the web chances are you are going to 
run into an OAuth2 secured webservice. The IETF (Internet Engineering Task 
Force) defines 4 methods in which OAuth2 authorization can occur. This JIRA is 
focused solely on the Authorization Code Grant method defined at 
https://tools.ietf.org/html/rfc6749#section-4.2

This implementation should provide a ControllerService in which the enduser can 
configure the credentials for obtaining the authorization grant (access token) 
from the resource owner. In turn a new property will be added to the InvokeHTTP 
processor (if it doesn't already exist from one of the other JIRA efforts 
similar to this one) where the processor can reference this controller service 
to obtain the access token and insert the appropriate HTTP header 
(Authorization: Bearer {access_token}) so that the InvokeHTTP processor can 
interact with the OAuth protected resources without having to worry about 
setting up the credentials for each InvokeHTTP processor saving time and 
complexity.


> OAuth 2 Authorization support - Implicit Grant
> --
>
> Key: NIFI-4244
> URL: https://issues.apache.org/jira/browse/NIFI-4244
> Project: Apache NiFi
>  Issue Type: Improvement
>Reporter: Jeremy Dyer
>
> If your interacting with REST endpoints on the web chances are you are going 
> to run into an OAuth2 secured webservice. The IETF (Internet Engineering Task 
> Force) defines 4 methods in which OAuth2 authorization can occur. This JIRA 
> is focused solely on the Implicit Grant method defined at 
> https://tools.ietf.org/html/rfc6749#section-4.2
> This implementation should provide a ControllerService in which the enduser 
> can configure the credentials for obtaining the authorization grant (access 
> token) from the resource owner. In turn a new property will be added to the 
> InvokeHTTP processor (if it doesn't already exist from one of the other JIRA 
> efforts similar to this one) where the processor can reference this 
> controller service to obtain the access token and insert the appropriate HTTP 
> header (Authorization: Bearer {access_token}) so that the InvokeHTTP 
> processor can interact with the OAuth protected resources without having to 
> worry about setting up the credentials for each InvokeHTTP processor saving 
> time and complexity.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

[jira] [Updated] (NIFI-4246) OAuth 2 Authorization support - Client Credentials Grant

[Jeremy Dyer (JIRA)]

 [ 
https://issues.apache.org/jira/browse/NIFI-4246?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Jeremy Dyer updated NIFI-4246:
--
Description: 
If your interacting with REST endpoints on the web chances are you are going to 
run into an OAuth2 secured webservice. The IETF (Internet Engineering Task 
Force) defines 4 methods in which OAuth2 authorization can occur. This JIRA is 
focused solely on the Client Credentials Grant method defined at 
https://tools.ietf.org/html/rfc6749#section-4.4

This implementation should provide a ControllerService in which the enduser can 
configure the credentials for obtaining the authorization grant (access token) 
from the resource owner. In turn a new property will be added to the InvokeHTTP 
processor (if it doesn't already exist from one of the other JIRA efforts 
similar to this one) where the processor can reference this controller service 
to obtain the access token and insert the appropriate HTTP header 
(Authorization: Bearer{access_token}) so that the InvokeHTTP processor can 
interact with the OAuth protected resources without having to worry about 
setting up the credentials for each InvokeHTTP processor saving time and 
complexity.

  was:
If your interacting with REST endpoints on the web chances are you are going to 
run into an OAuth2 secured webservice. The IETF (Internet Engineering Task 
Force) defines 4 methods in which OAuth2 authorization can occur. This JIRA is 
focused solely on the Authorization Code Grant method defined at 
https://tools.ietf.org/html/rfc6749#section-4.4

This implementation should provide a ControllerService in which the enduser can 
configure the credentials for obtaining the authorization grant (access token) 
from the resource owner. In turn a new property will be added to the InvokeHTTP 
processor (if it doesn't already exist from one of the other JIRA efforts 
similar to this one) where the processor can reference this controller service 
to obtain the access token and insert the appropriate HTTP header 
(Authorization: Bearer{access_token}) so that the InvokeHTTP processor can 
interact with the OAuth protected resources without having to worry about 
setting up the credentials for each InvokeHTTP processor saving time and 
complexity.


> OAuth 2 Authorization support - Client Credentials Grant
> 
>
> Key: NIFI-4246
> URL: https://issues.apache.org/jira/browse/NIFI-4246
> Project: Apache NiFi
>  Issue Type: Improvement
>Reporter: Jeremy Dyer
>Assignee: Jeremy Dyer
>
> If your interacting with REST endpoints on the web chances are you are going 
> to run into an OAuth2 secured webservice. The IETF (Internet Engineering Task 
> Force) defines 4 methods in which OAuth2 authorization can occur. This JIRA 
> is focused solely on the Client Credentials Grant method defined at 
> https://tools.ietf.org/html/rfc6749#section-4.4
> This implementation should provide a ControllerService in which the enduser 
> can configure the credentials for obtaining the authorization grant (access 
> token) from the resource owner. In turn a new property will be added to the 
> InvokeHTTP processor (if it doesn't already exist from one of the other JIRA 
> efforts similar to this one) where the processor can reference this 
> controller service to obtain the access token and insert the appropriate HTTP 
> header (Authorization: Bearer{access_token}) so that the InvokeHTTP processor 
> can interact with the OAuth protected resources without having to worry about 
> setting up the credentials for each InvokeHTTP processor saving time and 
> complexity.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

[jira] [Commented] (NIFI-4250) Create support for deleting document by id from elasticsearch 5

[ASF GitHub Bot (JIRA)]

[ 
https://issues.apache.org/jira/browse/NIFI-4250?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16108865#comment-16108865
 ] 

ASF GitHub Bot commented on NIFI-4250:
--

GitHub user mans2singh opened a pull request:

https://github.com/apache/nifi/pull/2045

NIFI-4250 - Elasticsearch 5 delete processor

Thank you for submitting a contribution to Apache NiFi.

In order to streamline the review of the contribution we ask you
to ensure the following steps have been taken:

### For all changes:
- [x] Is there a JIRA ticket associated with this PR? Is it referenced 
 in the commit message?

- [x] Does your PR title start with NIFI- where  is the JIRA number 
you are trying to resolve? Pay particular attention to the hyphen "-" character.

- [x] Has your PR been rebased against the latest commit within the target 
branch (typically master)?

- [x] Is your initial contribution a single, squashed commit?

### For code changes:
- [x] Have you ensured that the full suite of tests is executed via mvn 
-Pcontrib-check clean install at the root nifi folder?
- [x] Have you written or updated unit tests to verify your changes?
- [ ] If adding new dependencies to the code, are these dependencies 
licensed in a way that is compatible for inclusion under [ASF 
2.0](http://www.apache.org/legal/resolved.html#category-a)? 
- [ ] If applicable, have you updated the LICENSE file, including the main 
LICENSE file under nifi-assembly?
- [ ] If applicable, have you updated the NOTICE file, including the main 
NOTICE file found under nifi-assembly?
- [x] If adding new Properties, have you added .displayName in addition to 
.name (programmatic access) for each of the new properties?

### For documentation related changes:
- [ ] Have you ensured that format looks appropriate for the output in 
which it is rendered?

### Note:
Please ensure that once the PR is submitted, you check travis-ci for build 
issues and submit an update to your PR as soon as possible.


You can merge this pull request into a Git repository by running:

$ git pull https://github.com/mans2singh/nifi NIFI-4250

Alternatively you can review and apply these changes as the patch at:

https://github.com/apache/nifi/pull/2045.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

This closes #2045


commit ba98d1a4768740fc808b871f9194964a5e6b63ec
Author: mans2singh 
Date:   2017-08-01T13:07:38Z

NIFI-4250 - Elasticsearch 5 delete processor




> Create support for deleting document by id from elasticsearch 5
> ---
>
> Key: NIFI-4250
> URL: https://issues.apache.org/jira/browse/NIFI-4250
> Project: Apache NiFi
>  Issue Type: New Feature
>  Components: Extensions
>Affects Versions: 1.3.0
>Reporter: Mans Singh
>Assignee: Mans Singh
>Priority: Minor
>  Labels: delete, elasticsearch
> Fix For: 1.4.0
>
>
> Create a processor to delete documents from elasticsearch 5 based on document 
> id.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

[GitHub] nifi pull request #2045: NIFI-4250 - Elasticsearch 5 delete processor

[mans2singh]

GitHub user mans2singh opened a pull request:

https://github.com/apache/nifi/pull/2045

NIFI-4250 - Elasticsearch 5 delete processor

Thank you for submitting a contribution to Apache NiFi.

In order to streamline the review of the contribution we ask you
to ensure the following steps have been taken:

### For all changes:
- [x] Is there a JIRA ticket associated with this PR? Is it referenced 
 in the commit message?

- [x] Does your PR title start with NIFI- where  is the JIRA number 
you are trying to resolve? Pay particular attention to the hyphen "-" character.

- [x] Has your PR been rebased against the latest commit within the target 
branch (typically master)?

- [x] Is your initial contribution a single, squashed commit?

### For code changes:
- [x] Have you ensured that the full suite of tests is executed via mvn 
-Pcontrib-check clean install at the root nifi folder?
- [x] Have you written or updated unit tests to verify your changes?
- [ ] If adding new dependencies to the code, are these dependencies 
licensed in a way that is compatible for inclusion under [ASF 
2.0](http://www.apache.org/legal/resolved.html#category-a)? 
- [ ] If applicable, have you updated the LICENSE file, including the main 
LICENSE file under nifi-assembly?
- [ ] If applicable, have you updated the NOTICE file, including the main 
NOTICE file found under nifi-assembly?
- [x] If adding new Properties, have you added .displayName in addition to 
.name (programmatic access) for each of the new properties?

### For documentation related changes:
- [ ] Have you ensured that format looks appropriate for the output in 
which it is rendered?

### Note:
Please ensure that once the PR is submitted, you check travis-ci for build 
issues and submit an update to your PR as soon as possible.


You can merge this pull request into a Git repository by running:

$ git pull https://github.com/mans2singh/nifi NIFI-4250

Alternatively you can review and apply these changes as the patch at:

https://github.com/apache/nifi/pull/2045.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

This closes #2045


commit ba98d1a4768740fc808b871f9194964a5e6b63ec
Author: mans2singh 
Date:   2017-08-01T13:07:38Z

NIFI-4250 - Elasticsearch 5 delete processor




---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastruct...@apache.org or file a JIRA ticket
with INFRA.
---

[jira] [Created] (NIFI-4250) Create support for deleting document by id from elasticsearch 5

[Mans Singh (JIRA)]

Mans Singh created NIFI-4250:


 Summary: Create support for deleting document by id from 
elasticsearch 5
 Key: NIFI-4250
 URL: https://issues.apache.org/jira/browse/NIFI-4250
 Project: Apache NiFi
  Issue Type: New Feature
  Components: Extensions
Affects Versions: 1.3.0
Reporter: Mans Singh
Assignee: Mans Singh
Priority: Minor
 Fix For: 1.4.0


Create a processor to delete documents from elasticsearch 5 based on document 
id.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

[jira] [Updated] (NIFI-4249) Modify design of Add Processor dialog to support new processor icons and legal info/disclaimer text

[Rob Moran (JIRA)]

 [ 
https://issues.apache.org/jira/browse/NIFI-4249?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Rob Moran updated NIFI-4249:

Attachment: add-processor-dialog.png

> Modify design of Add Processor dialog to support new processor icons and 
> legal info/disclaimer text
> ---
>
> Key: NIFI-4249
> URL: https://issues.apache.org/jira/browse/NIFI-4249
> Project: Apache NiFi
>  Issue Type: Sub-task
>  Components: Core UI
>Reporter: Rob Moran
>Assignee: Rob Moran
>Priority: Minor
> Attachments: add-processor-dialog.png
>
>
> The attached image describes the proposed changes



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

[jira] [Created] (NIFI-4249) Modify design of Add Processor dialog to support new processor icons and legal info/disclaimer text

[Rob Moran (JIRA)]

Rob Moran created NIFI-4249:
---

 Summary: Modify design of Add Processor dialog to support new 
processor icons and legal info/disclaimer text
 Key: NIFI-4249
 URL: https://issues.apache.org/jira/browse/NIFI-4249
 Project: Apache NiFi
  Issue Type: Sub-task
  Components: Core UI
Reporter: Rob Moran
Assignee: Rob Moran
Priority: Minor


The attached image describes the proposed changes



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

[GitHub] nifi-minifi pull request #81: MINIFI-276: Adds S3ChangeIngestor.

[jzonthemtn]

Github user jzonthemtn closed the pull request at:

https://github.com/apache/nifi-minifi/pull/81


---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastruct...@apache.org or file a JIRA ticket
with INFRA.
---

[GitHub] nifi-minifi pull request #88: MINIFI-347: Adding tests for C2 file system ca...

[jzonthemtn]

Github user jzonthemtn commented on a diff in the pull request:

https://github.com/apache/nifi-minifi/pull/88#discussion_r130586242
  
--- Diff: minifi-assembly/NOTICE ---
@@ -681,6 +681,14 @@ The following binary components are provided under the 
Common Development and Di
 (CDDL 1.0) (GPL3) Streaming API For XML 
(javax.xml.stream:stax-api:jar:1.0-2 - no url provided)
 
 
+Common Public License 1.0
+
+
+The following binary components are provided under the Common Public 
License Version 1.0.  See project link for details.
--- End diff --

Good catch -- I agree with you. I will remove that notice.


---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastruct...@apache.org or file a JIRA ticket
with INFRA.
---

[jira] [Commented] (NIFI-4015) DeleteSQS Throws Exception Deleting Message

[ASF GitHub Bot (JIRA)]

[ 
https://issues.apache.org/jira/browse/NIFI-4015?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16108733#comment-16108733
 ] 

ASF GitHub Bot commented on NIFI-4015:
--

Github user jzonthemtn commented on a diff in the pull request:

https://github.com/apache/nifi/pull/1888#discussion_r130582495
  
--- Diff: 
nifi-nar-bundles/nifi-aws-bundle/nifi-aws-processors/src/test/java/org/apache/nifi/processors/aws/sqs/ITDeleteSQS.java
 ---
@@ -0,0 +1,83 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.nifi.processors.aws.sqs;
+
+import java.io.File;
+import java.io.IOException;
+import java.util.HashMap;
+import java.util.Map;
+
+import com.amazonaws.regions.Regions;
+import com.amazonaws.services.sqs.model.Message;
+import com.amazonaws.services.sqs.model.ReceiveMessageResult;
+import com.amazonaws.services.sqs.model.SendMessageResult;
+import org.apache.nifi.util.TestRunner;
+import org.apache.nifi.util.TestRunners;
+
+import com.amazonaws.auth.PropertiesCredentials;
+import com.amazonaws.services.sqs.AmazonSQSClient;
+
+import org.junit.Before;
+import org.junit.Ignore;
+import org.junit.Test;
+
+import static org.junit.Assert.assertEquals;
+
+
+@Ignore("For local testing only - interacts with S3 so the credentials 
file must be configured and all necessary queues created")
+public class ITDeleteSQS {
+
+private final String CREDENTIALS_FILE = 
System.getProperty("user.home") + "/aws-credentials.properties";
--- End diff --

I think it's fine as is after reading your comment. I didn't realize most 
of the integration tests use a properties file. No reason to break from that 
norm in this case. That's a good point about requiring separate credentials to 
prevent anything unintended from happening.


> DeleteSQS Throws Exception Deleting Message
> ---
>
> Key: NIFI-4015
> URL: https://issues.apache.org/jira/browse/NIFI-4015
> Project: Apache NiFi
>  Issue Type: Bug
>Affects Versions: 1.2.0
>Reporter: James Wing
>Assignee: James Wing
>Priority: Minor
>
> While attempting to delete a message from an SQS queue, DeleteSQS throws the 
> following exception:
> {quote}
> DeleteSQS[id=6197f269-015c-1000-9317-818c01162722] Failed to delete 1 objects 
> from SQS due to com.amazonaws.services.sqs.model.AmazonSQSException: The 
> request must contain the parameter DeleteMessageBatchRequestEntry.1.Id. 
> (Service: AmazonSQS; Status Code: 400; Error Code: MissingParameter; Request 
> ID: eea76d96-a07d-5406-9838-3c3f26575223): 
> com.amazonaws.services.sqs.model.AmazonSQSException: The request must contain 
> the parameter DeleteMessageBatchRequestEntry.1.Id. (Service: AmazonSQS; 
> Status Code: 400; Error Code: MissingParameter; Request ID: 
> eea76d96-a07d-5406-9838-3c3f26575223)
> {quote}



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

[jira] [Comment Edited] (NIFI-4241) ListSFTP node in Nifi cluster is sending warnings for unreachable peers

[Frank Thiele (JIRA)]

[ 
https://issues.apache.org/jira/browse/NIFI-4241?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16106861#comment-16106861
 ] 

Frank Thiele edited comment on NIFI-4241 at 8/1/17 7:29 AM:


Also had this exception:
{code}
2017-07-31 06:25:28,522 ERROR [StandardProcessScheduler Thread-6] 
org.apache.nifi.engine.FlowEngine A flow controller task execution stopped 
abnormally
java.util.concurrent.ExecutionException: 
java.lang.reflect.InvocationTargetException
at java.util.concurrent.FutureTask.report(FutureTask.java:122)
at java.util.concurrent.FutureTask.get(FutureTask.java:192)
at org.apache.nifi.engine.FlowEngine.afterExecute(FlowEngine.java:100)
at 
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1150)
at 
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at java.lang.Thread.run(Thread.java:748)
Caused by: java.lang.reflect.InvocationTargetException: null
at sun.reflect.GeneratedMethodAccessor185.invoke(Unknown Source)
at 
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at 
org.apache.nifi.util.ReflectionUtils.invokeMethodsWithAnnotations(ReflectionUtils.java:137)
at 
org.apache.nifi.util.ReflectionUtils.invokeMethodsWithAnnotations(ReflectionUtils.java:125)
at 
org.apache.nifi.util.ReflectionUtils.invokeMethodsWithAnnotations(ReflectionUtils.java:70)
at 
org.apache.nifi.util.ReflectionUtils.invokeMethodsWithAnnotation(ReflectionUtils.java:47)
at 
org.apache.nifi.controller.StandardProcessorNode$1$1.call(StandardProcessorNode.java:1307)
at 
org.apache.nifi.controller.StandardProcessorNode$1$1.call(StandardProcessorNode.java:1303)
at java.util.concurrent.FutureTask.run(FutureTask.java:266)
at 
java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$201(ScheduledThreadPoolExecutor.java:180)
at 
java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:293)
at 
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
... 2 common frames omitted
Caused by: java.io.IOException: Failed to obtain value from ZooKeeper for 
component with ID 9716842f-015d-1000--7de55c99 with exception code 
CONNECTIONLOSS
at 
org.apache.nifi.controller.state.providers.zookeeper.ZooKeeperStateProvider.getState(ZooKeeperStateProvider.java:420)
at 
org.apache.nifi.controller.state.StandardStateManager.getState(StandardStateManager.java:63)
at 
org.apache.nifi.processor.util.list.AbstractListProcessor.updateState(AbstractListProcessor.java:199)
... 15 common frames omitted
Caused by: org.apache.zookeeper.KeeperException$ConnectionLossException: 
KeeperErrorCode = ConnectionLoss for 
/nifi/components/9716842f-015d-1000--7de55c99
at org.apache.zookeeper.KeeperException.create(KeeperException.java:99)
at org.apache.zookeeper.KeeperException.create(KeeperException.java:51)
at org.apache.zookeeper.ZooKeeper.getData(ZooKeeper.java:1155)
at org.apache.zookeeper.ZooKeeper.getData(ZooKeeper.java:1184)
at 
org.apache.nifi.controller.state.providers.zookeeper.ZooKeeperStateProvider.getState(ZooKeeperStateProvider.java:403)
... 17 common frames omitted
2017-07-31 06:25:28,523 ERROR [StandardProcessScheduler Thread-5] 
o.a.nifi.processors.standard.ListSFTP 
ListSFTP[id=9716842f-015d-1000--7de55c99] 
ListSFTP[id=9716842f-015d-1000--7de55c99] failed to invoke @OnScheduled 
method due to java.lang.RuntimeException: Failed while executing one of 
processor's OnScheduled task.; processor will not be scheduled to run for 30 
seconds: java.lang.RuntimeException: Failed while executing one of processor's 
OnScheduled task.
java.lang.RuntimeException: Failed while executing one of processor's 
OnScheduled task.
at 
org.apache.nifi.controller.StandardProcessorNode.invokeTaskAsCancelableFuture(StandardProcessorNode.java:1482)
at 
org.apache.nifi.controller.StandardProcessorNode.access$000(StandardProcessorNode.java:102)
at 
org.apache.nifi.controller.StandardProcessorNode$1.run(StandardProcessorNode.java:1303)
at 
java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
at java.util.concurrent.FutureTask.run(FutureTask.java:266)
at 
java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$201(ScheduledThreadPoolExecutor.java:180)
at 
java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:293)
at 
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at 

[jira] [Updated] (NIFI-4241) ListSFTP node in Nifi cluster is sending warnings for unreachable peers

[Frank Thiele (JIRA)]

 [ 
https://issues.apache.org/jira/browse/NIFI-4241?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Frank Thiele updated NIFI-4241:
---
Priority: Minor  (was: Major)

> ListSFTP node in Nifi cluster is sending warnings for unreachable peers
> ---
>
> Key: NIFI-4241
> URL: https://issues.apache.org/jira/browse/NIFI-4241
> Project: Apache NiFi
>  Issue Type: Bug
>Affects Versions: 1.3.0
> Environment: Docker container within VM:
> docker@myvm5:~$ uname -a
> Linux myvm5 4.4.74-boot2docker #1 SMP Mon Jun 26 18:01:14 UTC 2017 x86_64 
> GNU/Linux
>Reporter: Frank Thiele
>Priority: Minor
> Attachments: cluster.png, flow.xml, Overview.png
>
>
> I have setup a small cluster with 3 nodes nifi1:8080, nifi2:8081 and 
> nifi3:8082.
> When I configure a ListSFTP processor and run it, the following warning comes 
> up:
> {code}
> 2017-07-31 06:25:05,763 INFO [Clustering Tasks Thread-2] 
> o.a.n.c.c.ClusterProtocolHeartbeater Heartbeat created at 2017-07-31 
> 06:25:05,754 and sent to nifi1:10600 at 2017-07-31 06:25:05,763; send took 9 
> millis
> 2017-07-31 06:25:07,947 WARN [Http Site-to-Site PeerSelector] 
> o.apache.nifi.remote.client.PeerSelector Could not communicate with 
> nifi1:8081 to determine which nodes exist in the remote NiFi cluster, due to 
> org.apache.http.conn.HttpHostConnectException: Connect to nifi1:8081 
> [nifi1/10.0.0.32] failed: Connection refused (Connection refused)
> 2017-07-31 06:25:07,947 WARN [Http Site-to-Site PeerSelector] 
> o.apache.nifi.remote.client.PeerSelector 
> org.apache.nifi.remote.client.PeerSelector@4516d212 Unable to refresh Remote 
> Group's peers due to Unable to communicate with remote NiFi cluster in order 
> to determine which nodes exist in the remote cluster
> 2017-07-31 06:25:10,775 INFO [Clustering Tasks Thread-1] 
> o.a.n.c.c.ClusterProtocolHeartbeater Heartbeat created at 2017-07-31 
> 06:25:10,764 and sent to nifi1:10600 at 2017-07-31 06:25:10,775; send took 10 
> millis
> 2017-07-31 06:25:12,951 WARN [Http Site-to-Site PeerSelector] 
> o.apache.nifi.remote.client.PeerSelector Could not communicate with 
> nifi1:8081 to determine which nodes exist in the remote NiFi cluster, due to 
> org.apache.http.conn.HttpHostConnectException: Connect to nifi1:8081 
> [nifi1/10.0.0.32] failed: Connection refused (Connection refused)
> 2017-07-31 06:25:12,951 WARN [Http Site-to-Site PeerSelector] 
> o.apache.nifi.remote.client.PeerSelector 
> org.apache.nifi.remote.client.PeerSelector@4516d212 Unable to refresh Remote 
> Group's peers due to Unable to communicate with remote NiFi cluster in order 
> to determine which nodes exist in the remote cluster
> 2017-07-31 06:25:15,781 INFO [Clustering Tasks Thread-3] 
> o.a.n.c.c.ClusterProtocolHeartbeater Heartbeat created at 2017-07-31 
> 06:25:15,775 and sent to nifi1:10600 at 2017-07-31 06:25:15,781; send took 5 
> millis
> 2017-07-31 06:25:17,954 WARN [Http Site-to-Site PeerSelector] 
> o.apache.nifi.remote.client.PeerSelector Could not communicate with 
> nifi1:8081 to determine which nodes exist in the remote NiFi cluster, due to 
> org.apache.http.conn.HttpHostConnectException: Connect to nifi1:8081 
> [nifi1/10.0.0.32] failed: Connection refused (Connection refused)
> 2017-07-31 06:25:17,955 WARN [Http Site-to-Site PeerSelector] 
> o.apache.nifi.remote.client.PeerSelector 
> org.apache.nifi.remote.client.PeerSelector@4516d212 Unable to refresh Remote 
> Group's peers due to Unable to communicate with remote NiFi cluster in order 
> to determine which nodes exist in the remote cluster
> 2017-07-31 06:25:20,790 INFO [Clustering Tasks Thread-2] 
> o.a.n.c.c.ClusterProtocolHeartbeater Heartbeat created at 2017-07-31 
> 06:25:20,782 and sent to nifi1:10600 at 2017-07-31 06:25:20,790; send took 7 
> millis
> 2017-07-31 06:25:22,959 WARN [Http Site-to-Site PeerSelector] 
> o.apache.nifi.remote.client.PeerSelector Could not communicate with 
> nifi1:8081 to determine which nodes exist in the remote NiFi cluster, due to 
> org.apache.http.conn.HttpHostConnectException: Connect to nifi1:8081 
> [nifi1/10.0.0.32] failed: Connection refused (Connection refused)
> 2017-07-31 06:25:22,959 WARN [Http Site-to-Site PeerSelector] 
> o.apache.nifi.remote.client.PeerSelector 
> org.apache.nifi.remote.client.PeerSelector@4516d212 Unable to refresh Remote 
> Group's peers due to Unable to communicate with remote NiFi cluster in order 
> to determine which nodes exist in the remote cluster
> 2017-07-31 06:25:25,798 INFO [Clustering Tasks Thread-1] 
> o.a.n.c.c.ClusterProtocolHeartbeater Heartbeat created at 2017-07-31 
> 06:25:25,790 and sent to nifi1:10600 at 2017-07-31 06:25:25,798; send took 6 
> millis
> 2017-07-31 06:25:27,962 WARN [Http Site-to-Site PeerSelector] 
> o.apache.nifi.remote.client.PeerSelector Could not 

[jira] [Updated] (NIFI-4241) ListSFTP node in Nifi cluster is sending warnings for unreachable peers

[Frank Thiele (JIRA)]

 [ 
https://issues.apache.org/jira/browse/NIFI-4241?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Frank Thiele updated NIFI-4241:
---
Description: 
I have setup a small cluster with 3 nodes nifi1:8080, nifi2:8081 and nifi3:8082.
When I configure a ListSFTP processor and run it, the following warning comes 
up:

{code}
2017-07-31 06:25:05,763 INFO [Clustering Tasks Thread-2] 
o.a.n.c.c.ClusterProtocolHeartbeater Heartbeat created at 2017-07-31 
06:25:05,754 and sent to nifi1:10600 at 2017-07-31 06:25:05,763; send took 9 
millis
2017-07-31 06:25:07,947 WARN [Http Site-to-Site PeerSelector] 
o.apache.nifi.remote.client.PeerSelector Could not communicate with nifi1:8081 
to determine which nodes exist in the remote NiFi cluster, due to 
org.apache.http.conn.HttpHostConnectException: Connect to nifi1:8081 
[nifi1/10.0.0.32] failed: Connection refused (Connection refused)
2017-07-31 06:25:07,947 WARN [Http Site-to-Site PeerSelector] 
o.apache.nifi.remote.client.PeerSelector 
org.apache.nifi.remote.client.PeerSelector@4516d212 Unable to refresh Remote 
Group's peers due to Unable to communicate with remote NiFi cluster in order to 
determine which nodes exist in the remote cluster
2017-07-31 06:25:10,775 INFO [Clustering Tasks Thread-1] 
o.a.n.c.c.ClusterProtocolHeartbeater Heartbeat created at 2017-07-31 
06:25:10,764 and sent to nifi1:10600 at 2017-07-31 06:25:10,775; send took 10 
millis
2017-07-31 06:25:12,951 WARN [Http Site-to-Site PeerSelector] 
o.apache.nifi.remote.client.PeerSelector Could not communicate with nifi1:8081 
to determine which nodes exist in the remote NiFi cluster, due to 
org.apache.http.conn.HttpHostConnectException: Connect to nifi1:8081 
[nifi1/10.0.0.32] failed: Connection refused (Connection refused)
2017-07-31 06:25:12,951 WARN [Http Site-to-Site PeerSelector] 
o.apache.nifi.remote.client.PeerSelector 
org.apache.nifi.remote.client.PeerSelector@4516d212 Unable to refresh Remote 
Group's peers due to Unable to communicate with remote NiFi cluster in order to 
determine which nodes exist in the remote cluster
2017-07-31 06:25:15,781 INFO [Clustering Tasks Thread-3] 
o.a.n.c.c.ClusterProtocolHeartbeater Heartbeat created at 2017-07-31 
06:25:15,775 and sent to nifi1:10600 at 2017-07-31 06:25:15,781; send took 5 
millis
2017-07-31 06:25:17,954 WARN [Http Site-to-Site PeerSelector] 
o.apache.nifi.remote.client.PeerSelector Could not communicate with nifi1:8081 
to determine which nodes exist in the remote NiFi cluster, due to 
org.apache.http.conn.HttpHostConnectException: Connect to nifi1:8081 
[nifi1/10.0.0.32] failed: Connection refused (Connection refused)
2017-07-31 06:25:17,955 WARN [Http Site-to-Site PeerSelector] 
o.apache.nifi.remote.client.PeerSelector 
org.apache.nifi.remote.client.PeerSelector@4516d212 Unable to refresh Remote 
Group's peers due to Unable to communicate with remote NiFi cluster in order to 
determine which nodes exist in the remote cluster
2017-07-31 06:25:20,790 INFO [Clustering Tasks Thread-2] 
o.a.n.c.c.ClusterProtocolHeartbeater Heartbeat created at 2017-07-31 
06:25:20,782 and sent to nifi1:10600 at 2017-07-31 06:25:20,790; send took 7 
millis
2017-07-31 06:25:22,959 WARN [Http Site-to-Site PeerSelector] 
o.apache.nifi.remote.client.PeerSelector Could not communicate with nifi1:8081 
to determine which nodes exist in the remote NiFi cluster, due to 
org.apache.http.conn.HttpHostConnectException: Connect to nifi1:8081 
[nifi1/10.0.0.32] failed: Connection refused (Connection refused)
2017-07-31 06:25:22,959 WARN [Http Site-to-Site PeerSelector] 
o.apache.nifi.remote.client.PeerSelector 
org.apache.nifi.remote.client.PeerSelector@4516d212 Unable to refresh Remote 
Group's peers due to Unable to communicate with remote NiFi cluster in order to 
determine which nodes exist in the remote cluster
2017-07-31 06:25:25,798 INFO [Clustering Tasks Thread-1] 
o.a.n.c.c.ClusterProtocolHeartbeater Heartbeat created at 2017-07-31 
06:25:25,790 and sent to nifi1:10600 at 2017-07-31 06:25:25,798; send took 6 
millis
2017-07-31 06:25:27,962 WARN [Http Site-to-Site PeerSelector] 
o.apache.nifi.remote.client.PeerSelector Could not communicate with nifi1:8081 
to determine which nodes exist in the remote NiFi cluster, due to 
org.apache.http.conn.HttpHostConnectException: Connect to nifi1:8081 
[nifi1/10.0.0.32] failed: Connection refused (Connection refused)
2017-07-31 06:25:27,962 WARN [Http Site-to-Site PeerSelector] 
o.apache.nifi.remote.client.PeerSelector 
org.apache.nifi.remote.client.PeerSelector@4516d212 Unable to refresh Remote 
Group's peers due to Unable to communicate with remote NiFi cluster in order to 
determine which nodes exist in the remote cluster
{code}

This is unexpected as the node address is wrong -- it should be nifi1:8080 
instead of nifi1:8082 (being the port of the local machine I have taken the 
warning from). The same error I can see in the logs of nifi2 (for peer 
"nifi1:8081").

  

[jira] [Updated] (NIFI-4241) ListSFTP node in Nifi cluster is sending warnings for unreachable peers

[Frank Thiele (JIRA)]

 [ 
https://issues.apache.org/jira/browse/NIFI-4241?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Frank Thiele updated NIFI-4241:
---
Summary: ListSFTP node in Nifi cluster is sending warnings for unreachable 
peers  (was: ListSFTP node in cluster is sending warnings for unreachable peers)

> ListSFTP node in Nifi cluster is sending warnings for unreachable peers
> ---
>
> Key: NIFI-4241
> URL: https://issues.apache.org/jira/browse/NIFI-4241
> Project: Apache NiFi
>  Issue Type: Bug
>Affects Versions: 1.3.0
> Environment: Docker container within VM:
> docker@myvm5:~$ uname -a
> Linux myvm5 4.4.74-boot2docker #1 SMP Mon Jun 26 18:01:14 UTC 2017 x86_64 
> GNU/Linux
>Reporter: Frank Thiele
> Attachments: cluster.png, flow.xml, Overview.png
>
>
> I have setup a small cluster with 3 nodes nifi1:8080, nifi2:8081 and 
> nifi3:8082.
> When I configure a ListSFTP processor and run it, the following exception 
> comes up:
> {code}
> 2017-07-31 06:25:28,522 ERROR [StandardProcessScheduler Thread-6] 
> org.apache.nifi.engine.FlowEngine A flow controller task execution stopped 
> abnormally
> java.util.concurrent.ExecutionException: 
> java.lang.reflect.InvocationTargetException
>   at java.util.concurrent.FutureTask.report(FutureTask.java:122)
>   at java.util.concurrent.FutureTask.get(FutureTask.java:192)
>   at org.apache.nifi.engine.FlowEngine.afterExecute(FlowEngine.java:100)
>   at 
> java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1150)
>   at 
> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
>   at java.lang.Thread.run(Thread.java:748)
> Caused by: java.lang.reflect.InvocationTargetException: null
>   at sun.reflect.GeneratedMethodAccessor185.invoke(Unknown Source)
>   at 
> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>   at java.lang.reflect.Method.invoke(Method.java:498)
>   at 
> org.apache.nifi.util.ReflectionUtils.invokeMethodsWithAnnotations(ReflectionUtils.java:137)
>   at 
> org.apache.nifi.util.ReflectionUtils.invokeMethodsWithAnnotations(ReflectionUtils.java:125)
>   at 
> org.apache.nifi.util.ReflectionUtils.invokeMethodsWithAnnotations(ReflectionUtils.java:70)
>   at 
> org.apache.nifi.util.ReflectionUtils.invokeMethodsWithAnnotation(ReflectionUtils.java:47)
>   at 
> org.apache.nifi.controller.StandardProcessorNode$1$1.call(StandardProcessorNode.java:1307)
>   at 
> org.apache.nifi.controller.StandardProcessorNode$1$1.call(StandardProcessorNode.java:1303)
>   at java.util.concurrent.FutureTask.run(FutureTask.java:266)
>   at 
> java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$201(ScheduledThreadPoolExecutor.java:180)
>   at 
> java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:293)
>   at 
> java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
>   ... 2 common frames omitted
> Caused by: java.io.IOException: Failed to obtain value from ZooKeeper for 
> component with ID 9716842f-015d-1000--7de55c99 with exception code 
> CONNECTIONLOSS
>   at 
> org.apache.nifi.controller.state.providers.zookeeper.ZooKeeperStateProvider.getState(ZooKeeperStateProvider.java:420)
>   at 
> org.apache.nifi.controller.state.StandardStateManager.getState(StandardStateManager.java:63)
>   at 
> org.apache.nifi.processor.util.list.AbstractListProcessor.updateState(AbstractListProcessor.java:199)
>   ... 15 common frames omitted
> Caused by: org.apache.zookeeper.KeeperException$ConnectionLossException: 
> KeeperErrorCode = ConnectionLoss for 
> /nifi/components/9716842f-015d-1000--7de55c99
>   at org.apache.zookeeper.KeeperException.create(KeeperException.java:99)
>   at org.apache.zookeeper.KeeperException.create(KeeperException.java:51)
>   at org.apache.zookeeper.ZooKeeper.getData(ZooKeeper.java:1155)
>   at org.apache.zookeeper.ZooKeeper.getData(ZooKeeper.java:1184)
>   at 
> org.apache.nifi.controller.state.providers.zookeeper.ZooKeeperStateProvider.getState(ZooKeeperStateProvider.java:403)
>   ... 17 common frames omitted
> 2017-07-31 06:25:28,523 ERROR [StandardProcessScheduler Thread-5] 
> o.a.nifi.processors.standard.ListSFTP 
> ListSFTP[id=9716842f-015d-1000--7de55c99] 
> ListSFTP[id=9716842f-015d-1000--7de55c99] failed to invoke 
> @OnScheduled method due to java.lang.RuntimeException: Failed while executing 
> one of processor's OnScheduled task.; processor will not be scheduled to run 
> for 30 seconds: java.lang.RuntimeException: Failed while executing one of 
> processor's OnScheduled task.
> java.lang.RuntimeException: Failed while executing 

[jira] [Updated] (NIFI-4241) ListSFTP node in cluster is sending warnings for unreachable peers

[Frank Thiele (JIRA)]

 [ 
https://issues.apache.org/jira/browse/NIFI-4241?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Frank Thiele updated NIFI-4241:
---
Summary: ListSFTP node in cluster is sending warnings for unreachable peers 
 (was: ListSFTP node in cluster is not coming up)

> ListSFTP node in cluster is sending warnings for unreachable peers
> --
>
> Key: NIFI-4241
> URL: https://issues.apache.org/jira/browse/NIFI-4241
> Project: Apache NiFi
>  Issue Type: Bug
>Affects Versions: 1.3.0
> Environment: Docker container within VM:
> docker@myvm5:~$ uname -a
> Linux myvm5 4.4.74-boot2docker #1 SMP Mon Jun 26 18:01:14 UTC 2017 x86_64 
> GNU/Linux
>Reporter: Frank Thiele
> Attachments: cluster.png, flow.xml, Overview.png
>
>
> I have setup a small cluster with 3 nodes nifi1:8080, nifi2:8081 and 
> nifi3:8082.
> When I configure a ListSFTP processor and run it, the following exception 
> comes up:
> {code}
> 2017-07-31 06:25:28,522 ERROR [StandardProcessScheduler Thread-6] 
> org.apache.nifi.engine.FlowEngine A flow controller task execution stopped 
> abnormally
> java.util.concurrent.ExecutionException: 
> java.lang.reflect.InvocationTargetException
>   at java.util.concurrent.FutureTask.report(FutureTask.java:122)
>   at java.util.concurrent.FutureTask.get(FutureTask.java:192)
>   at org.apache.nifi.engine.FlowEngine.afterExecute(FlowEngine.java:100)
>   at 
> java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1150)
>   at 
> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
>   at java.lang.Thread.run(Thread.java:748)
> Caused by: java.lang.reflect.InvocationTargetException: null
>   at sun.reflect.GeneratedMethodAccessor185.invoke(Unknown Source)
>   at 
> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>   at java.lang.reflect.Method.invoke(Method.java:498)
>   at 
> org.apache.nifi.util.ReflectionUtils.invokeMethodsWithAnnotations(ReflectionUtils.java:137)
>   at 
> org.apache.nifi.util.ReflectionUtils.invokeMethodsWithAnnotations(ReflectionUtils.java:125)
>   at 
> org.apache.nifi.util.ReflectionUtils.invokeMethodsWithAnnotations(ReflectionUtils.java:70)
>   at 
> org.apache.nifi.util.ReflectionUtils.invokeMethodsWithAnnotation(ReflectionUtils.java:47)
>   at 
> org.apache.nifi.controller.StandardProcessorNode$1$1.call(StandardProcessorNode.java:1307)
>   at 
> org.apache.nifi.controller.StandardProcessorNode$1$1.call(StandardProcessorNode.java:1303)
>   at java.util.concurrent.FutureTask.run(FutureTask.java:266)
>   at 
> java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$201(ScheduledThreadPoolExecutor.java:180)
>   at 
> java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:293)
>   at 
> java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
>   ... 2 common frames omitted
> Caused by: java.io.IOException: Failed to obtain value from ZooKeeper for 
> component with ID 9716842f-015d-1000--7de55c99 with exception code 
> CONNECTIONLOSS
>   at 
> org.apache.nifi.controller.state.providers.zookeeper.ZooKeeperStateProvider.getState(ZooKeeperStateProvider.java:420)
>   at 
> org.apache.nifi.controller.state.StandardStateManager.getState(StandardStateManager.java:63)
>   at 
> org.apache.nifi.processor.util.list.AbstractListProcessor.updateState(AbstractListProcessor.java:199)
>   ... 15 common frames omitted
> Caused by: org.apache.zookeeper.KeeperException$ConnectionLossException: 
> KeeperErrorCode = ConnectionLoss for 
> /nifi/components/9716842f-015d-1000--7de55c99
>   at org.apache.zookeeper.KeeperException.create(KeeperException.java:99)
>   at org.apache.zookeeper.KeeperException.create(KeeperException.java:51)
>   at org.apache.zookeeper.ZooKeeper.getData(ZooKeeper.java:1155)
>   at org.apache.zookeeper.ZooKeeper.getData(ZooKeeper.java:1184)
>   at 
> org.apache.nifi.controller.state.providers.zookeeper.ZooKeeperStateProvider.getState(ZooKeeperStateProvider.java:403)
>   ... 17 common frames omitted
> 2017-07-31 06:25:28,523 ERROR [StandardProcessScheduler Thread-5] 
> o.a.nifi.processors.standard.ListSFTP 
> ListSFTP[id=9716842f-015d-1000--7de55c99] 
> ListSFTP[id=9716842f-015d-1000--7de55c99] failed to invoke 
> @OnScheduled method due to java.lang.RuntimeException: Failed while executing 
> one of processor's OnScheduled task.; processor will not be scheduled to run 
> for 30 seconds: java.lang.RuntimeException: Failed while executing one of 
> processor's OnScheduled task.
> java.lang.RuntimeException: Failed while executing one of processor's 
> OnScheduled task.

[jira] [Commented] (NIFI-4241) ListSFTP node in cluster is not coming up

[Frank Thiele (JIRA)]

[ 
https://issues.apache.org/jira/browse/NIFI-4241?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16108511#comment-16108511
 ] 

Frank Thiele commented on NIFI-4241:


This helped. Due to that I have adapted the ticket description.

> ListSFTP node in cluster is not coming up
> -
>
> Key: NIFI-4241
> URL: https://issues.apache.org/jira/browse/NIFI-4241
> Project: Apache NiFi
>  Issue Type: Bug
>Affects Versions: 1.3.0
> Environment: Docker container within VM:
> docker@myvm5:~$ uname -a
> Linux myvm5 4.4.74-boot2docker #1 SMP Mon Jun 26 18:01:14 UTC 2017 x86_64 
> GNU/Linux
>Reporter: Frank Thiele
> Attachments: cluster.png, flow.xml, Overview.png
>
>
> I have setup a small cluster with 3 nodes nifi1:8080, nifi2:8081 and 
> nifi3:8082.
> When I configure a ListSFTP processor and run it, the following exception 
> comes up:
> {code}
> 2017-07-31 06:25:28,522 ERROR [StandardProcessScheduler Thread-6] 
> org.apache.nifi.engine.FlowEngine A flow controller task execution stopped 
> abnormally
> java.util.concurrent.ExecutionException: 
> java.lang.reflect.InvocationTargetException
>   at java.util.concurrent.FutureTask.report(FutureTask.java:122)
>   at java.util.concurrent.FutureTask.get(FutureTask.java:192)
>   at org.apache.nifi.engine.FlowEngine.afterExecute(FlowEngine.java:100)
>   at 
> java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1150)
>   at 
> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
>   at java.lang.Thread.run(Thread.java:748)
> Caused by: java.lang.reflect.InvocationTargetException: null
>   at sun.reflect.GeneratedMethodAccessor185.invoke(Unknown Source)
>   at 
> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>   at java.lang.reflect.Method.invoke(Method.java:498)
>   at 
> org.apache.nifi.util.ReflectionUtils.invokeMethodsWithAnnotations(ReflectionUtils.java:137)
>   at 
> org.apache.nifi.util.ReflectionUtils.invokeMethodsWithAnnotations(ReflectionUtils.java:125)
>   at 
> org.apache.nifi.util.ReflectionUtils.invokeMethodsWithAnnotations(ReflectionUtils.java:70)
>   at 
> org.apache.nifi.util.ReflectionUtils.invokeMethodsWithAnnotation(ReflectionUtils.java:47)
>   at 
> org.apache.nifi.controller.StandardProcessorNode$1$1.call(StandardProcessorNode.java:1307)
>   at 
> org.apache.nifi.controller.StandardProcessorNode$1$1.call(StandardProcessorNode.java:1303)
>   at java.util.concurrent.FutureTask.run(FutureTask.java:266)
>   at 
> java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$201(ScheduledThreadPoolExecutor.java:180)
>   at 
> java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:293)
>   at 
> java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
>   ... 2 common frames omitted
> Caused by: java.io.IOException: Failed to obtain value from ZooKeeper for 
> component with ID 9716842f-015d-1000--7de55c99 with exception code 
> CONNECTIONLOSS
>   at 
> org.apache.nifi.controller.state.providers.zookeeper.ZooKeeperStateProvider.getState(ZooKeeperStateProvider.java:420)
>   at 
> org.apache.nifi.controller.state.StandardStateManager.getState(StandardStateManager.java:63)
>   at 
> org.apache.nifi.processor.util.list.AbstractListProcessor.updateState(AbstractListProcessor.java:199)
>   ... 15 common frames omitted
> Caused by: org.apache.zookeeper.KeeperException$ConnectionLossException: 
> KeeperErrorCode = ConnectionLoss for 
> /nifi/components/9716842f-015d-1000--7de55c99
>   at org.apache.zookeeper.KeeperException.create(KeeperException.java:99)
>   at org.apache.zookeeper.KeeperException.create(KeeperException.java:51)
>   at org.apache.zookeeper.ZooKeeper.getData(ZooKeeper.java:1155)
>   at org.apache.zookeeper.ZooKeeper.getData(ZooKeeper.java:1184)
>   at 
> org.apache.nifi.controller.state.providers.zookeeper.ZooKeeperStateProvider.getState(ZooKeeperStateProvider.java:403)
>   ... 17 common frames omitted
> 2017-07-31 06:25:28,523 ERROR [StandardProcessScheduler Thread-5] 
> o.a.nifi.processors.standard.ListSFTP 
> ListSFTP[id=9716842f-015d-1000--7de55c99] 
> ListSFTP[id=9716842f-015d-1000--7de55c99] failed to invoke 
> @OnScheduled method due to java.lang.RuntimeException: Failed while executing 
> one of processor's OnScheduled task.; processor will not be scheduled to run 
> for 30 seconds: java.lang.RuntimeException: Failed while executing one of 
> processor's OnScheduled task.
> java.lang.RuntimeException: Failed while executing one of processor's 
> OnScheduled task.
>   at 
>