[GitHub] nifi issue #2020: [NiFi-3973] Add PutKudu Processor for ingesting data to Ku...

2017-08-02 Thread cammach
Github user cammach commented on the issue:

https://github.com/apache/nifi/pull/2020
  
Hi @rickysaltzer, I have figured out the Record Reader reference issue 
and fixed it. Would you please continue to review the code?


---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastruct...@apache.org or file a JIRA ticket
with INFRA.
---


[jira] [Commented] (NIFI-4215) Avro schemas with records that have a field of themselves fail to parse, causing stackoverflow exception

2017-08-02 Thread James Wing (JIRA)

[ 
https://issues.apache.org/jira/browse/NIFI-4215?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16112166#comment-16112166
 ] 

James Wing commented on NIFI-4215:
--

[~markap14], would you please expand a bit on the immutability concern and what 
criteria we should apply to a solution?  Although the changes we introduced 
would mutate the SimpleRecordSchema once after creation, I don't believe it 
would have introduced or permitted widespread updates outside the initial 
creation and configuration.  Are you worried about immediate multi-threaded 
changes we introduced, future developers abusing the access, or the JVM not 
performing the right optimizations without the benefit of {{final}} guidance?

> Avro schemas with records that have a field of themselves fail to parse, 
> causing stackoverflow exception
> 
>
> Key: NIFI-4215
> URL: https://issues.apache.org/jira/browse/NIFI-4215
> Project: Apache NiFi
> Issue Type: Bug
> Affects Versions: 1.4.0
> Reporter: Wesley L Lawrence
> Priority: Minor
> Attachments: nifi-4215.patch
>
>
> Noticed this while attempting to use the AvroSchemaRegistry with some complex 
> schema. Boiled down, Avro lets you define a schema such as;
> {code}
> {
>   "namespace": "org.apache.nifi.testing",
>   "name": "CompositRecord",
>   "type": "record",
>   "fields": [
>     {
>       "name": "id",
>       "type": "int"
>     },
>     {
>       "name": "value",
>       "type": "string"
>     },
>     {
>       "name": "parent",
>       "type": [
>         "null",
>         "CompositRecord"
>       ]
>     }
>   ]
> }
> {code}
> The AvroSchemaRegistry (AvroTypeUtil specifically) will fail to parse, and 
> generate a stackoverflow exception.
> I've whipped up a fix, tested it out in 1.4.0, and am just running through 
> the contrib build before I submit a patch.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
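
The failure mode reported in NIFI-4215 and the "mutate once after creation" approach discussed in the comment above, as an added Python sketch. It is not NiFi's AvroTypeUtil or the attached patch; `RecordType`, `naive_convert` and `convert` are hypothetical names, and the schema is the one from the report.

```python
import json

# Constructed sample: the self-referential schema quoted in the report.
SCHEMA_JSON = """
{
  "namespace": "org.apache.nifi.testing",
  "name": "CompositRecord",
  "type": "record",
  "fields": [
    {"name": "id", "type": "int"},
    {"name": "value", "type": "string"},
    {"name": "parent", "type": ["null", "CompositRecord"]}
  ]
}
"""

PRIMITIVES = {"null", "boolean", "int", "long", "float", "double", "bytes", "string"}


class RecordType:
    """Hypothetical record schema whose fields are set exactly once, after creation."""

    def __init__(self, fullname):
        self.fullname = fullname
        self.fields = None  # populated by set_fields()

    def set_fields(self, fields):
        if self.fields is not None:
            raise ValueError(f"fields of {self.fullname} are already set")
        self.fields = tuple(fields)  # frozen from here on


def naive_convert(schema, root):
    """Expands every named reference in place (simplified: any name means `root`).

    On a schema that refers to itself this never reaches a base case.
    """
    if isinstance(schema, list):
        return ("union", tuple(naive_convert(s, root) for s in schema))
    if isinstance(schema, str):
        return schema if schema in PRIMITIVES else naive_convert(root, root)
    return {f["name"]: naive_convert(f["type"], root) for f in schema["fields"]}


def _fullname(name, namespace):
    # Avro resolves an unqualified name against the enclosing namespace.
    return name if "." in name or not namespace else f"{namespace}.{name}"


def convert(schema, namespace=None, known=None):
    """Recursion-safe conversion: a record is registered before its fields are read.

    enum and fixed types are left out to keep the sketch short.
    """
    known = {} if known is None else known
    if isinstance(schema, list):  # union
        return ("union", tuple(convert(s, namespace, known) for s in schema))
    if isinstance(schema, str):
        if schema in PRIMITIVES:
            return schema
        full = _fullname(schema, namespace)
        if full not in known:
            raise ValueError(f"undefined type reference: {full}")
        return known[full]  # reuse the existing object instead of expanding again
    if isinstance(schema, dict):
        kind = schema["type"]
        if kind == "record":
            ns = schema.get("namespace", namespace)
            record = RecordType(_fullname(schema["name"], ns))
            known[record.fullname] = record  # register the empty shell first
            record.set_fields(
                (f["name"], convert(f["type"], ns, known)) for f in schema["fields"]
            )
            return record
        if kind == "array":
            return ("array", convert(schema["items"], namespace, known))
        if kind == "map":
            return ("map", convert(schema["values"], namespace, known))
        return convert(kind, namespace, known)  # e.g. {"type": "string"}
    raise TypeError(f"unsupported schema node: {schema!r}")


def demo():
    schema = json.loads(SCHEMA_JSON)
    try:
        naive_convert(schema, schema)
        naive_failed = False
    except RecursionError:  # Python's counterpart of a StackOverflowError
        naive_failed = True
    record = convert(schema)
    parent_type = dict(record.fields)["parent"]
    return naive_failed, record, parent_type


if __name__ == "__main__":
    failed, rec, parent = demo()
    print("naive converter overflowed:", failed)
    print("parent refers back to the same record:", parent[1][1] is rec)
```

Anything that later walks the converted schema (equality, hashing, string rendering) needs the same cycle awareness, because the object graph now contains a loop.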


[jira] [Updated] (NIFI-4259) Run-init.bat show permission error as org.apache.nifi.bootstrap.Command Failed to set permissions so that only the owner can read pid file

2017-08-02 Thread chatsiri (JIRA)

 [ 
https://issues.apache.org/jira/browse/NIFI-4259?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

chatsiri updated NIFI-4259:
---
Description: 
Hello Contributor,

I built Apache NiFi in a Windows OS environment using the simple Maven command 
referenced in the official build steps. After the core jar file was built 
successfully in the nifi-assembly folder, I ran the command line below. With 
that warning, I cannot load the web URL: http://localhost:8080/nifi.

{panel:title=Console log after calling command line ./run-nifi.bat}
PS C:\workspacejava\nifi\nifi-assembly\target\nifi-1.4.0-SNAPSHOT\bin> 
.\run-nifi.bat
2017-08-03 10:18:03,086 INFO [main] org.apache.nifi.bootstrap.Command Starting 
Apache NiFi...
2017-08-03 10:18:03,088 INFO [main] org.apache.nifi.bootstrap.Command Working 
Directory: C:\Users\R2C06~1.CHA\WOA236~1\nifi\NIFI-A~1\target\NIFI-1~2.0-S
2017-08-03 10:18:03,089 INFO [main] org.apache.nifi.bootstrap.Command Command: 
C:\Program Files\Java\jdk1.8.0_131\bin\java.exe -classpath 
C:\Users\R2C06~1.CHA\WOA236~1\nifi\NIFI-A~1\target\NIFI-1~2.0-S\.\conf;C:\Users\R2C06~1.CHA\WOA236~1\nifi\NIFI-A~1\target\NIFI-1~2.0-
S\.\lib\javax.servlet-api-3.1.0.jar;C:\Users\R2C06~1.CHA\WOA236~1\nifi\NIFI-A~1\target\NIFI-1~2.0-S\.\lib\jcl-over-slf4j-1.7.25.jar;C:\Users\R2C06~1.CHA\WOA236~1\nifi\NIFI-A~1\target\NIFI-1~2.0-S\.\lib\jetty-schemas-3.1.jar;C:\Users\R2C06~1.CHA\WOA236~1\nifi\NIFI-A~1\tar
get\NIFI-1~2.0-S\.\lib\jul-to-slf4j-1.7.25.jar;C:\Users\R2C06~1.CHA\WOA236~1\nifi\NIFI-A~1\target\NIFI-1~2.0-S\.\lib\log4j-over-slf4j-1.7.25.jar;C:\Users\R2C06~1.CHA\WOA236~1\nifi\NIFI-A~1\target\NIFI-1~2.0-S\.\lib\logback-classic-1.2.3.jar;C:\Users\R2C06~1.CHA\WOA236~1\
nifi\NIFI-A~1\target\NIFI-1~2.0-S\.\lib\logback-core-1.2.3.jar;C:\Users\R2C06~1.CHA\WOA236~1\nifi\NIFI-A~1\target\NIFI-1~2.0-S\.\lib\nifi-api-1.4.0-SNAPSHOT.jar;C:\Users\R2C06~1.CHA\WOA236~1\nifi\NIFI-A~1\target\NIFI-1~2.0-S\.\lib\nifi-framework-api-1.4.0-SNAPSHOT.jar;C:
\Users\R2C06~1.CHA\WOA236~1\nifi\NIFI-A~1\target\NIFI-1~2.0-S\.\lib\nifi-nar-utils-1.4.0-SNAPSHOT.jar;C:\Users\R2C06~1.CHA\WOA236~1\nifi\NIFI-A~1\target\NIFI-1~2.0-S\.\lib\nifi-properties-1.4.0-SNAPSHOT.jar;C:\Users\R2C06~1.CHA\WOA236~1\nifi\NIFI-A~1\target\NIFI-1~2.0-S\
.\lib\nifi-runtime-1.4.0-SNAPSHOT.jar;C:\Users\R2C06~1.CHA\WOA236~1\nifi\NIFI-A~1\target\NIFI-1~2.0-S\.\lib\slf4j-api-1.7.25.jar
 -Dorg.apache.jasper.compiler.disablejsr199=true -Xmx512m -Xms512m 
-Djava.security.egd=file:/dev/urandom -Dsun.net.http.allowRestrictedHeaders=
true -Djava.net.preferIPv4Stack=true -Djava.awt.headless=true -XX:+UseG1GC 
-Djava.protocol.handler.pkgs=sun.net.www.protocol 
-Dnifi.properties.file.path=C:\Users\R2C06~1.CHA\WOA236~1\nifi\NIFI-A~1\target\NIFI-1~2.0-S\.\conf\nifi.properties
 -Dnifi.bootstrap.listen.port=53
626 -Dapp=NiFi 
-Dorg.apache.nifi.bootstrap.config.log.dir=C:\Users\R2C06~1.CHA\WOA236~1\nifi\NIFI-A~1\target\NIFI-1~2.0-S\bin\..\\logs
 org.apache.nifi.NiFi
2017-08-03 10:18:03,975 WARN [main] org.apache.nifi.bootstrap.Command Failed to 
set permissions so that only the owner can read pid file 
C:\Users\R2C06~1.CHA\WOA236~1\nifi\NIFI-A~1\target\NIFI-1~2.0-S\bin\..\run\nifi.pid;
 this may allows others to have access to the key
needed to communicate with NiFi. Permissions should be changed so that only the 
owner can read this file
2017-08-03 10:18:04,000 WARN [main] org.apache.nifi.bootstrap.Command Failed to 
set permissions so that only the owner can read status file 
C:\Users\R2C06~1.CHA\WOA236~1\nifi\NIFI-A~1\target\NIFI-1~2.0-S\bin\..\run\nifi.status;
 this may allows others to have access to th
e key needed to communicate with NiFi. Permissions should be changed so that 
only the owner can read this file
2017-08-03 10:18:04,051 INFO [main] org.apache.nifi.bootstrap.Command Launched 
Apache NiFi with Process ID 18036
{panel} 

The warning shown in the console log is:


{panel:title=Console log}
2017-08-03 10:18:04,000 WARN [main] org.apache.nifi.bootstrap.Command Failed to 
set permissions so that only the owner can read status file 
C:\Users\R2C06~1.CHA\WOA236~1\nifi\NIFI-A~1\target\NIFI-1~2.0-S\bin\..\run\nifi.status;
 this may allows others to have access to th
e key needed to communicate with NiFi. Permissions should be changed so that 
only the owner can read this file
{panel}

I paste the log from Nifi-app.log:


{panel:title=Nifi-app.log}
2017-08-02 23:55:08,101 WARN [main] org.apache.nifi.nar.ExtensionManager 
Component org.apache.nifi.processors.aws.dynamodb.PutDynamoDB is bundled with 
its referenced Controller Service APIs 
org.apache.nifi.processors.aws.credentials.pr
ovider.service.AWSCredentialsProviderService. The service APIs should not be 
bundled with component implementations that reference it.
2017-08-02 23:55:08,116 WARN [main] org.apache.nifi.nar.ExtensionManager 
Component org.apache.nifi.processors.aws.dynamodb.DeleteDynamoDB is bundled 
with its referenced Controller Service APIs 

[jira] [Created] (NIFI-4259) Run-init.bat show permission error as org.apache.nifi.bootstrap.Command Failed to set permissions so that only the owner can read pid file

2017-08-02 Thread chatsiri (JIRA)
chatsiri created NIFI-4259:
--

 Summary: Run-init.bat show permission error as 
org.apache.nifi.bootstrap.Command Failed to set permissions so that only the 
owner can read pid file
 Key: NIFI-4259
 URL: https://issues.apache.org/jira/browse/NIFI-4259
 Project: Apache NiFi
  Issue Type: Bug
  Components: Configuration
Affects Versions: 2.0.0
Reporter: chatsiri


Hello Contributor,

I built Apache NiFi in a Windows OS environment using the simple Maven command 
referenced in the official build steps. After the core jar file was built 
successfully in the nifi-assembly folder, I ran the command line below. With 
that warning, I cannot load the web URL: http://localhost:8080/nifi.
 
{panel:title=My title}
PS C:\workspacejava\nifi\nifi-assembly\target\nifi-1.4.0-SNAPSHOT\bin> 
.\run-nifi.bat
2017-08-03 10:18:03,086 INFO [main] org.apache.nifi.bootstrap.Command Starting 
Apache NiFi...
2017-08-03 10:18:03,088 INFO [main] org.apache.nifi.bootstrap.Command Working 
Directory: C:\Users\R2C06~1.CHA\WOA236~1\nifi\NIFI-A~1\target\NIFI-1~2.0-S
2017-08-03 10:18:03,089 INFO [main] org.apache.nifi.bootstrap.Command Command: 
C:\Program Files\Java\jdk1.8.0_131\bin\java.exe -classpath 
C:\Users\R2C06~1.CHA\WOA236~1\nifi\NIFI-A~1\target\NIFI-1~2.0-S\.\conf;C:\Users\R2C06~1.CHA\WOA236~1\nifi\NIFI-A~1\target\NIFI-1~2.0-
S\.\lib\javax.servlet-api-3.1.0.jar;C:\Users\R2C06~1.CHA\WOA236~1\nifi\NIFI-A~1\target\NIFI-1~2.0-S\.\lib\jcl-over-slf4j-1.7.25.jar;C:\Users\R2C06~1.CHA\WOA236~1\nifi\NIFI-A~1\target\NIFI-1~2.0-S\.\lib\jetty-schemas-3.1.jar;C:\Users\R2C06~1.CHA\WOA236~1\nifi\NIFI-A~1\tar
get\NIFI-1~2.0-S\.\lib\jul-to-slf4j-1.7.25.jar;C:\Users\R2C06~1.CHA\WOA236~1\nifi\NIFI-A~1\target\NIFI-1~2.0-S\.\lib\log4j-over-slf4j-1.7.25.jar;C:\Users\R2C06~1.CHA\WOA236~1\nifi\NIFI-A~1\target\NIFI-1~2.0-S\.\lib\logback-classic-1.2.3.jar;C:\Users\R2C06~1.CHA\WOA236~1\
nifi\NIFI-A~1\target\NIFI-1~2.0-S\.\lib\logback-core-1.2.3.jar;C:\Users\R2C06~1.CHA\WOA236~1\nifi\NIFI-A~1\target\NIFI-1~2.0-S\.\lib\nifi-api-1.4.0-SNAPSHOT.jar;C:\Users\R2C06~1.CHA\WOA236~1\nifi\NIFI-A~1\target\NIFI-1~2.0-S\.\lib\nifi-framework-api-1.4.0-SNAPSHOT.jar;C:
\Users\R2C06~1.CHA\WOA236~1\nifi\NIFI-A~1\target\NIFI-1~2.0-S\.\lib\nifi-nar-utils-1.4.0-SNAPSHOT.jar;C:\Users\R2C06~1.CHA\WOA236~1\nifi\NIFI-A~1\target\NIFI-1~2.0-S\.\lib\nifi-properties-1.4.0-SNAPSHOT.jar;C:\Users\R2C06~1.CHA\WOA236~1\nifi\NIFI-A~1\target\NIFI-1~2.0-S\
.\lib\nifi-runtime-1.4.0-SNAPSHOT.jar;C:\Users\R2C06~1.CHA\WOA236~1\nifi\NIFI-A~1\target\NIFI-1~2.0-S\.\lib\slf4j-api-1.7.25.jar
 -Dorg.apache.jasper.compiler.disablejsr199=true -Xmx512m -Xms512m 
-Djava.security.egd=file:/dev/urandom -Dsun.net.http.allowRestrictedHeaders=
true -Djava.net.preferIPv4Stack=true -Djava.awt.headless=true -XX:+UseG1GC 
-Djava.protocol.handler.pkgs=sun.net.www.protocol 
-Dnifi.properties.file.path=C:\Users\R2C06~1.CHA\WOA236~1\nifi\NIFI-A~1\target\NIFI-1~2.0-S\.\conf\nifi.properties
 -Dnifi.bootstrap.listen.port=53
626 -Dapp=NiFi 
-Dorg.apache.nifi.bootstrap.config.log.dir=C:\Users\R2C06~1.CHA\WOA236~1\nifi\NIFI-A~1\target\NIFI-1~2.0-S\bin\..\\logs
 org.apache.nifi.NiFi
2017-08-03 10:18:03,975 WARN [main] org.apache.nifi.bootstrap.Command Failed to 
set permissions so that only the owner can read pid file 
C:\Users\R2C06~1.CHA\WOA236~1\nifi\NIFI-A~1\target\NIFI-1~2.0-S\bin\..\run\nifi.pid;
 this may allows others to have access to the key
needed to communicate with NiFi. Permissions should be changed so that only the 
owner can read this file
2017-08-03 10:18:04,000 WARN [main] org.apache.nifi.bootstrap.Command Failed to 
set permissions so that only the owner can read status file 
C:\Users\R2C06~1.CHA\WOA236~1\nifi\NIFI-A~1\target\NIFI-1~2.0-S\bin\..\run\nifi.status;
 this may allows others to have access to th
e key needed to communicate with NiFi. Permissions should be changed so that 
only the owner can read this file
2017-08-03 10:18:04,051 INFO [main] org.apache.nifi.bootstrap.Command Launched 
Apache NiFi with Process ID 18036
{panel} 

The warning shown in the console log is:


{panel:title=My title}
2017-08-03 10:18:04,000 WARN [main] org.apache.nifi.bootstrap.Command Failed to 
set permissions so that only the owner can read status file 
C:\Users\R2C06~1.CHA\WOA236~1\nifi\NIFI-A~1\target\NIFI-1~2.0-S\bin\..\run\nifi.status;
 this may allows others to have access to th
e key needed to communicate with NiFi. Permissions should be changed so that 
only the owner can read this file
{panel}

I paste the log from Nifi-app.log:


{panel:title=My title}
2017-08-02 23:55:08,101 WARN [main] org.apache.nifi.nar.ExtensionManager 
Component org.apache.nifi.processors.aws.dynamodb.PutDynamoDB is bundled with 
its referenced Controller Service APIs 
org.apache.nifi.processors.aws.credentials.pr
ovider.service.AWSCredentialsProviderService. The service APIs should not be 
bundled with component implementations that reference it.

[jira] [Updated] (NIFI-4259) Run-init.bat show permission error as org.apache.nifi.bootstrap.Command Failed to set permissions so that only the owner can read pid file

2017-08-02 Thread chatsiri (JIRA)

 [ 
https://issues.apache.org/jira/browse/NIFI-4259?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

chatsiri updated NIFI-4259:
---
Description: 
Hello Contributor,

I built Apache NiFi in a Windows OS environment using the simple Maven command 
referenced in the official build steps. After the core jar file was built 
successfully in the nifi-assembly folder, I ran the command line below. With 
that warning, I cannot load the web URL: http://localhost:8080/nifi.
 
{panel:title=My title}
PS C:\workspacejava\nifi\nifi-assembly\target\nifi-1.4.0-SNAPSHOT\bin> 
.\run-nifi.bat
2017-08-03 10:18:03,086 INFO [main] org.apache.nifi.bootstrap.Command Starting 
Apache NiFi...
2017-08-03 10:18:03,088 INFO [main] org.apache.nifi.bootstrap.Command Working 
Directory: C:\Users\R2C06~1.CHA\WOA236~1\nifi\NIFI-A~1\target\NIFI-1~2.0-S
2017-08-03 10:18:03,089 INFO [main] org.apache.nifi.bootstrap.Command Command: 
C:\Program Files\Java\jdk1.8.0_131\bin\java.exe -classpath 
C:\Users\R2C06~1.CHA\WOA236~1\nifi\NIFI-A~1\target\NIFI-1~2.0-S\.\conf;C:\Users\R2C06~1.CHA\WOA236~1\nifi\NIFI-A~1\target\NIFI-1~2.0-
S\.\lib\javax.servlet-api-3.1.0.jar;C:\Users\R2C06~1.CHA\WOA236~1\nifi\NIFI-A~1\target\NIFI-1~2.0-S\.\lib\jcl-over-slf4j-1.7.25.jar;C:\Users\R2C06~1.CHA\WOA236~1\nifi\NIFI-A~1\target\NIFI-1~2.0-S\.\lib\jetty-schemas-3.1.jar;C:\Users\R2C06~1.CHA\WOA236~1\nifi\NIFI-A~1\tar
get\NIFI-1~2.0-S\.\lib\jul-to-slf4j-1.7.25.jar;C:\Users\R2C06~1.CHA\WOA236~1\nifi\NIFI-A~1\target\NIFI-1~2.0-S\.\lib\log4j-over-slf4j-1.7.25.jar;C:\Users\R2C06~1.CHA\WOA236~1\nifi\NIFI-A~1\target\NIFI-1~2.0-S\.\lib\logback-classic-1.2.3.jar;C:\Users\R2C06~1.CHA\WOA236~1\
nifi\NIFI-A~1\target\NIFI-1~2.0-S\.\lib\logback-core-1.2.3.jar;C:\Users\R2C06~1.CHA\WOA236~1\nifi\NIFI-A~1\target\NIFI-1~2.0-S\.\lib\nifi-api-1.4.0-SNAPSHOT.jar;C:\Users\R2C06~1.CHA\WOA236~1\nifi\NIFI-A~1\target\NIFI-1~2.0-S\.\lib\nifi-framework-api-1.4.0-SNAPSHOT.jar;C:
\Users\R2C06~1.CHA\WOA236~1\nifi\NIFI-A~1\target\NIFI-1~2.0-S\.\lib\nifi-nar-utils-1.4.0-SNAPSHOT.jar;C:\Users\R2C06~1.CHA\WOA236~1\nifi\NIFI-A~1\target\NIFI-1~2.0-S\.\lib\nifi-properties-1.4.0-SNAPSHOT.jar;C:\Users\R2C06~1.CHA\WOA236~1\nifi\NIFI-A~1\target\NIFI-1~2.0-S\
.\lib\nifi-runtime-1.4.0-SNAPSHOT.jar;C:\Users\R2C06~1.CHA\WOA236~1\nifi\NIFI-A~1\target\NIFI-1~2.0-S\.\lib\slf4j-api-1.7.25.jar
 -Dorg.apache.jasper.compiler.disablejsr199=true -Xmx512m -Xms512m 
-Djava.security.egd=file:/dev/urandom -Dsun.net.http.allowRestrictedHeaders=
true -Djava.net.preferIPv4Stack=true -Djava.awt.headless=true -XX:+UseG1GC 
-Djava.protocol.handler.pkgs=sun.net.www.protocol 
-Dnifi.properties.file.path=C:\Users\R2C06~1.CHA\WOA236~1\nifi\NIFI-A~1\target\NIFI-1~2.0-S\.\conf\nifi.properties
 -Dnifi.bootstrap.listen.port=53
626 -Dapp=NiFi 
-Dorg.apache.nifi.bootstrap.config.log.dir=C:\Users\R2C06~1.CHA\WOA236~1\nifi\NIFI-A~1\target\NIFI-1~2.0-S\bin\..\\logs
 org.apache.nifi.NiFi
2017-08-03 10:18:03,975 WARN [main] org.apache.nifi.bootstrap.Command Failed to 
set permissions so that only the owner can read pid file 
C:\Users\R2C06~1.CHA\WOA236~1\nifi\NIFI-A~1\target\NIFI-1~2.0-S\bin\..\run\nifi.pid;
 this may allows others to have access to the key
needed to communicate with NiFi. Permissions should be changed so that only the 
owner can read this file
2017-08-03 10:18:04,000 WARN [main] org.apache.nifi.bootstrap.Command Failed to 
set permissions so that only the owner can read status file 
C:\Users\R2C06~1.CHA\WOA236~1\nifi\NIFI-A~1\target\NIFI-1~2.0-S\bin\..\run\nifi.status;
 this may allows others to have access to th
e key needed to communicate with NiFi. Permissions should be changed so that 
only the owner can read this file
2017-08-03 10:18:04,051 INFO [main] org.apache.nifi.bootstrap.Command Launched 
Apache NiFi with Process ID 18036
{panel} 

The warning shown in the console log is:


{panel:title=Console log}
2017-08-03 10:18:04,000 WARN [main] org.apache.nifi.bootstrap.Command Failed to 
set permissions so that only the owner can read status file 
C:\Users\R2C06~1.CHA\WOA236~1\nifi\NIFI-A~1\target\NIFI-1~2.0-S\bin\..\run\nifi.status;
 this may allows others to have access to th
e key needed to communicate with NiFi. Permissions should be changed so that 
only the owner can read this file
{panel}

I paste the log from Nifi-app.log:


{panel:title=Nifi-app.log}
2017-08-02 23:55:08,101 WARN [main] org.apache.nifi.nar.ExtensionManager 
Component org.apache.nifi.processors.aws.dynamodb.PutDynamoDB is bundled with 
its referenced Controller Service APIs 
org.apache.nifi.processors.aws.credentials.pr
ovider.service.AWSCredentialsProviderService. The service APIs should not be 
bundled with component implementations that reference it.
2017-08-02 23:55:08,116 WARN [main] org.apache.nifi.nar.ExtensionManager 
Component org.apache.nifi.processors.aws.dynamodb.DeleteDynamoDB is bundled 
with its referenced Controller Service APIs 
org.apache.nifi.processors.aws.credentials

[GitHub] nifi-minifi-cpp pull request #117: MINIFI-338: Convert processor threads to ...

2017-08-02 Thread asfgit
Github user asfgit closed the pull request at:

https://github.com/apache/nifi-minifi-cpp/pull/117




[jira] [Commented] (NIFI-4256) Add support for all AWS S3 Encryption Options

2017-08-02 Thread Franco (JIRA)

[ 
https://issues.apache.org/jira/browse/NIFI-4256?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16111896#comment-16111896
 ] 

Franco commented on NIFI-4256:
--

More than happy to support the existing Server-Side-Encryption property.

Is there a pattern in the UI for flagging to users that a property is 
deprecated?

> Add support for all AWS S3 Encryption Options
> -
>
> Key: NIFI-4256
> URL: https://issues.apache.org/jira/browse/NIFI-4256
> Project: Apache NiFi
> Issue Type: Improvement
> Components: Core Framework
> Affects Versions: 1.2.0
> Reporter: Franco
> Labels: aws, aws-s3, security
> Fix For: 1.4.0
>
>
> NiFi currently only supports SSE-S3 encryption (AES256).
> Support needs to be added for:
> * SSE-S3
> * SSE-KMS
> * SSE-C
> * CSE-KMS CMK
> * CSE-Master Key
> With all of the appropriate configuration options and such that SSE is 
> available only for PutS3Object whilst CSE is available also for FetchS3Object.
> Given that this will add another 20 or so UI properties the intention is to 
> split it into a Client Side Encryption Service and Server Side Encryption 
> Service. This will allow users to reuse "encryption" across different 
> workflows.
> Note: We will not support the existing server-side-encryption option so this 
> will be a breaking change for existing users. 





[GitHub] nifi pull request #2047: NIFI-4210: Add support for OpenId Connect

2017-08-02 Thread alopresto
Github user alopresto commented on a diff in the pull request:

https://github.com/apache/nifi/pull/2047#discussion_r131015708
  
--- Diff: 
nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/oidc/StandardOidcIdentityProvider.java
 ---
@@ -0,0 +1,339 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.nifi.web.security.oidc;
+
+import com.nimbusds.jose.JOSEException;
+import com.nimbusds.jose.JWSAlgorithm;
+import com.nimbusds.jose.proc.BadJOSEException;
+import com.nimbusds.jose.util.DefaultResourceRetriever;
+import com.nimbusds.jose.util.ResourceRetriever;
+import com.nimbusds.jwt.JWT;
+import com.nimbusds.jwt.JWTClaimsSet;
+import com.nimbusds.oauth2.sdk.AuthorizationGrant;
+import com.nimbusds.oauth2.sdk.ParseException;
+import com.nimbusds.oauth2.sdk.Scope;
+import com.nimbusds.oauth2.sdk.TokenErrorResponse;
+import com.nimbusds.oauth2.sdk.TokenRequest;
+import com.nimbusds.oauth2.sdk.TokenResponse;
+import com.nimbusds.oauth2.sdk.auth.ClientAuthentication;
+import com.nimbusds.oauth2.sdk.auth.ClientAuthenticationMethod;
+import com.nimbusds.oauth2.sdk.auth.ClientSecretBasic;
+import com.nimbusds.oauth2.sdk.auth.ClientSecretPost;
+import com.nimbusds.oauth2.sdk.auth.Secret;
+import com.nimbusds.oauth2.sdk.http.HTTPRequest;
+import com.nimbusds.oauth2.sdk.http.HTTPResponse;
+import com.nimbusds.oauth2.sdk.id.ClientID;
+import com.nimbusds.oauth2.sdk.token.BearerAccessToken;
+import com.nimbusds.openid.connect.sdk.OIDCScopeValue;
+import com.nimbusds.openid.connect.sdk.OIDCTokenResponse;
+import com.nimbusds.openid.connect.sdk.OIDCTokenResponseParser;
+import com.nimbusds.openid.connect.sdk.UserInfoErrorResponse;
+import com.nimbusds.openid.connect.sdk.UserInfoRequest;
+import com.nimbusds.openid.connect.sdk.UserInfoResponse;
+import com.nimbusds.openid.connect.sdk.UserInfoSuccessResponse;
+import com.nimbusds.openid.connect.sdk.claims.IDTokenClaimsSet;
+import com.nimbusds.openid.connect.sdk.op.OIDCProviderMetadata;
+import com.nimbusds.openid.connect.sdk.token.OIDCTokens;
+import com.nimbusds.openid.connect.sdk.validators.IDTokenValidator;
+import net.minidev.json.JSONObject;
+import org.apache.commons.lang3.StringUtils;
+import org.apache.nifi.util.FormatUtils;
+import org.apache.nifi.util.NiFiProperties;
+import org.apache.nifi.web.security.jwt.JwtService;
+import org.apache.nifi.web.security.token.LoginAuthenticationToken;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import java.io.IOException;
+import java.net.URI;
+import java.net.URL;
+import java.util.Calendar;
+import java.util.Date;
+import java.util.List;
+import java.util.concurrent.TimeUnit;
+
+import static 
com.nimbusds.openid.connect.sdk.claims.UserInfo.EMAIL_CLAIM_NAME;
+
+/**
+ * OidcProvider for managing the OpenId Connect Authorization flow.
+ */
+public class StandardOidcIdentityProvider implements OidcIdentityProvider {
+
+private static final Logger logger = 
LoggerFactory.getLogger(StandardOidcIdentityProvider.class);
+
+private NiFiProperties properties;
+private JwtService jwtService;
+private OIDCProviderMetadata oidcProviderMetadata;
+private int oidcConnectTimeout;
+private int oidcReadTimeout;
+private IDTokenValidator tokenValidator;
+private ClientID clientId;
+private Secret clientSecret;
+
+/**
+ * Creates a new StandardOidcIdentityProvider.
+ *
+ * @param jwtService jwt service
+ * @param properties properties
+ */
+public StandardOidcIdentityProvider(final JwtService jwtService, final 
NiFiProperties properties) {
+this.properties = properties;
+this.jwtService = jwtService;
+
+// attempt to process the oidc configuration if configured
+if 
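
Review bot: `properties` and `jwtService` in the field block are assigned only in the constructor shown here, yet neither is declared `final`. Mark both `final` so the compiler enforces that they cannot be reassigned after construction; for the remaining fields (`oidcProviderMetadata`, `tokenValidator`, `clientId`, `clientSecret`), a short comment saying whether they are set once during configuration processing or can change later would help readers reason about thread safety.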

[jira] [Commented] (NIFI-4210) Add OpenId Connect support for authenticating users

2017-08-02 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/NIFI-4210?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16111861#comment-16111861
 ] 

ASF GitHub Bot commented on NIFI-4210:
--

Github user alopresto commented on a diff in the pull request:

https://github.com/apache/nifi/pull/2047#discussion_r131015276
  
--- Diff: 
nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/api/AccessResource.java
 ---
@@ -125,6 +142,160 @@ public Response getLoginConfig(@Context 
HttpServletRequest httpServletRequest) {
 return generateOkResponse(entity).build();
 }
 
+@GET
+@Consumes(MediaType.WILDCARD)
+@Produces(MediaType.WILDCARD)
+@Path("oidc/request")
+@ApiOperation(
+value = "Initiates a request to authenticate through the 
configured OpenId Connect provider."
+)
+public void oidcRequest(@Context HttpServletRequest 
httpServletRequest, @Context HttpServletResponse httpServletResponse) throws 
Exception {
+// only consider user specific access over https
+if (!httpServletRequest.isSecure()) {
+forwardToMessagePage(httpServletRequest, httpServletResponse, 
"User authentication/authorization is only supported when running over HTTPS.");
+return;
+}
+
+// ensure oidc is enabled
+if (!oidcService.isOidcEnabled()) {
+forwardToMessagePage(httpServletRequest, httpServletResponse, 
"OpenId Connect is not configured.");
+return;
+}
+
+final String oidcRequestIdentifier = UUID.randomUUID().toString();
+
+// generate a cookie to associate this login sequence
+final Cookie cookie = new Cookie(OIDC_REQUEST_IDENTIFIER, 
oidcRequestIdentifier);
+cookie.setPath("/");
+cookie.setHttpOnly(true);
+cookie.setMaxAge(60);
+cookie.setSecure(true);
+httpServletResponse.addCookie(cookie);
+
+// get the state for this request
+final State state = oidcService.createState(oidcRequestIdentifier);
+
+// build the authorization uri
+final URI authorizationUri = 
UriBuilder.fromUri(oidcService.getAuthorizationEndpoint())
+.queryParam("client_id", oidcService.getClientId())
+.queryParam("response_type", "code")
+.queryParam("scope", oidcService.getScope().toString())
+.queryParam("state", state.getValue())
+.queryParam("redirect_uri", getOidcCallback())
+.build();
+
+// generate the response
+httpServletResponse.sendRedirect(authorizationUri.toString());
+}
+
+@GET
+@Consumes(MediaType.WILDCARD)
+@Produces(MediaType.WILDCARD)
+@Path("oidc/callback")
+@ApiOperation(
+value = "Redirect/callback URI for processing the result of 
the OpenId Connect login sequence."
+)
+public void oidcCallback(@Context HttpServletRequest 
httpServletRequest, @Context HttpServletResponse httpServletResponse) throws 
Exception {
+// only consider user specific access over https
+if (!httpServletRequest.isSecure()) {
+forwardToMessagePage(httpServletRequest, httpServletResponse, 
"User authentication/authorization is only supported when running over HTTPS.");
+return;
+}
+
+// ensure oidc is enabled
+if (!oidcService.isOidcEnabled()) {
+forwardToMessagePage(httpServletRequest, httpServletResponse, 
"OpenId Connect is not configured.");
+return;
+}
+
+final String oidcRequestIdentifier = 
getCookieValue(httpServletRequest.getCookies(), OIDC_REQUEST_IDENTIFIER);
+if (oidcRequestIdentifier == null) {
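
Review bot: In `oidcRequest`, `cookie.setPath("/")` sends the request-identifier cookie with every request to the host, while the reader visible in this hunk is `oidcCallback`; scope the path to the callback resource so the value is not attached to unrelated requests. In the same block, `cookie.setMaxAge(60)` gives the user one minute to finish authenticating at the provider, after which the callback falls into the `oidcRequestIdentifier == null` branch; consider a longer or configurable window and say in a comment why the value was chosen.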
--- End diff --

I was concerned that a malformed cookie could have empty/whitespace 
content but not be `null`. Looks like the cookie spec and browser 
implementations prevent that, so this is resolved.


> Add OpenId Connect support for authenticating users
> ---
>
> Key: NIFI-4210
> URL: https://issues.apache.org/jira/browse/NIFI-4210
> Project: Apache NiFi
> Issue Type: Improvement
> Components: Core Framework, Core UI
> Reporter: Matt Gilman
> Assignee: Matt Gilman
>
> Add support for authenticating users with the OpenId Connection 
> specification. Evaluate whether a new extension point is necessary to allow 
> for a given provider to supply custom code for instance to implement custom 
> token validation.




[GitHub] nifi pull request #2047: NIFI-4210: Add support for OpenId Connect

2017-08-02 Thread alopresto
Github user alopresto commented on a diff in the pull request:

https://github.com/apache/nifi/pull/2047#discussion_r131015276
  
--- Diff: 
nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/api/AccessResource.java
 ---
@@ -125,6 +142,160 @@ public Response getLoginConfig(@Context 
HttpServletRequest httpServletRequest) {
 return generateOkResponse(entity).build();
 }
 
+@GET
+@Consumes(MediaType.WILDCARD)
+@Produces(MediaType.WILDCARD)
+@Path("oidc/request")
+@ApiOperation(
+value = "Initiates a request to authenticate through the 
configured OpenId Connect provider."
+)
+public void oidcRequest(@Context HttpServletRequest 
httpServletRequest, @Context HttpServletResponse httpServletResponse) throws 
Exception {
+// only consider user specific access over https
+if (!httpServletRequest.isSecure()) {
+forwardToMessagePage(httpServletRequest, httpServletResponse, 
"User authentication/authorization is only supported when running over HTTPS.");
+return;
+}
+
+// ensure oidc is enabled
+if (!oidcService.isOidcEnabled()) {
+forwardToMessagePage(httpServletRequest, httpServletResponse, 
"OpenId Connect is not configured.");
+return;
+}
+
+final String oidcRequestIdentifier = UUID.randomUUID().toString();
+
+// generate a cookie to associate this login sequence
+final Cookie cookie = new Cookie(OIDC_REQUEST_IDENTIFIER, 
oidcRequestIdentifier);
+cookie.setPath("/");
+cookie.setHttpOnly(true);
+cookie.setMaxAge(60);
+cookie.setSecure(true);
+httpServletResponse.addCookie(cookie);
+
+// get the state for this request
+final State state = oidcService.createState(oidcRequestIdentifier);
+
+// build the authorization uri
+final URI authorizationUri = 
UriBuilder.fromUri(oidcService.getAuthorizationEndpoint())
+.queryParam("client_id", oidcService.getClientId())
+.queryParam("response_type", "code")
+.queryParam("scope", oidcService.getScope().toString())
+.queryParam("state", state.getValue())
+.queryParam("redirect_uri", getOidcCallback())
+.build();
+
+// generate the response
+httpServletResponse.sendRedirect(authorizationUri.toString());
+}
+
+@GET
+@Consumes(MediaType.WILDCARD)
+@Produces(MediaType.WILDCARD)
+@Path("oidc/callback")
+@ApiOperation(
+value = "Redirect/callback URI for processing the result of 
the OpenId Connect login sequence."
+)
+public void oidcCallback(@Context HttpServletRequest 
httpServletRequest, @Context HttpServletResponse httpServletResponse) throws 
Exception {
+// only consider user specific access over https
+if (!httpServletRequest.isSecure()) {
+forwardToMessagePage(httpServletRequest, httpServletResponse, 
"User authentication/authorization is only supported when running over HTTPS.");
+return;
+}
+
+// ensure oidc is enabled
+if (!oidcService.isOidcEnabled()) {
+forwardToMessagePage(httpServletRequest, httpServletResponse, 
"OpenId Connect is not configured.");
+return;
+}
+
+final String oidcRequestIdentifier = 
getCookieValue(httpServletRequest.getCookies(), OIDC_REQUEST_IDENTIFIER);
+if (oidcRequestIdentifier == null) {
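
Review bot: The `isSecure()` and `isOidcEnabled()` guards at the top of `oidcCallback` are copied verbatim from `oidcRequest`, message strings included. Pull them into one private helper that forwards to the message page and returns a boolean, so the two endpoints cannot drift apart when one of the checks changes.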
--- End diff --

I was concerned that a malformed cookie could have empty/whitespace 
content but not be `null`. Looks like the cookie spec and browser 
implementations prevent that, so this is resolved.




[jira] [Updated] (NIFI-4257) Allow a custom WHERE clause in AbstractDatabaseFetchProcessor

2017-08-02 Thread Pierre Villard (JIRA)

 [ 
https://issues.apache.org/jira/browse/NIFI-4257?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Pierre Villard updated NIFI-4257:
-
Status: Patch Available  (was: Open)

> Allow a custom WHERE clause in AbstractDatabaseFetchProcessor
> -
>
> Key: NIFI-4257
> URL: https://issues.apache.org/jira/browse/NIFI-4257
> Project: Apache NiFi
>  Issue Type: Improvement
>  Components: Extensions
>Reporter: Pierre Villard
>Assignee: Pierre Villard
>
> It could be useful allowing a user to set a custom WHERE clause in 
> AbstractDatabaseFetchProcessor in case not all of the data in the table is 
> required.
> In case the WHERE clause is changed after the processor has already been 
> running, the user will probably have to set the initial maximum values to 
> ensure the expected behaviour.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)


[jira] [Commented] (NIFI-4257) Allow a custom WHERE clause in AbstractDatabaseFetchProcessor

2017-08-02 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/NIFI-4257?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16111745#comment-16111745
 ] 

ASF GitHub Bot commented on NIFI-4257:
--

GitHub user pvillard31 opened a pull request:

https://github.com/apache/nifi/pull/2050

NIFI-4257 - add custom WHERE clause in database fetch processors

Thank you for submitting a contribution to Apache NiFi.

In order to streamline the review of the contribution we ask you
to ensure the following steps have been taken:

### For all changes:
- [ ] Is there a JIRA ticket associated with this PR? Is it referenced 
 in the commit message?

- [ ] Does your PR title start with NIFI- where  is the JIRA number 
you are trying to resolve? Pay particular attention to the hyphen "-" character.

- [ ] Has your PR been rebased against the latest commit within the target 
branch (typically master)?

- [ ] Is your initial contribution a single, squashed commit?

### For code changes:
- [ ] Have you ensured that the full suite of tests is executed via mvn 
-Pcontrib-check clean install at the root nifi folder?
- [ ] Have you written or updated unit tests to verify your changes?
- [ ] If adding new dependencies to the code, are these dependencies 
licensed in a way that is compatible for inclusion under [ASF 
2.0](http://www.apache.org/legal/resolved.html#category-a)? 
- [ ] If applicable, have you updated the LICENSE file, including the main 
LICENSE file under nifi-assembly?
- [ ] If applicable, have you updated the NOTICE file, including the main 
NOTICE file found under nifi-assembly?
- [ ] If adding new Properties, have you added .displayName in addition to 
.name (programmatic access) for each of the new properties?

### For documentation related changes:
- [ ] Have you ensured that format looks appropriate for the output in 
which it is rendered?

### Note:
Please ensure that once the PR is submitted, you check travis-ci for build 
issues and submit an update to your PR as soon as possible.


You can merge this pull request into a Git repository by running:

$ git pull https://github.com/pvillard31/nifi NIFI-4257

Alternatively you can review and apply these changes as the patch at:

https://github.com/apache/nifi/pull/2050.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

This closes #2050


commit 1f0fa6e97c6e357f0e3c796c084dca1fd5de942f
Author: Pierre Villard 
Date:   2017-08-02T13:22:31Z

NIFI-4257 - add custom WHERE clause in database fetch processors






[GitHub] nifi pull request #2050: NIFI-4257 - add custom WHERE clause in database fet...

2017-08-02 Thread pvillard31
GitHub user pvillard31 opened a pull request:

https://github.com/apache/nifi/pull/2050

NIFI-4257 - add custom WHERE clause in database fetch processors



[GitHub] nifi-minifi-cpp pull request #122: MINIFI-359: Add PutFile test to test a va...

2017-08-02 Thread asfgit
Github user asfgit closed the pull request at:

https://github.com/apache/nifi-minifi-cpp/pull/122




[jira] [Created] (NIFI-4258) CSVUtils uses same AllowableValue for 'Informix Unload' and 'Informix Unload Escape Disabled'

2017-08-02 Thread Wesley L Lawrence (JIRA)
Wesley L Lawrence created NIFI-4258:
---

 Summary: CSVUtils uses same AllowableValue for 'Informix Unload' 
and 'Informix Unload Escape Disabled'
 Key: NIFI-4258
 URL: https://issues.apache.org/jira/browse/NIFI-4258
 Project: Apache NiFi
  Issue Type: Bug
Affects Versions: 1.4.0
Reporter: Wesley L Lawrence
Priority: Minor


Related to NIFI-4242, you can't use 'Informix Unload Escape Disabled' as a 
pre-defined CSV format, because 'Informix Unload' has the same allowable value. 

The WebUI for CSVReader/CSVRecordSetWriter seems to always display 'Informix 
Unload', and when choosing from the drop down, says 'Informix Unload Escape 
Delimited'. 

Given that within CSVUtils, 'Informix Unload' is checked against first, I 
suspect that's the one that gets chosen.





[GitHub] nifi-minifi-cpp pull request #123: MINIFI-363: Set format macro declaration ...

2017-08-02 Thread asfgit
Github user asfgit closed the pull request at:

https://github.com/apache/nifi-minifi-cpp/pull/123




[jira] [Commented] (NIFIREG-6) Add nifi-registry-bootstrap module

2017-08-02 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/NIFIREG-6?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16111670#comment-16111670
 ] 

ASF GitHub Bot commented on NIFIREG-6:
--

GitHub user bbende opened a pull request:

https://github.com/apache/nifi-registry/pull/3

NIFIREG-6 Adding nifi-registry-bootstrap module

- Enables registry to have the same setup as NiFi where a bootstrap process 
is started first which launches the main process
- All the standard operations such as start, stop, dump, etc, should now 
work from nifi-registry.sh
- Added placeholder LICENSE and NOTICE files to the assembly, need to fill 
in later
- Create nifi-registry-utils to hold utility code

You can merge this pull request into a Git repository by running:

$ git pull https://github.com/bbende/nifi-registry NIFIREG-6

Alternatively you can review and apply these changes as the patch at:

https://github.com/apache/nifi-registry/pull/3.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

This closes #3


commit 10857d551cc48b67e5188a059406bd045c19bce7
Author: Bryan Bende 
Date:   2017-08-01T18:59:47Z

NIFIREG-6 Adding nifi-registry-bootstrap module




> Add nifi-registry-bootstrap module
> --
>
> Key: NIFIREG-6
> URL: https://issues.apache.org/jira/browse/NIFIREG-6
> Project: NiFi Registry
>  Issue Type: Improvement
>Affects Versions: 0.0.1
>Reporter: Bryan Bende
>Assignee: Bryan Bende
>Priority: Minor
>
> Currently NiFiRegistry is the entry point of the application, and in its 
> current state the main method starts a new Jetty server every time.  
> We should take a similar approach to NiFi where we have a bootstrap process 
> that launches and communicates with the application process.





[jira] [Commented] (NIFI-4210) Add OpenId Connect support for authenticating users

2017-08-02 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/NIFI-4210?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16111512#comment-16111512
 ] 

ASF GitHub Bot commented on NIFI-4210:
--

Github user mcgilman commented on a diff in the pull request:

https://github.com/apache/nifi/pull/2047#discussion_r130962746
  
--- Diff: pom.xml ---
@@ -95,7 +95,7 @@
 9.4.3.v20170317
 4.10.4
 4.2.4.RELEASE
-4.0.3.RELEASE
+4.2.3.RELEASE
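
Review bot: The change from `4.0.3.RELEASE` to `4.2.3.RELEASE` crosses two minor release lines, and nothing visible in this hunk says why a pull request titled "Add support for OpenId Connect" needs it. Either add a sentence to the PR description stating which new code depends on the newer version and which release notes were checked, or move the bump to its own JIRA so it can be reviewed and reverted independently. The property name is not visible in this extract, so the affected library cannot be confirmed from the hunk alone.
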
--- End diff --

I'm not aware of the changes. Just realized we hadn't upgraded in a while. 
I'm happy to back this out and create another JIRA to investigate further.


> Add OpenId Connect support for authenticating users
> ---
>
> Key: NIFI-4210
> URL: https://issues.apache.org/jira/browse/NIFI-4210
> Project: Apache NiFi
>  Issue Type: Improvement
>  Components: Core Framework, Core UI
>Reporter: Matt Gilman
>Assignee: Matt Gilman
>
> Add support for authenticating users with the OpenId Connection 
> specification. Evaluate whether a new extension point is necessary to allow 
> for a given provider to supply custom code for instance to implement custom 
> token validation.





[GitHub] nifi pull request #2047: NIFI-4210: Add support for OpenId Connect

2017-08-02 Thread mcgilman
Github user mcgilman commented on a diff in the pull request:

https://github.com/apache/nifi/pull/2047#discussion_r130962746
  
--- Diff: pom.xml ---
@@ -95,7 +95,7 @@
 9.4.3.v20170317
 4.10.4
 4.2.4.RELEASE
-4.0.3.RELEASE
+4.2.3.RELEASE
--- End diff --

I'm not aware of the changes. Just realized we hadn't upgraded in a while. 
I'm happy to back this out and create another JIRA to investigate further.




[GitHub] nifi pull request #2047: NIFI-4210: Add support for OpenId Connect

2017-08-02 Thread mcgilman
Github user mcgilman commented on a diff in the pull request:

https://github.com/apache/nifi/pull/2047#discussion_r130962379
  
--- Diff: 
nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/oidc/StandardOidcIdentityProvider.java
 ---
@@ -0,0 +1,339 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.nifi.web.security.oidc;
+
+import com.nimbusds.jose.JOSEException;
+import com.nimbusds.jose.JWSAlgorithm;
+import com.nimbusds.jose.proc.BadJOSEException;
+import com.nimbusds.jose.util.DefaultResourceRetriever;
+import com.nimbusds.jose.util.ResourceRetriever;
+import com.nimbusds.jwt.JWT;
+import com.nimbusds.jwt.JWTClaimsSet;
+import com.nimbusds.oauth2.sdk.AuthorizationGrant;
+import com.nimbusds.oauth2.sdk.ParseException;
+import com.nimbusds.oauth2.sdk.Scope;
+import com.nimbusds.oauth2.sdk.TokenErrorResponse;
+import com.nimbusds.oauth2.sdk.TokenRequest;
+import com.nimbusds.oauth2.sdk.TokenResponse;
+import com.nimbusds.oauth2.sdk.auth.ClientAuthentication;
+import com.nimbusds.oauth2.sdk.auth.ClientAuthenticationMethod;
+import com.nimbusds.oauth2.sdk.auth.ClientSecretBasic;
+import com.nimbusds.oauth2.sdk.auth.ClientSecretPost;
+import com.nimbusds.oauth2.sdk.auth.Secret;
+import com.nimbusds.oauth2.sdk.http.HTTPRequest;
+import com.nimbusds.oauth2.sdk.http.HTTPResponse;
+import com.nimbusds.oauth2.sdk.id.ClientID;
+import com.nimbusds.oauth2.sdk.token.BearerAccessToken;
+import com.nimbusds.openid.connect.sdk.OIDCScopeValue;
+import com.nimbusds.openid.connect.sdk.OIDCTokenResponse;
+import com.nimbusds.openid.connect.sdk.OIDCTokenResponseParser;
+import com.nimbusds.openid.connect.sdk.UserInfoErrorResponse;
+import com.nimbusds.openid.connect.sdk.UserInfoRequest;
+import com.nimbusds.openid.connect.sdk.UserInfoResponse;
+import com.nimbusds.openid.connect.sdk.UserInfoSuccessResponse;
+import com.nimbusds.openid.connect.sdk.claims.IDTokenClaimsSet;
+import com.nimbusds.openid.connect.sdk.op.OIDCProviderMetadata;
+import com.nimbusds.openid.connect.sdk.token.OIDCTokens;
+import com.nimbusds.openid.connect.sdk.validators.IDTokenValidator;
+import net.minidev.json.JSONObject;
+import org.apache.commons.lang3.StringUtils;
+import org.apache.nifi.util.FormatUtils;
+import org.apache.nifi.util.NiFiProperties;
+import org.apache.nifi.web.security.jwt.JwtService;
+import org.apache.nifi.web.security.token.LoginAuthenticationToken;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import java.io.IOException;
+import java.net.URI;
+import java.net.URL;
+import java.util.Calendar;
+import java.util.Date;
+import java.util.List;
+import java.util.concurrent.TimeUnit;
+
+import static 
com.nimbusds.openid.connect.sdk.claims.UserInfo.EMAIL_CLAIM_NAME;
+
+/**
+ * OidcProvider for managing the OpenId Connect Authorization flow.
+ */
+public class StandardOidcIdentityProvider implements OidcIdentityProvider {
+
+private static final Logger logger = 
LoggerFactory.getLogger(StandardOidcIdentityProvider.class);
+
+private NiFiProperties properties;
+private JwtService jwtService;
+private OIDCProviderMetadata oidcProviderMetadata;
+private int oidcConnectTimeout;
+private int oidcReadTimeout;
+private IDTokenValidator tokenValidator;
+private ClientID clientId;
+private Secret clientSecret;
+
+/**
+ * Creates a new StandardOidcIdentityProvider.
+ *
+ * @param jwtService jwt service
+ * @param properties properties
+ */
+public StandardOidcIdentityProvider(final JwtService jwtService, final 
NiFiProperties properties) {
+this.properties = properties;
+this.jwtService = jwtService;
+
+// attempt to process the oidc configuration if configured
+if 
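
Review bot: `properties` and `jwtService` are assigned exactly once, in the constructor (`this.properties = properties;`, `this.jwtService = jwtService;`), but are declared without `final`. Marking them `final` documents that they never change and gives safe publication if this provider is shared across request threads. The comment "attempt to process the oidc configuration if configured" suggests the remaining fields (`oidcProviderMetadata`, `tokenValidator`, `clientId`, `clientSecret`) are only set conditionally; if so, state in the field or class Javadoc which of them may be null when OpenId Connect is not configured.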

[jira] [Commented] (NIFI-4210) Add OpenId Connect support for authenticating users

2017-08-02 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/NIFI-4210?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16111510#comment-16111510
 ] 

ASF GitHub Bot commented on NIFI-4210:
--

Github user mcgilman commented on a diff in the pull request:

https://github.com/apache/nifi/pull/2047#discussion_r130962379
  
--- Diff: 
nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/oidc/StandardOidcIdentityProvider.java
 ---
@@ -0,0 +1,339 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.nifi.web.security.oidc;
+
+import com.nimbusds.jose.JOSEException;
+import com.nimbusds.jose.JWSAlgorithm;
+import com.nimbusds.jose.proc.BadJOSEException;
+import com.nimbusds.jose.util.DefaultResourceRetriever;
+import com.nimbusds.jose.util.ResourceRetriever;
+import com.nimbusds.jwt.JWT;
+import com.nimbusds.jwt.JWTClaimsSet;
+import com.nimbusds.oauth2.sdk.AuthorizationGrant;
+import com.nimbusds.oauth2.sdk.ParseException;
+import com.nimbusds.oauth2.sdk.Scope;
+import com.nimbusds.oauth2.sdk.TokenErrorResponse;
+import com.nimbusds.oauth2.sdk.TokenRequest;
+import com.nimbusds.oauth2.sdk.TokenResponse;
+import com.nimbusds.oauth2.sdk.auth.ClientAuthentication;
+import com.nimbusds.oauth2.sdk.auth.ClientAuthenticationMethod;
+import com.nimbusds.oauth2.sdk.auth.ClientSecretBasic;
+import com.nimbusds.oauth2.sdk.auth.ClientSecretPost;
+import com.nimbusds.oauth2.sdk.auth.Secret;
+import com.nimbusds.oauth2.sdk.http.HTTPRequest;
+import com.nimbusds.oauth2.sdk.http.HTTPResponse;
+import com.nimbusds.oauth2.sdk.id.ClientID;
+import com.nimbusds.oauth2.sdk.token.BearerAccessToken;
+import com.nimbusds.openid.connect.sdk.OIDCScopeValue;
+import com.nimbusds.openid.connect.sdk.OIDCTokenResponse;
+import com.nimbusds.openid.connect.sdk.OIDCTokenResponseParser;
+import com.nimbusds.openid.connect.sdk.UserInfoErrorResponse;
+import com.nimbusds.openid.connect.sdk.UserInfoRequest;
+import com.nimbusds.openid.connect.sdk.UserInfoResponse;
+import com.nimbusds.openid.connect.sdk.UserInfoSuccessResponse;
+import com.nimbusds.openid.connect.sdk.claims.IDTokenClaimsSet;
+import com.nimbusds.openid.connect.sdk.op.OIDCProviderMetadata;
+import com.nimbusds.openid.connect.sdk.token.OIDCTokens;
+import com.nimbusds.openid.connect.sdk.validators.IDTokenValidator;
+import net.minidev.json.JSONObject;
+import org.apache.commons.lang3.StringUtils;
+import org.apache.nifi.util.FormatUtils;
+import org.apache.nifi.util.NiFiProperties;
+import org.apache.nifi.web.security.jwt.JwtService;
+import org.apache.nifi.web.security.token.LoginAuthenticationToken;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import java.io.IOException;
+import java.net.URI;
+import java.net.URL;
+import java.util.Calendar;
+import java.util.Date;
+import java.util.List;
+import java.util.concurrent.TimeUnit;
+
+import static 
com.nimbusds.openid.connect.sdk.claims.UserInfo.EMAIL_CLAIM_NAME;
+
+/**
+ * OidcProvider for managing the OpenId Connect Authorization flow.
+ */
+public class StandardOidcIdentityProvider implements OidcIdentityProvider {
+
+private static final Logger logger = 
LoggerFactory.getLogger(StandardOidcIdentityProvider.class);
+
+private NiFiProperties properties;
+private JwtService jwtService;
+private OIDCProviderMetadata oidcProviderMetadata;
+private int oidcConnectTimeout;
+private int oidcReadTimeout;
+private IDTokenValidator tokenValidator;
+private ClientID clientId;
+private Secret clientSecret;
+
+/**
+ * Creates a new StandardOidcIdentityProvider.
+ *
+ * @param jwtService jwt service
+ * @param properties properties
+ */
+public StandardOidcIdentityProvider(final JwtService jwtService, 
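
Review bot: The class Javadoc calls this an "OidcProvider" while the type is `StandardOidcIdentityProvider implements OidcIdentityProvider`, and the constructor's `@param jwtService jwt service` and `@param properties properties` lines only restate the parameter names. Use the actual type name in the class comment and say what each argument is used for, since this class is the entry point for a new authentication path.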

[jira] [Commented] (NIFI-4210) Add OpenId Connect support for authenticating users

2017-08-02 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/NIFI-4210?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16111503#comment-16111503
 ] 

ASF GitHub Bot commented on NIFI-4210:
--

Github user mcgilman commented on a diff in the pull request:

https://github.com/apache/nifi/pull/2047#discussion_r130961276
  
--- Diff: 
nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/oidc/StandardOidcIdentityProvider.java
 ---
@@ -0,0 +1,339 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.nifi.web.security.oidc;
+
+import com.nimbusds.jose.JOSEException;
+import com.nimbusds.jose.JWSAlgorithm;
+import com.nimbusds.jose.proc.BadJOSEException;
+import com.nimbusds.jose.util.DefaultResourceRetriever;
+import com.nimbusds.jose.util.ResourceRetriever;
+import com.nimbusds.jwt.JWT;
+import com.nimbusds.jwt.JWTClaimsSet;
+import com.nimbusds.oauth2.sdk.AuthorizationGrant;
+import com.nimbusds.oauth2.sdk.ParseException;
+import com.nimbusds.oauth2.sdk.Scope;
+import com.nimbusds.oauth2.sdk.TokenErrorResponse;
+import com.nimbusds.oauth2.sdk.TokenRequest;
+import com.nimbusds.oauth2.sdk.TokenResponse;
+import com.nimbusds.oauth2.sdk.auth.ClientAuthentication;
+import com.nimbusds.oauth2.sdk.auth.ClientAuthenticationMethod;
+import com.nimbusds.oauth2.sdk.auth.ClientSecretBasic;
+import com.nimbusds.oauth2.sdk.auth.ClientSecretPost;
+import com.nimbusds.oauth2.sdk.auth.Secret;
+import com.nimbusds.oauth2.sdk.http.HTTPRequest;
+import com.nimbusds.oauth2.sdk.http.HTTPResponse;
+import com.nimbusds.oauth2.sdk.id.ClientID;
+import com.nimbusds.oauth2.sdk.token.BearerAccessToken;
+import com.nimbusds.openid.connect.sdk.OIDCScopeValue;
+import com.nimbusds.openid.connect.sdk.OIDCTokenResponse;
+import com.nimbusds.openid.connect.sdk.OIDCTokenResponseParser;
+import com.nimbusds.openid.connect.sdk.UserInfoErrorResponse;
+import com.nimbusds.openid.connect.sdk.UserInfoRequest;
+import com.nimbusds.openid.connect.sdk.UserInfoResponse;
+import com.nimbusds.openid.connect.sdk.UserInfoSuccessResponse;
+import com.nimbusds.openid.connect.sdk.claims.IDTokenClaimsSet;
+import com.nimbusds.openid.connect.sdk.op.OIDCProviderMetadata;
+import com.nimbusds.openid.connect.sdk.token.OIDCTokens;
+import com.nimbusds.openid.connect.sdk.validators.IDTokenValidator;
+import net.minidev.json.JSONObject;
+import org.apache.commons.lang3.StringUtils;
+import org.apache.nifi.util.FormatUtils;
+import org.apache.nifi.util.NiFiProperties;
+import org.apache.nifi.web.security.jwt.JwtService;
+import org.apache.nifi.web.security.token.LoginAuthenticationToken;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import java.io.IOException;
+import java.net.URI;
+import java.net.URL;
+import java.util.Calendar;
+import java.util.Date;
+import java.util.List;
+import java.util.concurrent.TimeUnit;
+
+import static 
com.nimbusds.openid.connect.sdk.claims.UserInfo.EMAIL_CLAIM_NAME;
+
+/**
+ * OidcProvider for managing the OpenId Connect Authorization flow.
+ */
+public class StandardOidcIdentityProvider implements OidcIdentityProvider {
+
+private static final Logger logger = 
LoggerFactory.getLogger(StandardOidcIdentityProvider.class);
+
+private NiFiProperties properties;
+private JwtService jwtService;
+private OIDCProviderMetadata oidcProviderMetadata;
+private int oidcConnectTimeout;
+private int oidcReadTimeout;
+private IDTokenValidator tokenValidator;
+private ClientID clientId;
+private Secret clientSecret;
+
+/**
+ * Creates a new StandardOidcIdentityProvider.
+ *
+ * @param jwtService jwt service
+ * @param properties properties
+ */
+public StandardOidcIdentityProvider(final JwtService jwtService, 

[jira] [Commented] (NIFI-4210) Add OpenId Connect support for authenticating users

2017-08-02 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/NIFI-4210?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16111453#comment-16111453
 ] 

ASF GitHub Bot commented on NIFI-4210:
--

Github user alopresto commented on a diff in the pull request:

https://github.com/apache/nifi/pull/2047#discussion_r130954077
  
--- Diff: pom.xml ---
@@ -95,7 +95,7 @@
 9.4.3.v20170317
 4.10.4
 4.2.4.RELEASE
-4.0.3.RELEASE
+4.2.3.RELEASE
--- End diff --

Any big changes in going from 4.0 to 4.2?




[jira] [Commented] (NIFI-4210) Add OpenId Connect support for authenticating users

2017-08-02 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/NIFI-4210?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16111436#comment-16111436
 ] 

ASF GitHub Bot commented on NIFI-4210:
--

Github user alopresto commented on a diff in the pull request:

https://github.com/apache/nifi/pull/2047#discussion_r130951566
  
--- Diff: 
nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/oidc/StandardOidcIdentityProvider.java
 ---
@@ -0,0 +1,339 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.nifi.web.security.oidc;
+
+import com.nimbusds.jose.JOSEException;
+import com.nimbusds.jose.JWSAlgorithm;
+import com.nimbusds.jose.proc.BadJOSEException;
+import com.nimbusds.jose.util.DefaultResourceRetriever;
+import com.nimbusds.jose.util.ResourceRetriever;
+import com.nimbusds.jwt.JWT;
+import com.nimbusds.jwt.JWTClaimsSet;
+import com.nimbusds.oauth2.sdk.AuthorizationGrant;
+import com.nimbusds.oauth2.sdk.ParseException;
+import com.nimbusds.oauth2.sdk.Scope;
+import com.nimbusds.oauth2.sdk.TokenErrorResponse;
+import com.nimbusds.oauth2.sdk.TokenRequest;
+import com.nimbusds.oauth2.sdk.TokenResponse;
+import com.nimbusds.oauth2.sdk.auth.ClientAuthentication;
+import com.nimbusds.oauth2.sdk.auth.ClientAuthenticationMethod;
+import com.nimbusds.oauth2.sdk.auth.ClientSecretBasic;
+import com.nimbusds.oauth2.sdk.auth.ClientSecretPost;
+import com.nimbusds.oauth2.sdk.auth.Secret;
+import com.nimbusds.oauth2.sdk.http.HTTPRequest;
+import com.nimbusds.oauth2.sdk.http.HTTPResponse;
+import com.nimbusds.oauth2.sdk.id.ClientID;
+import com.nimbusds.oauth2.sdk.token.BearerAccessToken;
+import com.nimbusds.openid.connect.sdk.OIDCScopeValue;
+import com.nimbusds.openid.connect.sdk.OIDCTokenResponse;
+import com.nimbusds.openid.connect.sdk.OIDCTokenResponseParser;
+import com.nimbusds.openid.connect.sdk.UserInfoErrorResponse;
+import com.nimbusds.openid.connect.sdk.UserInfoRequest;
+import com.nimbusds.openid.connect.sdk.UserInfoResponse;
+import com.nimbusds.openid.connect.sdk.UserInfoSuccessResponse;
+import com.nimbusds.openid.connect.sdk.claims.IDTokenClaimsSet;
+import com.nimbusds.openid.connect.sdk.op.OIDCProviderMetadata;
+import com.nimbusds.openid.connect.sdk.token.OIDCTokens;
+import com.nimbusds.openid.connect.sdk.validators.IDTokenValidator;
+import net.minidev.json.JSONObject;
+import org.apache.commons.lang3.StringUtils;
+import org.apache.nifi.util.FormatUtils;
+import org.apache.nifi.util.NiFiProperties;
+import org.apache.nifi.web.security.jwt.JwtService;
+import org.apache.nifi.web.security.token.LoginAuthenticationToken;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import java.io.IOException;
+import java.net.URI;
+import java.net.URL;
+import java.util.Calendar;
+import java.util.Date;
+import java.util.List;
+import java.util.concurrent.TimeUnit;
+
+import static 
com.nimbusds.openid.connect.sdk.claims.UserInfo.EMAIL_CLAIM_NAME;
+
+/**
+ * OidcProvider for managing the OpenId Connect Authorization flow.
+ */
+public class StandardOidcIdentityProvider implements OidcIdentityProvider {
+
+private static final Logger logger = 
LoggerFactory.getLogger(StandardOidcIdentityProvider.class);
+
+private NiFiProperties properties;
+private JwtService jwtService;
+private OIDCProviderMetadata oidcProviderMetadata;
+private int oidcConnectTimeout;
+private int oidcReadTimeout;
+private IDTokenValidator tokenValidator;
+private ClientID clientId;
+private Secret clientSecret;
+
+/**
+ * Creates a new StandardOidcIdentityProvider.
+ *
+ * @param jwtService jwt service
+ * @param properties properties
+ */
+public StandardOidcIdentityProvider(final JwtService jwtService, 

[GitHub] nifi pull request #2047: NIFI-4210: Add support for OpenId Connect

2017-08-02 Thread alopresto
Github user alopresto commented on a diff in the pull request:

https://github.com/apache/nifi/pull/2047#discussion_r130951566
  
--- Diff: 
nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/oidc/StandardOidcIdentityProvider.java
 ---
@@ -0,0 +1,339 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.nifi.web.security.oidc;
+
+import com.nimbusds.jose.JOSEException;
+import com.nimbusds.jose.JWSAlgorithm;
+import com.nimbusds.jose.proc.BadJOSEException;
+import com.nimbusds.jose.util.DefaultResourceRetriever;
+import com.nimbusds.jose.util.ResourceRetriever;
+import com.nimbusds.jwt.JWT;
+import com.nimbusds.jwt.JWTClaimsSet;
+import com.nimbusds.oauth2.sdk.AuthorizationGrant;
+import com.nimbusds.oauth2.sdk.ParseException;
+import com.nimbusds.oauth2.sdk.Scope;
+import com.nimbusds.oauth2.sdk.TokenErrorResponse;
+import com.nimbusds.oauth2.sdk.TokenRequest;
+import com.nimbusds.oauth2.sdk.TokenResponse;
+import com.nimbusds.oauth2.sdk.auth.ClientAuthentication;
+import com.nimbusds.oauth2.sdk.auth.ClientAuthenticationMethod;
+import com.nimbusds.oauth2.sdk.auth.ClientSecretBasic;
+import com.nimbusds.oauth2.sdk.auth.ClientSecretPost;
+import com.nimbusds.oauth2.sdk.auth.Secret;
+import com.nimbusds.oauth2.sdk.http.HTTPRequest;
+import com.nimbusds.oauth2.sdk.http.HTTPResponse;
+import com.nimbusds.oauth2.sdk.id.ClientID;
+import com.nimbusds.oauth2.sdk.token.BearerAccessToken;
+import com.nimbusds.openid.connect.sdk.OIDCScopeValue;
+import com.nimbusds.openid.connect.sdk.OIDCTokenResponse;
+import com.nimbusds.openid.connect.sdk.OIDCTokenResponseParser;
+import com.nimbusds.openid.connect.sdk.UserInfoErrorResponse;
+import com.nimbusds.openid.connect.sdk.UserInfoRequest;
+import com.nimbusds.openid.connect.sdk.UserInfoResponse;
+import com.nimbusds.openid.connect.sdk.UserInfoSuccessResponse;
+import com.nimbusds.openid.connect.sdk.claims.IDTokenClaimsSet;
+import com.nimbusds.openid.connect.sdk.op.OIDCProviderMetadata;
+import com.nimbusds.openid.connect.sdk.token.OIDCTokens;
+import com.nimbusds.openid.connect.sdk.validators.IDTokenValidator;
+import net.minidev.json.JSONObject;
+import org.apache.commons.lang3.StringUtils;
+import org.apache.nifi.util.FormatUtils;
+import org.apache.nifi.util.NiFiProperties;
+import org.apache.nifi.web.security.jwt.JwtService;
+import org.apache.nifi.web.security.token.LoginAuthenticationToken;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import java.io.IOException;
+import java.net.URI;
+import java.net.URL;
+import java.util.Calendar;
+import java.util.Date;
+import java.util.List;
+import java.util.concurrent.TimeUnit;
+
+import static 
com.nimbusds.openid.connect.sdk.claims.UserInfo.EMAIL_CLAIM_NAME;
+
+/**
+ * OidcProvider for managing the OpenId Connect Authorization flow.
+ */
+public class StandardOidcIdentityProvider implements OidcIdentityProvider {
+
+private static final Logger logger = 
LoggerFactory.getLogger(StandardOidcIdentityProvider.class);
+
+private NiFiProperties properties;
+private JwtService jwtService;
+private OIDCProviderMetadata oidcProviderMetadata;
+private int oidcConnectTimeout;
+private int oidcReadTimeout;
+private IDTokenValidator tokenValidator;
+private ClientID clientId;
+private Secret clientSecret;
+
+/**
+ * Creates a new StandardOidcIdentityProvider.
+ *
+ * @param jwtService jwt service
+ * @param properties properties
+ */
+public StandardOidcIdentityProvider(final JwtService jwtService, final 
NiFiProperties properties) {
+this.properties = properties;
+this.jwtService = jwtService;
+
+// attempt to process the oidc configuration if configured
+if 
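
Review bot: `properties` and `jwtService` are declared without `final` in the field block, yet the visible part of the constructor assigns each of them once (`this.properties = properties;`, `this.jwtService = jwtService;`). If nothing later in the file reassigns them, declare them `private final NiFiProperties properties;` and `private final JwtService jwtService;` so the injected dependencies cannot be swapped after construction and are safely published if the provider is shared across threads.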

[jira] [Commented] (NIFI-4210) Add OpenId Connect support for authenticating users

2017-08-02 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/NIFI-4210?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16111433#comment-16111433
 ] 

ASF GitHub Bot commented on NIFI-4210:
--

Github user alopresto commented on a diff in the pull request:

https://github.com/apache/nifi/pull/2047#discussion_r130951002
  
--- Diff: 
nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/oidc/StandardOidcIdentityProvider.java
 ---
@@ -0,0 +1,339 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.nifi.web.security.oidc;
+
+import com.nimbusds.jose.JOSEException;
+import com.nimbusds.jose.JWSAlgorithm;
+import com.nimbusds.jose.proc.BadJOSEException;
+import com.nimbusds.jose.util.DefaultResourceRetriever;
+import com.nimbusds.jose.util.ResourceRetriever;
+import com.nimbusds.jwt.JWT;
+import com.nimbusds.jwt.JWTClaimsSet;
+import com.nimbusds.oauth2.sdk.AuthorizationGrant;
+import com.nimbusds.oauth2.sdk.ParseException;
+import com.nimbusds.oauth2.sdk.Scope;
+import com.nimbusds.oauth2.sdk.TokenErrorResponse;
+import com.nimbusds.oauth2.sdk.TokenRequest;
+import com.nimbusds.oauth2.sdk.TokenResponse;
+import com.nimbusds.oauth2.sdk.auth.ClientAuthentication;
+import com.nimbusds.oauth2.sdk.auth.ClientAuthenticationMethod;
+import com.nimbusds.oauth2.sdk.auth.ClientSecretBasic;
+import com.nimbusds.oauth2.sdk.auth.ClientSecretPost;
+import com.nimbusds.oauth2.sdk.auth.Secret;
+import com.nimbusds.oauth2.sdk.http.HTTPRequest;
+import com.nimbusds.oauth2.sdk.http.HTTPResponse;
+import com.nimbusds.oauth2.sdk.id.ClientID;
+import com.nimbusds.oauth2.sdk.token.BearerAccessToken;
+import com.nimbusds.openid.connect.sdk.OIDCScopeValue;
+import com.nimbusds.openid.connect.sdk.OIDCTokenResponse;
+import com.nimbusds.openid.connect.sdk.OIDCTokenResponseParser;
+import com.nimbusds.openid.connect.sdk.UserInfoErrorResponse;
+import com.nimbusds.openid.connect.sdk.UserInfoRequest;
+import com.nimbusds.openid.connect.sdk.UserInfoResponse;
+import com.nimbusds.openid.connect.sdk.UserInfoSuccessResponse;
+import com.nimbusds.openid.connect.sdk.claims.IDTokenClaimsSet;
+import com.nimbusds.openid.connect.sdk.op.OIDCProviderMetadata;
+import com.nimbusds.openid.connect.sdk.token.OIDCTokens;
+import com.nimbusds.openid.connect.sdk.validators.IDTokenValidator;
+import net.minidev.json.JSONObject;
+import org.apache.commons.lang3.StringUtils;
+import org.apache.nifi.util.FormatUtils;
+import org.apache.nifi.util.NiFiProperties;
+import org.apache.nifi.web.security.jwt.JwtService;
+import org.apache.nifi.web.security.token.LoginAuthenticationToken;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import java.io.IOException;
+import java.net.URI;
+import java.net.URL;
+import java.util.Calendar;
+import java.util.Date;
+import java.util.List;
+import java.util.concurrent.TimeUnit;
+
+import static 
com.nimbusds.openid.connect.sdk.claims.UserInfo.EMAIL_CLAIM_NAME;
+
+/**
+ * OidcProvider for managing the OpenId Connect Authorization flow.
+ */
+public class StandardOidcIdentityProvider implements OidcIdentityProvider {
+
+private static final Logger logger = 
LoggerFactory.getLogger(StandardOidcIdentityProvider.class);
+
+private NiFiProperties properties;
+private JwtService jwtService;
+private OIDCProviderMetadata oidcProviderMetadata;
+private int oidcConnectTimeout;
+private int oidcReadTimeout;
+private IDTokenValidator tokenValidator;
+private ClientID clientId;
+private Secret clientSecret;
+
+/**
+ * Creates a new StandardOidcIdentityProvider.
+ *
+ * @param jwtService jwt service
+ * @param properties properties
+ */
+public StandardOidcIdentityProvider(final JwtService jwtService, 

[GitHub] nifi pull request #2047: NIFI-4210: Add support for OpenId Connect

2017-08-02 Thread alopresto
Github user alopresto commented on a diff in the pull request:

https://github.com/apache/nifi/pull/2047#discussion_r130951002
  
--- Diff: 
nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/oidc/StandardOidcIdentityProvider.java
 ---
@@ -0,0 +1,339 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.nifi.web.security.oidc;
+
+import com.nimbusds.jose.JOSEException;
+import com.nimbusds.jose.JWSAlgorithm;
+import com.nimbusds.jose.proc.BadJOSEException;
+import com.nimbusds.jose.util.DefaultResourceRetriever;
+import com.nimbusds.jose.util.ResourceRetriever;
+import com.nimbusds.jwt.JWT;
+import com.nimbusds.jwt.JWTClaimsSet;
+import com.nimbusds.oauth2.sdk.AuthorizationGrant;
+import com.nimbusds.oauth2.sdk.ParseException;
+import com.nimbusds.oauth2.sdk.Scope;
+import com.nimbusds.oauth2.sdk.TokenErrorResponse;
+import com.nimbusds.oauth2.sdk.TokenRequest;
+import com.nimbusds.oauth2.sdk.TokenResponse;
+import com.nimbusds.oauth2.sdk.auth.ClientAuthentication;
+import com.nimbusds.oauth2.sdk.auth.ClientAuthenticationMethod;
+import com.nimbusds.oauth2.sdk.auth.ClientSecretBasic;
+import com.nimbusds.oauth2.sdk.auth.ClientSecretPost;
+import com.nimbusds.oauth2.sdk.auth.Secret;
+import com.nimbusds.oauth2.sdk.http.HTTPRequest;
+import com.nimbusds.oauth2.sdk.http.HTTPResponse;
+import com.nimbusds.oauth2.sdk.id.ClientID;
+import com.nimbusds.oauth2.sdk.token.BearerAccessToken;
+import com.nimbusds.openid.connect.sdk.OIDCScopeValue;
+import com.nimbusds.openid.connect.sdk.OIDCTokenResponse;
+import com.nimbusds.openid.connect.sdk.OIDCTokenResponseParser;
+import com.nimbusds.openid.connect.sdk.UserInfoErrorResponse;
+import com.nimbusds.openid.connect.sdk.UserInfoRequest;
+import com.nimbusds.openid.connect.sdk.UserInfoResponse;
+import com.nimbusds.openid.connect.sdk.UserInfoSuccessResponse;
+import com.nimbusds.openid.connect.sdk.claims.IDTokenClaimsSet;
+import com.nimbusds.openid.connect.sdk.op.OIDCProviderMetadata;
+import com.nimbusds.openid.connect.sdk.token.OIDCTokens;
+import com.nimbusds.openid.connect.sdk.validators.IDTokenValidator;
+import net.minidev.json.JSONObject;
+import org.apache.commons.lang3.StringUtils;
+import org.apache.nifi.util.FormatUtils;
+import org.apache.nifi.util.NiFiProperties;
+import org.apache.nifi.web.security.jwt.JwtService;
+import org.apache.nifi.web.security.token.LoginAuthenticationToken;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import java.io.IOException;
+import java.net.URI;
+import java.net.URL;
+import java.util.Calendar;
+import java.util.Date;
+import java.util.List;
+import java.util.concurrent.TimeUnit;
+
+import static 
com.nimbusds.openid.connect.sdk.claims.UserInfo.EMAIL_CLAIM_NAME;
+
+/**
+ * OidcProvider for managing the OpenId Connect Authorization flow.
+ */
+public class StandardOidcIdentityProvider implements OidcIdentityProvider {
+
+private static final Logger logger = 
LoggerFactory.getLogger(StandardOidcIdentityProvider.class);
+
+private NiFiProperties properties;
+private JwtService jwtService;
+private OIDCProviderMetadata oidcProviderMetadata;
+private int oidcConnectTimeout;
+private int oidcReadTimeout;
+private IDTokenValidator tokenValidator;
+private ClientID clientId;
+private Secret clientSecret;
+
+/**
+ * Creates a new StandardOidcIdentityProvider.
+ *
+ * @param jwtService jwt service
+ * @param properties properties
+ */
+public StandardOidcIdentityProvider(final JwtService jwtService, final 
NiFiProperties properties) {
+this.properties = properties;
+this.jwtService = jwtService;
+
+// attempt to process the oidc configuration if configured
+if 
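
Review bot: the constructor Javadoc only restates the parameter names (`@param jwtService jwt service`, `@param properties properties`), while the comment in the body says the constructor will "attempt to process the oidc configuration if configured". The Javadoc should state what state the provider is left in when OIDC is not configured and what the caller sees when processing the configuration fails, so callers know whether the instance is usable.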

[jira] [Commented] (NIFI-4210) Add OpenId Connect support for authenticating users

2017-08-02 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/NIFI-4210?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16111380#comment-16111380
 ] 

ASF GitHub Bot commented on NIFI-4210:
--

Github user mcgilman commented on a diff in the pull request:

https://github.com/apache/nifi/pull/2047#discussion_r130943341
  
--- Diff: 
nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/oidc/StandardOidcIdentityProvider.java
 ---
@@ -0,0 +1,339 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.nifi.web.security.oidc;
+
+import com.nimbusds.jose.JOSEException;
+import com.nimbusds.jose.JWSAlgorithm;
+import com.nimbusds.jose.proc.BadJOSEException;
+import com.nimbusds.jose.util.DefaultResourceRetriever;
+import com.nimbusds.jose.util.ResourceRetriever;
+import com.nimbusds.jwt.JWT;
+import com.nimbusds.jwt.JWTClaimsSet;
+import com.nimbusds.oauth2.sdk.AuthorizationGrant;
+import com.nimbusds.oauth2.sdk.ParseException;
+import com.nimbusds.oauth2.sdk.Scope;
+import com.nimbusds.oauth2.sdk.TokenErrorResponse;
+import com.nimbusds.oauth2.sdk.TokenRequest;
+import com.nimbusds.oauth2.sdk.TokenResponse;
+import com.nimbusds.oauth2.sdk.auth.ClientAuthentication;
+import com.nimbusds.oauth2.sdk.auth.ClientAuthenticationMethod;
+import com.nimbusds.oauth2.sdk.auth.ClientSecretBasic;
+import com.nimbusds.oauth2.sdk.auth.ClientSecretPost;
+import com.nimbusds.oauth2.sdk.auth.Secret;
+import com.nimbusds.oauth2.sdk.http.HTTPRequest;
+import com.nimbusds.oauth2.sdk.http.HTTPResponse;
+import com.nimbusds.oauth2.sdk.id.ClientID;
+import com.nimbusds.oauth2.sdk.token.BearerAccessToken;
+import com.nimbusds.openid.connect.sdk.OIDCScopeValue;
+import com.nimbusds.openid.connect.sdk.OIDCTokenResponse;
+import com.nimbusds.openid.connect.sdk.OIDCTokenResponseParser;
+import com.nimbusds.openid.connect.sdk.UserInfoErrorResponse;
+import com.nimbusds.openid.connect.sdk.UserInfoRequest;
+import com.nimbusds.openid.connect.sdk.UserInfoResponse;
+import com.nimbusds.openid.connect.sdk.UserInfoSuccessResponse;
+import com.nimbusds.openid.connect.sdk.claims.IDTokenClaimsSet;
+import com.nimbusds.openid.connect.sdk.op.OIDCProviderMetadata;
+import com.nimbusds.openid.connect.sdk.token.OIDCTokens;
+import com.nimbusds.openid.connect.sdk.validators.IDTokenValidator;
+import net.minidev.json.JSONObject;
+import org.apache.commons.lang3.StringUtils;
+import org.apache.nifi.util.FormatUtils;
+import org.apache.nifi.util.NiFiProperties;
+import org.apache.nifi.web.security.jwt.JwtService;
+import org.apache.nifi.web.security.token.LoginAuthenticationToken;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import java.io.IOException;
+import java.net.URI;
+import java.net.URL;
+import java.util.Calendar;
+import java.util.Date;
+import java.util.List;
+import java.util.concurrent.TimeUnit;
+
+import static 
com.nimbusds.openid.connect.sdk.claims.UserInfo.EMAIL_CLAIM_NAME;
+
+/**
+ * OidcProvider for managing the OpenId Connect Authorization flow.
+ */
+public class StandardOidcIdentityProvider implements OidcIdentityProvider {
+
+private static final Logger logger = 
LoggerFactory.getLogger(StandardOidcIdentityProvider.class);
+
+private NiFiProperties properties;
+private JwtService jwtService;
+private OIDCProviderMetadata oidcProviderMetadata;
+private int oidcConnectTimeout;
+private int oidcReadTimeout;
+private IDTokenValidator tokenValidator;
+private ClientID clientId;
+private Secret clientSecret;
+
+/**
+ * Creates a new StandardOidcIdentityProvider.
+ *
+ * @param jwtService jwt service
+ * @param properties properties
+ */
+public StandardOidcIdentityProvider(final JwtService jwtService, 
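
Review bot: the `oidcConnectTimeout` and `oidcReadTimeout` fields are plain `int`s with no unit in the name or in a comment. The `TimeUnit` and `FormatUtils` imports above suggest a conversion happens somewhere; state the unit on the fields themselves (a one-line comment or a suffix in the name) so a later change cannot pass seconds where milliseconds are expected, or the reverse.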

[GitHub] nifi pull request #2047: NIFI-4210: Add support for OpenId Connect

2017-08-02 Thread mcgilman
Github user mcgilman commented on a diff in the pull request:

https://github.com/apache/nifi/pull/2047#discussion_r130943341
  
--- Diff: 
nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/oidc/StandardOidcIdentityProvider.java
 ---
@@ -0,0 +1,339 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.nifi.web.security.oidc;
+
+import com.nimbusds.jose.JOSEException;
+import com.nimbusds.jose.JWSAlgorithm;
+import com.nimbusds.jose.proc.BadJOSEException;
+import com.nimbusds.jose.util.DefaultResourceRetriever;
+import com.nimbusds.jose.util.ResourceRetriever;
+import com.nimbusds.jwt.JWT;
+import com.nimbusds.jwt.JWTClaimsSet;
+import com.nimbusds.oauth2.sdk.AuthorizationGrant;
+import com.nimbusds.oauth2.sdk.ParseException;
+import com.nimbusds.oauth2.sdk.Scope;
+import com.nimbusds.oauth2.sdk.TokenErrorResponse;
+import com.nimbusds.oauth2.sdk.TokenRequest;
+import com.nimbusds.oauth2.sdk.TokenResponse;
+import com.nimbusds.oauth2.sdk.auth.ClientAuthentication;
+import com.nimbusds.oauth2.sdk.auth.ClientAuthenticationMethod;
+import com.nimbusds.oauth2.sdk.auth.ClientSecretBasic;
+import com.nimbusds.oauth2.sdk.auth.ClientSecretPost;
+import com.nimbusds.oauth2.sdk.auth.Secret;
+import com.nimbusds.oauth2.sdk.http.HTTPRequest;
+import com.nimbusds.oauth2.sdk.http.HTTPResponse;
+import com.nimbusds.oauth2.sdk.id.ClientID;
+import com.nimbusds.oauth2.sdk.token.BearerAccessToken;
+import com.nimbusds.openid.connect.sdk.OIDCScopeValue;
+import com.nimbusds.openid.connect.sdk.OIDCTokenResponse;
+import com.nimbusds.openid.connect.sdk.OIDCTokenResponseParser;
+import com.nimbusds.openid.connect.sdk.UserInfoErrorResponse;
+import com.nimbusds.openid.connect.sdk.UserInfoRequest;
+import com.nimbusds.openid.connect.sdk.UserInfoResponse;
+import com.nimbusds.openid.connect.sdk.UserInfoSuccessResponse;
+import com.nimbusds.openid.connect.sdk.claims.IDTokenClaimsSet;
+import com.nimbusds.openid.connect.sdk.op.OIDCProviderMetadata;
+import com.nimbusds.openid.connect.sdk.token.OIDCTokens;
+import com.nimbusds.openid.connect.sdk.validators.IDTokenValidator;
+import net.minidev.json.JSONObject;
+import org.apache.commons.lang3.StringUtils;
+import org.apache.nifi.util.FormatUtils;
+import org.apache.nifi.util.NiFiProperties;
+import org.apache.nifi.web.security.jwt.JwtService;
+import org.apache.nifi.web.security.token.LoginAuthenticationToken;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import java.io.IOException;
+import java.net.URI;
+import java.net.URL;
+import java.util.Calendar;
+import java.util.Date;
+import java.util.List;
+import java.util.concurrent.TimeUnit;
+
+import static 
com.nimbusds.openid.connect.sdk.claims.UserInfo.EMAIL_CLAIM_NAME;
+
+/**
+ * OidcProvider for managing the OpenId Connect Authorization flow.
+ */
+public class StandardOidcIdentityProvider implements OidcIdentityProvider {
+
+private static final Logger logger = 
LoggerFactory.getLogger(StandardOidcIdentityProvider.class);
+
+private NiFiProperties properties;
+private JwtService jwtService;
+private OIDCProviderMetadata oidcProviderMetadata;
+private int oidcConnectTimeout;
+private int oidcReadTimeout;
+private IDTokenValidator tokenValidator;
+private ClientID clientId;
+private Secret clientSecret;
+
+/**
+ * Creates a new StandardOidcIdentityProvider.
+ *
+ * @param jwtService jwt service
+ * @param properties properties
+ */
+public StandardOidcIdentityProvider(final JwtService jwtService, final 
NiFiProperties properties) {
+this.properties = properties;
+this.jwtService = jwtService;
+
+// attempt to process the oidc configuration if configured
+if 

[jira] [Commented] (NIFI-4210) Add OpenId Connect support for authenticating users

2017-08-02 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/NIFI-4210?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16111360#comment-16111360
 ] 

ASF GitHub Bot commented on NIFI-4210:
--

Github user alopresto commented on a diff in the pull request:

https://github.com/apache/nifi/pull/2047#discussion_r130940968
  
--- Diff: 
nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/oidc/StandardOidcIdentityProvider.java
 ---
@@ -0,0 +1,339 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.nifi.web.security.oidc;
+
+import com.nimbusds.jose.JOSEException;
+import com.nimbusds.jose.JWSAlgorithm;
+import com.nimbusds.jose.proc.BadJOSEException;
+import com.nimbusds.jose.util.DefaultResourceRetriever;
+import com.nimbusds.jose.util.ResourceRetriever;
+import com.nimbusds.jwt.JWT;
+import com.nimbusds.jwt.JWTClaimsSet;
+import com.nimbusds.oauth2.sdk.AuthorizationGrant;
+import com.nimbusds.oauth2.sdk.ParseException;
+import com.nimbusds.oauth2.sdk.Scope;
+import com.nimbusds.oauth2.sdk.TokenErrorResponse;
+import com.nimbusds.oauth2.sdk.TokenRequest;
+import com.nimbusds.oauth2.sdk.TokenResponse;
+import com.nimbusds.oauth2.sdk.auth.ClientAuthentication;
+import com.nimbusds.oauth2.sdk.auth.ClientAuthenticationMethod;
+import com.nimbusds.oauth2.sdk.auth.ClientSecretBasic;
+import com.nimbusds.oauth2.sdk.auth.ClientSecretPost;
+import com.nimbusds.oauth2.sdk.auth.Secret;
+import com.nimbusds.oauth2.sdk.http.HTTPRequest;
+import com.nimbusds.oauth2.sdk.http.HTTPResponse;
+import com.nimbusds.oauth2.sdk.id.ClientID;
+import com.nimbusds.oauth2.sdk.token.BearerAccessToken;
+import com.nimbusds.openid.connect.sdk.OIDCScopeValue;
+import com.nimbusds.openid.connect.sdk.OIDCTokenResponse;
+import com.nimbusds.openid.connect.sdk.OIDCTokenResponseParser;
+import com.nimbusds.openid.connect.sdk.UserInfoErrorResponse;
+import com.nimbusds.openid.connect.sdk.UserInfoRequest;
+import com.nimbusds.openid.connect.sdk.UserInfoResponse;
+import com.nimbusds.openid.connect.sdk.UserInfoSuccessResponse;
+import com.nimbusds.openid.connect.sdk.claims.IDTokenClaimsSet;
+import com.nimbusds.openid.connect.sdk.op.OIDCProviderMetadata;
+import com.nimbusds.openid.connect.sdk.token.OIDCTokens;
+import com.nimbusds.openid.connect.sdk.validators.IDTokenValidator;
+import net.minidev.json.JSONObject;
+import org.apache.commons.lang3.StringUtils;
+import org.apache.nifi.util.FormatUtils;
+import org.apache.nifi.util.NiFiProperties;
+import org.apache.nifi.web.security.jwt.JwtService;
+import org.apache.nifi.web.security.token.LoginAuthenticationToken;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import java.io.IOException;
+import java.net.URI;
+import java.net.URL;
+import java.util.Calendar;
+import java.util.Date;
+import java.util.List;
+import java.util.concurrent.TimeUnit;
+
+import static 
com.nimbusds.openid.connect.sdk.claims.UserInfo.EMAIL_CLAIM_NAME;
+
+/**
+ * OidcProvider for managing the OpenId Connect Authorization flow.
+ */
+public class StandardOidcIdentityProvider implements OidcIdentityProvider {
+
+private static final Logger logger = 
LoggerFactory.getLogger(StandardOidcIdentityProvider.class);
+
+private NiFiProperties properties;
+private JwtService jwtService;
+private OIDCProviderMetadata oidcProviderMetadata;
+private int oidcConnectTimeout;
+private int oidcReadTimeout;
+private IDTokenValidator tokenValidator;
+private ClientID clientId;
+private Secret clientSecret;
+
+/**
+ * Creates a new StandardOidcIdentityProvider.
+ *
+ * @param jwtService jwt service
+ * @param properties properties
+ */
+public StandardOidcIdentityProvider(final JwtService jwtService, 
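
Review bot: the class Javadoc calls this an "OidcProvider", but the type is `StandardOidcIdentityProvider` implementing `OidcIdentityProvider`, and with `clientId` and `clientSecret` fields it is the client side of the exchange, not the remote OpenID Provider that "OidcProvider" suggests. Name the class as declared, use the specification's spelling "OpenID Connect", and say which steps it performs; the imports (`TokenRequest`, `IDTokenValidator`, `UserInfoRequest`) indicate there are several.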

[GitHub] nifi pull request #2047: NIFI-4210: Add support for OpenId Connect

2017-08-02 Thread alopresto
Github user alopresto commented on a diff in the pull request:

https://github.com/apache/nifi/pull/2047#discussion_r130940968
  
--- Diff: 
nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/oidc/StandardOidcIdentityProvider.java
 ---
@@ -0,0 +1,339 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.nifi.web.security.oidc;
+
+import com.nimbusds.jose.JOSEException;
+import com.nimbusds.jose.JWSAlgorithm;
+import com.nimbusds.jose.proc.BadJOSEException;
+import com.nimbusds.jose.util.DefaultResourceRetriever;
+import com.nimbusds.jose.util.ResourceRetriever;
+import com.nimbusds.jwt.JWT;
+import com.nimbusds.jwt.JWTClaimsSet;
+import com.nimbusds.oauth2.sdk.AuthorizationGrant;
+import com.nimbusds.oauth2.sdk.ParseException;
+import com.nimbusds.oauth2.sdk.Scope;
+import com.nimbusds.oauth2.sdk.TokenErrorResponse;
+import com.nimbusds.oauth2.sdk.TokenRequest;
+import com.nimbusds.oauth2.sdk.TokenResponse;
+import com.nimbusds.oauth2.sdk.auth.ClientAuthentication;
+import com.nimbusds.oauth2.sdk.auth.ClientAuthenticationMethod;
+import com.nimbusds.oauth2.sdk.auth.ClientSecretBasic;
+import com.nimbusds.oauth2.sdk.auth.ClientSecretPost;
+import com.nimbusds.oauth2.sdk.auth.Secret;
+import com.nimbusds.oauth2.sdk.http.HTTPRequest;
+import com.nimbusds.oauth2.sdk.http.HTTPResponse;
+import com.nimbusds.oauth2.sdk.id.ClientID;
+import com.nimbusds.oauth2.sdk.token.BearerAccessToken;
+import com.nimbusds.openid.connect.sdk.OIDCScopeValue;
+import com.nimbusds.openid.connect.sdk.OIDCTokenResponse;
+import com.nimbusds.openid.connect.sdk.OIDCTokenResponseParser;
+import com.nimbusds.openid.connect.sdk.UserInfoErrorResponse;
+import com.nimbusds.openid.connect.sdk.UserInfoRequest;
+import com.nimbusds.openid.connect.sdk.UserInfoResponse;
+import com.nimbusds.openid.connect.sdk.UserInfoSuccessResponse;
+import com.nimbusds.openid.connect.sdk.claims.IDTokenClaimsSet;
+import com.nimbusds.openid.connect.sdk.op.OIDCProviderMetadata;
+import com.nimbusds.openid.connect.sdk.token.OIDCTokens;
+import com.nimbusds.openid.connect.sdk.validators.IDTokenValidator;
+import net.minidev.json.JSONObject;
+import org.apache.commons.lang3.StringUtils;
+import org.apache.nifi.util.FormatUtils;
+import org.apache.nifi.util.NiFiProperties;
+import org.apache.nifi.web.security.jwt.JwtService;
+import org.apache.nifi.web.security.token.LoginAuthenticationToken;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import java.io.IOException;
+import java.net.URI;
+import java.net.URL;
+import java.util.Calendar;
+import java.util.Date;
+import java.util.List;
+import java.util.concurrent.TimeUnit;
+
+import static 
com.nimbusds.openid.connect.sdk.claims.UserInfo.EMAIL_CLAIM_NAME;
+
+/**
+ * OidcProvider for managing the OpenId Connect Authorization flow.
+ */
+public class StandardOidcIdentityProvider implements OidcIdentityProvider {
+
+private static final Logger logger = 
LoggerFactory.getLogger(StandardOidcIdentityProvider.class);
+
+private NiFiProperties properties;
+private JwtService jwtService;
+private OIDCProviderMetadata oidcProviderMetadata;
+private int oidcConnectTimeout;
+private int oidcReadTimeout;
+private IDTokenValidator tokenValidator;
+private ClientID clientId;
+private Secret clientSecret;
+
+/**
+ * Creates a new StandardOidcIdentityProvider.
+ *
+ * @param jwtService jwt service
+ * @param properties properties
+ */
+public StandardOidcIdentityProvider(final JwtService jwtService, final 
NiFiProperties properties) {
+this.properties = properties;
+this.jwtService = jwtService;
+
+// attempt to process the oidc configuration if configured
+if 
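
Review bot: The constructor runs the OIDC setup itself (the `// attempt to process the oidc configuration if configured` step right after the two field assignments), so any failure in that step surfaces as a failure to construct the object. Given the `oidcConnectTimeout` / `oidcReadTimeout` fields and the `DefaultResourceRetriever` import, that step appears to involve a remote fetch; if so, consider moving it into a separate initialization method so a slow or unreachable provider produces a clear, logged configuration error rather than a constructor exception.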

[jira] [Commented] (NIFI-4210) Add OpenId Connect support for authenticating users

2017-08-02 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/NIFI-4210?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16111344#comment-16111344
 ] 

ASF GitHub Bot commented on NIFI-4210:
--

Github user alopresto commented on a diff in the pull request:

https://github.com/apache/nifi/pull/2047#discussion_r130939060
  
--- Diff: 
nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/oidc/StandardOidcIdentityProvider.java
 ---
@@ -0,0 +1,339 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.nifi.web.security.oidc;
+
+import com.nimbusds.jose.JOSEException;
+import com.nimbusds.jose.JWSAlgorithm;
+import com.nimbusds.jose.proc.BadJOSEException;
+import com.nimbusds.jose.util.DefaultResourceRetriever;
+import com.nimbusds.jose.util.ResourceRetriever;
+import com.nimbusds.jwt.JWT;
+import com.nimbusds.jwt.JWTClaimsSet;
+import com.nimbusds.oauth2.sdk.AuthorizationGrant;
+import com.nimbusds.oauth2.sdk.ParseException;
+import com.nimbusds.oauth2.sdk.Scope;
+import com.nimbusds.oauth2.sdk.TokenErrorResponse;
+import com.nimbusds.oauth2.sdk.TokenRequest;
+import com.nimbusds.oauth2.sdk.TokenResponse;
+import com.nimbusds.oauth2.sdk.auth.ClientAuthentication;
+import com.nimbusds.oauth2.sdk.auth.ClientAuthenticationMethod;
+import com.nimbusds.oauth2.sdk.auth.ClientSecretBasic;
+import com.nimbusds.oauth2.sdk.auth.ClientSecretPost;
+import com.nimbusds.oauth2.sdk.auth.Secret;
+import com.nimbusds.oauth2.sdk.http.HTTPRequest;
+import com.nimbusds.oauth2.sdk.http.HTTPResponse;
+import com.nimbusds.oauth2.sdk.id.ClientID;
+import com.nimbusds.oauth2.sdk.token.BearerAccessToken;
+import com.nimbusds.openid.connect.sdk.OIDCScopeValue;
+import com.nimbusds.openid.connect.sdk.OIDCTokenResponse;
+import com.nimbusds.openid.connect.sdk.OIDCTokenResponseParser;
+import com.nimbusds.openid.connect.sdk.UserInfoErrorResponse;
+import com.nimbusds.openid.connect.sdk.UserInfoRequest;
+import com.nimbusds.openid.connect.sdk.UserInfoResponse;
+import com.nimbusds.openid.connect.sdk.UserInfoSuccessResponse;
+import com.nimbusds.openid.connect.sdk.claims.IDTokenClaimsSet;
+import com.nimbusds.openid.connect.sdk.op.OIDCProviderMetadata;
+import com.nimbusds.openid.connect.sdk.token.OIDCTokens;
+import com.nimbusds.openid.connect.sdk.validators.IDTokenValidator;
+import net.minidev.json.JSONObject;
+import org.apache.commons.lang3.StringUtils;
+import org.apache.nifi.util.FormatUtils;
+import org.apache.nifi.util.NiFiProperties;
+import org.apache.nifi.web.security.jwt.JwtService;
+import org.apache.nifi.web.security.token.LoginAuthenticationToken;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import java.io.IOException;
+import java.net.URI;
+import java.net.URL;
+import java.util.Calendar;
+import java.util.Date;
+import java.util.List;
+import java.util.concurrent.TimeUnit;
+
+import static 
com.nimbusds.openid.connect.sdk.claims.UserInfo.EMAIL_CLAIM_NAME;
+
+/**
+ * OidcProvider for managing the OpenId Connect Authorization flow.
+ */
+public class StandardOidcIdentityProvider implements OidcIdentityProvider {
+
+private static final Logger logger = 
LoggerFactory.getLogger(StandardOidcIdentityProvider.class);
+
+private NiFiProperties properties;
+private JwtService jwtService;
+private OIDCProviderMetadata oidcProviderMetadata;
+private int oidcConnectTimeout;
+private int oidcReadTimeout;
+private IDTokenValidator tokenValidator;
+private ClientID clientId;
+private Secret clientSecret;
+
+/**
+ * Creates a new StandardOidcIdentityProvider.
+ *
+ * @param jwtService jwt service
+ * @param properties properties
+ */
+public StandardOidcIdentityProvider(final JwtService jwtService, 
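
Review bot: The field block above the constructor declares `properties`, `jwtService`, `tokenValidator`, `clientId` and `clientSecret` as plain mutable `private` fields. For a class that holds the client secret and the ID token validator, mark whatever is assigned only during construction as `final` so the authentication configuration cannot be swapped after startup; anything that has to be set later deserves a comment saying why.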

[GitHub] nifi pull request #2047: NIFI-4210: Add support for OpenId Connect

2017-08-02 Thread alopresto
Github user alopresto commented on a diff in the pull request:

https://github.com/apache/nifi/pull/2047#discussion_r130939060
  
--- Diff: 
nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/oidc/StandardOidcIdentityProvider.java
 ---
@@ -0,0 +1,339 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.nifi.web.security.oidc;
+
+import com.nimbusds.jose.JOSEException;
+import com.nimbusds.jose.JWSAlgorithm;
+import com.nimbusds.jose.proc.BadJOSEException;
+import com.nimbusds.jose.util.DefaultResourceRetriever;
+import com.nimbusds.jose.util.ResourceRetriever;
+import com.nimbusds.jwt.JWT;
+import com.nimbusds.jwt.JWTClaimsSet;
+import com.nimbusds.oauth2.sdk.AuthorizationGrant;
+import com.nimbusds.oauth2.sdk.ParseException;
+import com.nimbusds.oauth2.sdk.Scope;
+import com.nimbusds.oauth2.sdk.TokenErrorResponse;
+import com.nimbusds.oauth2.sdk.TokenRequest;
+import com.nimbusds.oauth2.sdk.TokenResponse;
+import com.nimbusds.oauth2.sdk.auth.ClientAuthentication;
+import com.nimbusds.oauth2.sdk.auth.ClientAuthenticationMethod;
+import com.nimbusds.oauth2.sdk.auth.ClientSecretBasic;
+import com.nimbusds.oauth2.sdk.auth.ClientSecretPost;
+import com.nimbusds.oauth2.sdk.auth.Secret;
+import com.nimbusds.oauth2.sdk.http.HTTPRequest;
+import com.nimbusds.oauth2.sdk.http.HTTPResponse;
+import com.nimbusds.oauth2.sdk.id.ClientID;
+import com.nimbusds.oauth2.sdk.token.BearerAccessToken;
+import com.nimbusds.openid.connect.sdk.OIDCScopeValue;
+import com.nimbusds.openid.connect.sdk.OIDCTokenResponse;
+import com.nimbusds.openid.connect.sdk.OIDCTokenResponseParser;
+import com.nimbusds.openid.connect.sdk.UserInfoErrorResponse;
+import com.nimbusds.openid.connect.sdk.UserInfoRequest;
+import com.nimbusds.openid.connect.sdk.UserInfoResponse;
+import com.nimbusds.openid.connect.sdk.UserInfoSuccessResponse;
+import com.nimbusds.openid.connect.sdk.claims.IDTokenClaimsSet;
+import com.nimbusds.openid.connect.sdk.op.OIDCProviderMetadata;
+import com.nimbusds.openid.connect.sdk.token.OIDCTokens;
+import com.nimbusds.openid.connect.sdk.validators.IDTokenValidator;
+import net.minidev.json.JSONObject;
+import org.apache.commons.lang3.StringUtils;
+import org.apache.nifi.util.FormatUtils;
+import org.apache.nifi.util.NiFiProperties;
+import org.apache.nifi.web.security.jwt.JwtService;
+import org.apache.nifi.web.security.token.LoginAuthenticationToken;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import java.io.IOException;
+import java.net.URI;
+import java.net.URL;
+import java.util.Calendar;
+import java.util.Date;
+import java.util.List;
+import java.util.concurrent.TimeUnit;
+
+import static 
com.nimbusds.openid.connect.sdk.claims.UserInfo.EMAIL_CLAIM_NAME;
+
+/**
+ * OidcProvider for managing the OpenId Connect Authorization flow.
+ */
+public class StandardOidcIdentityProvider implements OidcIdentityProvider {
+
+private static final Logger logger = 
LoggerFactory.getLogger(StandardOidcIdentityProvider.class);
+
+private NiFiProperties properties;
+private JwtService jwtService;
+private OIDCProviderMetadata oidcProviderMetadata;
+private int oidcConnectTimeout;
+private int oidcReadTimeout;
+private IDTokenValidator tokenValidator;
+private ClientID clientId;
+private Secret clientSecret;
+
+/**
+ * Creates a new StandardOidcIdentityProvider.
+ *
+ * @param jwtService jwt service
+ * @param properties properties
+ */
+public StandardOidcIdentityProvider(final JwtService jwtService, final 
NiFiProperties properties) {
+this.properties = properties;
+this.jwtService = jwtService;
+
+// attempt to process the oidc configuration if configured
+if 
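
Review bot: The class Javadoc calls this "OidcProvider", but the type is `StandardOidcIdentityProvider` implementing `OidcIdentityProvider`, and the constructor Javadoc (`@param jwtService jwt service`, `@param properties properties`) only restates the parameter names. Suggest naming the interface in the class comment and documenting which NiFi properties the constructor reads and what happens when OIDC is not configured.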

[jira] [Commented] (NIFI-4024) Create EvaluateRecordPath processor

2017-08-02 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/NIFI-4024?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=1669#comment-1669
 ] 

ASF GitHub Bot commented on NIFI-4024:
--

Github user MikeThomsen commented on the issue:

https://github.com/apache/nifi/pull/1961
  
@bbende Done.


> Create EvaluateRecordPath processor
> ---
>
> Key: NIFI-4024
> URL: https://issues.apache.org/jira/browse/NIFI-4024
> Project: Apache NiFi
>  Issue Type: New Feature
>Reporter: Steve Champagne
>Priority: Minor
>
> With the new RecordPath DSL, it would be nice if there was a processor that 
> could pull fields into attributes of the flowfile based on a RecordPath. This 
> would be similar to the EvaluateJsonPath processor that currently exists, 
> except it could be used to pull fields from arbitrary record formats. My 
> current use case for it would be pulling fields out of Avro records while 
> skipping the steps of having to convert Avro to JSON, evaluate JsonPath, and 
> then converting back to Avro. 



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)


[GitHub] nifi issue #1961: NIFI-4024 Added org.apache.nifi.hbase.PutHBaseRecord

2017-08-02 Thread MikeThomsen
Github user MikeThomsen commented on the issue:

https://github.com/apache/nifi/pull/1961
  
@bbende Done.




[GitHub] nifi-minifi-cpp issue #123: MINIFI-363: Set format macro declaration to avoi...

2017-08-02 Thread benqiu2016
Github user benqiu2016 commented on the issue:

https://github.com/apache/nifi-minifi-cpp/pull/123
  
@phrocker the CI build is failing.




[GitHub] nifi-minifi-cpp pull request #118: MINIFI-311 Move to alpine base for docker...

2017-08-02 Thread asfgit
Github user asfgit closed the pull request at:

https://github.com/apache/nifi-minifi-cpp/pull/118




[GitHub] nifi-minifi-cpp issue #118: MINIFI-311 Move to alpine base for docker image.

2017-08-02 Thread apiri
Github user apiri commented on the issue:

https://github.com/apache/nifi-minifi-cpp/pull/118
  
hey @achristianson,

everything looks good here. will get this merged in.  thanks for your 
adjustments!




[GitHub] nifi-minifi-cpp issue #118: MINIFI-311 Move to alpine base for docker image.

2017-08-02 Thread apiri
Github user apiri commented on the issue:

https://github.com/apache/nifi-minifi-cpp/pull/118
  
reviewing changes




[GitHub] nifi pull request #2047: NIFI-4210: Add support for OpenId Connect

2017-08-02 Thread mcgilman
Github user mcgilman commented on a diff in the pull request:

https://github.com/apache/nifi/pull/2047#discussion_r130884930
  
--- Diff: 
nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/oidc/OidcService.java
 ---
@@ -0,0 +1,207 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.nifi.web.security.oidc;
+
+import com.google.common.cache.Cache;
+import com.google.common.cache.CacheBuilder;
+import com.nimbusds.oauth2.sdk.AuthorizationGrant;
+import com.nimbusds.oauth2.sdk.Scope;
+import com.nimbusds.oauth2.sdk.id.State;
+import org.apache.nifi.web.security.util.CacheKey;
+
+import java.io.IOException;
+import java.math.BigInteger;
+import java.net.URI;
+import java.security.SecureRandom;
+import java.util.concurrent.ExecutionException;
+import java.util.concurrent.TimeUnit;
+
+import static 
org.apache.nifi.web.security.oidc.StandardOidcIdentityProvider.OPEN_ID_CONNECT_SUPPORT_IS_NOT_CONFIGURED;
+
+/**
+ * OidcService is a service for managing the OpenId Connect Authorization 
flow.
+ */
+public class OidcService {
+
+private OidcIdentityProvider identityProvider;
+private Cache stateLookupForPendingRequests; // 
identifier from cookie -> state value
+private Cache jwtLookupForCompletedRequests; // 
identifier from cookie -> jwt or identity (and generate jwt on retrieval)
+
+/**
+ * Creates a new OtpService with an expiration of 5 minutes.
+ */
+public OidcService(final OidcIdentityProvider identityProvider) {
+this(identityProvider, 60, TimeUnit.SECONDS);
+}
+
+/**
+ * Creates a new OtpService.
+ *
+ * @param duration  The expiration duration
+ * @param units The expiration units
+ * @throws NullPointerException If units is null
+ * @throws IllegalArgumentException If duration is negative
+ */
+public OidcService(final OidcIdentityProvider identityProvider, final 
int duration, final TimeUnit units) {
+this.identityProvider = identityProvider;
+this.stateLookupForPendingRequests = 
CacheBuilder.newBuilder().expireAfterWrite(duration, units).build();
+this.jwtLookupForCompletedRequests = 
CacheBuilder.newBuilder().expireAfterWrite(duration, units).build();
+}
+
+/**
+ * Returns whether OpenId Connect is enabled.
+ *
+ * @return whether OpenId Connect is enabled
+ */
+public boolean isOidcEnabled() {
+return identityProvider.isOidcEnabled();
+}
+
+/**
+ * Returns the OpenId Connect authorization endpoint.
+ *
+ * @return the authorization endpoint
+ */
+public URI getAuthorizationEndpoint() {
+return identityProvider.getAuthorizationEndpoint();
+}
+
+/**
+ * Returns the OpenId Connect scope.
+ *
+ * @return scope
+ */
+public Scope getScope() {
+return identityProvider.getScope();
+}
+
+/**
+ * Returns the OpenId Connect client id.
+ *
+ * @return client id
+ */
+public String getClientId() {
+return identityProvider.getClientId().getValue();
+}
+
+/**
+ * Initiates an OpenId Connection authorization code flow using the 
specified request identifier to maintain state.
+ *
+ * @param oidcRequestIdentifier request identifier
+ * @return state
+ */
+public State createState(final String oidcRequestIdentifier) {
+if (!isOidcEnabled()) {
+throw new 
IllegalStateException(OPEN_ID_CONNECT_SUPPORT_IS_NOT_CONFIGURED);
+}
+
+final CacheKey oidcRequestIdentifierKey = new 
CacheKey(oidcRequestIdentifier);
+final State state = 
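
Review bot: The single-argument constructor's Javadoc says "expiration of 5 minutes", but the body is `this(identityProvider, 60, TimeUnit.SECONDS);`, which is one minute. That duration is the `expireAfterWrite` window for both `stateLookupForPendingRequests` and `jwtLookupForCompletedRequests`, so it bounds how long a pending login state stays valid; decide which value is intended and make the comment and the code agree, ideally through a named constant.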

[jira] [Commented] (NIFI-4210) Add OpenId Connect support for authenticating users

2017-08-02 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/NIFI-4210?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16110963#comment-16110963
 ] 

ASF GitHub Bot commented on NIFI-4210:
--

Github user mcgilman commented on a diff in the pull request:

https://github.com/apache/nifi/pull/2047#discussion_r130884901
  
--- Diff: 
nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/oidc/OidcService.java
 ---
@@ -0,0 +1,207 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.nifi.web.security.oidc;
+
+import com.google.common.cache.Cache;
+import com.google.common.cache.CacheBuilder;
+import com.nimbusds.oauth2.sdk.AuthorizationGrant;
+import com.nimbusds.oauth2.sdk.Scope;
+import com.nimbusds.oauth2.sdk.id.State;
+import org.apache.nifi.web.security.util.CacheKey;
+
+import java.io.IOException;
+import java.math.BigInteger;
+import java.net.URI;
+import java.security.SecureRandom;
+import java.util.concurrent.ExecutionException;
+import java.util.concurrent.TimeUnit;
+
+import static 
org.apache.nifi.web.security.oidc.StandardOidcIdentityProvider.OPEN_ID_CONNECT_SUPPORT_IS_NOT_CONFIGURED;
+
+/**
+ * OidcService is a service for managing the OpenId Connect Authorization 
flow.
+ */
+public class OidcService {
+
+private OidcIdentityProvider identityProvider;
+private Cache stateLookupForPendingRequests; // 
identifier from cookie -> state value
+private Cache jwtLookupForCompletedRequests; // 
identifier from cookie -> jwt or identity (and generate jwt on retrieval)
+
+/**
+ * Creates a new OtpService with an expiration of 5 minutes.
+ */
+public OidcService(final OidcIdentityProvider identityProvider) {
+this(identityProvider, 60, TimeUnit.SECONDS);
+}
+
+/**
+ * Creates a new OtpService.
+ *
+ * @param duration  The expiration duration
+ * @param units The expiration units
+ * @throws NullPointerException If units is null
+ * @throws IllegalArgumentException If duration is negative
+ */
+public OidcService(final OidcIdentityProvider identityProvider, final 
int duration, final TimeUnit units) {
+this.identityProvider = identityProvider;
+this.stateLookupForPendingRequests = 
CacheBuilder.newBuilder().expireAfterWrite(duration, units).build();
+this.jwtLookupForCompletedRequests = 
CacheBuilder.newBuilder().expireAfterWrite(duration, units).build();
+}
+
+/**
+ * Returns whether OpenId Connect is enabled.
+ *
+ * @return whether OpenId Connect is enabled
+ */
+public boolean isOidcEnabled() {
+return identityProvider.isOidcEnabled();
+}
+
+/**
+ * Returns the OpenId Connect authorization endpoint.
+ *
+ * @return the authorization endpoint
+ */
+public URI getAuthorizationEndpoint() {
+return identityProvider.getAuthorizationEndpoint();
+}
+
+/**
+ * Returns the OpenId Connect scope.
+ *
+ * @return scope
+ */
+public Scope getScope() {
+return identityProvider.getScope();
+}
+
+/**
+ * Returns the OpenId Connect client id.
+ *
+ * @return client id
+ */
+public String getClientId() {
+return identityProvider.getClientId().getValue();
+}
+
+/**
+ * Initiates an OpenId Connection authorization code flow using the 
specified request identifier to maintain state.
+ *
+ * @param oidcRequestIdentifier request identifier
+ * @return state
+ */
+public State createState(final String oidcRequestIdentifier) {
+if (!isOidcEnabled()) {
+  
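
Review bot: `identityProvider` is stored in the three-argument constructor without a null check, yet `isOidcEnabled()`, `getAuthorizationEndpoint()`, `getScope()` and `getClientId()` all dereference it, and the constructor Javadoc documents `@throws` only for `duration` and `units`. Add `Objects.requireNonNull(identityProvider)` (or an equivalent check) and an `@param identityProvider` entry; both constructor comments also say "OtpService" where the class is `OidcService`.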

[jira] [Commented] (NIFI-4210) Add OpenId Connect support for authenticating users

2017-08-02 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/NIFI-4210?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16110964#comment-16110964
 ] 

ASF GitHub Bot commented on NIFI-4210:
--

Github user mcgilman commented on a diff in the pull request:

https://github.com/apache/nifi/pull/2047#discussion_r130884930
  
--- Diff: 
nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/oidc/OidcService.java
 ---
@@ -0,0 +1,207 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.nifi.web.security.oidc;
+
+import com.google.common.cache.Cache;
+import com.google.common.cache.CacheBuilder;
+import com.nimbusds.oauth2.sdk.AuthorizationGrant;
+import com.nimbusds.oauth2.sdk.Scope;
+import com.nimbusds.oauth2.sdk.id.State;
+import org.apache.nifi.web.security.util.CacheKey;
+
+import java.io.IOException;
+import java.math.BigInteger;
+import java.net.URI;
+import java.security.SecureRandom;
+import java.util.concurrent.ExecutionException;
+import java.util.concurrent.TimeUnit;
+
+import static 
org.apache.nifi.web.security.oidc.StandardOidcIdentityProvider.OPEN_ID_CONNECT_SUPPORT_IS_NOT_CONFIGURED;
+
+/**
+ * OidcService is a service for managing the OpenId Connect Authorization 
flow.
+ */
+public class OidcService {
+
+private OidcIdentityProvider identityProvider;
+private Cache stateLookupForPendingRequests; // 
identifier from cookie -> state value
+private Cache jwtLookupForCompletedRequests; // 
identifier from cookie -> jwt or identity (and generate jwt on retrieval)
+
+/**
+ * Creates a new OtpService with an expiration of 5 minutes.
+ */
+public OidcService(final OidcIdentityProvider identityProvider) {
+this(identityProvider, 60, TimeUnit.SECONDS);
+}
+
+/**
+ * Creates a new OtpService.
+ *
+ * @param duration  The expiration duration
+ * @param units The expiration units
+ * @throws NullPointerException If units is null
+ * @throws IllegalArgumentException If duration is negative
+ */
+public OidcService(final OidcIdentityProvider identityProvider, final 
int duration, final TimeUnit units) {
+this.identityProvider = identityProvider;
+this.stateLookupForPendingRequests = 
CacheBuilder.newBuilder().expireAfterWrite(duration, units).build();
+this.jwtLookupForCompletedRequests = 
CacheBuilder.newBuilder().expireAfterWrite(duration, units).build();
+}
+
+/**
+ * Returns whether OpenId Connect is enabled.
+ *
+ * @return whether OpenId Connect is enabled
+ */
+public boolean isOidcEnabled() {
+return identityProvider.isOidcEnabled();
+}
+
+/**
+ * Returns the OpenId Connect authorization endpoint.
+ *
+ * @return the authorization endpoint
+ */
+public URI getAuthorizationEndpoint() {
+return identityProvider.getAuthorizationEndpoint();
+}
+
+/**
+ * Returns the OpenId Connect scope.
+ *
+ * @return scope
+ */
+public Scope getScope() {
+return identityProvider.getScope();
+}
+
+/**
+ * Returns the OpenId Connect client id.
+ *
+ * @return client id
+ */
+public String getClientId() {
+return identityProvider.getClientId().getValue();
+}
+
+/**
+ * Initiates an OpenId Connection authorization code flow using the 
specified request identifier to maintain state.
+ *
+ * @param oidcRequestIdentifier request identifier
+ * @return state
+ */
+public State createState(final String oidcRequestIdentifier) {
+if (!isOidcEnabled()) {
+  
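
Review bot: The static import of `StandardOidcIdentityProvider.OPEN_ID_CONNECT_SUPPORT_IS_NOT_CONFIGURED` ties `OidcService` to one concrete provider, while the field and both constructors use the `OidcIdentityProvider` interface. Moving the message constant to the interface (or into `OidcService`) keeps the service independent of the implementation. The field comment on `jwtLookupForCompletedRequests` ("jwt or identity (and generate jwt on retrieval)") also reads as an open design question; settle what the cache stores and state it.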

[GitHub] nifi-minifi-cpp issue #122: MINIFI-359: Add PutFile test to test a variety o...

2017-08-02 Thread achristianson
Github user achristianson commented on the issue:

https://github.com/apache/nifi-minifi-cpp/pull/122
  
+1




[GitHub] nifi-minifi-cpp issue #123: MINIFI-363: Set format macro declaration to avoi...

2017-08-02 Thread achristianson
Github user achristianson commented on the issue:

https://github.com/apache/nifi-minifi-cpp/pull/123
  
+1




[jira] [Commented] (NIFI-3484) GenerateTableFetch Should Allow for Right Boundary

2017-08-02 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/NIFI-3484?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16110950#comment-16110950
 ] 

ASF GitHub Bot commented on NIFI-3484:
--

Github user pvillard31 commented on the issue:

https://github.com/apache/nifi/pull/1513
  
Hey @patricker, thanks for this PR and sorry it took so long to get into 
it. I just reviewed your work and it looks valid. I was able to confirm that it 
fixes the data duplication issue I was seeing in my environment.

I have pushed a commit here:
https://github.com/pvillard31/nifi/tree/PR1513

It fixes a check style issue in your PR and also adds a unit test to show 
the existing data duplication possibility. If you agree with it, can you add it 
into your PR and I'll get everything merged?

Thanks a lot!


> GenerateTableFetch Should Allow for Right Boundary
> --
>
> Key: NIFI-3484
> URL: https://issues.apache.org/jira/browse/NIFI-3484
> Project: Apache NiFi
>  Issue Type: New Feature
>  Components: Core Framework
>Affects Versions: 1.2.0
>Reporter: Peter Wicks
>Assignee: Peter Wicks
>Priority: Minor
>
> When using GenerateTableFetch it places no right hand boundary on pages of 
> data.  This can lead to issues when the statement says to get the next 1000 
> records greater than a specific key, but records were added to the table 
> between the time the processor executed and when the SQL is being executed. 
> As a result it pulls in records that did not exist when the processor was 
> run.  On the next execution of the processor these records will be pulled in 
> a second time.
> Example:
> Partition Size = 1000
> First run (no state): Count(*)=4700 and MAX(ID)=4700.
> 5 FlowFiles are generated, the last one will say to fetch 1000, not 700. (But 
> I don't think this is really a bug, just an observation).
> 5 Flow Files are now in queue to be executed by ExecuteSQL.  Before the 5th 
> file can execute 400 new rows are added to the table.  When the final SQL 
> statement is executed 300 extra records, with higher ID values, will also be 
> pulled into NiFi.
> Second run (state: ID=4700).  Count(*) ID>4700 = 400 and MAX(ID)=5100.
> 1 Flow File is generated, but includes 300 records already pulled into NiFi.
> The solution is to have an optional property that will let users use the new 
> MAX(ID) as a right boundary when generating queries.





[GitHub] nifi issue #1513: NIFI-3484 GenerateTableFetch Should Allow for Right Bounda...

2017-08-02 Thread pvillard31
Github user pvillard31 commented on the issue:

https://github.com/apache/nifi/pull/1513
  
Hey @patricker, thanks for this PR and sorry it took so long to get into 
it. I just reviewed your work and it looks valid. I was able to confirm that it 
fixes the data duplication issue I was seeing in my environment.

I have pushed a commit here:
https://github.com/pvillard31/nifi/tree/PR1513

It fixes a check style issue in your PR and also adds a unit test to show 
the existing data duplication possibility. If you agree with it, can you add it 
into your PR and I'll get everything merged?

Thanks a lot!




[jira] [Commented] (NIFI-4210) Add OpenId Connect support for authenticating users

2017-08-02 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/NIFI-4210?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16110946#comment-16110946
 ] 

ASF GitHub Bot commented on NIFI-4210:
--

Github user mcgilman commented on a diff in the pull request:

https://github.com/apache/nifi/pull/2047#discussion_r130882716
  
--- Diff: 
nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/oidc/OidcService.java
 ---
@@ -0,0 +1,207 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.nifi.web.security.oidc;
+
+import com.google.common.cache.Cache;
+import com.google.common.cache.CacheBuilder;
+import com.nimbusds.oauth2.sdk.AuthorizationGrant;
+import com.nimbusds.oauth2.sdk.Scope;
+import com.nimbusds.oauth2.sdk.id.State;
+import org.apache.nifi.web.security.util.CacheKey;
+
+import java.io.IOException;
+import java.math.BigInteger;
+import java.net.URI;
+import java.security.SecureRandom;
+import java.util.concurrent.ExecutionException;
+import java.util.concurrent.TimeUnit;
+
+import static 
org.apache.nifi.web.security.oidc.StandardOidcIdentityProvider.OPEN_ID_CONNECT_SUPPORT_IS_NOT_CONFIGURED;
+
+/**
+ * OidcService is a service for managing the OpenId Connect Authorization 
flow.
+ */
+public class OidcService {
+
+private OidcIdentityProvider identityProvider;
+private Cache stateLookupForPendingRequests; // 
identifier from cookie -> state value
+private Cache jwtLookupForCompletedRequests; // 
identifier from cookie -> jwt or identity (and generate jwt on retrieval)
+
+/**
+ * Creates a new OtpService with an expiration of 5 minutes.
+ */
+public OidcService(final OidcIdentityProvider identityProvider) {
+this(identityProvider, 60, TimeUnit.SECONDS);
+}
+
+/**
+ * Creates a new OtpService.
+ *
+ * @param duration  The expiration duration
+ * @param units The expiration units
+ * @throws NullPointerException If units is null
+ * @throws IllegalArgumentException If duration is negative
+ */
+public OidcService(final OidcIdentityProvider identityProvider, final 
int duration, final TimeUnit units) {
+this.identityProvider = identityProvider;
+this.stateLookupForPendingRequests = 
CacheBuilder.newBuilder().expireAfterWrite(duration, units).build();
+this.jwtLookupForCompletedRequests = 
CacheBuilder.newBuilder().expireAfterWrite(duration, units).build();
+}
+
+/**
+ * Returns whether OpenId Connect is enabled.
+ *
+ * @return whether OpenId Connect is enabled
+ */
+public boolean isOidcEnabled() {
+return identityProvider.isOidcEnabled();
+}
+
+/**
+ * Returns the OpenId Connect authorization endpoint.
+ *
+ * @return the authorization endpoint
+ */
+public URI getAuthorizationEndpoint() {
+return identityProvider.getAuthorizationEndpoint();
+}
+
+/**
+ * Returns the OpenId Connect scope.
+ *
+ * @return scope
+ */
+public Scope getScope() {
+return identityProvider.getScope();
+}
+
+/**
+ * Returns the OpenId Connect client id.
+ *
+ * @return client id
+ */
+public String getClientId() {
+return identityProvider.getClientId().getValue();
+}
+
+/**
+ * Initiates an OpenId Connection authorization code flow using the 
specified request identifier to maintain state.
+ *
+ * @param oidcRequestIdentifier request identifier
+ * @return state
+ */
+public State createState(final String oidcRequestIdentifier) {
+if (!isOidcEnabled()) {
+  
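Review bot: the three fields at the top of OidcService (identityProvider, stateLookupForPendingRequests, jwtLookupForCompletedRequests) are declared without final, although the lines shown only assign them in the constructor. If nothing later in the file reassigns them, declare them private final so the caches cannot be swapped after construction and are safely published to the request threads that read them.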

[GitHub] nifi pull request #2047: NIFI-4210: Add support for OpenId Connect

2017-08-02 Thread mcgilman
Github user mcgilman commented on a diff in the pull request:

https://github.com/apache/nifi/pull/2047#discussion_r130882716
  
--- Diff: 
nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/oidc/OidcService.java
 ---
@@ -0,0 +1,207 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.nifi.web.security.oidc;
+
+import com.google.common.cache.Cache;
+import com.google.common.cache.CacheBuilder;
+import com.nimbusds.oauth2.sdk.AuthorizationGrant;
+import com.nimbusds.oauth2.sdk.Scope;
+import com.nimbusds.oauth2.sdk.id.State;
+import org.apache.nifi.web.security.util.CacheKey;
+
+import java.io.IOException;
+import java.math.BigInteger;
+import java.net.URI;
+import java.security.SecureRandom;
+import java.util.concurrent.ExecutionException;
+import java.util.concurrent.TimeUnit;
+
+import static 
org.apache.nifi.web.security.oidc.StandardOidcIdentityProvider.OPEN_ID_CONNECT_SUPPORT_IS_NOT_CONFIGURED;
+
+/**
+ * OidcService is a service for managing the OpenId Connect Authorization 
flow.
+ */
+public class OidcService {
+
+private OidcIdentityProvider identityProvider;
+private Cache stateLookupForPendingRequests; // 
identifier from cookie -> state value
+private Cache jwtLookupForCompletedRequests; // 
identifier from cookie -> jwt or identity (and generate jwt on retrieval)
+
+/**
+ * Creates a new OtpService with an expiration of 5 minutes.
+ */
+public OidcService(final OidcIdentityProvider identityProvider) {
+this(identityProvider, 60, TimeUnit.SECONDS);
+}
+
+/**
+ * Creates a new OtpService.
+ *
+ * @param duration  The expiration duration
+ * @param units The expiration units
+ * @throws NullPointerException If units is null
+ * @throws IllegalArgumentException If duration is negative
+ */
+public OidcService(final OidcIdentityProvider identityProvider, final 
int duration, final TimeUnit units) {
+this.identityProvider = identityProvider;
+this.stateLookupForPendingRequests = 
CacheBuilder.newBuilder().expireAfterWrite(duration, units).build();
+this.jwtLookupForCompletedRequests = 
CacheBuilder.newBuilder().expireAfterWrite(duration, units).build();
+}
+
+/**
+ * Returns whether OpenId Connect is enabled.
+ *
+ * @return whether OpenId Connect is enabled
+ */
+public boolean isOidcEnabled() {
+return identityProvider.isOidcEnabled();
+}
+
+/**
+ * Returns the OpenId Connect authorization endpoint.
+ *
+ * @return the authorization endpoint
+ */
+public URI getAuthorizationEndpoint() {
+return identityProvider.getAuthorizationEndpoint();
+}
+
+/**
+ * Returns the OpenId Connect scope.
+ *
+ * @return scope
+ */
+public Scope getScope() {
+return identityProvider.getScope();
+}
+
+/**
+ * Returns the OpenId Connect client id.
+ *
+ * @return client id
+ */
+public String getClientId() {
+return identityProvider.getClientId().getValue();
+}
+
+/**
+ * Initiates an OpenId Connection authorization code flow using the 
specified request identifier to maintain state.
+ *
+ * @param oidcRequestIdentifier request identifier
+ * @return state
+ */
+public State createState(final String oidcRequestIdentifier) {
+if (!isOidcEnabled()) {
+throw new 
IllegalStateException(OPEN_ID_CONNECT_SUPPORT_IS_NOT_CONFIGURED);
+}
+
+final CacheKey oidcRequestIdentifierKey = new 
CacheKey(oidcRequestIdentifier);
+final State state = 
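Review bot: createState throws IllegalStateException when OpenId Connect is not enabled, but its Javadoc lists only @param and @return. Add an @throws IllegalStateException line so callers know to check isOidcEnabled() first. The same comment also reads "OpenId Connection authorization code flow", where "OpenId Connect" is meant.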

[GitHub] nifi issue #1969: NIFI-4082 - Added EL on GetMongo properties

2017-08-02 Thread nicholasmhughes
Github user nicholasmhughes commented on the issue:

https://github.com/apache/nifi/pull/1969
  
@pvillard31 @jfrazee I'm very interested in this functionality. The Jira 
for this issue doesn't have a fix version identified. Do you think it will make 
it into 1.4.0 (or the next formal release)?




[jira] [Updated] (NIFI-4218) ElasticsearchHttp processors should support dynamic properties as query parameters

2017-08-02 Thread Matt Burgess (JIRA)

 [ 
https://issues.apache.org/jira/browse/NIFI-4218?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Matt Burgess updated NIFI-4218:
---
Status: Patch Available  (was: In Progress)

> ElasticsearchHttp processors should support dynamic properties as query 
> parameters
> --
>
> Key: NIFI-4218
> URL: https://issues.apache.org/jira/browse/NIFI-4218
> Project: Apache NiFi
>  Issue Type: Improvement
>  Components: Extensions
>Reporter: Matt Burgess
>Assignee: Matt Burgess
>Priority: Minor
>
> The Elasticsearch HTTP API has a number of fields that can be specified as 
> query parameters in the URL, such as support for 
> [pipelines|https://www.elastic.co/guide/en/elasticsearch/reference/current/ingest.html].
>  Rather than including all possibilities as processor properties, it might be 
> more flexible to allow the user to specify dynamic properties on 
> ElasticsearchHttp processors, and then use those to set query parameters on 
> the API URL.
> Documentation should include a note that not all features are available to 
> all versions of Elasticsearch, and thus the ES documentation should be 
> consulted before adding dynamic properties. For example, pipelines were 
> introduced in ES 5.x, so using pipeline parameters in an ElasticsearchHttp 
> processor will not work if connecting to an ES 2.x cluster.





[jira] [Commented] (NIFI-4218) ElasticsearchHttp processors should support dynamic properties as query parameters

2017-08-02 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/NIFI-4218?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16110919#comment-16110919
 ] 

ASF GitHub Bot commented on NIFI-4218:
--

GitHub user mattyb149 opened a pull request:

https://github.com/apache/nifi/pull/2049

NIFI-4218: Dynamic properties as query parameters in ESHttp processors

### For all changes:
- [x] Is there a JIRA ticket associated with this PR? Is it referenced 
 in the commit message?

- [x] Does your PR title start with NIFI- where  is the JIRA number 
you are trying to resolve? Pay particular attention to the hyphen "-" character.

- [x] Has your PR been rebased against the latest commit within the target 
branch (typically master)?

- [x] Is your initial contribution a single, squashed commit?

### For code changes:
- [x] Have you ensured that the full suite of tests is executed via mvn 
-Pcontrib-check clean install at the root nifi folder?
- [x] Have you written or updated unit tests to verify your changes?
- [ ] If adding new dependencies to the code, are these dependencies 
licensed in a way that is compatible for inclusion under [ASF 
2.0](http://www.apache.org/legal/resolved.html#category-a)? 
- [ ] If applicable, have you updated the LICENSE file, including the main 
LICENSE file under nifi-assembly?
- [ ] If applicable, have you updated the NOTICE file, including the main 
NOTICE file found under nifi-assembly?
- [ ] If adding new Properties, have you added .displayName in addition to 
.name (programmatic access) for each of the new properties?

### For documentation related changes:
- [x] Have you ensured that format looks appropriate for the output in 
which it is rendered?

### Note:
Please ensure that once the PR is submitted, you check travis-ci for build 
issues and submit an update to your PR as soon as possible.


You can merge this pull request into a Git repository by running:

$ git pull https://github.com/mattyb149/nifi NIFI-4218

Alternatively you can review and apply these changes as the patch at:

https://github.com/apache/nifi/pull/2049.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

This closes #2049


commit e6fe6dc3adc953b5eea938e0750efe38f92b88ab
Author: Matt Burgess 
Date:   2017-08-02T13:41:12Z

NIFI-4218: Dynamic properties as query parameters in ESHttp processors




> ElasticsearchHttp processors should support dynamic properties as query 
> parameters
> --
>
> Key: NIFI-4218
> URL: https://issues.apache.org/jira/browse/NIFI-4218
> Project: Apache NiFi
>  Issue Type: Improvement
>  Components: Extensions
>Reporter: Matt Burgess
>Assignee: Matt Burgess
>Priority: Minor
>
> The Elasticsearch HTTP API has a number of fields that can be specified as 
> query parameters in the URL, such as support for 
> [pipelines|https://www.elastic.co/guide/en/elasticsearch/reference/current/ingest.html].
>  Rather than including all possibilities as processor properties, it might be 
> more flexible to allow the user to specify dynamic properties on 
> ElasticsearchHttp processors, and then use those to set query parameters on 
> the API URL.
> Documentation should include a note that not all features are available to 
> all versions of Elasticsearch, and thus the ES documentation should be 
> consulted before adding dynamic properties. For example, pipelines were 
> introduced in ES 5.x, so using pipeline parameters in an ElasticsearchHttp 
> processor will not work if connecting to an ES 2.x cluster.





[GitHub] nifi pull request #2047: NIFI-4210: Add support for OpenId Connect

2017-08-02 Thread mcgilman
Github user mcgilman commented on a diff in the pull request:

https://github.com/apache/nifi/pull/2047#discussion_r130879118
  
--- Diff: 
nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/oidc/OidcService.java
 ---
@@ -0,0 +1,207 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.nifi.web.security.oidc;
+
+import com.google.common.cache.Cache;
+import com.google.common.cache.CacheBuilder;
+import com.nimbusds.oauth2.sdk.AuthorizationGrant;
+import com.nimbusds.oauth2.sdk.Scope;
+import com.nimbusds.oauth2.sdk.id.State;
+import org.apache.nifi.web.security.util.CacheKey;
+
+import java.io.IOException;
+import java.math.BigInteger;
+import java.net.URI;
+import java.security.SecureRandom;
+import java.util.concurrent.ExecutionException;
+import java.util.concurrent.TimeUnit;
+
+import static 
org.apache.nifi.web.security.oidc.StandardOidcIdentityProvider.OPEN_ID_CONNECT_SUPPORT_IS_NOT_CONFIGURED;
+
+/**
+ * OidcService is a service for managing the OpenId Connect Authorization 
flow.
+ */
+public class OidcService {
+
+private OidcIdentityProvider identityProvider;
+private Cache stateLookupForPendingRequests; // 
identifier from cookie -> state value
+private Cache jwtLookupForCompletedRequests; // 
identifier from cookie -> jwt or identity (and generate jwt on retrieval)
+
+/**
+ * Creates a new OtpService with an expiration of 5 minutes.
+ */
+public OidcService(final OidcIdentityProvider identityProvider) {
+this(identityProvider, 60, TimeUnit.SECONDS);
+}
+
+/**
+ * Creates a new OtpService.
+ *
+ * @param duration  The expiration duration
+ * @param units The expiration units
+ * @throws NullPointerException If units is null
+ * @throws IllegalArgumentException If duration is negative
+ */
+public OidcService(final OidcIdentityProvider identityProvider, final 
int duration, final TimeUnit units) {
+this.identityProvider = identityProvider;
+this.stateLookupForPendingRequests = 
CacheBuilder.newBuilder().expireAfterWrite(duration, units).build();
+this.jwtLookupForCompletedRequests = 
CacheBuilder.newBuilder().expireAfterWrite(duration, units).build();
+}
+
+/**
+ * Returns whether OpenId Connect is enabled.
+ *
+ * @return whether OpenId Connect is enabled
+ */
+public boolean isOidcEnabled() {
+return identityProvider.isOidcEnabled();
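Review bot: isOidcEnabled() dereferences identityProvider unconditionally, while the three-argument constructor stores whatever it is given and its Javadoc documents a NullPointerException only for units. Either reject a null provider in the constructor (for example with Objects.requireNonNull) or have isOidcEnabled() return false when no provider is set, so that a missing provider surfaces as "not configured" rather than as a NullPointerException at request time.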
--- End diff --

Got it.




[jira] [Commented] (NIFI-4210) Add OpenId Connect support for authenticating users

2017-08-02 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/NIFI-4210?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16110916#comment-16110916
 ] 

ASF GitHub Bot commented on NIFI-4210:
--

Github user mcgilman commented on a diff in the pull request:

https://github.com/apache/nifi/pull/2047#discussion_r130878847
  
--- Diff: 
nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/oidc/OidcService.java
 ---
@@ -0,0 +1,207 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.nifi.web.security.oidc;
+
+import com.google.common.cache.Cache;
+import com.google.common.cache.CacheBuilder;
+import com.nimbusds.oauth2.sdk.AuthorizationGrant;
+import com.nimbusds.oauth2.sdk.Scope;
+import com.nimbusds.oauth2.sdk.id.State;
+import org.apache.nifi.web.security.util.CacheKey;
+
+import java.io.IOException;
+import java.math.BigInteger;
+import java.net.URI;
+import java.security.SecureRandom;
+import java.util.concurrent.ExecutionException;
+import java.util.concurrent.TimeUnit;
+
+import static 
org.apache.nifi.web.security.oidc.StandardOidcIdentityProvider.OPEN_ID_CONNECT_SUPPORT_IS_NOT_CONFIGURED;
+
+/**
+ * OidcService is a service for managing the OpenId Connect Authorization 
flow.
+ */
+public class OidcService {
+
+private OidcIdentityProvider identityProvider;
+private Cache stateLookupForPendingRequests; // 
identifier from cookie -> state value
+private Cache jwtLookupForCompletedRequests; // 
identifier from cookie -> jwt or identity (and generate jwt on retrieval)
+
+/**
+ * Creates a new OtpService with an expiration of 5 minutes.
+ */
+public OidcService(final OidcIdentityProvider identityProvider) {
+this(identityProvider, 60, TimeUnit.SECONDS);
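Review bot: the Javadoc on the one-argument constructor promises an expiration of 5 minutes, but the call below it passes 60, TimeUnit.SECONDS. Decide which lifetime is intended for pending state values and make the comment and the arguments agree; a named constant for the default would keep the two in sync.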
--- End diff --

Got it.


> Add OpenId Connect support for authenticating users
> ---
>
> Key: NIFI-4210
> URL: https://issues.apache.org/jira/browse/NIFI-4210
> Project: Apache NiFi
>  Issue Type: Improvement
>  Components: Core Framework, Core UI
>Reporter: Matt Gilman
>Assignee: Matt Gilman
>
> Add support for authenticating users with the OpenId Connection 
> specification. Evaluate whether a new extension point is necessary to allow 
> for a given provider to supply custom code for instance to implement custom 
> token validation.





[jira] [Assigned] (NIFI-4218) ElasticsearchHttp processors should support dynamic properties as query parameters

2017-08-02 Thread Matt Burgess (JIRA)

 [ 
https://issues.apache.org/jira/browse/NIFI-4218?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Matt Burgess reassigned NIFI-4218:
--

Assignee: Matt Burgess

> ElasticsearchHttp processors should support dynamic properties as query 
> parameters
> --
>
> Key: NIFI-4218
> URL: https://issues.apache.org/jira/browse/NIFI-4218
> Project: Apache NiFi
>  Issue Type: Improvement
>  Components: Extensions
>Reporter: Matt Burgess
>Assignee: Matt Burgess
>Priority: Minor
>
> The Elasticsearch HTTP API has a number of fields that can be specified as 
> query parameters in the URL, such as support for 
> [pipelines|https://www.elastic.co/guide/en/elasticsearch/reference/current/ingest.html].
>  Rather than including all possibilities as processor properties, it might be 
> more flexible to allow the user to specify dynamic properties on 
> ElasticsearchHttp processors, and then use those to set query parameters on 
> the API URL.
> Documentation should include a note that not all features are available to 
> all versions of Elasticsearch, and thus the ES documentation should be 
> consulted before adding dynamic properties. For example, pipelines were 
> introduced in ES 5.x, so using pipeline parameters in an ElasticsearchHttp 
> processor will not work if connecting to an ES 2.x cluster.





[GitHub] nifi pull request #2047: NIFI-4210: Add support for OpenId Connect

2017-08-02 Thread mcgilman
Github user mcgilman commented on a diff in the pull request:

https://github.com/apache/nifi/pull/2047#discussion_r130878806
  
--- Diff: 
nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/oidc/OidcService.java
 ---
@@ -0,0 +1,207 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.nifi.web.security.oidc;
+
+import com.google.common.cache.Cache;
+import com.google.common.cache.CacheBuilder;
+import com.nimbusds.oauth2.sdk.AuthorizationGrant;
+import com.nimbusds.oauth2.sdk.Scope;
+import com.nimbusds.oauth2.sdk.id.State;
+import org.apache.nifi.web.security.util.CacheKey;
+
+import java.io.IOException;
+import java.math.BigInteger;
+import java.net.URI;
+import java.security.SecureRandom;
+import java.util.concurrent.ExecutionException;
+import java.util.concurrent.TimeUnit;
+
+import static 
org.apache.nifi.web.security.oidc.StandardOidcIdentityProvider.OPEN_ID_CONNECT_SUPPORT_IS_NOT_CONFIGURED;
+
+/**
+ * OidcService is a service for managing the OpenId Connect Authorization 
flow.
+ */
+public class OidcService {
+
+private OidcIdentityProvider identityProvider;
+private Cache stateLookupForPendingRequests; // 
identifier from cookie -> state value
+private Cache jwtLookupForCompletedRequests; // 
identifier from cookie -> jwt or identity (and generate jwt on retrieval)
+
+/**
+ * Creates a new OtpService with an expiration of 5 minutes.
+ */
+public OidcService(final OidcIdentityProvider identityProvider) {
+this(identityProvider, 60, TimeUnit.SECONDS);
+}
+
+/**
+ * Creates a new OtpService.
+ *
+ * @param duration  The expiration duration
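Review bot: both constructor comments say "Creates a new OtpService", which looks carried over from another class; the class declared here is OidcService. The tag list of the second comment also starts at @param duration, so if that constructor takes the identity provider as the one-argument constructor does, document that parameter as well.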
--- End diff --

Got it.




[jira] [Commented] (NIFI-4210) Add OpenId Connect support for authenticating users

2017-08-02 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/NIFI-4210?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16110914#comment-16110914
 ] 

ASF GitHub Bot commented on NIFI-4210:
--

Github user mcgilman commented on a diff in the pull request:

https://github.com/apache/nifi/pull/2047#discussion_r130878563
  
--- Diff: 
nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/api/AccessResource.java
 ---
@@ -125,6 +142,160 @@ public Response getLoginConfig(@Context 
HttpServletRequest httpServletRequest) {
 return generateOkResponse(entity).build();
 }
 
+@GET
+@Consumes(MediaType.WILDCARD)
+@Produces(MediaType.WILDCARD)
+@Path("oidc/request")
+@ApiOperation(
+value = "Initiates a request to authenticate through the 
configured OpenId Connect provider."
+)
+public void oidcRequest(@Context HttpServletRequest 
httpServletRequest, @Context HttpServletResponse httpServletResponse) throws 
Exception {
+// only consider user specific access over https
+if (!httpServletRequest.isSecure()) {
+forwardToMessagePage(httpServletRequest, httpServletResponse, 
"User authentication/authorization is only supported when running over HTTPS.");
+return;
+}
+
+// ensure oidc is enabled
+if (!oidcService.isOidcEnabled()) {
+forwardToMessagePage(httpServletRequest, httpServletResponse, 
"OpenId Connect is not configured.");
+return;
+}
+
+final String oidcRequestIdentifier = UUID.randomUUID().toString();
+
+// generate a cookie to associate this login sequence
+final Cookie cookie = new Cookie(OIDC_REQUEST_IDENTIFIER, 
oidcRequestIdentifier);
+cookie.setPath("/");
+cookie.setHttpOnly(true);
+cookie.setMaxAge(60);
+cookie.setSecure(true);
+httpServletResponse.addCookie(cookie);
+
+// get the state for this request
+final State state = oidcService.createState(oidcRequestIdentifier);
+
+// build the authorization uri
+final URI authorizationUri = 
UriBuilder.fromUri(oidcService.getAuthorizationEndpoint())
+.queryParam("client_id", oidcService.getClientId())
+.queryParam("response_type", "code")
+.queryParam("scope", oidcService.getScope().toString())
+.queryParam("state", state.getValue())
+.queryParam("redirect_uri", getOidcCallback())
+.build();
+
+// generate the response
+httpServletResponse.sendRedirect(authorizationUri.toString());
+}
+
+@GET
+@Consumes(MediaType.WILDCARD)
+@Produces(MediaType.WILDCARD)
+@Path("oidc/callback")
+@ApiOperation(
+value = "Redirect/callback URI for processing the result of 
the OpenId Connect login sequence."
+)
+public void oidcCallback(@Context HttpServletRequest 
httpServletRequest, @Context HttpServletResponse httpServletResponse) throws 
Exception {
+// only consider user specific access over https
+if (!httpServletRequest.isSecure()) {
+forwardToMessagePage(httpServletRequest, httpServletResponse, 
"User authentication/authorization is only supported when running over HTTPS.");
+return;
+}
+
+// ensure oidc is enabled
+if (!oidcService.isOidcEnabled()) {
+forwardToMessagePage(httpServletRequest, httpServletResponse, 
"OpenId Connect is not configured.");
+return;
+}
+
+final String oidcRequestIdentifier = 
getCookieValue(httpServletRequest.getCookies(), OIDC_REQUEST_IDENTIFIER);
+if (oidcRequestIdentifier == null) {
+forwardToMessagePage(httpServletRequest, httpServletResponse, 
"The login request identifier was not found in the request. Unable to 
continue.");
+return;
+}
+
+final com.nimbusds.openid.connect.sdk.AuthenticationResponse 
oidcResponse = AuthenticationResponseParser.parse(getRequestUri());
+if (oidcResponse.indicatesSuccess()) {
+final AuthenticationSuccessResponse successfulOidcResponse = 
(AuthenticationSuccessResponse) oidcResponse;
+
+// confirm state
+final State state = successfulOidcResponse.getState();
+if (!oidcService.isStateValid(oidcRequestIdentifier, state)) {
+logger.error("Purposed state does not match the stored 
state. Unable to continue login process.");
+
+// remove the oidc 
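Review bot: in oidcCallback the value from successfulOidcResponse.getState() goes straight into oidcService.isStateValid(oidcRequestIdentifier, state) with no null check in this method. A callback that carries a code but no state parameter must fail the comparison, so either reject a null state here before the call or make sure isStateValid treats null as invalid. Minor: the log message reads "Purposed state", presumably "Proposed state".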

[GitHub] nifi pull request #2047: NIFI-4210: Add support for OpenId Connect

2017-08-02 Thread mcgilman
Github user mcgilman commented on a diff in the pull request:

https://github.com/apache/nifi/pull/2047#discussion_r130878563
  
--- Diff: 
nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/api/AccessResource.java
 ---
@@ -125,6 +142,160 @@ public Response getLoginConfig(@Context 
HttpServletRequest httpServletRequest) {
 return generateOkResponse(entity).build();
 }
 
+@GET
+@Consumes(MediaType.WILDCARD)
+@Produces(MediaType.WILDCARD)
+@Path("oidc/request")
+@ApiOperation(
+value = "Initiates a request to authenticate through the 
configured OpenId Connect provider."
+)
+public void oidcRequest(@Context HttpServletRequest 
httpServletRequest, @Context HttpServletResponse httpServletResponse) throws 
Exception {
+// only consider user specific access over https
+if (!httpServletRequest.isSecure()) {
+forwardToMessagePage(httpServletRequest, httpServletResponse, 
"User authentication/authorization is only supported when running over HTTPS.");
+return;
+}
+
+// ensure oidc is enabled
+if (!oidcService.isOidcEnabled()) {
+forwardToMessagePage(httpServletRequest, httpServletResponse, 
"OpenId Connect is not configured.");
+return;
+}
+
+final String oidcRequestIdentifier = UUID.randomUUID().toString();
+
+// generate a cookie to associate this login sequence
+final Cookie cookie = new Cookie(OIDC_REQUEST_IDENTIFIER, 
oidcRequestIdentifier);
+cookie.setPath("/");
+cookie.setHttpOnly(true);
+cookie.setMaxAge(60);
+cookie.setSecure(true);
+httpServletResponse.addCookie(cookie);
+
+// get the state for this request
+final State state = oidcService.createState(oidcRequestIdentifier);
+
+// build the authorization uri
+final URI authorizationUri = 
UriBuilder.fromUri(oidcService.getAuthorizationEndpoint())
+.queryParam("client_id", oidcService.getClientId())
+.queryParam("response_type", "code")
+.queryParam("scope", oidcService.getScope().toString())
+.queryParam("state", state.getValue())
+.queryParam("redirect_uri", getOidcCallback())
+.build();
+
+// generate the response
+httpServletResponse.sendRedirect(authorizationUri.toString());
+}
+
+@GET
+@Consumes(MediaType.WILDCARD)
+@Produces(MediaType.WILDCARD)
+@Path("oidc/callback")
+@ApiOperation(
+value = "Redirect/callback URI for processing the result of 
the OpenId Connect login sequence."
+)
+public void oidcCallback(@Context HttpServletRequest 
httpServletRequest, @Context HttpServletResponse httpServletResponse) throws 
Exception {
+// only consider user specific access over https
+if (!httpServletRequest.isSecure()) {
+forwardToMessagePage(httpServletRequest, httpServletResponse, 
"User authentication/authorization is only supported when running over HTTPS.");
+return;
+}
+
+// ensure oidc is enabled
+if (!oidcService.isOidcEnabled()) {
+forwardToMessagePage(httpServletRequest, httpServletResponse, 
"OpenId Connect is not configured.");
+return;
+}
+
+final String oidcRequestIdentifier = 
getCookieValue(httpServletRequest.getCookies(), OIDC_REQUEST_IDENTIFIER);
+if (oidcRequestIdentifier == null) {
+forwardToMessagePage(httpServletRequest, httpServletResponse, 
"The login request identifier was not found in the request. Unable to 
continue.");
+return;
+}
+
+final com.nimbusds.openid.connect.sdk.AuthenticationResponse 
oidcResponse = AuthenticationResponseParser.parse(getRequestUri());
+if (oidcResponse.indicatesSuccess()) {
+final AuthenticationSuccessResponse successfulOidcResponse = 
(AuthenticationSuccessResponse) oidcResponse;
+
+// confirm state
+final State state = successfulOidcResponse.getState();
+if (!oidcService.isStateValid(oidcRequestIdentifier, state)) {
+logger.error("Purposed state does not match the stored 
state. Unable to continue login process.");
+
+// remove the oidc request cookie
+removeOidcRequestCookie(httpServletResponse);
+
+// forward to the error page
+forwardToMessagePage(httpServletRequest, 
httpServletResponse, "Purposed state 
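Review bot: the text passed to `forwardToMessagePage` in the state-mismatch branch starts with "Purposed state", the same wording as the `logger.error` call just above it, and it reads like a slip for "Proposed". This string is shown to the user, so correct it together with the log message, and consider keeping the user-facing text generic while the log line carries the detail.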

[jira] [Commented] (NIFI-4248) Create processor for Apache Rya

2017-08-02 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/NIFI-4248?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16110898#comment-16110898
 ] 

ASF GitHub Bot commented on NIFI-4248:
--

Github user bbende commented on the issue:

https://github.com/apache/nifi/pull/2043
  
@jzonthemtn sounds good, if you find that InvokeHttp doesn't work for some 
reason, or if there is some specific logic related to Rya that you need, then 
by all means re-open


> Create processor for Apache Rya
> -------------------------------
>
> Key: NIFI-4248
> URL: https://issues.apache.org/jira/browse/NIFI-4248
> Project: Apache NiFi
> Issue Type: Task
> Components: Extensions
> Reporter: Jeff Zemerick
> Priority: Minor
>
> Create a processor to ingest triples into Apache Rya.





[GitHub] nifi issue #2043: NIFI-4248: Adding Rya processor.

2017-08-02 Thread bbende
Github user bbende commented on the issue:

https://github.com/apache/nifi/pull/2043
  
@jzonthemtn sounds good, if you find that InvokeHttp doesn't work for some 
reason, or if there is some specific logic related to Rya that you need, then 
by all means re-open




[jira] [Commented] (NIFI-4124) Add a Record API-based PutMongo clone

2017-08-02 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/NIFI-4124?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16110882#comment-16110882
 ] 

ASF GitHub Bot commented on NIFI-4124:
--

Github user MikeThomsen commented on the issue:

https://github.com/apache/nifi/pull/1945
  
@markap14 @joewitt Any chance of getting this reviewed?


> Add a Record API-based PutMongo clone
> -------------------------------------
>
> Key: NIFI-4124
> URL: https://issues.apache.org/jira/browse/NIFI-4124
> Project: Apache NiFi
> Issue Type: Improvement
> Reporter: Mike Thomsen
> Priority: Minor
> Labels: mongodb, putmongo, records
>
> A new processor that can use the Record API to put data into Mongo is needed.





[jira] [Commented] (NIFI-4024) Create EvaluateRecordPath processor

2017-08-02 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/NIFI-4024?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16110880#comment-16110880
 ] 

ASF GitHub Bot commented on NIFI-4024:
--

Github user MikeThomsen commented on a diff in the pull request:

https://github.com/apache/nifi/pull/1961#discussion_r130873950
  
--- Diff: 
nifi-nar-bundles/nifi-hbase-bundle/nifi-hbase-processors/src/main/java/org/apache/nifi/hbase/PutHBaseRecord.java
 ---
@@ -0,0 +1,323 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.nifi.hbase;
+
+import org.apache.nifi.annotation.behavior.EventDriven;
+import org.apache.nifi.annotation.behavior.InputRequirement;
+import org.apache.nifi.annotation.behavior.ReadsAttribute;
+import org.apache.nifi.annotation.behavior.SupportsBatching;
+import org.apache.nifi.annotation.behavior.WritesAttribute;
+import org.apache.nifi.annotation.documentation.CapabilityDescription;
+import org.apache.nifi.annotation.documentation.Tags;
+import org.apache.nifi.components.AllowableValue;
+import org.apache.nifi.components.PropertyDescriptor;
+import org.apache.nifi.flowfile.FlowFile;
+import org.apache.nifi.hbase.put.PutColumn;
+import org.apache.nifi.hbase.put.PutFlowFile;
+import org.apache.nifi.processor.ProcessContext;
+import org.apache.nifi.processor.ProcessSession;
+import org.apache.nifi.processor.Relationship;
+import org.apache.nifi.processor.exception.ProcessException;
+import org.apache.nifi.processor.util.StandardValidators;
+import org.apache.nifi.serialization.RecordReader;
+import org.apache.nifi.serialization.RecordReaderFactory;
+import org.apache.nifi.serialization.record.Record;
+import org.apache.nifi.serialization.record.RecordFieldType;
+import org.apache.nifi.serialization.record.RecordSchema;
+
+import java.io.IOException;
+import java.util.ArrayList;
+import java.util.HashSet;
+import java.util.List;
+import java.util.Set;
+
+@EventDriven
+@SupportsBatching
+@InputRequirement(InputRequirement.Requirement.INPUT_REQUIRED)
+@Tags({"hadoop", "hbase", "put", "record"})
+@CapabilityDescription("Adds rows to HBase based on the contents of a 
flowfile using a configured record reader.")
+@ReadsAttribute(attribute = "restart.index", description = "Reads 
restart.index when it needs to replay part of a record set that did not get 
into HBase.")
+@WritesAttribute(attribute = "restart.index", description = "Writes 
restart.index when a batch fails to be insert into HBase")
+public class PutHBaseRecord extends AbstractPutHBase {
+
+protected static final PropertyDescriptor ROW_FIELD_NAME = new 
PropertyDescriptor.Builder()
+.name("Row Identifier Field Path")
+.description("Specifies the name of a record field whose value 
should be used as the row id for the given record.")
+.expressionLanguageSupported(true)
+.addValidator(StandardValidators.NON_EMPTY_VALIDATOR)
+.build();
+
+protected static final String FAIL_VALUE = "Fail";
+protected static final String WARN_VALUE = "Warn";
+protected static final String IGNORE_VALUE = "Ignore";
+protected static final String TEXT_VALUE = "Text";
+
+protected static final AllowableValue COMPLEX_FIELD_FAIL = new 
AllowableValue(FAIL_VALUE, FAIL_VALUE, "Route entire FlowFile to failure if any 
elements contain complex values.");
+protected static final AllowableValue COMPLEX_FIELD_WARN = new 
AllowableValue(WARN_VALUE, WARN_VALUE, "Provide a warning and do not include 
field in row sent to HBase.");
+protected static final AllowableValue COMPLEX_FIELD_IGNORE = new 
AllowableValue(IGNORE_VALUE, IGNORE_VALUE, "Silently ignore and do not include 
in row sent to HBase.");
+protected static final AllowableValue COMPLEX_FIELD_TEXT = new 
AllowableValue(TEXT_VALUE, TEXT_VALUE, "Use the string representation of the 
complex field as the value of the 
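Review bot: `ROW_FIELD_NAME` is built without `.required(true)`, so the builder chain leaves it optional even though the description says its value is used as the row id for the given record. Mark it required, or describe what happens when it is unset. The name "Row Identifier Field Path" also says path while the description says "the name of a record field"; pick one term.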

[GitHub] nifi pull request #1961: NIFI-4024 Added org.apache.nifi.hbase.PutHBaseRecor...

2017-08-02 Thread MikeThomsen
Github user MikeThomsen commented on a diff in the pull request:

https://github.com/apache/nifi/pull/1961#discussion_r130873950
  
--- Diff: 
nifi-nar-bundles/nifi-hbase-bundle/nifi-hbase-processors/src/main/java/org/apache/nifi/hbase/PutHBaseRecord.java
 ---
@@ -0,0 +1,323 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.nifi.hbase;
+
+import org.apache.nifi.annotation.behavior.EventDriven;
+import org.apache.nifi.annotation.behavior.InputRequirement;
+import org.apache.nifi.annotation.behavior.ReadsAttribute;
+import org.apache.nifi.annotation.behavior.SupportsBatching;
+import org.apache.nifi.annotation.behavior.WritesAttribute;
+import org.apache.nifi.annotation.documentation.CapabilityDescription;
+import org.apache.nifi.annotation.documentation.Tags;
+import org.apache.nifi.components.AllowableValue;
+import org.apache.nifi.components.PropertyDescriptor;
+import org.apache.nifi.flowfile.FlowFile;
+import org.apache.nifi.hbase.put.PutColumn;
+import org.apache.nifi.hbase.put.PutFlowFile;
+import org.apache.nifi.processor.ProcessContext;
+import org.apache.nifi.processor.ProcessSession;
+import org.apache.nifi.processor.Relationship;
+import org.apache.nifi.processor.exception.ProcessException;
+import org.apache.nifi.processor.util.StandardValidators;
+import org.apache.nifi.serialization.RecordReader;
+import org.apache.nifi.serialization.RecordReaderFactory;
+import org.apache.nifi.serialization.record.Record;
+import org.apache.nifi.serialization.record.RecordFieldType;
+import org.apache.nifi.serialization.record.RecordSchema;
+
+import java.io.IOException;
+import java.util.ArrayList;
+import java.util.HashSet;
+import java.util.List;
+import java.util.Set;
+
+@EventDriven
+@SupportsBatching
+@InputRequirement(InputRequirement.Requirement.INPUT_REQUIRED)
+@Tags({"hadoop", "hbase", "put", "record"})
+@CapabilityDescription("Adds rows to HBase based on the contents of a 
flowfile using a configured record reader.")
+@ReadsAttribute(attribute = "restart.index", description = "Reads 
restart.index when it needs to replay part of a record set that did not get 
into HBase.")
+@WritesAttribute(attribute = "restart.index", description = "Writes 
restart.index when a batch fails to be insert into HBase")
+public class PutHBaseRecord extends AbstractPutHBase {
+
+protected static final PropertyDescriptor ROW_FIELD_NAME = new 
PropertyDescriptor.Builder()
+.name("Row Identifier Field Path")
+.description("Specifies the name of a record field whose value 
should be used as the row id for the given record.")
+.expressionLanguageSupported(true)
+.addValidator(StandardValidators.NON_EMPTY_VALIDATOR)
+.build();
+
+protected static final String FAIL_VALUE = "Fail";
+protected static final String WARN_VALUE = "Warn";
+protected static final String IGNORE_VALUE = "Ignore";
+protected static final String TEXT_VALUE = "Text";
+
+protected static final AllowableValue COMPLEX_FIELD_FAIL = new 
AllowableValue(FAIL_VALUE, FAIL_VALUE, "Route entire FlowFile to failure if any 
elements contain complex values.");
+protected static final AllowableValue COMPLEX_FIELD_WARN = new 
AllowableValue(WARN_VALUE, WARN_VALUE, "Provide a warning and do not include 
field in row sent to HBase.");
+protected static final AllowableValue COMPLEX_FIELD_IGNORE = new 
AllowableValue(IGNORE_VALUE, IGNORE_VALUE, "Silently ignore and do not include 
in row sent to HBase.");
+protected static final AllowableValue COMPLEX_FIELD_TEXT = new 
AllowableValue(TEXT_VALUE, TEXT_VALUE, "Use the string representation of the 
complex field as the value of the given column.");
+
+static final PropertyDescriptor RECORD_READER_FACTORY = new 
PropertyDescriptor.Builder()
+.name("record-reader")
+.displayName("Record Reader")
+
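Review bot: property naming is inconsistent within this class. `RECORD_READER_FACTORY` uses a machine name plus a display name (`.name("record-reader")`, `.displayName("Record Reader")`), while `ROW_FIELD_NAME` puts the human-readable label directly in `.name("Row Identifier Field Path")`. Use the name/displayName pair for both so the label can change later without changing the property's identifier. Minor: the `@WritesAttribute` description should read "fails to be inserted into HBase".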

[GitHub] nifi issue #1945: NIFI-4124 Added org.apache.nifi.mongo.PutMongoRecord.

2017-08-02 Thread MikeThomsen
Github user MikeThomsen commented on the issue:

https://github.com/apache/nifi/pull/1945
  
@markap14 @joewitt Any chance of getting this reviewed?




[jira] [Commented] (NIFI-4210) Add OpenId Connect support for authenticating users

2017-08-02 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/NIFI-4210?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16110875#comment-16110875
 ] 

ASF GitHub Bot commented on NIFI-4210:
--

Github user mcgilman commented on a diff in the pull request:

https://github.com/apache/nifi/pull/2047#discussion_r130873359
  
--- Diff: 
nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/api/AccessResource.java
 ---
@@ -125,6 +142,160 @@ public Response getLoginConfig(@Context 
HttpServletRequest httpServletRequest) {
 return generateOkResponse(entity).build();
 }
 
+@GET
+@Consumes(MediaType.WILDCARD)
+@Produces(MediaType.WILDCARD)
+@Path("oidc/request")
+@ApiOperation(
+value = "Initiates a request to authenticate through the 
configured OpenId Connect provider."
+)
+public void oidcRequest(@Context HttpServletRequest 
httpServletRequest, @Context HttpServletResponse httpServletResponse) throws 
Exception {
+// only consider user specific access over https
+if (!httpServletRequest.isSecure()) {
+forwardToMessagePage(httpServletRequest, httpServletResponse, 
"User authentication/authorization is only supported when running over HTTPS.");
+return;
+}
+
+// ensure oidc is enabled
+if (!oidcService.isOidcEnabled()) {
+forwardToMessagePage(httpServletRequest, httpServletResponse, 
"OpenId Connect is not configured.");
+return;
+}
+
+final String oidcRequestIdentifier = UUID.randomUUID().toString();
+
+// generate a cookie to associate this login sequence
+final Cookie cookie = new Cookie(OIDC_REQUEST_IDENTIFIER, 
oidcRequestIdentifier);
+cookie.setPath("/");
+cookie.setHttpOnly(true);
+cookie.setMaxAge(60);
+cookie.setSecure(true);
+httpServletResponse.addCookie(cookie);
+
+// get the state for this request
+final State state = oidcService.createState(oidcRequestIdentifier);
+
+// build the authorization uri
+final URI authorizationUri = 
UriBuilder.fromUri(oidcService.getAuthorizationEndpoint())
+.queryParam("client_id", oidcService.getClientId())
+.queryParam("response_type", "code")
+.queryParam("scope", oidcService.getScope().toString())
+.queryParam("state", state.getValue())
+.queryParam("redirect_uri", getOidcCallback())
+.build();
+
+// generate the response
+httpServletResponse.sendRedirect(authorizationUri.toString());
+}
+
+@GET
+@Consumes(MediaType.WILDCARD)
+@Produces(MediaType.WILDCARD)
+@Path("oidc/callback")
+@ApiOperation(
+value = "Redirect/callback URI for processing the result of 
the OpenId Connect login sequence."
+)
+public void oidcCallback(@Context HttpServletRequest 
httpServletRequest, @Context HttpServletResponse httpServletResponse) throws 
Exception {
+// only consider user specific access over https
+if (!httpServletRequest.isSecure()) {
+forwardToMessagePage(httpServletRequest, httpServletResponse, 
"User authentication/authorization is only supported when running over HTTPS.");
+return;
+}
+
+// ensure oidc is enabled
+if (!oidcService.isOidcEnabled()) {
+forwardToMessagePage(httpServletRequest, httpServletResponse, 
"OpenId Connect is not configured.");
+return;
+}
+
+final String oidcRequestIdentifier = 
getCookieValue(httpServletRequest.getCookies(), OIDC_REQUEST_IDENTIFIER);
+if (oidcRequestIdentifier == null) {
+forwardToMessagePage(httpServletRequest, httpServletResponse, 
"The login request identifier was not found in the request. Unable to 
continue.");
+return;
+}
+
+final com.nimbusds.openid.connect.sdk.AuthenticationResponse 
oidcResponse = AuthenticationResponseParser.parse(getRequestUri());
+if (oidcResponse.indicatesSuccess()) {
+final AuthenticationSuccessResponse successfulOidcResponse = 
(AuthenticationSuccessResponse) oidcResponse;
+
+// confirm state
+final State state = successfulOidcResponse.getState();
+if (!oidcService.isStateValid(oidcRequestIdentifier, state)) {
+logger.error("Purposed state does not match the stored 
state. Unable to continue login process.");
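Review bot: `cookie.setMaxAge(60)` in `oidcRequest` gives the user 60 seconds to finish signing in at the provider. When the round trip takes longer, the cookie has expired and `oidcCallback` falls into the `oidcRequestIdentifier == null` branch, whose message says the identifier "was not found" with no hint that the login simply timed out. Move the lifetime to a named constant, size it for an interactive login, and mention expiry in that message.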
--- End diff --

That's a typo. It 

[GitHub] nifi pull request #2047: NIFI-4210: Add support for OpenId Connect

2017-08-02 Thread mcgilman
Github user mcgilman commented on a diff in the pull request:

https://github.com/apache/nifi/pull/2047#discussion_r130873359
  
--- Diff: 
nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/api/AccessResource.java
 ---
@@ -125,6 +142,160 @@ public Response getLoginConfig(@Context 
HttpServletRequest httpServletRequest) {
 return generateOkResponse(entity).build();
 }
 
+@GET
+@Consumes(MediaType.WILDCARD)
+@Produces(MediaType.WILDCARD)
+@Path("oidc/request")
+@ApiOperation(
+value = "Initiates a request to authenticate through the 
configured OpenId Connect provider."
+)
+public void oidcRequest(@Context HttpServletRequest 
httpServletRequest, @Context HttpServletResponse httpServletResponse) throws 
Exception {
+// only consider user specific access over https
+if (!httpServletRequest.isSecure()) {
+forwardToMessagePage(httpServletRequest, httpServletResponse, 
"User authentication/authorization is only supported when running over HTTPS.");
+return;
+}
+
+// ensure oidc is enabled
+if (!oidcService.isOidcEnabled()) {
+forwardToMessagePage(httpServletRequest, httpServletResponse, 
"OpenId Connect is not configured.");
+return;
+}
+
+final String oidcRequestIdentifier = UUID.randomUUID().toString();
+
+// generate a cookie to associate this login sequence
+final Cookie cookie = new Cookie(OIDC_REQUEST_IDENTIFIER, 
oidcRequestIdentifier);
+cookie.setPath("/");
+cookie.setHttpOnly(true);
+cookie.setMaxAge(60);
+cookie.setSecure(true);
+httpServletResponse.addCookie(cookie);
+
+// get the state for this request
+final State state = oidcService.createState(oidcRequestIdentifier);
+
+// build the authorization uri
+final URI authorizationUri = 
UriBuilder.fromUri(oidcService.getAuthorizationEndpoint())
+.queryParam("client_id", oidcService.getClientId())
+.queryParam("response_type", "code")
+.queryParam("scope", oidcService.getScope().toString())
+.queryParam("state", state.getValue())
+.queryParam("redirect_uri", getOidcCallback())
+.build();
+
+// generate the response
+httpServletResponse.sendRedirect(authorizationUri.toString());
+}
+
+@GET
+@Consumes(MediaType.WILDCARD)
+@Produces(MediaType.WILDCARD)
+@Path("oidc/callback")
+@ApiOperation(
+value = "Redirect/callback URI for processing the result of 
the OpenId Connect login sequence."
+)
+public void oidcCallback(@Context HttpServletRequest 
httpServletRequest, @Context HttpServletResponse httpServletResponse) throws 
Exception {
+// only consider user specific access over https
+if (!httpServletRequest.isSecure()) {
+forwardToMessagePage(httpServletRequest, httpServletResponse, 
"User authentication/authorization is only supported when running over HTTPS.");
+return;
+}
+
+// ensure oidc is enabled
+if (!oidcService.isOidcEnabled()) {
+forwardToMessagePage(httpServletRequest, httpServletResponse, 
"OpenId Connect is not configured.");
+return;
+}
+
+final String oidcRequestIdentifier = 
getCookieValue(httpServletRequest.getCookies(), OIDC_REQUEST_IDENTIFIER);
+if (oidcRequestIdentifier == null) {
+forwardToMessagePage(httpServletRequest, httpServletResponse, 
"The login request identifier was not found in the request. Unable to 
continue.");
+return;
+}
+
+final com.nimbusds.openid.connect.sdk.AuthenticationResponse 
oidcResponse = AuthenticationResponseParser.parse(getRequestUri());
+if (oidcResponse.indicatesSuccess()) {
+final AuthenticationSuccessResponse successfulOidcResponse = 
(AuthenticationSuccessResponse) oidcResponse;
+
+// confirm state
+final State state = successfulOidcResponse.getState();
+if (!oidcService.isStateValid(oidcRequestIdentifier, state)) {
+logger.error("Purposed state does not match the stored 
state. Unable to continue login process.");
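Review bot: `AuthenticationResponseParser.parse(getRequestUri())` in `oidcCallback` has no error handling around it, and the method is declared `throws Exception`. A callback with a malformed query makes the parser throw, and the exception leaves the resource method instead of reaching `forwardToMessagePage` like the other failure branches here. Catch the parse failure and forward to the message page as those branches do.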
--- End diff --

That's a typo. It was meant to say the "Proposed state". I'll update 
accordingly.



[jira] [Commented] (NIFI-4210) Add OpenId Connect support for authenticating users

2017-08-02 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/NIFI-4210?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16110873#comment-16110873
 ] 

ASF GitHub Bot commented on NIFI-4210:
--

Github user mcgilman commented on a diff in the pull request:

https://github.com/apache/nifi/pull/2047#discussion_r130872958
  
--- Diff: 
nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/api/AccessResource.java
 ---
@@ -125,6 +142,160 @@ public Response getLoginConfig(@Context 
HttpServletRequest httpServletRequest) {
 return generateOkResponse(entity).build();
 }
 
+@GET
+@Consumes(MediaType.WILDCARD)
+@Produces(MediaType.WILDCARD)
+@Path("oidc/request")
+@ApiOperation(
+value = "Initiates a request to authenticate through the 
configured OpenId Connect provider."
+)
+public void oidcRequest(@Context HttpServletRequest 
httpServletRequest, @Context HttpServletResponse httpServletResponse) throws 
Exception {
+// only consider user specific access over https
+if (!httpServletRequest.isSecure()) {
+forwardToMessagePage(httpServletRequest, httpServletResponse, 
"User authentication/authorization is only supported when running over HTTPS.");
+return;
+}
+
+// ensure oidc is enabled
+if (!oidcService.isOidcEnabled()) {
+forwardToMessagePage(httpServletRequest, httpServletResponse, 
"OpenId Connect is not configured.");
+return;
+}
+
+final String oidcRequestIdentifier = UUID.randomUUID().toString();
+
+// generate a cookie to associate this login sequence
+final Cookie cookie = new Cookie(OIDC_REQUEST_IDENTIFIER, 
oidcRequestIdentifier);
+cookie.setPath("/");
+cookie.setHttpOnly(true);
+cookie.setMaxAge(60);
+cookie.setSecure(true);
+httpServletResponse.addCookie(cookie);
+
+// get the state for this request
+final State state = oidcService.createState(oidcRequestIdentifier);
+
+// build the authorization uri
+final URI authorizationUri = 
UriBuilder.fromUri(oidcService.getAuthorizationEndpoint())
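Review bot: `cookie.setPath("/")` makes the browser send the `OIDC_REQUEST_IDENTIFIER` cookie with every request to this host for its lifetime, although per the comment above it the cookie exists only to associate this login sequence. Scope the path to the resource that completes the login so the identifier is presented only where it is consumed; `setHttpOnly(true)` and `setSecure(true)` are already right.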
--- End diff --

The only value that isn't checked here is the authorization endpoint. The 
remainder of the checks are done during start up in the 
`StandardOidcIdentityProvider` constructor. I'll update it to verify the 
presence of the endpoints that we explicitly invoke.


> Add OpenId Connect support for authenticating users
> ---------------------------------------------------
>
> Key: NIFI-4210
> URL: https://issues.apache.org/jira/browse/NIFI-4210
> Project: Apache NiFi
> Issue Type: Improvement
> Components: Core Framework, Core UI
> Reporter: Matt Gilman
> Assignee: Matt Gilman
>
> Add support for authenticating users with the OpenId Connection 
> specification. Evaluate whether a new extension point is necessary to allow 
> for a given provider to supply custom code for instance to implement custom 
> token validation.





[jira] [Commented] (NIFI-4210) Add OpenId Connect support for authenticating users

2017-08-02 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/NIFI-4210?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16110865#comment-16110865
 ] 

ASF GitHub Bot commented on NIFI-4210:
--

Github user mcgilman commented on a diff in the pull request:

https://github.com/apache/nifi/pull/2047#discussion_r130871309
  
--- Diff: 
nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/api/AccessResource.java
 ---
@@ -125,6 +142,160 @@ public Response getLoginConfig(@Context 
HttpServletRequest httpServletRequest) {
 return generateOkResponse(entity).build();
 }
 
+@GET
+@Consumes(MediaType.WILDCARD)
+@Produces(MediaType.WILDCARD)
+@Path("oidc/request")
+@ApiOperation(
+value = "Initiates a request to authenticate through the 
configured OpenId Connect provider."
+)
+public void oidcRequest(@Context HttpServletRequest 
httpServletRequest, @Context HttpServletResponse httpServletResponse) throws 
Exception {
+// only consider user specific access over https
+if (!httpServletRequest.isSecure()) {
+forwardToMessagePage(httpServletRequest, httpServletResponse, 
"User authentication/authorization is only supported when running over HTTPS.");
+return;
+}
+
+// ensure oidc is enabled
+if (!oidcService.isOidcEnabled()) {
+forwardToMessagePage(httpServletRequest, httpServletResponse, 
"OpenId Connect is not configured.");
+return;
+}
+
+final String oidcRequestIdentifier = UUID.randomUUID().toString();
+
+// generate a cookie to associate this login sequence
+final Cookie cookie = new Cookie(OIDC_REQUEST_IDENTIFIER, 
oidcRequestIdentifier);
+cookie.setPath("/");
+cookie.setHttpOnly(true);
+cookie.setMaxAge(60);
+cookie.setSecure(true);
+httpServletResponse.addCookie(cookie);
+
+// get the state for this request
+final State state = oidcService.createState(oidcRequestIdentifier);
+
+// build the authorization uri
+final URI authorizationUri = 
UriBuilder.fromUri(oidcService.getAuthorizationEndpoint())
+.queryParam("client_id", oidcService.getClientId())
+.queryParam("response_type", "code")
+.queryParam("scope", oidcService.getScope().toString())
+.queryParam("state", state.getValue())
+.queryParam("redirect_uri", getOidcCallback())
+.build();
+
+// generate the response
+httpServletResponse.sendRedirect(authorizationUri.toString());
+}
+
+@GET
+@Consumes(MediaType.WILDCARD)
+@Produces(MediaType.WILDCARD)
+@Path("oidc/callback")
+@ApiOperation(
+value = "Redirect/callback URI for processing the result of 
the OpenId Connect login sequence."
+)
+public void oidcCallback(@Context HttpServletRequest 
httpServletRequest, @Context HttpServletResponse httpServletResponse) throws 
Exception {
+// only consider user specific access over https
+if (!httpServletRequest.isSecure()) {
+forwardToMessagePage(httpServletRequest, httpServletResponse, 
"User authentication/authorization is only supported when running over HTTPS.");
+return;
+}
+
+// ensure oidc is enabled
+if (!oidcService.isOidcEnabled()) {
+forwardToMessagePage(httpServletRequest, httpServletResponse, 
"OpenId Connect is not configured.");
+return;
+}
+
+final String oidcRequestIdentifier = 
getCookieValue(httpServletRequest.getCookies(), OIDC_REQUEST_IDENTIFIER);
+if (oidcRequestIdentifier == null) {
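Review bot: the authorization URI built in `oidcRequest` sends `client_id`, `response_type`, `scope`, `state` and `redirect_uri` but no `nonce`. With a `response_type` of `code` the nonce is optional, but adding one tied to `oidcRequestIdentifier` and checking it against the ID token would bind the returned token to this login sequence, as `state` already binds the redirect. If it is left out on purpose, say so in a comment next to the builder.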
--- End diff --

`getCookieValue` returns null when no cookie is found with the specified 
name. I'll update the Javadocs on that method to make it clearer.

If there is a cookie with that name, we attempt to use the associated value 
in the login process. We have not formally defined a format for this 
identifier. Rather, we've left it just a `String` for now in case we choose to 
change it later.


> Add OpenId Connect support for authenticating users
> ---------------------------------------------------
>
> Key: NIFI-4210
> URL: https://issues.apache.org/jira/browse/NIFI-4210
> Project: Apache NiFi
> Issue Type: Improvement
> Components: Core Framework, Core UI
> Reporter: Matt Gilman
> Assignee: Matt Gilman
>
> Add support for authenticating users with the OpenId 

[GitHub] nifi pull request #2047: NIFI-4210: Add support for OpenId Connect

2017-08-02 Thread mcgilman
Github user mcgilman commented on a diff in the pull request:

https://github.com/apache/nifi/pull/2047#discussion_r130871309
  
--- Diff: 
nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/api/AccessResource.java
 ---
@@ -125,6 +142,160 @@ public Response getLoginConfig(@Context 
HttpServletRequest httpServletRequest) {
 return generateOkResponse(entity).build();
 }
 
+@GET
+@Consumes(MediaType.WILDCARD)
+@Produces(MediaType.WILDCARD)
+@Path("oidc/request")
+@ApiOperation(
+value = "Initiates a request to authenticate through the 
configured OpenId Connect provider."
+)
+public void oidcRequest(@Context HttpServletRequest 
httpServletRequest, @Context HttpServletResponse httpServletResponse) throws 
Exception {
+// only consider user specific access over https
+if (!httpServletRequest.isSecure()) {
+forwardToMessagePage(httpServletRequest, httpServletResponse, 
"User authentication/authorization is only supported when running over HTTPS.");
+return;
+}
+
+// ensure oidc is enabled
+if (!oidcService.isOidcEnabled()) {
+forwardToMessagePage(httpServletRequest, httpServletResponse, 
"OpenId Connect is not configured.");
+return;
+}
+
+final String oidcRequestIdentifier = UUID.randomUUID().toString();
+
+// generate a cookie to associate this login sequence
+final Cookie cookie = new Cookie(OIDC_REQUEST_IDENTIFIER, 
oidcRequestIdentifier);
+cookie.setPath("/");
+cookie.setHttpOnly(true);
+cookie.setMaxAge(60);
+cookie.setSecure(true);
+httpServletResponse.addCookie(cookie);
+
+// get the state for this request
+final State state = oidcService.createState(oidcRequestIdentifier);
+
+// build the authorization uri
+final URI authorizationUri = 
UriBuilder.fromUri(oidcService.getAuthorizationEndpoint())
+.queryParam("client_id", oidcService.getClientId())
+.queryParam("response_type", "code")
+.queryParam("scope", oidcService.getScope().toString())
+.queryParam("state", state.getValue())
+.queryParam("redirect_uri", getOidcCallback())
+.build();
+
+// generate the response
+httpServletResponse.sendRedirect(authorizationUri.toString());
+}
+
+@GET
+@Consumes(MediaType.WILDCARD)
+@Produces(MediaType.WILDCARD)
+@Path("oidc/callback")
+@ApiOperation(
+value = "Redirect/callback URI for processing the result of 
the OpenId Connect login sequence."
+)
+public void oidcCallback(@Context HttpServletRequest 
httpServletRequest, @Context HttpServletResponse httpServletResponse) throws 
Exception {
+// only consider user specific access over https
+if (!httpServletRequest.isSecure()) {
+forwardToMessagePage(httpServletRequest, httpServletResponse, 
"User authentication/authorization is only supported when running over HTTPS.");
+return;
+}
+
+// ensure oidc is enabled
+if (!oidcService.isOidcEnabled()) {
+forwardToMessagePage(httpServletRequest, httpServletResponse, 
"OpenId Connect is not configured.");
+return;
+}
+
+final String oidcRequestIdentifier = 
getCookieValue(httpServletRequest.getCookies(), OIDC_REQUEST_IDENTIFIER);
+if (oidcRequestIdentifier == null) {
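Review bot: In oidcRequest, `cookie.setMaxAge(60)` gives the user only 60 seconds to finish authenticating at the provider before the request-identifier cookie expires. A login that takes longer than that returns to oidcCallback without the cookie, so `getCookieValue(...)` yields null and the callback has no identifier with which to look up the state made by `oidcService.createState(oidcRequestIdentifier)`. Consider a longer lifetime aligned with how long the service keeps that state, and have the null branch tell the user the login sequence expired. Two smaller points: the authorization URI carries `state` but not OpenID Connect's optional `nonce` parameter, which would also bind the returned ID token to this request; and the HTTPS and `isOidcEnabled()` checks are repeated verbatim in both methods and could move into one private helper.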
--- End diff --

`getCookieValue` returns null when no cookie is found with the specified 
name. I'll update the Javadocs on that method to make it clearer.

If there is a cookie with that name, we attempt to use the associated value 
in the login process. We have not formally defined a format for this 
identifier. Rather, we've left it just a `String` for now in case we choose to 
change it later.




[jira] [Commented] (NIFI-4256) Add support for all AWS S3 Encryption Options

2017-08-02 Thread Pierre Villard (JIRA)

[ https://issues.apache.org/jira/browse/NIFI-4256?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16110780#comment-16110780 ]

Pierre Villard commented on NIFI-4256:
--------------------------------------

I'm a bit worried about:
bq. Note: We will not support the existing server-side-encryption option so 
this will be a breaking change for existing users.

If this is a breaking change and if existing workflows are going to behave 
differently after a NiFi upgrade, this change might need to wait for a v2.0.0 
release.

> Add support for all AWS S3 Encryption Options
> ---------------------------------------------
>
> Key: NIFI-4256
> URL: https://issues.apache.org/jira/browse/NIFI-4256
> Project: Apache NiFi
> Issue Type: Improvement
> Components: Core Framework
> Affects Versions: 1.2.0
> Reporter: Franco
> Labels: aws, aws-s3, security
> Fix For: 1.4.0
>
>
> NiFi currently only supports SSE-S3 encryption (AES256).
> Support needs to be added for:
> * SSE-S3
> * SSE-KMS
> * SSE-C
> * CSE-KMS CMK
> * CSE-Master Key
> With all of the appropriate configuration options and such that SSE is 
> available only for PutS3Object whilst CSE is available also for FetchS3Object.
> Given that this will add another 20 or so UI properties the intention is to 
> split it into a Client Side Encryption Service and Server Side Encryption 
> Service. This will allow users to reuse "encryption" across different 
> workflows.
> Note: We will not support the existing server-side-encryption option so this 
> will be a breaking change for existing users. 



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)


[jira] [Created] (NIFI-4257) Allow a custom WHERE clause in AbstractDatabaseFetchProcessor

2017-08-02 Thread Pierre Villard (JIRA)
Pierre Villard created NIFI-4257:


Summary: Allow a custom WHERE clause in AbstractDatabaseFetchProcessor
Key: NIFI-4257
URL: https://issues.apache.org/jira/browse/NIFI-4257
Project: Apache NiFi
Issue Type: Improvement
Components: Extensions
Reporter: Pierre Villard
Assignee: Pierre Villard


It could be useful to allow a user to set a custom WHERE clause in 
AbstractDatabaseFetchProcessor in case not all of the data in the table is 
required.

In case the WHERE clause is changed after the processor has already been 
running, the user will probably have to set the initial maximum values to 
ensure the expected behaviour.





[jira] [Commented] (NIFI-4256) Add support for all AWS S3 Encryption Options

2017-08-02 Thread Franco (JIRA)

[ https://issues.apache.org/jira/browse/NIFI-4256?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16110385#comment-16110385 ]

Franco commented on NIFI-4256:
------------------------------

Patch is currently undergoing internal testing and will be submitted for review.



[jira] [Created] (NIFI-4256) Add support for all AWS S3 Encryption Options

2017-08-02 Thread Franco (JIRA)
Franco created NIFI-4256:


Summary: Add support for all AWS S3 Encryption Options
Key: NIFI-4256
URL: https://issues.apache.org/jira/browse/NIFI-4256
Project: Apache NiFi
Issue Type: Improvement
Components: Core Framework
Affects Versions: 1.2.0
Reporter: Franco
Fix For: 1.4.0


NiFi currently only supports SSE-S3 encryption (AES256).

Support needs to be added for:
* SSE-S3
* SSE-KMS
* SSE-C
* CSE-KMS CMK
* CSE-Master Key

With all of the appropriate configuration options and such that SSE is 
available only for PutS3Object whilst CSE is available also for FetchS3Object.

Given that this will add another 20 or so UI properties the intention is to 
split it into a Client Side Encryption Service and Server Side Encryption 
Service. This will allow users to reuse "encryption" across different workflows.

Note: We will not support the existing server-side-encryption option so this 
will be a breaking change for existing users. 


