Hi all, I didn't get much traction when I raised this question a few weeks ago. Is there any appetite for re-addressing the Jira ticket mentioned?
Regards
Steve Hindmarch

From: stephen.hindmarch.bt.com via users <users@nifi.apache.org>
Sent: Friday, April 12, 2024 12:15 PM
To: users@nifi.apache.org
Subject: Authorisation with multi-tiered groups

Hi all, I have started working with a new client who is using AD for authentication and authorization and has a complex 3-tiered structure for their group membership. By using an LDAP authorization provider NiFi cannot see when a given user is ultimately a member of a configured NiFi role, and so a workaround is needed. We are currently using the Shell User Group provider, as the AD CLI connection flattens all group membership, but this comes with its own problems, which I am in the process of investigating.

Just to explain how the group structure works:

* I create NiFi related roles by granting access policies to an app specific group, for example "role_nifi_admin" has the policies needed to admin the NiFi cluster.
* Members of the role group are "responsibility" groups, such as "resp_ingest_admin", for ingest pipeline admins.
* Members of the responsibility group are "team" groups, such as "team_admin_ops", for the IT operations team.
* Members of the team group are the actual operator users who are administering NiFi.

This complex structure gives the customer the flexibility they need to manage the large, multiskilled team they have managing and running a complex project, of which NiFi is only one component. But as stated, NiFi does not support this through the LDAP authorization provider, as it does not navigate the multiple tiers when checking which groups a user is a member of. So, it cannot check if my user is ultimately a member of the role group it has configured with access policies; it can only tell the user is a member of the team group, for which it has no policies. Can anyone suggest a better workaround than using the Shell User Group provider?
I can also see there was a previous Jira requesting that the LDAP provider implement filters that would apparently solve this problem. See [NIFI-8035] Handle nested LDAP groups in LdapUserGroupProvider <https://issues.apache.org/jira/browse/NIFI-8035> and the associated pull request "NIFI-8035: added userGroupsFilterExpression to allow per user LDAP filters and LDAP nested groups" by CefBoud, Pull Request #4681, apache/nifi <https://github.com/apache/nifi/pull/4681>. This request is still open, and the pull request has been marked as stale. Can anyone say if this ticket would indeed have solved my problem, and is there any interest in reviving it?

Thanks
Steve Hindmarch
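The gap described in the thread, a one-tier lookup versus a transitive one, is easy to see in a small model. The following is an added example, not code from NiFi or from the linked pull request: it builds a constructed in-memory directory with the exact role/responsibility/team chain from the message, shows that a direct `member` lookup never reaches "role_nifi_admin" while a walk up the chain does (with a visited set and depth cap so a cyclic or very deep hierarchy cannot loop), and shows the Active Directory filter shape that makes the server do the same walk: the `LDAP_MATCHING_RULE_IN_CHAIN` matching rule, OID 1.2.840.113556.1.4.1941, applied to `member`. That OID is a real AD feature; whether NIFI-8035's `userGroupsFilterExpression` is meant to carry exactly that filter is not stated on the page and is an assumption here. The DN escaping follows RFC 4515 so that a user-supplied DN cannot alter the filter's structure.

```python
"""Nested (multi-tier) LDAP group resolution: direct vs. transitive membership."""
from collections import deque

BASE = "dc=example,dc=com"  # constructed sample suffix


def group_dn(name):
    return f"cn={name},ou=groups,{BASE}"


def user_dn(name):
    return f"cn={name},ou=users,{BASE}"


# Constructed sample directory: each group's "member" attribute values.
# Tiers follow the thread: role -> responsibility -> team -> user.
DIRECTORY = {
    group_dn("role_nifi_admin"): [group_dn("resp_ingest_admin")],
    group_dn("resp_ingest_admin"): [group_dn("team_admin_ops"), group_dn("team_data_eng")],
    group_dn("team_admin_ops"): [user_dn("steve")],
    group_dn("team_data_eng"): [user_dn("alice")],
    group_dn("team_readonly"): [user_dn("bob")],
}


def direct_groups(member_dn, directory=DIRECTORY):
    """Groups whose member attribute lists member_dn directly (one tier only).

    This is the view a flat LDAP group lookup gets.
    """
    return sorted(g for g, members in directory.items() if member_dn in members)


def effective_groups(member_dn, directory=DIRECTORY, max_depth=32):
    """Transitive closure of group membership (what a nested-group resolver needs).

    Breadth-first walk from the user's direct groups up through each group's own
    parents. The visited set stops cycles (group A in B, B in A) and max_depth
    bounds the walk on a malformed or hostile directory.
    """
    seen = set()
    queue = deque((g, 1) for g in direct_groups(member_dn, directory))
    while queue:
        dn, depth = queue.popleft()
        if dn in seen or depth > max_depth:
            continue
        seen.add(dn)
        for parent in direct_groups(dn, directory):
            queue.append((parent, depth + 1))
    return sorted(seen)


def has_role(user, role, directory=DIRECTORY, nested=True):
    """True if user holds role, either directly or (nested=True) through any tier."""
    groups = effective_groups(user, directory) if nested else direct_groups(user, directory)
    return role in groups


def escape_filter_value(value):
    """RFC 4515 escaping for an assertion value placed inside an LDAP filter."""
    out = []
    for ch in value:
        if ch == "\\":
            out.append("\\5c")
        elif ch == "*":
            out.append("\\2a")
        elif ch == "(":
            out.append("\\28")
        elif ch == ")":
            out.append("\\29")
        elif ch == "\x00":
            out.append("\\00")
        else:
            out.append(ch)
    return "".join(out)


def ad_nested_member_filter(user):
    """AD filter that matches every group the user is in, at any depth.

    1.2.840.113556.1.4.1941 is LDAP_MATCHING_RULE_IN_CHAIN; the server walks
    the member chain so the client sees a flattened result in one search.
    """
    return f"(member:1.2.840.113556.1.4.1941:={escape_filter_value(user)})"


if __name__ == "__main__":
    steve, role = user_dn("steve"), group_dn("role_nifi_admin")
    print("direct   :", direct_groups(steve))
    print("effective:", effective_groups(steve))
    print("flat  has role:", has_role(steve, role, nested=False))
    print("nested has role:", has_role(steve, role))
    print("AD filter:", ad_nested_member_filter(steve))
```

Running it shows the flat lookup returning only "team_admin_ops" for steve, so a policy bound to "role_nifi_admin" never applies; the nested walk returns all three tiers. Flattening on the client (as the Shell provider effectively does) and flattening on the server (the matching-rule filter) give the same answer; the difference is where the cost and the trust boundary sit.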