[ https://issues.apache.org/jira/browse/NIFI-2517?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17779636#comment-17779636 ]
Michael W Moser commented on NIFI-2517: --------------------------------------- One use case in favor of this is to input an RFC-2253 formatted DN into authorizers.xml Initial Admin Identity only to have it not match the X500Principal name of the actual certificate because NiFi only accepts RFC-1779 formatting. > Apply ordering to DNs from certificates > --------------------------------------- > > Key: NIFI-2517 > URL: https://issues.apache.org/jira/browse/NIFI-2517 > Project: Apache NiFi > Issue Type: Improvement > Affects Versions: 1.0.0, 0.7.0 > Reporter: Bryan Bende > Priority: Minor > > Currently when a user authenticates to NiFi with a certificate, the DN is > extracted with the following code from SubjectDnX509PrincipalExtractor: > {code} > public Object extractPrincipal(X509Certificate cert) { > return cert.getSubjectDN().getName().trim(); > } > {code} > This string ends up being the user identity that needs to line up with > policies. > It is not guaranteed that the subject DN from a certificate will always be in > a known format. For example, one cert can put the CN before the OU, and > another can put the OU before the CN. Different tools can also display the > same DN in different orders, such as openssl vs keytool. > NiFi should be able to apply a re-ordering of the DNs so that after passing > through the X509 authentication code, the app can then assume the DN is in a > known order. We should also consider how this interacts with the identity > mapping concept introduced in 1.0.0. > In addition we are currently using getSubjectDN() from X509 certificate and > the Java Doc says: > {code} > * <strong>Denigrated</strong>, replaced by {@linkplain > * #getSubjectX500Principal()}. This method returns the {@code subject} > * as an implementation specific Principal object, which should not be > * relied upon by portable code. > {code} > So we may want to look at moving away from that method. -- This message was sent by Atlassian Jira (v8.20.10#820010)