[
https://issues.apache.org/jira/browse/NIFI-15141?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
segad44 updated NIFI-15141:
---------------------------
Affects Version/s: 2.7.2, 2.7.1, 2.7.0, 2.6.0
> OpenID Connect groups are not forwarded when proxying requests to NiFi Registry
> -------------------------------------------------------------------------------
>
> Key: NIFI-15141
> URL: https://issues.apache.org/jira/browse/NIFI-15141
> Project: Apache NiFi
> Issue Type: Bug
> Components: NiFi API, NiFi Registry
> Affects Versions: 2.4.0, 2.5.0, 2.6.0, 2.7.0, 2.7.1, 2.7.2
> Environment: docker compose, Kubernetes
> Reporter: segad44
> Priority: Major
>
> NiFi does not send all identity information of the user when proxying
> requests to NiFi Registry.
> This causes issues for NiFi Registry when verifying user permissions.
> As a result, if only the group of the OIDC user is declared on NiFi Registry,
> the user cannot start flow versioning.
> This issue concerns NiFi with the OIDC provisioner (others not tested).
> h3. To reproduce
> Tried with versions 2.4.0 and 2.5.0; with 2.6.0 another issue blocks me at
> step `2.`
> Basic OIDC setup:
> 1. Configure NiFi and NiFi Registry with OIDC
> 2. Declare the group datascientist on both NiFi and NiFi Registry and give it
> all user permissions
> a. Nifi: view, modify, operate the main process group + view the
> controller
> b. Nifi Registry: can manage bucket
> 3. On the Idp, create the user `user-a` in the group datascientist
> At this point, everything is working as expected: the user can access NiFi
> and NiFi Registry with the correct permissions.
> Now, associate NiFi with NiFi Registry
> 4. Create a keystore with a mTLS client certificate for NiFi to authenticate
> with NiFi Registry
> 5. On NiFi, create a NifiRegistryFlowRegistryClient with the previous keystore
> 6. On NiFi Registry, create a bucket `test`
> 7. On NiFi Registry, create the user `CN=nifi` with the permissions "can
> proxy user requests"
> The issue is that `user-a` cannot start flow versioning from NiFi.
> But they should be able to, because of their permissions from the `datascientist` group.
> h3. Additional information
> When NiFi tries to get buckets on NiFi Registry, the HTTP request to nifi-api
> is:
> {code:java}
> GET https://localhost:8443/nifi-api/flow/registries/00ea78fd-019a-1000-2e8c-3915df4085d6/buckets
> {code}
> The result is an empty list:
> {code:java}
> "buckets": []
> {code}
> The JWT is valid and contains the datascientist group for `user-a`.
> Decoded payload from JWT Cookie:
> {code:java}
> {
>   "sub": "[email protected]",
>   "aud": "https://e5a83c398392:8443",
>   "nbf": 1760963601,
>   "iss": "https://e5a83c398392:8443",
>   "groups": [
>     "datascientist"
>   ],
>   "preferred_username": "[email protected]",
>   "exp": 1760963661,
>   "iat": 1760963601,
>   "jti": "f88c463d-dce9-4048-b155-fcba3d2bf765"
> }
> {code}
> h3. Workaround
> We must declare users on NiFi Registry and associate them with the correct
> group.
> Thus, the user is known on NiFi Registry and associated with the groups that
> have the required permissions on the buckets.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)