[ https://issues.apache.org/jira/browse/NIFIREG-33?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16240870#comment-16240870 ]
ASF GitHub Bot commented on NIFIREG-33:
---------------------------------------
Github user bbende commented on the issue:
https://github.com/apache/nifi-registry/pull/29
@kevdoran I looked into the issue with the app not shutting down cleanly...
taking a thread dump showed:
```
" (ldap-user-group-provider) - background sync thread" #28 prio=5 os_prio=31 tid=0x00007f86f06f2000 nid=0x140b waiting on condition [0x0000700002cf5000]
   java.lang.Thread.State: TIMED_WAITING (parking)
    at sun.misc.Unsafe.park(Native Method)
    - parking to wait for <0x00000007a1560750> (a java.util.concurrent.locks.AbstractQueuedSynchronizer$ConditionObject)
    at java.util.concurrent.locks.LockSupport.parkNanos(LockSupport.java:215)
    at java.util.concurrent.locks.AbstractQueuedSynchronizer$ConditionObject.awaitNanos(AbstractQueuedSynchronizer.java:2078)
    at java.util.concurrent.ScheduledThreadPoolExecutor$DelayedWorkQueue.take(ScheduledThreadPoolExecutor.java:1093)
    at java.util.concurrent.ScheduledThreadPoolExecutor$DelayedWorkQueue.take(ScheduledThreadPoolExecutor.java:809)
    at java.util.concurrent.ThreadPoolExecutor.getTask(ThreadPoolExecutor.java:1074)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1134)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
    at java.lang.Thread.run(Thread.java:748)
```
Digging in further, I realized we don't have a concept of shutting down
extensions, even though the authorizer, user/group provider, and policy
providers do have a preDestruction method which would have shut down that thread
if we called it.
Tested a change where I made AuthorizerFactory extend DisposableBean and
added:
```
@Override
public void destroy() throws Exception {
    if (authorizers != null) {
        authorizers.entrySet().stream().forEach(e -> e.getValue().preDestruction());
    }
    if (accessPolicyProviders != null) {
        accessPolicyProviders.entrySet().stream().forEach(e -> e.getValue().preDestruction());
    }
    if (userGroupProviders != null) {
        userGroupProviders.entrySet().stream().forEach(e -> e.getValue().preDestruction());
    }
}
```
This appears to work, so if you can add that for AuthorizerFactory and
LoginIdentityProviderFactory then we should be good for that one.
> Add LDAP and JWT identity providers NiFi Registry security framework
> --------------------------------------------------------------------
>
> Key: NIFIREG-33
> URL: https://issues.apache.org/jira/browse/NIFIREG-33
> Project: NiFi Registry
> Issue Type: Improvement
> Reporter: Kevin Doran
> Assignee: Kevin Doran
>
> The initial addition of a security model to the NiFi Registry framework only
> included support for certificates as a means of establishing client identity
> for authentication.
> In order to support more flexible methods of client authentication, this
> ticket is to provide two new identity providers:
> * LDAPProvider - will verify username/password for authentication and allow
> JWT token generation via the REST API
> * JWTIdentityProvider - will authenticate tokens that were generated by the
> registry on subsequent requests.
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
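
The shutdown pattern discussed in the comment above, as an added example that is not code from the pull request or from NiFi Registry. `Extension`, `SyncingProvider` and `destroyAll` are hypothetical names; the example goes one step further than the posted `destroy()` by catching a failure in one extension's hook so the remaining extensions are still stopped.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.concurrent.Executors;
import java.util.concurrent.ScheduledExecutorService;
import java.util.concurrent.TimeUnit;

public class ExtensionShutdownDemo {

    // Hypothetical stand-in for an extension that exposes a preDestruction hook.
    interface Extension {
        void preDestruction();
    }

    // Constructed provider: owns a non-daemon scheduler thread, like the
    // background sync thread in the dump, which keeps the JVM alive until stopped.
    static class SyncingProvider implements Extension {
        private final ScheduledExecutorService scheduler =
                Executors.newSingleThreadScheduledExecutor();

        SyncingProvider() {
            scheduler.scheduleWithFixedDelay(() -> { /* sync users and groups */ },
                    0, 30, TimeUnit.SECONDS);
        }

        @Override
        public void preDestruction() {
            scheduler.shutdownNow();
        }

        boolean isStopped() {
            return scheduler.isShutdown();
        }
    }

    // Calls every hook and returns the number that failed; one failing
    // extension does not prevent the others from being shut down.
    static int destroyAll(Map<String, Extension> extensions) {
        int failures = 0;
        if (extensions == null) {
            return failures;
        }
        for (Map.Entry<String, Extension> e : extensions.entrySet()) {
            try {
                e.getValue().preDestruction();
            } catch (RuntimeException ex) {
                failures++;
                System.err.println("preDestruction failed for " + e.getKey() + ": " + ex);
            }
        }
        return failures;
    }

    public static void main(String[] args) {
        Map<String, Extension> providers = new LinkedHashMap<>();
        // Constructed failure placed first to show that later hooks still run.
        providers.put("broken-provider", () -> { throw new IllegalStateException("constructed failure"); });
        SyncingProvider ldap = new SyncingProvider();
        providers.put("ldap-user-group-provider", ldap);
        int failures = destroyAll(providers);
        System.out.println("failures=" + failures + ", ldap stopped=" + ldap.isStopped());
    }
}
```

If the call to `destroyAll` is removed from `main`, the process does not exit, because the scheduler's worker thread is a non-daemon thread.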