[GitHub] nifi pull request: Nifi 1274
Github user JPercivall commented on a diff in the pull request: https://github.com/apache/nifi/pull/284#discussion_r56509790 --- Diff: nifi-nar-bundles/nifi-kerberos-iaa-providers-bundle/nifi-kerberos-iaa-providers/src/test/resources/nifi.properties --- @@ -0,0 +1,185 @@ +# Licensed to the Apache Software Foundation (ASF) under one or more +# contributor license agreements. See the NOTICE file distributed with +# this work for additional information regarding copyright ownership. +# The ASF licenses this file to You under the Apache License, Version 2.0 +# (the "License"); you may not use this file except in compliance with +# the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# Core Properties # +nifi.version=0.6.0-SNAPSHOT +nifi.flow.configuration.file=./conf/flow.xml.gz +nifi.flow.configuration.archive.dir=./conf/archive/ +nifi.flowcontroller.autoResumeState=true +nifi.flowcontroller.graceful.shutdown.period=10 sec +nifi.flowservice.writedelay.interval=500 ms +nifi.administrative.yield.duration=30 sec +# If a component has no work to do (is "bored"), how long should we wait before checking again for work? +nifi.bored.yield.duration=10 millis + +nifi.authority.provider.configuration.file=./conf/authority-providers.xml +nifi.login.identity.provider.configuration.file=./conf/login-identity-providers.xml +nifi.templates.directory=./conf/templates +nifi.ui.banner.text= +nifi.ui.autorefresh.interval=30 sec +nifi.nar.library.directory=./lib +nifi.nar.working.directory=./work/nar/ +nifi.documentation.working.directory=./work/docs/components + + +# State Management # + +nifi.state.management.configuration.file=./conf/state-management.xml +# The ID of the local state provider +nifi.state.management.provider.local=local-provider +# The ID of the cluster-wide state provider. This will be ignored if NiFi is not clustered but must be populated if running in a cluster. +nifi.state.management.provider.cluster=zk-provider +# Specifies whether or not this instance of NiFi should run an embedded ZooKeeper server +nifi.state.management.embedded.zookeeper.start=false +# Properties file that provides the ZooKeeper properties to use if is set to true +nifi.state.management.embedded.zookeeper.properties=./conf/zookeeper.properties + + +# H2 Settings +nifi.database.directory=./database_repository +nifi.h2.url.append=;LOCK_TIMEOUT=25000;WRITE_DELAY=0;AUTO_SERVER=FALSE + +# FlowFile Repository +nifi.flowfile.repository.implementation=org.apache.nifi.controller.repository.WriteAheadFlowFileRepository +nifi.flowfile.repository.directory=./flowfile_repository +nifi.flowfile.repository.partitions=256 +nifi.flowfile.repository.checkpoint.interval=2 mins +nifi.flowfile.repository.always.sync=false + +nifi.swap.manager.implementation=org.apache.nifi.controller.FileSystemSwapManager +nifi.queue.swap.threshold=2 +nifi.swap.in.period=5 sec +nifi.swap.in.threads=1 +nifi.swap.out.period=5 sec +nifi.swap.out.threads=4 + +# Content Repository +nifi.content.repository.implementation=org.apache.nifi.controller.repository.FileSystemRepository +nifi.content.claim.max.appendable.size=10 MB +nifi.content.claim.max.flow.files=100 +nifi.content.repository.directory.default=./content_repository +nifi.content.repository.archive.max.retention.period=12 hours +nifi.content.repository.archive.max.usage.percentage=50% +nifi.content.repository.archive.enabled=true +nifi.content.repository.always.sync=false +nifi.content.viewer.url=/nifi-content-viewer/ + +# Provenance Repository Properties +nifi.provenance.repository.implementation=org.apache.nifi.provenance.PersistentProvenanceRepository + +# Persistent Provenance Repository Properties +nifi.provenance.repository.directory.default=./provenance_repository +nifi.provenance.repository.max.storage.time=24 hours +nifi.provenance.repository.max.storage.size=1 GB +nifi.provenance.repository.rollover.time=30 secs +nifi.provenance.repository.rollover.size=100 MB +nifi.provenance.repository.query.threads=2 +nifi.provenance.repository.index.threads=1 +nifi.provenance.repository.compress.on.rollover=true +nifi.provenance.repository.always.sync=false +nifi.provenance.repository.journal.count=16 +#
[GitHub] nifi pull request: Nifi 1274
Github user mcgilman commented on the pull request: https://github.com/apache/nifi/pull/284#issuecomment-197950387 +1 from me as well. Verified functionality for both standalone and clustered instances. Looking good. --- If your project is set up for it, you can reply to this email and have your reply appear on GitHub as well. If your project does not have this feature enabled and wishes so, or if the feature is enabled but not working, please contact infrastructure at infrastruct...@apache.org or file a JIRA ticket with INFRA. ---
[GitHub] nifi pull request: Nifi 1274
Github user alopresto commented on the pull request: https://github.com/apache/nifi/pull/284#issuecomment-197978496 All of @mcgilman 's changes are great. The test resources are files I added that make it easier to set up a Kerberized instance of NiFi for testing, but were not related to any code tests. We should remove them and I will try to follow up with integration tests for a future release. Thanks. --- If your project is set up for it, you can reply to this email and have your reply appear on GitHub as well. If your project does not have this feature enabled and wishes so, or if the feature is enabled but not working, please contact infrastructure at infrastruct...@apache.org or file a JIRA ticket with INFRA. ---
[GitHub] nifi pull request: Nifi 1274
Github user JPercivall commented on a diff in the pull request: https://github.com/apache/nifi/pull/284#discussion_r56507643 --- Diff: nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/jwt/JwtService.java --- @@ -70,8 +70,6 @@ public String getAuthenticationFromToken(final String base64EncodedToken) throws // TODO: Validate issuer against active registry? --- End diff -- NVM, it's not something that was modified in this patch. --- If your project is set up for it, you can reply to this email and have your reply appear on GitHub as well. If your project does not have this feature enabled and wishes so, or if the feature is enabled but not working, please contact infrastructure at infrastruct...@apache.org or file a JIRA ticket with INFRA. ---
[GitHub] nifi pull request: Nifi 1274
Github user mcgilman commented on a diff in the pull request: https://github.com/apache/nifi/pull/284#discussion_r56496561 --- Diff: nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/kerberos/KerberosAuthenticationFilter.java --- @@ -0,0 +1,79 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.nifi.web.security.kerberos; + +import org.apache.nifi.web.security.InvalidAuthenticationException; +import org.apache.nifi.web.security.NiFiAuthenticationFilter; +import org.apache.nifi.web.security.token.NiFiAuthorizationRequestToken; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; +import org.springframework.security.core.Authentication; +import org.springframework.security.core.AuthenticationException; +import org.springframework.security.kerberos.authentication.KerberosServiceAuthenticationProvider; + +import javax.servlet.FilterChain; +import javax.servlet.ServletException; +import javax.servlet.ServletRequest; +import javax.servlet.ServletResponse; +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; +import java.io.IOException; +import java.util.Arrays; + +/** + */ +public class KerberosAuthenticationFilter extends NiFiAuthenticationFilter { --- End diff -- I don't believe this filter is necessary anymore as the SPNEGO negotiation is performed in the AccessResource at /access/kerberos. --- If your project is set up for it, you can reply to this email and have your reply appear on GitHub as well. If your project does not have this feature enabled and wishes so, or if the feature is enabled but not working, please contact infrastructure at infrastruct...@apache.org or file a JIRA ticket with INFRA. ---
[GitHub] nifi pull request: Nifi 1274
Github user JPercivall commented on a diff in the pull request: https://github.com/apache/nifi/pull/284#discussion_r56410434 --- Diff: nifi-nar-bundles/nifi-update-attribute-bundle/nifi-update-attribute-ui/src/main/java/org/apache/nifi/update/attributes/api/RuleResource.java --- @@ -16,66 +16,63 @@ */ package org.apache.nifi.update.attributes.api; -import java.text.Collator; -import java.util.ArrayList; -import java.util.Collections; -import java.util.Comparator; -import java.util.List; -import java.util.Locale; -import java.util.Set; -import java.util.UUID; - -import javax.servlet.ServletContext; -import javax.servlet.http.HttpServletRequest; -import javax.ws.rs.Consumes; -import javax.ws.rs.DELETE; -import javax.ws.rs.DefaultValue; -import javax.ws.rs.GET; -import javax.ws.rs.POST; -import javax.ws.rs.PUT; -import javax.ws.rs.Path; -import javax.ws.rs.PathParam; -import javax.ws.rs.Produces; -import javax.ws.rs.QueryParam; -import javax.ws.rs.WebApplicationException; -import javax.ws.rs.core.CacheControl; -import javax.ws.rs.core.Context; -import javax.ws.rs.core.MediaType; -import javax.ws.rs.core.Response; -import javax.ws.rs.core.Response.ResponseBuilder; -import javax.ws.rs.core.UriBuilder; -import javax.ws.rs.core.UriInfo; - +import com.sun.jersey.api.NotFoundException; +import org.apache.commons.lang3.StringUtils; import org.apache.nifi.update.attributes.Action; import org.apache.nifi.update.attributes.Condition; import org.apache.nifi.update.attributes.Criteria; +import org.apache.nifi.update.attributes.FlowFilePolicy; import org.apache.nifi.update.attributes.Rule; import org.apache.nifi.update.attributes.UpdateAttributeModelFactory; import org.apache.nifi.update.attributes.dto.DtoFactory; import org.apache.nifi.update.attributes.dto.RuleDTO; import org.apache.nifi.update.attributes.entity.ActionEntity; import org.apache.nifi.update.attributes.entity.ConditionEntity; +import org.apache.nifi.update.attributes.entity.EvaluationContextEntity; import org.apache.nifi.update.attributes.entity.RuleEntity; import org.apache.nifi.update.attributes.entity.RulesEntity; import org.apache.nifi.update.attributes.serde.CriteriaSerDe; -import org.apache.nifi.web.InvalidRevisionException; -import org.apache.nifi.web.Revision; -import org.apache.commons.lang3.StringUtils; - -import com.sun.jersey.api.NotFoundException; - -import org.apache.nifi.update.attributes.FlowFilePolicy; -import org.apache.nifi.update.attributes.entity.EvaluationContextEntity; import org.apache.nifi.web.ComponentDetails; import org.apache.nifi.web.HttpServletConfigurationRequestContext; import org.apache.nifi.web.HttpServletRequestContext; +import org.apache.nifi.web.InvalidRevisionException; import org.apache.nifi.web.NiFiWebConfigurationContext; import org.apache.nifi.web.NiFiWebConfigurationRequestContext; import org.apache.nifi.web.NiFiWebRequestContext; +import org.apache.nifi.web.Revision; import org.apache.nifi.web.UiExtensionType; import org.slf4j.Logger; import org.slf4j.LoggerFactory; +import javax.servlet.ServletContext; +import javax.servlet.http.HttpServletRequest; +import javax.ws.rs.Consumes; +import javax.ws.rs.DELETE; +import javax.ws.rs.DefaultValue; +import javax.ws.rs.GET; +import javax.ws.rs.POST; +import javax.ws.rs.PUT; +import javax.ws.rs.Path; +import javax.ws.rs.PathParam; +import javax.ws.rs.Produces; +import javax.ws.rs.QueryParam; +import javax.ws.rs.WebApplicationException; +import javax.ws.rs.core.CacheControl; +import javax.ws.rs.core.Context; +import javax.ws.rs.core.MediaType; +import javax.ws.rs.core.Response; +import javax.ws.rs.core.Response.ResponseBuilder; +import javax.ws.rs.core.UriBuilder; +import javax.ws.rs.core.UriInfo; +import java.text.Collator; +import java.util.ArrayList; +import java.util.Collections; +import java.util.Comparator; +import java.util.List; +import java.util.Locale; +import java.util.Set; +import java.util.UUID; --- End diff -- From what I can tell, the only changes to this file are to the formatting of the imports. In general extraneous modifications should be limited. --- If your project is set up for it, you can reply to this email and have your reply appear on GitHub as well. If your project does not have this feature enabled and wishes so, or if the feature is enabled but not working, please contact infrastructure at infrastruct...@apache.org or file a JIRA ticket with INFRA. ---
[GitHub] nifi pull request: Nifi 1274
Github user mcgilman commented on a diff in the pull request: https://github.com/apache/nifi/pull/284#discussion_r56496662 --- Diff: nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/NiFiAuthenticationFilter.java --- @@ -64,7 +64,7 @@ public void doFilter(final ServletRequest request, final ServletResponse respons } -private boolean requiresAuthentication(final HttpServletRequest request) { --- End diff -- This can stay private since there is no need to override anymore. --- If your project is set up for it, you can reply to this email and have your reply appear on GitHub as well. If your project does not have this feature enabled and wishes so, or if the feature is enabled but not working, please contact infrastructure at infrastruct...@apache.org or file a JIRA ticket with INFRA. ---
[GitHub] nifi pull request: Nifi 1274
Github user JPercivall commented on a diff in the pull request: https://github.com/apache/nifi/pull/284#discussion_r56425560 --- Diff: nifi-nar-bundles/nifi-kerberos-iaa-providers-bundle/nifi-kerberos-iaa-providers/src/main/java/org/apache/nifi/kerberos/KerberosProvider.java --- @@ -0,0 +1,118 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.nifi.kerberos; + +import org.apache.commons.lang3.StringUtils; +import org.apache.nifi.authentication.AuthenticationResponse; +import org.apache.nifi.authentication.LoginCredentials; +import org.apache.nifi.authentication.LoginIdentityProvider; +import org.apache.nifi.authentication.LoginIdentityProviderConfigurationContext; +import org.apache.nifi.authentication.LoginIdentityProviderInitializationContext; +import org.apache.nifi.authentication.exception.IdentityAccessException; +import org.apache.nifi.authentication.exception.InvalidLoginCredentialsException; +import org.apache.nifi.authorization.exception.ProviderCreationException; +import org.apache.nifi.authorization.exception.ProviderDestructionException; +import org.apache.nifi.util.FormatUtils; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; +import org.springframework.security.authentication.UsernamePasswordAuthenticationToken; +import org.springframework.security.core.Authentication; +import org.springframework.security.core.AuthenticationException; +import org.springframework.security.kerberos.authentication.KerberosAuthenticationProvider; +import org.springframework.security.kerberos.authentication.sun.SunJaasKerberosClient; + +import java.util.concurrent.TimeUnit; + +/** + * Kerberos-based implementation of a login identity provider. + */ +public class KerberosProvider implements LoginIdentityProvider { + +private static final Logger logger = LoggerFactory.getLogger(KerberosProvider.class); + +private KerberosAuthenticationProvider provider; +private String issuer; +private long expiration; + +@Override +public final void initialize(final LoginIdentityProviderInitializationContext initializationContext) throws ProviderCreationException { +this.issuer = getClass().getSimpleName(); +} + +@Override +public final void onConfigured(final LoginIdentityProviderConfigurationContext configurationContext) throws ProviderCreationException { +final String rawExpiration = configurationContext.getProperty("Authentication Expiration"); +if (StringUtils.isBlank(rawExpiration)) { +throw new ProviderCreationException("The Authentication Expiration must be specified."); +} + +try { +expiration = FormatUtils.getTimeDuration(rawExpiration, TimeUnit.MILLISECONDS); +} catch (final IllegalArgumentException iae) { +throw new ProviderCreationException(String.format("The Expiration Duration '%s' is not a valid time duration", rawExpiration)); +} + +provider = new KerberosAuthenticationProvider(); +SunJaasKerberosClient client = new SunJaasKerberosClient(); +client.setDebug(true); +provider.setKerberosClient(client); +provider.setUserDetailsService(new KerberosUserDetailsService()); +} + +@Override +public final AuthenticationResponse authenticate(final LoginCredentials credentials) throws InvalidLoginCredentialsException, IdentityAccessException { +if (provider == null) { +throw new IdentityAccessException("The Kerberos authentication provider is not initialized."); +} + +try { +// TODO: Remove debug statements +logger.info("[REMOVE] Attempting to authenticate Kerberos user {} with password {}", credentials.getUsername(), credentials.getPassword()); + +// Perform the authentication +final
[GitHub] nifi pull request: Nifi 1274
GitHub user alopresto opened a pull request: https://github.com/apache/nifi/pull/284 Nifi 1274 Adds support for Kerberos single sign-on via SPNEGO negotiation with fallback to Kerberos LoginIdentityProvider (similar to LDAP credential login). Initial PR for review. I am adding documentation and will rebase after feedback is provided. You can merge this pull request into a Git repository by running: $ git pull https://github.com/alopresto/nifi NIFI-1274 Alternatively you can review and apply these changes as the patch at: https://github.com/apache/nifi/pull/284.patch To close this pull request, make a commit to your master/trunk branch with (at least) the following in the commit message: This closes #284 commit 522787dd5f6a11a0e6b8e97266106dfc66d9c09e Author: Adam LamarDate: 2016-02-21T06:12:56Z NIFI-1180: Modify PutS3Object to enable encryption commit f3395b2757305dd516c34f2d6573ad125760ecab Author: Andy LoPresto Date: 2016-02-26T00:21:34Z Merge branch 'NIFI-1180' of https://github.com/adamonduty/nifi commit 50fc5b6bc256aa160bbe663f059eca6f71e49bb9 Author: Andy LoPresto Date: 2016-03-01T18:26:47Z Merge branch 'master' of https://github.com/apache/nifi commit 68c86ad9c86363eba60afae19711a4400888bfc4 Author: Andy LoPresto Date: 2016-03-11T23:11:19Z NIFI-1274 Added nifi-kerberos-iaa-providers-bundle module to nifi/pom.xml. Added skeleton of Kerberos authenticator using Spring Security Kerberos plugin. commit 2fb038d9c2d5d470e6e007d5131d6130f6ccae35 Author: Andy LoPresto Date: 2016-03-12T06:05:02Z NIFI-1274 Added kerberos module dependencies to nifi/pom.xml and nifi-assembly/pom.xml. Added default properties to login-identity-providers.xml. commit 513a0f0bcd3e7c8808194106c45a6f3e7098c6d3 Author: Andy LoPresto Date: 2016-03-12T06:09:40Z NIFI-1274 Added working configuration files to test/resources in kerberos module to document necessary config. This version requires the user to enter their Kerberos username (without realm) and password into the NiFi login screen and will authenticate them against the running KDC. Also includes a sample keystore and root CA public key for configuring a secure instance. commit b97f754d6c4bc65d430d255231e8609163bfab7c Author: Andy LoPresto Date: 2016-03-15T05:28:48Z NIFI-1274 Added KerberosAuthenticationFilter to conduct SPNEGO authentication with local (client) Kerberos ticket. Added properties and accessors for service principal and keytab location for NiFi app server. Added KAF to NiFiWebApiSecurityConfiguration. Added AlternateKerberosUserDetailsService to provide user lookup without dependency on extension bundle (nifi-kerberos-iaa-provider). Added dependencies on spring-security-kerberos-core and -web modules to pom.xml. commit 0733574a0d1cd72b7663eadd0fd89c9297731003 Author: Andy LoPresto Date: 2016-03-15T18:40:48Z NIFI-1274 Added temporary solution for Rules Resource access via Kerberos ticket. commit 6670b8bf33bf8018366972217dde8a0956e88194 Author: Andy LoPresto Date: 2016-03-15T19:13:53Z NIFI-1274 Removed temporary solution for Rules Resource access via Kerberos ticket. commit 794b9be508d1fe2042c70ba27a775eee0f4aab32 Author: Andy LoPresto Date: 2016-03-15T19:19:25Z NIFI-1274 Renamed Kerberos discovery method to be explicit about service vs. credential login. commit 22ff40b58994b2cdc0bedcf03d85ec744a37dfd5 Author: Andy LoPresto Date: 2016-03-15T19:50:38Z NIFI-1274 Added check to only instantiate beans when Kerberos enabled to allow access control integration tests to pass. commit ff50eaf0ffc2355e0794135b1aa6610ee562bf3f Author: Andy LoPresto Date: 2016-03-16T02:33:24Z NIFI-1274 Kerberos SPNEGO works without additional filter (new entry endpoint accepts Kerberos ticket in Authorization header and returns JWT so the rest of the application functions the same as LDAP). commit 49d8063bc69e0c73d4ac039e7d0047f865e17fc0 Author: Andy LoPresto Date: 2016-03-16T04:01:51Z NIFI-1274 Fixed canvas call to only attempt Kerberos login if JWT not present in local storage. Added logic to handle ticket validation failure in AccessResource. Changed wiring of Kerberos service beans to XML in nifi-web-security-context.xml for consistency. commit 2a33ded7c896f73d4c1a203f115e0e6d21f432f4 Author: Andy LoPresto Date: 2016-03-16T17:33:36Z NIFI-1274 Added NiFi properties for Kerberos SSO. commit 710318a43c7e0c05dc182ba9c7f406bb4eaa7722 Author: Andy LoPresto
[GitHub] nifi pull request: Nifi 1274
Github user mcgilman commented on a diff in the pull request: https://github.com/apache/nifi/pull/284#discussion_r56511388 --- Diff: nifi-nar-bundles/nifi-kerberos-iaa-providers-bundle/nifi-kerberos-iaa-providers/src/test/resources/nifi.properties --- @@ -0,0 +1,185 @@ +# Licensed to the Apache Software Foundation (ASF) under one or more +# contributor license agreements. See the NOTICE file distributed with +# this work for additional information regarding copyright ownership. +# The ASF licenses this file to You under the Apache License, Version 2.0 +# (the "License"); you may not use this file except in compliance with +# the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# Core Properties # +nifi.version=0.6.0-SNAPSHOT +nifi.flow.configuration.file=./conf/flow.xml.gz +nifi.flow.configuration.archive.dir=./conf/archive/ +nifi.flowcontroller.autoResumeState=true +nifi.flowcontroller.graceful.shutdown.period=10 sec +nifi.flowservice.writedelay.interval=500 ms +nifi.administrative.yield.duration=30 sec +# If a component has no work to do (is "bored"), how long should we wait before checking again for work? +nifi.bored.yield.duration=10 millis + +nifi.authority.provider.configuration.file=./conf/authority-providers.xml +nifi.login.identity.provider.configuration.file=./conf/login-identity-providers.xml +nifi.templates.directory=./conf/templates +nifi.ui.banner.text= +nifi.ui.autorefresh.interval=30 sec +nifi.nar.library.directory=./lib +nifi.nar.working.directory=./work/nar/ +nifi.documentation.working.directory=./work/docs/components + + +# State Management # + +nifi.state.management.configuration.file=./conf/state-management.xml +# The ID of the local state provider +nifi.state.management.provider.local=local-provider +# The ID of the cluster-wide state provider. This will be ignored if NiFi is not clustered but must be populated if running in a cluster. +nifi.state.management.provider.cluster=zk-provider +# Specifies whether or not this instance of NiFi should run an embedded ZooKeeper server +nifi.state.management.embedded.zookeeper.start=false +# Properties file that provides the ZooKeeper properties to use if is set to true +nifi.state.management.embedded.zookeeper.properties=./conf/zookeeper.properties + + +# H2 Settings +nifi.database.directory=./database_repository +nifi.h2.url.append=;LOCK_TIMEOUT=25000;WRITE_DELAY=0;AUTO_SERVER=FALSE + +# FlowFile Repository +nifi.flowfile.repository.implementation=org.apache.nifi.controller.repository.WriteAheadFlowFileRepository +nifi.flowfile.repository.directory=./flowfile_repository +nifi.flowfile.repository.partitions=256 +nifi.flowfile.repository.checkpoint.interval=2 mins +nifi.flowfile.repository.always.sync=false + +nifi.swap.manager.implementation=org.apache.nifi.controller.FileSystemSwapManager +nifi.queue.swap.threshold=2 +nifi.swap.in.period=5 sec +nifi.swap.in.threads=1 +nifi.swap.out.period=5 sec +nifi.swap.out.threads=4 + +# Content Repository +nifi.content.repository.implementation=org.apache.nifi.controller.repository.FileSystemRepository +nifi.content.claim.max.appendable.size=10 MB +nifi.content.claim.max.flow.files=100 +nifi.content.repository.directory.default=./content_repository +nifi.content.repository.archive.max.retention.period=12 hours +nifi.content.repository.archive.max.usage.percentage=50% +nifi.content.repository.archive.enabled=true +nifi.content.repository.always.sync=false +nifi.content.viewer.url=/nifi-content-viewer/ + +# Provenance Repository Properties +nifi.provenance.repository.implementation=org.apache.nifi.provenance.PersistentProvenanceRepository + +# Persistent Provenance Repository Properties +nifi.provenance.repository.directory.default=./provenance_repository +nifi.provenance.repository.max.storage.time=24 hours +nifi.provenance.repository.max.storage.size=1 GB +nifi.provenance.repository.rollover.time=30 secs +nifi.provenance.repository.rollover.size=100 MB +nifi.provenance.repository.query.threads=2 +nifi.provenance.repository.index.threads=1 +nifi.provenance.repository.compress.on.rollover=true +nifi.provenance.repository.always.sync=false +nifi.provenance.repository.journal.count=16 +#
[GitHub] nifi pull request: Nifi 1274
Github user alopresto commented on a diff in the pull request: https://github.com/apache/nifi/pull/284#discussion_r56411928 --- Diff: nifi-nar-bundles/nifi-update-attribute-bundle/nifi-update-attribute-ui/src/main/java/org/apache/nifi/update/attributes/api/RuleResource.java --- @@ -16,66 +16,63 @@ */ package org.apache.nifi.update.attributes.api; -import java.text.Collator; -import java.util.ArrayList; -import java.util.Collections; -import java.util.Comparator; -import java.util.List; -import java.util.Locale; -import java.util.Set; -import java.util.UUID; - -import javax.servlet.ServletContext; -import javax.servlet.http.HttpServletRequest; -import javax.ws.rs.Consumes; -import javax.ws.rs.DELETE; -import javax.ws.rs.DefaultValue; -import javax.ws.rs.GET; -import javax.ws.rs.POST; -import javax.ws.rs.PUT; -import javax.ws.rs.Path; -import javax.ws.rs.PathParam; -import javax.ws.rs.Produces; -import javax.ws.rs.QueryParam; -import javax.ws.rs.WebApplicationException; -import javax.ws.rs.core.CacheControl; -import javax.ws.rs.core.Context; -import javax.ws.rs.core.MediaType; -import javax.ws.rs.core.Response; -import javax.ws.rs.core.Response.ResponseBuilder; -import javax.ws.rs.core.UriBuilder; -import javax.ws.rs.core.UriInfo; - +import com.sun.jersey.api.NotFoundException; +import org.apache.commons.lang3.StringUtils; import org.apache.nifi.update.attributes.Action; import org.apache.nifi.update.attributes.Condition; import org.apache.nifi.update.attributes.Criteria; +import org.apache.nifi.update.attributes.FlowFilePolicy; import org.apache.nifi.update.attributes.Rule; import org.apache.nifi.update.attributes.UpdateAttributeModelFactory; import org.apache.nifi.update.attributes.dto.DtoFactory; import org.apache.nifi.update.attributes.dto.RuleDTO; import org.apache.nifi.update.attributes.entity.ActionEntity; import org.apache.nifi.update.attributes.entity.ConditionEntity; +import org.apache.nifi.update.attributes.entity.EvaluationContextEntity; import org.apache.nifi.update.attributes.entity.RuleEntity; import org.apache.nifi.update.attributes.entity.RulesEntity; import org.apache.nifi.update.attributes.serde.CriteriaSerDe; -import org.apache.nifi.web.InvalidRevisionException; -import org.apache.nifi.web.Revision; -import org.apache.commons.lang3.StringUtils; - -import com.sun.jersey.api.NotFoundException; - -import org.apache.nifi.update.attributes.FlowFilePolicy; -import org.apache.nifi.update.attributes.entity.EvaluationContextEntity; import org.apache.nifi.web.ComponentDetails; import org.apache.nifi.web.HttpServletConfigurationRequestContext; import org.apache.nifi.web.HttpServletRequestContext; +import org.apache.nifi.web.InvalidRevisionException; import org.apache.nifi.web.NiFiWebConfigurationContext; import org.apache.nifi.web.NiFiWebConfigurationRequestContext; import org.apache.nifi.web.NiFiWebRequestContext; +import org.apache.nifi.web.Revision; import org.apache.nifi.web.UiExtensionType; import org.slf4j.Logger; import org.slf4j.LoggerFactory; +import javax.servlet.ServletContext; +import javax.servlet.http.HttpServletRequest; +import javax.ws.rs.Consumes; +import javax.ws.rs.DELETE; +import javax.ws.rs.DefaultValue; +import javax.ws.rs.GET; +import javax.ws.rs.POST; +import javax.ws.rs.PUT; +import javax.ws.rs.Path; +import javax.ws.rs.PathParam; +import javax.ws.rs.Produces; +import javax.ws.rs.QueryParam; +import javax.ws.rs.WebApplicationException; +import javax.ws.rs.core.CacheControl; +import javax.ws.rs.core.Context; +import javax.ws.rs.core.MediaType; +import javax.ws.rs.core.Response; +import javax.ws.rs.core.Response.ResponseBuilder; +import javax.ws.rs.core.UriBuilder; +import javax.ws.rs.core.UriInfo; +import java.text.Collator; +import java.util.ArrayList; +import java.util.Collections; +import java.util.Comparator; +import java.util.List; +import java.util.Locale; +import java.util.Set; +import java.util.UUID; --- End diff -- Yes, there were other changes here that were reverted and this was my IDE. I'll just revert this file. --- If your project is set up for it, you can reply to this email and have your reply appear on GitHub as well. If your project does not have this feature enabled and wishes so, or if the feature is enabled but not working, please contact infrastructure at infrastruct...@apache.org or file a JIRA ticket with INFRA. ---
[GitHub] nifi pull request: Nifi 1274
Github user mcgilman commented on the pull request: https://github.com/apache/nifi/pull/284#issuecomment-197860863 Looks really good overall. Found a couple things lingering that I believe can be removed prior to merging. Additionally, there are a number of src/test/resources in the nifi-kerberos-iaa-providers but there are no corresponding test cases. Are we comfortable removing these test resources? Thanks! --- If your project is set up for it, you can reply to this email and have your reply appear on GitHub as well. If your project does not have this feature enabled and wishes so, or if the feature is enabled but not working, please contact infrastructure at infrastruct...@apache.org or file a JIRA ticket with INFRA. ---
[GitHub] nifi pull request: Nifi 1274
Github user alopresto commented on the pull request: https://github.com/apache/nifi/pull/284#issuecomment-197610965 I removed all added TODO statements. I created NIFI-1637 to refactor the duplicated `KerberosUserDetailsService` and `AlternateKerberosUserDetailsService` to a shared utility module. --- If your project is set up for it, you can reply to this email and have your reply appear on GitHub as well. If your project does not have this feature enabled and wishes so, or if the feature is enabled but not working, please contact infrastructure at infrastruct...@apache.org or file a JIRA ticket with INFRA. ---
[GitHub] nifi pull request: Nifi 1274
Github user JPercivall commented on the pull request: https://github.com/apache/nifi/pull/284#issuecomment-197944422 +1 (with Gilman's last modifications) Used Gilman's branch to do a contrib check build, reviewed that comments were addressed and ran through setting up a kerberos secure nifi instance. Looks good. Thanks for contributing this awesome new feature! --- If your project is set up for it, you can reply to this email and have your reply appear on GitHub as well. If your project does not have this feature enabled and wishes so, or if the feature is enabled but not working, please contact infrastructure at infrastruct...@apache.org or file a JIRA ticket with INFRA. ---
[GitHub] nifi pull request: Nifi 1274
Github user JPercivall commented on a diff in the pull request: https://github.com/apache/nifi/pull/284#discussion_r56507392 --- Diff: nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/jwt/JwtService.java --- @@ -70,8 +70,6 @@ public String getAuthenticationFromToken(final String base64EncodedToken) throws // TODO: Validate issuer against active registry? --- End diff -- Reason for keeping this TODO? --- If your project is set up for it, you can reply to this email and have your reply appear on GitHub as well. If your project does not have this feature enabled and wishes so, or if the feature is enabled but not working, please contact infrastructure at infrastruct...@apache.org or file a JIRA ticket with INFRA. ---
[GitHub] nifi pull request: Nifi 1274
Github user mcgilman commented on a diff in the pull request: https://github.com/apache/nifi/pull/284#discussion_r56510044 --- Diff: nifi-nar-bundles/nifi-kerberos-iaa-providers-bundle/nifi-kerberos-iaa-providers/src/test/resources/nifi.properties --- @@ -0,0 +1,185 @@ +# Licensed to the Apache Software Foundation (ASF) under one or more +# contributor license agreements. See the NOTICE file distributed with +# this work for additional information regarding copyright ownership. +# The ASF licenses this file to You under the Apache License, Version 2.0 +# (the "License"); you may not use this file except in compliance with +# the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# Core Properties # +nifi.version=0.6.0-SNAPSHOT +nifi.flow.configuration.file=./conf/flow.xml.gz +nifi.flow.configuration.archive.dir=./conf/archive/ +nifi.flowcontroller.autoResumeState=true +nifi.flowcontroller.graceful.shutdown.period=10 sec +nifi.flowservice.writedelay.interval=500 ms +nifi.administrative.yield.duration=30 sec +# If a component has no work to do (is "bored"), how long should we wait before checking again for work? +nifi.bored.yield.duration=10 millis + +nifi.authority.provider.configuration.file=./conf/authority-providers.xml +nifi.login.identity.provider.configuration.file=./conf/login-identity-providers.xml +nifi.templates.directory=./conf/templates +nifi.ui.banner.text= +nifi.ui.autorefresh.interval=30 sec +nifi.nar.library.directory=./lib +nifi.nar.working.directory=./work/nar/ +nifi.documentation.working.directory=./work/docs/components + + +# State Management # + +nifi.state.management.configuration.file=./conf/state-management.xml +# The ID of the local state provider +nifi.state.management.provider.local=local-provider +# The ID of the cluster-wide state provider. This will be ignored if NiFi is not clustered but must be populated if running in a cluster. +nifi.state.management.provider.cluster=zk-provider +# Specifies whether or not this instance of NiFi should run an embedded ZooKeeper server +nifi.state.management.embedded.zookeeper.start=false +# Properties file that provides the ZooKeeper properties to use if is set to true +nifi.state.management.embedded.zookeeper.properties=./conf/zookeeper.properties + + +# H2 Settings +nifi.database.directory=./database_repository +nifi.h2.url.append=;LOCK_TIMEOUT=25000;WRITE_DELAY=0;AUTO_SERVER=FALSE + +# FlowFile Repository +nifi.flowfile.repository.implementation=org.apache.nifi.controller.repository.WriteAheadFlowFileRepository +nifi.flowfile.repository.directory=./flowfile_repository +nifi.flowfile.repository.partitions=256 +nifi.flowfile.repository.checkpoint.interval=2 mins +nifi.flowfile.repository.always.sync=false + +nifi.swap.manager.implementation=org.apache.nifi.controller.FileSystemSwapManager +nifi.queue.swap.threshold=2 +nifi.swap.in.period=5 sec +nifi.swap.in.threads=1 +nifi.swap.out.period=5 sec +nifi.swap.out.threads=4 + +# Content Repository +nifi.content.repository.implementation=org.apache.nifi.controller.repository.FileSystemRepository +nifi.content.claim.max.appendable.size=10 MB +nifi.content.claim.max.flow.files=100 +nifi.content.repository.directory.default=./content_repository +nifi.content.repository.archive.max.retention.period=12 hours +nifi.content.repository.archive.max.usage.percentage=50% +nifi.content.repository.archive.enabled=true +nifi.content.repository.always.sync=false +nifi.content.viewer.url=/nifi-content-viewer/ + +# Provenance Repository Properties +nifi.provenance.repository.implementation=org.apache.nifi.provenance.PersistentProvenanceRepository + +# Persistent Provenance Repository Properties +nifi.provenance.repository.directory.default=./provenance_repository +nifi.provenance.repository.max.storage.time=24 hours +nifi.provenance.repository.max.storage.size=1 GB +nifi.provenance.repository.rollover.time=30 secs +nifi.provenance.repository.rollover.size=100 MB +nifi.provenance.repository.query.threads=2 +nifi.provenance.repository.index.threads=1 +nifi.provenance.repository.compress.on.rollover=true +nifi.provenance.repository.always.sync=false +nifi.provenance.repository.journal.count=16 +#
[GitHub] nifi pull request: Nifi 1274
Github user JPercivall commented on the pull request: https://github.com/apache/nifi/pull/284#issuecomment-197582465 There are multiple "todo" comments. What is the plan for them? It appears that some are just comments on the code, some can be removed (already done), and a few could become follow-up tickets after committing. --- If your project is set up for it, you can reply to this email and have your reply appear on GitHub as well. If your project does not have this feature enabled and wishes so, or if the feature is enabled but not working, please contact infrastructure at infrastruct...@apache.org or file a JIRA ticket with INFRA. ---
[GitHub] nifi pull request: Nifi 1274
Github user mcgilman commented on the pull request: https://github.com/apache/nifi/pull/284#issuecomment-197504323 Reviewing... :) --- If your project is set up for it, you can reply to this email and have your reply appear on GitHub as well. If your project does not have this feature enabled and wishes so, or if the feature is enabled but not working, please contact infrastructure at infrastruct...@apache.org or file a JIRA ticket with INFRA. ---