[jira] [Created] (NIFI-4257) Allow a custom WHERE clause in AbstractDatabaseFetchProcessor
Pierre Villard created NIFI-4257: Summary: Allow a custom WHERE clause in AbstractDatabaseFetchProcessor Key: NIFI-4257 URL: https://issues.apache.org/jira/browse/NIFI-4257 Project: Apache NiFi Issue Type: Improvement Components: Extensions Reporter: Pierre Villard Assignee: Pierre Villard It could be useful to allow a user to set a custom WHERE clause in AbstractDatabaseFetchProcessor in case not all of the data in the table is required. In case the WHERE clause is changed after the processor has already been running, the user will probably have to set the initial maximum values to ensure the expected behaviour. -- This message was sent by Atlassian JIRA (v6.4.14#64029)
[jira] [Commented] (NIFI-4256) Add support for all AWS S3 Encryption Options
[ https://issues.apache.org/jira/browse/NIFI-4256?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16110780#comment-16110780 ] Pierre Villard commented on NIFI-4256: -- I'm a bit worried about: bq. Note: We will not support the existing server-side-encryption option so this will be a breaking change for existing users. If this is a breaking change and if existing workflows are going to behave differently after a NiFi upgrade, this change might need to wait for a v2.0.0 release. > Add support for all AWS S3 Encryption Options > - > > Key: NIFI-4256 > URL: https://issues.apache.org/jira/browse/NIFI-4256 > Project: Apache NiFi > Issue Type: Improvement > Components: Core Framework >Affects Versions: 1.2.0 >Reporter: Franco > Labels: aws, aws-s3, security > Fix For: 1.4.0 > > > NiFi currently only supports SSE-S3 encryption (AES256). > Support needs to be added for: > * SSE-S3 > * SSE-KMS > * SSE-C > * CSE-KMS CMK > * CSE-Master Key > With all of the appropriate configuration options and such that SSE is > available only for PutS3Object whilst CSE is available also for FetchS3Object. > Given that this will add another 20 or so UI properties the intention is to > split it into a Client Side Encryption Service and Server Side Encryption > Service. This will allow users to reuse "encryption" across different > workflows. > Note: We will not support the existing server-side-encryption option so this > will be a breaking change for existing users.
[GitHub] nifi pull request #2047: NIFI-4210: Add support for OpenId Connect
Github user mcgilman commented on a diff in the pull request: https://github.com/apache/nifi/pull/2047#discussion_r130871309 --- Diff: nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/api/AccessResource.java --- 
@@ -125,6 +142,160 @@ public Response getLoginConfig(@Context HttpServletRequest httpServletRequest) { return generateOkResponse(entity).build(); } +@GET +@Consumes(MediaType.WILDCARD) +@Produces(MediaType.WILDCARD) +@Path("oidc/request") +@ApiOperation( +value = "Initiates a request to authenticate through the configured OpenId Connect provider." +) +public void oidcRequest(@Context HttpServletRequest httpServletRequest, @Context HttpServletResponse httpServletResponse) throws Exception { +// only consider user specific access over https +if (!httpServletRequest.isSecure()) { +forwardToMessagePage(httpServletRequest, httpServletResponse, "User authentication/authorization is only supported when running over HTTPS."); +return; +} + +// ensure oidc is enabled +if (!oidcService.isOidcEnabled()) { +forwardToMessagePage(httpServletRequest, httpServletResponse, "OpenId Connect is not configured."); +return; +} + +final String oidcRequestIdentifier = UUID.randomUUID().toString(); + +// generate a cookie to associate this login sequence +final Cookie cookie = new Cookie(OIDC_REQUEST_IDENTIFIER, oidcRequestIdentifier); +cookie.setPath("/"); +cookie.setHttpOnly(true); +cookie.setMaxAge(60); +cookie.setSecure(true); +httpServletResponse.addCookie(cookie); + +// get the state for this request +final State state = oidcService.createState(oidcRequestIdentifier); + +// build the authorization uri +final URI authorizationUri = UriBuilder.fromUri(oidcService.getAuthorizationEndpoint()) +.queryParam("client_id", oidcService.getClientId()) +.queryParam("response_type", "code") +.queryParam("scope", oidcService.getScope().toString()) +.queryParam("state", state.getValue()) +.queryParam("redirect_uri", getOidcCallback()) +.build(); + +// generate the response +httpServletResponse.sendRedirect(authorizationUri.toString()); +} + +@GET +@Consumes(MediaType.WILDCARD) +@Produces(MediaType.WILDCARD) +@Path("oidc/callback") +@ApiOperation( +value = "Redirect/callback URI for processing the 
result of the OpenId Connect login sequence." +) +public void oidcCallback(@Context HttpServletRequest httpServletRequest, @Context HttpServletResponse httpServletResponse) throws Exception { +// only consider user specific access over https +if (!httpServletRequest.isSecure()) { +forwardToMessagePage(httpServletRequest, httpServletResponse, "User authentication/authorization is only supported when running over HTTPS."); +return; +} + +// ensure oidc is enabled +if (!oidcService.isOidcEnabled()) { +forwardToMessagePage(httpServletRequest, httpServletResponse, "OpenId Connect is not configured."); +return; +} + +final String oidcRequestIdentifier = getCookieValue(httpServletRequest.getCookies(), OIDC_REQUEST_IDENTIFIER); +if (oidcRequestIdentifier == null) { --- End diff -- `getCookieValue` returns null when no cookie is found with the specified name. I'll update the Javadoc's on that method to make it clearer. If there is a cookie with that name, we attempt to use the associated value in the login process. We have not formally defined a format for this identifier. Rather, we've left it just a `String` for now in case we choose to change it later. --- If your project is set up for it, you can reply to this email and have your reply appear on GitHub as well. If your project does not have this feature enabled and wishes so, or if the feature is enabled but not working, please contact infrastructure at infrastruct...@apache.org or file a JIRA ticket with INFRA. ---
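Review bot: `cookie.setMaxAge(60)` in `oidcRequest` gives the user one minute to finish authenticating at the provider. A slower login (second factor, consent screen) comes back to `oidc/callback` without the cookie, and the `oidcRequestIdentifier == null` branch then reports a missing identifier rather than an expired login. Consider a longer lifetime that matches how long the state from `oidcService.createState(...)` stays valid, and clear the cookie in the callback once it has been read if that is not already done further down.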
[jira] [Commented] (NIFI-4210) Add OpenId Connect support for authenticating users
[ https://issues.apache.org/jira/browse/NIFI-4210?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16110865#comment-16110865 ] ASF GitHub Bot commented on NIFI-4210: -- Github user mcgilman commented on a diff in the pull request: https://github.com/apache/nifi/pull/2047#discussion_r130871309 --- Diff: nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/api/AccessResource.java --- 
@@ -125,6 +142,160 @@ public Response getLoginConfig(@Context HttpServletRequest httpServletRequest) { return generateOkResponse(entity).build(); } +@GET +@Consumes(MediaType.WILDCARD) +@Produces(MediaType.WILDCARD) +@Path("oidc/request") +@ApiOperation( +value = "Initiates a request to authenticate through the configured OpenId Connect provider." +) +public void oidcRequest(@Context HttpServletRequest httpServletRequest, @Context HttpServletResponse httpServletResponse) throws Exception { +// only consider user specific access over https +if (!httpServletRequest.isSecure()) { +forwardToMessagePage(httpServletRequest, httpServletResponse, "User authentication/authorization is only supported when running over HTTPS."); +return; +} + +// ensure oidc is enabled +if (!oidcService.isOidcEnabled()) { +forwardToMessagePage(httpServletRequest, httpServletResponse, "OpenId Connect is not configured."); +return; +} + +final String oidcRequestIdentifier = UUID.randomUUID().toString(); + +// generate a cookie to associate this login sequence +final Cookie cookie = new Cookie(OIDC_REQUEST_IDENTIFIER, oidcRequestIdentifier); +cookie.setPath("/"); +cookie.setHttpOnly(true); +cookie.setMaxAge(60); +cookie.setSecure(true); +httpServletResponse.addCookie(cookie); + +// get the state for this request +final State state = oidcService.createState(oidcRequestIdentifier); + +// build the authorization uri +final URI authorizationUri = UriBuilder.fromUri(oidcService.getAuthorizationEndpoint()) +.queryParam("client_id", oidcService.getClientId()) +.queryParam("response_type", "code") +.queryParam("scope", oidcService.getScope().toString()) +.queryParam("state", state.getValue()) +.queryParam("redirect_uri", getOidcCallback()) +.build(); + +// generate the response +httpServletResponse.sendRedirect(authorizationUri.toString()); +} + +@GET +@Consumes(MediaType.WILDCARD) +@Produces(MediaType.WILDCARD) +@Path("oidc/callback") +@ApiOperation( +value = "Redirect/callback URI for processing the 
result of the OpenId Connect login sequence." +) +public void oidcCallback(@Context HttpServletRequest httpServletRequest, @Context HttpServletResponse httpServletResponse) throws Exception { +// only consider user specific access over https +if (!httpServletRequest.isSecure()) { +forwardToMessagePage(httpServletRequest, httpServletResponse, "User authentication/authorization is only supported when running over HTTPS."); +return; +} + +// ensure oidc is enabled +if (!oidcService.isOidcEnabled()) { +forwardToMessagePage(httpServletRequest, httpServletResponse, "OpenId Connect is not configured."); +return; +} + +final String oidcRequestIdentifier = getCookieValue(httpServletRequest.getCookies(), OIDC_REQUEST_IDENTIFIER); +if (oidcRequestIdentifier == null) { --- End diff -- `getCookieValue` returns null when no cookie is found with the specified name. I'll update the Javadoc's on that method to make it clearer. If there is a cookie with that name, we attempt to use the associated value in the login process. We have not formally defined a format for this identifier. Rather, we've left it just a `String` for now in case we choose to change it later. > Add OpenId Connect support for authenticating users > --- > > Key: NIFI-4210 > URL: https://issues.apache.org/jira/browse/NIFI-4210 > Project: Apache NiFi > Issue Type: Improvement > Components: Core Framework, Core UI >Reporter: Matt Gilman >Assignee: Matt Gilman > > Add support for authenticating users with the
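Review bot: the HTTPS check and the `oidcService.isOidcEnabled()` check, together with their message strings, are repeated verbatim at the top of both `oidcRequest` and `oidcCallback`. Pulling them into one private helper that forwards to the message page and reports whether the request may proceed keeps the two endpoints from drifting apart when a condition or message changes later.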
[GitHub] nifi pull request #2047: NIFI-4210: Add support for OpenId Connect
Github user mcgilman commented on a diff in the pull request: https://github.com/apache/nifi/pull/2047#discussion_r130872958 --- Diff: nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/api/AccessResource.java --- 
@@ -125,6 +142,160 @@ public Response getLoginConfig(@Context HttpServletRequest httpServletRequest) { return generateOkResponse(entity).build(); } +@GET +@Consumes(MediaType.WILDCARD) +@Produces(MediaType.WILDCARD) +@Path("oidc/request") +@ApiOperation( +value = "Initiates a request to authenticate through the configured OpenId Connect provider." +) +public void oidcRequest(@Context HttpServletRequest httpServletRequest, @Context HttpServletResponse httpServletResponse) throws Exception { +// only consider user specific access over https +if (!httpServletRequest.isSecure()) { +forwardToMessagePage(httpServletRequest, httpServletResponse, "User authentication/authorization is only supported when running over HTTPS."); +return; +} + +// ensure oidc is enabled +if (!oidcService.isOidcEnabled()) { +forwardToMessagePage(httpServletRequest, httpServletResponse, "OpenId Connect is not configured."); +return; +} + +final String oidcRequestIdentifier = UUID.randomUUID().toString(); + +// generate a cookie to associate this login sequence +final Cookie cookie = new Cookie(OIDC_REQUEST_IDENTIFIER, oidcRequestIdentifier); +cookie.setPath("/"); +cookie.setHttpOnly(true); +cookie.setMaxAge(60); +cookie.setSecure(true); +httpServletResponse.addCookie(cookie); + +// get the state for this request +final State state = oidcService.createState(oidcRequestIdentifier); + +// build the authorization uri +final URI authorizationUri = UriBuilder.fromUri(oidcService.getAuthorizationEndpoint()) --- End diff -- The only value that isn't checked here is the authorization endpoint. The remainder of the checks are done during start up in the `StandardOidcIdentityProvider` constructor. I'll update it to verify the presence of the endpoints that we explicitly invoke.
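Review bot: `cookie.setPath("/")` in `oidcRequest` makes the browser send the login-sequence identifier with every request to this host until the cookie expires, although only the `oidc/callback` endpoint needs to read it. Scoping the path to the callback endpoint (taking any proxy context path into account) narrows where the value travels.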
[jira] [Commented] (NIFI-4210) Add OpenId Connect support for authenticating users
[ https://issues.apache.org/jira/browse/NIFI-4210?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16110873#comment-16110873 ] ASF GitHub Bot commented on NIFI-4210: -- Github user mcgilman commented on a diff in the pull request: https://github.com/apache/nifi/pull/2047#discussion_r130872958 --- Diff: nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/api/AccessResource.java --- 
@@ -125,6 +142,160 @@ public Response getLoginConfig(@Context HttpServletRequest httpServletRequest) { return generateOkResponse(entity).build(); } +@GET +@Consumes(MediaType.WILDCARD) +@Produces(MediaType.WILDCARD) +@Path("oidc/request") +@ApiOperation( +value = "Initiates a request to authenticate through the configured OpenId Connect provider." +) +public void oidcRequest(@Context HttpServletRequest httpServletRequest, @Context HttpServletResponse httpServletResponse) throws Exception { +// only consider user specific access over https +if (!httpServletRequest.isSecure()) { +forwardToMessagePage(httpServletRequest, httpServletResponse, "User authentication/authorization is only supported when running over HTTPS."); +return; +} + +// ensure oidc is enabled +if (!oidcService.isOidcEnabled()) { +forwardToMessagePage(httpServletRequest, httpServletResponse, "OpenId Connect is not configured."); +return; +} + +final String oidcRequestIdentifier = UUID.randomUUID().toString(); + +// generate a cookie to associate this login sequence +final Cookie cookie = new Cookie(OIDC_REQUEST_IDENTIFIER, oidcRequestIdentifier); +cookie.setPath("/"); +cookie.setHttpOnly(true); +cookie.setMaxAge(60); +cookie.setSecure(true); +httpServletResponse.addCookie(cookie); + +// get the state for this request +final State state = oidcService.createState(oidcRequestIdentifier); + +// build the authorization uri +final URI authorizationUri = UriBuilder.fromUri(oidcService.getAuthorizationEndpoint()) --- End diff -- The only value that isn't checked here is the authorization endpoint. The remainder of the checks are done during start up in the `StandardOidcIdentityProvider` constructor. I'll update it to verify the presence of the endpoints that we explicitly invoke. 
> Add OpenId Connect support for authenticating users > --- > > Key: NIFI-4210 > URL: https://issues.apache.org/jira/browse/NIFI-4210 > Project: Apache NiFi > Issue Type: Improvement > Components: Core Framework, Core UI >Reporter: Matt Gilman >Assignee: Matt Gilman > > Add support for authenticating users with the OpenId Connection > specification. Evaluate whether a new extension point is necessary to allow > for a given provider to supply custom code for instance to implement custom > token validation.
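Review bot: `oidcRequest` is the entry point of the login sequence, so it is reachable before any authentication, and every GET calls `oidcService.createState(oidcRequestIdentifier)` with a fresh UUID. Whatever holds those states needs a size bound and an expiry in step with the 60-second cookie; a comment here or in the Javadoc of `createState` stating that bound would make the assumption reviewable.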
[GitHub] nifi pull request #2047: NIFI-4210: Add support for OpenId Connect
Github user mcgilman commented on a diff in the pull request: https://github.com/apache/nifi/pull/2047#discussion_r130873359 --- Diff: nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/api/AccessResource.java --- 
@@ -125,6 +142,160 @@ public Response getLoginConfig(@Context HttpServletRequest httpServletRequest) { return generateOkResponse(entity).build(); } +@GET +@Consumes(MediaType.WILDCARD) +@Produces(MediaType.WILDCARD) +@Path("oidc/request") +@ApiOperation( +value = "Initiates a request to authenticate through the configured OpenId Connect provider." +) +public void oidcRequest(@Context HttpServletRequest httpServletRequest, @Context HttpServletResponse httpServletResponse) throws Exception { +// only consider user specific access over https +if (!httpServletRequest.isSecure()) { +forwardToMessagePage(httpServletRequest, httpServletResponse, "User authentication/authorization is only supported when running over HTTPS."); +return; +} + +// ensure oidc is enabled +if (!oidcService.isOidcEnabled()) { +forwardToMessagePage(httpServletRequest, httpServletResponse, "OpenId Connect is not configured."); +return; +} + +final String oidcRequestIdentifier = UUID.randomUUID().toString(); + +// generate a cookie to associate this login sequence +final Cookie cookie = new Cookie(OIDC_REQUEST_IDENTIFIER, oidcRequestIdentifier); +cookie.setPath("/"); +cookie.setHttpOnly(true); +cookie.setMaxAge(60); +cookie.setSecure(true); +httpServletResponse.addCookie(cookie); + +// get the state for this request +final State state = oidcService.createState(oidcRequestIdentifier); + +// build the authorization uri +final URI authorizationUri = UriBuilder.fromUri(oidcService.getAuthorizationEndpoint()) +.queryParam("client_id", oidcService.getClientId()) +.queryParam("response_type", "code") +.queryParam("scope", oidcService.getScope().toString()) +.queryParam("state", state.getValue()) +.queryParam("redirect_uri", getOidcCallback()) +.build(); + +// generate the response +httpServletResponse.sendRedirect(authorizationUri.toString()); +} + +@GET +@Consumes(MediaType.WILDCARD) +@Produces(MediaType.WILDCARD) +@Path("oidc/callback") +@ApiOperation( +value = "Redirect/callback URI for processing the 
result of the OpenId Connect login sequence." +) +public void oidcCallback(@Context HttpServletRequest httpServletRequest, @Context HttpServletResponse httpServletResponse) throws Exception { +// only consider user specific access over https +if (!httpServletRequest.isSecure()) { +forwardToMessagePage(httpServletRequest, httpServletResponse, "User authentication/authorization is only supported when running over HTTPS."); +return; +} + +// ensure oidc is enabled +if (!oidcService.isOidcEnabled()) { +forwardToMessagePage(httpServletRequest, httpServletResponse, "OpenId Connect is not configured."); +return; +} + +final String oidcRequestIdentifier = getCookieValue(httpServletRequest.getCookies(), OIDC_REQUEST_IDENTIFIER); +if (oidcRequestIdentifier == null) { +forwardToMessagePage(httpServletRequest, httpServletResponse, "The login request identifier was not found in the request. Unable to continue."); +return; +} + +final com.nimbusds.openid.connect.sdk.AuthenticationResponse oidcResponse = AuthenticationResponseParser.parse(getRequestUri()); +if (oidcResponse.indicatesSuccess()) { +final AuthenticationSuccessResponse successfulOidcResponse = (AuthenticationSuccessResponse) oidcResponse; + +// confirm state +final State state = successfulOidcResponse.getState(); +if (!oidcService.isStateValid(oidcRequestIdentifier, state)) { +logger.error("Purposed state does not match the stored state. Unable to continue login process."); --- End diff -- That's a typo. It was meant to say the "Proposed state". I'll update accordingly.
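Review bot: the authorization URI built in `oidcRequest` carries `client_id`, `response_type`, `scope`, `state` and `redirect_uri` but no `nonce`. The parameter is optional for the code flow, but sending one tied to the same login sequence and checking it against the ID token's `nonce` claim in `oidcCallback` binds the returned token to this browser session, which `state` alone does not do.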
[jira] [Commented] (NIFI-4210) Add OpenId Connect support for authenticating users
[ https://issues.apache.org/jira/browse/NIFI-4210?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16110875#comment-16110875 ] ASF GitHub Bot commented on NIFI-4210: -- Github user mcgilman commented on a diff in the pull request: https://github.com/apache/nifi/pull/2047#discussion_r130873359 --- Diff: nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/api/AccessResource.java --- 
@@ -125,6 +142,160 @@ public Response getLoginConfig(@Context HttpServletRequest httpServletRequest) { return generateOkResponse(entity).build(); } +@GET +@Consumes(MediaType.WILDCARD) +@Produces(MediaType.WILDCARD) +@Path("oidc/request") +@ApiOperation( +value = "Initiates a request to authenticate through the configured OpenId Connect provider." +) +public void oidcRequest(@Context HttpServletRequest httpServletRequest, @Context HttpServletResponse httpServletResponse) throws Exception { +// only consider user specific access over https +if (!httpServletRequest.isSecure()) { +forwardToMessagePage(httpServletRequest, httpServletResponse, "User authentication/authorization is only supported when running over HTTPS."); +return; +} + +// ensure oidc is enabled +if (!oidcService.isOidcEnabled()) { +forwardToMessagePage(httpServletRequest, httpServletResponse, "OpenId Connect is not configured."); +return; +} + +final String oidcRequestIdentifier = UUID.randomUUID().toString(); + +// generate a cookie to associate this login sequence +final Cookie cookie = new Cookie(OIDC_REQUEST_IDENTIFIER, oidcRequestIdentifier); +cookie.setPath("/"); +cookie.setHttpOnly(true); +cookie.setMaxAge(60); +cookie.setSecure(true); +httpServletResponse.addCookie(cookie); + +// get the state for this request +final State state = oidcService.createState(oidcRequestIdentifier); + +// build the authorization uri +final URI authorizationUri = UriBuilder.fromUri(oidcService.getAuthorizationEndpoint()) +.queryParam("client_id", oidcService.getClientId()) +.queryParam("response_type", "code") +.queryParam("scope", oidcService.getScope().toString()) +.queryParam("state", state.getValue()) +.queryParam("redirect_uri", getOidcCallback()) +.build(); + +// generate the response +httpServletResponse.sendRedirect(authorizationUri.toString()); +} + +@GET +@Consumes(MediaType.WILDCARD) +@Produces(MediaType.WILDCARD) +@Path("oidc/callback") +@ApiOperation( +value = "Redirect/callback URI for processing the 
result of the OpenId Connect login sequence." +) +public void oidcCallback(@Context HttpServletRequest httpServletRequest, @Context HttpServletResponse httpServletResponse) throws Exception { +// only consider user specific access over https +if (!httpServletRequest.isSecure()) { +forwardToMessagePage(httpServletRequest, httpServletResponse, "User authentication/authorization is only supported when running over HTTPS."); +return; +} + +// ensure oidc is enabled +if (!oidcService.isOidcEnabled()) { +forwardToMessagePage(httpServletRequest, httpServletResponse, "OpenId Connect is not configured."); +return; +} + +final String oidcRequestIdentifier = getCookieValue(httpServletRequest.getCookies(), OIDC_REQUEST_IDENTIFIER); +if (oidcRequestIdentifier == null) { +forwardToMessagePage(httpServletRequest, httpServletResponse, "The login request identifier was not found in the request. Unable to continue."); +return; +} + +final com.nimbusds.openid.connect.sdk.AuthenticationResponse oidcResponse = AuthenticationResponseParser.parse(getRequestUri()); +if (oidcResponse.indicatesSuccess()) { +final AuthenticationSuccessResponse successfulOidcResponse = (AuthenticationSuccessResponse) oidcResponse; + +// confirm state +final State state = successfulOidcResponse.getState(); +if (!oidcService.isStateValid(oidcRequestIdentifier, state)) { +logger.error("Purposed state does not match the stored state. Unable to continue login process."); --- End diff -- Tha
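Review bot: in `oidcCallback`, `AuthenticationResponseParser.parse(getRequestUri())` is called with no handling around it in the lines shown, so a malformed callback query string propagates through `throws Exception` as a generic server error, while every other failure path here goes through `forwardToMessagePage(...)`. Catching the parse failure and forwarding a message keeps the behaviour consistent and avoids exposing a stack trace on an endpoint reachable before login.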
[GitHub] nifi issue #1945: NIFI-4124 Added org.apache.nifi.mongo.PutMongoRecord.
Github user MikeThomsen commented on the issue: https://github.com/apache/nifi/pull/1945 @markap14 @joewitt Any chance of getting this reviewed?
[GitHub] nifi pull request #1961: NIFI-4024 Added org.apache.nifi.hbase.PutHBaseRecor...
Github user MikeThomsen commented on a diff in the pull request: https://github.com/apache/nifi/pull/1961#discussion_r130873950 --- Diff: nifi-nar-bundles/nifi-hbase-bundle/nifi-hbase-processors/src/main/java/org/apache/nifi/hbase/PutHBaseRecord.java --- 
@@ -0,0 +1,323 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.nifi.hbase; + +import org.apache.nifi.annotation.behavior.EventDriven; +import org.apache.nifi.annotation.behavior.InputRequirement; +import org.apache.nifi.annotation.behavior.ReadsAttribute; +import org.apache.nifi.annotation.behavior.SupportsBatching; +import org.apache.nifi.annotation.behavior.WritesAttribute; +import org.apache.nifi.annotation.documentation.CapabilityDescription; +import org.apache.nifi.annotation.documentation.Tags; +import org.apache.nifi.components.AllowableValue; +import org.apache.nifi.components.PropertyDescriptor; +import org.apache.nifi.flowfile.FlowFile; +import org.apache.nifi.hbase.put.PutColumn; +import org.apache.nifi.hbase.put.PutFlowFile; +import org.apache.nifi.processor.ProcessContext; +import org.apache.nifi.processor.ProcessSession; +import org.apache.nifi.processor.Relationship; +import org.apache.nifi.processor.exception.ProcessException; +import org.apache.nifi.processor.util.StandardValidators; +import org.apache.nifi.serialization.RecordReader; +import org.apache.nifi.serialization.RecordReaderFactory; +import org.apache.nifi.serialization.record.Record; +import 
org.apache.nifi.serialization.record.RecordFieldType; +import org.apache.nifi.serialization.record.RecordSchema; + +import java.io.IOException; +import java.util.ArrayList; +import java.util.HashSet; +import java.util.List; +import java.util.Set; + +@EventDriven +@SupportsBatching +@InputRequirement(InputRequirement.Requirement.INPUT_REQUIRED) +@Tags({"hadoop", "hbase", "put", "record"}) +@CapabilityDescription("Adds rows to HBase based on the contents of a flowfile using a configured record reader.") +@ReadsAttribute(attribute = "restart.index", description = "Reads restart.index when it needs to replay part of a record set that did not get into HBase.") +@WritesAttribute(attribute = "restart.index", description = "Writes restart.index when a batch fails to be insert into HBase") +public class PutHBaseRecord extends AbstractPutHBase { + +protected static final PropertyDescriptor ROW_FIELD_NAME = new PropertyDescriptor.Builder() +.name("Row Identifier Field Path") +.description("Specifies the name of a record field whose value should be used as the row id for the given record.") +.expressionLanguageSupported(true) +.addValidator(StandardValidators.NON_EMPTY_VALIDATOR) +.build(); + +protected static final String FAIL_VALUE = "Fail"; +protected static final String WARN_VALUE = "Warn"; +protected static final String IGNORE_VALUE = "Ignore"; +protected static final String TEXT_VALUE = "Text"; + +protected static final AllowableValue COMPLEX_FIELD_FAIL = new AllowableValue(FAIL_VALUE, FAIL_VALUE, "Route entire FlowFile to failure if any elements contain complex values."); +protected static final AllowableValue COMPLEX_FIELD_WARN = new AllowableValue(WARN_VALUE, WARN_VALUE, "Provide a warning and do not include field in row sent to HBase."); +protected static final AllowableValue COMPLEX_FIELD_IGNORE = new AllowableValue(IGNORE_VALUE, IGNORE_VALUE, "Silently ignore and do not include in row sent to HBase."); +protected static final AllowableValue COMPLEX_FIELD_TEXT = new 
AllowableValue(TEXT_VALUE, TEXT_VALUE, "Use the string representation of the complex field as the value of the given column."); + +static final PropertyDescriptor RECORD_READER_FACTORY = new PropertyDescriptor.Builder() +.name("record-reader") +.displayName("Record Reader") +.descripti
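Review bot: `ROW_FIELD_NAME` is declared with `.name("Row Identifier Field Path")` while its description says it "Specifies the name of a record field", so it is unclear whether a record path or a plain field name is expected; the name and the description should agree. It also sets only a display-style `.name(...)`, whereas `RECORD_READER_FACTORY` just below uses `.name("record-reader")` with a separate `.displayName("Record Reader")`; using that convention for both keeps the stored property key stable if the label is reworded.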
[jira] [Commented] (NIFI-4024) Create EvaluateRecordPath processor
[ https://issues.apache.org/jira/browse/NIFI-4024?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16110880#comment-16110880 ] ASF GitHub Bot commented on NIFI-4024: -- Github user MikeThomsen commented on a diff in the pull request: https://github.com/apache/nifi/pull/1961#discussion_r130873950 --- Diff: nifi-nar-bundles/nifi-hbase-bundle/nifi-hbase-processors/src/main/java/org/apache/nifi/hbase/PutHBaseRecord.java --- 
@@ -0,0 +1,323 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.nifi.hbase; + +import org.apache.nifi.annotation.behavior.EventDriven; +import org.apache.nifi.annotation.behavior.InputRequirement; +import org.apache.nifi.annotation.behavior.ReadsAttribute; +import org.apache.nifi.annotation.behavior.SupportsBatching; +import org.apache.nifi.annotation.behavior.WritesAttribute; +import org.apache.nifi.annotation.documentation.CapabilityDescription; +import org.apache.nifi.annotation.documentation.Tags; +import org.apache.nifi.components.AllowableValue; +import org.apache.nifi.components.PropertyDescriptor; +import org.apache.nifi.flowfile.FlowFile; +import org.apache.nifi.hbase.put.PutColumn; +import org.apache.nifi.hbase.put.PutFlowFile; +import org.apache.nifi.processor.ProcessContext; +import org.apache.nifi.processor.ProcessSession; +import org.apache.nifi.processor.Relationship; +import org.apache.nifi.processor.exception.ProcessException; +import org.apache.nifi.processor.util.StandardValidators; +import org.apache.nifi.serialization.RecordReader; +import org.apache.nifi.serialization.RecordReaderFactory; +import org.apache.nifi.serialization.record.Record; +import 
org.apache.nifi.serialization.record.RecordFieldType; +import org.apache.nifi.serialization.record.RecordSchema; + +import java.io.IOException; +import java.util.ArrayList; +import java.util.HashSet; +import java.util.List; +import java.util.Set; + +@EventDriven +@SupportsBatching +@InputRequirement(InputRequirement.Requirement.INPUT_REQUIRED) +@Tags({"hadoop", "hbase", "put", "record"}) +@CapabilityDescription("Adds rows to HBase based on the contents of a flowfile using a configured record reader.") +@ReadsAttribute(attribute = "restart.index", description = "Reads restart.index when it needs to replay part of a record set that did not get into HBase.") +@WritesAttribute(attribute = "restart.index", description = "Writes restart.index when a batch fails to be insert into HBase") +public class PutHBaseRecord extends AbstractPutHBase { + +protected static final PropertyDescriptor ROW_FIELD_NAME = new PropertyDescriptor.Builder() +.name("Row Identifier Field Path") +.description("Specifies the name of a record field whose value should be used as the row id for the given record.") +.expressionLanguageSupported(true) +.addValidator(StandardValidators.NON_EMPTY_VALIDATOR) +.build(); + +protected static final String FAIL_VALUE = "Fail"; +protected static final String WARN_VALUE = "Warn"; +protected static final String IGNORE_VALUE = "Ignore"; +protected static final String TEXT_VALUE = "Text"; + +protected static final AllowableValue COMPLEX_FIELD_FAIL = new AllowableValue(FAIL_VALUE, FAIL_VALUE, "Route entire FlowFile to failure if any elements contain complex values."); +protected static final AllowableValue COMPLEX_FIELD_WARN = new AllowableValue(WARN_VALUE, WARN_VALUE, "Provide a warning and do not include field in row sent to HBase."); +protected static final AllowableValue COMPLEX_FIELD_IGNORE = new AllowableValue(IGNORE_VALUE, IGNORE_VALUE, "Silently ignore and do not include in row sent to HBase."); +protected static final AllowableValue COMPLEX_FIELD_TEXT = new 
AllowableValue(TEXT_VALUE, TEXT_VALUE, "Use the string representation of the complex field as
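Review bot: ROW_FIELD_NAME is named "Row Identifier Field Path" but its description says it takes "the name of a record field", so a user cannot tell whether a record path expression or a plain field name is expected; make the name and the description agree, and add a .displayName next to .name, since the builder shown sets only .name. In the @WritesAttribute description, "fails to be insert into HBase" should read "fails to be inserted into HBase".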
[jira] [Commented] (NIFI-4124) Add a Record API-based PutMongo clone
[ https://issues.apache.org/jira/browse/NIFI-4124?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16110882#comment-16110882 ] ASF GitHub Bot commented on NIFI-4124: -- Github user MikeThomsen commented on the issue: https://github.com/apache/nifi/pull/1945 @markap14 @joewitt Any chance of getting this reviewed? > Add a Record API-based PutMongo clone > - > > Key: NIFI-4124 > URL: https://issues.apache.org/jira/browse/NIFI-4124 > Project: Apache NiFi > Issue Type: Improvement >Reporter: Mike Thomsen >Priority: Minor > Labels: mongodb, putmongo, records > > A new processor that can use the Record API to put data into Mongo is needed. -- This message was sent by Atlassian JIRA (v6.4.14#64029)
[GitHub] nifi issue #2043: NIFI-4248: Adding Rya processor.
Github user bbende commented on the issue: https://github.com/apache/nifi/pull/2043 @jzonthemtn sounds good, if you find that InvokeHttp doesn't work for some reason, or if there is some specific logic related to Rya that you need, then by all means re-open --- If your project is set up for it, you can reply to this email and have your reply appear on GitHub as well. If your project does not have this feature enabled and wishes so, or if the feature is enabled but not working, please contact infrastructure at infrastruct...@apache.org or file a JIRA ticket with INFRA. ---
[jira] [Commented] (NIFI-4248) Create processor for Apache Rya
[ https://issues.apache.org/jira/browse/NIFI-4248?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16110898#comment-16110898 ] ASF GitHub Bot commented on NIFI-4248: -- Github user bbende commented on the issue: https://github.com/apache/nifi/pull/2043 @jzonthemtn sounds good, if you find that InvokeHttp doesn't work for some reason, or if there is some specific logic related to Rya that you need, then by all means re-open > Create processor for Apache Rya > --- > > Key: NIFI-4248 > URL: https://issues.apache.org/jira/browse/NIFI-4248 > Project: Apache NiFi > Issue Type: Task > Components: Extensions >Reporter: Jeff Zemerick >Priority: Minor > > Create a processor to ingest triples into Apache Rya.
[GitHub] nifi pull request #2047: NIFI-4210: Add support for OpenId Connect
Github user mcgilman commented on a diff in the pull request: https://github.com/apache/nifi/pull/2047#discussion_r130878563 --- Diff: nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/api/AccessResource.java --- 
@@ -125,6 +142,160 @@ public Response getLoginConfig(@Context HttpServletRequest httpServletRequest) { return generateOkResponse(entity).build(); } +@GET +@Consumes(MediaType.WILDCARD) +@Produces(MediaType.WILDCARD) +@Path("oidc/request") +@ApiOperation( +value = "Initiates a request to authenticate through the configured OpenId Connect provider." +) +public void oidcRequest(@Context HttpServletRequest httpServletRequest, @Context HttpServletResponse httpServletResponse) throws Exception { +// only consider user specific access over https +if (!httpServletRequest.isSecure()) { +forwardToMessagePage(httpServletRequest, httpServletResponse, "User authentication/authorization is only supported when running over HTTPS."); +return; +} + +// ensure oidc is enabled +if (!oidcService.isOidcEnabled()) { +forwardToMessagePage(httpServletRequest, httpServletResponse, "OpenId Connect is not configured."); +return; +} + +final String oidcRequestIdentifier = UUID.randomUUID().toString(); + +// generate a cookie to associate this login sequence +final Cookie cookie = new Cookie(OIDC_REQUEST_IDENTIFIER, oidcRequestIdentifier); +cookie.setPath("/"); +cookie.setHttpOnly(true); +cookie.setMaxAge(60); +cookie.setSecure(true); +httpServletResponse.addCookie(cookie); + +// get the state for this request +final State state = oidcService.createState(oidcRequestIdentifier); + +// build the authorization uri +final URI authorizationUri = UriBuilder.fromUri(oidcService.getAuthorizationEndpoint()) +.queryParam("client_id", oidcService.getClientId()) +.queryParam("response_type", "code") +.queryParam("scope", oidcService.getScope().toString()) +.queryParam("state", state.getValue()) +.queryParam("redirect_uri", getOidcCallback()) +.build(); + +// generate the response +httpServletResponse.sendRedirect(authorizationUri.toString()); +} + +@GET +@Consumes(MediaType.WILDCARD) +@Produces(MediaType.WILDCARD) +@Path("oidc/callback") +@ApiOperation( +value = "Redirect/callback URI for processing the 
result of the OpenId Connect login sequence." +) +public void oidcCallback(@Context HttpServletRequest httpServletRequest, @Context HttpServletResponse httpServletResponse) throws Exception { +// only consider user specific access over https +if (!httpServletRequest.isSecure()) { +forwardToMessagePage(httpServletRequest, httpServletResponse, "User authentication/authorization is only supported when running over HTTPS."); +return; +} + +// ensure oidc is enabled +if (!oidcService.isOidcEnabled()) { +forwardToMessagePage(httpServletRequest, httpServletResponse, "OpenId Connect is not configured."); +return; +} + +final String oidcRequestIdentifier = getCookieValue(httpServletRequest.getCookies(), OIDC_REQUEST_IDENTIFIER); +if (oidcRequestIdentifier == null) { +forwardToMessagePage(httpServletRequest, httpServletResponse, "The login request identifier was not found in the request. Unable to continue."); +return; +} + +final com.nimbusds.openid.connect.sdk.AuthenticationResponse oidcResponse = AuthenticationResponseParser.parse(getRequestUri()); +if (oidcResponse.indicatesSuccess()) { +final AuthenticationSuccessResponse successfulOidcResponse = (AuthenticationSuccessResponse) oidcResponse; + +// confirm state +final State state = successfulOidcResponse.getState(); +if (!oidcService.isStateValid(oidcRequestIdentifier, state)) { +logger.error("Purposed state does not match the stored state. Unable to continue login process."); + +// remove the oidc request cookie +removeOidcRequestCookie(httpServletResponse); + +// forward to the error page +forwardToMessagePage(httpServletRequest, httpServletResponse, "Purposed state d
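Review bot: in oidcRequest the request-identifier cookie is created with cookie.setMaxAge(60), so a user who spends more than a minute at the provider (for example on a second factor) returns to oidcCallback without the cookie and is shown "The login request identifier was not found in the request"; consider a longer lifetime, kept in step with however long the state returned by oidcService.createState(oidcRequestIdentifier) remains valid. In oidcCallback, "Purposed state" in both the logger.error call and the message-page text presumably means "Proposed state".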
[jira] [Commented] (NIFI-4210) Add OpenId Connect support for authenticating users
[ https://issues.apache.org/jira/browse/NIFI-4210?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16110914#comment-16110914 ] ASF GitHub Bot commented on NIFI-4210: -- Github user mcgilman commented on a diff in the pull request: https://github.com/apache/nifi/pull/2047#discussion_r130878563 --- Diff: nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/api/AccessResource.java --- 
@@ -125,6 +142,160 @@ public Response getLoginConfig(@Context HttpServletRequest httpServletRequest) { return generateOkResponse(entity).build(); } +@GET +@Consumes(MediaType.WILDCARD) +@Produces(MediaType.WILDCARD) +@Path("oidc/request") +@ApiOperation( +value = "Initiates a request to authenticate through the configured OpenId Connect provider." +) +public void oidcRequest(@Context HttpServletRequest httpServletRequest, @Context HttpServletResponse httpServletResponse) throws Exception { +// only consider user specific access over https +if (!httpServletRequest.isSecure()) { +forwardToMessagePage(httpServletRequest, httpServletResponse, "User authentication/authorization is only supported when running over HTTPS."); +return; +} + +// ensure oidc is enabled +if (!oidcService.isOidcEnabled()) { +forwardToMessagePage(httpServletRequest, httpServletResponse, "OpenId Connect is not configured."); +return; +} + +final String oidcRequestIdentifier = UUID.randomUUID().toString(); + +// generate a cookie to associate this login sequence +final Cookie cookie = new Cookie(OIDC_REQUEST_IDENTIFIER, oidcRequestIdentifier); +cookie.setPath("/"); +cookie.setHttpOnly(true); +cookie.setMaxAge(60); +cookie.setSecure(true); +httpServletResponse.addCookie(cookie); + +// get the state for this request +final State state = oidcService.createState(oidcRequestIdentifier); + +// build the authorization uri +final URI authorizationUri = UriBuilder.fromUri(oidcService.getAuthorizationEndpoint()) +.queryParam("client_id", oidcService.getClientId()) +.queryParam("response_type", "code") +.queryParam("scope", oidcService.getScope().toString()) +.queryParam("state", state.getValue()) +.queryParam("redirect_uri", getOidcCallback()) +.build(); + +// generate the response +httpServletResponse.sendRedirect(authorizationUri.toString()); +} + +@GET +@Consumes(MediaType.WILDCARD) +@Produces(MediaType.WILDCARD) +@Path("oidc/callback") +@ApiOperation( +value = "Redirect/callback URI for processing the 
result of the OpenId Connect login sequence." +) +public void oidcCallback(@Context HttpServletRequest httpServletRequest, @Context HttpServletResponse httpServletResponse) throws Exception { +// only consider user specific access over https +if (!httpServletRequest.isSecure()) { +forwardToMessagePage(httpServletRequest, httpServletResponse, "User authentication/authorization is only supported when running over HTTPS."); +return; +} + +// ensure oidc is enabled +if (!oidcService.isOidcEnabled()) { +forwardToMessagePage(httpServletRequest, httpServletResponse, "OpenId Connect is not configured."); +return; +} + +final String oidcRequestIdentifier = getCookieValue(httpServletRequest.getCookies(), OIDC_REQUEST_IDENTIFIER); +if (oidcRequestIdentifier == null) { +forwardToMessagePage(httpServletRequest, httpServletResponse, "The login request identifier was not found in the request. Unable to continue."); +return; +} + +final com.nimbusds.openid.connect.sdk.AuthenticationResponse oidcResponse = AuthenticationResponseParser.parse(getRequestUri()); +if (oidcResponse.indicatesSuccess()) { +final AuthenticationSuccessResponse successfulOidcResponse = (AuthenticationSuccessResponse) oidcResponse; + +// confirm state +final State state = successfulOidcResponse.getState(); +if (!oidcService.isStateValid(oidcRequestIdentifier, state)) { +logger.error("Purposed state does not match the stored state. Unable to continue login process."); + +// re
[GitHub] nifi pull request #2047: NIFI-4210: Add support for OpenId Connect
Github user mcgilman commented on a diff in the pull request: https://github.com/apache/nifi/pull/2047#discussion_r130878806 --- Diff: nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/oidc/OidcService.java --- 
@@ -0,0 +1,207 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.nifi.web.security.oidc; + +import com.google.common.cache.Cache; +import com.google.common.cache.CacheBuilder; +import com.nimbusds.oauth2.sdk.AuthorizationGrant; +import com.nimbusds.oauth2.sdk.Scope; +import com.nimbusds.oauth2.sdk.id.State; +import org.apache.nifi.web.security.util.CacheKey; + +import java.io.IOException; +import java.math.BigInteger; +import java.net.URI; +import java.security.SecureRandom; +import java.util.concurrent.ExecutionException; +import java.util.concurrent.TimeUnit; + +import static org.apache.nifi.web.security.oidc.StandardOidcIdentityProvider.OPEN_ID_CONNECT_SUPPORT_IS_NOT_CONFIGURED; + +/** + * OidcService is a service for managing the OpenId Connect Authorization flow. + */ +public class OidcService { + +private OidcIdentityProvider identityProvider; +private Cache stateLookupForPendingRequests; // identifier from cookie -> state value +private Cache jwtLookupForCompletedRequests; // identifier from cookie -> jwt or identity (and generate jwt on retrieval) + +/** + * Creates a new OtpService with an expiration of 5 minutes. 
+ */ +public OidcService(final OidcIdentityProvider identityProvider) { +this(identityProvider, 60, TimeUnit.SECONDS); +} + +/** + * Creates a new OtpService. + * + * @param duration The expiration duration --- End diff -- Got it.
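Review bot: the Javadoc on both constructors says "Creates a new OtpService", which looks carried over from another class and should name OidcService. The second Javadoc block starts its parameter list at "@param duration", yet the one-argument constructor delegates with this(identityProvider, 60, TimeUnit.SECONDS), so the first parameter is identityProvider and needs its own @param line.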
[GitHub] nifi pull request #2047: NIFI-4210: Add support for OpenId Connect
Github user mcgilman commented on a diff in the pull request: https://github.com/apache/nifi/pull/2047#discussion_r130878847 --- Diff: nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/oidc/OidcService.java --- 
@@ -0,0 +1,207 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.nifi.web.security.oidc; + +import com.google.common.cache.Cache; +import com.google.common.cache.CacheBuilder; +import com.nimbusds.oauth2.sdk.AuthorizationGrant; +import com.nimbusds.oauth2.sdk.Scope; +import com.nimbusds.oauth2.sdk.id.State; +import org.apache.nifi.web.security.util.CacheKey; + +import java.io.IOException; +import java.math.BigInteger; +import java.net.URI; +import java.security.SecureRandom; +import java.util.concurrent.ExecutionException; +import java.util.concurrent.TimeUnit; + +import static org.apache.nifi.web.security.oidc.StandardOidcIdentityProvider.OPEN_ID_CONNECT_SUPPORT_IS_NOT_CONFIGURED; + +/** + * OidcService is a service for managing the OpenId Connect Authorization flow. + */ +public class OidcService { + +private OidcIdentityProvider identityProvider; +private Cache stateLookupForPendingRequests; // identifier from cookie -> state value +private Cache jwtLookupForCompletedRequests; // identifier from cookie -> jwt or identity (and generate jwt on retrieval) + +/** + * Creates a new OtpService with an expiration of 5 minutes. 
+ */ +public OidcService(final OidcIdentityProvider identityProvider) { +this(identityProvider, 60, TimeUnit.SECONDS); --- End diff -- Got it.
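Review bot: the Javadoc on the one-argument constructor promises "an expiration of 5 minutes" while the body calls this(identityProvider, 60, TimeUnit.SECONDS), which is one minute; correct whichever of the two is wrong. Pulling the default into a named constant that the comment refers to would keep the documentation and the value from drifting apart again.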
[jira] [Commented] (NIFI-4210) Add OpenId Connect support for authenticating users
[ https://issues.apache.org/jira/browse/NIFI-4210?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16110915#comment-16110915 ] ASF GitHub Bot commented on NIFI-4210: -- Github user mcgilman commented on a diff in the pull request: https://github.com/apache/nifi/pull/2047#discussion_r130878806 --- Diff: nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/oidc/OidcService.java --- 
@@ -0,0 +1,207 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.nifi.web.security.oidc; + +import com.google.common.cache.Cache; +import com.google.common.cache.CacheBuilder; +import com.nimbusds.oauth2.sdk.AuthorizationGrant; +import com.nimbusds.oauth2.sdk.Scope; +import com.nimbusds.oauth2.sdk.id.State; +import org.apache.nifi.web.security.util.CacheKey; + +import java.io.IOException; +import java.math.BigInteger; +import java.net.URI; +import java.security.SecureRandom; +import java.util.concurrent.ExecutionException; +import java.util.concurrent.TimeUnit; + +import static org.apache.nifi.web.security.oidc.StandardOidcIdentityProvider.OPEN_ID_CONNECT_SUPPORT_IS_NOT_CONFIGURED; + +/** + * OidcService is a service for managing the OpenId Connect Authorization flow. + */ +public class OidcService { + +private OidcIdentityProvider identityProvider; +private Cache stateLookupForPendingRequests; // identifier from cookie -> state value +private Cache jwtLookupForCompletedRequests; // identifier from cookie -> jwt or identity (and generate jwt on retrieval) + +/** + * Creates a new OtpService with an expiration of 5 minutes. 
+ */ +public OidcService(final OidcIdentityProvider identityProvider) { +this(identityProvider, 60, TimeUnit.SECONDS); +} + +/** + * Creates a new OtpService. + * + * @param duration The expiration duration --- End diff -- Got it. > Add OpenId Connect support for authenticating users > --- > > Key: NIFI-4210 > URL: https://issues.apache.org/jira/browse/NIFI-4210 > Project: Apache NiFi > Issue Type: Improvement > Components: Core Framework, Core UI >Reporter: Matt Gilman >Assignee: Matt Gilman > > Add support for authenticating users with the OpenId Connection > specification. Evaluate whether a new extension point is necessary to allow > for a given provider to supply custom code for instance to implement custom > token validation.
[jira] [Commented] (NIFI-4210) Add OpenId Connect support for authenticating users
[ https://issues.apache.org/jira/browse/NIFI-4210?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16110916#comment-16110916 ] ASF GitHub Bot commented on NIFI-4210: -- Github user mcgilman commented on a diff in the pull request: https://github.com/apache/nifi/pull/2047#discussion_r130878847 --- Diff: nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/oidc/OidcService.java --- 
@@ -0,0 +1,207 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.nifi.web.security.oidc; + +import com.google.common.cache.Cache; +import com.google.common.cache.CacheBuilder; +import com.nimbusds.oauth2.sdk.AuthorizationGrant; +import com.nimbusds.oauth2.sdk.Scope; +import com.nimbusds.oauth2.sdk.id.State; +import org.apache.nifi.web.security.util.CacheKey; + +import java.io.IOException; +import java.math.BigInteger; +import java.net.URI; +import java.security.SecureRandom; +import java.util.concurrent.ExecutionException; +import java.util.concurrent.TimeUnit; + +import static org.apache.nifi.web.security.oidc.StandardOidcIdentityProvider.OPEN_ID_CONNECT_SUPPORT_IS_NOT_CONFIGURED; + +/** + * OidcService is a service for managing the OpenId Connect Authorization flow. + */ +public class OidcService { + +private OidcIdentityProvider identityProvider; +private Cache stateLookupForPendingRequests; // identifier from cookie -> state value +private Cache jwtLookupForCompletedRequests; // identifier from cookie -> jwt or identity (and generate jwt on retrieval) + +/** + * Creates a new OtpService with an expiration of 5 minutes. 
+ */ +public OidcService(final OidcIdentityProvider identityProvider) { +this(identityProvider, 60, TimeUnit.SECONDS); --- End diff -- Got it. > Add OpenId Connect support for authenticating users > --- > > Key: NIFI-4210 > URL: https://issues.apache.org/jira/browse/NIFI-4210 > Project: Apache NiFi > Issue Type: Improvement > Components: Core Framework, Core UI >Reporter: Matt Gilman >Assignee: Matt Gilman > > Add support for authenticating users with the OpenId Connection > specification. Evaluate whether a new extension point is necessary to allow > for a given provider to supply custom code for instance to implement custom > token validation.
[jira] [Assigned] (NIFI-4218) ElasticsearchHttp processors should support dynamic properties as query parameters
[ https://issues.apache.org/jira/browse/NIFI-4218?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Matt Burgess reassigned NIFI-4218: -- Assignee: Matt Burgess > ElasticsearchHttp processors should support dynamic properties as query > parameters > -- > > Key: NIFI-4218 > URL: https://issues.apache.org/jira/browse/NIFI-4218 > Project: Apache NiFi > Issue Type: Improvement > Components: Extensions >Reporter: Matt Burgess >Assignee: Matt Burgess >Priority: Minor > > The Elasticsearch HTTP API has a number of fields that can be specified as > query parameters in the URL, such as support for > [pipelines|https://www.elastic.co/guide/en/elasticsearch/reference/current/ingest.html]. > Rather than including all possibilities as processor properties, it might be > more flexible to allow the user to specify dynamic properties on > ElasticsearchHttp processors, and then use those to set query parameters on > the API URL. > Documentation should include a note that not all features are available to > all versions of Elasticsearch, and thus the ES documentation should be > consulted before adding dynamic properties. For example, pipelines were > introduced in ES 5.x, so using pipeline parameters in an ElasticsearchHttp > processor will not work if connecting to an ES 2.x cluster.
[GitHub] nifi pull request #2049: NIFI-4218: Dynamic properties as query parameters i...
GitHub user mattyb149 opened a pull request: https://github.com/apache/nifi/pull/2049 NIFI-4218: Dynamic properties as query parameters in ESHttp processors ### For all changes: - [x] Is there a JIRA ticket associated with this PR? Is it referenced in the commit message? - [x] Does your PR title start with NIFI- where is the JIRA number you are trying to resolve? Pay particular attention to the hyphen "-" character. - [x] Has your PR been rebased against the latest commit within the target branch (typically master)? - [x] Is your initial contribution a single, squashed commit? ### For code changes: - [x] Have you ensured that the full suite of tests is executed via mvn -Pcontrib-check clean install at the root nifi folder? - [x] Have you written or updated unit tests to verify your changes? - [ ] If adding new dependencies to the code, are these dependencies licensed in a way that is compatible for inclusion under [ASF 2.0](http://www.apache.org/legal/resolved.html#category-a)? - [ ] If applicable, have you updated the LICENSE file, including the main LICENSE file under nifi-assembly? - [ ] If applicable, have you updated the NOTICE file, including the main NOTICE file found under nifi-assembly? - [ ] If adding new Properties, have you added .displayName in addition to .name (programmatic access) for each of the new properties? ### For documentation related changes: - [x] Have you ensured that format looks appropriate for the output in which it is rendered? ### Note: Please ensure that once the PR is submitted, you check travis-ci for build issues and submit an update to your PR as soon as possible. 
You can merge this pull request into a Git repository by running: $ git pull https://github.com/mattyb149/nifi NIFI-4218 Alternatively you can review and apply these changes as the patch at: https://github.com/apache/nifi/pull/2049.patch To close this pull request, make a commit to your master/trunk branch with (at least) the following in the commit message: This closes #2049 commit e6fe6dc3adc953b5eea938e0750efe38f92b88ab Author: Matt Burgess Date: 2017-08-02T13:41:12Z NIFI-4218: Dynamic properties as query parameters in ESHttp processors
[jira] [Commented] (NIFI-4210) Add OpenId Connect support for authenticating users
[ https://issues.apache.org/jira/browse/NIFI-4210?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16110920#comment-16110920 ] ASF GitHub Bot commented on NIFI-4210: -- Github user mcgilman commented on a diff in the pull request: https://github.com/apache/nifi/pull/2047#discussion_r130879118 --- Diff: nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/oidc/OidcService.java --- 
@@ -0,0 +1,207 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.nifi.web.security.oidc; + +import com.google.common.cache.Cache; +import com.google.common.cache.CacheBuilder; +import com.nimbusds.oauth2.sdk.AuthorizationGrant; +import com.nimbusds.oauth2.sdk.Scope; +import com.nimbusds.oauth2.sdk.id.State; +import org.apache.nifi.web.security.util.CacheKey; + +import java.io.IOException; +import java.math.BigInteger; +import java.net.URI; +import java.security.SecureRandom; +import java.util.concurrent.ExecutionException; +import java.util.concurrent.TimeUnit; + +import static org.apache.nifi.web.security.oidc.StandardOidcIdentityProvider.OPEN_ID_CONNECT_SUPPORT_IS_NOT_CONFIGURED; + +/** + * OidcService is a service for managing the OpenId Connect Authorization flow. + */ +public class OidcService { + +private OidcIdentityProvider identityProvider; +private Cache stateLookupForPendingRequests; // identifier from cookie -> state value +private Cache jwtLookupForCompletedRequests; // identifier from cookie -> jwt or identity (and generate jwt on retrieval) + +/** + * Creates a new OtpService with an expiration of 5 minutes. 
+ */ +public OidcService(final OidcIdentityProvider identityProvider) { +this(identityProvider, 60, TimeUnit.SECONDS); +} + +/** + * Creates a new OtpService. + * + * @param duration The expiration duration + * @param units The expiration units + * @throws NullPointerException If units is null + * @throws IllegalArgumentException If duration is negative + */ +public OidcService(final OidcIdentityProvider identityProvider, final int duration, final TimeUnit units) { +this.identityProvider = identityProvider; +this.stateLookupForPendingRequests = CacheBuilder.newBuilder().expireAfterWrite(duration, units).build(); +this.jwtLookupForCompletedRequests = CacheBuilder.newBuilder().expireAfterWrite(duration, units).build(); +} + +/** + * Returns whether OpenId Connect is enabled. + * + * @return whether OpenId Connect is enabled + */ +public boolean isOidcEnabled() { +return identityProvider.isOidcEnabled(); --- End diff -- Got it. > Add OpenId Connect support for authenticating users > --- > > Key: NIFI-4210 > URL: https://issues.apache.org/jira/browse/NIFI-4210 > Project: Apache NiFi > Issue Type: Improvement > Components: Core Framework, Core UI >Reporter: Matt Gilman >Assignee: Matt Gilman > > Add support for authenticating users with the OpenId Connection > specification. Evaluate whether a new extension point is necessary to allow > for a given provider to supply custom code for instance to implement custom > token validation.
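Review bot: the three-argument constructor stores identityProvider without a null check while its Javadoc documents a NullPointerException only for units, and isOidcEnabled() then calls identityProvider.isOidcEnabled() directly, so a null provider would fail on the first request instead of at construction; reject null in the constructor and document it. The same duration and units are applied to both stateLookupForPendingRequests and jwtLookupForCompletedRequests, although the two caches hold different things (the state of a login still in progress, and the jwt or identity of a completed one); consider giving each its own expiry.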
[jira] [Commented] (NIFI-4218) ElasticsearchHttp processors should support dynamic properties as query parameters
[ https://issues.apache.org/jira/browse/NIFI-4218?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16110919#comment-16110919 ]

ASF GitHub Bot commented on NIFI-4218:

GitHub user mattyb149 opened a pull request:

https://github.com/apache/nifi/pull/2049

NIFI-4218: Dynamic properties as query parameters in ESHttp processors

### For all changes:
- [x] Is there a JIRA ticket associated with this PR? Is it referenced in the commit message?
- [x] Does your PR title start with NIFI- where is the JIRA number you are trying to resolve? Pay particular attention to the hyphen "-" character.
- [x] Has your PR been rebased against the latest commit within the target branch (typically master)?
- [x] Is your initial contribution a single, squashed commit?

### For code changes:
- [x] Have you ensured that the full suite of tests is executed via mvn -Pcontrib-check clean install at the root nifi folder?
- [x] Have you written or updated unit tests to verify your changes?
- [ ] If adding new dependencies to the code, are these dependencies licensed in a way that is compatible for inclusion under [ASF 2.0](http://www.apache.org/legal/resolved.html#category-a)?
- [ ] If applicable, have you updated the LICENSE file, including the main LICENSE file under nifi-assembly?
- [ ] If applicable, have you updated the NOTICE file, including the main NOTICE file found under nifi-assembly?
- [ ] If adding new Properties, have you added .displayName in addition to .name (programmatic access) for each of the new properties?

### For documentation related changes:
- [x] Have you ensured that format looks appropriate for the output in which it is rendered?

### Note:
Please ensure that once the PR is submitted, you check travis-ci for build issues and submit an update to your PR as soon as possible.

You can merge this pull request into a Git repository by running:

$ git pull https://github.com/mattyb149/nifi NIFI-4218

Alternatively you can review and apply these changes as the patch at:

https://github.com/apache/nifi/pull/2049.patch

To close this pull request, make a commit to your master/trunk branch with (at least) the following in the commit message:

This closes #2049

commit e6fe6dc3adc953b5eea938e0750efe38f92b88ab
Author: Matt Burgess
Date: 2017-08-02T13:41:12Z

NIFI-4218: Dynamic properties as query parameters in ESHttp processors

> ElasticsearchHttp processors should support dynamic properties as query parameters
>
> Key: NIFI-4218
> URL: https://issues.apache.org/jira/browse/NIFI-4218
> Project: Apache NiFi
> Issue Type: Improvement
> Components: Extensions
> Reporter: Matt Burgess
> Assignee: Matt Burgess
> Priority: Minor
>
> The Elasticsearch HTTP API has a number of fields that can be specified as query parameters in the URL, such as support for [pipelines|https://www.elastic.co/guide/en/elasticsearch/reference/current/ingest.html].
> Rather than including all possibilities as processor properties, it might be more flexible to allow the user to specify dynamic properties on ElasticsearchHttp processors, and then use those to set query parameters on the API URL.
> Documentation should include a note that not all features are available to all versions of Elasticsearch, and thus the ES documentation should be consulted before adding dynamic properties. For example, pipelines were introduced in ES 5.x, so using pipeline parameters in an ElasticsearchHttp processor will not work if connecting to an ES 2.x cluster.
[GitHub] nifi pull request #2047: NIFI-4210: Add support for OpenId Connect
Github user mcgilman commented on a diff in the pull request: https://github.com/apache/nifi/pull/2047#discussion_r130879118 --- Diff: nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/oidc/OidcService.java --- 
@@ -0,0 +1,207 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.nifi.web.security.oidc; + +import com.google.common.cache.Cache; +import com.google.common.cache.CacheBuilder; +import com.nimbusds.oauth2.sdk.AuthorizationGrant; +import com.nimbusds.oauth2.sdk.Scope; +import com.nimbusds.oauth2.sdk.id.State; +import org.apache.nifi.web.security.util.CacheKey; + +import java.io.IOException; +import java.math.BigInteger; +import java.net.URI; +import java.security.SecureRandom; +import java.util.concurrent.ExecutionException; +import java.util.concurrent.TimeUnit; + +import static org.apache.nifi.web.security.oidc.StandardOidcIdentityProvider.OPEN_ID_CONNECT_SUPPORT_IS_NOT_CONFIGURED; + +/** + * OidcService is a service for managing the OpenId Connect Authorization flow. + */ +public class OidcService { + +private OidcIdentityProvider identityProvider; +private Cache stateLookupForPendingRequests; // identifier from cookie -> state value +private Cache jwtLookupForCompletedRequests; // identifier from cookie -> jwt or identity (and generate jwt on retrieval) + +/** + * Creates a new OtpService with an expiration of 5 minutes. 
+ */ +public OidcService(final OidcIdentityProvider identityProvider) { +this(identityProvider, 60, TimeUnit.SECONDS); +} + +/** + * Creates a new OtpService. + * + * @param duration The expiration duration + * @param units The expiration units + * @throws NullPointerException If units is null + * @throws IllegalArgumentException If duration is negative + */ +public OidcService(final OidcIdentityProvider identityProvider, final int duration, final TimeUnit units) { +this.identityProvider = identityProvider; +this.stateLookupForPendingRequests = CacheBuilder.newBuilder().expireAfterWrite(duration, units).build(); +this.jwtLookupForCompletedRequests = CacheBuilder.newBuilder().expireAfterWrite(duration, units).build(); +} + +/** + * Returns whether OpenId Connect is enabled. + * + * @return whether OpenId Connect is enabled + */ +public boolean isOidcEnabled() { +return identityProvider.isOidcEnabled(); --- End diff -- Got it. --- If your project is set up for it, you can reply to this email and have your reply appear on GitHub as well. If your project does not have this feature enabled and wishes so, or if the feature is enabled but not working, please contact infrastructure at infrastruct...@apache.org or file a JIRA ticket with INFRA. ---
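Review bot: The Javadoc on the one-argument constructor says "Creates a new OtpService with an expiration of 5 minutes", but the constructor delegates with `60, TimeUnit.SECONDS` and the class is OidcService. Update the comment to name OidcService and state the 60 second default (the two-argument constructor's "Creates a new OtpService" carries the same copy-paste), so that anyone sizing the login timeout from the documentation gets the value the code actually uses.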
[jira] [Updated] (NIFI-4218) ElasticsearchHttp processors should support dynamic properties as query parameters
[ https://issues.apache.org/jira/browse/NIFI-4218?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Matt Burgess updated NIFI-4218:

Status: Patch Available (was: In Progress)

> ElasticsearchHttp processors should support dynamic properties as query parameters
>
> Key: NIFI-4218
> URL: https://issues.apache.org/jira/browse/NIFI-4218
> Project: Apache NiFi
> Issue Type: Improvement
> Components: Extensions
> Reporter: Matt Burgess
> Assignee: Matt Burgess
> Priority: Minor
>
> The Elasticsearch HTTP API has a number of fields that can be specified as query parameters in the URL, such as support for [pipelines|https://www.elastic.co/guide/en/elasticsearch/reference/current/ingest.html].
> Rather than including all possibilities as processor properties, it might be more flexible to allow the user to specify dynamic properties on ElasticsearchHttp processors, and then use those to set query parameters on the API URL.
> Documentation should include a note that not all features are available to all versions of Elasticsearch, and thus the ES documentation should be consulted before adding dynamic properties. For example, pipelines were introduced in ES 5.x, so using pipeline parameters in an ElasticsearchHttp processor will not work if connecting to an ES 2.x cluster.
[GitHub] nifi issue #1969: NIFI-4082 - Added EL on GetMongo properties
Github user nicholasmhughes commented on the issue: https://github.com/apache/nifi/pull/1969 @pvillard31 @jfrazee I'm very interested in this functionality. The Jira for this issue doesn't have a fix version identified. Do you think it will make it into 1.4.0 (or the next formal release)?
[jira] [Commented] (NIFI-4082) Enable nifi expression language for GetMongo - Query property
[ https://issues.apache.org/jira/browse/NIFI-4082?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16110944#comment-16110944 ]

ASF GitHub Bot commented on NIFI-4082:

Github user nicholasmhughes commented on the issue:

https://github.com/apache/nifi/pull/1969

@pvillard31 @jfrazee I'm very interested in this functionality. The Jira for this issue doesn't have a fix version identified. Do you think it will make it into 1.4.0 (or the next formal release)?

> Enable nifi expression language for GetMongo - Query property
>
> Key: NIFI-4082
> URL: https://issues.apache.org/jira/browse/NIFI-4082
> Project: Apache NiFi
> Issue Type: Improvement
> Components: Extensions
> Affects Versions: 1.3.0
> Reporter: Dmitry Lukyanov
> Assignee: Pierre Villard
> Priority: Trivial
>
> Currently the `Query` property of the `GetMongo` processor does not support expression language.
> That disables query parametrization.
[GitHub] nifi pull request #2047: NIFI-4210: Add support for OpenId Connect
Github user mcgilman commented on a diff in the pull request: https://github.com/apache/nifi/pull/2047#discussion_r130882716 --- Diff: nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/oidc/OidcService.java --- 
@@ -0,0 +1,207 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.nifi.web.security.oidc; + +import com.google.common.cache.Cache; +import com.google.common.cache.CacheBuilder; +import com.nimbusds.oauth2.sdk.AuthorizationGrant; +import com.nimbusds.oauth2.sdk.Scope; +import com.nimbusds.oauth2.sdk.id.State; +import org.apache.nifi.web.security.util.CacheKey; + +import java.io.IOException; +import java.math.BigInteger; +import java.net.URI; +import java.security.SecureRandom; +import java.util.concurrent.ExecutionException; +import java.util.concurrent.TimeUnit; + +import static org.apache.nifi.web.security.oidc.StandardOidcIdentityProvider.OPEN_ID_CONNECT_SUPPORT_IS_NOT_CONFIGURED; + +/** + * OidcService is a service for managing the OpenId Connect Authorization flow. + */ +public class OidcService { + +private OidcIdentityProvider identityProvider; +private Cache stateLookupForPendingRequests; // identifier from cookie -> state value +private Cache jwtLookupForCompletedRequests; // identifier from cookie -> jwt or identity (and generate jwt on retrieval) + +/** + * Creates a new OtpService with an expiration of 5 minutes. 
+ */ +public OidcService(final OidcIdentityProvider identityProvider) { +this(identityProvider, 60, TimeUnit.SECONDS); +} + +/** + * Creates a new OtpService. + * + * @param duration The expiration duration + * @param units The expiration units + * @throws NullPointerException If units is null + * @throws IllegalArgumentException If duration is negative + */ +public OidcService(final OidcIdentityProvider identityProvider, final int duration, final TimeUnit units) { +this.identityProvider = identityProvider; +this.stateLookupForPendingRequests = CacheBuilder.newBuilder().expireAfterWrite(duration, units).build(); +this.jwtLookupForCompletedRequests = CacheBuilder.newBuilder().expireAfterWrite(duration, units).build(); +} + +/** + * Returns whether OpenId Connect is enabled. + * + * @return whether OpenId Connect is enabled + */ +public boolean isOidcEnabled() { +return identityProvider.isOidcEnabled(); +} + +/** + * Returns the OpenId Connect authorization endpoint. + * + * @return the authorization endpoint + */ +public URI getAuthorizationEndpoint() { +return identityProvider.getAuthorizationEndpoint(); +} + +/** + * Returns the OpenId Connect scope. + * + * @return scope + */ +public Scope getScope() { +return identityProvider.getScope(); +} + +/** + * Returns the OpenId Connect client id. + * + * @return client id + */ +public String getClientId() { +return identityProvider.getClientId().getValue(); +} + +/** + * Initiates an OpenId Connection authorization code flow using the specified request identifier to maintain state. + * + * @param oidcRequestIdentifier request identifier + * @return state + */ +public State createState(final String oidcRequestIdentifier) { +if (!isOidcEnabled()) { +throw new IllegalStateException(OPEN_ID_CONNECT_SUPPORT_IS_NOT_CONFIGURED); +} + +final CacheKey oidcRequestIdentifierKey = new CacheKey(oidcRequestIdentifier); +final State state = new State(new BigInteger(130, new Se
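Review bot: In the two-argument constructor, `stateLookupForPendingRequests` and `jwtLookupForCompletedRequests` are both built with the same `expireAfterWrite(duration, units)`, and the default constructor sets that to 60 seconds. The pending-request cache (commented as "identifier from cookie -> state value") has to keep its entry for the whole interactive login at the provider, while the completed-request cache only needs to bridge the gap until the JWT is retrieved, so one shared value fits neither well. Consider separate expirations, or a configurable lifetime for the pending state, and document what the user sees when the state has already expired by the time the callback arrives.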
[jira] [Commented] (NIFI-4210) Add OpenId Connect support for authenticating users
[ https://issues.apache.org/jira/browse/NIFI-4210?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16110946#comment-16110946 ] ASF GitHub Bot commented on NIFI-4210: -- Github user mcgilman commented on a diff in the pull request: https://github.com/apache/nifi/pull/2047#discussion_r130882716 --- Diff: nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/oidc/OidcService.java --- 
@@ -0,0 +1,207 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.nifi.web.security.oidc; + +import com.google.common.cache.Cache; +import com.google.common.cache.CacheBuilder; +import com.nimbusds.oauth2.sdk.AuthorizationGrant; +import com.nimbusds.oauth2.sdk.Scope; +import com.nimbusds.oauth2.sdk.id.State; +import org.apache.nifi.web.security.util.CacheKey; + +import java.io.IOException; +import java.math.BigInteger; +import java.net.URI; +import java.security.SecureRandom; +import java.util.concurrent.ExecutionException; +import java.util.concurrent.TimeUnit; + +import static org.apache.nifi.web.security.oidc.StandardOidcIdentityProvider.OPEN_ID_CONNECT_SUPPORT_IS_NOT_CONFIGURED; + +/** + * OidcService is a service for managing the OpenId Connect Authorization flow. + */ +public class OidcService { + +private OidcIdentityProvider identityProvider; +private Cache stateLookupForPendingRequests; // identifier from cookie -> state value +private Cache jwtLookupForCompletedRequests; // identifier from cookie -> jwt or identity (and generate jwt on retrieval) + +/** + * Creates a new OtpService with an expiration of 5 minutes. 
+ */ +public OidcService(final OidcIdentityProvider identityProvider) { +this(identityProvider, 60, TimeUnit.SECONDS); +} + +/** + * Creates a new OtpService. + * + * @param duration The expiration duration + * @param units The expiration units + * @throws NullPointerException If units is null + * @throws IllegalArgumentException If duration is negative + */ +public OidcService(final OidcIdentityProvider identityProvider, final int duration, final TimeUnit units) { +this.identityProvider = identityProvider; +this.stateLookupForPendingRequests = CacheBuilder.newBuilder().expireAfterWrite(duration, units).build(); +this.jwtLookupForCompletedRequests = CacheBuilder.newBuilder().expireAfterWrite(duration, units).build(); +} + +/** + * Returns whether OpenId Connect is enabled. + * + * @return whether OpenId Connect is enabled + */ +public boolean isOidcEnabled() { +return identityProvider.isOidcEnabled(); +} + +/** + * Returns the OpenId Connect authorization endpoint. + * + * @return the authorization endpoint + */ +public URI getAuthorizationEndpoint() { +return identityProvider.getAuthorizationEndpoint(); +} + +/** + * Returns the OpenId Connect scope. + * + * @return scope + */ +public Scope getScope() { +return identityProvider.getScope(); +} + +/** + * Returns the OpenId Connect client id. + * + * @return client id + */ +public String getClientId() { +return identityProvider.getClientId().getValue(); +} + +/** + * Initiates an OpenId Connection authorization code flow using the specified request identifier to maintain state. + * + * @param oidcRequestIdentifier request identifier + * @return state + */ +public State createState(final String oidcRequestIdentifier) { +if (!isOidcEnabled()) { +throw ne
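Review bot: The two-argument constructor documents `@throws NullPointerException If units is null` and `@throws IllegalArgumentException If duration is negative`, but its body validates nothing itself, and `identityProvider` has neither a `@param` entry nor a null check. A null provider would only surface later, at `identityProvider.isOidcEnabled()`. Suggest `Objects.requireNonNull(identityProvider)` at the top of the constructor, a `@param identityProvider` line, and, if the documented exceptions are meant to come from the `CacheBuilder.expireAfterWrite` calls, a sentence saying so.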
[GitHub] nifi issue #1513: NIFI-3484 GenerateTableFetch Should Allow for Right Bounda...
Github user pvillard31 commented on the issue: https://github.com/apache/nifi/pull/1513 Hey @patricker, thanks for this PR and sorry it took so long to get into it. I just reviewed your work and it looks valid. I was able to confirm that it fixes the data duplication issue I was seeing in my environment. I have pushed a commit here: https://github.com/pvillard31/nifi/tree/PR1513 It fixes a check style issue in your PR and also adds a unit test to show the existing data duplication possibility. If you agree with it, can you add it into your PR and I'll get everything merged? Thanks a lot!
[jira] [Commented] (NIFI-3484) GenerateTableFetch Should Allow for Right Boundary
[ https://issues.apache.org/jira/browse/NIFI-3484?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16110950#comment-16110950 ]

ASF GitHub Bot commented on NIFI-3484:

Github user pvillard31 commented on the issue:

https://github.com/apache/nifi/pull/1513

Hey @patricker, thanks for this PR and sorry it took so long to get into it. I just reviewed your work and it looks valid. I was able to confirm that it fixes the data duplication issue I was seeing in my environment.

I have pushed a commit here: https://github.com/pvillard31/nifi/tree/PR1513

It fixes a check style issue in your PR and also adds a unit test to show the existing data duplication possibility. If you agree with it, can you add it into your PR and I'll get everything merged?

Thanks a lot!

> GenerateTableFetch Should Allow for Right Boundary
>
> Key: NIFI-3484
> URL: https://issues.apache.org/jira/browse/NIFI-3484
> Project: Apache NiFi
> Issue Type: New Feature
> Components: Core Framework
> Affects Versions: 1.2.0
> Reporter: Peter Wicks
> Assignee: Peter Wicks
> Priority: Minor
>
> When using GenerateTableFetch it places no right hand boundary on pages of data. This can lead to issues when the statement says to get the next 1000 records greater than a specific key, but records were added to the table between the time the processor executed and when the SQL is being executed. As a result it pulls in records that did not exist when the processor was run. On the next execution of the processor these records will be pulled in a second time.
>
> Example:
> Partition Size = 1000
> First run (no state): Count(*)=4700 and MAX(ID)=4700.
> 5 FlowFiles are generated, the last one will say to fetch 1000, not 700. (But I don't think this is really a bug, just an observation).
> 5 Flow Files are now in queue to be executed by ExecuteSQL. Before the 5th file can execute 400 new rows are added to the table. When the final SQL statement is executed 300 extra records, with higher ID values, will also be pulled into NiFi.
> Second run (state: ID=4700). Count(*) ID>4700 = 400 and MAX(ID)=5100.
> 1 Flow File is generated, but includes 300 records already pulled into NiFi.
>
> The solution is to have an optional property that will let users use the new MAX(ID) as a right boundary when generating queries.
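The scenario from the NIFI-3484 description above, replayed as an added example (not NiFi's code and not part of the original message). It is a simplified model of the paging queries against an in-memory SQLite table; the `events` table, its `id` column and all function names are assumptions.

```python
import sqlite3

PARTITION_SIZE = 1000  # "Partition Size = 1000" in the issue's example


def add_rows(conn, first_id, count):
    """Insert `count` rows with consecutive ids (constructed sample data)."""
    conn.executemany(
        "INSERT INTO events (id) VALUES (?)",
        ((i,) for i in range(first_id, first_id + count)),
    )


def new_table(rows):
    """Hypothetical source table holding ids 1..rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE events (id INTEGER PRIMARY KEY)")
    add_rows(conn, 1, rows)
    return conn


def plan_fetches(conn, last_max, right_boundary):
    """One planning run: count the rows above the stored maximum and emit one
    paged query per partition. Returns (queries, new stored maximum)."""
    count, new_max = conn.execute(
        "SELECT COUNT(*), MAX(id) FROM events WHERE id > ?", (last_max,)
    ).fetchone()
    if count == 0:
        return [], last_max
    where, bounds = "id > ?", [last_max]
    if right_boundary:
        # Fix proposed in the issue: cap every page at the MAX(id)
        # observed when the queries were generated.
        where += " AND id <= ?"
        bounds.append(new_max)
    pages = -(-count // PARTITION_SIZE)  # ceiling division
    sql = f"SELECT id FROM events WHERE {where} ORDER BY id LIMIT ? OFFSET ?"
    queries = [
        (sql, (*bounds, PARTITION_SIZE, page * PARTITION_SIZE))
        for page in range(pages)
    ]
    return queries, new_max


def run(conn, queries):
    """Execute planned queries and return every id they fetched."""
    fetched = []
    for sql, params in queries:
        fetched.extend(row[0] for row in conn.execute(sql, params))
    return fetched


def simulate(right_boundary):
    """Replay the issue's timeline; return (rows fetched, duplicate rows)."""
    conn = new_table(4700)
    fetched = []

    # First run: 4700 rows, MAX(id)=4700, five pages planned.
    queries, state = plan_fetches(conn, 0, right_boundary)
    fetched += run(conn, queries[:-1])   # first four pages execute
    add_rows(conn, 4701, 400)            # 400 rows arrive before page five
    fetched += run(conn, queries[-1:])   # page five executes late

    # Second run starts from the stored maximum (4700).
    queries, state = plan_fetches(conn, state, right_boundary)
    fetched += run(conn, queries)

    return len(fetched), len(fetched) - len(set(fetched))


if __name__ == "__main__":
    for bounded in (False, True):
        total, dupes = simulate(bounded)
        print(f"right_boundary={bounded}: fetched={total} duplicates={dupes}")
```
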
[GitHub] nifi-minifi-cpp issue #123: MINIFI-363: Set format macro declaration to avoi...
Github user achristianson commented on the issue: https://github.com/apache/nifi-minifi-cpp/pull/123 +1
[GitHub] nifi-minifi-cpp issue #122: MINIFI-359: Add PutFile test to test a variety o...
Github user achristianson commented on the issue: https://github.com/apache/nifi-minifi-cpp/pull/122 +1
[jira] [Commented] (NIFI-4210) Add OpenId Connect support for authenticating users
[ https://issues.apache.org/jira/browse/NIFI-4210?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16110964#comment-16110964 ] ASF GitHub Bot commented on NIFI-4210: -- Github user mcgilman commented on a diff in the pull request: https://github.com/apache/nifi/pull/2047#discussion_r130884930 --- Diff: nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/oidc/OidcService.java --- 
@@ -0,0 +1,207 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.nifi.web.security.oidc; + +import com.google.common.cache.Cache; +import com.google.common.cache.CacheBuilder; +import com.nimbusds.oauth2.sdk.AuthorizationGrant; +import com.nimbusds.oauth2.sdk.Scope; +import com.nimbusds.oauth2.sdk.id.State; +import org.apache.nifi.web.security.util.CacheKey; + +import java.io.IOException; +import java.math.BigInteger; +import java.net.URI; +import java.security.SecureRandom; +import java.util.concurrent.ExecutionException; +import java.util.concurrent.TimeUnit; + +import static org.apache.nifi.web.security.oidc.StandardOidcIdentityProvider.OPEN_ID_CONNECT_SUPPORT_IS_NOT_CONFIGURED; + +/** + * OidcService is a service for managing the OpenId Connect Authorization flow. + */ +public class OidcService { + +private OidcIdentityProvider identityProvider; +private Cache stateLookupForPendingRequests; // identifier from cookie -> state value +private Cache jwtLookupForCompletedRequests; // identifier from cookie -> jwt or identity (and generate jwt on retrieval) + +/** + * Creates a new OtpService with an expiration of 5 minutes. 
+ */ +public OidcService(final OidcIdentityProvider identityProvider) { +this(identityProvider, 60, TimeUnit.SECONDS); +} + +/** + * Creates a new OtpService. + * + * @param duration The expiration duration + * @param units The expiration units + * @throws NullPointerException If units is null + * @throws IllegalArgumentException If duration is negative + */ +public OidcService(final OidcIdentityProvider identityProvider, final int duration, final TimeUnit units) { +this.identityProvider = identityProvider; +this.stateLookupForPendingRequests = CacheBuilder.newBuilder().expireAfterWrite(duration, units).build(); +this.jwtLookupForCompletedRequests = CacheBuilder.newBuilder().expireAfterWrite(duration, units).build(); +} + +/** + * Returns whether OpenId Connect is enabled. + * + * @return whether OpenId Connect is enabled + */ +public boolean isOidcEnabled() { +return identityProvider.isOidcEnabled(); +} + +/** + * Returns the OpenId Connect authorization endpoint. + * + * @return the authorization endpoint + */ +public URI getAuthorizationEndpoint() { +return identityProvider.getAuthorizationEndpoint(); +} + +/** + * Returns the OpenId Connect scope. + * + * @return scope + */ +public Scope getScope() { +return identityProvider.getScope(); +} + +/** + * Returns the OpenId Connect client id. + * + * @return client id + */ +public String getClientId() { +return identityProvider.getClientId().getValue(); +} + +/** + * Initiates an OpenId Connection authorization code flow using the specified request identifier to maintain state. + * + * @param oidcRequestIdentifier request identifier + * @return state + */ +public State createState(final String oidcRequestIdentifier) { +if (!isOidcEnabled()) { +throw ne
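Review bot: `createState` checks `isOidcEnabled()` and throws when it is false, but `getAuthorizationEndpoint()`, `getScope()` and `getClientId()` delegate to the provider with no such guard, and `getClientId()` dereferences the result with `.getValue()`. If the provider returns null for the client id when OpenId Connect is not configured, that call fails with a NullPointerException instead of an explicit "not configured" error. Either apply the same guard in the getters or state in their Javadoc that callers must check `isOidcEnabled()` first.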
[jira] [Commented] (NIFI-4210) Add OpenId Connect support for authenticating users
[ https://issues.apache.org/jira/browse/NIFI-4210?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16110963#comment-16110963 ] ASF GitHub Bot commented on NIFI-4210: -- Github user mcgilman commented on a diff in the pull request: https://github.com/apache/nifi/pull/2047#discussion_r130884901 --- Diff: nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/oidc/OidcService.java --- 
@@ -0,0 +1,207 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.nifi.web.security.oidc; + +import com.google.common.cache.Cache; +import com.google.common.cache.CacheBuilder; +import com.nimbusds.oauth2.sdk.AuthorizationGrant; +import com.nimbusds.oauth2.sdk.Scope; +import com.nimbusds.oauth2.sdk.id.State; +import org.apache.nifi.web.security.util.CacheKey; + +import java.io.IOException; +import java.math.BigInteger; +import java.net.URI; +import java.security.SecureRandom; +import java.util.concurrent.ExecutionException; +import java.util.concurrent.TimeUnit; + +import static org.apache.nifi.web.security.oidc.StandardOidcIdentityProvider.OPEN_ID_CONNECT_SUPPORT_IS_NOT_CONFIGURED; + +/** + * OidcService is a service for managing the OpenId Connect Authorization flow. + */ +public class OidcService { + +private OidcIdentityProvider identityProvider; +private Cache stateLookupForPendingRequests; // identifier from cookie -> state value +private Cache jwtLookupForCompletedRequests; // identifier from cookie -> jwt or identity (and generate jwt on retrieval) + +/** + * Creates a new OtpService with an expiration of 5 minutes. 
+ */ +public OidcService(final OidcIdentityProvider identityProvider) { +this(identityProvider, 60, TimeUnit.SECONDS); +} + +/** + * Creates a new OtpService. + * + * @param duration The expiration duration + * @param units The expiration units + * @throws NullPointerException If units is null + * @throws IllegalArgumentException If duration is negative + */ +public OidcService(final OidcIdentityProvider identityProvider, final int duration, final TimeUnit units) { +this.identityProvider = identityProvider; +this.stateLookupForPendingRequests = CacheBuilder.newBuilder().expireAfterWrite(duration, units).build(); +this.jwtLookupForCompletedRequests = CacheBuilder.newBuilder().expireAfterWrite(duration, units).build(); +} + +/** + * Returns whether OpenId Connect is enabled. + * + * @return whether OpenId Connect is enabled + */ +public boolean isOidcEnabled() { +return identityProvider.isOidcEnabled(); +} + +/** + * Returns the OpenId Connect authorization endpoint. + * + * @return the authorization endpoint + */ +public URI getAuthorizationEndpoint() { +return identityProvider.getAuthorizationEndpoint(); +} + +/** + * Returns the OpenId Connect scope. + * + * @return scope + */ +public Scope getScope() { +return identityProvider.getScope(); +} + +/** + * Returns the OpenId Connect client id. + * + * @return client id + */ +public String getClientId() { +return identityProvider.getClientId().getValue(); +} + +/** + * Initiates an OpenId Connection authorization code flow using the specified request identifier to maintain state. + * + * @param oidcRequestIdentifier request identifier + * @return state + */ +public State createState(final String oidcRequestIdentifier) { +if (!isOidcEnabled()) { +throw ne
[GitHub] nifi pull request #2047: NIFI-4210: Add support for OpenId Connect
Github user mcgilman commented on a diff in the pull request: https://github.com/apache/nifi/pull/2047#discussion_r130884901 --- Diff: nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/oidc/OidcService.java --- 
@@ -0,0 +1,207 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.nifi.web.security.oidc; + +import com.google.common.cache.Cache; +import com.google.common.cache.CacheBuilder; +import com.nimbusds.oauth2.sdk.AuthorizationGrant; +import com.nimbusds.oauth2.sdk.Scope; +import com.nimbusds.oauth2.sdk.id.State; +import org.apache.nifi.web.security.util.CacheKey; + +import java.io.IOException; +import java.math.BigInteger; +import java.net.URI; +import java.security.SecureRandom; +import java.util.concurrent.ExecutionException; +import java.util.concurrent.TimeUnit; + +import static org.apache.nifi.web.security.oidc.StandardOidcIdentityProvider.OPEN_ID_CONNECT_SUPPORT_IS_NOT_CONFIGURED; + +/** + * OidcService is a service for managing the OpenId Connect Authorization flow. + */ +public class OidcService { + +private OidcIdentityProvider identityProvider; +private Cache stateLookupForPendingRequests; // identifier from cookie -> state value +private Cache jwtLookupForCompletedRequests; // identifier from cookie -> jwt or identity (and generate jwt on retrieval) + +/** + * Creates a new OtpService with an expiration of 5 minutes. 
+ */ +public OidcService(final OidcIdentityProvider identityProvider) { +this(identityProvider, 60, TimeUnit.SECONDS); +} + +/** + * Creates a new OtpService. + * + * @param duration The expiration duration + * @param units The expiration units + * @throws NullPointerException If units is null + * @throws IllegalArgumentException If duration is negative + */ +public OidcService(final OidcIdentityProvider identityProvider, final int duration, final TimeUnit units) { +this.identityProvider = identityProvider; +this.stateLookupForPendingRequests = CacheBuilder.newBuilder().expireAfterWrite(duration, units).build(); +this.jwtLookupForCompletedRequests = CacheBuilder.newBuilder().expireAfterWrite(duration, units).build(); +} + +/** + * Returns whether OpenId Connect is enabled. + * + * @return whether OpenId Connect is enabled + */ +public boolean isOidcEnabled() { +return identityProvider.isOidcEnabled(); +} + +/** + * Returns the OpenId Connect authorization endpoint. + * + * @return the authorization endpoint + */ +public URI getAuthorizationEndpoint() { +return identityProvider.getAuthorizationEndpoint(); +} + +/** + * Returns the OpenId Connect scope. + * + * @return scope + */ +public Scope getScope() { +return identityProvider.getScope(); +} + +/** + * Returns the OpenId Connect client id. + * + * @return client id + */ +public String getClientId() { +return identityProvider.getClientId().getValue(); +} + +/** + * Initiates an OpenId Connection authorization code flow using the specified request identifier to maintain state. + * + * @param oidcRequestIdentifier request identifier + * @return state + */ +public State createState(final String oidcRequestIdentifier) { +if (!isOidcEnabled()) { +throw new IllegalStateException(OPEN_ID_CONNECT_SUPPORT_IS_NOT_CONFIGURED); +} + +final CacheKey oidcRequestIdentifierKey = new CacheKey(oidcRequestIdentifier); +final State state = new State(new BigInteger(130, new Se
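Review bot: the Javadoc on the one-argument constructor says "Creates a new OtpService with an expiration of 5 minutes", but the body calls `this(identityProvider, 60, TimeUnit.SECONDS)`, and the class is OidcService, not OtpService. That duration is passed to `expireAfterWrite` for both `stateLookupForPendingRequests` and `jwtLookupForCompletedRequests`, so it bounds how long a pending login's state value and a completed login's JWT stay retrievable. The comment should state the value the code actually uses, and the class name should be corrected in both constructor comments.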
[GitHub] nifi pull request #2047: NIFI-4210: Add support for OpenId Connect
Github user mcgilman commented on a diff in the pull request: https://github.com/apache/nifi/pull/2047#discussion_r130884930 --- Diff: nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/oidc/OidcService.java --- 
@@ -0,0 +1,207 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.nifi.web.security.oidc; + +import com.google.common.cache.Cache; +import com.google.common.cache.CacheBuilder; +import com.nimbusds.oauth2.sdk.AuthorizationGrant; +import com.nimbusds.oauth2.sdk.Scope; +import com.nimbusds.oauth2.sdk.id.State; +import org.apache.nifi.web.security.util.CacheKey; + +import java.io.IOException; +import java.math.BigInteger; +import java.net.URI; +import java.security.SecureRandom; +import java.util.concurrent.ExecutionException; +import java.util.concurrent.TimeUnit; + +import static org.apache.nifi.web.security.oidc.StandardOidcIdentityProvider.OPEN_ID_CONNECT_SUPPORT_IS_NOT_CONFIGURED; + +/** + * OidcService is a service for managing the OpenId Connect Authorization flow. + */ +public class OidcService { + +private OidcIdentityProvider identityProvider; +private Cache stateLookupForPendingRequests; // identifier from cookie -> state value +private Cache jwtLookupForCompletedRequests; // identifier from cookie -> jwt or identity (and generate jwt on retrieval) + +/** + * Creates a new OtpService with an expiration of 5 minutes. 
+ */ +public OidcService(final OidcIdentityProvider identityProvider) { +this(identityProvider, 60, TimeUnit.SECONDS); +} + +/** + * Creates a new OtpService. + * + * @param duration The expiration duration + * @param units The expiration units + * @throws NullPointerException If units is null + * @throws IllegalArgumentException If duration is negative + */ +public OidcService(final OidcIdentityProvider identityProvider, final int duration, final TimeUnit units) { +this.identityProvider = identityProvider; +this.stateLookupForPendingRequests = CacheBuilder.newBuilder().expireAfterWrite(duration, units).build(); +this.jwtLookupForCompletedRequests = CacheBuilder.newBuilder().expireAfterWrite(duration, units).build(); +} + +/** + * Returns whether OpenId Connect is enabled. + * + * @return whether OpenId Connect is enabled + */ +public boolean isOidcEnabled() { +return identityProvider.isOidcEnabled(); +} + +/** + * Returns the OpenId Connect authorization endpoint. + * + * @return the authorization endpoint + */ +public URI getAuthorizationEndpoint() { +return identityProvider.getAuthorizationEndpoint(); +} + +/** + * Returns the OpenId Connect scope. + * + * @return scope + */ +public Scope getScope() { +return identityProvider.getScope(); +} + +/** + * Returns the OpenId Connect client id. + * + * @return client id + */ +public String getClientId() { +return identityProvider.getClientId().getValue(); +} + +/** + * Initiates an OpenId Connection authorization code flow using the specified request identifier to maintain state. + * + * @param oidcRequestIdentifier request identifier + * @return state + */ +public State createState(final String oidcRequestIdentifier) { +if (!isOidcEnabled()) { +throw new IllegalStateException(OPEN_ID_CONNECT_SUPPORT_IS_NOT_CONFIGURED); +} + +final CacheKey oidcRequestIdentifierKey = new CacheKey(oidcRequestIdentifier); +final State state = new State(new BigInteger(130, new Se
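Review bot: the three-argument constructor documents `duration` and `units` but has no `@param` for `identityProvider`, and `this.identityProvider = identityProvider;` stores it without a null check, so a null provider only surfaces later as a NullPointerException from `isOidcEnabled()`. Suggest adding the `@param` and rejecting null at construction, for example with `Objects.requireNonNull(identityProvider)`. The `identityProvider` field and both caches are assigned only in this constructor in the visible lines and could be declared `final`.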
[GitHub] nifi-minifi-cpp issue #118: MINIFI-311 Move to alpine base for docker image.
Github user apiri commented on the issue: https://github.com/apache/nifi-minifi-cpp/pull/118 reviewing changes --- If your project is set up for it, you can reply to this email and have your reply appear on GitHub as well. If your project does not have this feature enabled and wishes so, or if the feature is enabled but not working, please contact infrastructure at infrastruct...@apache.org or file a JIRA ticket with INFRA. ---
[GitHub] nifi-minifi-cpp issue #118: MINIFI-311 Move to alpine base for docker image.
Github user apiri commented on the issue: https://github.com/apache/nifi-minifi-cpp/pull/118 hey @achristianson, everything looks good here. will get this merged in. thanks for your adjustments!
[GitHub] nifi-minifi-cpp pull request #118: MINIFI-311 Move to alpine base for docker...
Github user asfgit closed the pull request at: https://github.com/apache/nifi-minifi-cpp/pull/118
[GitHub] nifi-minifi-cpp issue #123: MINIFI-363: Set format macro declaration to avoi...
Github user benqiu2016 commented on the issue: https://github.com/apache/nifi-minifi-cpp/pull/123 @phrocker the CI build is failing.
[GitHub] nifi issue #1961: NIFI-4024 Added org.apache.nifi.hbase.PutHBaseRecord
Github user MikeThomsen commented on the issue: https://github.com/apache/nifi/pull/1961 @bbende Done.
[jira] [Commented] (NIFI-4024) Create EvaluateRecordPath processor
[ https://issues.apache.org/jira/browse/NIFI-4024?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=1669#comment-1669 ] ASF GitHub Bot commented on NIFI-4024: -- Github user MikeThomsen commented on the issue: https://github.com/apache/nifi/pull/1961 @bbende Done. > Create EvaluateRecordPath processor > --- > > Key: NIFI-4024 > URL: https://issues.apache.org/jira/browse/NIFI-4024 > Project: Apache NiFi > Issue Type: New Feature >Reporter: Steve Champagne >Priority: Minor > > With the new RecordPath DSL, it would be nice if there was a processor that > could pull fields into attributes of the flowfile based on a RecordPath. This > would be similar to the EvaluateJsonPath processor that currently exists, > except it could be used to pull fields from arbitrary record formats. My > current use case for it would be pulling fields out of Avro records while > skipping the steps of having to convert Avro to JSON, evaluate JsonPath, and > then converting back to Avro. -- This message was sent by Atlassian JIRA (v6.4.14#64029)
[GitHub] nifi pull request #2047: NIFI-4210: Add support for OpenId Connect
Github user alopresto commented on a diff in the pull request: https://github.com/apache/nifi/pull/2047#discussion_r130939060 --- Diff: nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/oidc/StandardOidcIdentityProvider.java --- 
@@ -0,0 +1,339 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.nifi.web.security.oidc; + +import com.nimbusds.jose.JOSEException; +import com.nimbusds.jose.JWSAlgorithm; +import com.nimbusds.jose.proc.BadJOSEException; +import com.nimbusds.jose.util.DefaultResourceRetriever; +import com.nimbusds.jose.util.ResourceRetriever; +import com.nimbusds.jwt.JWT; +import com.nimbusds.jwt.JWTClaimsSet; +import com.nimbusds.oauth2.sdk.AuthorizationGrant; +import com.nimbusds.oauth2.sdk.ParseException; +import com.nimbusds.oauth2.sdk.Scope; +import com.nimbusds.oauth2.sdk.TokenErrorResponse; +import com.nimbusds.oauth2.sdk.TokenRequest; +import com.nimbusds.oauth2.sdk.TokenResponse; +import com.nimbusds.oauth2.sdk.auth.ClientAuthentication; +import com.nimbusds.oauth2.sdk.auth.ClientAuthenticationMethod; +import com.nimbusds.oauth2.sdk.auth.ClientSecretBasic; +import com.nimbusds.oauth2.sdk.auth.ClientSecretPost; +import com.nimbusds.oauth2.sdk.auth.Secret; +import com.nimbusds.oauth2.sdk.http.HTTPRequest; +import com.nimbusds.oauth2.sdk.http.HTTPResponse; +import com.nimbusds.oauth2.sdk.id.ClientID; +import com.nimbusds.oauth2.sdk.token.BearerAccessToken; +import 
com.nimbusds.openid.connect.sdk.OIDCScopeValue; +import com.nimbusds.openid.connect.sdk.OIDCTokenResponse; +import com.nimbusds.openid.connect.sdk.OIDCTokenResponseParser; +import com.nimbusds.openid.connect.sdk.UserInfoErrorResponse; +import com.nimbusds.openid.connect.sdk.UserInfoRequest; +import com.nimbusds.openid.connect.sdk.UserInfoResponse; +import com.nimbusds.openid.connect.sdk.UserInfoSuccessResponse; +import com.nimbusds.openid.connect.sdk.claims.IDTokenClaimsSet; +import com.nimbusds.openid.connect.sdk.op.OIDCProviderMetadata; +import com.nimbusds.openid.connect.sdk.token.OIDCTokens; +import com.nimbusds.openid.connect.sdk.validators.IDTokenValidator; +import net.minidev.json.JSONObject; +import org.apache.commons.lang3.StringUtils; +import org.apache.nifi.util.FormatUtils; +import org.apache.nifi.util.NiFiProperties; +import org.apache.nifi.web.security.jwt.JwtService; +import org.apache.nifi.web.security.token.LoginAuthenticationToken; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; + +import java.io.IOException; +import java.net.URI; +import java.net.URL; +import java.util.Calendar; +import java.util.Date; +import java.util.List; +import java.util.concurrent.TimeUnit; + +import static com.nimbusds.openid.connect.sdk.claims.UserInfo.EMAIL_CLAIM_NAME; + +/** + * OidcProvider for managing the OpenId Connect Authorization flow. + */ +public class StandardOidcIdentityProvider implements OidcIdentityProvider { + +private static final Logger logger = LoggerFactory.getLogger(StandardOidcIdentityProvider.class); + +private NiFiProperties properties; +private JwtService jwtService; +private OIDCProviderMetadata oidcProviderMetadata; +private int oidcConnectTimeout; +private int oidcReadTimeout; +private IDTokenValidator tokenValidator; +private ClientID clientId; +private Secret clientSecret; + +/** + * Creates a new StandardOidcIdentityProvider. 
+ * + * @param jwtService jwt service + * @param properties properties + */ +public StandardOidcIdentityProvider(final JwtService jwtService, final NiFiProperties properties) { +this.properties = properties; +this.jwtService = jwtService; + +// attempt to process the oidc configuration if configured +if (properties.isOidcEnable
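Review bot: in the field declarations of StandardOidcIdentityProvider, `properties` and `jwtService` are assigned unconditionally in the constructor but are not declared `final`; marking them `final` makes the intent explicit. The remaining fields (`oidcProviderMetadata`, the two timeouts, `tokenValidator`, `clientId`, `clientSecret`) appear to be populated only under the `// attempt to process the oidc configuration if configured` branch, so if that is the case every method that uses them needs a guard for the case where OIDC is not configured, and it is worth stating that in the field or class Javadoc. The class Javadoc also names the type "OidcProvider" rather than StandardOidcIdentityProvider.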
[jira] [Commented] (NIFI-4210) Add OpenId Connect support for authenticating users
[ https://issues.apache.org/jira/browse/NIFI-4210?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16111344#comment-16111344 ] ASF GitHub Bot commented on NIFI-4210: -- Github user alopresto commented on a diff in the pull request: https://github.com/apache/nifi/pull/2047#discussion_r130939060 --- Diff: nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/oidc/StandardOidcIdentityProvider.java --- 
@@ -0,0 +1,339 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.nifi.web.security.oidc; + +import com.nimbusds.jose.JOSEException; +import com.nimbusds.jose.JWSAlgorithm; +import com.nimbusds.jose.proc.BadJOSEException; +import com.nimbusds.jose.util.DefaultResourceRetriever; +import com.nimbusds.jose.util.ResourceRetriever; +import com.nimbusds.jwt.JWT; +import com.nimbusds.jwt.JWTClaimsSet; +import com.nimbusds.oauth2.sdk.AuthorizationGrant; +import com.nimbusds.oauth2.sdk.ParseException; +import com.nimbusds.oauth2.sdk.Scope; +import com.nimbusds.oauth2.sdk.TokenErrorResponse; +import com.nimbusds.oauth2.sdk.TokenRequest; +import com.nimbusds.oauth2.sdk.TokenResponse; +import com.nimbusds.oauth2.sdk.auth.ClientAuthentication; +import com.nimbusds.oauth2.sdk.auth.ClientAuthenticationMethod; +import com.nimbusds.oauth2.sdk.auth.ClientSecretBasic; +import com.nimbusds.oauth2.sdk.auth.ClientSecretPost; +import com.nimbusds.oauth2.sdk.auth.Secret; +import com.nimbusds.oauth2.sdk.http.HTTPRequest; +import com.nimbusds.oauth2.sdk.http.HTTPResponse; +import com.nimbusds.oauth2.sdk.id.ClientID; +import com.nimbusds.oauth2.sdk.token.BearerAccessToken; +import 
com.nimbusds.openid.connect.sdk.OIDCScopeValue; +import com.nimbusds.openid.connect.sdk.OIDCTokenResponse; +import com.nimbusds.openid.connect.sdk.OIDCTokenResponseParser; +import com.nimbusds.openid.connect.sdk.UserInfoErrorResponse; +import com.nimbusds.openid.connect.sdk.UserInfoRequest; +import com.nimbusds.openid.connect.sdk.UserInfoResponse; +import com.nimbusds.openid.connect.sdk.UserInfoSuccessResponse; +import com.nimbusds.openid.connect.sdk.claims.IDTokenClaimsSet; +import com.nimbusds.openid.connect.sdk.op.OIDCProviderMetadata; +import com.nimbusds.openid.connect.sdk.token.OIDCTokens; +import com.nimbusds.openid.connect.sdk.validators.IDTokenValidator; +import net.minidev.json.JSONObject; +import org.apache.commons.lang3.StringUtils; +import org.apache.nifi.util.FormatUtils; +import org.apache.nifi.util.NiFiProperties; +import org.apache.nifi.web.security.jwt.JwtService; +import org.apache.nifi.web.security.token.LoginAuthenticationToken; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; + +import java.io.IOException; +import java.net.URI; +import java.net.URL; +import java.util.Calendar; +import java.util.Date; +import java.util.List; +import java.util.concurrent.TimeUnit; + +import static com.nimbusds.openid.connect.sdk.claims.UserInfo.EMAIL_CLAIM_NAME; + +/** + * OidcProvider for managing the OpenId Connect Authorization flow. + */ +public class StandardOidcIdentityProvider implements OidcIdentityProvider { + +private static final Logger logger = LoggerFactory.getLogger(StandardOidcIdentityProvider.class); + +private NiFiProperties properties; +private JwtService jwtService; +private OIDCProviderMetadata oidcProviderMetadata; +private int oidcConnectTimeout; +private int oidcReadTimeout; +private IDTokenValidator tokenValidator; +private ClientID clientId; +private Secret clientSecret; + +/** + * Creates a new StandardOidcIdentityProvider. 
+ * + * @param jwtService jwt service + * @param properties properties + */ +public StandardOidcIdentityProvider(final JwtService
[GitHub] nifi pull request #2047: NIFI-4210: Add support for OpenId Connect
Github user alopresto commented on a diff in the pull request: https://github.com/apache/nifi/pull/2047#discussion_r130940968 --- Diff: nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/oidc/StandardOidcIdentityProvider.java --- 
@@ -0,0 +1,339 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.nifi.web.security.oidc; + +import com.nimbusds.jose.JOSEException; +import com.nimbusds.jose.JWSAlgorithm; +import com.nimbusds.jose.proc.BadJOSEException; +import com.nimbusds.jose.util.DefaultResourceRetriever; +import com.nimbusds.jose.util.ResourceRetriever; +import com.nimbusds.jwt.JWT; +import com.nimbusds.jwt.JWTClaimsSet; +import com.nimbusds.oauth2.sdk.AuthorizationGrant; +import com.nimbusds.oauth2.sdk.ParseException; +import com.nimbusds.oauth2.sdk.Scope; +import com.nimbusds.oauth2.sdk.TokenErrorResponse; +import com.nimbusds.oauth2.sdk.TokenRequest; +import com.nimbusds.oauth2.sdk.TokenResponse; +import com.nimbusds.oauth2.sdk.auth.ClientAuthentication; +import com.nimbusds.oauth2.sdk.auth.ClientAuthenticationMethod; +import com.nimbusds.oauth2.sdk.auth.ClientSecretBasic; +import com.nimbusds.oauth2.sdk.auth.ClientSecretPost; +import com.nimbusds.oauth2.sdk.auth.Secret; +import com.nimbusds.oauth2.sdk.http.HTTPRequest; +import com.nimbusds.oauth2.sdk.http.HTTPResponse; +import com.nimbusds.oauth2.sdk.id.ClientID; +import com.nimbusds.oauth2.sdk.token.BearerAccessToken; +import 
com.nimbusds.openid.connect.sdk.OIDCScopeValue; +import com.nimbusds.openid.connect.sdk.OIDCTokenResponse; +import com.nimbusds.openid.connect.sdk.OIDCTokenResponseParser; +import com.nimbusds.openid.connect.sdk.UserInfoErrorResponse; +import com.nimbusds.openid.connect.sdk.UserInfoRequest; +import com.nimbusds.openid.connect.sdk.UserInfoResponse; +import com.nimbusds.openid.connect.sdk.UserInfoSuccessResponse; +import com.nimbusds.openid.connect.sdk.claims.IDTokenClaimsSet; +import com.nimbusds.openid.connect.sdk.op.OIDCProviderMetadata; +import com.nimbusds.openid.connect.sdk.token.OIDCTokens; +import com.nimbusds.openid.connect.sdk.validators.IDTokenValidator; +import net.minidev.json.JSONObject; +import org.apache.commons.lang3.StringUtils; +import org.apache.nifi.util.FormatUtils; +import org.apache.nifi.util.NiFiProperties; +import org.apache.nifi.web.security.jwt.JwtService; +import org.apache.nifi.web.security.token.LoginAuthenticationToken; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; + +import java.io.IOException; +import java.net.URI; +import java.net.URL; +import java.util.Calendar; +import java.util.Date; +import java.util.List; +import java.util.concurrent.TimeUnit; + +import static com.nimbusds.openid.connect.sdk.claims.UserInfo.EMAIL_CLAIM_NAME; + +/** + * OidcProvider for managing the OpenId Connect Authorization flow. + */ +public class StandardOidcIdentityProvider implements OidcIdentityProvider { + +private static final Logger logger = LoggerFactory.getLogger(StandardOidcIdentityProvider.class); + +private NiFiProperties properties; +private JwtService jwtService; +private OIDCProviderMetadata oidcProviderMetadata; +private int oidcConnectTimeout; +private int oidcReadTimeout; +private IDTokenValidator tokenValidator; +private ClientID clientId; +private Secret clientSecret; + +/** + * Creates a new StandardOidcIdentityProvider. 
+ * + * @param jwtService jwt service + * @param properties properties + */ +public StandardOidcIdentityProvider(final JwtService jwtService, final NiFiProperties properties) { +this.properties = properties; +this.jwtService = jwtService; + +// attempt to process the oidc configuration if configured +if (properties.isOidcEnable
[jira] [Commented] (NIFI-4210) Add OpenId Connect support for authenticating users
[ https://issues.apache.org/jira/browse/NIFI-4210?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16111360#comment-16111360 ] ASF GitHub Bot commented on NIFI-4210: -- Github user alopresto commented on a diff in the pull request: https://github.com/apache/nifi/pull/2047#discussion_r130940968 --- Diff: nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/oidc/StandardOidcIdentityProvider.java --- 
@@ -0,0 +1,339 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.nifi.web.security.oidc; + +import com.nimbusds.jose.JOSEException; +import com.nimbusds.jose.JWSAlgorithm; +import com.nimbusds.jose.proc.BadJOSEException; +import com.nimbusds.jose.util.DefaultResourceRetriever; +import com.nimbusds.jose.util.ResourceRetriever; +import com.nimbusds.jwt.JWT; +import com.nimbusds.jwt.JWTClaimsSet; +import com.nimbusds.oauth2.sdk.AuthorizationGrant; +import com.nimbusds.oauth2.sdk.ParseException; +import com.nimbusds.oauth2.sdk.Scope; +import com.nimbusds.oauth2.sdk.TokenErrorResponse; +import com.nimbusds.oauth2.sdk.TokenRequest; +import com.nimbusds.oauth2.sdk.TokenResponse; +import com.nimbusds.oauth2.sdk.auth.ClientAuthentication; +import com.nimbusds.oauth2.sdk.auth.ClientAuthenticationMethod; +import com.nimbusds.oauth2.sdk.auth.ClientSecretBasic; +import com.nimbusds.oauth2.sdk.auth.ClientSecretPost; +import com.nimbusds.oauth2.sdk.auth.Secret; +import com.nimbusds.oauth2.sdk.http.HTTPRequest; +import com.nimbusds.oauth2.sdk.http.HTTPResponse; +import com.nimbusds.oauth2.sdk.id.ClientID; +import com.nimbusds.oauth2.sdk.token.BearerAccessToken; +import 
com.nimbusds.openid.connect.sdk.OIDCScopeValue; +import com.nimbusds.openid.connect.sdk.OIDCTokenResponse; +import com.nimbusds.openid.connect.sdk.OIDCTokenResponseParser; +import com.nimbusds.openid.connect.sdk.UserInfoErrorResponse; +import com.nimbusds.openid.connect.sdk.UserInfoRequest; +import com.nimbusds.openid.connect.sdk.UserInfoResponse; +import com.nimbusds.openid.connect.sdk.UserInfoSuccessResponse; +import com.nimbusds.openid.connect.sdk.claims.IDTokenClaimsSet; +import com.nimbusds.openid.connect.sdk.op.OIDCProviderMetadata; +import com.nimbusds.openid.connect.sdk.token.OIDCTokens; +import com.nimbusds.openid.connect.sdk.validators.IDTokenValidator; +import net.minidev.json.JSONObject; +import org.apache.commons.lang3.StringUtils; +import org.apache.nifi.util.FormatUtils; +import org.apache.nifi.util.NiFiProperties; +import org.apache.nifi.web.security.jwt.JwtService; +import org.apache.nifi.web.security.token.LoginAuthenticationToken; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; + +import java.io.IOException; +import java.net.URI; +import java.net.URL; +import java.util.Calendar; +import java.util.Date; +import java.util.List; +import java.util.concurrent.TimeUnit; + +import static com.nimbusds.openid.connect.sdk.claims.UserInfo.EMAIL_CLAIM_NAME; + +/** + * OidcProvider for managing the OpenId Connect Authorization flow. + */ +public class StandardOidcIdentityProvider implements OidcIdentityProvider { + +private static final Logger logger = LoggerFactory.getLogger(StandardOidcIdentityProvider.class); + +private NiFiProperties properties; +private JwtService jwtService; +private OIDCProviderMetadata oidcProviderMetadata; +private int oidcConnectTimeout; +private int oidcReadTimeout; +private IDTokenValidator tokenValidator; +private ClientID clientId; +private Secret clientSecret; + +/** + * Creates a new StandardOidcIdentityProvider. 
+ * + * @param jwtService jwt service + * @param properties properties + */ +public StandardOidcIdentityProvider(final JwtService
[GitHub] nifi pull request #2047: NIFI-4210: Add support for OpenId Connect
Github user mcgilman commented on a diff in the pull request: https://github.com/apache/nifi/pull/2047#discussion_r130943341 --- Diff: nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/oidc/StandardOidcIdentityProvider.java --- 
@@ -0,0 +1,339 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.nifi.web.security.oidc; + +import com.nimbusds.jose.JOSEException; +import com.nimbusds.jose.JWSAlgorithm; +import com.nimbusds.jose.proc.BadJOSEException; +import com.nimbusds.jose.util.DefaultResourceRetriever; +import com.nimbusds.jose.util.ResourceRetriever; +import com.nimbusds.jwt.JWT; +import com.nimbusds.jwt.JWTClaimsSet; +import com.nimbusds.oauth2.sdk.AuthorizationGrant; +import com.nimbusds.oauth2.sdk.ParseException; +import com.nimbusds.oauth2.sdk.Scope; +import com.nimbusds.oauth2.sdk.TokenErrorResponse; +import com.nimbusds.oauth2.sdk.TokenRequest; +import com.nimbusds.oauth2.sdk.TokenResponse; +import com.nimbusds.oauth2.sdk.auth.ClientAuthentication; +import com.nimbusds.oauth2.sdk.auth.ClientAuthenticationMethod; +import com.nimbusds.oauth2.sdk.auth.ClientSecretBasic; +import com.nimbusds.oauth2.sdk.auth.ClientSecretPost; +import com.nimbusds.oauth2.sdk.auth.Secret; +import com.nimbusds.oauth2.sdk.http.HTTPRequest; +import com.nimbusds.oauth2.sdk.http.HTTPResponse; +import com.nimbusds.oauth2.sdk.id.ClientID; +import com.nimbusds.oauth2.sdk.token.BearerAccessToken; +import 
com.nimbusds.openid.connect.sdk.OIDCScopeValue; +import com.nimbusds.openid.connect.sdk.OIDCTokenResponse; +import com.nimbusds.openid.connect.sdk.OIDCTokenResponseParser; +import com.nimbusds.openid.connect.sdk.UserInfoErrorResponse; +import com.nimbusds.openid.connect.sdk.UserInfoRequest; +import com.nimbusds.openid.connect.sdk.UserInfoResponse; +import com.nimbusds.openid.connect.sdk.UserInfoSuccessResponse; +import com.nimbusds.openid.connect.sdk.claims.IDTokenClaimsSet; +import com.nimbusds.openid.connect.sdk.op.OIDCProviderMetadata; +import com.nimbusds.openid.connect.sdk.token.OIDCTokens; +import com.nimbusds.openid.connect.sdk.validators.IDTokenValidator; +import net.minidev.json.JSONObject; +import org.apache.commons.lang3.StringUtils; +import org.apache.nifi.util.FormatUtils; +import org.apache.nifi.util.NiFiProperties; +import org.apache.nifi.web.security.jwt.JwtService; +import org.apache.nifi.web.security.token.LoginAuthenticationToken; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; + +import java.io.IOException; +import java.net.URI; +import java.net.URL; +import java.util.Calendar; +import java.util.Date; +import java.util.List; +import java.util.concurrent.TimeUnit; + +import static com.nimbusds.openid.connect.sdk.claims.UserInfo.EMAIL_CLAIM_NAME; + +/** + * OidcProvider for managing the OpenId Connect Authorization flow. + */ +public class StandardOidcIdentityProvider implements OidcIdentityProvider { + +private static final Logger logger = LoggerFactory.getLogger(StandardOidcIdentityProvider.class); + +private NiFiProperties properties; +private JwtService jwtService; +private OIDCProviderMetadata oidcProviderMetadata; +private int oidcConnectTimeout; +private int oidcReadTimeout; +private IDTokenValidator tokenValidator; +private ClientID clientId; +private Secret clientSecret; + +/** + * Creates a new StandardOidcIdentityProvider. 
+ * + * @param jwtService jwt service + * @param properties properties + */ +public StandardOidcIdentityProvider(final JwtService jwtService, final NiFiProperties properties) { +this.properties = properties; +this.jwtService = jwtService; + +// attempt to process the oidc configuration if configured +if (properties.isOidcEnabled
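Review bot: the fields at the top of StandardOidcIdentityProvider are all declared non-final, although the constructor assigns properties and jwtService exactly once ("this.properties = properties;", "this.jwtService = jwtService;"). Mark those two injected dependencies final. If oidcProviderMetadata, tokenValidator, clientId and clientSecret are likewise only set during construction, make them final as well, or document how they are safely published if one instance of this provider serves several request threads.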
[jira] [Commented] (NIFI-4210) Add OpenId Connect support for authenticating users
[ https://issues.apache.org/jira/browse/NIFI-4210?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16111380#comment-16111380 ] ASF GitHub Bot commented on NIFI-4210: -- Github user mcgilman commented on a diff in the pull request: https://github.com/apache/nifi/pull/2047#discussion_r130943341 --- Diff: nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/oidc/StandardOidcIdentityProvider.java --- 
@@ -0,0 +1,339 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.nifi.web.security.oidc; + +import com.nimbusds.jose.JOSEException; +import com.nimbusds.jose.JWSAlgorithm; +import com.nimbusds.jose.proc.BadJOSEException; +import com.nimbusds.jose.util.DefaultResourceRetriever; +import com.nimbusds.jose.util.ResourceRetriever; +import com.nimbusds.jwt.JWT; +import com.nimbusds.jwt.JWTClaimsSet; +import com.nimbusds.oauth2.sdk.AuthorizationGrant; +import com.nimbusds.oauth2.sdk.ParseException; +import com.nimbusds.oauth2.sdk.Scope; +import com.nimbusds.oauth2.sdk.TokenErrorResponse; +import com.nimbusds.oauth2.sdk.TokenRequest; +import com.nimbusds.oauth2.sdk.TokenResponse; +import com.nimbusds.oauth2.sdk.auth.ClientAuthentication; +import com.nimbusds.oauth2.sdk.auth.ClientAuthenticationMethod; +import com.nimbusds.oauth2.sdk.auth.ClientSecretBasic; +import com.nimbusds.oauth2.sdk.auth.ClientSecretPost; +import com.nimbusds.oauth2.sdk.auth.Secret; +import com.nimbusds.oauth2.sdk.http.HTTPRequest; +import com.nimbusds.oauth2.sdk.http.HTTPResponse; +import com.nimbusds.oauth2.sdk.id.ClientID; +import com.nimbusds.oauth2.sdk.token.BearerAccessToken; +import 
com.nimbusds.openid.connect.sdk.OIDCScopeValue; +import com.nimbusds.openid.connect.sdk.OIDCTokenResponse; +import com.nimbusds.openid.connect.sdk.OIDCTokenResponseParser; +import com.nimbusds.openid.connect.sdk.UserInfoErrorResponse; +import com.nimbusds.openid.connect.sdk.UserInfoRequest; +import com.nimbusds.openid.connect.sdk.UserInfoResponse; +import com.nimbusds.openid.connect.sdk.UserInfoSuccessResponse; +import com.nimbusds.openid.connect.sdk.claims.IDTokenClaimsSet; +import com.nimbusds.openid.connect.sdk.op.OIDCProviderMetadata; +import com.nimbusds.openid.connect.sdk.token.OIDCTokens; +import com.nimbusds.openid.connect.sdk.validators.IDTokenValidator; +import net.minidev.json.JSONObject; +import org.apache.commons.lang3.StringUtils; +import org.apache.nifi.util.FormatUtils; +import org.apache.nifi.util.NiFiProperties; +import org.apache.nifi.web.security.jwt.JwtService; +import org.apache.nifi.web.security.token.LoginAuthenticationToken; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; + +import java.io.IOException; +import java.net.URI; +import java.net.URL; +import java.util.Calendar; +import java.util.Date; +import java.util.List; +import java.util.concurrent.TimeUnit; + +import static com.nimbusds.openid.connect.sdk.claims.UserInfo.EMAIL_CLAIM_NAME; + +/** + * OidcProvider for managing the OpenId Connect Authorization flow. + */ +public class StandardOidcIdentityProvider implements OidcIdentityProvider { + +private static final Logger logger = LoggerFactory.getLogger(StandardOidcIdentityProvider.class); + +private NiFiProperties properties; +private JwtService jwtService; +private OIDCProviderMetadata oidcProviderMetadata; +private int oidcConnectTimeout; +private int oidcReadTimeout; +private IDTokenValidator tokenValidator; +private ClientID clientId; +private Secret clientSecret; + +/** + * Creates a new StandardOidcIdentityProvider. 
+ * + * @param jwtService jwt service + * @param properties properties + */ +public StandardOidcIdentityProvider(final JwtService
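Review bot: the Javadoc in this hunk does not match the code it documents. The class comment calls the type an "OidcProvider" while the declaration is "StandardOidcIdentityProvider implements OidcIdentityProvider", and the constructor tags "@param jwtService jwt service" and "@param properties properties" only restate the parameter names. Suggest using the real type name in the class comment and saying in each @param what the provider expects from that argument.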
[GitHub] nifi pull request #2047: NIFI-4210: Add support for OpenId Connect
Github user alopresto commented on a diff in the pull request: https://github.com/apache/nifi/pull/2047#discussion_r130951002 --- Diff: nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/oidc/StandardOidcIdentityProvider.java --- 
@@ -0,0 +1,339 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.nifi.web.security.oidc; + +import com.nimbusds.jose.JOSEException; +import com.nimbusds.jose.JWSAlgorithm; +import com.nimbusds.jose.proc.BadJOSEException; +import com.nimbusds.jose.util.DefaultResourceRetriever; +import com.nimbusds.jose.util.ResourceRetriever; +import com.nimbusds.jwt.JWT; +import com.nimbusds.jwt.JWTClaimsSet; +import com.nimbusds.oauth2.sdk.AuthorizationGrant; +import com.nimbusds.oauth2.sdk.ParseException; +import com.nimbusds.oauth2.sdk.Scope; +import com.nimbusds.oauth2.sdk.TokenErrorResponse; +import com.nimbusds.oauth2.sdk.TokenRequest; +import com.nimbusds.oauth2.sdk.TokenResponse; +import com.nimbusds.oauth2.sdk.auth.ClientAuthentication; +import com.nimbusds.oauth2.sdk.auth.ClientAuthenticationMethod; +import com.nimbusds.oauth2.sdk.auth.ClientSecretBasic; +import com.nimbusds.oauth2.sdk.auth.ClientSecretPost; +import com.nimbusds.oauth2.sdk.auth.Secret; +import com.nimbusds.oauth2.sdk.http.HTTPRequest; +import com.nimbusds.oauth2.sdk.http.HTTPResponse; +import com.nimbusds.oauth2.sdk.id.ClientID; +import com.nimbusds.oauth2.sdk.token.BearerAccessToken; +import 
com.nimbusds.openid.connect.sdk.OIDCScopeValue; +import com.nimbusds.openid.connect.sdk.OIDCTokenResponse; +import com.nimbusds.openid.connect.sdk.OIDCTokenResponseParser; +import com.nimbusds.openid.connect.sdk.UserInfoErrorResponse; +import com.nimbusds.openid.connect.sdk.UserInfoRequest; +import com.nimbusds.openid.connect.sdk.UserInfoResponse; +import com.nimbusds.openid.connect.sdk.UserInfoSuccessResponse; +import com.nimbusds.openid.connect.sdk.claims.IDTokenClaimsSet; +import com.nimbusds.openid.connect.sdk.op.OIDCProviderMetadata; +import com.nimbusds.openid.connect.sdk.token.OIDCTokens; +import com.nimbusds.openid.connect.sdk.validators.IDTokenValidator; +import net.minidev.json.JSONObject; +import org.apache.commons.lang3.StringUtils; +import org.apache.nifi.util.FormatUtils; +import org.apache.nifi.util.NiFiProperties; +import org.apache.nifi.web.security.jwt.JwtService; +import org.apache.nifi.web.security.token.LoginAuthenticationToken; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; + +import java.io.IOException; +import java.net.URI; +import java.net.URL; +import java.util.Calendar; +import java.util.Date; +import java.util.List; +import java.util.concurrent.TimeUnit; + +import static com.nimbusds.openid.connect.sdk.claims.UserInfo.EMAIL_CLAIM_NAME; + +/** + * OidcProvider for managing the OpenId Connect Authorization flow. + */ +public class StandardOidcIdentityProvider implements OidcIdentityProvider { + +private static final Logger logger = LoggerFactory.getLogger(StandardOidcIdentityProvider.class); + +private NiFiProperties properties; +private JwtService jwtService; +private OIDCProviderMetadata oidcProviderMetadata; +private int oidcConnectTimeout; +private int oidcReadTimeout; +private IDTokenValidator tokenValidator; +private ClientID clientId; +private Secret clientSecret; + +/** + * Creates a new StandardOidcIdentityProvider. 
+ * + * @param jwtService jwt service + * @param properties properties + */ +public StandardOidcIdentityProvider(final JwtService jwtService, final NiFiProperties properties) { +this.properties = properties; +this.jwtService = jwtService; + +// attempt to process the oidc configuration if configured +if (properties.isOidcEnable
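Review bot: the constructor handles configuration as a side effect of object creation (the comment "attempt to process the oidc configuration if configured" directly above the OIDC-enabled check on properties), but its Javadoc lists only the two parameters. Please document there what happens when OIDC is enabled and the configuration cannot be processed, an exception or a provider left unconfigured, so that a misconfiguration is visible at startup instead of at the first login attempt.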
[jira] [Commented] (NIFI-4210) Add OpenId Connect support for authenticating users
[ https://issues.apache.org/jira/browse/NIFI-4210?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16111433#comment-16111433 ] ASF GitHub Bot commented on NIFI-4210: -- Github user alopresto commented on a diff in the pull request: https://github.com/apache/nifi/pull/2047#discussion_r130951002 --- Diff: nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/oidc/StandardOidcIdentityProvider.java --- 
@@ -0,0 +1,339 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.nifi.web.security.oidc; + +import com.nimbusds.jose.JOSEException; +import com.nimbusds.jose.JWSAlgorithm; +import com.nimbusds.jose.proc.BadJOSEException; +import com.nimbusds.jose.util.DefaultResourceRetriever; +import com.nimbusds.jose.util.ResourceRetriever; +import com.nimbusds.jwt.JWT; +import com.nimbusds.jwt.JWTClaimsSet; +import com.nimbusds.oauth2.sdk.AuthorizationGrant; +import com.nimbusds.oauth2.sdk.ParseException; +import com.nimbusds.oauth2.sdk.Scope; +import com.nimbusds.oauth2.sdk.TokenErrorResponse; +import com.nimbusds.oauth2.sdk.TokenRequest; +import com.nimbusds.oauth2.sdk.TokenResponse; +import com.nimbusds.oauth2.sdk.auth.ClientAuthentication; +import com.nimbusds.oauth2.sdk.auth.ClientAuthenticationMethod; +import com.nimbusds.oauth2.sdk.auth.ClientSecretBasic; +import com.nimbusds.oauth2.sdk.auth.ClientSecretPost; +import com.nimbusds.oauth2.sdk.auth.Secret; +import com.nimbusds.oauth2.sdk.http.HTTPRequest; +import com.nimbusds.oauth2.sdk.http.HTTPResponse; +import com.nimbusds.oauth2.sdk.id.ClientID; +import com.nimbusds.oauth2.sdk.token.BearerAccessToken; +import 
com.nimbusds.openid.connect.sdk.OIDCScopeValue; +import com.nimbusds.openid.connect.sdk.OIDCTokenResponse; +import com.nimbusds.openid.connect.sdk.OIDCTokenResponseParser; +import com.nimbusds.openid.connect.sdk.UserInfoErrorResponse; +import com.nimbusds.openid.connect.sdk.UserInfoRequest; +import com.nimbusds.openid.connect.sdk.UserInfoResponse; +import com.nimbusds.openid.connect.sdk.UserInfoSuccessResponse; +import com.nimbusds.openid.connect.sdk.claims.IDTokenClaimsSet; +import com.nimbusds.openid.connect.sdk.op.OIDCProviderMetadata; +import com.nimbusds.openid.connect.sdk.token.OIDCTokens; +import com.nimbusds.openid.connect.sdk.validators.IDTokenValidator; +import net.minidev.json.JSONObject; +import org.apache.commons.lang3.StringUtils; +import org.apache.nifi.util.FormatUtils; +import org.apache.nifi.util.NiFiProperties; +import org.apache.nifi.web.security.jwt.JwtService; +import org.apache.nifi.web.security.token.LoginAuthenticationToken; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; + +import java.io.IOException; +import java.net.URI; +import java.net.URL; +import java.util.Calendar; +import java.util.Date; +import java.util.List; +import java.util.concurrent.TimeUnit; + +import static com.nimbusds.openid.connect.sdk.claims.UserInfo.EMAIL_CLAIM_NAME; + +/** + * OidcProvider for managing the OpenId Connect Authorization flow. + */ +public class StandardOidcIdentityProvider implements OidcIdentityProvider { + +private static final Logger logger = LoggerFactory.getLogger(StandardOidcIdentityProvider.class); + +private NiFiProperties properties; +private JwtService jwtService; +private OIDCProviderMetadata oidcProviderMetadata; +private int oidcConnectTimeout; +private int oidcReadTimeout; +private IDTokenValidator tokenValidator; +private ClientID clientId; +private Secret clientSecret; + +/** + * Creates a new StandardOidcIdentityProvider. 
+ * + * @param jwtService jwt service + * @param properties properties + */ +public StandardOidcIdentityProvider(final JwtService
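Review bot: oidcConnectTimeout and oidcReadTimeout are declared as bare int fields with no unit in the name and no comment. With both TimeUnit and FormatUtils imported in this file, a reader cannot tell from the declarations whether the values are milliseconds or seconds. Add the unit to the field names or a one-line comment on each, and say what a value of 0 is taken to mean.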
[GitHub] nifi pull request #2047: NIFI-4210: Add support for OpenId Connect
Github user alopresto commented on a diff in the pull request: https://github.com/apache/nifi/pull/2047#discussion_r130951566 --- Diff: nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/oidc/StandardOidcIdentityProvider.java --- 
@@ -0,0 +1,339 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.nifi.web.security.oidc; + +import com.nimbusds.jose.JOSEException; +import com.nimbusds.jose.JWSAlgorithm; +import com.nimbusds.jose.proc.BadJOSEException; +import com.nimbusds.jose.util.DefaultResourceRetriever; +import com.nimbusds.jose.util.ResourceRetriever; +import com.nimbusds.jwt.JWT; +import com.nimbusds.jwt.JWTClaimsSet; +import com.nimbusds.oauth2.sdk.AuthorizationGrant; +import com.nimbusds.oauth2.sdk.ParseException; +import com.nimbusds.oauth2.sdk.Scope; +import com.nimbusds.oauth2.sdk.TokenErrorResponse; +import com.nimbusds.oauth2.sdk.TokenRequest; +import com.nimbusds.oauth2.sdk.TokenResponse; +import com.nimbusds.oauth2.sdk.auth.ClientAuthentication; +import com.nimbusds.oauth2.sdk.auth.ClientAuthenticationMethod; +import com.nimbusds.oauth2.sdk.auth.ClientSecretBasic; +import com.nimbusds.oauth2.sdk.auth.ClientSecretPost; +import com.nimbusds.oauth2.sdk.auth.Secret; +import com.nimbusds.oauth2.sdk.http.HTTPRequest; +import com.nimbusds.oauth2.sdk.http.HTTPResponse; +import com.nimbusds.oauth2.sdk.id.ClientID; +import com.nimbusds.oauth2.sdk.token.BearerAccessToken; +import 
com.nimbusds.openid.connect.sdk.OIDCScopeValue; +import com.nimbusds.openid.connect.sdk.OIDCTokenResponse; +import com.nimbusds.openid.connect.sdk.OIDCTokenResponseParser; +import com.nimbusds.openid.connect.sdk.UserInfoErrorResponse; +import com.nimbusds.openid.connect.sdk.UserInfoRequest; +import com.nimbusds.openid.connect.sdk.UserInfoResponse; +import com.nimbusds.openid.connect.sdk.UserInfoSuccessResponse; +import com.nimbusds.openid.connect.sdk.claims.IDTokenClaimsSet; +import com.nimbusds.openid.connect.sdk.op.OIDCProviderMetadata; +import com.nimbusds.openid.connect.sdk.token.OIDCTokens; +import com.nimbusds.openid.connect.sdk.validators.IDTokenValidator; +import net.minidev.json.JSONObject; +import org.apache.commons.lang3.StringUtils; +import org.apache.nifi.util.FormatUtils; +import org.apache.nifi.util.NiFiProperties; +import org.apache.nifi.web.security.jwt.JwtService; +import org.apache.nifi.web.security.token.LoginAuthenticationToken; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; + +import java.io.IOException; +import java.net.URI; +import java.net.URL; +import java.util.Calendar; +import java.util.Date; +import java.util.List; +import java.util.concurrent.TimeUnit; + +import static com.nimbusds.openid.connect.sdk.claims.UserInfo.EMAIL_CLAIM_NAME; + +/** + * OidcProvider for managing the OpenId Connect Authorization flow. + */ +public class StandardOidcIdentityProvider implements OidcIdentityProvider { + +private static final Logger logger = LoggerFactory.getLogger(StandardOidcIdentityProvider.class); + +private NiFiProperties properties; +private JwtService jwtService; +private OIDCProviderMetadata oidcProviderMetadata; +private int oidcConnectTimeout; +private int oidcReadTimeout; +private IDTokenValidator tokenValidator; +private ClientID clientId; +private Secret clientSecret; + +/** + * Creates a new StandardOidcIdentityProvider. 
+ * + * @param jwtService jwt service + * @param properties properties + */ +public StandardOidcIdentityProvider(final JwtService jwtService, final NiFiProperties properties) { +this.properties = properties; +this.jwtService = jwtService; + +// attempt to process the oidc configuration if configured +if (properties.isOidcEnable
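Review bot: clientSecret is kept as an instance field ("private Secret clientSecret;") in a class that also declares a logger. Please confirm that no log statement in the rest of this file prints the Secret, the token request or the raw token response, and add a short comment on the field stating that it must never be logged or included in an exception message.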
[jira] [Commented] (NIFI-4210) Add OpenId Connect support for authenticating users
[ https://issues.apache.org/jira/browse/NIFI-4210?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16111436#comment-16111436 ] ASF GitHub Bot commented on NIFI-4210: -- Github user alopresto commented on a diff in the pull request: https://github.com/apache/nifi/pull/2047#discussion_r130951566 --- Diff: nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/oidc/StandardOidcIdentityProvider.java --- 
@@ -0,0 +1,339 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.nifi.web.security.oidc; + +import com.nimbusds.jose.JOSEException; +import com.nimbusds.jose.JWSAlgorithm; +import com.nimbusds.jose.proc.BadJOSEException; +import com.nimbusds.jose.util.DefaultResourceRetriever; +import com.nimbusds.jose.util.ResourceRetriever; +import com.nimbusds.jwt.JWT; +import com.nimbusds.jwt.JWTClaimsSet; +import com.nimbusds.oauth2.sdk.AuthorizationGrant; +import com.nimbusds.oauth2.sdk.ParseException; +import com.nimbusds.oauth2.sdk.Scope; +import com.nimbusds.oauth2.sdk.TokenErrorResponse; +import com.nimbusds.oauth2.sdk.TokenRequest; +import com.nimbusds.oauth2.sdk.TokenResponse; +import com.nimbusds.oauth2.sdk.auth.ClientAuthentication; +import com.nimbusds.oauth2.sdk.auth.ClientAuthenticationMethod; +import com.nimbusds.oauth2.sdk.auth.ClientSecretBasic; +import com.nimbusds.oauth2.sdk.auth.ClientSecretPost; +import com.nimbusds.oauth2.sdk.auth.Secret; +import com.nimbusds.oauth2.sdk.http.HTTPRequest; +import com.nimbusds.oauth2.sdk.http.HTTPResponse; +import com.nimbusds.oauth2.sdk.id.ClientID; +import com.nimbusds.oauth2.sdk.token.BearerAccessToken; +import 
com.nimbusds.openid.connect.sdk.OIDCScopeValue; +import com.nimbusds.openid.connect.sdk.OIDCTokenResponse; +import com.nimbusds.openid.connect.sdk.OIDCTokenResponseParser; +import com.nimbusds.openid.connect.sdk.UserInfoErrorResponse; +import com.nimbusds.openid.connect.sdk.UserInfoRequest; +import com.nimbusds.openid.connect.sdk.UserInfoResponse; +import com.nimbusds.openid.connect.sdk.UserInfoSuccessResponse; +import com.nimbusds.openid.connect.sdk.claims.IDTokenClaimsSet; +import com.nimbusds.openid.connect.sdk.op.OIDCProviderMetadata; +import com.nimbusds.openid.connect.sdk.token.OIDCTokens; +import com.nimbusds.openid.connect.sdk.validators.IDTokenValidator; +import net.minidev.json.JSONObject; +import org.apache.commons.lang3.StringUtils; +import org.apache.nifi.util.FormatUtils; +import org.apache.nifi.util.NiFiProperties; +import org.apache.nifi.web.security.jwt.JwtService; +import org.apache.nifi.web.security.token.LoginAuthenticationToken; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; + +import java.io.IOException; +import java.net.URI; +import java.net.URL; +import java.util.Calendar; +import java.util.Date; +import java.util.List; +import java.util.concurrent.TimeUnit; + +import static com.nimbusds.openid.connect.sdk.claims.UserInfo.EMAIL_CLAIM_NAME; + +/** + * OidcProvider for managing the OpenId Connect Authorization flow. + */ +public class StandardOidcIdentityProvider implements OidcIdentityProvider { + +private static final Logger logger = LoggerFactory.getLogger(StandardOidcIdentityProvider.class); + +private NiFiProperties properties; +private JwtService jwtService; +private OIDCProviderMetadata oidcProviderMetadata; +private int oidcConnectTimeout; +private int oidcReadTimeout; +private IDTokenValidator tokenValidator; +private ClientID clientId; +private Secret clientSecret; + +/** + * Creates a new StandardOidcIdentityProvider. 
+ * + * @param jwtService jwt service + * @param properties properties + */ +public StandardOidcIdentityProvider(final JwtService
[GitHub] nifi pull request #2047: NIFI-4210: Add support for OpenId Connect
Github user alopresto commented on a diff in the pull request: https://github.com/apache/nifi/pull/2047#discussion_r130954077 --- Diff: pom.xml --- @@ -95,7 +95,7 @@ 9.4.3.v20170317 4.10.4 4.2.4.RELEASE -4.0.3.RELEASE +4.2.3.RELEASE --- End diff -- Any big changes in going from 4.0 to 4.2?
[jira] [Commented] (NIFI-4210) Add OpenId Connect support for authenticating users
[ https://issues.apache.org/jira/browse/NIFI-4210?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16111453#comment-16111453 ] ASF GitHub Bot commented on NIFI-4210: -- Github user alopresto commented on a diff in the pull request: https://github.com/apache/nifi/pull/2047#discussion_r130954077 --- Diff: pom.xml --- @@ -95,7 +95,7 @@ 9.4.3.v20170317 4.10.4 4.2.4.RELEASE -4.0.3.RELEASE +4.2.3.RELEASE --- End diff -- Any big changes in going from 4.0 to 4.2? > Add OpenId Connect support for authenticating users > --- > > Key: NIFI-4210 > URL: https://issues.apache.org/jira/browse/NIFI-4210 > Project: Apache NiFi > Issue Type: Improvement > Components: Core Framework, Core UI >Reporter: Matt Gilman >Assignee: Matt Gilman > > Add support for authenticating users with the OpenId Connection > specification. Evaluate whether a new extension point is necessary to allow > for a given provider to supply custom code for instance to implement custom > token validation.
[GitHub] nifi pull request #2047: NIFI-4210: Add support for OpenId Connect
Github user mcgilman commented on a diff in the pull request: https://github.com/apache/nifi/pull/2047#discussion_r130961276 --- Diff: nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/oidc/StandardOidcIdentityProvider.java --- 
@@ -0,0 +1,339 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.nifi.web.security.oidc; + +import com.nimbusds.jose.JOSEException; +import com.nimbusds.jose.JWSAlgorithm; +import com.nimbusds.jose.proc.BadJOSEException; +import com.nimbusds.jose.util.DefaultResourceRetriever; +import com.nimbusds.jose.util.ResourceRetriever; +import com.nimbusds.jwt.JWT; +import com.nimbusds.jwt.JWTClaimsSet; +import com.nimbusds.oauth2.sdk.AuthorizationGrant; +import com.nimbusds.oauth2.sdk.ParseException; +import com.nimbusds.oauth2.sdk.Scope; +import com.nimbusds.oauth2.sdk.TokenErrorResponse; +import com.nimbusds.oauth2.sdk.TokenRequest; +import com.nimbusds.oauth2.sdk.TokenResponse; +import com.nimbusds.oauth2.sdk.auth.ClientAuthentication; +import com.nimbusds.oauth2.sdk.auth.ClientAuthenticationMethod; +import com.nimbusds.oauth2.sdk.auth.ClientSecretBasic; +import com.nimbusds.oauth2.sdk.auth.ClientSecretPost; +import com.nimbusds.oauth2.sdk.auth.Secret; +import com.nimbusds.oauth2.sdk.http.HTTPRequest; +import com.nimbusds.oauth2.sdk.http.HTTPResponse; +import com.nimbusds.oauth2.sdk.id.ClientID; +import com.nimbusds.oauth2.sdk.token.BearerAccessToken; +import 
com.nimbusds.openid.connect.sdk.OIDCScopeValue; +import com.nimbusds.openid.connect.sdk.OIDCTokenResponse; +import com.nimbusds.openid.connect.sdk.OIDCTokenResponseParser; +import com.nimbusds.openid.connect.sdk.UserInfoErrorResponse; +import com.nimbusds.openid.connect.sdk.UserInfoRequest; +import com.nimbusds.openid.connect.sdk.UserInfoResponse; +import com.nimbusds.openid.connect.sdk.UserInfoSuccessResponse; +import com.nimbusds.openid.connect.sdk.claims.IDTokenClaimsSet; +import com.nimbusds.openid.connect.sdk.op.OIDCProviderMetadata; +import com.nimbusds.openid.connect.sdk.token.OIDCTokens; +import com.nimbusds.openid.connect.sdk.validators.IDTokenValidator; +import net.minidev.json.JSONObject; +import org.apache.commons.lang3.StringUtils; +import org.apache.nifi.util.FormatUtils; +import org.apache.nifi.util.NiFiProperties; +import org.apache.nifi.web.security.jwt.JwtService; +import org.apache.nifi.web.security.token.LoginAuthenticationToken; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; + +import java.io.IOException; +import java.net.URI; +import java.net.URL; +import java.util.Calendar; +import java.util.Date; +import java.util.List; +import java.util.concurrent.TimeUnit; + +import static com.nimbusds.openid.connect.sdk.claims.UserInfo.EMAIL_CLAIM_NAME; + +/** + * OidcProvider for managing the OpenId Connect Authorization flow. + */ +public class StandardOidcIdentityProvider implements OidcIdentityProvider { + +private static final Logger logger = LoggerFactory.getLogger(StandardOidcIdentityProvider.class); + +private NiFiProperties properties; +private JwtService jwtService; +private OIDCProviderMetadata oidcProviderMetadata; +private int oidcConnectTimeout; +private int oidcReadTimeout; +private IDTokenValidator tokenValidator; +private ClientID clientId; +private Secret clientSecret; + +/** + * Creates a new StandardOidcIdentityProvider. 
+ * + * @param jwtService jwt service + * @param properties properties + */ +public StandardOidcIdentityProvider(final JwtService jwtService, final NiFiProperties properties) { +this.properties = properties; +this.jwtService = jwtService; + +// attempt to process the oidc configuration if configured +if (properties.isOidcEnabled
[jira] [Commented] (NIFI-4210) Add OpenId Connect support for authenticating users
[ https://issues.apache.org/jira/browse/NIFI-4210?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16111503#comment-16111503 ] ASF GitHub Bot commented on NIFI-4210: -- Github user mcgilman commented on a diff in the pull request: https://github.com/apache/nifi/pull/2047#discussion_r130961276 --- Diff: nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/oidc/StandardOidcIdentityProvider.java --- 
@@ -0,0 +1,339 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.nifi.web.security.oidc; + +import com.nimbusds.jose.JOSEException; +import com.nimbusds.jose.JWSAlgorithm; +import com.nimbusds.jose.proc.BadJOSEException; +import com.nimbusds.jose.util.DefaultResourceRetriever; +import com.nimbusds.jose.util.ResourceRetriever; +import com.nimbusds.jwt.JWT; +import com.nimbusds.jwt.JWTClaimsSet; +import com.nimbusds.oauth2.sdk.AuthorizationGrant; +import com.nimbusds.oauth2.sdk.ParseException; +import com.nimbusds.oauth2.sdk.Scope; +import com.nimbusds.oauth2.sdk.TokenErrorResponse; +import com.nimbusds.oauth2.sdk.TokenRequest; +import com.nimbusds.oauth2.sdk.TokenResponse; +import com.nimbusds.oauth2.sdk.auth.ClientAuthentication; +import com.nimbusds.oauth2.sdk.auth.ClientAuthenticationMethod; +import com.nimbusds.oauth2.sdk.auth.ClientSecretBasic; +import com.nimbusds.oauth2.sdk.auth.ClientSecretPost; +import com.nimbusds.oauth2.sdk.auth.Secret; +import com.nimbusds.oauth2.sdk.http.HTTPRequest; +import com.nimbusds.oauth2.sdk.http.HTTPResponse; +import com.nimbusds.oauth2.sdk.id.ClientID; +import com.nimbusds.oauth2.sdk.token.BearerAccessToken; +import 
com.nimbusds.openid.connect.sdk.OIDCScopeValue; +import com.nimbusds.openid.connect.sdk.OIDCTokenResponse; +import com.nimbusds.openid.connect.sdk.OIDCTokenResponseParser; +import com.nimbusds.openid.connect.sdk.UserInfoErrorResponse; +import com.nimbusds.openid.connect.sdk.UserInfoRequest; +import com.nimbusds.openid.connect.sdk.UserInfoResponse; +import com.nimbusds.openid.connect.sdk.UserInfoSuccessResponse; +import com.nimbusds.openid.connect.sdk.claims.IDTokenClaimsSet; +import com.nimbusds.openid.connect.sdk.op.OIDCProviderMetadata; +import com.nimbusds.openid.connect.sdk.token.OIDCTokens; +import com.nimbusds.openid.connect.sdk.validators.IDTokenValidator; +import net.minidev.json.JSONObject; +import org.apache.commons.lang3.StringUtils; +import org.apache.nifi.util.FormatUtils; +import org.apache.nifi.util.NiFiProperties; +import org.apache.nifi.web.security.jwt.JwtService; +import org.apache.nifi.web.security.token.LoginAuthenticationToken; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; + +import java.io.IOException; +import java.net.URI; +import java.net.URL; +import java.util.Calendar; +import java.util.Date; +import java.util.List; +import java.util.concurrent.TimeUnit; + +import static com.nimbusds.openid.connect.sdk.claims.UserInfo.EMAIL_CLAIM_NAME; + +/** + * OidcProvider for managing the OpenId Connect Authorization flow. + */ +public class StandardOidcIdentityProvider implements OidcIdentityProvider { + +private static final Logger logger = LoggerFactory.getLogger(StandardOidcIdentityProvider.class); + +private NiFiProperties properties; +private JwtService jwtService; +private OIDCProviderMetadata oidcProviderMetadata; +private int oidcConnectTimeout; +private int oidcReadTimeout; +private IDTokenValidator tokenValidator; +private ClientID clientId; +private Secret clientSecret; + +/** + * Creates a new StandardOidcIdentityProvider. 
+ * + * @param jwtService jwt service + * @param properties properties + */ +public StandardOidcIdentityProvider(final JwtService
[jira] [Commented] (NIFI-4210) Add OpenId Connect support for authenticating users
[ https://issues.apache.org/jira/browse/NIFI-4210?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16111510#comment-16111510 ] ASF GitHub Bot commented on NIFI-4210: -- Github user mcgilman commented on a diff in the pull request: https://github.com/apache/nifi/pull/2047#discussion_r130962379 --- Diff: nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/oidc/StandardOidcIdentityProvider.java --- 
@@ -0,0 +1,339 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.nifi.web.security.oidc; + +import com.nimbusds.jose.JOSEException; +import com.nimbusds.jose.JWSAlgorithm; +import com.nimbusds.jose.proc.BadJOSEException; +import com.nimbusds.jose.util.DefaultResourceRetriever; +import com.nimbusds.jose.util.ResourceRetriever; +import com.nimbusds.jwt.JWT; +import com.nimbusds.jwt.JWTClaimsSet; +import com.nimbusds.oauth2.sdk.AuthorizationGrant; +import com.nimbusds.oauth2.sdk.ParseException; +import com.nimbusds.oauth2.sdk.Scope; +import com.nimbusds.oauth2.sdk.TokenErrorResponse; +import com.nimbusds.oauth2.sdk.TokenRequest; +import com.nimbusds.oauth2.sdk.TokenResponse; +import com.nimbusds.oauth2.sdk.auth.ClientAuthentication; +import com.nimbusds.oauth2.sdk.auth.ClientAuthenticationMethod; +import com.nimbusds.oauth2.sdk.auth.ClientSecretBasic; +import com.nimbusds.oauth2.sdk.auth.ClientSecretPost; +import com.nimbusds.oauth2.sdk.auth.Secret; +import com.nimbusds.oauth2.sdk.http.HTTPRequest; +import com.nimbusds.oauth2.sdk.http.HTTPResponse; +import com.nimbusds.oauth2.sdk.id.ClientID; +import com.nimbusds.oauth2.sdk.token.BearerAccessToken; +import 
com.nimbusds.openid.connect.sdk.OIDCScopeValue; +import com.nimbusds.openid.connect.sdk.OIDCTokenResponse; +import com.nimbusds.openid.connect.sdk.OIDCTokenResponseParser; +import com.nimbusds.openid.connect.sdk.UserInfoErrorResponse; +import com.nimbusds.openid.connect.sdk.UserInfoRequest; +import com.nimbusds.openid.connect.sdk.UserInfoResponse; +import com.nimbusds.openid.connect.sdk.UserInfoSuccessResponse; +import com.nimbusds.openid.connect.sdk.claims.IDTokenClaimsSet; +import com.nimbusds.openid.connect.sdk.op.OIDCProviderMetadata; +import com.nimbusds.openid.connect.sdk.token.OIDCTokens; +import com.nimbusds.openid.connect.sdk.validators.IDTokenValidator; +import net.minidev.json.JSONObject; +import org.apache.commons.lang3.StringUtils; +import org.apache.nifi.util.FormatUtils; +import org.apache.nifi.util.NiFiProperties; +import org.apache.nifi.web.security.jwt.JwtService; +import org.apache.nifi.web.security.token.LoginAuthenticationToken; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; + +import java.io.IOException; +import java.net.URI; +import java.net.URL; +import java.util.Calendar; +import java.util.Date; +import java.util.List; +import java.util.concurrent.TimeUnit; + +import static com.nimbusds.openid.connect.sdk.claims.UserInfo.EMAIL_CLAIM_NAME; + +/** + * OidcProvider for managing the OpenId Connect Authorization flow. + */ +public class StandardOidcIdentityProvider implements OidcIdentityProvider { + +private static final Logger logger = LoggerFactory.getLogger(StandardOidcIdentityProvider.class); + +private NiFiProperties properties; +private JwtService jwtService; +private OIDCProviderMetadata oidcProviderMetadata; +private int oidcConnectTimeout; +private int oidcReadTimeout; +private IDTokenValidator tokenValidator; +private ClientID clientId; +private Secret clientSecret; + +/** + * Creates a new StandardOidcIdentityProvider. 
+ * + * @param jwtService jwt service + * @param properties properties + */ +public StandardOidcIdentityProvider(final JwtService
[GitHub] nifi pull request #2047: NIFI-4210: Add support for OpenId Connect
Github user mcgilman commented on a diff in the pull request: https://github.com/apache/nifi/pull/2047#discussion_r130962379 --- Diff: nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/oidc/StandardOidcIdentityProvider.java --- 
@@ -0,0 +1,339 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.nifi.web.security.oidc; + +import com.nimbusds.jose.JOSEException; +import com.nimbusds.jose.JWSAlgorithm; +import com.nimbusds.jose.proc.BadJOSEException; +import com.nimbusds.jose.util.DefaultResourceRetriever; +import com.nimbusds.jose.util.ResourceRetriever; +import com.nimbusds.jwt.JWT; +import com.nimbusds.jwt.JWTClaimsSet; +import com.nimbusds.oauth2.sdk.AuthorizationGrant; +import com.nimbusds.oauth2.sdk.ParseException; +import com.nimbusds.oauth2.sdk.Scope; +import com.nimbusds.oauth2.sdk.TokenErrorResponse; +import com.nimbusds.oauth2.sdk.TokenRequest; +import com.nimbusds.oauth2.sdk.TokenResponse; +import com.nimbusds.oauth2.sdk.auth.ClientAuthentication; +import com.nimbusds.oauth2.sdk.auth.ClientAuthenticationMethod; +import com.nimbusds.oauth2.sdk.auth.ClientSecretBasic; +import com.nimbusds.oauth2.sdk.auth.ClientSecretPost; +import com.nimbusds.oauth2.sdk.auth.Secret; +import com.nimbusds.oauth2.sdk.http.HTTPRequest; +import com.nimbusds.oauth2.sdk.http.HTTPResponse; +import com.nimbusds.oauth2.sdk.id.ClientID; +import com.nimbusds.oauth2.sdk.token.BearerAccessToken; +import 
com.nimbusds.openid.connect.sdk.OIDCScopeValue; +import com.nimbusds.openid.connect.sdk.OIDCTokenResponse; +import com.nimbusds.openid.connect.sdk.OIDCTokenResponseParser; +import com.nimbusds.openid.connect.sdk.UserInfoErrorResponse; +import com.nimbusds.openid.connect.sdk.UserInfoRequest; +import com.nimbusds.openid.connect.sdk.UserInfoResponse; +import com.nimbusds.openid.connect.sdk.UserInfoSuccessResponse; +import com.nimbusds.openid.connect.sdk.claims.IDTokenClaimsSet; +import com.nimbusds.openid.connect.sdk.op.OIDCProviderMetadata; +import com.nimbusds.openid.connect.sdk.token.OIDCTokens; +import com.nimbusds.openid.connect.sdk.validators.IDTokenValidator; +import net.minidev.json.JSONObject; +import org.apache.commons.lang3.StringUtils; +import org.apache.nifi.util.FormatUtils; +import org.apache.nifi.util.NiFiProperties; +import org.apache.nifi.web.security.jwt.JwtService; +import org.apache.nifi.web.security.token.LoginAuthenticationToken; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; + +import java.io.IOException; +import java.net.URI; +import java.net.URL; +import java.util.Calendar; +import java.util.Date; +import java.util.List; +import java.util.concurrent.TimeUnit; + +import static com.nimbusds.openid.connect.sdk.claims.UserInfo.EMAIL_CLAIM_NAME; + +/** + * OidcProvider for managing the OpenId Connect Authorization flow. + */ +public class StandardOidcIdentityProvider implements OidcIdentityProvider { + +private static final Logger logger = LoggerFactory.getLogger(StandardOidcIdentityProvider.class); + +private NiFiProperties properties; +private JwtService jwtService; +private OIDCProviderMetadata oidcProviderMetadata; +private int oidcConnectTimeout; +private int oidcReadTimeout; +private IDTokenValidator tokenValidator; +private ClientID clientId; +private Secret clientSecret; + +/** + * Creates a new StandardOidcIdentityProvider. 
+ * + * @param jwtService jwt service + * @param properties properties + */ +public StandardOidcIdentityProvider(final JwtService jwtService, final NiFiProperties properties) { +this.properties = properties; +this.jwtService = jwtService; + +// attempt to process the oidc configuration if configured +if (properties.isOidcEnabled
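Review bot: In the field block of StandardOidcIdentityProvider, `properties` and `jwtService` are set in the constructor (`this.properties = properties; this.jwtService = jwtService;`) and, unless they are reassigned further down in the part of the hunk that is cut off here, both can be declared `private final`. `oidcConnectTimeout` and `oidcReadTimeout` are bare `int` fields with no unit stated; a short comment or a unit suffix in the name would prevent a seconds/milliseconds mix-up where they are used. The class Javadoc also says "OidcProvider" while the type is `StandardOidcIdentityProvider` implementing `OidcIdentityProvider`; the comment should use the same name.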
[GitHub] nifi pull request #2047: NIFI-4210: Add support for OpenId Connect
Github user mcgilman commented on a diff in the pull request:
https://github.com/apache/nifi/pull/2047#discussion_r130962746
--- Diff: pom.xml ---
@@ -95,7 +95,7 @@ 9.4.3.v20170317 4.10.4 4.2.4.RELEASE -4.0.3.RELEASE +4.2.3.RELEASE
--- End diff --
I'm not aware of the changes. Just realized we hadn't upgraded in awhile. I'm happy to back this out and create another JIRA to investigate further.
--- If your project is set up for it, you can reply to this email and have your reply appear on GitHub as well. If your project does not have this feature enabled and wishes so, or if the feature is enabled but not working, please contact infrastructure at infrastruct...@apache.org or file a JIRA ticket with INFRA. ---
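Review bot: The changed line in pom.xml moves a dependency version from 4.0.3.RELEASE to 4.2.3.RELEASE inside a pull request whose subject is OpenId Connect support, and nothing visible in the hunk says why the feature needs it. A jump across two minor versions of a shared dependency is better carried in its own commit and JIRA, with the upstream release notes checked for behaviour changes, so that it can be reviewed and reverted independently of the OIDC work.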
[jira] [Commented] (NIFI-4210) Add OpenId Connect support for authenticating users
[ https://issues.apache.org/jira/browse/NIFI-4210?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16111512#comment-16111512 ]
ASF GitHub Bot commented on NIFI-4210:
Github user mcgilman commented on a diff in the pull request:
https://github.com/apache/nifi/pull/2047#discussion_r130962746
--- Diff: pom.xml ---
@@ -95,7 +95,7 @@ 9.4.3.v20170317 4.10.4 4.2.4.RELEASE -4.0.3.RELEASE +4.2.3.RELEASE
--- End diff --
I'm not aware of the changes. Just realized we hadn't upgraded in awhile. I'm happy to back this out and create another JIRA to investigate further.
> Add OpenId Connect support for authenticating users
> Key: NIFI-4210
> URL: https://issues.apache.org/jira/browse/NIFI-4210
> Project: Apache NiFi
> Issue Type: Improvement
> Components: Core Framework, Core UI
> Reporter: Matt Gilman
> Assignee: Matt Gilman
>
> Add support for authenticating users with the OpenId Connection specification. Evaluate whether a new extension point is necessary to allow for a given provider to supply custom code for instance to implement custom token validation.
[GitHub] nifi-registry pull request #3: NIFIREG-6 Adding nifi-registry-bootstrap modu...
GitHub user bbende opened a pull request:
https://github.com/apache/nifi-registry/pull/3
NIFIREG-6 Adding nifi-registry-bootstrap module
- Enables registry to have the same setup as NiFi where a bootstrap process is started first which launches the main process
- All the standard operations such as start, stop, dump, etc, should now work from nifi-registry.sh
- Added placeholder LICENSE and NOTICE files to the assembly, need to fill in later
- Create nifi-registry-utils to hold utility code
You can merge this pull request into a Git repository by running:
$ git pull https://github.com/bbende/nifi-registry NIFIREG-6
Alternatively you can review and apply these changes as the patch at:
https://github.com/apache/nifi-registry/pull/3.patch
To close this pull request, make a commit to your master/trunk branch with (at least) the following in the commit message:
This closes #3
commit 10857d551cc48b67e5188a059406bd045c19bce7
Author: Bryan Bende
Date: 2017-08-01T18:59:47Z
NIFIREG-6 Adding nifi-registry-bootstrap module
[jira] [Commented] (NIFIREG-6) Add nifi-registry-bootstrap module
[ https://issues.apache.org/jira/browse/NIFIREG-6?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16111670#comment-16111670 ]
ASF GitHub Bot commented on NIFIREG-6:
GitHub user bbende opened a pull request:
https://github.com/apache/nifi-registry/pull/3
NIFIREG-6 Adding nifi-registry-bootstrap module
- Enables registry to have the same setup as NiFi where a bootstrap process is started first which launches the main process
- All the standard operations such as start, stop, dump, etc, should now work from nifi-registry.sh
- Added placeholder LICENSE and NOTICE files to the assembly, need to fill in later
- Create nifi-registry-utils to hold utility code
You can merge this pull request into a Git repository by running:
$ git pull https://github.com/bbende/nifi-registry NIFIREG-6
Alternatively you can review and apply these changes as the patch at:
https://github.com/apache/nifi-registry/pull/3.patch
To close this pull request, make a commit to your master/trunk branch with (at least) the following in the commit message:
This closes #3
commit 10857d551cc48b67e5188a059406bd045c19bce7
Author: Bryan Bende
Date: 2017-08-01T18:59:47Z
NIFIREG-6 Adding nifi-registry-bootstrap module
> Add nifi-registry-bootstrap module
> Key: NIFIREG-6
> URL: https://issues.apache.org/jira/browse/NIFIREG-6
> Project: NiFi Registry
> Issue Type: Improvement
> Affects Versions: 0.0.1
> Reporter: Bryan Bende
> Assignee: Bryan Bende
> Priority: Minor
>
> Currently NiFiRegistry is the entry point of the application, and in its current state the main method starts a new Jetty server every time.
> We should take a similar approach to NiFi where we have a bootstrap process that launches and communicates with the application process.
[GitHub] nifi-minifi-cpp pull request #123: MINIFI-363: Set format macro declaration ...
Github user asfgit closed the pull request at: https://github.com/apache/nifi-minifi-cpp/pull/123
[jira] [Created] (NIFI-4258) CSVUtils uses same AllowableValue for 'Informix Unload' and 'Informix Unload Escape Disabled'
Wesley L Lawrence created NIFI-4258:
Summary: CSVUtils uses same AllowableValue for 'Informix Unload' and 'Informix Unload Escape Disabled'
Key: NIFI-4258
URL: https://issues.apache.org/jira/browse/NIFI-4258
Project: Apache NiFi
Issue Type: Bug
Affects Versions: 1.4.0
Reporter: Wesley L Lawrence
Priority: Minor
Related to NIFI-4242, you can't use 'Informix Unload Escape Disabled' as a pre-defined CSV format, because 'Informix Unload' has the same allowable value.
The WebUI for CSVReader/CSVRecordSetWriter seems to always display 'Informix Unload', and when choosing from the drop down, says 'Informix Unload Escape Delimited'.
Given that within CSVUtils, 'Informix Unload' is checked against first, I suspect that's the one that gets chosen.
[GitHub] nifi-minifi-cpp pull request #122: MINIFI-359: Add PutFile test to test a va...
Github user asfgit closed the pull request at: https://github.com/apache/nifi-minifi-cpp/pull/122
[GitHub] nifi pull request #2050: NIFI-4257 - add custom WHERE clause in database fet...
GitHub user pvillard31 opened a pull request:
https://github.com/apache/nifi/pull/2050
NIFI-4257 - add custom WHERE clause in database fetch processors
Thank you for submitting a contribution to Apache NiFi.
In order to streamline the review of the contribution we ask you to ensure the following steps have been taken:
### For all changes:
- [ ] Is there a JIRA ticket associated with this PR? Is it referenced in the commit message?
- [ ] Does your PR title start with NIFI- where is the JIRA number you are trying to resolve? Pay particular attention to the hyphen "-" character.
- [ ] Has your PR been rebased against the latest commit within the target branch (typically master)?
- [ ] Is your initial contribution a single, squashed commit?
### For code changes:
- [ ] Have you ensured that the full suite of tests is executed via mvn -Pcontrib-check clean install at the root nifi folder?
- [ ] Have you written or updated unit tests to verify your changes?
- [ ] If adding new dependencies to the code, are these dependencies licensed in a way that is compatible for inclusion under [ASF 2.0](http://www.apache.org/legal/resolved.html#category-a)?
- [ ] If applicable, have you updated the LICENSE file, including the main LICENSE file under nifi-assembly?
- [ ] If applicable, have you updated the NOTICE file, including the main NOTICE file found under nifi-assembly?
- [ ] If adding new Properties, have you added .displayName in addition to .name (programmatic access) for each of the new properties?
### For documentation related changes:
- [ ] Have you ensured that format looks appropriate for the output in which it is rendered?
### Note:
Please ensure that once the PR is submitted, you check travis-ci for build issues and submit an update to your PR as soon as possible.
You can merge this pull request into a Git repository by running:
$ git pull https://github.com/pvillard31/nifi NIFI-4257
Alternatively you can review and apply these changes as the patch at:
https://github.com/apache/nifi/pull/2050.patch
To close this pull request, make a commit to your master/trunk branch with (at least) the following in the commit message:
This closes #2050
commit 1f0fa6e97c6e357f0e3c796c084dca1fd5de942f
Author: Pierre Villard
Date: 2017-08-02T13:22:31Z
NIFI-4257 - add custom WHERE clause in database fetch processors
[jira] [Commented] (NIFI-4257) Allow a custom WHERE clause in AbstractDatabaseFetchProcessor
[ https://issues.apache.org/jira/browse/NIFI-4257?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16111745#comment-16111745 ]
ASF GitHub Bot commented on NIFI-4257:
GitHub user pvillard31 opened a pull request:
https://github.com/apache/nifi/pull/2050
NIFI-4257 - add custom WHERE clause in database fetch processors
Thank you for submitting a contribution to Apache NiFi.
In order to streamline the review of the contribution we ask you to ensure the following steps have been taken:
### For all changes:
- [ ] Is there a JIRA ticket associated with this PR? Is it referenced in the commit message?
- [ ] Does your PR title start with NIFI- where is the JIRA number you are trying to resolve? Pay particular attention to the hyphen "-" character.
- [ ] Has your PR been rebased against the latest commit within the target branch (typically master)?
- [ ] Is your initial contribution a single, squashed commit?
### For code changes:
- [ ] Have you ensured that the full suite of tests is executed via mvn -Pcontrib-check clean install at the root nifi folder?
- [ ] Have you written or updated unit tests to verify your changes?
- [ ] If adding new dependencies to the code, are these dependencies licensed in a way that is compatible for inclusion under [ASF 2.0](http://www.apache.org/legal/resolved.html#category-a)?
- [ ] If applicable, have you updated the LICENSE file, including the main LICENSE file under nifi-assembly?
- [ ] If applicable, have you updated the NOTICE file, including the main NOTICE file found under nifi-assembly?
- [ ] If adding new Properties, have you added .displayName in addition to .name (programmatic access) for each of the new properties?
### For documentation related changes:
- [ ] Have you ensured that format looks appropriate for the output in which it is rendered?
### Note:
Please ensure that once the PR is submitted, you check travis-ci for build issues and submit an update to your PR as soon as possible.
You can merge this pull request into a Git repository by running:
$ git pull https://github.com/pvillard31/nifi NIFI-4257
Alternatively you can review and apply these changes as the patch at:
https://github.com/apache/nifi/pull/2050.patch
To close this pull request, make a commit to your master/trunk branch with (at least) the following in the commit message:
This closes #2050
commit 1f0fa6e97c6e357f0e3c796c084dca1fd5de942f
Author: Pierre Villard
Date: 2017-08-02T13:22:31Z
NIFI-4257 - add custom WHERE clause in database fetch processors
> Allow a custom WHERE clause in AbstractDatabaseFetchProcessor
> Key: NIFI-4257
> URL: https://issues.apache.org/jira/browse/NIFI-4257
> Project: Apache NiFi
> Issue Type: Improvement
> Components: Extensions
> Reporter: Pierre Villard
> Assignee: Pierre Villard
>
> It could be useful allowing a user to set a custom WHERE clause in AbstractDatabaseFetchProcessor in case not all of the data in the table is required.
> In case the WHERE clause is changed after the processor has already been running, the user will probably have to set the initial maximum values to ensure the expected behaviour.
[jira] [Updated] (NIFI-4257) Allow a custom WHERE clause in AbstractDatabaseFetchProcessor
[ https://issues.apache.org/jira/browse/NIFI-4257?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Pierre Villard updated NIFI-4257:
Status: Patch Available (was: Open)
> Allow a custom WHERE clause in AbstractDatabaseFetchProcessor
> Key: NIFI-4257
> URL: https://issues.apache.org/jira/browse/NIFI-4257
> Project: Apache NiFi
> Issue Type: Improvement
> Components: Extensions
> Reporter: Pierre Villard
> Assignee: Pierre Villard
>
> It could be useful allowing a user to set a custom WHERE clause in AbstractDatabaseFetchProcessor in case not all of the data in the table is required.
> In case the WHERE clause is changed after the processor has already been running, the user will probably have to set the initial maximum values to ensure the expected behaviour.
[GitHub] nifi pull request #2047: NIFI-4210: Add support for OpenId Connect
Github user alopresto commented on a diff in the pull request: https://github.com/apache/nifi/pull/2047#discussion_r131015276 --- Diff: nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/api/AccessResource.java --- 
@@ -125,6 +142,160 @@ public Response getLoginConfig(@Context HttpServletRequest httpServletRequest) { return generateOkResponse(entity).build(); } +@GET +@Consumes(MediaType.WILDCARD) +@Produces(MediaType.WILDCARD) +@Path("oidc/request") +@ApiOperation( +value = "Initiates a request to authenticate through the configured OpenId Connect provider." +) +public void oidcRequest(@Context HttpServletRequest httpServletRequest, @Context HttpServletResponse httpServletResponse) throws Exception { +// only consider user specific access over https +if (!httpServletRequest.isSecure()) { +forwardToMessagePage(httpServletRequest, httpServletResponse, "User authentication/authorization is only supported when running over HTTPS."); +return; +} + +// ensure oidc is enabled +if (!oidcService.isOidcEnabled()) { +forwardToMessagePage(httpServletRequest, httpServletResponse, "OpenId Connect is not configured."); +return; +} + +final String oidcRequestIdentifier = UUID.randomUUID().toString(); + +// generate a cookie to associate this login sequence +final Cookie cookie = new Cookie(OIDC_REQUEST_IDENTIFIER, oidcRequestIdentifier); +cookie.setPath("/"); +cookie.setHttpOnly(true); +cookie.setMaxAge(60); +cookie.setSecure(true); +httpServletResponse.addCookie(cookie); + +// get the state for this request +final State state = oidcService.createState(oidcRequestIdentifier); + +// build the authorization uri +final URI authorizationUri = UriBuilder.fromUri(oidcService.getAuthorizationEndpoint()) +.queryParam("client_id", oidcService.getClientId()) +.queryParam("response_type", "code") +.queryParam("scope", oidcService.getScope().toString()) +.queryParam("state", state.getValue()) +.queryParam("redirect_uri", getOidcCallback()) +.build(); + +// generate the response +httpServletResponse.sendRedirect(authorizationUri.toString()); +} + +@GET +@Consumes(MediaType.WILDCARD) +@Produces(MediaType.WILDCARD) +@Path("oidc/callback") +@ApiOperation( +value = "Redirect/callback URI for processing the 
result of the OpenId Connect login sequence." +) +public void oidcCallback(@Context HttpServletRequest httpServletRequest, @Context HttpServletResponse httpServletResponse) throws Exception { +// only consider user specific access over https +if (!httpServletRequest.isSecure()) { +forwardToMessagePage(httpServletRequest, httpServletResponse, "User authentication/authorization is only supported when running over HTTPS."); +return; +} + +// ensure oidc is enabled +if (!oidcService.isOidcEnabled()) { +forwardToMessagePage(httpServletRequest, httpServletResponse, "OpenId Connect is not configured."); +return; +} + +final String oidcRequestIdentifier = getCookieValue(httpServletRequest.getCookies(), OIDC_REQUEST_IDENTIFIER); +if (oidcRequestIdentifier == null) { --- End diff -- I was concerned that a malformed cookie could have an empty/whitespace content but not be `null`. Looks like the cookie spec and browser implementations prevent that, so this is resolved. --- If your project is set up for it, you can reply to this email and have your reply appear on GitHub as well. If your project does not have this feature enabled and wishes so, or if the feature is enabled but not working, please contact infrastructure at infrastruct...@apache.org or file a JIRA ticket with INFRA. ---
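Review bot: `cookie.setMaxAge(60)` in `oidcRequest` gives the user 60 seconds to finish authenticating at the provider; if the login takes longer (password entry plus a second factor easily can), the browser drops the cookie and `oidcCallback` reads `oidcRequestIdentifier` as null, so the callback cannot be tied back to the state created by `oidcService.createState(oidcRequestIdentifier)`. Consider a longer or configurable lifetime that matches whatever lifetime the server-side state has, and have the null branch tell the user to start the login again. A blank check rather than `== null` on `oidcRequestIdentifier` would also cover an empty value sent by a non-browser client.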
[jira] [Commented] (NIFI-4210) Add OpenId Connect support for authenticating users
[ https://issues.apache.org/jira/browse/NIFI-4210?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16111861#comment-16111861 ] ASF GitHub Bot commented on NIFI-4210: -- Github user alopresto commented on a diff in the pull request: https://github.com/apache/nifi/pull/2047#discussion_r131015276 --- Diff: nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/api/AccessResource.java --- 
@@ -125,6 +142,160 @@ public Response getLoginConfig(@Context HttpServletRequest httpServletRequest) { return generateOkResponse(entity).build(); } +@GET +@Consumes(MediaType.WILDCARD) +@Produces(MediaType.WILDCARD) +@Path("oidc/request") +@ApiOperation( +value = "Initiates a request to authenticate through the configured OpenId Connect provider." +) +public void oidcRequest(@Context HttpServletRequest httpServletRequest, @Context HttpServletResponse httpServletResponse) throws Exception { +// only consider user specific access over https +if (!httpServletRequest.isSecure()) { +forwardToMessagePage(httpServletRequest, httpServletResponse, "User authentication/authorization is only supported when running over HTTPS."); +return; +} + +// ensure oidc is enabled +if (!oidcService.isOidcEnabled()) { +forwardToMessagePage(httpServletRequest, httpServletResponse, "OpenId Connect is not configured."); +return; +} + +final String oidcRequestIdentifier = UUID.randomUUID().toString(); + +// generate a cookie to associate this login sequence +final Cookie cookie = new Cookie(OIDC_REQUEST_IDENTIFIER, oidcRequestIdentifier); +cookie.setPath("/"); +cookie.setHttpOnly(true); +cookie.setMaxAge(60); +cookie.setSecure(true); +httpServletResponse.addCookie(cookie); + +// get the state for this request +final State state = oidcService.createState(oidcRequestIdentifier); + +// build the authorization uri +final URI authorizationUri = UriBuilder.fromUri(oidcService.getAuthorizationEndpoint()) +.queryParam("client_id", oidcService.getClientId()) +.queryParam("response_type", "code") +.queryParam("scope", oidcService.getScope().toString()) +.queryParam("state", state.getValue()) +.queryParam("redirect_uri", getOidcCallback()) +.build(); + +// generate the response +httpServletResponse.sendRedirect(authorizationUri.toString()); +} + +@GET +@Consumes(MediaType.WILDCARD) +@Produces(MediaType.WILDCARD) +@Path("oidc/callback") +@ApiOperation( +value = "Redirect/callback URI for processing the 
result of the OpenId Connect login sequence." +) +public void oidcCallback(@Context HttpServletRequest httpServletRequest, @Context HttpServletResponse httpServletResponse) throws Exception { +// only consider user specific access over https +if (!httpServletRequest.isSecure()) { +forwardToMessagePage(httpServletRequest, httpServletResponse, "User authentication/authorization is only supported when running over HTTPS."); +return; +} + +// ensure oidc is enabled +if (!oidcService.isOidcEnabled()) { +forwardToMessagePage(httpServletRequest, httpServletResponse, "OpenId Connect is not configured."); +return; +} + +final String oidcRequestIdentifier = getCookieValue(httpServletRequest.getCookies(), OIDC_REQUEST_IDENTIFIER); +if (oidcRequestIdentifier == null) { --- End diff -- I was concerned that a malformed cookie could have an empty/whitespace content but not be `null`. Looks like the cookie spec and browser implementations prevent that, so this is resolved. > Add OpenId Connect support for authenticating users > --- > > Key: NIFI-4210 > URL: https://issues.apache.org/jira/browse/NIFI-4210 > Project: Apache NiFi > Issue Type: Improvement > Components: Core Framework, Core UI >Reporter: Matt Gilman >Assignee: Matt Gilman > > Add support for authenticating users with the OpenId Connection > specification. Evaluate whether a new extension point is necessary to allow > for a given provider to supply custom code for instance to implement custom > token validation. -
[jira] [Commented] (NIFI-4210) Add OpenId Connect support for authenticating users
[ https://issues.apache.org/jira/browse/NIFI-4210?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16111867#comment-16111867 ] ASF GitHub Bot commented on NIFI-4210: -- Github user alopresto commented on a diff in the pull request: https://github.com/apache/nifi/pull/2047#discussion_r131015708 --- Diff: nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/oidc/StandardOidcIdentityProvider.java --- 
@@ -0,0 +1,339 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.nifi.web.security.oidc; + +import com.nimbusds.jose.JOSEException; +import com.nimbusds.jose.JWSAlgorithm; +import com.nimbusds.jose.proc.BadJOSEException; +import com.nimbusds.jose.util.DefaultResourceRetriever; +import com.nimbusds.jose.util.ResourceRetriever; +import com.nimbusds.jwt.JWT; +import com.nimbusds.jwt.JWTClaimsSet; +import com.nimbusds.oauth2.sdk.AuthorizationGrant; +import com.nimbusds.oauth2.sdk.ParseException; +import com.nimbusds.oauth2.sdk.Scope; +import com.nimbusds.oauth2.sdk.TokenErrorResponse; +import com.nimbusds.oauth2.sdk.TokenRequest; +import com.nimbusds.oauth2.sdk.TokenResponse; +import com.nimbusds.oauth2.sdk.auth.ClientAuthentication; +import com.nimbusds.oauth2.sdk.auth.ClientAuthenticationMethod; +import com.nimbusds.oauth2.sdk.auth.ClientSecretBasic; +import com.nimbusds.oauth2.sdk.auth.ClientSecretPost; +import com.nimbusds.oauth2.sdk.auth.Secret; +import com.nimbusds.oauth2.sdk.http.HTTPRequest; +import com.nimbusds.oauth2.sdk.http.HTTPResponse; +import com.nimbusds.oauth2.sdk.id.ClientID; +import com.nimbusds.oauth2.sdk.token.BearerAccessToken; +import 
com.nimbusds.openid.connect.sdk.OIDCScopeValue; +import com.nimbusds.openid.connect.sdk.OIDCTokenResponse; +import com.nimbusds.openid.connect.sdk.OIDCTokenResponseParser; +import com.nimbusds.openid.connect.sdk.UserInfoErrorResponse; +import com.nimbusds.openid.connect.sdk.UserInfoRequest; +import com.nimbusds.openid.connect.sdk.UserInfoResponse; +import com.nimbusds.openid.connect.sdk.UserInfoSuccessResponse; +import com.nimbusds.openid.connect.sdk.claims.IDTokenClaimsSet; +import com.nimbusds.openid.connect.sdk.op.OIDCProviderMetadata; +import com.nimbusds.openid.connect.sdk.token.OIDCTokens; +import com.nimbusds.openid.connect.sdk.validators.IDTokenValidator; +import net.minidev.json.JSONObject; +import org.apache.commons.lang3.StringUtils; +import org.apache.nifi.util.FormatUtils; +import org.apache.nifi.util.NiFiProperties; +import org.apache.nifi.web.security.jwt.JwtService; +import org.apache.nifi.web.security.token.LoginAuthenticationToken; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; + +import java.io.IOException; +import java.net.URI; +import java.net.URL; +import java.util.Calendar; +import java.util.Date; +import java.util.List; +import java.util.concurrent.TimeUnit; + +import static com.nimbusds.openid.connect.sdk.claims.UserInfo.EMAIL_CLAIM_NAME; + +/** + * OidcProvider for managing the OpenId Connect Authorization flow. + */ +public class StandardOidcIdentityProvider implements OidcIdentityProvider { + +private static final Logger logger = LoggerFactory.getLogger(StandardOidcIdentityProvider.class); + +private NiFiProperties properties; +private JwtService jwtService; +private OIDCProviderMetadata oidcProviderMetadata; +private int oidcConnectTimeout; +private int oidcReadTimeout; +private IDTokenValidator tokenValidator; +private ClientID clientId; +private Secret clientSecret; + +/** + * Creates a new StandardOidcIdentityProvider. 
+ * + * @param jwtService jwt service + * @param properties properties + */ +public StandardOidcIdentityProvider(final JwtService
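Review bot: The class Javadoc on StandardOidcIdentityProvider reads "OidcProvider for managing the OpenId Connect Authorization flow", which matches neither the class name nor the OidcIdentityProvider interface it implements, and the constructor's @param lines ("jwt service", "properties") only restate the parameter names. Since this class holds the clientSecret and the IDTokenValidator, the Javadoc is the place to say what is validated and which configuration the constructor expects to find in NiFiProperties.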
[GitHub] nifi pull request #2047: NIFI-4210: Add support for OpenId Connect
Github user alopresto commented on a diff in the pull request: https://github.com/apache/nifi/pull/2047#discussion_r131015708 --- Diff: nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/oidc/StandardOidcIdentityProvider.java --- 
@@ -0,0 +1,339 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.nifi.web.security.oidc; + +import com.nimbusds.jose.JOSEException; +import com.nimbusds.jose.JWSAlgorithm; +import com.nimbusds.jose.proc.BadJOSEException; +import com.nimbusds.jose.util.DefaultResourceRetriever; +import com.nimbusds.jose.util.ResourceRetriever; +import com.nimbusds.jwt.JWT; +import com.nimbusds.jwt.JWTClaimsSet; +import com.nimbusds.oauth2.sdk.AuthorizationGrant; +import com.nimbusds.oauth2.sdk.ParseException; +import com.nimbusds.oauth2.sdk.Scope; +import com.nimbusds.oauth2.sdk.TokenErrorResponse; +import com.nimbusds.oauth2.sdk.TokenRequest; +import com.nimbusds.oauth2.sdk.TokenResponse; +import com.nimbusds.oauth2.sdk.auth.ClientAuthentication; +import com.nimbusds.oauth2.sdk.auth.ClientAuthenticationMethod; +import com.nimbusds.oauth2.sdk.auth.ClientSecretBasic; +import com.nimbusds.oauth2.sdk.auth.ClientSecretPost; +import com.nimbusds.oauth2.sdk.auth.Secret; +import com.nimbusds.oauth2.sdk.http.HTTPRequest; +import com.nimbusds.oauth2.sdk.http.HTTPResponse; +import com.nimbusds.oauth2.sdk.id.ClientID; +import com.nimbusds.oauth2.sdk.token.BearerAccessToken; +import 
com.nimbusds.openid.connect.sdk.OIDCScopeValue; +import com.nimbusds.openid.connect.sdk.OIDCTokenResponse; +import com.nimbusds.openid.connect.sdk.OIDCTokenResponseParser; +import com.nimbusds.openid.connect.sdk.UserInfoErrorResponse; +import com.nimbusds.openid.connect.sdk.UserInfoRequest; +import com.nimbusds.openid.connect.sdk.UserInfoResponse; +import com.nimbusds.openid.connect.sdk.UserInfoSuccessResponse; +import com.nimbusds.openid.connect.sdk.claims.IDTokenClaimsSet; +import com.nimbusds.openid.connect.sdk.op.OIDCProviderMetadata; +import com.nimbusds.openid.connect.sdk.token.OIDCTokens; +import com.nimbusds.openid.connect.sdk.validators.IDTokenValidator; +import net.minidev.json.JSONObject; +import org.apache.commons.lang3.StringUtils; +import org.apache.nifi.util.FormatUtils; +import org.apache.nifi.util.NiFiProperties; +import org.apache.nifi.web.security.jwt.JwtService; +import org.apache.nifi.web.security.token.LoginAuthenticationToken; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; + +import java.io.IOException; +import java.net.URI; +import java.net.URL; +import java.util.Calendar; +import java.util.Date; +import java.util.List; +import java.util.concurrent.TimeUnit; + +import static com.nimbusds.openid.connect.sdk.claims.UserInfo.EMAIL_CLAIM_NAME; + +/** + * OidcProvider for managing the OpenId Connect Authorization flow. + */ +public class StandardOidcIdentityProvider implements OidcIdentityProvider { + +private static final Logger logger = LoggerFactory.getLogger(StandardOidcIdentityProvider.class); + +private NiFiProperties properties; +private JwtService jwtService; +private OIDCProviderMetadata oidcProviderMetadata; +private int oidcConnectTimeout; +private int oidcReadTimeout; +private IDTokenValidator tokenValidator; +private ClientID clientId; +private Secret clientSecret; + +/** + * Creates a new StandardOidcIdentityProvider. 
+ * + * @param jwtService jwt service + * @param properties properties + */ +public StandardOidcIdentityProvider(final JwtService jwtService, final NiFiProperties properties) { +this.properties = properties; +this.jwtService = jwtService; + +// attempt to process the oidc configuration if configured +if (properties.isOidcEnable
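Review bot: In the field block, properties and jwtService are assigned only in the constructor (this.properties = properties; this.jwtService = jwtService;) but are not declared final; marking them final documents that and gives safe publication if the provider is shared across request threads. The remaining fields (oidcProviderMetadata, tokenValidator, clientId, clientSecret) are candidates too if they are set only during construction, which the visible lines stop short of showing.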
[jira] [Commented] (NIFI-4256) Add support for all AWS S3 Encryption Options
[ https://issues.apache.org/jira/browse/NIFI-4256?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16111896#comment-16111896 ] Franco commented on NIFI-4256: -- More than happy to support the existing Server-Side-Encryption property. Is there a pattern in the UI for flagging to users that a property is deprecated? > Add support for all AWS S3 Encryption Options > - > > Key: NIFI-4256 > URL: https://issues.apache.org/jira/browse/NIFI-4256 > Project: Apache NiFi > Issue Type: Improvement > Components: Core Framework >Affects Versions: 1.2.0 >Reporter: Franco > Labels: aws, aws-s3, security > Fix For: 1.4.0 > > > NiFi currently only supports SSE-S3 encryption (AES256). > Support needs to be added for: > * SSE-S3 > * SSE-KMS > * SSE-C > * CSE-KMS CMK > * CSE-Master Key > With all of the appropriate configuration options and such that SSE is > available only for PutS3Object whilst CSE is available also for FetchS3Object. > Given that this will add another 20 or so UI properties the intention is to > split it into a Client Side Encryption Service and Server Side Encryption > Service. This will allow users to reuse "encryption" across different > workflows. > Note: We will not support the existing server-side-encryption option so this > will be a breaking change for existing users. -- This message was sent by Atlassian JIRA (v6.4.14#64029)
[GitHub] nifi-minifi-cpp pull request #117: MINIFI-338: Convert processor threads to ...
Github user asfgit closed the pull request at: https://github.com/apache/nifi-minifi-cpp/pull/117 --- If your project is set up for it, you can reply to this email and have your reply appear on GitHub as well. If your project does not have this feature enabled and wishes so, or if the feature is enabled but not working, please contact infrastructure at infrastruct...@apache.org or file a JIRA ticket with INFRA. ---
[jira] [Updated] (NIFI-4259) Run-init.bat show permission error as org.apache.nifi.bootstrap.Command Failed to set permissions so that only the owner can read pid file
[ https://issues.apache.org/jira/browse/NIFI-4259?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] chatsiri updated NIFI-4259: --- Description: Hello Contributor, I build Apache-nifi on Windows OS environment by use maven simple command references from official build steps. After built core jar file success in nifi-assembly folder. I run command line as below. That warning did I cannot loaded web URL : http://localhost:8080/nifi. {panel:title=My title} PS C:\workspacejava\nifi\nifi-assembly\target\nifi-1.4.0-SNAPSHOT\bin> .\run-nifi.bat 2017-08-03 10:18:03,086 INFO [main] org.apache.nifi.bootstrap.Command Starting Apache NiFi... 2017-08-03 10:18:03,088 INFO [main] org.apache.nifi.bootstrap.Command Working Directory: C:\Users\R2C06~1.CHA\WOA236~1\nifi\NIFI-A~1\target\NIFI-1~2.0-S 2017-08-03 10:18:03,089 INFO [main] org.apache.nifi.bootstrap.Command Command: C:\Program Files\Java\jdk1.8.0_131\bin\java.exe -classpath C:\Users\R2C06~1.CHA\WOA236~1\nifi\NIFI-A~1\target\NIFI-1~2.0-S\.\conf;C:\Users\R2C06~1.CHA\WOA236~1\nifi\NIFI-A~1\target\NIFI-1~2.0- S\.\lib\javax.servlet-api-3.1.0.jar;C:\Users\R2C06~1.CHA\WOA236~1\nifi\NIFI-A~1\target\NIFI-1~2.0-S\.\lib\jcl-over-slf4j-1.7.25.jar;C:\Users\R2C06~1.CHA\WOA236~1\nifi\NIFI-A~1\target\NIFI-1~2.0-S\.\lib\jetty-schemas-3.1.jar;C:\Users\R2C06~1.CHA\WOA236~1\nifi\NIFI-A~1\tar get\NIFI-1~2.0-S\.\lib\jul-to-slf4j-1.7.25.jar;C:\Users\R2C06~1.CHA\WOA236~1\nifi\NIFI-A~1\target\NIFI-1~2.0-S\.\lib\log4j-over-slf4j-1.7.25.jar;C:\Users\R2C06~1.CHA\WOA236~1\nifi\NIFI-A~1\target\NIFI-1~2.0-S\.\lib\logback-classic-1.2.3.jar;C:\Users\R2C06~1.CHA\WOA236~1\ nifi\NIFI-A~1\target\NIFI-1~2.0-S\.\lib\logback-core-1.2.3.jar;C:\Users\R2C06~1.CHA\WOA236~1\nifi\NIFI-A~1\target\NIFI-1~2.0-S\.\lib\nifi-api-1.4.0-SNAPSHOT.jar;C:\Users\R2C06~1.CHA\WOA236~1\nifi\NIFI-A~1\target\NIFI-1~2.0-S\.\lib\nifi-framework-api-1.4.0-SNAPSHOT.jar;C: 
\Users\R2C06~1.CHA\WOA236~1\nifi\NIFI-A~1\target\NIFI-1~2.0-S\.\lib\nifi-nar-utils-1.4.0-SNAPSHOT.jar;C:\Users\R2C06~1.CHA\WOA236~1\nifi\NIFI-A~1\target\NIFI-1~2.0-S\.\lib\nifi-properties-1.4.0-SNAPSHOT.jar;C:\Users\R2C06~1.CHA\WOA236~1\nifi\NIFI-A~1\target\NIFI-1~2.0-S\ .\lib\nifi-runtime-1.4.0-SNAPSHOT.jar;C:\Users\R2C06~1.CHA\WOA236~1\nifi\NIFI-A~1\target\NIFI-1~2.0-S\.\lib\slf4j-api-1.7.25.jar -Dorg.apache.jasper.compiler.disablejsr199=true -Xmx512m -Xms512m -Djava.security.egd=file:/dev/urandom -Dsun.net.http.allowRestrictedHeaders= true -Djava.net.preferIPv4Stack=true -Djava.awt.headless=true -XX:+UseG1GC -Djava.protocol.handler.pkgs=sun.net.www.protocol -Dnifi.properties.file.path=C:\Users\R2C06~1.CHA\WOA236~1\nifi\NIFI-A~1\target\NIFI-1~2.0-S\.\conf\nifi.properties -Dnifi.bootstrap.listen.port=53 626 -Dapp=NiFi -Dorg.apache.nifi.bootstrap.config.log.dir=C:\Users\R2C06~1.CHA\WOA236~1\nifi\NIFI-A~1\target\NIFI-1~2.0-S\bin\..\\logs org.apache.nifi.NiFi 2017-08-03 10:18:03,975 WARN [main] org.apache.nifi.bootstrap.Command Failed to set permissions so that only the owner can read pid file C:\Users\R2C06~1.CHA\WOA236~1\nifi\NIFI-A~1\target\NIFI-1~2.0-S\bin\..\run\nifi.pid; this may allows others to have access to the key needed to communicate with NiFi. Permissions should be changed so that only the owner can read this file 2017-08-03 10:18:04,000 WARN [main] org.apache.nifi.bootstrap.Command Failed to set permissions so that only the owner can read status file C:\Users\R2C06~1.CHA\WOA236~1\nifi\NIFI-A~1\target\NIFI-1~2.0-S\bin\..\run\nifi.status; this may allows others to have access to th e key needed to communicate with NiFi. 
Permissions should be changed so that only the owner can read this file 2017-08-03 10:18:04,051 INFO [main] org.apache.nifi.bootstrap.Command Launched Apache NiFi with Process ID 18036 {panel} It shows warning from console log is {panel:title=Console log} 2017-08-03 10:18:04,000 WARN [main] org.apache.nifi.bootstrap.Command Failed to set permissions so that only the owner can read status file C:\Users\R2C06~1.CHA\WOA236~1\nifi\NIFI-A~1\target\NIFI-1~2.0-S\bin\..\run\nifi.status; this may allows others to have access to th e key needed to communicate with NiFi. Permissions should be changed so that only the owner can read this file {panel} I paste log from Nifi-app.log {panel:title=Nifi-app.log} 2017-08-02 23:55:08,101 WARN [main] org.apache.nifi.nar.ExtensionManager Component org.apache.nifi.processors.aws.dynamodb.PutDynamoDB is bundled with its referenced Controller Service APIs org.apache.nifi.processors.aws.credentials.pr ovider.service.AWSCredentialsProviderService. The service APIs should not be bundled with component implementations that reference it. 2017-08-02 23:55:08,116 WARN [main] org.apache.nifi.nar.ExtensionManager Component org.apache.nifi.processors.aws.dynamodb.DeleteDynamoDB is bundled with its referenced Controller Service APIs org.apache.nifi.processors.aws.credentials .provider.service.AWSCredentialsProviderServi
[jira] [Created] (NIFI-4259) Run-init.bat show permission error as org.apache.nifi.bootstrap.Command Failed to set permissions so that only the owner can read pid file
chatsiri created NIFI-4259: -- Summary: Run-init.bat show permission error as org.apache.nifi.bootstrap.Command Failed to set permissions so that only the owner can read pid file Key: NIFI-4259 URL: https://issues.apache.org/jira/browse/NIFI-4259 Project: Apache NiFi Issue Type: Bug Components: Configuration Affects Versions: 2.0.0 Reporter: chatsiri Hello Contributor, I build Apache-nifi on Windows OS environment by use maven simple command references from official build steps. After built core jar file success in nifi-assembly folder. I run command line as below. That warning did I cannot loaded web URL : http://localhost:8080/nifi. {panel:title=My title} PS C:\workspacejava\nifi\nifi-assembly\target\nifi-1.4.0-SNAPSHOT\bin> .\run-nifi.bat 2017-08-03 10:18:03,086 INFO [main] org.apache.nifi.bootstrap.Command Starting Apache NiFi... 2017-08-03 10:18:03,088 INFO [main] org.apache.nifi.bootstrap.Command Working Directory: C:\Users\R2C06~1.CHA\WOA236~1\nifi\NIFI-A~1\target\NIFI-1~2.0-S 2017-08-03 10:18:03,089 INFO [main] org.apache.nifi.bootstrap.Command Command: C:\Program Files\Java\jdk1.8.0_131\bin\java.exe -classpath C:\Users\R2C06~1.CHA\WOA236~1\nifi\NIFI-A~1\target\NIFI-1~2.0-S\.\conf;C:\Users\R2C06~1.CHA\WOA236~1\nifi\NIFI-A~1\target\NIFI-1~2.0- S\.\lib\javax.servlet-api-3.1.0.jar;C:\Users\R2C06~1.CHA\WOA236~1\nifi\NIFI-A~1\target\NIFI-1~2.0-S\.\lib\jcl-over-slf4j-1.7.25.jar;C:\Users\R2C06~1.CHA\WOA236~1\nifi\NIFI-A~1\target\NIFI-1~2.0-S\.\lib\jetty-schemas-3.1.jar;C:\Users\R2C06~1.CHA\WOA236~1\nifi\NIFI-A~1\tar get\NIFI-1~2.0-S\.\lib\jul-to-slf4j-1.7.25.jar;C:\Users\R2C06~1.CHA\WOA236~1\nifi\NIFI-A~1\target\NIFI-1~2.0-S\.\lib\log4j-over-slf4j-1.7.25.jar;C:\Users\R2C06~1.CHA\WOA236~1\nifi\NIFI-A~1\target\NIFI-1~2.0-S\.\lib\logback-classic-1.2.3.jar;C:\Users\R2C06~1.CHA\WOA236~1\ 
nifi\NIFI-A~1\target\NIFI-1~2.0-S\.\lib\logback-core-1.2.3.jar;C:\Users\R2C06~1.CHA\WOA236~1\nifi\NIFI-A~1\target\NIFI-1~2.0-S\.\lib\nifi-api-1.4.0-SNAPSHOT.jar;C:\Users\R2C06~1.CHA\WOA236~1\nifi\NIFI-A~1\target\NIFI-1~2.0-S\.\lib\nifi-framework-api-1.4.0-SNAPSHOT.jar;C: \Users\R2C06~1.CHA\WOA236~1\nifi\NIFI-A~1\target\NIFI-1~2.0-S\.\lib\nifi-nar-utils-1.4.0-SNAPSHOT.jar;C:\Users\R2C06~1.CHA\WOA236~1\nifi\NIFI-A~1\target\NIFI-1~2.0-S\.\lib\nifi-properties-1.4.0-SNAPSHOT.jar;C:\Users\R2C06~1.CHA\WOA236~1\nifi\NIFI-A~1\target\NIFI-1~2.0-S\ .\lib\nifi-runtime-1.4.0-SNAPSHOT.jar;C:\Users\R2C06~1.CHA\WOA236~1\nifi\NIFI-A~1\target\NIFI-1~2.0-S\.\lib\slf4j-api-1.7.25.jar -Dorg.apache.jasper.compiler.disablejsr199=true -Xmx512m -Xms512m -Djava.security.egd=file:/dev/urandom -Dsun.net.http.allowRestrictedHeaders= true -Djava.net.preferIPv4Stack=true -Djava.awt.headless=true -XX:+UseG1GC -Djava.protocol.handler.pkgs=sun.net.www.protocol -Dnifi.properties.file.path=C:\Users\R2C06~1.CHA\WOA236~1\nifi\NIFI-A~1\target\NIFI-1~2.0-S\.\conf\nifi.properties -Dnifi.bootstrap.listen.port=53 626 -Dapp=NiFi -Dorg.apache.nifi.bootstrap.config.log.dir=C:\Users\R2C06~1.CHA\WOA236~1\nifi\NIFI-A~1\target\NIFI-1~2.0-S\bin\..\\logs org.apache.nifi.NiFi 2017-08-03 10:18:03,975 WARN [main] org.apache.nifi.bootstrap.Command Failed to set permissions so that only the owner can read pid file C:\Users\R2C06~1.CHA\WOA236~1\nifi\NIFI-A~1\target\NIFI-1~2.0-S\bin\..\run\nifi.pid; this may allows others to have access to the key needed to communicate with NiFi. Permissions should be changed so that only the owner can read this file 2017-08-03 10:18:04,000 WARN [main] org.apache.nifi.bootstrap.Command Failed to set permissions so that only the owner can read status file C:\Users\R2C06~1.CHA\WOA236~1\nifi\NIFI-A~1\target\NIFI-1~2.0-S\bin\..\run\nifi.status; this may allows others to have access to th e key needed to communicate with NiFi. 
Permissions should be changed so that only the owner can read this file 2017-08-03 10:18:04,051 INFO [main] org.apache.nifi.bootstrap.Command Launched Apache NiFi with Process ID 18036 {panel} It shows warning from console log is {panel:title=My title} 2017-08-03 10:18:04,000 WARN [main] org.apache.nifi.bootstrap.Command Failed to set permissions so that only the owner can read status file C:\Users\R2C06~1.CHA\WOA236~1\nifi\NIFI-A~1\target\NIFI-1~2.0-S\bin\..\run\nifi.status; this may allows others to have access to th e key needed to communicate with NiFi. Permissions should be changed so that only the owner can read this file {panel} I paste log from Nifi-app.log {panel:title=My title} 2017-08-02 23:55:08,101 WARN [main] org.apache.nifi.nar.ExtensionManager Component org.apache.nifi.processors.aws.dynamodb.PutDynamoDB is bundled with its referenced Controller Service APIs org.apache.nifi.processors.aws.credentials.pr ovider.service.AWSCredentialsProviderService. The service APIs should not be bundled with component implementations that reference it. 2017-08-02
[jira] [Updated] (NIFI-4259) Run-init.bat show permission error as org.apache.nifi.bootstrap.Command Failed to set permissions so that only the owner can read pid file
[ https://issues.apache.org/jira/browse/NIFI-4259?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] chatsiri updated NIFI-4259: --- Description: Hello Contributor, I build Apache-nifi on Windows OS environment by use maven simple command references from official build steps. After built core jar file success in nifi-assembly folder. I run command line as below. That warning did I cannot loaded web URL : http://localhost:8080/nifi. {panel:title=Console log after cal call command line ./run-nifi.bat} PS C:\workspacejava\nifi\nifi-assembly\target\nifi-1.4.0-SNAPSHOT\bin> .\run-nifi.bat 2017-08-03 10:18:03,086 INFO [main] org.apache.nifi.bootstrap.Command Starting Apache NiFi... 2017-08-03 10:18:03,088 INFO [main] org.apache.nifi.bootstrap.Command Working Directory: C:\Users\R2C06~1.CHA\WOA236~1\nifi\NIFI-A~1\target\NIFI-1~2.0-S 2017-08-03 10:18:03,089 INFO [main] org.apache.nifi.bootstrap.Command Command: C:\Program Files\Java\jdk1.8.0_131\bin\java.exe -classpath C:\Users\R2C06~1.CHA\WOA236~1\nifi\NIFI-A~1\target\NIFI-1~2.0-S\.\conf;C:\Users\R2C06~1.CHA\WOA236~1\nifi\NIFI-A~1\target\NIFI-1~2.0- S\.\lib\javax.servlet-api-3.1.0.jar;C:\Users\R2C06~1.CHA\WOA236~1\nifi\NIFI-A~1\target\NIFI-1~2.0-S\.\lib\jcl-over-slf4j-1.7.25.jar;C:\Users\R2C06~1.CHA\WOA236~1\nifi\NIFI-A~1\target\NIFI-1~2.0-S\.\lib\jetty-schemas-3.1.jar;C:\Users\R2C06~1.CHA\WOA236~1\nifi\NIFI-A~1\tar get\NIFI-1~2.0-S\.\lib\jul-to-slf4j-1.7.25.jar;C:\Users\R2C06~1.CHA\WOA236~1\nifi\NIFI-A~1\target\NIFI-1~2.0-S\.\lib\log4j-over-slf4j-1.7.25.jar;C:\Users\R2C06~1.CHA\WOA236~1\nifi\NIFI-A~1\target\NIFI-1~2.0-S\.\lib\logback-classic-1.2.3.jar;C:\Users\R2C06~1.CHA\WOA236~1\ nifi\NIFI-A~1\target\NIFI-1~2.0-S\.\lib\logback-core-1.2.3.jar;C:\Users\R2C06~1.CHA\WOA236~1\nifi\NIFI-A~1\target\NIFI-1~2.0-S\.\lib\nifi-api-1.4.0-SNAPSHOT.jar;C:\Users\R2C06~1.CHA\WOA236~1\nifi\NIFI-A~1\target\NIFI-1~2.0-S\.\lib\nifi-framework-api-1.4.0-SNAPSHOT.jar;C: 
\Users\R2C06~1.CHA\WOA236~1\nifi\NIFI-A~1\target\NIFI-1~2.0-S\.\lib\nifi-nar-utils-1.4.0-SNAPSHOT.jar;C:\Users\R2C06~1.CHA\WOA236~1\nifi\NIFI-A~1\target\NIFI-1~2.0-S\.\lib\nifi-properties-1.4.0-SNAPSHOT.jar;C:\Users\R2C06~1.CHA\WOA236~1\nifi\NIFI-A~1\target\NIFI-1~2.0-S\ .\lib\nifi-runtime-1.4.0-SNAPSHOT.jar;C:\Users\R2C06~1.CHA\WOA236~1\nifi\NIFI-A~1\target\NIFI-1~2.0-S\.\lib\slf4j-api-1.7.25.jar -Dorg.apache.jasper.compiler.disablejsr199=true -Xmx512m -Xms512m -Djava.security.egd=file:/dev/urandom -Dsun.net.http.allowRestrictedHeaders= true -Djava.net.preferIPv4Stack=true -Djava.awt.headless=true -XX:+UseG1GC -Djava.protocol.handler.pkgs=sun.net.www.protocol -Dnifi.properties.file.path=C:\Users\R2C06~1.CHA\WOA236~1\nifi\NIFI-A~1\target\NIFI-1~2.0-S\.\conf\nifi.properties -Dnifi.bootstrap.listen.port=53 626 -Dapp=NiFi -Dorg.apache.nifi.bootstrap.config.log.dir=C:\Users\R2C06~1.CHA\WOA236~1\nifi\NIFI-A~1\target\NIFI-1~2.0-S\bin\..\\logs org.apache.nifi.NiFi 2017-08-03 10:18:03,975 WARN [main] org.apache.nifi.bootstrap.Command Failed to set permissions so that only the owner can read pid file C:\Users\R2C06~1.CHA\WOA236~1\nifi\NIFI-A~1\target\NIFI-1~2.0-S\bin\..\run\nifi.pid; this may allows others to have access to the key needed to communicate with NiFi. Permissions should be changed so that only the owner can read this file 2017-08-03 10:18:04,000 WARN [main] org.apache.nifi.bootstrap.Command Failed to set permissions so that only the owner can read status file C:\Users\R2C06~1.CHA\WOA236~1\nifi\NIFI-A~1\target\NIFI-1~2.0-S\bin\..\run\nifi.status; this may allows others to have access to th e key needed to communicate with NiFi. 
Permissions should be changed so that only the owner can read this file 2017-08-03 10:18:04,051 INFO [main] org.apache.nifi.bootstrap.Command Launched Apache NiFi with Process ID 18036 {panel} It shows warning from console log is {panel:title=Console log} 2017-08-03 10:18:04,000 WARN [main] org.apache.nifi.bootstrap.Command Failed to set permissions so that only the owner can read status file C:\Users\R2C06~1.CHA\WOA236~1\nifi\NIFI-A~1\target\NIFI-1~2.0-S\bin\..\run\nifi.status; this may allows others to have access to th e key needed to communicate with NiFi. Permissions should be changed so that only the owner can read this file {panel} I paste log from Nifi-app.log {panel:title=Nifi-app.log} 2017-08-02 23:55:08,101 WARN [main] org.apache.nifi.nar.ExtensionManager Component org.apache.nifi.processors.aws.dynamodb.PutDynamoDB is bundled with its referenced Controller Service APIs org.apache.nifi.processors.aws.credentials.pr ovider.service.AWSCredentialsProviderService. The service APIs should not be bundled with component implementations that reference it. 2017-08-02 23:55:08,116 WARN [main] org.apache.nifi.nar.ExtensionManager Component org.apache.nifi.processors.aws.dynamodb.DeleteDynamoDB is bundled with its referenced Controller Service APIs org.apache.nifi.processors.aws.credentials
[jira] [Commented] (NIFI-4215) Avro schemas with records that have a field of themselves fail to parse, causing stackoverflow exception
[ https://issues.apache.org/jira/browse/NIFI-4215?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16112166#comment-16112166 ] James Wing commented on NIFI-4215: -- [~markap14], would you please expand a bit on the immutability concern and what criteria we should apply to a solution? Although the changes we introduced would mutate the SimpleRecordSchema once after creation, I don't believe it would have introduced or permitted widespread updates outside the initial creation and configuration. Are you worried about immediate multi-threaded changes we introduced, future developers abusing the access, or the JVM not performing the right optimizations without the benefit of {{final}} guidance? > Avro schemas with records that have a field of themselves fail to parse, > causing stackoverflow exception > > > Key: NIFI-4215 > URL: https://issues.apache.org/jira/browse/NIFI-4215 > Project: Apache NiFi > Issue Type: Bug >Affects Versions: 1.4.0 >Reporter: Wesley L Lawrence >Priority: Minor > Attachments: nifi-4215.patch > > > Noticed this while attempting to use the AvroSchemaRegsitry with some complex > schema. Boiled down, Avro lets you define a schema such as; > {code} > { > "namespace": "org.apache.nifi.testing", > "name": "CompositRecord", > "type": "record", > "fields": [ > { > "name": "id", > "type": "int" > }, > { > "name": "value", > "type": "string" > }, > { > "name": "parent", > "type": [ > "null", > "CompositRecord" > ] > } > ] > } > {code} > The AvroSchemaRegistry (AvroTypeUtil specifically) will fail to parse, and > generate a stackoverflow exception. > I've whipped up a fix, tested it out in 1.4.0, and am just running through > the contrib build before I submit a patch. -- This message was sent by Atlassian JIRA (v6.4.14#64029)
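The failure reported in NIFI-4215 and the register-then-fill approach the comment above debates, as an added Python example that is neither NiFi's AvroTypeUtil nor the attached patch. RecordType, index_definitions, convert and load are hypothetical names; only the schema is taken from the report.

```python
import json

# Schema from the NIFI-4215 report: the "parent" field refers back to the record.
SCHEMA_JSON = """
{"namespace": "org.apache.nifi.testing", "name": "CompositRecord", "type": "record",
 "fields": [{"name": "id", "type": "int"},
            {"name": "value", "type": "string"},
            {"name": "parent", "type": ["null", "CompositRecord"]}]}
"""

PRIMITIVES = {"null", "boolean", "int", "long", "float", "double", "bytes", "string"}

def full_name(name, namespace):
    """Avro full name: a dotted name is already qualified, otherwise prepend the namespace."""
    return name if "." in name or not namespace else f"{namespace}.{name}"

class RecordType:
    """Hypothetical record schema whose field list can be assigned exactly once."""
    def __init__(self, name):
        self.name = name
        self._fields = None

    def set_fields(self, fields):
        if self._fields is not None:
            raise RuntimeError(f"fields of {self.name} are already set")
        self._fields = tuple(fields)

    @property
    def fields(self):
        if self._fields is None:
            raise RuntimeError(f"fields of {self.name} are not set yet")
        return self._fields

def index_definitions(node, namespace, defs):
    """Map the full name of every record definition to (definition, its namespace)."""
    if isinstance(node, list):
        for branch in node:
            index_definitions(branch, namespace, defs)
    elif isinstance(node, dict):
        kind = node.get("type")
        if kind == "record":
            ns = node.get("namespace", namespace)
            defs[full_name(node["name"], ns)] = (node, ns)
            for field in node["fields"]:
                index_definitions(field["type"], ns, defs)
        elif kind in ("array", "map"):
            index_definitions(node["items" if kind == "array" else "values"], namespace, defs)
    return defs

def convert(node, namespace, defs, known=None):
    # known=None reproduces the reported failure: each reference to a named record
    # is expanded again. With a dict, a reference returns the registered RecordType.
    if isinstance(node, str):
        if node in PRIMITIVES:
            return node
        name = full_name(node, namespace)
        if known is not None and name in known:
            return known[name]
        definition, ns = defs[name]
        return convert(definition, ns, defs, known)
    if isinstance(node, list):
        return ("union", tuple(convert(b, namespace, defs, known) for b in node))
    kind = node["type"]
    if kind == "record":
        ns = node.get("namespace", namespace)
        record = RecordType(full_name(node["name"], ns))
        if known is not None:
            known[record.name] = record  # register first, then descend into the fields
        record.set_fields(
            [(f["name"], convert(f["type"], ns, defs, known)) for f in node["fields"]]
        )
        return record
    if kind in ("array", "map"):
        inner = node["items" if kind == "array" else "values"]
        return (kind, convert(inner, namespace, defs, known))
    if kind in PRIMITIVES:
        return kind
    raise ValueError(f"unsupported schema type: {kind!r}")

def load(schema_json, cycle_safe=True):
    """Parse the JSON and convert it; cycle_safe=False shows the unbounded recursion."""
    root = json.loads(schema_json)
    defs = index_definitions(root, None, {})
    return convert(root, None, defs, {} if cycle_safe else None)

if __name__ == "__main__":
    record = load(SCHEMA_JSON)
    parent_type = dict(record.fields)["parent"]
    print(record.name, "parent ->", parent_type[1][1].name)
    try:
        load(SCHEMA_JSON, cycle_safe=False)
    except RecursionError as exc:
        print("without the registry:", type(exc).__name__)
```

The single late assignment in set_fields is the "mutate once after creation" trade-off raised in the comment: the record has to exist before its fields do, so that the self-reference has something to point at.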
[GitHub] nifi issue #2020: [NiFi-3973] Add PutKudu Processor for ingesting data to Ku...
Github user cammach commented on the issue: https://github.com/apache/nifi/pull/2020 Hi @rickysaltzer , I have figured out the Record Reader reference issue, and fixed. Would you please continue to review the code?