[GitHub] nifi pull request #1978: NIFI-4127: Composite User Group Providers

2017-07-11 Thread asfgit 
Github user asfgit closed the pull request at:

https://github.com/apache/nifi/pull/1978


---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastruct...@apache.org or file a JIRA ticket
with INFRA.
---

[GitHub] nifi pull request #1978: NIFI-4127: Composite User Group Providers

2017-07-06 Thread mcgilman 
Github user mcgilman commented on a diff in the pull request:

https://github.com/apache/nifi/pull/1978#discussion_r125994624
  
--- Diff: nifi-docs/src/main/asciidoc/administration-guide.adoc ---
@@ -464,6 +464,17 @@ Another option for the UserGroupProvider is the 
LdapUserGroupProvider. By defaul
 * Group Name Attribute - Attribute to use to extract group name (i.e. cn). 
Optional. If not set, the entire DN is used.
 * Group Member Attribute - Attribute to use to define group membership 
(i.e. member). Optional. If not set group membership will not be calculated 
through the groups. Will rely on group member being defined through 'User Group 
Name Attribute' if set.
 
+Another option for the UserGroupProvider are composite implementations. 
This means that multiple sources/implementations can be configured and 
composed. For instance, an admin can configure users/groups to be loaded from a 
file and an directory server. There are two composite implementations, one that 
supports multiple UserGroupProviders and one that supports multiple 
UserGroupProviders and a single configurable UserGroupProvider.
+
+The CompositeUserGroupProvider will provide support for retrieving users 
and groups from multiple sources.
--- End diff --

Ah. Sorry your totally right. I forgot about those checks. They have been 
in place for awhile. So that constraint shouldn't be unique to the composite 
providers. Regardless, I will update the documentation accordingly. I suppose I 
could remove those tests I referenced since they will never hit when running in 
the app. However, they still ensure the order the providers are invoked so I'll 
probably leave them in place. Anyways, thanks for confirming.


---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastruct...@apache.org or file a JIRA ticket
with INFRA.
---

[GitHub] nifi pull request #1978: NIFI-4127: Composite User Group Providers

2017-07-06 Thread pvillard31 
Github user pvillard31 commented on a diff in the pull request:

https://github.com/apache/nifi/pull/1978#discussion_r125993273
  
--- Diff: nifi-docs/src/main/asciidoc/administration-guide.adoc ---
@@ -464,6 +464,17 @@ Another option for the UserGroupProvider is the 
LdapUserGroupProvider. By defaul
 * Group Name Attribute - Attribute to use to extract group name (i.e. cn). 
Optional. If not set, the entire DN is used.
 * Group Member Attribute - Attribute to use to define group membership 
(i.e. member). Optional. If not set group membership will not be calculated 
through the groups. Will rely on group member being defined through 'User Group 
Name Attribute' if set.
 
+Another option for the UserGroupProvider are composite implementations. 
This means that multiple sources/implementations can be configured and 
composed. For instance, an admin can configure users/groups to be loaded from a 
file and an directory server. There are two composite implementations, one that 
supports multiple UserGroupProviders and one that supports multiple 
UserGroupProviders and a single configurable UserGroupProvider.
+
+The CompositeUserGroupProvider will provide support for retrieving users 
and groups from multiple sources.
--- End diff --

Hmm you're right but here is what I did: a first test with the configurable 
provider and two LDAP servers, no collision, everything starting as expected. 
Then, I stopped nifi, manually modified the file of the configurable provider 
to add a user already existing in one of the LDAP providers. In that case, NiFi 
failed to start with the following stack trace:


2017-07-06 21:19:53,484 WARN [main] org.apache.nifi.web.server.JettyServer 
Failed to start web server... shutting down.
org.springframework.beans.factory.BeanCreationException: Error creating 
bean with name 'niFiWebApiSecurityConfiguration': Injection of autowired 
dependencies failed; nested exception is 
org.springframework.beans.factory.BeanCreationException: Could not autowire 
method: public void 
org.apache.nifi.web.NiFiWebApiSecurityConfiguration.setJwtAuthenticationProvider(org.apache.nifi.web.security.jwt.JwtAuthenticationProvider);
 nested exception is org.springframework.beans.factory.BeanCreationException: 
Error creating bean with name 'jwtAuthenticationProvider' defined in class path 
resource [nifi-web-security-context.xml]: Cannot resolve reference to bean 
'authorizer' while setting constructor argument; nested exception is 
org.springframework.beans.factory.BeanCreationException: Error creating bean 
with name 'authorizer': FactoryBean threw exception on object creation; nested 
exception is 
org.apache.nifi.authorization.exception.AuthorizerCreationException: Found 
multiple users/user group
 s with identity 'test'.
at 
org.springframework.beans.factory.annotation.AutowiredAnnotationBeanPostProcessor.postProcessPropertyValues(AutowiredAnnotationBeanPostProcessor.java:334)
at 
org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.populateBean(AbstractAutowireCapableBeanFactory.java:1214)
at 
org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:543)
at 
org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:482)
at 
org.springframework.beans.factory.support.AbstractBeanFactory$1.getObject(AbstractBeanFactory.java:306)
at 
org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:230)
at 
org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:302)
at 
org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:197)
at 
org.springframework.beans.factory.support.DefaultListableBeanFactory.preInstantiateSingletons(DefaultListableBeanFactory.java:772)
at 
org.springframework.context.support.AbstractApplicationContext.finishBeanFactoryInitialization(AbstractApplicationContext.java:839)
at 
org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:538)
at 
org.springframework.web.context.ContextLoader.configureAndRefreshWebApplicationContext(ContextLoader.java:446)
at 
org.springframework.web.context.ContextLoader.initWebApplicationContext(ContextLoader.java:328)
at 
org.springframework.web.context.ContextLoaderListener.contextInitialized(ContextLoaderListener.java:107)
at 
org.eclipse.jetty.server.handler.ContextHandler.callContextInitialized(ContextHandler.java:876)
at 
org.eclipse.jetty.servlet.ServletContextHandler.callContextInitialized(ServletContextHandler.java:532)
at 
org.eclipse.jetty.server.handler.ContextHandler.startContext(ContextHandler.java:839)

[GitHub] nifi pull request #1978: NIFI-4127: Composite User Group Providers

2017-07-06 Thread mcgilman 
Github user mcgilman commented on a diff in the pull request:

https://github.com/apache/nifi/pull/1978#discussion_r125987445
  
--- Diff: nifi-docs/src/main/asciidoc/administration-guide.adoc ---
@@ -464,6 +464,17 @@ Another option for the UserGroupProvider is the 
LdapUserGroupProvider. By defaul
 * Group Name Attribute - Attribute to use to extract group name (i.e. cn). 
Optional. If not set, the entire DN is used.
 * Group Member Attribute - Attribute to use to define group membership 
(i.e. member). Optional. If not set group membership will not be calculated 
through the groups. Will rely on group member being defined through 'User Group 
Name Attribute' if set.
 
+Another option for the UserGroupProvider are composite implementations. 
This means that multiple sources/implementations can be configured and 
composed. For instance, an admin can configure users/groups to be loaded from a 
file and an directory server. There are two composite implementations, one that 
supports multiple UserGroupProviders and one that supports multiple 
UserGroupProviders and a single configurable UserGroupProvider.
+
+The CompositeUserGroupProvider will provide support for retrieving users 
and groups from multiple sources.
--- End diff --

Multiple users should be supported in this PR. Did you see otherwise? There 
are a couple test cases that verify this [1] [2]. Order does matter and I can 
update the docs to describe this fact. UserGroupProviders are invoked in the 
order they appear in the authorizers.xml.

[1] 
https://github.com/mcgilman/nifi/blob/0e679007e59bfea050f73b046f52b2a772a281ae/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-framework-authorization/src/test/java/org/apache/nifi/authorization/CompositeUserGroupProviderTest.java#L139
[2] 
https://github.com/mcgilman/nifi/blob/0e679007e59bfea050f73b046f52b2a772a281ae/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-framework-authorization/src/test/java/org/apache/nifi/authorization/CompositeConfigurableUserGroupProviderTest.java#L93


---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastruct...@apache.org or file a JIRA ticket
with INFRA.
---

[GitHub] nifi pull request #1978: NIFI-4127: Composite User Group Providers

2017-07-06 Thread pvillard31 
Github user pvillard31 commented on a diff in the pull request:

https://github.com/apache/nifi/pull/1978#discussion_r125983064
  
--- Diff: nifi-docs/src/main/asciidoc/administration-guide.adoc ---
@@ -464,6 +464,17 @@ Another option for the UserGroupProvider is the 
LdapUserGroupProvider. By defaul
 * Group Name Attribute - Attribute to use to extract group name (i.e. cn). 
Optional. If not set, the entire DN is used.
 * Group Member Attribute - Attribute to use to define group membership 
(i.e. member). Optional. If not set group membership will not be calculated 
through the groups. Will rely on group member being defined through 'User Group 
Name Attribute' if set.
 
+Another option for the UserGroupProvider are composite implementations. 
This means that multiple sources/implementations can be configured and 
composed. For instance, an admin can configure users/groups to be loaded from a 
file and an directory server. There are two composite implementations, one that 
supports multiple UserGroupProviders and one that supports multiple 
UserGroupProviders and a single configurable UserGroupProvider.
+
+The CompositeUserGroupProvider will provide support for retrieving users 
and groups from multiple sources.
--- End diff --

I think we should indicate that if we have users/groups collisions between 
the sources, NiFi won't start successfully.


---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastruct...@apache.org or file a JIRA ticket
with INFRA.
---

[GitHub] nifi pull request #1978: NIFI-4127: Composite User Group Providers

2017-07-06 Thread pvillard31 
Github user pvillard31 commented on a diff in the pull request:

https://github.com/apache/nifi/pull/1978#discussion_r125982809
  
--- Diff: nifi-docs/src/main/asciidoc/administration-guide.adoc ---
@@ -464,6 +464,17 @@ Another option for the UserGroupProvider is the 
LdapUserGroupProvider. By defaul
 * Group Name Attribute - Attribute to use to extract group name (i.e. cn). 
Optional. If not set, the entire DN is used.
 * Group Member Attribute - Attribute to use to define group membership 
(i.e. member). Optional. If not set group membership will not be calculated 
through the groups. Will rely on group member being defined through 'User Group 
Name Attribute' if set.
 
+Another option for the UserGroupProvider are composite implementations. 
This means that multiple sources/implementations can be configured and 
composed. For instance, an admin can configure users/groups to be loaded from a 
file and an directory server. There are two composite implementations, one that 
supports multiple UserGroupProviders and one that supports multiple 
UserGroupProviders and a single configurable UserGroupProvider.
--- End diff --

typo: and a directory server


---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastruct...@apache.org or file a JIRA ticket
with INFRA.
---

[GitHub] nifi pull request #1978: NIFI-4127: Composite User Group Providers

2017-07-06 Thread pvillard31 
Github user pvillard31 commented on a diff in the pull request:

https://github.com/apache/nifi/pull/1978#discussion_r125983712
  
--- Diff: nifi-docs/src/main/asciidoc/administration-guide.adoc ---
@@ -464,6 +464,17 @@ Another option for the UserGroupProvider is the 
LdapUserGroupProvider. By defaul
 * Group Name Attribute - Attribute to use to extract group name (i.e. cn). 
Optional. If not set, the entire DN is used.
 * Group Member Attribute - Attribute to use to define group membership 
(i.e. member). Optional. If not set group membership will not be calculated 
through the groups. Will rely on group member being defined through 'User Group 
Name Attribute' if set.
 
+Another option for the UserGroupProvider are composite implementations. 
This means that multiple sources/implementations can be configured and 
composed. For instance, an admin can configure users/groups to be loaded from a 
file and an directory server. There are two composite implementations, one that 
supports multiple UserGroupProviders and one that supports multiple 
UserGroupProviders and a single configurable UserGroupProvider.
+
+The CompositeUserGroupProvider will provide support for retrieving users 
and groups from multiple sources.
+
+* User Group Provider - The identifier of user group providers to load 
from. The name of each property must be unique, for example: "User Group 
Provider A", "User Group Provider B", "User Group Provider C" or "User Group 
Provider 1", "User Group Provider 2", "User Group Provider 3"
+
+The CompositeConfigurableUserGroupProvider will provide support for 
retrieving users and groups from multiple sources. Additionally, a single 
configurable user group provider is required. Users from the configurable user 
group provider are configurable, however users loaded from one of the User 
Group Provider [unique key] will not be.
--- End diff --

It's really a detail, but for uniformity, could you add "The X has the 
following properties:"?


---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastruct...@apache.org or file a JIRA ticket
with INFRA.
---

[GitHub] nifi pull request #1978: NIFI-4127: Composite User Group Providers

2017-07-06 Thread pvillard31 
Github user pvillard31 commented on a diff in the pull request:

https://github.com/apache/nifi/pull/1978#discussion_r125984210
  
--- Diff: nifi-docs/src/main/asciidoc/administration-guide.adoc ---
@@ -464,6 +464,17 @@ Another option for the UserGroupProvider is the 
LdapUserGroupProvider. By defaul
 * Group Name Attribute - Attribute to use to extract group name (i.e. cn). 
Optional. If not set, the entire DN is used.
 * Group Member Attribute - Attribute to use to define group membership 
(i.e. member). Optional. If not set group membership will not be calculated 
through the groups. Will rely on group member being defined through 'User Group 
Name Attribute' if set.
 
+Another option for the UserGroupProvider are composite implementations. 
This means that multiple sources/implementations can be configured and 
composed. For instance, an admin can configure users/groups to be loaded from a 
file and an directory server. There are two composite implementations, one that 
supports multiple UserGroupProviders and one that supports multiple 
UserGroupProviders and a single configurable UserGroupProvider.
+
+The CompositeUserGroupProvider will provide support for retrieving users 
and groups from multiple sources.
+
+* User Group Provider - The identifier of user group providers to load 
from. The name of each property must be unique, for example: "User Group 
Provider A", "User Group Provider B", "User Group Provider C" or "User Group 
Provider 1", "User Group Provider 2", "User Group Provider 3"
+
+The CompositeConfigurableUserGroupProvider will provide support for 
retrieving users and groups from multiple sources. Additionally, a single 
configurable user group provider is required. Users from the configurable user 
group provider are configurable, however users loaded from one of the User 
Group Provider [unique key] will not be.
+
+* Configurable User Group Provider - A configurable user group provider.
--- End diff --

I would add an example or update the example below in the documentation to 
show the configuration of the CompositeConfigurableUserGroupProvider as I 
believe it'll be largely used.


---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastruct...@apache.org or file a JIRA ticket
with INFRA.
---

[GitHub] nifi pull request #1978: NIFI-4127: Composite User Group Providers

2017-07-05 Thread mcgilman 
GitHub user mcgilman opened a pull request:

https://github.com/apache/nifi/pull/1978

NIFI-4127: Composite User Group Providers

NIFI-4127:
- Introducing composite ConfigurableUserGroupProvider and UserGroupProvider.
- Adding appropriate unit tests.
- Updating object model to support per resource (user/group/policy) 
configuration.
- Updating UI to support per resource (user/group/policy) configuration.
- Adding necessary documentation.

You can merge this pull request into a Git repository by running:

$ git pull https://github.com/mcgilman/nifi NIFI-4127

Alternatively you can review and apply these changes as the patch at:

https://github.com/apache/nifi/pull/1978.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

This closes #1978


commit 0e679007e59bfea050f73b046f52b2a772a281ae
Author: Matt Gilman 
Date:   2017-06-28T20:40:41Z

NIFI-4127:
- Introducing composite ConfigurableUserGroupProvider and UserGroupProvider.
- Adding appropriate unit tests.
- Updating object model to support per resource (user/group/policy) 
configuration.
- Updating UI to support per resource (user/group/policy) configuration.
- Adding necessary documentation.




---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastruct...@apache.org or file a JIRA ticket
with INFRA.
---