Greetings,
We discovered with NiFi 2.0.0-M4 that if a personal X.509 certificate is set in user accounts under Windows, that certificate is getting used by NiFi for authorization instead of the normal OpenID/SSO headers. The user id in the X.509 certificate is not the same as the one in OpenID/SSO (Okta) and thus, the person is denied access to NiFi.
This particular certificate is not meant to be used by NiFi to authenticate and authorize users in NiFi even though it is recognized by our Identity Provider. We desire that NiFi only authenticate and authorize users with OpenID/SSO (which works when I remove the personal certificate from users' Windows workstations).
It seems that there is no option available in nifi.properties to prevent this behaviour. Thus, my following questions/remarks:
- Is there a way to disable this behaviour?
- If not, would it be acceptable to add a parameter in nifi.properties to disable the X.509 certificate extraction? What name should this parameter have and how should it be implemented? I could submit a pull request, but it would be nice to have some guidance from a NiFi developer.
- Or... is there a way to change the program so that authorization does not fail as soon as one method tested fails, but succeeds if any other method succeeds?
Technicalities:
Changing the code in X509AuthenticationFilter.attemptAuthentication() to always return 'null' fixes our problem by making NiFi believe that no X.509 certificate is available and leaves the other filters to be tested, including the one handling OpenID/SSO.
For my tests, I recompiled NiFi's code at Git tag 'rel/nifi-2.0.0-M4'.
Best regards,
Hans Deragon
