This repository has been archived by the owner on Feb 12, 2024. It is now read-only.
Update LDAP parameters
* Add a few new parameters in 03-ldap-values.yaml for test
* Add envFrom for loading env from secrets, and subsets them
* Upgrade app version
* Fix format for nifi.provenance.repository.debug.frequency
* Add comments for ingress in values.yaml
* Fix hardcoded busybox image tag in ca app
* Fix hardcoded ldap parameters in authorizers.xml
* Add logback.xml for log level
* Fix hardcoded values and add new parameters in login-identity-providers-ldap.xml
* Update hardcoded values and add new parameters in nifi.properties
* Replace command cat with envsubst for using env vars aka source of params in configs
* Update app version
* Add clusterDomain aka global parameter
* Update README
* Remove file-provider in authorizers.xml, and set composite-configurable-user-group-provider
* Fix hardcoded schema for registry url
* Fix sa name for nifi app
dmitrii-dmnk committed Dec 10, 2022
1 parent e796d1a commit 67606f2
Showing 13 changed files with 596 additions and 300 deletions.
4 changes: 2 additions & 2 deletions Chart.yaml
@@ -1,8 +1,8 @@
---
apiVersion: v2
name: nifi
version: 1.1.3
appVersion: 1.16.3
version: 1.1.4
appVersion: 1.19.0
description: Apache NiFi is a software project from the Apache Software Foundation designed to automate the flow of data between software systems.
keywords:
- nifi
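Review bot: `appVersion` jumps from 1.16.3 to 1.19.0 while `version` only moves from 1.1.3 to 1.1.4; given the value renames in `configs/authorizers.xml` in this same commit (`auth.ldap.admin` to `auth.ldap.initialAdmin`, `auth.ldap.searchBase` to `auth.ldap.userSearchBase`, and others), existing values files will render differently, so a minor or major chart version bump with a changelog entry would signal the breaking change to users rather than a patch bump.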
328 changes: 174 additions & 154 deletions README.md

Large diffs are not rendered by default.

6 changes: 5 additions & 1 deletion charts/ca/templates/deployment.yaml
@@ -33,6 +33,10 @@ spec:
OPTIONS="--configJson config.json --useConfigJson"
fi
exec ${NIFI_TOOLKIT_HOME}/bin/tls-toolkit.sh server -c "{{ template "ca.fullname" . }}" -t {{ .Values.token }} -p {{ .Values.app_port }} ${OPTIONS}
{{- if .Values.envFrom }}
envFrom:
{{- toYaml .Values.envFrom | nindent 10 }}
{{- end }}
resources:
{{ toYaml .Values.resources | indent 10 }}
ports:
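Review bot: the new `envFrom` block is the right place to load secrets, but the existing `exec ... -t {{ .Values.token }}` line two lines above still puts the CA token on the container command line, where it is readable in the rendered pod spec and by anything that can list processes on the node; since this hunk adds `secretRef` loading, consider passing the token as an environment variable sourced from a Secret (for example `-t "${CA_TOKEN}"`) instead of a Helm value. Also, `toYaml .Values.envFrom` renders whatever type the value has, and the `charts/ca/values.yaml` default in this commit is a map (`{}`) while Kubernetes expects a list under `envFrom`; an empty list default (`[]`) avoids a type surprise when a user appends to it.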
@@ -58,7 +62,7 @@ spec:
- sh
- -c
- chown -R 1000:1000 /ca
image: busybox
image: "{{ .Values.persistence.initContainer.image }}"
imagePullPolicy: IfNotPresent
name: volume-permissions
resources: {}
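Review bot: making the init container image configurable is good, but the commit message says the busybox tag is no longer hardcoded while the default introduced in `charts/ca/values.yaml` is still the untagged `busybox`, which resolves to `latest` and can change under the chart without notice; pin a tag or digest in the default (`busybox:<tag>` or `busybox@sha256:<digest>`). This container runs `chown -R 1000:1000 /ca` as root on the persistent volume, so an unpinned image is a supply-chain risk out of proportion to its job.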
7 changes: 7 additions & 0 deletions charts/ca/values.yaml
@@ -13,11 +13,18 @@ service:
type: ClusterIP
port: 9090

envFrom: {}
# - secretRef:
# name: test

## Enable persistence using Persistent Volume Claims
## ref: http://kubernetes.io/docs/user-guide/persistent-volumes/
##
persistence:
enabled: false
# when persistence is enabled, define image for busybox
initContainer:
image: busybox

# When creating persistent storage, the NiFi helm chart can either reference an already-defined
# storage class by name, such as "standard" or can define a custom storage class by specifying
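Review bot: `envFrom: {}` is a map, but the commented example directly below it and the `envFrom:` field in the deployment template are a list; use `envFrom: []` as the default so the `- secretRef:` example can be uncommented as-is and `toYaml` renders a valid list. The comment on `initContainer` reads "define image for busybox" but does not say the image is consumed untagged; a short note that users should pin a tag or digest (and a pinned default) would close that gap.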
92 changes: 32 additions & 60 deletions configs/authorizers.xml
@@ -48,10 +48,10 @@
<property name="Users File">./auth-conf/users.xml</property>
<property name="Legacy Authorized Users File"></property>
{{- range $i := until $replicas }}
<property name="Initial User Identity {{ $i }}">CN={{ $fullname }}-{{ $i }}.{{ $fullname }}-headless.{{ $namespace }}.svc.cluster.local, OU=NIFI</property>
<property name="Initial User Identity {{ $i }}">CN={{ $fullname }}-{{ $i }}.{{ $fullname }}-headless.{{ $namespace }}.svc.{{ $.Values.clusterDomain }}, OU=NIFI</property>
{{- end }}
{{- if and .Values.auth.ldap.enabled (not .Values.auth.admin) }}
<property name="Initial User Identity admin">{{.Values.auth.ldap.admin}}</property>
<property name="Initial User Identity admin">{{.Values.auth.ldap.initialAdmin}}</property>
{{- else }}
<property name="Initial User Identity admin">{{ .Values.auth.admin }}</property>
{{- end}}
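Review bot: `{{ $.Values.clusterDomain }}` correctly uses the root context inside the `range`, but nothing in this hunk guards against the value being unset: an empty `clusterDomain` renders the node identities as `...svc.` followed by nothing, and those DNs then never match the node certificates, which surfaces only as authorization failures between cluster nodes. Use `{{ $.Values.clusterDomain | default "cluster.local" }}` or `{{ required "clusterDomain must be set" $.Values.clusterDomain }}` so the failure happens at render time. The same applies to the `Node Identity` entries in the `file-access-policy-provider` block later in this file.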
@@ -117,44 +117,50 @@
NOTE: Any identity mapping rules specified in nifi.properties will also be applied to the user identities.
Group names are not mapped.
-->
{{- if .Values.auth.ldap.enabled}}
{{- if .Values.auth.ldap.enabled }}
<userGroupProvider>
<identifier>ldap-user-group-provider</identifier>
<class>org.apache.nifi.ldap.tenants.LdapUserGroupProvider</class>
<property name="Authentication Strategy">SIMPLE</property>
<property name="Manager DN">{{.Values.auth.ldap.admin}}</property>
<property name="Manager Password">{{.Values.auth.ldap.pass}}</property>
<property name="TLS - Keystore">/opt/nifi/nifi-current/conf/{{.Release.Name}}-nifi-0.{{.Release.Name}}-nifi-headless.{{.Values.properties.namespace}}.svc.cluster.local/keystore.jks</property>
<property name="Authentication Strategy">{{.Values.auth.ldap.authenticationStrategy}}</property>
<property name="Manager DN">{{.Values.auth.ldap.managerDN}}</property>
<property name="Manager Password">{{.Values.auth.ldap.managerPassword}}</property>
<property name="TLS - Keystore Password">{{.Values.auth.SSL.keystorePasswd}}</property>
<property name="TLS - Keystore Type">jks</property>
<property name="TLS - Truststore">/opt/nifi/nifi-current/conf/{{.Release.Name}}-nifi-0.{{.Release.Name}}-nifi-headless.{{.Values.properties.namespace}}.svc.cluster.local/truststore.jks</property>
<property name="TLS - Keystore Type">JKS</property>
{{- if .Values.certManager.enabled }}
<property name="TLS - Keystore">/opt/nifi/nifi-current/tls/keystore.jks</property>
<property name="TLS - Truststore">/opt/nifi/nifi-current/tls/truststore.jks</property>
{{- else }}
<property name="TLS - Keystore">/opt/nifi/nifi-current/tls/{{.Release.Name}}-0.{{.Release.Name}}-headless.{{.Release.Namespace}}.svc.{{.Values.clusterDomain}}/keystore.jks</property>
<property name="TLS - Truststore">/opt/nifi/nifi-current/tls/{{.Release.Name}}-0.{{.Release.Name}}-headless.{{.Release.Namespace}}.svc.{{.Values.clusterDomain}}/truststore.jks</property>
{{- end }}
<property name="TLS - Truststore Password">{{.Values.auth.SSL.truststorePasswd}}</property>
<property name="TLS - Truststore Type">JKS</property>
<property name="TLS - Client Auth">NONE</property>
<property name="TLS - Protocol">TLS</property>
<property name="TLS - Shutdown Gracefully">false</property>
<property name="Referral Strategy">IGNORE</property>
<property name="Referral Strategy">{{.Values.auth.ldap.referralStrategy}}</property>
<property name="Connect Timeout">10 secs</property>
<property name="Read Timeout">10 secs</property>
<property name="Url">{{.Values.auth.ldap.host}}</property>
<property name="Page Size"></property>
<property name="Sync Interval">30 mins</property>
<property name="User Search Base">{{.Values.auth.ldap.searchBase}}</property>
<property name="Sync Interval">{{.Values.auth.ldap.syncInterval}}</property>
<property name="Group Membership - Enforce Case Sensitivity">false</property>
<property name="User Search Base">{{.Values.auth.ldap.userSearchBase}}</property>
<property name="User Object Class">person</property>
<property name="User Search Scope">{{.Values.auth.ldap.userSearchScope}}</property>
<property name="User Search Filter">{{.Values.auth.ldap.searchFilter}}</property>
<property name="User Identity Attribute">{{.Values.auth.ldap.UserIdentityAttribute}}</property>
<property name="User Group Name Attribute"></property>
<property name="User Search Filter">{{.Values.auth.ldap.userSearchFilter}}</property>
<property name="User Identity Attribute">{{.Values.auth.ldap.userIdentityAttribute}}</property>
<property name="User Group Name Attribute">{{.Values.auth.ldap.userGroupNameAttribute}}</property>
<property name="User Group Name Attribute - Referenced Group Attribute"></property>
<property name="Group Search Base"></property>
<property name="Group Object Class">group</property>
<property name="Group Search Base">{{.Values.auth.ldap.groupSearchBase}}</property>
<property name="Group Object Class">{{.Values.auth.ldap.groupObjectClass}}</property>
<property name="Group Search Scope">{{.Values.auth.ldap.groupSearchScope}}</property>
<property name="Group Search Filter"></property>
<property name="Group Name Attribute"></property>
<property name="Group Member Attribute"></property>
<property name="Group Name Attribute">{{.Values.auth.ldap.groupNameAttribute}}</property>
<property name="Group Member Attribute">{{.Values.auth.ldap.groupMemberAttribute}}</property>
<property name="Group Member Attribute - Referenced User Attribute"></property>
</userGroupProvider>
{{- end}}
{{- end }}

<!--
The CompositeUserGroupProvider will provide support for retrieving users and groups from multiple sources.
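Review bot: `Manager Password` is now rendered from `{{.Values.auth.ldap.managerPassword}}` straight into `authorizers.xml`, so the LDAP bind password ends up in plain text in the rendered ConfigMap and in `helm get values` output; since this commit introduces `envFrom` and `envsubst` for secrets elsewhere, consider substituting an environment variable populated from a Secret here instead of a Helm value. Smaller points in the same hunk: `Url` still reads `.Values.auth.ldap.host` while every neighbouring key was renamed to the `userSearch*`/`groupSearch*` scheme; `Group Search Filter` and the two `Referenced ... Attribute` properties stay empty and unparameterised; and `TLS - Client Auth` and `TLS - Protocol` remain hardcoded even though `Authentication Strategy` is now configurable, so `LDAPS` and `START_TLS` users have no way to adjust them.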
@@ -164,14 +170,14 @@
NOTE: Any identity mapping rules specified in nifi.properties are not applied in this implementation. This behavior
would need to be applied by the base implementation.
-->
{{- if .Values.auth.ldap.enabled}}
{{- if .Values.auth.ldap.enabled }}
<userGroupProvider>
<identifier>composite-configurable-user-group-provider</identifier>
<class>org.apache.nifi.authorization.CompositeConfigurableUserGroupProvider</class>
<property name="Configurable User Group Provider">file-user-group-provider</property>
<property name="User Group Provider 1">ldap-user-group-provider</property>
</userGroupProvider>
{{- end}}
{{- end }}

<!--
The CompositeConfigurableUserGroupProvider will provide support for retrieving users and groups from multiple sources.
@@ -220,16 +226,16 @@
<accessPolicyProvider>
<identifier>file-access-policy-provider</identifier>
<class>org.apache.nifi.authorization.FileAccessPolicyProvider</class>
<property name="User Group Provider">file-user-group-provider</property>
<property name="User Group Provider">composite-configurable-user-group-provider</property>
<property name="Authorizations File">./auth-conf/authorizations.xml</property>
{{- if and .Values.auth.ldap.enabled (not .Values.auth.admin) }}
<property name="Initial Admin Identity">{{.Values.auth.ldap.admin}}</property>
<property name="Initial Admin Identity">{{.Values.auth.ldap.initialAdmin}}</property>
{{- else }}
<property name="Initial Admin Identity">{{ .Values.auth.admin }}</property>
{{- end}}
<property name="Legacy Authorized Users File"></property>
{{- range $i := until $replicas }}
<property name="Node Identity {{ $i }}">CN={{ $fullname }}-{{ $i }}.{{ $fullname }}-headless.{{ $namespace }}.svc.cluster.local, OU=NIFI</property>
<property name="Node Identity {{ $i }}">CN={{ $fullname }}-{{ $i }}.{{ $fullname }}-headless.{{ $namespace }}.svc.{{ $.Values.clusterDomain }}, OU=NIFI</property>
{{- end }}
<property name="Node Identity"></property>
</accessPolicyProvider>
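Review bot: `User Group Provider` now points at `composite-configurable-user-group-provider` unconditionally, but that provider is only defined inside `{{- if .Values.auth.ldap.enabled }}` in the hunk above, so a deployment with LDAP disabled references a provider that does not exist in the file and NiFi will refuse to initialise its authorizer. Either define the composite provider outside the guard (with only `file-user-group-provider` wired in when LDAP is off) or make this property conditional, for example `{{- if .Values.auth.ldap.enabled }}composite-configurable-user-group-provider{{- else }}file-user-group-provider{{- end }}`.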
@@ -245,38 +251,4 @@
<class>org.apache.nifi.authorization.StandardManagedAuthorizer</class>
<property name="Access Policy Provider">file-access-policy-provider</property>
</authorizer>
<!--
NOTE: This Authorizer has been replaced with the more granular approach configured above with the Standard
Managed Authorizer. However, it is still available for backwards compatibility reasons.
The FileAuthorizer is NiFi's provided authorizer and has the following properties:
- Authorizations File - The file where the FileAuthorizer will store policies.
- Users File - The file where the FileAuthorizer will store users and groups.
- Initial Admin Identity - The identity of an initial admin user that will be granted access to the UI and
given the ability to create additional users, groups, and policies. The value of this property could be
a DN when using certificates or LDAP, or a Kerberos principal. This property will only be used when there
are no other users, groups, and policies defined. If this property is specified then a Legacy Authorized
Users File can not be specified.
NOTE: Any identity mapping rules specified in nifi.properties will also be applied to the initial admin identity,
so the value should be the unmapped identity.
- Legacy Authorized Users File - The full path to an existing authorized-users.xml that will be automatically
converted to the new authorizations model. If this property is specified then an Initial Admin Identity can
not be specified, and this property will only be used when there are no other users, groups, and policies defined.
- Node Identity [unique key] - The identity of a NiFi cluster node. When clustered, a property for each node
should be defined, so that every node knows about every other node. If not clustered these properties can be ignored.
The name of each property must be unique, for example for a three node cluster:
"Node Identity A", "Node Identity B", "Node Identity C" or "Node Identity 1", "Node Identity 2", "Node Identity 3"
NOTE: Any identity mapping rules specified in nifi.properties will also be applied to the node identities,
so the values should be the unmapped identities (i.e. full DN from a certificate).
-->
{{- if .Values.auth.ldap.enabled}}
<authorizer>
<identifier>file-provider</identifier>
<class>org.apache.nifi.authorization.FileAuthorizer</class>
<property name="Authorizations File">./auth-conf/authorizations.xml</property>
<property name="Users File">./auth-conf/users.xml</property>
<property name="Initial Admin Identity">{{.Values.auth.ldap.admin}}</property>
<property name="Legacy Authorized Users File"></property>

</authorizer>
{{- end}}
</authorizers>
</authorizers>
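Review bot: dropping the unused `file-provider` authorizer narrows the file to a single authorizer, which is fine as long as `nifi.security.user.authorizer` in `nifi.properties` (not shown on this page) still names `managed-authorizer`, since the removed block was the only other valid target; worth confirming in the same commit. The closing `</authorizers>` being removed and re-added looks like a trailing-newline change and is harmless. Note that the removed block read `.Values.auth.ldap.admin`, and with that key renamed to `initialAdmin` throughout this commit, users who still set `auth.ldap.admin` will get an empty `Initial Admin Identity` with no error; a `required` check on `initialAdmin` when LDAP is enabled, or a migration note in the README, would make the rename visible.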
0 comments on commit 67606f2