NIFI-4059: Introduce LdapUserGroupProvider #1923
- Introducing the LdapUserGroupProvider.
- Updating documentation accordingly.
- Moving the IdentityMapping utilities so they were accessible.
Reviewing - first remark:
;)
@@ -395,6 +395,39 @@ The default UserGroupProvider is the FileUserGroupProvider, however, you can dev | |||
* Legacy Authorized Users File - The full path to an existing authorized-users.xml that will be automatically be used to load the users and groups into the Users File. | |||
* Initial User Identity - The identity of a users and systems to seed the Users File. The name of each property must be unique, for example: "Initial User Identity A", "Initial User Identity B", "Initial User Identity C" or "Initial User Identity 1", "Initial User Identity 2", "Initial User Identity 3" | |||
|
|||
Another option for the UserGroupProvider is the LdapUserGroupProvider. Be default, this option is commented out but can be configured in lieu of the FileUserGroupProvider. This will sync users and groups from a directory server and will present them in NiFi UI in read only form. The LdapUserGroupProvider has the following properties: |
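Review bot: In the added LdapUserGroupProvider paragraph, "commented out" does not name the file in which the provider is commented out, so a reader has to guess where to enable it; name the file in that sentence. The paragraph also says users and groups are synced from a directory server and shown read-only, but not when the sync happens, which determines how quickly a membership removal in the directory takes effect in NiFi; add a sentence on that, or a pointer to the property that controls it if the list that follows has one. Minor: "Be default" should be "By default" and "read only" should be hyphenated.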
Typo: By default
Hey @mcgilman, I played a bit with it and that's really great. It's going to be super useful. It also gave me the occasion to have a look at the Managed Authorizer stuff - it's neat! Tested using Apache Directory Studio and tried multiple scenarios: users first, groups first, both users and groups. All is working as expected. I've just one remark: when using users only search, but also setting the group name attribute, the full DN of the group is used. Would be nice to also take into account the group name attribute in that case (Note: the other way is working - if searching for groups and defining the user name attribute, we don't have the full DN for users). Overall LGTM.
- Fixing contrib check issues.
- Fixing typo in admin guide.
Thanks @pvillard31 for having a look at this PR! I've addressed the two issues above and I think resolving the group name when searching users only and detecting group membership is supported. Check out this unit test here [1]. Please let me know if I misunderstood. Thanks again!
Hey @mcgilman, just tried again and it's working... I guess I made a typo when I tried the first time. Thanks for the corrections. Will wait for travis build and will merge by eod. Thanks!
+1, squashed and merged, thanks!
NIFI-4059: