Add settings for doing secure auth LDAPS/AD (konpyutaika#391)
* add ldaps settings

* update changelog

* remove duplicate ClientAuth

* Update pkg/resources/templates/config/login_identity_providers.go

Co-authored-by: Michael H <[email protected]>

* update comments and docs

* Update api/v1/nificluster_types.go

- indent fix

Co-authored-by: Juldrixx <[email protected]>

* Update site/docs/5_references/1_nifi_cluster/1_nifi_cluster.md

Co-authored-by: Michael H <[email protected]>

---------

Co-authored-by: Wes <[email protected]>
Co-authored-by: Michael H <[email protected]>
Co-authored-by: Juldrixx <[email protected]>
4 people authored Mar 8, 2024
1 parent ca7dcc9 commit 659312a
Showing 7 changed files with 115 additions and 16 deletions.
2 changes: 2 additions & 0 deletions CHANGELOG.md
Expand Up @@ -2,6 +2,8 @@

### Added

- [PR #391](https://github.com/konpyutaika/nifikop/pull/391) - **[Operator/NifiUserGroup]** Added settings missing for secure LDAP connections in login_identity_providers.xml

- [PR #381](https://github.com/konpyutaika/nifikop/pull/381) - **[Operator/NifiUserGroup]** Added ability to set `NifiUserGroup.Spec.Identity` when users need to override the default naming convention.

### Changed
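Review bot: the PR #391 entry is tagged **[Operator/NifiUserGroup]**, but the files in this change touch `LdapConfiguration` on the NifiCluster resource (`api/v1/nificluster_types.go`, the `nifi.konpyutaika.com_nificlusters.yaml` CRDs and the NifiCluster reference page), so the tag should be **[Operator/NifiCluster]**. Naming the new fields (`tlsKeystore`, `tlsTruststore`, `clientAuth`, `protocol`, `shutdownGracefully`, `referralStrategy`) in the entry would also let operators searching the changelog find them.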
23 changes: 23 additions & 0 deletions api/v1/nificluster_types.go
Expand Up @@ -576,11 +576,34 @@ type LdapConfiguration struct {
ManagerDn string `json:"managerDn,omitempty"`
// The password of the manager that is used to bind to the LDAP server to search for users.
ManagerPassword string `json:"managerPassword,omitempty"`
// Path to the Keystore that is used when connecting to LDAP using LDAPS or START_TLS.
// The TLS Keystore settings are optional and only used if your LDAP/AD server needs mutual TLS.
TLSKeystore string `json:"tlsKeystore,omitempty"`
// Password for the Keystore that is used when connecting to LDAP using LDAPS or START_TLS.
TLSKeystorePassword string `json:"tlsKeystorePassword,omitempty"`
// Type of the Keystore that is used when connecting to LDAP using LDAPS or START_TLS (i.e. JKS or PKCS12).
TLSKeystoretype string `json:"tlsKeystoreType,omitempty"`
// Path to the Truststore that is used when connecting to LDAP using LDAPS or START_TLS.
// The Truststore should contain the valid CA that your LDAPS/AD server is in to allow NiFi to trust it
TLSTruststore string `json:"tlsTruststore,omitempty"`
// Password for the Truststore that is used when connecting to LDAP using LDAPS or START_TLS.
TLSTruststorePassword string `json:"tlsTruststorePassword,omitempty"`
// Type of the Truststore that is used when connecting to LDAP using LDAPS or START_TLS (i.e. JKS or PKCS12).
TLSTruststoreType string `json:"tlsTruststoreType,omitempty"`
// Client authentication policy when connecting to LDAP using LDAPS or START_TLS. Possible values are REQUIRED, WANT, NONE.
ClientAuth string `json:"clientAuth,omitempty"`
// Protocol to use when connecting to LDAP using LDAPS or START_TLS. (i.e. TLS, TLSv1.1, TLSv1.2, etc).
Protocol string `json:"protocol,omitempty"`
// Specifies whether the TLS should be shut down gracefully before the target context is closed. Defaults to false.
ShutdownGracefully string `json:"shutdownGracefully,omitempty"`
// Strategy for handling referrals. Possible values are FOLLOW, IGNORE, THROW.
ReferralStrategy string `json:"referralStrategy,omitempty"`
// Strategy to identify users. Possible values are USE_DN and USE_USERNAME.
// The default functionality if this property is missing is USE_DN in order to retain backward compatibility.
// USE_DN will use the full DN of the user entry if possible.
// USE_USERNAME will use the username the user logged in with.
IdentityStrategy string `json:"identityStrategy,omitempty"`

}

// NifiClusterTaskSpec specifies the configuration of the nifi cluster Tasks.
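Review bot: `TLSKeystoretype` (lowercase `type`) breaks the naming pattern of the neighbouring fields (`TLSKeystorePassword`, `TLSTruststoreType`), and the template in `pkg/resources/templates/config/login_identity_providers.go` reads `.LdapConfiguration.TLSKeystoreType`, which is not a field of this struct, so template execution will fail; rename it to `TLSKeystoreType` (the JSON tag already says `tlsKeystoreType`). `ClientAuth`, `Protocol`, `ReferralStrategy` and `IdentityStrategy` each accept a fixed set of values, so `// +kubebuilder:validation:Enum=REQUIRED;WANT;NONE` style markers would reject a typo at admission instead of surfacing it as a NiFi startup failure; `ShutdownGracefully` is documented as a boolean that defaults to false but is typed `string`, so either make it `bool` or validate it the same way. `TLSKeystorePassword` and `TLSTruststorePassword` sit in clear text in the cluster spec, as `ManagerPassword` already does; a follow-up that reads them from a Secret reference would keep credentials out of `kubectl get -o yaml` output and etcd backups. Minor: `i.e.` in the Keystore/Truststore type and Protocol comments should be `e.g.`, since JKS/PKCS12 and TLSv1.2 are examples, and the blank line before the closing `}` can go.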
20 changes: 20 additions & 0 deletions config/crd/bases/nifi.konpyutaika.com_nificlusters.yaml
Expand Up @@ -759,6 +759,26 @@ spec:
type: string
managerPassword:
type: string
tlsKeystore:
type: string
tlsKeytorePassword:
type: string
tlsKeytoreType:
type: string
tlsTruststore:
type: string
tlsTruststorePassword:
type: string
tlsTruststoreType:
type: string
clientAuth:
type: string
protocol:
type: string
shutdownGracefully:
type: string
referralStrategy:
type: string
searchBase:
type: string
searchFilter:
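Review bot: `tlsKeytorePassword` and `tlsKeytoreType` are missing the `s` and do not match the JSON tags `tlsKeystorePassword` / `tlsKeystoreType` declared in `api/v1/nificluster_types.go`; with structural-schema pruning the API server silently drops the correctly spelled keys from a submitted NifiCluster as unknown fields, so the operator never sees them, while the misspelled keys are accepted but never read. The block also lacks the `description:` entries that controller-gen emits from the Go doc comments, which suggests it was edited by hand; regenerate the CRD from the Go types (the usual kubebuilder `make manifests` target, assuming this project uses it) so the schema, the Go struct and the Helm copy cannot drift.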
Original file line number Diff line number Diff line change
Expand Up @@ -1116,6 +1116,26 @@ spec:
type: string
identityStrategy:
type: string
tlsKeystore:
type: string
tlsKeytorePassword:
type: string
tlsKeytoreType:
type: string
tlsTruststore:
type: string
tlsTruststorePassword:
type: string
tlsTruststoreType:
type: string
clientAuth:
type: string
protocol:
type: string
shutdownGracefully:
type: string
referralStrategy:
type: string
type: object
listenersConfig:
description: listenerConfig specifies nifi's listener specifig configs
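Review bot: same `tlsKeytorePassword` / `tlsKeytoreType` misspelling as in the hunk at line 759, with the same consequence (the correctly spelled keys from the Go JSON tags are pruned as unknown). This hunk also appends the new properties after `identityStrategy` while the other inserts them after `managerPassword`, so the two schemas were patched by hand rather than generated; one regeneration from the Go types would fix both and keep them consistent.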
20 changes: 20 additions & 0 deletions helm/nifikop/crds/nifi.konpyutaika.com_nificlusters.yaml
Expand Up @@ -759,6 +759,26 @@ spec:
type: string
managerPassword:
type: string
tlsKeystore:
type: string
tlsKeytorePassword:
type: string
tlsKeytoreType:
type: string
tlsTruststore:
type: string
tlsTruststorePassword:
type: string
tlsTruststoreType:
type: string
clientAuth:
type: string
protocol:
type: string
shutdownGracefully:
type: string
referralStrategy:
type: string
searchBase:
type: string
searchFilter:
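Review bot: the Helm copy carries the same `tlsKeytorePassword` / `tlsKeytoreType` misspelling as `config/crd/bases`, so a chart-installed CRD will prune `tlsKeystorePassword` and `tlsKeystoreType` from user manifests. Since `helm/nifikop/crds` must stay identical to the generated CRD, copy the regenerated file over rather than editing both by hand; a CI check that diffs the two files would catch this class of drift.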
20 changes: 10 additions & 10 deletions pkg/resources/templates/config/login_identity_providers.go
Expand Up @@ -73,17 +73,17 @@ var LoginIdentityProvidersTemplate = `<?xml version="1.0" encoding="UTF-8" stand
<property name="Authentication Strategy">{{or .LdapConfiguration.AuthenticationStrategy "START_TLS"}}</property>
<property name="Manager DN">{{.LdapConfiguration.ManagerDn}}</property>
<property name="Manager Password">{{.LdapConfiguration.ManagerPassword}}</property>
<property name="TLS - Keystore"></property>
<property name="TLS - Keystore Password"></property>
<property name="TLS - Keystore Type"></property>
<property name="TLS - Truststore"></property>
<property name="TLS - Truststore Password"></property>
<property name="TLS - Truststore Type"></property>
<property name="TLS - Client Auth"></property>
<property name="TLS - Protocol"></property>
<property name="TLS - Shutdown Gracefully"></property>
<property name="TLS - Keystore">{{.LdapConfiguration.TLSKeystore}}</property>
<property name="TLS - Keystore Password">{{.LdapConfiguration.TLSKeystorePassword}}</property>
<property name="TLS - Keystore Type">{{.LdapConfiguration.TLSKeystoreType}}</property>
<property name="TLS - Truststore">{{.LdapConfiguration.TLSTruststore}}</property>
<property name="TLS - Truststore Password">{{.LdapConfiguration.TLSTruststorePassword}}</property>
<property name="TLS - Truststore Type">{{.LdapConfiguration.TLSTruststoreType}}</property>
<property name="TLS - Client Auth">{{.LdapConfiguration.ClientAuth}}</property>
<property name="TLS - Protocol">{{.LdapConfiguration.Protocol}}</property>
<property name="TLS - Shutdown Gracefully">{{.LdapConfiguration.ShutdownGracefully}}</property>
<property name="Referral Strategy">FOLLOW</property>
<property name="Referral Strategy">{{or .LdapConfiguration.ReferralStrategy "FOLLOW"}}</property>
<property name="Connect Timeout">10 secs</property>
<property name="Read Timeout">10 secs</property>
<property name="Url">{{.LdapConfiguration.Url}}</property>
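Review bot: `{{.LdapConfiguration.TLSKeystoreType}}` on the `TLS - Keystore Type` line refers to a field the struct in this change does not define (it is spelled `TLSKeystoretype` in `api/v1/nificluster_types.go`), and Go's template engine treats a missing struct field as an execution error, so login_identity_providers.xml will fail to render for every cluster until the struct field is renamed. Two smaller points: the values are interpolated straight into XML, so a keystore or truststore password containing `&`, `<` or `"` yields a malformed file (the existing `Manager Password` line has the same exposure) and should be escaped; and because the reference doc marks `tlsTruststore` as required for LDAPS, it would be worth having the operator validate that it is set when `Authentication Strategy` is `LDAPS` or `START_TLS`, or at least documenting what NiFi falls back to when it is empty. The `{{or ... "FOLLOW"}}` default for `Referral Strategy` preserves the previous behaviour, which is good.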
26 changes: 20 additions & 6 deletions site/docs/5_references/1_nifi_cluster/1_nifi_cluster.md
Expand Up @@ -188,12 +188,26 @@ spec:

## LdapConfiguration

| Field | Type | Description | Required | Default |
| ------------ | ------- | ----------------------------------------------------------------------------------------------------------------------------------------- | -------- | ------- |
| enabled | boolean | if set to true, we will enable ldap usage into nifi.properties configuration. | No | false |
| url | string | space-separated list of URLs of the LDAP servers (i.e. ldap://$\{hostname}:$\{port}). | No | "" |
| searchBase | string | base DN for searching for users (i.e. CN=Users,DC=example,DC=com). | No | "" |
| searchFilter | string | Filter for searching for users against the 'User Search Base'. (i.e. sAMAccountName={0}). The user specified name is inserted into '{0}'. | No | "" |
| Field | Type | Description | Required | Default |
| ----------------------- | ------- | ----------------------------------------------------------------------------------------------------------------------------------------- | -------- | ----------- |
| enabled | boolean | if set to true, we will enable ldap usage into nifi.properties configuration. | No | false |
| url | string | space-separated list of URLs of the LDAP servers (i.e. ldap://$\{hostname}:$\{port}). | No | "" |
| searchBase | string | base DN for searching for users (i.e. CN=Users,DC=example,DC=com). | No | "" |
| searchFilter | string | Filter for searching for users against the 'User Search Base'. (i.e. sAMAccountName={0}). The user specified name is inserted into '{0}'. | No | "" |
| authenticationStrategy | string | How the connection to the LDAP server is authenticated. Possible values are ANONYMOUS, SIMPLE, LDAPS, or START_TLS. | No | START_TLS |
| managerDn | string | The DN of the manager that is used to bind to the LDAP server to search for users. | No | "" |
| managerPassword | string | The password of the manager that is used to bind to the LDAP server to search for users. | No | "" |
| tlsKeystore | string | Path to the Keystore that is used when connecting to LDAP using LDAPS or START_TLS. Not required for LDAPS. Only used for mutual TLS | No | "" |
| tlsKeystorePassword | string | Password for the Keystore that is used when connecting to LDAP using LDAPS or START_TLS. | No | "" |
| tlsKeystoreType | string | Type of the Keystore that is used when connecting to LDAP using LDAPS or START_TLS (i.e. JKS or PKCS12). | No | "" |
| tlsTruststore | string | Path to the Truststore that is used when connecting to LDAP using LDAPS or START_TLS. Required for LDAPS | No | "" |
| tlsTruststorePassword | string | Password for the Truststore that is used when connecting to LDAP using LDAPS or START_TLS. | No | "" |
| tlsTruststoreType | string | Type of the Truststore that is used when connecting to LDAP using LDAPS or START_TLS (i.e. JKS or PKCS12). | No | "" |
| clientAuth | string | Client authentication policy when connecting to LDAP using LDAPS or START_TLS. Possible values are REQUIRED, WANT, NONE. | No | "" |
| protocol | string | Protocol to use when connecting to LDAP using LDAPS or START_TLS. (i.e. TLS, TLSv1.1, TLSv1.2, etc). | No | "" |
| shutdownGracefully | string | Specifies whether the TLS should be shut down gracefully before the target context is closed. Defaults to false. | No | "" |
| referralStrategy | string | Strategy for handling referrals. Possible values are FOLLOW, IGNORE, THROW. | No | FOLLOW |
| identityStrategy | string | Strategy to identify users. Possible values are USE_DN and USE_USERNAME. | No | USE_DN |

## SingleUserConfiguration

