From 659312a1d57cba6d374c7092e112a957f8927de9 Mon Sep 17 00:00:00 2001 From: Wesley Render Date: Fri, 8 Mar 2024 11:17:55 -0500 Subject: [PATCH] Add settings for doing secure auth LDAPS/AD (#391) * add ldaps settings * update changelog * remove duplicate ClientAuth * Update pkg/resources/templates/config/login_identity_providers.go Co-authored-by: Michael H <86672176+mh013370@users.noreply.github.com> * update comments and docs * Update api/v1/nificluster_types.go - indent fix Co-authored-by: Juldrixx <31806759+juldrixx@users.noreply.github.com> * Update site/docs/5_references/1_nifi_cluster/1_nifi_cluster.md Co-authored-by: Michael H <86672176+mh013370@users.noreply.github.com> --------- Co-authored-by: Wes Co-authored-by: Michael H <86672176+mh013370@users.noreply.github.com> Co-authored-by: Juldrixx <31806759+juldrixx@users.noreply.github.com> --- CHANGELOG.md | 2 ++ api/v1/nificluster_types.go | 23 ++++++++++++++++ .../nifi.konpyutaika.com_nificlusters.yaml | 20 ++++++++++++++ .../nifi.orange.com_nificlusters_crd.yaml | 20 ++++++++++++++ .../nifi.konpyutaika.com_nificlusters.yaml | 20 ++++++++++++++ .../config/login_identity_providers.go | 20 +++++++------- .../1_nifi_cluster/1_nifi_cluster.md | 26 ++++++++++++++----- 7 files changed, 115 insertions(+), 16 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index f7315c5156..be0a3caf94 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,6 +2,8 @@ ### Added +- [PR #391](https://github.com/konpyutaika/nifikop/pull/391) - **[Operator/NifiUserGroup]** Added settings missing for secure LDAP connections in login_identity_providers.xml + - [PR #381](https://github.com/konpyutaika/nifikop/pull/381) - **[Operator/NifiUserGroup]** Added ability to set `NifiUserGroup.Spec.Identity` when users need to override the default naming convention. ### Changed diff --git a/api/v1/nificluster_types.go b/api/v1/nificluster_types.go index 45aaf31458..b29dbe29e9 100644 --- a/api/v1/nificluster_types.go 
+++ b/api/v1/nificluster_types.go 
@@ -576,11 +576,34 @@ type LdapConfiguration struct {
 ManagerDn string `json:"managerDn,omitempty"`
 // The password of the manager that is used to bind to the LDAP server to search for users.
 ManagerPassword string `json:"managerPassword,omitempty"`
+ // Path to the Keystore that is used when connecting to LDAP using LDAPS or START_TLS.
+ // The TLS Keystore settings are optional and only used if your LDAP/AD server needs mutual TLS.
+ TLSKeystore string `json:"tlsKeystore,omitempty"`
+ // Password for the Keystore that is used when connecting to LDAP using LDAPS or START_TLS.
+ TLSKeystorePassword string `json:"tlsKeystorePassword,omitempty"`
+ // Type of the Keystore that is used when connecting to LDAP using LDAPS or START_TLS (i.e. JKS or PKCS12).
+ TLSKeystoretype string `json:"tlsKeystoreType,omitempty"`
+ // Path to the Truststore that is used when connecting to LDAP using LDAPS or START_TLS.
+ // The Truststore should contain the valid CA that your LDAPS/AD server is in to allow NiFi to trust it
+ TLSTruststore string `json:"tlsTruststore,omitempty"`
+ // Password for the Truststore that is used when connecting to LDAP using LDAPS or START_TLS.
+ TLSTruststorePassword string `json:"tlsTruststorePassword,omitempty"`
+ // Type of the Truststore that is used when connecting to LDAP using LDAPS or START_TLS (i.e. JKS or PKCS12).
+ TLSTruststoreType string `json:"tlsTruststoreType,omitempty"`
+ // Client authentication policy when connecting to LDAP using LDAPS or START_TLS. Possible values are REQUIRED, WANT, NONE.
+ ClientAuth string `json:"clientAuth,omitempty"`
+ // Protocol to use when connecting to LDAP using LDAPS or START_TLS. (i.e. TLS, TLSv1.1, TLSv1.2, etc).
+ Protocol string `json:"protocol,omitempty"`
+ // Specifies whether the TLS should be shut down gracefully before the target context is closed. Defaults to false.
+ ShutdownGracefully string `json:"shutdownGracefully,omitempty"`
+ // Strategy for handling referrals.
Possible values are FOLLOW, IGNORE, THROW.
+ ReferralStrategy string `json:"referralStrategy,omitempty"`
 // Strategy to identify users. Possible values are USE_DN and USE_USERNAME.
 // The default functionality if this property is missing is USE_DN in order to retain backward compatibility.
 // USE_DN will use the full DN of the user entry if possible.
 // USE_USERNAME will use the username the user logged in with.
 IdentityStrategy string `json:"identityStrategy,omitempty"`
+
 }
 // NifiClusterTaskSpec specifies the configuration of the nifi cluster Tasks.
diff --git a/config/crd/bases/nifi.konpyutaika.com_nificlusters.yaml b/config/crd/bases/nifi.konpyutaika.com_nificlusters.yaml
index 3ac14a4724..f0f5a9ffa0 100644
--- a/config/crd/bases/nifi.konpyutaika.com_nificlusters.yaml
+++ b/config/crd/bases/nifi.konpyutaika.com_nificlusters.yaml
@@ -759,6 +759,26 @@ spec:
 type: string
 managerPassword:
 type: string
+ tlsKeystore:
+ type: string
+ tlsKeytorePassword:
+ type: string
+ tlsKeytoreType:
+ type: string
+ tlsTruststore:
+ type: string
+ tlsTruststorePassword:
+ type: string
+ tlsTruststoreType:
+ type: string
+ clientAuth:
+ type: string
+ protocol:
+ type: string
+ shutdownGracefully:
+ type: string
+ referralStrategy:
+ type: string
 searchBase:
 type: string
 searchFilter:
diff --git a/docs/tutorials/secured_nifi_cluster_on_gcp/kubernetes/nifikop/nifi.orange.com_nificlusters_crd.yaml b/docs/tutorials/secured_nifi_cluster_on_gcp/kubernetes/nifikop/nifi.orange.com_nificlusters_crd.yaml
index ad3dc034e9..01a35c12ed 100644
--- a/docs/tutorials/secured_nifi_cluster_on_gcp/kubernetes/nifikop/nifi.orange.com_nificlusters_crd.yaml
+++ b/docs/tutorials/secured_nifi_cluster_on_gcp/kubernetes/nifikop/nifi.orange.com_nificlusters_crd.yaml
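Review bot: `TLSKeystoretype` (lowercase `t`) does not match `{{.LdapConfiguration.TLSKeystoreType}}` in the login_identity_providers.go hunk of this same patch; text/template resolves struct fields by exact name, so as written the template would fail at execution with "can't evaluate field TLSKeystoreType" unless a method of that name exists elsewhere, and it also breaks the naming of the sibling `TLSTruststoreType`. Rename the field to `TLSKeystoreType` (the json tag `tlsKeystoreType` already uses that casing). The enumerated fields could carry kubebuilder markers so the API server rejects typos before they reach NiFi, e.g. `// +kubebuilder:validation:Enum=REQUIRED;WANT;NONE` above `ClientAuth` and `// +kubebuilder:validation:Enum=FOLLOW;IGNORE;THROW` above `ReferralStrategy`; likewise "Defaults to false" on `ShutdownGracefully` is not implemented anywhere in this patch (the template emits the raw string), so either word it as "NiFi defaults to false" or add the default. The `i.e.` in the new comments should be `e.g.` since these are examples, not exhaustive lists, and the `Protocol` examples should not advertise `TLSv1.1`. `LdapConfiguration` starts outside this hunk.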
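Review bot: the new schema keys `tlsKeytorePassword` and `tlsKeytoreType` are missing the `s` and do not match the json tags `tlsKeystorePassword`/`tlsKeystoreType` declared on `LdapConfiguration` in this patch; a v1 CRD with a structural schema prunes unknown fields by default, so a user who sets `tlsKeystorePassword` has it silently dropped at admission and the mutual-TLS bind to LDAP fails later with nothing pointing at the cause. Change them to `tlsKeystorePassword:` and `tlsKeystoreType:`. The same misspelling is in the helm and tutorial copies; if this file is controller-gen output, as it appears to be, regenerating it from the struct rather than hand-editing would keep the three copies from drifting. While here, `clientAuth`, `referralStrategy` and `shutdownGracefully` are bare `type: string`; an `enum:` on the first two and a `true`/`false` constraint on the last would turn a silent misconfiguration into an admission error.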
@@ -1116,6 +1116,26 @@ spec:
 type: string
 identityStrategy:
 type: string
+ tlsKeystore:
+ type: string
+ tlsKeytorePassword:
+ type: string
+ tlsKeytoreType:
+ type: string
+ tlsTruststore:
+ type: string
+ tlsTruststorePassword:
+ type: string
+ tlsTruststoreType:
+ type: string
+ clientAuth:
+ type: string
+ protocol:
+ type: string
+ shutdownGracefully:
+ type: string
+ referralStrategy:
+ type: string
 type: object
 listenersConfig:
 description: listenerConfig specifies nifi's listener specifig configs
diff --git a/helm/nifikop/crds/nifi.konpyutaika.com_nificlusters.yaml b/helm/nifikop/crds/nifi.konpyutaika.com_nificlusters.yaml
index 3ac14a4724..f0f5a9ffa0 100644
--- a/helm/nifikop/crds/nifi.konpyutaika.com_nificlusters.yaml
+++ b/helm/nifikop/crds/nifi.konpyutaika.com_nificlusters.yaml
@@ -759,6 +759,26 @@ spec:
 type: string
 managerPassword:
 type: string
+ tlsKeystore:
+ type: string
+ tlsKeytorePassword:
+ type: string
+ tlsKeytoreType:
+ type: string
+ tlsTruststore:
+ type: string
+ tlsTruststorePassword:
+ type: string
+ tlsTruststoreType:
+ type: string
+ clientAuth:
+ type: string
+ protocol:
+ type: string
+ shutdownGracefully:
+ type: string
+ referralStrategy:
+ type: string
 searchBase:
 type: string
 searchFilter:
diff --git a/pkg/resources/templates/config/login_identity_providers.go b/pkg/resources/templates/config/login_identity_providers.go
index 08d1012952..a096737ff6 100644
--- a/pkg/resources/templates/config/login_identity_providers.go
+++ b/pkg/resources/templates/config/login_identity_providers.go
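Review bot: this Helm copy carries the same `tlsKeytorePassword` / `tlsKeytoreType` misspellings as config/crd/bases (the identical blob hashes `3ac14a4724..f0f5a9ffa0` show the two files are byte-for-byte copies), and it is the schema chart installs actually apply, so chart users are the ones whose `tlsKeystorePassword`/`tlsKeystoreType` values get pruned at admission. Fix the spelling at the generated source and copy it over, rather than patching each CRD by hand.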
@@ -73,17 +73,17 @@ var LoginIdentityProvidersTemplate = `{{or .LdapConfiguration.AuthenticationStrategy "START_TLS"}} {{.LdapConfiguration.ManagerDn}} {{.LdapConfiguration.ManagerPassword}} - - - - - - - - - + {{.LdapConfiguration.TLSKeystore}} + {{.LdapConfiguration.TLSKeystorePassword}} + {{.LdapConfiguration.TLSKeystoreType}} + {{.LdapConfiguration.TLSTruststore}} + {{.LdapConfiguration.TLSTruststorePassword}} + {{.LdapConfiguration.TLSTruststoreType}} + {{.LdapConfiguration.ClientAuth}} + {{.LdapConfiguration.Protocol}} + {{.LdapConfiguration.ShutdownGracefully}} - FOLLOW + {{or .LdapConfiguration.ReferralStrategy "FOLLOW"}} 10 secs 10 secs {{.LdapConfiguration.Url}} diff --git a/site/docs/5_references/1_nifi_cluster/1_nifi_cluster.md b/site/docs/5_references/1_nifi_cluster/1_nifi_cluster.md index e3a6a99ec7..a468f150b7 100644 --- a/site/docs/5_references/1_nifi_cluster/1_nifi_cluster.md +++ b/site/docs/5_references/1_nifi_cluster/1_nifi_cluster.md 
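Review bot: `TLS - Protocol` is the one new TLS property without a fallback: the hunk keeps `{{or .LdapConfiguration.AuthenticationStrategy "START_TLS"}}` and adds `{{or .LdapConfiguration.ReferralStrategy "FOLLOW"}}`, but `{{.LdapConfiguration.Protocol}}` renders empty when `protocol` is unset, so the default START_TLS path ships an empty protocol element; if NiFi's LDAP provider rejects a blank protocol for LDAPS/START_TLS (not visible here), provider creation fails with no hint from the operator. Suggest `{{or .LdapConfiguration.Protocol "TLS"}}` so the JVM's enabled-protocol list governs, and document that default in the field comment and reference table instead of the `TLSv1.1` example. `{{.LdapConfiguration.TLSKeystoreType}}` here does not match the struct field `TLSKeystoretype` added in api/v1/nificluster_types.go; template field lookup is case-sensitive, so one spelling has to change. The new password placeholders follow `ManagerPassword` in interpolating raw values into XML, so a value containing `<` or `&` corrupts the file; piping all three through an escaping func (e.g. `{{.LdapConfiguration.TLSTruststorePassword | html}}`) would be worth it. `LoginIdentityProvidersTemplate` starts and ends outside this hunk.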
@@ -188,12 +188,26 @@ spec: ## LdapConfiguration -| Field | Type | Description | Required | Default | -| ------------ | ------- | ----------------------------------------------------------------------------------------------------------------------------------------- | -------- | ------- | -| enabled | boolean | if set to true, we will enable ldap usage into nifi.properties configuration. | No | false | -| url | string | space-separated list of URLs of the LDAP servers (i.e. ldap://$\{hostname}:$\{port}). | No | "" | -| searchBase | string | base DN for searching for users (i.e. CN=Users,DC=example,DC=com). | No | "" | -| searchFilter | string | Filter for searching for users against the 'User Search Base'. (i.e. sAMAccountName={0}). The user specified name is inserted into '{0}'. | No | "" | +| Field | Type | Description | Required | Default | +| ----------------------- | ------- | ----------------------------------------------------------------------------------------------------------------------------------------- | -------- | ----------- | +| enabled | boolean | if set to true, we will enable ldap usage into nifi.properties configuration. | No | false | +| url | string | space-separated list of URLs of the LDAP servers (i.e. ldap://$\{hostname}:$\{port}). | No | "" | +| searchBase | string | base DN for searching for users (i.e. CN=Users,DC=example,DC=com). | No | "" | +| searchFilter | string | Filter for searching for users against the 'User Search Base'. (i.e. sAMAccountName={0}). The user specified name is inserted into '{0}'. | No | "" | +| authenticationStrategy | string | How the connection to the LDAP server is authenticated. Possible values are ANONYMOUS, SIMPLE, LDAPS, or START_TLS. | No | START_TLS | +| managerDn | string | The DN of the manager that is used to bind to the LDAP server to search for users. | No | "" | +| managerPassword | string | The password of the manager that is used to bind to the LDAP server to search for users. 
| No | "" | +| tlsKeystore | string | Path to the Keystore that is used when connecting to LDAP using LDAPS or START_TLS. Not required for LDAPS. Only used for mutual TLS | No | "" | +| tlsKeystorePassword | string | Password for the Keystore that is used when connecting to LDAP using LDAPS or START_TLS. | No | "" | +| tlsKeystoreType | string | Type of the Keystore that is used when connecting to LDAP using LDAPS or START_TLS (i.e. JKS or PKCS12). | No | "" | +| tlsTruststore | string | Path to the Truststore that is used when connecting to LDAP using LDAPS or START_TLS. Required for LDAPS | No | "" | +| tlsTruststorePassword | string | Password for the Truststore that is used when connecting to LDAP using LDAPS or START_TLS. | No | "" | +| tlsTruststoreType | string | Type of the Truststore that is used when connecting to LDAP using LDAPS or START_TLS (i.e. JKS or PKCS12). | No | "" | +| clientAuth | string | Client authentication policy when connecting to LDAP using LDAPS or START_TLS. Possible values are REQUIRED, WANT, NONE. | No | "" | +| protocol | string | Protocol to use when connecting to LDAP using LDAPS or START_TLS. (i.e. TLS, TLSv1.1, TLSv1.2, etc). | No | "" | +| shutdownGracefully | string | Specifies whether the TLS should be shut down gracefully before the target context is closed. Defaults to false. | No | "" | +| referralStrategy | string | Strategy for handling referrals. Possible values are FOLLOW, IGNORE, THROW. | No | FOLLOW | +| identityStrategy | string | Strategy to identify users. Possible values are USE_DN and USE_USERNAME. | No | USE_DN | ## SingleUserConfiguration