Closed M9T closed 4 years ago
authorizers.xml
50% covered by replacing the volume with
-v $HOME/nifi/registry/conf/authorizers.xml:/opt/nifi-registry/nifi-registry-0.5.0/conf/authorizers.xml \
and deleting the INITIAL_ADMIN_IDENTITY env.
I tried to remove all NIFI_REGISTRY envs and add
-v $HOME/nifi/registry/conf/nifi-registry.properties:/opt/nifi-registry/nifi-registry-0.5.0/conf/nifi-registry.properties \
but it fails:
Caused by: org.springframework.beans.BeanInstantiationException: Failed to instantiate [org.apache.nifi.registry.security.authentication.IdentityProvider]: Factory method 'getIdentityProvider' threw exception; nested exception is java.lang.Exception: The specified login identity provider 'ldap-identity-provider' could not be found.
    at org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiate(SimpleInstantiationStrategy.java:185)
    at org.springframework.beans.factory.support.ConstructorResolver.instantiate(ConstructorResolver.java:622)
    ... 57 common frames omitted
Caused by: java.lang.Exception: The specified login identity provider 'ldap-identity-provider' could not be found.
    at org.apache.nifi.registry.security.authentication.IdentityProviderFactory.getIdentityProvider(IdentityProviderFactory.java:128)
    at org.apache.nifi.registry.security.authentication.IdentityProviderFactory$$EnhancerBySpringCGLIB$$1a9d8ad4.CGLIB$getIdentityProvider$0(<generated>)
    at org.apache.nifi.registry.security.authentication.IdentityProviderFactory$$EnhancerBySpringCGLIB$$1a9d8ad4$$FastClassBySpringCGLIB$$f58f9651.invoke(<generated>)
    at org.springframework.cglib.proxy.MethodProxy.invokeSuper(MethodProxy.java:244)
    at org.springframework.context.annotation.ConfigurationClassEnhancer$BeanMethodInterceptor.intercept(ConfigurationClassEnhancer.java:363)
    at org.apache.nifi.registry.security.authentication.IdentityProviderFactory$$EnhancerBySpringCGLIB$$1a9d8ad4.getIdentityProvider(<generated>)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiate(SimpleInstantiationStrategy.java:154)
    ... 58 common frames omitted
2020-01-23 21:16:03,202 INFO [Thread-1] org.apache.nifi.registry.NiFiRegistry Initiating shutdown of Jetty web server...
2020-01-23 21:16:03,209 INFO [Thread-1] o.eclipse.jetty.server.AbstractConnector Stopped ServerConnector@42f93a98{SSL,[ssl, http/1.1]}{0.0.0.0:18443}
2020-01-23 21:16:03,209 INFO [Thread-1] org.eclipse.jetty.server.session node0 Stopped scavenging
Received trapped signal, beginning shutdown...
Hi,
as you found out, the authorizers.xml is templated from env vars. The corresponding line in the shell script is: https://github.com/michalklempa/docker-nifi-registry/blob/develop/sh/start.sh
if [[ -n "${INITIAL_ADMIN_IDENTITY}" ]]; then
/usr/local/bin/dockerize -template ${PROJECT_TEMPLATE_DIR}/authorizers.xml.gotemplate:${PROJECT_CONF_DIR}/authorizers.xml
fi
So not setting INITIAL_ADMIN_IDENTITY should do the trick of not replacing the file again and again.
Regarding
<accessPolicyProvider>
<property name="User Group Provider">composite-configurable-user-group-provider
I can see that I haven't done the templating of this file yet. If you can work around it by providing the file from outside until I add a new feature, that would be fine.
Ad nifi-registry.properties file, the https://nifi.apache.org/docs/nifi-registry-docs/html/administration-guide.html#identity-mapping-properties should be able to be set by:
NIFI_REGISTRY_SECURITY_IDENTITY_MAPPING_PATTERN_DN
and
NIFI_REGISTRY_SECURITY_IDENTITY_MAPPING_VALUE_DN
If you removed all NIFI_REGISTRY env vars and even after that the file nifi-registry.conf is overwritten, it's a bug. It shouldn't be overwritten: https://github.com/michalklempa/docker-nifi-registry/blob/develop/sh/start.sh#L77
But the keys in nifi-registry.conf you need are available, but are named differently. You stated:
nifi.security.identity.mapping.pattern.dn=^cn=(.?),o=(.?),dc=(.?),dc=(.?)$
nifi.security.identity.mapping.value.dn=$1
but the real ones are:
nifi.registry.security.identity.mapping.pattern.dn=^cn=(.?),o=(.?),dc=(.?),dc=(.?)$
nifi.registry.security.identity.mapping.value.dn=$1
Let me know how it goes.
Note to myself, see #20: templating should be re-worked. More and more people like to provide configuration the k8s way, by injecting the files from config-maps.
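A pre-start check for the two configuration problems in this thread, added here as an example (it is not code from the docker-nifi-registry project): it flags property keys outside the nifi.registry. namespace and a nifi.registry.security.identity.provider value with no matching <identifier> in identity-providers.xml. That the "could not be found" error corresponds to such a missing identifier is an assumption; the function names and sample inputs are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample inputs, modelled on the thread (not the reporter's real files).
SAMPLE_PROPERTIES = """\
nifi.registry.security.identity.provider=ldap-identity-provider
nifi.security.identity.mapping.pattern.dn=^cn=(.?),o=(.?),dc=(.?),dc=(.?)$
nifi.security.identity.mapping.value.dn=$1
"""
SAMPLE_IDENTITY_PROVIDERS = "<identityProviders></identityProviders>"


def parse_properties(text):
    """Parse key=value lines of a Java-style properties file (no continuations)."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def check(properties_text, identity_providers_xml):
    """Return a list of findings; an empty list means both checks passed."""
    findings = []
    props = parse_properties(properties_text)
    # Keys copied from NiFi (nifi.security...) instead of Registry (nifi.registry.security...).
    for key in props:
        if key.startswith("nifi.") and not key.startswith("nifi.registry."):
            fixed = "nifi.registry." + key[len("nifi."):]
            findings.append(f"key outside nifi.registry. namespace: {key} (did you mean {fixed}?)")
    # The configured login identity provider must be defined in identity-providers.xml.
    wanted = props.get("nifi.registry.security.identity.provider", "")
    root = ET.fromstring(identity_providers_xml)
    defined = {(p.findtext("identifier") or "").strip() for p in root.iter("provider")}
    if wanted and wanted not in defined:
        findings.append(f"identity provider '{wanted}' is not defined in identity-providers.xml")
    return findings


if __name__ == "__main__":
    for finding in check(SAMPLE_PROPERTIES, SAMPLE_IDENTITY_PROVIDERS):
        print(finding)
```

Run it against the files you intend to mount into the container before starting it; any finding means the Registry would either ignore the mapping keys or fail at startup as in the trace above.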
Hi @M9T,
I have created a plain flavor of the images, tagged with the suffix -plain. These images run under the root user (no UID:GID added) and no templating is done at all.
I wanted to change the authorizers.xml based on my needs.
What I did:
I haven't tested all files in the conf volume, but I guess it is a general overwriting.
What I would like to set:
authorizers.xml
nifi-registry.properties file