Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
- <!--
- Licensed to the Apache Software Foundation (ASF) under one or more
- contributor license agreements. See the NOTICE file distributed with
- this work for additional information regarding copyright ownership.
- The ASF licenses this file to You under the Apache License, Version 2.0
- (the "License"); you may not use this file except in compliance with
- the License. You may obtain a copy of the License at
- http://www.apache.org/licenses/LICENSE-2.0
- Unless required by applicable law or agreed to in writing, software
- distributed under the License is distributed on an "AS IS" BASIS,
- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- See the License for the specific language governing permissions and
- limitations under the License.
- -->
- <!--
- This file lists the userGroupProviders, accessPolicyProviders, and authorizers to use when running securely. In order
- to use a specific authorizer it must be configured here and it's identifier must be specified in the nifi.properties file.
- If the authorizer is a managedAuthorizer, it may need to be configured with an accessPolicyProvider and an userGroupProvider.
- This file allows for configuration of them, but they must be configured in order:
- ...
- all userGroupProviders
- all accessPolicyProviders
- all Authorizers
- ...
- -->
- <authorizers>
- <!--
- The FileUserGroupProvider will provide support for managing users and groups which is backed by a file
- on the local file system.
- - Users File - The file where the FileUserGroupProvider will store users and groups.
- - Legacy Authorized Users File - The full path to an existing authorized-users.xml that will be automatically
- be used to load the users and groups into the Users File.
- - Initial User Identity [unique key] - The identity of a users and systems to seed the Users File. The name of
- each property must be unique, for example: "Initial User Identity A", "Initial User Identity B",
- "Initial User Identity C" or "Initial User Identity 1", "Initial User Identity 2", "Initial User Identity 3"
- NOTE: Any identity mapping rules specified in nifi.properties will also be applied to the user identities,
- so the values should be the unmapped identities (i.e. full DN from a certificate).
- -->
- <userGroupProvider>
- <identifier>file-user-group-provider</identifier>
- <class>org.apache.nifi.authorization.FileUserGroupProvider</class>
- <property name="Users File">./conf/users.xml</property>
- <property name="Legacy Authorized Users File"></property>
- <property name="Initial User Identity 1"></property>
- </userGroupProvider>
- <!--
- The LdapUserGroupProvider will retrieve users and groups from an LDAP server. The users and groups
- are not configurable.
- 'Authentication Strategy' - How the connection to the LDAP server is authenticated. Possible
- values are ANONYMOUS, SIMPLE, LDAPS, or START_TLS.
- 'Manager DN' - The DN of the manager that is used to bind to the LDAP server to search for users.
- 'Manager Password' - The password of the manager that is used to bind to the LDAP server to
- search for users.
- 'TLS - Keystore' - Path to the Keystore that is used when connecting to LDAP using LDAPS or START_TLS.
- 'TLS - Keystore Password' - Password for the Keystore that is used when connecting to LDAP
- using LDAPS or START_TLS.
- 'TLS - Keystore Type' - Type of the Keystore that is used when connecting to LDAP using
- LDAPS or START_TLS (i.e. JKS or PKCS12).
- 'TLS - Truststore' - Path to the Truststore that is used when connecting to LDAP using LDAPS or START_TLS.
- 'TLS - Truststore Password' - Password for the Truststore that is used when connecting to
- LDAP using LDAPS or START_TLS.
- 'TLS - Truststore Type' - Type of the Truststore that is used when connecting to LDAP using
- LDAPS or START_TLS (i.e. JKS or PKCS12).
- 'TLS - Client Auth' - Client authentication policy when connecting to LDAP using LDAPS or START_TLS.
- Possible values are REQUIRED, WANT, NONE.
- 'TLS - Protocol' - Protocol to use when connecting to LDAP using LDAPS or START_TLS. (i.e. TLS,
- TLSv1.1, TLSv1.2, etc).
- 'TLS - Shutdown Gracefully' - Specifies whether the TLS should be shut down gracefully
- before the target context is closed. Defaults to false.
- 'Referral Strategy' - Strategy for handling referrals. Possible values are FOLLOW, IGNORE, THROW.
- 'Connect Timeout' - Duration of connect timeout. (i.e. 10 secs).
- 'Read Timeout' - Duration of read timeout. (i.e. 10 secs).
- 'Url' - Space-separated list of URLs of the LDAP servers (i.e. ldap://<hostname>:<port>).
- 'Page Size' - Sets the page size when retrieving users and groups. If not specified, no paging is performed.
- 'Sync Interval' - Duration of time between syncing users and groups (i.e. 30 mins). Minimum allowable value is 10 secs.
- 'User Search Base' - Base DN for searching for users (i.e. ou=users,o=nifi). Required to search users.
- 'User Object Class' - Object class for identifying users (i.e. person). Required if searching users.
- 'User Search Scope' - Search scope for searching users (ONE_LEVEL, OBJECT, or SUBTREE). Required if searching users.
- 'User Search Filter' - Filter for searching for users against the 'User Search Base' (i.e. (memberof=cn=team1,ou=groups,o=nifi) ). Optional.
- 'User Identity Attribute' - Attribute to use to extract user identity (i.e. cn). Optional. If not set, the entire DN is used.
- 'User Group Name Attribute' - Attribute to use to define group membership (i.e. memberof). Optional. If not set
- group membership will not be calculated through the users. Will rely on group membership being defined
- through 'Group Member Attribute' if set. The value of this property is the name of the attribute in the user ldap entry that
- associates them with a group. The value of that user attribute could be a dn or group name for instance. What value is expected
- is configured in the 'User Group Name Attribute - Referenced Group Attribute'.
- 'User Group Name Attribute - Referenced Group Attribute' - If blank, the value of the attribute defined in 'User Group Name Attribute'
- is expected to be the full dn of the group. If not blank, this property will define the attribute of the group ldap entry that
- the value of the attribute defined in 'User Group Name Attribute' is referencing (i.e. name). Use of this property requires that
- 'Group Search Base' is also configured.
- 'Group Search Base' - Base DN for searching for groups (i.e. ou=groups,o=nifi). Required to search groups.
- 'Group Object Class' - Object class for identifying groups (i.e. groupOfNames). Required if searching groups.
- 'Group Search Scope' - Search scope for searching groups (ONE_LEVEL, OBJECT, or SUBTREE). Required if searching groups.
- 'Group Search Filter' - Filter for searching for groups against the 'Group Search Base'. Optional.
- 'Group Name Attribute' - Attribute to use to extract group name (i.e. cn). Optional. If not set, the entire DN is used.
- 'Group Member Attribute' - Attribute to use to define group membership (i.e. member). Optional. If not set
- group membership will not be calculated through the groups. Will rely on group membership being defined
- through 'User Group Name Attribute' if set. The value of this property is the name of the attribute in the group ldap entry that
- associates them with a user. The value of that group attribute could be a dn or memberUid for instance. What value is expected
- is configured in the 'Group Member Attribute - Referenced User Attribute'. (i.e. member: cn=User 1,ou=users,o=nifi vs. memberUid: user1)
- 'Group Member Attribute - Referenced User Attribute' - If blank, the value of the attribute defined in 'Group Member Attribute'
- is expected to be the full dn of the user. If not blank, this property will define the attribute of the user ldap entry that
- the value of the attribute defined in 'Group Member Attribute' is referencing (i.e. uid). Use of this property requires that
- 'User Search Base' is also configured. (i.e. member: cn=User 1,ou=users,o=nifi vs. memberUid: user1)
- NOTE: Any identity mapping rules specified in nifi.properties will also be applied to the user identities.
- Group names are not mapped.
- -->
- <!-- To enable the ldap-user-group-provider remove 2 lines. This is 1 of 2.
- <userGroupProvider>
- <identifier>ldap-user-group-provider</identifier>
- <class>org.apache.nifi.ldap.tenants.LdapUserGroupProvider</class>
- <property name="Authentication Strategy">START_TLS</property>
- <property name="Manager DN"></property>
- <property name="Manager Password"></property>
- <property name="TLS - Keystore"></property>
- <property name="TLS - Keystore Password"></property>
- <property name="TLS - Keystore Type"></property>
- <property name="TLS - Truststore"></property>
- <property name="TLS - Truststore Password"></property>
- <property name="TLS - Truststore Type"></property>
- <property name="TLS - Client Auth"></property>
- <property name="TLS - Protocol"></property>
- <property name="TLS - Shutdown Gracefully"></property>
- <property name="Referral Strategy">FOLLOW</property>
- <property name="Connect Timeout">10 secs</property>
- <property name="Read Timeout">10 secs</property>
- <property name="Url"></property>
- <property name="Page Size"></property>
- <property name="Sync Interval">30 mins</property>
- <property name="User Search Base"></property>
- <property name="User Object Class">person</property>
- <property name="User Search Scope">ONE_LEVEL</property>
- <property name="User Search Filter"></property>
- <property name="User Identity Attribute"></property>
- <property name="User Group Name Attribute"></property>
- <property name="User Group Name Attribute - Referenced Group Attribute"></property>
- <property name="Group Search Base"></property>
- <property name="Group Object Class">group</property>
- <property name="Group Search Scope">ONE_LEVEL</property>
- <property name="Group Search Filter"></property>
- <property name="Group Name Attribute"></property>
- <property name="Group Member Attribute"></property>
- <property name="Group Member Attribute - Referenced User Attribute"></property>
- </userGroupProvider>
- To enable the ldap-user-group-provider remove 2 lines. This is 2 of 2. -->
- <!--
- The CompositeUserGroupProvider will provide support for retrieving users and groups from multiple sources.
- - User Group Provider [unique key] - The identifier of user group providers to load from. The name of
- each property must be unique, for example: "User Group Provider A", "User Group Provider B",
- "User Group Provider C" or "User Group Provider 1", "User Group Provider 2", "User Group Provider 3"
- NOTE: Any identity mapping rules specified in nifi.properties are not applied in this implementation. This behavior
- would need to be applied by the base implementation.
- -->
- <!-- To enable the composite-user-group-provider remove 2 lines. This is 1 of 2.
- <userGroupProvider>
- <identifier>composite-user-group-provider</identifier>
- <class>org.apache.nifi.authorization.CompositeUserGroupProvider</class>
- <property name="User Group Provider 1"></property>
- </userGroupProvider>
- To enable the composite-user-group-provider remove 2 lines. This is 2 of 2. -->
- <!--
- The CompositeConfigurableUserGroupProvider will provide support for retrieving users and groups from multiple sources.
- Additionally, a single configurable user group provider is required. Users from the configurable user group provider
- are configurable, however users loaded from one of the User Group Provider [unique key] will not be.
- - Configurable User Group Provider - A configurable user group provider.
- - User Group Provider [unique key] - The identifier of user group providers to load from. The name of
- each property must be unique, for example: "User Group Provider A", "User Group Provider B",
- "User Group Provider C" or "User Group Provider 1", "User Group Provider 2", "User Group Provider 3"
- NOTE: Any identity mapping rules specified in nifi.properties are not applied in this implementation. This behavior
- would need to be applied by the base implementation.
- -->
- <!-- To enable the composite-configurable-user-group-provider remove 2 lines. This is 1 of 2.
- <userGroupProvider>
- <identifier>composite-configurable-user-group-provider</identifier>
- <class>org.apache.nifi.authorization.CompositeConfigurableUserGroupProvider</class>
- <property name="Configurable User Group Provider">file-user-group-provider</property>
- <property name="User Group Provider 1"></property>
- </userGroupProvider>
- To enable the composite-configurable-user-group-provider remove 2 lines. This is 2 of 2. -->
- <!--
- The FileAccessPolicyProvider will provide support for managing access policies which is backed by a file
- on the local file system.
- - User Group Provider - The identifier for an User Group Provider defined above that will be used to access
- users and groups for use in the managed access policies.
- - Authorizations File - The file where the FileAccessPolicyProvider will store policies.
- - Initial Admin Identity - The identity of an initial admin user that will be granted access to the UI and
- given the ability to create additional users, groups, and policies. The value of this property could be
- a DN when using certificates or LDAP, or a Kerberos principal. This property will only be used when there
- are no other policies defined. If this property is specified then a Legacy Authorized Users File can not be specified.
- NOTE: Any identity mapping rules specified in nifi.properties will also be applied to the initial admin identity,
- so the value should be the unmapped identity. This identity must be found in the configured User Group Provider.
- - Legacy Authorized Users File - The full path to an existing authorized-users.xml that will be automatically
- converted to the new authorizations model. If this property is specified then an Initial Admin Identity can
- not be specified, and this property will only be used when there are no other users, groups, and policies defined.
- NOTE: Any users in the legacy users file must be found in the configured User Group Provider.
- - Node Identity [unique key] - The identity of a NiFi cluster node. When clustered, a property for each node
- should be defined, so that every node knows about every other node. If not clustered these properties can be ignored.
- The name of each property must be unique, for example for a three node cluster:
- "Node Identity A", "Node Identity B", "Node Identity C" or "Node Identity 1", "Node Identity 2", "Node Identity 3"
- NOTE: Any identity mapping rules specified in nifi.properties will also be applied to the node identities,
- so the values should be the unmapped identities (i.e. full DN from a certificate). This identity must be found
- in the configured User Group Provider.
- -->
- <accessPolicyProvider>
- <identifier>file-access-policy-provider</identifier>
- <class>org.apache.nifi.authorization.FileAccessPolicyProvider</class>
- <property name="User Group Provider">file-user-group-provider</property>
- <property name="Authorizations File">./conf/authorizations.xml</property>
- <property name="Initial Admin Identity"></property>
- <property name="Legacy Authorized Users File"></property>
- <property name="Node Identity 1"></property>
- </accessPolicyProvider>
- <!--
- The StandardManagedAuthorizer. This authorizer implementation must be configured with the
- Access Policy Provider which it will use to access and manage users, groups, and policies.
- These users, groups, and policies will be used to make all access decisions during authorization
- requests.
- - Access Policy Provider - The identifier for an Access Policy Provider defined above.
- -->
- <authorizer>
- <identifier>managed-authorizer</identifier>
- <class>org.apache.nifi.authorization.StandardManagedAuthorizer</class>
- <property name="Access Policy Provider">file-access-policy-provider</property>
- </authorizer>
- <!--
- NOTE: This Authorizer has been replaced with the more granular approach configured above with the Standard
- Managed Authorizer. However, it is still available for backwards compatibility reasons.
- The FileAuthorizer is NiFi's provided authorizer and has the following properties:
- - Authorizations File - The file where the FileAuthorizer will store policies.
- - Users File - The file where the FileAuthorizer will store users and groups.
- - Initial Admin Identity - The identity of an initial admin user that will be granted access to the UI and
- given the ability to create additional users, groups, and policies. The value of this property could be
- a DN when using certificates or LDAP, or a Kerberos principal. This property will only be used when there
- are no other users, groups, and policies defined. If this property is specified then a Legacy Authorized
- Users File can not be specified.
- NOTE: Any identity mapping rules specified in nifi.properties will also be applied to the initial admin identity,
- so the value should be the unmapped identity.
- - Legacy Authorized Users File - The full path to an existing authorized-users.xml that will be automatically
- converted to the new authorizations model. If this property is specified then an Initial Admin Identity can
- not be specified, and this property will only be used when there are no other users, groups, and policies defined.
- - Node Identity [unique key] - The identity of a NiFi cluster node. When clustered, a property for each node
- should be defined, so that every node knows about every other node. If not clustered these properties can be ignored.
- The name of each property must be unique, for example for a three node cluster:
- "Node Identity A", "Node Identity B", "Node Identity C" or "Node Identity 1", "Node Identity 2", "Node Identity 3"
- NOTE: Any identity mapping rules specified in nifi.properties will also be applied to the node identities,
- so the values should be the unmapped identities (i.e. full DN from a certificate).
- -->
- <!-- <authorizer>
- <identifier>file-provider</identifier>
- <class>org.apache.nifi.authorization.FileAuthorizer</class>
- <property name="Authorizations File">./conf/authorizations.xml</property>
- <property name="Users File">./conf/users.xml</property>
- <property name="Initial Admin Identity"></property>
- <property name="Legacy Authorized Users File"></property>
- <property name="Node Identity 1"></property>
- </authorizer>
- -->
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement