From aaab5518a9e61ea59a1fd85cae1e92eb125d0ee3 Mon Sep 17 00:00:00 2001 From: exceptionfactory Date: Tue, 22 Jun 2021 10:53:23 -0500 Subject: [PATCH 1/2] NIFI-8725 Added Single User Environment Variables for Docker - Updated Docker README.md with example command and link to Administration Guide section - Updated Docker integration test to check HTTP response status --- nifi-docker/dockerhub/README.md | 18 ++++++++++++++---- nifi-docker/dockerhub/sh/start.sh | 13 +++++++++++++ nifi-docker/dockermaven/integration-test.sh | 7 ++----- nifi-docker/dockermaven/sh/start.sh | 13 +++++++++++++ 4 files changed, 42 insertions(+), 9 deletions(-) diff --git a/nifi-docker/dockerhub/README.md b/nifi-docker/dockerhub/README.md index b3884b7d901e..39bef8280306 100644 --- a/nifi-docker/dockerhub/README.md +++ b/nifi-docker/dockerhub/README.md @@ -39,8 +39,9 @@ docker run --rm --entrypoint /bin/bash apache/nifi:1.12.0 -c 'readlink /opt/nifi ## Capabilities This image currently supports running in standalone mode either unsecured or with user authentication provided through: - * [Two-Way SSL with Client Certificates](http://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#security-configuration) - * [Lightweight Directory Access Protocol (LDAP)](http://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#ldap_login_identity_provider) + * [Single User Authentication](https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#single_user_identity_provider) + * [Mutual TLS with Client Certificates](https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#security-configuration) + * [Lightweight Directory Access Protocol (LDAP)](https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#ldap_login_identity_provider) This image also contains the NiFi Toolkit (as of version 1.8.0) preconfigured to use either in secure and unsecure mode. 
@@ -77,7 +78,7 @@ The minimum to run a NiFi instance is as follows: This will provide a running instance, exposing the instance UI to the host system on at port 8443, viewable at `https://localhost:8443/nifi`. -You can also pass in environment variables to change the NiFi communication ports and hostname using the Docker '-e' switch as follows: +Environment variables can be used to set the NiFi communication ports and hostname using the Docker '-e' switch as follows: docker run --name nifi \ -p 9443:9443 \ @@ -85,7 +86,16 @@ You can also pass in environment variables to change the NiFi communication port -e NIFI_WEB_HTTPS_PORT='9443' \ apache/nifi:latest -For a list of the environment variables recognised in this build, look into the .sh/secure.sh and .sh/start.sh scripts +Single User Authentication credentials can be specified using environment variables as follows: + + docker run --name nifi \ + -p 8443:8443 \ + -d \ + -e SINGLE_USER_CREDENTIALS_USERNAME=admin \ + -e SINGLE_USER_CREDENTIALS_PASSWORD=ctsBtRBKHRAx69EqUghvvgEvjnaLjFEB \ + apache/nifi:latest + +See `secure.sh` and `start.sh` scripts for supported environment variables. ### Standalone Instance secured with HTTPS and Mutual TLS Authentication In this configuration, the user will need to provide certificates and associated configuration information. diff --git a/nifi-docker/dockerhub/sh/start.sh b/nifi-docker/dockerhub/sh/start.sh index 53cc43be776c..2730b624c407 100755 --- a/nifi-docker/dockerhub/sh/start.sh +++ b/nifi-docker/dockerhub/sh/start.sh 
@@ -44,6 +44,11 @@ prop_replace 'nifi.cluster.protocol.is.secure' 'true'
 "${scripts_dir}/toolkit.sh"
 prop_replace 'baseUrl' "https://${NIFI_WEB_HTTPS_HOST:-$HOSTNAME}:${NIFI_WEB_HTTPS_PORT:-8443}" ${nifi_toolkit_props_file}
+prop_replace 'keystore' "${NIFI_HOME}/conf/keystore.p12" ${nifi_toolkit_props_file}
+prop_replace 'keystoreType' "PKCS12" ${nifi_toolkit_props_file}
+prop_replace 'truststore' "${NIFI_HOME}/conf/truststore.p12" ${nifi_toolkit_props_file}
+prop_replace 'truststoreType' "PKCS12" ${nifi_toolkit_props_file}
+
 if [ -n "${NIFI_WEB_HTTP_PORT}" ]; then
 prop_replace 'nifi.web.https.port' ''
 prop_replace 'nifi.web.https.host' ''
@@ -56,6 +61,10 @@ if [ -n "${NIFI_WEB_HTTP_PORT}" ]; then
 prop_replace 'nifi.security.truststore' ''
 prop_replace 'nifi.security.truststoreType' ''
 prop_replace 'nifi.security.user.login.identity.provider' ''
+ prop_replace 'keystore' '' ${nifi_toolkit_props_file}
+ prop_replace 'keystoreType' '' ${nifi_toolkit_props_file}
+ prop_replace 'truststore' '' ${nifi_toolkit_props_file}
+ prop_replace 'truststoreType' '' ${nifi_toolkit_props_file}
 prop_replace 'baseUrl' "http://${NIFI_WEB_HTTP_HOST:-$HOSTNAME}:${NIFI_WEB_HTTP_PORT}" ${nifi_toolkit_props_file}
 fi
@@ -81,6 +90,10 @@ prop_replace 'nifi.analytics.connection.model.score.threshold' "${NIFI_ANALYTIC
 prop_replace 'nifi.sensitive.props.key' "${NIFI_SENSITIVE_PROPS_KEY:-}"
+if [ -n "${SINGLE_USER_CREDENTIALS_USERNAME}" ] && [ -n "${SINGLE_USER_CREDENTIALS_PASSWORD}" ]; then
+ ${NIFI_HOME}/bin/nifi.sh set-single-user-credentials "${SINGLE_USER_CREDENTIALS_USERNAME}" "${SINGLE_USER_CREDENTIALS_PASSWORD}"
+fi
+
 . "${scripts_dir}/update_cluster_state_management.sh"
 # Check if we are secured or unsecured
diff --git a/nifi-docker/dockermaven/integration-test.sh b/nifi-docker/dockermaven/integration-test.sh
index 346cb99fff57..e7d3dc49f7c9 100755
--- a/nifi-docker/dockermaven/integration-test.sh
+++ b/nifi-docker/dockermaven/integration-test.sh
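Review bot: The four added `prop_replace` lines in `nifi-docker/dockerhub/sh/start.sh` (hunk `@@ -44,6 +44,11 @@`) point the toolkit at `${NIFI_HOME}/conf/keystore.p12` and `${NIFI_HOME}/conf/truststore.p12` without a comment saying where those files come from, and no store password property is set in any visible hunk, so it is not evident that the toolkit CLI can open them. The same commit removes the `cli.sh nifi current-user` check from the integration test, so nothing visible exercises this configuration. I would add a comment such as `# Toolkit reuses the keystore/truststore under conf/; passwords are set in <location>` and quote the file argument as `"${nifi_toolkit_props_file}"`. The same applies to the matching hunk in `nifi-docker/dockermaven/sh/start.sh`; the script's preamble is outside the hunk.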
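Review bot: In `nifi-docker/dockerhub/sh/start.sh` (hunk `@@ -81,6 +90,10 @@`) the added block is skipped without any message when only one of `SINGLE_USER_CREDENTIALS_USERNAME` and `SINGLE_USER_CREDENTIALS_PASSWORD` is set, and the result of `nifi.sh set-single-user-credentials` is not checked in the visible lines, so a rejected value (NiFi enforces a minimum password length, as far as I know) may leave the container running with credentials the operator did not choose. `${NIFI_HOME}` is unquoted, and the password travels as a command argument, which makes it readable from the process list inside the container while the command runs; it also stays in the container environment, so the README example would benefit from a note that `docker inspect` exposes it. I would fail fast on a half-set pair and on a non-zero exit, as sketched below. The identical block in `nifi-docker/dockermaven/sh/start.sh` needs the same change; the script's preamble lies outside the hunk, so whether `set -e` is already active cannot be seen here.

```sh
# … unchanged: prop_replace 'nifi.sensitive.props.key' …
if [ -n "${SINGLE_USER_CREDENTIALS_USERNAME:-}" ] || [ -n "${SINGLE_USER_CREDENTIALS_PASSWORD:-}" ]; then
    # Refuse a half-configured pair instead of silently keeping other credentials
    if [ -z "${SINGLE_USER_CREDENTIALS_USERNAME:-}" ] || [ -z "${SINGLE_USER_CREDENTIALS_PASSWORD:-}" ]; then
        echo "SINGLE_USER_CREDENTIALS_USERNAME and SINGLE_USER_CREDENTIALS_PASSWORD must be set together" >&2
        exit 1
    fi
    "${NIFI_HOME}/bin/nifi.sh" set-single-user-credentials \
        "${SINGLE_USER_CREDENTIALS_USERNAME}" "${SINGLE_USER_CREDENTIALS_PASSWORD}" || {
        echo "Setting Single User credentials failed" >&2
        exit 1
    }
fi
```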
@@ -46,11 +46,8 @@ for i in $(seq 1 10) :; do
 sleep 10
 done
-echo "Checking system diagnostics"
-test ${VERSION} = $(docker exec nifi-${TAG}-integration-test bash -c "curl -s -k $IP:8443/nifi-api/system-diagnostics | jq .systemDiagnostics.aggregateSnapshot.versionInfo.niFiVersion -r")
-
-echo "Checking current user with nifi-toolkit cli"
-test "anonymous" = $(docker exec nifi-${TAG}-integration-test bash -c '$NIFI_TOOLKIT_HOME/bin/cli.sh nifi current-user')
+echo "Checking NiFi REST API Access"
+test "200" = $(docker exec nifi-${TAG}-integration-test bash -c "curl -s -o /dev/null -w %{http_code} -k https://$IP:8443/nifi-api/access")
 echo "Stopping NiFi container"
 time docker stop nifi-${TAG}-integration-test
\ No newline at end of file
diff --git a/nifi-docker/dockermaven/sh/start.sh b/nifi-docker/dockermaven/sh/start.sh
index d2f33ef0194d..b3207c5c3c79 100755
--- a/nifi-docker/dockermaven/sh/start.sh
+++ b/nifi-docker/dockermaven/sh/start.sh
@@ -44,6 +44,11 @@ prop_replace 'nifi.cluster.protocol.is.secure' 'true'
 "${scripts_dir}/toolkit.sh"
 prop_replace 'baseUrl' "https://${NIFI_WEB_HTTPS_HOST:-$HOSTNAME}:${NIFI_WEB_HTTPS_PORT:-8443}" ${nifi_toolkit_props_file}
+prop_replace 'keystore' "${NIFI_HOME}/conf/keystore.p12" ${nifi_toolkit_props_file}
+prop_replace 'keystoreType' "PKCS12" ${nifi_toolkit_props_file}
+prop_replace 'truststore' "${NIFI_HOME}/conf/truststore.p12" ${nifi_toolkit_props_file}
+prop_replace 'truststoreType' "PKCS12" ${nifi_toolkit_props_file}
+
 if [ -n "${NIFI_WEB_HTTP_PORT}" ]; then
 prop_replace 'nifi.web.https.port' ''
 prop_replace 'nifi.web.https.host' ''
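Review bot: The replacement check in `nifi-docker/dockermaven/integration-test.sh` only asserts that `/nifi-api/access` answers 200, which shows the API is reachable but not that authentication is enforced, whereas the removed checks at least compared the reported version and the current user. I would add an assertion that an unauthenticated request to a protected resource (for example the previously used `/nifi-api/system-diagnostics`) is rejected, and one that the configured Single User credentials are accepted. The command substitution is unquoted, so an empty response turns the comparison into a `test` usage error instead of a clean mismatch; `test "200" = "$(docker exec "nifi-${TAG}-integration-test" bash -c "curl -s -o /dev/null -w '%{http_code}' -k https://$IP:8443/nifi-api/access")"` avoids that. `-k` turns off certificate verification, presumably because the container's certificate is not issued by a trusted CA, and a one-line comment saying this is deliberate for the test would keep it from being copied elsewhere. The wait loop and the script's preamble are outside the hunk.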
@@ -56,6 +61,10 @@ if [ -n "${NIFI_WEB_HTTP_PORT}" ]; then
 prop_replace 'nifi.security.truststore' ''
 prop_replace 'nifi.security.truststoreType' ''
 prop_replace 'nifi.security.user.login.identity.provider' ''
+ prop_replace 'keystore' '' ${nifi_toolkit_props_file}
+ prop_replace 'keystoreType' '' ${nifi_toolkit_props_file}
+ prop_replace 'truststore' '' ${nifi_toolkit_props_file}
+ prop_replace 'truststoreType' '' ${nifi_toolkit_props_file}
 prop_replace 'baseUrl' "http://${NIFI_WEB_HTTP_HOST:-$HOSTNAME}:${NIFI_WEB_HTTP_PORT}" ${nifi_toolkit_props_file}
 fi
@@ -81,6 +90,10 @@ prop_replace 'nifi.analytics.connection.model.score.threshold' "${NIFI_ANALYTIC
 prop_replace 'nifi.sensitive.props.key' "${NIFI_SENSITIVE_PROPS_KEY:-}"
+if [ -n "${SINGLE_USER_CREDENTIALS_USERNAME}" ] && [ -n "${SINGLE_USER_CREDENTIALS_PASSWORD}" ]; then
+ ${NIFI_HOME}/bin/nifi.sh set-single-user-credentials "${SINGLE_USER_CREDENTIALS_USERNAME}" "${SINGLE_USER_CREDENTIALS_PASSWORD}"
+fi
+
 . "${scripts_dir}/update_cluster_state_management.sh"
 # Check if we are secured or unsecured
From 84e06cf3a41b9c684288889f82574a2333f22b2f Mon Sep 17 00:00:00 2001
From: exceptionfactory
Date: Tue, 22 Jun 2021 13:20:28 -0500
Subject: [PATCH 2/2] NIFI-8725 Disabled integration test plugin for dockerhub
---
 nifi-docker/dockerhub/pom.xml | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/nifi-docker/dockerhub/pom.xml b/nifi-docker/dockerhub/pom.xml
index 3481e56ed962..642c32f9f01a 100644
--- a/nifi-docker/dockerhub/pom.xml
+++ b/nifi-docker/dockerhub/pom.xml
@@ -57,6 +57,7 @@ +