NIFI-8725 Added Single User Environment Variables for Docker

nifi-docker/dockerhub/README.md

@@ -39,8 +39,9 @@ docker run --rm --entrypoint /bin/bash apache/nifi:1.12.0 -c 'readlink /opt/nifi
 
 ## Capabilities
 This image currently supports running in standalone mode either unsecured or with user authentication provided through:
-   * [Two-Way SSL with Client Certificates](http://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#security-configuration)
-   * [Lightweight Directory Access Protocol (LDAP)](http://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#ldap_login_identity_provider)
+  * [Single User Authentication](https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#single_user_identity_provider)    
+  * [Mutual TLS with Client Certificates](https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#security-configuration)
+  * [Lightweight Directory Access Protocol (LDAP)](https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#ldap_login_identity_provider)
 
 This image also contains the NiFi Toolkit (as of version 1.8.0) preconfigured to use either in secure and unsecure mode.
 
@@ -77,15 +78,24 @@ The minimum to run a NiFi instance is as follows:
 This will provide a running instance, exposing the instance UI to the host system on at port 8443,
 viewable at `https://localhost:8443/nifi`.
 
-You can also pass in environment variables to change the NiFi communication ports and hostname using the Docker '-e' switch as follows:
+Environment variables can be used to set the NiFi communication ports and hostname using the Docker '-e' switch as follows:
 
     docker run --name nifi \
       -p 9443:9443 \
       -d \
       -e NIFI_WEB_HTTPS_PORT='9443' \
       apache/nifi:latest
 
-For a list of the environment variables recognised in this build, look into the .sh/secure.sh and .sh/start.sh scripts
+Single User Authentication credentials can be specified using environment variables as follows:
+
+    docker run --name nifi \
+      -p 8443:8443 \
+      -d \
+      -e SINGLE_USER_CREDENTIALS_USERNAME=admin \
+      -e SINGLE_USER_CREDENTIALS_PASSWORD=ctsBtRBKHRAx69EqUghvvgEvjnaLjFEB \
+      apache/nifi:latest
+
+See `secure.sh` and `start.sh` scripts for supported environment variables.
 
 ### Standalone Instance secured with HTTPS and Mutual TLS Authentication
 In this configuration, the user will need to provide certificates and associated configuration information.

nifi-docker/dockerhub/pom.xml

@@ -57,6 +57,7 @@
                             </execution>
                         </executions>
                     </plugin>
+                    <!-- Disabled integration test pending release of Single User Authentication
                     <plugin>
                         <artifactId>exec-maven-plugin</artifactId>
                         <groupId>org.codehaus.mojo</groupId>
@@ -70,13 +71,14 @@
                                 <configuration>
                                     <arguments>
                                         <argument>${project.version}-dockerhub</argument>
-                                        <argument>1.7.0</argument>
+                                        <argument>1.14.0</argument>
                                     </arguments>
                                     <executable>${project.basedir}/../dockermaven/integration-test.sh</executable>
                                 </configuration>
                             </execution>
                         </executions>
                     </plugin>
+                    -->
                 </plugins>
             </build>
         </profile>

nifi-docker/dockerhub/sh/start.sh

@@ -44,6 +44,11 @@ prop_replace 'nifi.cluster.protocol.is.secure'  'true'
 "${scripts_dir}/toolkit.sh"
 prop_replace 'baseUrl' "https://${NIFI_WEB_HTTPS_HOST:-$HOSTNAME}:${NIFI_WEB_HTTPS_PORT:-8443}" ${nifi_toolkit_props_file}
 
+prop_replace 'keystore'           "${NIFI_HOME}/conf/keystore.p12"      ${nifi_toolkit_props_file}
+prop_replace 'keystoreType'       "PKCS12"                              ${nifi_toolkit_props_file}
+prop_replace 'truststore'         "${NIFI_HOME}/conf/truststore.p12"    ${nifi_toolkit_props_file}
+prop_replace 'truststoreType'     "PKCS12"                              ${nifi_toolkit_props_file}
+
 if [ -n "${NIFI_WEB_HTTP_PORT}" ]; then
     prop_replace 'nifi.web.https.port'                        ''
     prop_replace 'nifi.web.https.host'                        ''
@@ -56,6 +61,10 @@ if [ -n "${NIFI_WEB_HTTP_PORT}" ]; then
     prop_replace 'nifi.security.truststore'                   ''
     prop_replace 'nifi.security.truststoreType'               ''
     prop_replace 'nifi.security.user.login.identity.provider' ''
+    prop_replace 'keystore'                                   '' ${nifi_toolkit_props_file}
+    prop_replace 'keystoreType'                               '' ${nifi_toolkit_props_file}
+    prop_replace 'truststore'                                 '' ${nifi_toolkit_props_file}
+    prop_replace 'truststoreType'                             '' ${nifi_toolkit_props_file}
     prop_replace 'baseUrl' "http://${NIFI_WEB_HTTP_HOST:-$HOSTNAME}:${NIFI_WEB_HTTP_PORT}" ${nifi_toolkit_props_file}
 fi
 
@@ -81,6 +90,10 @@ prop_replace 'nifi.analytics.connection.model.score.threshold'  "${NIFI_ANALYTIC
 
 prop_replace 'nifi.sensitive.props.key'   "${NIFI_SENSITIVE_PROPS_KEY:-}"
 
+if [ -n "${SINGLE_USER_CREDENTIALS_USERNAME}" ] && [ -n "${SINGLE_USER_CREDENTIALS_PASSWORD}" ]; then
+    ${NIFI_HOME}/bin/nifi.sh set-single-user-credentials "${SINGLE_USER_CREDENTIALS_USERNAME}" "${SINGLE_USER_CREDENTIALS_PASSWORD}"
+fi
+
 . "${scripts_dir}/update_cluster_state_management.sh"
 
 # Check if we are secured or unsecured

nifi-docker/dockermaven/integration-test.sh

@@ -46,11 +46,8 @@ for i in $(seq 1 10) :; do
     sleep 10
 done
 
-echo "Checking system diagnostics"
-test ${VERSION} = $(docker exec nifi-${TAG}-integration-test bash -c "curl -s -k $IP:8443/nifi-api/system-diagnostics | jq .systemDiagnostics.aggregateSnapshot.versionInfo.niFiVersion -r")
-
-echo "Checking current user with nifi-toolkit cli"
-test "anonymous" = $(docker exec nifi-${TAG}-integration-test bash -c '$NIFI_TOOLKIT_HOME/bin/cli.sh nifi current-user')
+echo "Checking NiFi REST API Access"
+test "200" = $(docker exec nifi-${TAG}-integration-test bash -c "curl -s -o /dev/null -w %{http_code} -k https://$IP:8443/nifi-api/access")
 
 echo "Stopping NiFi container"
 time docker stop nifi-${TAG}-integration-test

nifi-docker/dockermaven/sh/start.sh

@@ -44,6 +44,11 @@ prop_replace 'nifi.cluster.protocol.is.secure'  'true'
 "${scripts_dir}/toolkit.sh"
 prop_replace 'baseUrl' "https://${NIFI_WEB_HTTPS_HOST:-$HOSTNAME}:${NIFI_WEB_HTTPS_PORT:-8443}" ${nifi_toolkit_props_file}
 
+prop_replace 'keystore'           "${NIFI_HOME}/conf/keystore.p12"      ${nifi_toolkit_props_file}
+prop_replace 'keystoreType'       "PKCS12"                              ${nifi_toolkit_props_file}
+prop_replace 'truststore'         "${NIFI_HOME}/conf/truststore.p12"    ${nifi_toolkit_props_file}
+prop_replace 'truststoreType'     "PKCS12"                              ${nifi_toolkit_props_file}
+
 if [ -n "${NIFI_WEB_HTTP_PORT}" ]; then
     prop_replace 'nifi.web.https.port'                        ''
     prop_replace 'nifi.web.https.host'                        ''
@@ -56,6 +61,10 @@ if [ -n "${NIFI_WEB_HTTP_PORT}" ]; then
     prop_replace 'nifi.security.truststore'                   ''
     prop_replace 'nifi.security.truststoreType'               ''
     prop_replace 'nifi.security.user.login.identity.provider' ''
+    prop_replace 'keystore'                                   '' ${nifi_toolkit_props_file}
+    prop_replace 'keystoreType'                               '' ${nifi_toolkit_props_file}
+    prop_replace 'truststore'                                 '' ${nifi_toolkit_props_file}
+    prop_replace 'truststoreType'                             '' ${nifi_toolkit_props_file}
     prop_replace 'baseUrl' "http://${NIFI_WEB_HTTP_HOST:-$HOSTNAME}:${NIFI_WEB_HTTP_PORT}" ${nifi_toolkit_props_file}
 fi
 
@@ -81,6 +90,10 @@ prop_replace 'nifi.analytics.connection.model.score.threshold'  "${NIFI_ANALYTIC
 
 prop_replace 'nifi.sensitive.props.key'   "${NIFI_SENSITIVE_PROPS_KEY:-}"
 
+if [ -n "${SINGLE_USER_CREDENTIALS_USERNAME}" ] && [ -n "${SINGLE_USER_CREDENTIALS_PASSWORD}" ]; then
+    ${NIFI_HOME}/bin/nifi.sh set-single-user-credentials "${SINGLE_USER_CREDENTIALS_USERNAME}" "${SINGLE_USER_CREDENTIALS_PASSWORD}"
+fi
+
 . "${scripts_dir}/update_cluster_state_management.sh"
 
 # Check if we are secured or unsecured