alopresto/NIFI-5973_login-identity-providers.xml

## NIFI-5973_login-identity-providers.xml
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<!--
  Licensed to the Apache Software Foundation (ASF) under one or more
  contributor license agreements.  See the NOTICE file distributed with
  this work for additional information regarding copyright ownership.
  The ASF licenses this file to You under the Apache License, Version 2.0
  (the "License"); you may not use this file except in compliance with
  the License.  You may obtain a copy of the License at
      http://www.apache.org/licenses/LICENSE-2.0
  Unless required by applicable law or agreed to in writing, software
  distributed under the License is distributed on an "AS IS" BASIS,
  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  See the License for the specific language governing permissions and
  limitations under the License.
-->
<!--
    This file lists the login identity providers to use when running securely. In order
    to use a specific provider it must be configured here and it's identifier
    must be specified in the nifi.properties file.
-->
<loginIdentityProviders>
    <!--
        Identity Provider for users logging in with username/password against an LDAP server.

        'Authentication Strategy' - How the connection to the LDAP server is authenticated. Possible
            values are ANONYMOUS, SIMPLE, LDAPS, or START_TLS.

        'Manager DN' - The DN of the manager that is used to bind to the LDAP server to search for users.
        'Manager Password' - The password of the manager that is used to bind to the LDAP server to
            search for users.

        'TLS - Keystore' - Path to the Keystore that is used when connecting to LDAP using LDAPS or START_TLS.
        'TLS - Keystore Password' - Password for the Keystore that is used when connecting to LDAP
            using LDAPS or START_TLS.
        'TLS - Keystore Type' - Type of the Keystore that is used when connecting to LDAP using
            LDAPS or START_TLS (i.e. JKS or PKCS12).
        'TLS - Truststore' - Path to the Truststore that is used when connecting to LDAP using LDAPS or START_TLS.
        'TLS - Truststore Password' - Password for the Truststore that is used when connecting to
            LDAP using LDAPS or START_TLS.
        'TLS - Truststore Type' - Type of the Truststore that is used when connecting to LDAP using
            LDAPS or START_TLS (i.e. JKS or PKCS12).
        'TLS - Client Auth' - Client authentication policy when connecting to LDAP using LDAPS or START_TLS.
            Possible values are REQUIRED, WANT, NONE.
        'TLS - Protocol' - Protocol to use when connecting to LDAP using LDAPS or START_TLS. (i.e. TLS,
            TLSv1.1, TLSv1.2, etc).
        'TLS - Shutdown Gracefully' - Specifies whether the TLS should be shut down gracefully
            before the target context is closed. Defaults to false.

        'Referral Strategy' - Strategy for handling referrals. Possible values are FOLLOW, IGNORE, THROW.
        'Connect Timeout' - Duration of connect timeout. (i.e. 10 secs).
        'Read Timeout' - Duration of read timeout. (i.e. 10 secs).

        'Url' - Space-separated list of URLs of the LDAP servers (i.e. ldap://<hostname>:<port>).
        'User Search Base' - Base DN for searching for users (i.e. CN=Users,DC=example,DC=com).
        'User Search Filter' - Filter for searching for users against the 'User Search Base'.
            (i.e. sAMAccountName={0}). The user specified name is inserted into '{0}'.

        'Identity Strategy' - Strategy to identify users. Possible values are USE_DN and USE_USERNAME.
            The default functionality if this property is missing is USE_DN in order to retain
            backward compatibility. USE_DN will use the full DN of the user entry if possible.
            USE_USERNAME will use the username the user logged in with.
        'Authentication Expiration' - The duration of how long the user authentication is valid
            for. If the user never logs out, they will be required to log back in following
            this duration.
    -->

    <provider>
        <identifier>ldap-provider</identifier>
        <class>org.apache.nifi.ldap.LdapProvider</class>
        <property name="Authentication Strategy">SIMPLE</property>

        <property name="Manager DN">uid=admin,ou=system</property>
        <property name="Manager Password">secret</property>

        <property name="TLS - Keystore"></property>
        <property name="TLS - Keystore Password"></property>
        <property name="TLS - Keystore Type"></property>
        <property name="TLS - Truststore"></property>
        <property name="TLS - Truststore Password"></property>
        <property name="TLS - Truststore Type"></property>
        <property name="TLS - Client Auth"></property>
        <property name="TLS - Protocol"></property>
        <property name="TLS - Shutdown Gracefully"></property>

        <property name="Referral Strategy">FOLLOW</property>
        <property name="Connect Timeout">10 secs</property>
        <property name="Read Timeout">10 secs</property>

        <property name="Url">ldap://localhost:10389</property>
        <property name="User Search Base">ou=people,dc=nifi,dc=com</property>
        <property name="User Search Filter">uid={0}</property>

        <property name="Identity Strategy">USE_DN</property>
        <property name="Authentication Expiration">12 hours</property>
    </provider>


    <!--
        Identity Provider for users logging in with username/password against a Kerberos KDC server.

        'Default Realm' - Default realm to provide when user enters incomplete user principal (i.e. NIFI.APACHE.ORG).
        'Authentication Expiration' - The duration of how long the user authentication is valid for. If the user never logs out, they will be required to log back in following this duration.
    -->
    <!-- To enable the kerberos-provider remove 2 lines. This is 1 of 2.
    <provider>
        <identifier>kerberos-provider</identifier>
        <class>org.apache.nifi.kerberos.KerberosProvider</class>
        <property name="Default Realm">NIFI.APACHE.ORG</property>
        <property name="Authentication Expiration">12 hours</property>
    </provider>
    To enable the kerberos-provider remove 2 lines. This is 2 of 2. -->
</loginIdentityProviders>
	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
	<!--
	Licensed to the Apache Software Foundation (ASF) under one or more
	contributor license agreements. See the NOTICE file distributed with
	this work for additional information regarding copyright ownership.
	The ASF licenses this file to You under the Apache License, Version 2.0
	(the "License"); you may not use this file except in compliance with
	the License. You may obtain a copy of the License at
	http://www.apache.org/licenses/LICENSE-2.0
	Unless required by applicable law or agreed to in writing, software
	distributed under the License is distributed on an "AS IS" BASIS,
	WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
	See the License for the specific language governing permissions and
	limitations under the License.
	-->
	<!--
	This file lists the login identity providers to use when running securely. In order
	to use a specific provider it must be configured here and it's identifier
	must be specified in the nifi.properties file.
	-->
	<loginIdentityProviders>
	<!--
	Identity Provider for users logging in with username/password against an LDAP server.

	'Authentication Strategy' - How the connection to the LDAP server is authenticated. Possible
	values are ANONYMOUS, SIMPLE, LDAPS, or START_TLS.

	'Manager DN' - The DN of the manager that is used to bind to the LDAP server to search for users.
	'Manager Password' - The password of the manager that is used to bind to the LDAP server to
	search for users.

	'TLS - Keystore' - Path to the Keystore that is used when connecting to LDAP using LDAPS or START_TLS.
	'TLS - Keystore Password' - Password for the Keystore that is used when connecting to LDAP
	using LDAPS or START_TLS.
	'TLS - Keystore Type' - Type of the Keystore that is used when connecting to LDAP using
	LDAPS or START_TLS (i.e. JKS or PKCS12).
	'TLS - Truststore' - Path to the Truststore that is used when connecting to LDAP using LDAPS or START_TLS.
	'TLS - Truststore Password' - Password for the Truststore that is used when connecting to
	LDAP using LDAPS or START_TLS.
	'TLS - Truststore Type' - Type of the Truststore that is used when connecting to LDAP using
	LDAPS or START_TLS (i.e. JKS or PKCS12).
	'TLS - Client Auth' - Client authentication policy when connecting to LDAP using LDAPS or START_TLS.
	Possible values are REQUIRED, WANT, NONE.
	'TLS - Protocol' - Protocol to use when connecting to LDAP using LDAPS or START_TLS. (i.e. TLS,
	TLSv1.1, TLSv1.2, etc).
	'TLS - Shutdown Gracefully' - Specifies whether the TLS should be shut down gracefully
	before the target context is closed. Defaults to false.

	'Referral Strategy' - Strategy for handling referrals. Possible values are FOLLOW, IGNORE, THROW.
	'Connect Timeout' - Duration of connect timeout. (i.e. 10 secs).
	'Read Timeout' - Duration of read timeout. (i.e. 10 secs).

	'Url' - Space-separated list of URLs of the LDAP servers (i.e. ldap://<hostname>:<port>).
	'User Search Base' - Base DN for searching for users (i.e. CN=Users,DC=example,DC=com).
	'User Search Filter' - Filter for searching for users against the 'User Search Base'.
	(i.e. sAMAccountName={0}). The user specified name is inserted into '{0}'.

	'Identity Strategy' - Strategy to identify users. Possible values are USE_DN and USE_USERNAME.
	The default functionality if this property is missing is USE_DN in order to retain
	backward compatibility. USE_DN will use the full DN of the user entry if possible.
	USE_USERNAME will use the username the user logged in with.
	'Authentication Expiration' - The duration of how long the user authentication is valid
	for. If the user never logs out, they will be required to log back in following
	this duration.
	-->

	<provider>
	<identifier>ldap-provider</identifier>
	<class>org.apache.nifi.ldap.LdapProvider</class>
	<property name="Authentication Strategy">SIMPLE</property>

	<property name="Manager DN">uid=admin,ou=system</property>
	<property name="Manager Password">secret</property>

	<property name="TLS - Keystore"></property>
	<property name="TLS - Keystore Password"></property>
	<property name="TLS - Keystore Type"></property>
	<property name="TLS - Truststore"></property>
	<property name="TLS - Truststore Password"></property>
	<property name="TLS - Truststore Type"></property>
	<property name="TLS - Client Auth"></property>
	<property name="TLS - Protocol"></property>
	<property name="TLS - Shutdown Gracefully"></property>

	<property name="Referral Strategy">FOLLOW</property>
	<property name="Connect Timeout">10 secs</property>
	<property name="Read Timeout">10 secs</property>

	<property name="Url">ldap://localhost:10389</property>
	<property name="User Search Base">ou=people,dc=nifi,dc=com</property>
	<property name="User Search Filter">uid={0}</property>

	<property name="Identity Strategy">USE_DN</property>
	<property name="Authentication Expiration">12 hours</property>
	</provider>


	<!--
	Identity Provider for users logging in with username/password against a Kerberos KDC server.

	'Default Realm' - Default realm to provide when user enters incomplete user principal (i.e. NIFI.APACHE.ORG).
	'Authentication Expiration' - The duration of how long the user authentication is valid for. If the user never logs out, they will be required to log back in following this duration.
	-->
	<!-- To enable the kerberos-provider remove 2 lines. This is 1 of 2.
	<provider>
	<identifier>kerberos-provider</identifier>
	<class>org.apache.nifi.kerberos.KerberosProvider</class>
	<property name="Default Realm">NIFI.APACHE.ORG</property>
	<property name="Authentication Expiration">12 hours</property>
	</provider>
	To enable the kerberos-provider remove 2 lines. This is 2 of 2. -->
	</loginIdentityProviders>