Identity Mapping Properties
These properties can be utilized to normalize user identities. When implemented, identities authenticated by different identity providers (certificates, LDAP, Kerberos) are treated the same internally in NiFi Registry. As a result, duplicate users are avoided and user-specific configurations such as authorizations only need to be setup once per user.
The following examples demonstrate normalizing DNs from certificates and principals from Kerberos:
nifi.registry.security.identity.mapping.pattern.dn=^CN=(.*?), OU=(.*?), O=(.*?), L=(.*?), ST=(.*?), C=(.*?)$ nifi.registry.security.identity.mapping.value.dn=$1@$2 nifi.registry.security.identity.mapping.transform.dn=NONE nifi.registry.security.identity.mapping.pattern.kerb=^(.*?)/instance@(.*?)$ nifi.registry.security.identity.mapping.value.kerb=$1@$2 nifi.registry.security.identity.mapping.transform.kerb=NONE
The last segment of each property is an identifier used to associate the pattern with the replacement value. When a user makes a request to NiFi Registry, their identity is checked to see if it matches each of those patterns in lexicographical order. For the first one that matches, the replacement specified in the
nifi.registry.security.identity.mapping.value.xxxx property is used. So a login with
CN=localhost, OU=Apache NiFi, O=Apache, L=Santa Monica, ST=CA, C=US matches the DN mapping pattern above and the DN mapping value
$1@$2 is applied. The user is normalized to
In addition to mapping, a transform may be applied. The supported versions are
NONE (no transform applied),
LOWER (identity lowercased), and
UPPER (identity uppercased). If not specified, the default value is
These mappings are also applied to the "Initial Admin Identity" in the authorizers.xml file, as well as users imported from LDAP (See Authorizers.xml Setup).
Group names can also be mapped. The following example will accept the existing group name but will lowercase it. This may be helpful when used in conjunction with an external authorizer.
nifi.registry.security.group.mapping.pattern.anygroup=^(.*)$ nifi.registry.security.group.mapping.value.anygroup=$1 nifi.registry.security.group.mapping.transform.anygroup=LOWER
These mappings are applied to groups imported from LDAP.