From 4604bc98f3bb30c288fcf36027d88d3e2f3774d5 Mon Sep 17 00:00:00 2001 From: Happy Code Date: Mon, 12 Jun 2023 16:02:03 +0300 Subject: [PATCH 1/6] Update nifi.properties - Add values - nifi.security.user.oidc.preferred.jwsalgorithm={{.Values.auth.oidc.preferredJwsalgorithm}} --- configs/nifi.properties | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/configs/nifi.properties b/configs/nifi.properties index d4cfd899..1652b975 100644 --- a/configs/nifi.properties +++ b/configs/nifi.properties @@ -197,7 +197,7 @@ nifi.security.user.oidc.connect.timeout=5 secs nifi.security.user.oidc.read.timeout=5 secs nifi.security.user.oidc.client.id={{.Values.auth.oidc.clientId}} nifi.security.user.oidc.client.secret={{.Values.auth.oidc.clientSecret}} -nifi.security.user.oidc.preferred.jwsalgorithm= +nifi.security.user.oidc.preferred.jwsalgorithm={{.Values.auth.oidc.preferredJwsalgorithm}} nifi.security.user.oidc.claim.identifying.user={{.Values.auth.oidc.claimIdentifyingUser}} nifi.security.user.oidc.additional.scopes={{.Values.auth.oidc.additionalScopes}} {{end}} From edb3958809bd0ff74b868253fd85566b48e79566 Mon Sep 17 00:00:00 2001 From: Happy Code Date: Mon, 12 Jun 2023 16:03:40 +0300 Subject: [PATCH 2/6] Update values.yaml - Add auth.oidc.preferredJwsalgorithm value --- values.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/values.yaml b/values.yaml index 158bdfed..f8c42582 100644 --- a/values.yaml +++ b/values.yaml @@ -149,6 +149,7 @@ auth: clientSecret: # claimIdentifyingUser: email admin: nifi@example.com + preferredJwsalgorithm: ## Request additional scopes, for example profile additionalScopes: From 911de224a063a90d049286418da6f61240c8cdb9 Mon Sep 17 00:00:00 2001 From: Happy Code Date: Mon, 12 Jun 2023 16:07:04 +0300 Subject: [PATCH 3/6] Update README.md - Add info about nifi.security.user.oidc.preferred.jwsalgorithm --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index d5c51035..b97df010 100644 --- a/README.md 
+++ b/README.md @@ -155,6 +155,7 @@ The following table lists the configurable parameters of the nifi chart and the | `auth.oidc.clientId` | oidc clientId | `nil` | | `auth.oidc.clientSecret` | oidc clientSecret | `nil` | | `auth.oidc.claimIdentifyingUser` | oidc claimIdentifyingUser | `email` | +| `auth.oidc.preferredJwsalgorithm` | The preferred algorithm for validating identity tokens. If this value is blank, it will default to RS256 which is required to be supported by the OpenID Connect Provider according to the specification. If this value is HS256, HS384, or HS512, NiFi will attempt to validate HMAC protected tokens using the specified client secret. If this value is none, NiFi will attempt to validate unsecured/plain tokens. | `nil` | | `auth.oidc.admin` | Default OIDC admin identity | `nifi@example.com` | | Note that OIDC authentication to a multi-NiFi-node cluster requires Ingress sticky sessions | See [background](https://community.cloudera.com/t5/Support-Questions/OIDC-With-Azure-AD/m-p/232324#M194163) | Also [how](https://kubernetes.github.io/ingress-nginx/examples/affinity/cookie/) | | **postStart** | From 343fe1efcc91522980df4c9642075dc190723760 Mon Sep 17 00:00:00 2001 From: Happy Code Date: Wed, 14 Jun 2023 04:15:54 +0300 Subject: [PATCH 4/6] Update nifi.properties - preferredJwsalgorithm -> preferredJwsAlgorithm --- configs/nifi.properties | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/configs/nifi.properties b/configs/nifi.properties index 1652b975..06d74aec 100644 --- a/configs/nifi.properties +++ b/configs/nifi.properties 
@@ -197,7 +197,7 @@ nifi.security.user.oidc.connect.timeout=5 secs nifi.security.user.oidc.read.timeout=5 secs nifi.security.user.oidc.client.id={{.Values.auth.oidc.clientId}} nifi.security.user.oidc.client.secret={{.Values.auth.oidc.clientSecret}} -nifi.security.user.oidc.preferred.jwsalgorithm={{.Values.auth.oidc.preferredJwsalgorithm}} +nifi.security.user.oidc.preferred.jwsalgorithm={{.Values.auth.oidc.preferredJwsAlgorithm}} nifi.security.user.oidc.claim.identifying.user={{.Values.auth.oidc.claimIdentifyingUser}} nifi.security.user.oidc.additional.scopes={{.Values.auth.oidc.additionalScopes}} {{end}} From 1aff4a89b0cf533921309a493c8274371e3c319a Mon Sep 17 00:00:00 2001 From: Happy Code Date: Wed, 14 Jun 2023 04:16:32 +0300 Subject: [PATCH 5/6] Update values.yaml - Changed preferredJwsalgorithm -> preferredJwsAlgorithm --- values.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/values.yaml b/values.yaml index f8c42582..9b1597ef 100644 --- a/values.yaml +++ b/values.yaml @@ -149,7 +149,7 @@ auth: clientSecret: # claimIdentifyingUser: email admin: nifi@example.com - preferredJwsalgorithm: + preferredJwsAlgorithm: ## Request additional scopes, for example profile additionalScopes: From 4a8fe67ed6603dcedd33f76bc341d941ad53110d Mon Sep 17 00:00:00 2001 From: Happy Code Date: Wed, 14 Jun 2023 04:16:59 +0300 Subject: [PATCH 6/6] Update README.md - preferredJwsalgorithm -> preferredJwsAlgorithm --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index b97df010..7b76efaa 100644 --- a/README.md +++ b/README.md 
@@ -155,7 +155,7 @@ The following table lists the configurable parameters of the nifi chart and the | `auth.oidc.clientId` | oidc clientId | `nil` | | `auth.oidc.clientSecret` | oidc clientSecret | `nil` | | `auth.oidc.claimIdentifyingUser` | oidc claimIdentifyingUser | `email` | -| `auth.oidc.preferredJwsalgorithm` | The preferred algorithm for validating identity tokens. If this value is blank, it will default to RS256 which is required to be supported by the OpenID Connect Provider according to the specification. If this value is HS256, HS384, or HS512, NiFi will attempt to validate HMAC protected tokens using the specified client secret. If this value is none, NiFi will attempt to validate unsecured/plain tokens. | `nil` | +| `auth.oidc.preferredJwsAlgorithm` | The preferred algorithm for validating identity tokens. If this value is blank, it will default to RS256 which is required to be supported by the OpenID Connect Provider according to the specification. If this value is HS256, HS384, or HS512, NiFi will attempt to validate HMAC protected tokens using the specified client secret. If this value is none, NiFi will attempt to validate unsecured/plain tokens. | `nil` | | `auth.oidc.admin` | Default OIDC admin identity | `nifi@example.com` | | Note that OIDC authentication to a multi-NiFi-node cluster requires Ingress sticky sessions | See [background](https://community.cloudera.com/t5/Support-Questions/OIDC-With-Azure-AD/m-p/232324#M194163) | Also [how](https://kubernetes.github.io/ingress-nginx/examples/affinity/cookie/) | | **postStart** |
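Review bot: In PATCH 1/6 (configs/nifi.properties, hunk at line 197) the new line `nifi.security.user.oidc.preferred.jwsalgorithm={{.Values.auth.oidc.preferredJwsalgorithm}}` copies whatever the chart user sets straight into the property with no check. According to the README row added in PATCH 3/6, `none` makes NiFi validate unsecured/plain tokens and HS256/HS384/HS512 switch validation to an HMAC keyed with the client secret from the line above. Suggest validating the value in the template against the set the README names and failing the render (Helm's `fail`) on anything else, with `none` accepted only behind an explicit opt-in value.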
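Review bot: In PATCH 2/6 (values.yaml, hunk at line 149) the key `preferredJwsalgorithm:` is added with no comment, between `admin: nifi@example.com` and the `## Request additional scopes` comment that belongs to `additionalScopes`. Someone reading values.yaml alone cannot tell which values are accepted or that leaving it blank means RS256. Add a `##` comment above the key, in the style already used for `additionalScopes`, listing the accepted values and the blank behaviour.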
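Review bot: In PATCH 3/6 (README.md, hunk at line 155) the new `auth.oidc.preferredJwsalgorithm` row gives the default as `nil` while its own description says a blank value results in RS256; state the effective default so the two columns agree. The same row documents `none` in the same neutral tone as the other options, although an unsecured token carries no signature to check. Suggest marking `none` in the description as a test-only setting, and noting that the HS* options make the client secret the token verification key.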
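Review bot: In PATCH 4/6 (configs/nifi.properties, hunk at line 197) the template starts reading `.Values.auth.oidc.preferredJwsAlgorithm`, but values.yaml still declares `preferredJwsalgorithm` until PATCH 5/6 and the README still documents the old spelling until PATCH 6/6. At this commit a value set under the key the chart's own values.yaml declares is silently ignored, which breaks bisecting. Suggest squashing patches 4 to 6 into patches 1 to 3 so the key is introduced once with its final name, or at least doing the rename across all three files in a single commit.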