NIFI-13295 Removed Apache Knox SSO Authentication

This closes #8876

Signed-off-by: Joseph Witt <joewitt@apache.org>

nifi-commons/nifi-properties/src/main/java/org/apache/nifi/util/NiFiProperties.java

@@ -39,7 +39,6 @@
 import java.util.Properties;
 import java.util.Set;
 import java.util.stream.Collectors;
-import java.util.stream.Stream;
 
 /**
  * The NiFiProperties class holds all properties which are needed for various
@@ -181,12 +180,6 @@ public class NiFiProperties extends ApplicationProperties {
     public static final String SECURITY_USER_OIDC_FALLBACK_CLAIMS_IDENTIFYING_USER = "nifi.security.user.oidc.fallback.claims.identifying.user";
     public static final String SECURITY_USER_OIDC_TOKEN_REFRESH_WINDOW = "nifi.security.user.oidc.token.refresh.window";
 
-    // apache knox
-    public static final String SECURITY_USER_KNOX_URL = "nifi.security.user.knox.url";
-    public static final String SECURITY_USER_KNOX_PUBLIC_KEY = "nifi.security.user.knox.publicKey";
-    public static final String SECURITY_USER_KNOX_COOKIE_NAME = "nifi.security.user.knox.cookieName";
-    public static final String SECURITY_USER_KNOX_AUDIENCES = "nifi.security.user.knox.audiences";
-
     // saml
     public static final String SECURITY_USER_SAML_IDP_METADATA_URL = "nifi.security.user.saml.idp.metadata.url";
     public static final String SECURITY_USER_SAML_SP_ENTITY_ID = "nifi.security.user.saml.sp.entity.id";
@@ -1149,57 +1142,6 @@ public String getDiagnosticsOnShutdownDirectoryMaxSize() {
         return getProperty(DIAGNOSTICS_ON_SHUTDOWN_MAX_DIRECTORY_SIZE, DEFAULT_DIAGNOSTICS_ON_SHUTDOWN_MAX_DIRECTORY_SIZE);
     }
 
-    /**
-     * Returns whether Knox SSO is enabled.
-     *
-     * @return whether Knox SSO is enabled
-     */
-    public boolean isKnoxSsoEnabled() {
-        return !StringUtils.isBlank(getKnoxUrl());
-    }
-
-    /**
-     * Returns the Knox URL.
-     *
-     * @return Knox URL
-     */
-    public String getKnoxUrl() {
-        return getProperty(SECURITY_USER_KNOX_URL);
-    }
-
-    /**
-     * Gets the configured Knox Audiences.
-     *
-     * @return Knox audiences
-     */
-    public Set<String> getKnoxAudiences() {
-        final String rawAudiences = getProperty(SECURITY_USER_KNOX_AUDIENCES);
-        if (StringUtils.isBlank(rawAudiences)) {
-            return null;
-        } else {
-            final String[] audienceTokens = rawAudiences.split(",");
-            return Stream.of(audienceTokens).map(String::trim).filter(aud -> !StringUtils.isEmpty(aud)).collect(Collectors.toSet());
-        }
-    }
-
-    /**
-     * Returns the path to the Knox public key.
-     *
-     * @return path to the Knox public key
-     */
-    public Path getKnoxPublicKeyPath() {
-        return Paths.get(getProperty(SECURITY_USER_KNOX_PUBLIC_KEY));
-    }
-
-    /**
-     * Returns the name of the Knox cookie.
-     *
-     * @return name of the Knox cookie
-     */
-    public String getKnoxCookieName() {
-        return getProperty(SECURITY_USER_KNOX_COOKIE_NAME);
-    }
-
     /**
      * Returns whether SAML is enabled.
      *
@@ -1354,7 +1296,6 @@ public String getSamlHttpClientReadTimeout() {
      * - login identity provider is not populated
      * - Kerberos service support is not enabled
      * - openid connect is not enabled
-     * - knox sso is not enabled
      * - anonymous authentication is not enabled
      * </p>
      *
@@ -1363,7 +1304,6 @@ public String getSamlHttpClientReadTimeout() {
     public boolean isClientAuthRequiredForRestApi() {
         return !isLoginIdentityProviderEnabled()
                 && !isOidcEnabled()
-                && !isKnoxSsoEnabled()
                 && !isSamlEnabled()
                 && !isAnonymousAuthenticationAllowed();
     }

nifi-docs/src/main/asciidoc/administration-guide.adoc

@@ -347,9 +347,6 @@ used. The default value of this property is `single-user-provider` supporting au
 For Single sign-on authentication, NiFi will redirect users to the Identity Provider before returning to NiFi. NiFi will then
 process responses and convert attributes to application token information.
 
-During Apache Knox authentication, NiFi will redirect users to login with Apache Knox before returning to NiFi. NiFi will verify the Apache Knox
-token during authentication.
-
 NOTE: NiFi cannot be configured for multiple authentication strategies simultaneously.
 NiFi will require client certificates for authenticating users over HTTPS if no other strategies have been configured.
 
@@ -638,21 +635,6 @@ SAML authentication enables the following REST API resources for integration wit
 | /nifi-api/access/saml/single-logout/request  | Complete SAML 2.0 Single Logout processing initiating a request to the Asserting Party. Requires Single Logout to be enabled.
 |======================================
 
-[[apache_knox]]
-=== Apache Knox
-
-To enable authentication via Apache Knox the following properties must be configured in _nifi.properties_.
-
-[options="header"]
-|==================================================================================================================================================
-| Property Name | Description
-|`nifi.security.user.knox.url` | The URL for the Apache Knox login page.
-|`nifi.security.user.knox.publicKey` | The path to the Apache Knox public key that will be used to verify the signatures of the authentication tokens in the HTTP Cookie.
-|`nifi.security.user.knox.cookieName` | The name of the HTTP Cookie that Apache Knox will generate after successful login. The default value is `hadoop-jwt`.
-|`nifi.security.user.knox.audiences` | Optional. A comma separate listed of allowed audiences. If set, the audience in the token must be present in
-this listing. The audience that is populated in the token can be configured in Knox.
-|==================================================================================================================================================
-
 [[json_web_token]]
 === JSON Web Tokens
 

nifi-framework-bundle/nifi-framework/nifi-framework-cluster/src/main/java/org/apache/nifi/cluster/coordination/http/replication/ThreadPoolRequestReplicator.java

@@ -250,11 +250,6 @@ void updateRequestHeaders(final Map<String, String> headers, final NiFiUser user
         // remove the access token if present, since the user is already authenticated... authorization
         // will happen when the request is replicated using the proxy chain above
         removeHeader(headers, SecurityHeader.AUTHORIZATION.getHeader());
-
-        // if knox sso cookie name is set, remove any authentication cookie since this user is already authenticated
-        // and will be included in the proxied entities chain above... authorization will happen when the
-        // request is replicated
-        removeCookie(headers, nifiProperties.getKnoxCookieName());
         removeCookie(headers, SecurityCookieName.AUTHORIZATION_BEARER.getName());
         removeCookie(headers, SecurityCookieName.REQUEST_TOKEN.getName());
 

nifi-framework-bundle/nifi-framework/nifi-resources/pom.xml

@@ -174,12 +174,6 @@
         <nifi.security.user.oidc.truststore.strategy>JDK</nifi.security.user.oidc.truststore.strategy>
         <nifi.security.user.oidc.token.refresh.window>60 secs</nifi.security.user.oidc.token.refresh.window>
 
-        <!-- nifi.properties: apache knox -->
-        <nifi.security.user.knox.url />
-        <nifi.security.user.knox.publicKey />
-        <nifi.security.user.knox.cookieName>hadoop-jwt</nifi.security.user.knox.cookieName>
-        <nifi.security.user.knox.audiences />
-
         <!-- nifi.properties: saml -->
         <nifi.security.user.saml.idp.metadata.url />
         <nifi.security.user.saml.sp.entity.id />

nifi-framework-bundle/nifi-framework/nifi-resources/src/main/resources/conf/nifi.properties

@@ -219,12 +219,6 @@ nifi.security.user.oidc.claim.groups=${nifi.security.user.oidc.claim.groups}
 nifi.security.user.oidc.truststore.strategy=${nifi.security.user.oidc.truststore.strategy}
 nifi.security.user.oidc.token.refresh.window=${nifi.security.user.oidc.token.refresh.window}
 
-# Apache Knox SSO Properties #
-nifi.security.user.knox.url=${nifi.security.user.knox.url}
-nifi.security.user.knox.publicKey=${nifi.security.user.knox.publicKey}
-nifi.security.user.knox.cookieName=${nifi.security.user.knox.cookieName}
-nifi.security.user.knox.audiences=${nifi.security.user.knox.audiences}
-
 # SAML Properties #
 nifi.security.user.saml.idp.metadata.url=${nifi.security.user.saml.idp.metadata.url}
 nifi.security.user.saml.sp.entity.id=${nifi.security.user.saml.sp.entity.id}

nifi-framework-bundle/nifi-framework/nifi-web/nifi-jetty/src/main/java/org/apache/nifi/web/server/JettyServer.java

@@ -284,7 +284,6 @@ private Handler loadInitialWars(final Set<Bundle> bundles) {
         // load the web ui app
         final WebAppContext webUiContext = loadWar(webUiWar, CONTEXT_PATH_NIFI, frameworkClassLoader);
         webUiContext.getInitParams().put("oidc-supported", String.valueOf(props.isOidcEnabled()));
-        webUiContext.getInitParams().put("knox-supported", String.valueOf(props.isKnoxSsoEnabled()));
         webUiContext.getInitParams().put("saml-supported", String.valueOf(props.isSamlEnabled()));
         webUiContext.getInitParams().put("saml-single-logout-supported", String.valueOf(props.isSamlSingleLogoutEnabled()));
         webAppContextHandlers.addHandler(webUiContext);
@@ -311,7 +310,6 @@ private Handler loadInitialWars(final Set<Bundle> bundles) {
         if (webNewUiWar != null) {
             final WebAppContext newUiContext = loadWar(webNewUiWar, CONTEXT_PATH_NF, frameworkClassLoader);
             newUiContext.getInitParams().put("oidc-supported", String.valueOf(props.isOidcEnabled()));
-            newUiContext.getInitParams().put("knox-supported", String.valueOf(props.isKnoxSsoEnabled()));
             newUiContext.getInitParams().put("saml-supported", String.valueOf(props.isSamlEnabled()));
             newUiContext.getInitParams().put("saml-single-logout-supported", String.valueOf(props.isSamlSingleLogoutEnabled()));
             webAppContextHandlers.addHandler(newUiContext);

nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/api/AccessResource.java

@@ -16,7 +16,6 @@
  */
 package org.apache.nifi.web.api;
 
-import java.net.HttpURLConnection;
 import java.net.URI;
 import java.security.cert.X509Certificate;
 import java.time.Instant;
@@ -42,7 +41,6 @@
 import jakarta.ws.rs.core.Context;
 import jakarta.ws.rs.core.MediaType;
 import jakarta.ws.rs.core.Response;
-import jakarta.ws.rs.core.UriBuilder;
 import org.apache.commons.lang3.StringUtils;
 import org.apache.nifi.admin.service.AdministrationException;
 import org.apache.nifi.authentication.AuthenticationResponse;
@@ -69,7 +67,6 @@
 import org.apache.nifi.web.security.cookie.ApplicationCookieName;
 import org.apache.nifi.web.security.jwt.provider.BearerTokenProvider;
 import org.apache.nifi.web.security.jwt.revocation.JwtLogoutListener;
-import org.apache.nifi.web.security.knox.KnoxService;
 import org.apache.nifi.web.security.logout.LogoutRequest;
 import org.apache.nifi.web.security.logout.LogoutRequestManager;
 import org.apache.nifi.web.security.token.LoginAuthenticationToken;
@@ -108,7 +105,6 @@ public class AccessResource extends ApplicationResource {
     private JwtDecoder jwtDecoder;
     private BearerTokenProvider bearerTokenProvider;
     private BearerTokenResolver bearerTokenResolver;
-    private KnoxService knoxService;
     private LogoutRequestManager logoutRequestManager;
 
     /**
@@ -140,74 +136,6 @@ public Response getLoginConfig(@Context HttpServletRequest httpServletRequest) {
         return generateOkResponse(entity).build();
     }
 
-    @GET
-    @Consumes(MediaType.WILDCARD)
-    @Produces(MediaType.WILDCARD)
-    @Path("knox/request")
-    @Operation(
-            summary = "Initiates a request to authenticate through Apache Knox."
-    )
-    public void knoxRequest(@Context HttpServletRequest httpServletRequest, @Context HttpServletResponse httpServletResponse) throws Exception {
-        // only consider user specific access over https
-        if (!httpServletRequest.isSecure()) {
-            httpServletResponse.sendError(HttpURLConnection.HTTP_NOT_ACCEPTABLE, AUTHENTICATION_NOT_ENABLED_MSG);
-            return;
-        }
-
-        // ensure knox is enabled
-        if (!knoxService.isKnoxEnabled()) {
-            httpServletResponse.sendError(HttpURLConnection.HTTP_NOT_ACCEPTABLE, "Apache Knox SSO support is not configured.");
-            return;
-        }
-
-        // build the originalUri, and direct back to the ui
-        final String originalUri = generateResourceUri("access", "knox", "callback");
-
-        // build the authorization uri
-        final URI authorizationUri = UriBuilder.fromUri(knoxService.getKnoxUrl())
-                .queryParam("originalUrl", originalUri)
-                .build();
-
-        // generate the response
-        httpServletResponse.sendRedirect(authorizationUri.toString());
-    }
-
-    @GET
-    @Consumes(MediaType.WILDCARD)
-    @Produces(MediaType.WILDCARD)
-    @Path("knox/callback")
-    @Operation(
-            summary = "Redirect/callback URI for processing the result of the Apache Knox login sequence."
-    )
-    public void knoxCallback(@Context HttpServletRequest httpServletRequest, @Context HttpServletResponse httpServletResponse) throws Exception {
-        // only consider user specific access over https
-        if (!httpServletRequest.isSecure()) {
-            httpServletResponse.sendError(HttpURLConnection.HTTP_NOT_ACCEPTABLE, AUTHENTICATION_NOT_ENABLED_MSG);
-            return;
-        }
-
-        // ensure knox is enabled
-        if (!knoxService.isKnoxEnabled()) {
-            httpServletResponse.sendError(HttpURLConnection.HTTP_NOT_ACCEPTABLE, "Apache Knox SSO support is not configured.");
-            return;
-        }
-
-        httpServletResponse.sendRedirect(getNiFiUri());
-    }
-
-    @GET
-    @Consumes(MediaType.WILDCARD)
-    @Produces(MediaType.WILDCARD)
-    @Path("knox/logout")
-    @Operation(
-            summary = "Performs a logout in the Apache Knox.",
-            description = NON_GUARANTEED_ENDPOINT
-    )
-    public void knoxLogout(@Context HttpServletResponse httpServletResponse) throws Exception {
-        String redirectPath = generateResourceUri("..", "nifi", "login");
-        httpServletResponse.sendRedirect(redirectPath);
-    }
-
     /**
      * Gets the status the client's access.
      *
@@ -542,10 +470,6 @@ public void setCertificateExtractor(X509CertificateExtractor certificateExtracto
         this.certificateExtractor = certificateExtractor;
     }
 
-    public void setKnoxService(KnoxService knoxService) {
-        this.knoxService = knoxService;
-    }
-
     public void setLogoutRequestManager(LogoutRequestManager logoutRequestManager) {
         this.logoutRequestManager = logoutRequestManager;
     }

nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/resources/nifi-web-api-context.xml

@@ -607,7 +607,6 @@
     <bean id="accessResource" class="org.apache.nifi.web.api.AccessResource" scope="singleton">
         <property name="logoutRequestManager" ref="logoutRequestManager" />
         <property name="loginIdentityProvider" ref="loginIdentityProvider"/>
-        <property name="knoxService" ref="knoxService"/>
         <property name="x509AuthenticationProvider" ref="x509AuthenticationProvider"/>
         <property name="certificateExtractor" ref="certificateExtractor"/>
         <property name="principalExtractor" ref="principalExtractor"/>

nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/configuration/AuthenticationSecurityConfiguration.java

@@ -37,7 +37,6 @@
         ClientRegistrationConfiguration.class,
         JwtAuthenticationSecurityConfiguration.class,
         JwtDecoderConfiguration.class,
-        KnoxAuthenticationSecurityConfiguration.class,
         OidcSecurityConfiguration.class,
         SamlAuthenticationSecurityConfiguration.class,
         X509AuthenticationSecurityConfiguration.class