Rework authorization config (#884)

* switch NifiAuthorization to enum

* extend NifiAuthorizationConfig with SingleUser and Standard cases

* regenerate charts

* use pvc for users.xml and authoriations.xml

* document nifi ui login for ldap user

* use standard authorization and initial admin for ldap test

* cleanup

* add docs

* adapted changelog

* Apply suggestions from code review

Co-authored-by: Lukas Krug <[email protected]>

* remove unused error

* use storage config for filebased authorization PVC

* fix repo name

* Update rust/operator-binary/src/crd/mod.rs

Co-authored-by: Lukas Krug <[email protected]>

* consolidate crd name of filebased repo

* document increasing filebased storage

* fix precommit

---------

Co-authored-by: Lukas Krug <[email protected]>

Author: maltesander

CHANGELOG.md

@@ -9,13 +9,19 @@ All notable changes to this project will be documented in this file.
 - Support objectOverrides using `.spec.objectOverrides`.
   See [objectOverrides concepts page](https://docs.stackable.tech/home/nightly/concepts/overrides/#object-overrides) for details ([#885]).
 
+### Changed
+
+- BREAKING: Reworked authorization config to closer match the Apache NiFi internal authorizer interfaces ([#884]).
+
 ### Fixed
 
 - Also listen on the loopback interface so that k8s port-forwards work ([#870]).
-- The operator now utilizes the `.spec.clusterConfig.authorization.opa.package` property instead of hard-coding the package name to `nifi`  ([#881]).
+- The operator now utilizes the `.spec.clusterConfig.authorization.opa.package` property instead of hard-coding the package name to `nifi` ([#881]).
+- An `initialAdminUser` can now be provided for file-based authorization (e.g. LDAP) ([#884]).
 
 [#870]: https://github.com/stackabletech/nifi-operator/pull/870
 [#881]: https://github.com/stackabletech/nifi-operator/pull/881
+[#884]: https://github.com/stackabletech/nifi-operator/pull/884
 [#885]: https://github.com/stackabletech/nifi-operator/pull/885
 
 ## [25.11.0] - 2025-11-07

deploy/helm/nifi-operator/crds/crds.yaml

@@ -4,6 +4,8 @@
 == Volume storage
 
 By default, a NiFi Stacklet creates five different persistent volume claims for flow files, provenance, database, content and state directories.
+Depending on the NiFi cluster definition, another PVC for file-based authorization is added.
+
 You can find the default sizes of the PVCs in the {crd-docs}/nifi.stackable.tech/NifiCluster/v1alpha1/#spec-nodes-config-resources-storage[NifiCluster reference docs {external-link-icon}^], it is recommended that you configure these volume requests according to your needs.
 
 Storage requests can be configured at role or group level, for one or more of the persistent volumes as follows:
@@ -16,6 +18,8 @@ nodes:
       config:
         resources:
           storage:
+            filebasedRepo:
+              capacity: 12Gi
             flowfileRepo:
               capacity: 12Gi
             provenanceRepo:

docs/modules/nifi/pages/usage_guide/resource-configuration.adoc

@@ -15,7 +15,7 @@
 NiFi sets up TLS encryption for the http endpoints that serve the UI.
 By default, this interface is secured using certificates generated to work with the default SecretClass `tls`.
 
-Nifi can be configured to use a different SecretClass as shown below:
+NiFi can be configured to use a different SecretClass as shown below:
 
 [source, yaml]
 ----
@@ -39,7 +39,7 @@ All authentication related parameters are configured under `spec.clusterConfig.a
 === Single user
 
 The `Single user` allows the creation of one admin user for NiFi.
-This is a rudimentary authentication method to quickly test and log in to the canvas.
+This is a rudimentary authentication method to quickly test and log into the canvas.
 However, due to it being a single user with all rights, this is not recommended in production.
 
 [source, yaml]
@@ -171,27 +171,64 @@ stringData:
 [#authorization]
 == Authorization
 
-The Stackable Operator for Apache NiFi supports {nifi-docs-authorization}[multiple authorization methods], the available authorization methods depend on the chosen authentication method. Using Open Policy Agent for authorization is independent of the authentication method.
+The Stackable Operator for Apache NiFi supports {nifi-docs-authorization}[multiple authorization methods].
 
 [#authorization-single-user]
 === Single user
 
 With this authorization method, a single user has administrator capabilities.
 
-[#authorization-ldap]
-=== LDAP
+[source,yaml]
+----
+apiVersion: nifi.stackable.tech/v1alpha1
+kind: NifiCluster
+metadata:
+  name: test-nifi
+spec:
+  clusterConfig:
+    authorization:
+      singleUser: {}
+----
 
-The operator uses the {nifi-docs-fileusergroupprovider}[`FileUserGroupProvider`] and {nifi-docs-fileaccesspolicyprovider}[FileAccessPolicyProvider] to bind the LDAP user to the NiFi administrator group.
-This user is then able to create and modify groups and policies in the web interface.
-These changes local to the Pod running NiFi and are *not* persistent.
+[#authorization-standard]
+=== Standard
 
-[#authorization-oidc]
-=== OIDC
+This refers to NiFis `StandardManagedAuthorizer`, using the `UserGroupProvider` and `AccessPolicyProvider` for authorization.
+The Stackable operator for Apache NiFi only supports the file-based `FileUserGroupProvider` and `FileAccessPolicyProvider` implementations.
 
-With this authorization method, all authenticated users have administrator capabilities.
+[source,yaml]
+----
+apiVersion: nifi.stackable.tech/v1alpha1
+kind: NifiCluster
+metadata:
+  name: test-nifi
+spec:
+  clusterConfig:
+    authorization:
+      standard:
+        accessPolicyProvider:
+          fileBased:
+            initialAdminUser: "cn=admin,ou=users,dc=example,dc=org"
+----
 
-An admin user with an auto-generated password is created that can access the NiFi API.
-The password for this user is stored in a Kubernetes Secret called `<nifi-name>-oidc-admin-password`.
+This configuration provides an additional PVC to NiFi pods in order to read and persist the `users.xml` and `authorizations.xml` files.
+The default size is 16Mi and can be increased via the storage configuration on role or rolegroup level:
+
+[source,yaml]
+----
+apiVersion: nifi.stackable.tech/v1alpha1
+kind: NifiCluster
+metadata:
+  name: test-nifi
+spec:
+  clusterConfig: { .. }
+  nodes:
+    config:
+      resources:
+        storage:
+          filebasedRepo:
+            capacity: 256Mi
+----
 
 [#authorization-opa]
 === Open Policy Agent (OPA)

docs/modules/nifi/pages/usage_guide/security.adoc

@@ -9,7 +9,7 @@ use crate::{
     crd::{NifiConfig, NifiConfigFragment, NifiNodeRoleConfig},
     security::{
         authentication::{STACKABLE_SERVER_TLS_DIR, STACKABLE_TLS_STORE_PASSWORD},
-        authorization::NifiAuthorizationConfig,
+        authorization::ResolvedNifiAuthorizationConfig,
     },
 };
 
@@ -35,7 +35,7 @@ pub fn build_merged_jvm_config(
     merged_config: &NifiConfig,
     role: &Role<NifiConfigFragment, NifiNodeRoleConfig, JavaCommonConfig>,
     role_group: &str,
-    authorization_config: Option<&NifiAuthorizationConfig>,
+    authorization_config: Option<&ResolvedNifiAuthorizationConfig>,
 ) -> Result<JvmArgumentOverrides, Error> {
     let heap_size = MemoryQuantity::try_from(
         merged_config

rust/operator-binary/src/config/jvm.rs

@@ -37,6 +37,7 @@ pub mod jvm;
 
 pub const NIFI_CONFIG_DIRECTORY: &str = "/stackable/nifi/conf";
 pub const NIFI_PYTHON_WORKING_DIRECTORY: &str = "/nifi-python-working-directory";
+pub const NIFI_PVC_STORAGE_DIRECTORY: &str = "/stackable/data";
 
 pub const NIFI_BOOTSTRAP_CONF: &str = "bootstrap.conf";
 pub const NIFI_PROPERTIES: &str = "nifi.properties";
@@ -51,6 +52,8 @@ const STORAGE_CONTENT_ARCHIVE_UTILIZATION_FACTOR: f32 = 0.5;
 
 #[derive(Debug, Display, EnumIter)]
 pub enum NifiRepository {
+    #[strum(serialize = "filebased")]
+    Filebased,
     #[strum(serialize = "flowfile")]
     Flowfile,
     #[strum(serialize = "database")]
@@ -69,7 +72,7 @@ impl NifiRepository {
     }
 
     pub fn mount_path(&self) -> String {
-        format!("/stackable/data/{}", self)
+        format!("{NIFI_PVC_STORAGE_DIRECTORY}/{}", self)
     }
 }
 
@@ -115,7 +118,7 @@ pub fn build_bootstrap_conf(
     overrides: BTreeMap<String, String>,
     role: &Role<NifiConfigFragment, NifiNodeRoleConfig, JavaCommonConfig>,
     role_group: &str,
-    authorization_config: Option<&crate::security::authorization::NifiAuthorizationConfig>,
+    authorization_config: Option<&crate::security::authorization::ResolvedNifiAuthorizationConfig>,
 ) -> Result<String, Error> {
     let mut bootstrap = BTreeMap::new();
     // Java command to use when running NiFi