Details

    • Type: Sub-task
    • Status: Resolved
    • Priority: Major
    • Resolution: Won't Fix
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: Core Framework, Core UI
    • Labels: None

    Description

      Creating the sub task to answer:

      Batch user import

      • Whether the users are providing client certificates, LDAP credentials, or Kerberos tickets to authenticate, the canonical source of identity is still managed by NiFi. I propose a mechanism to quickly define multiple users in the system (without affording any policy assignments). Here I am looking for substantial community input on the most common/desired use cases, but my initial thoughts are:
        • LDAP-specific
          • A manager DN and password (similar to what is necessary for LDAP authentication) are used to authenticate the admin/user manager, and then an LDAP query string (i.e. ou=users,dc=nifi,dc=apache,dc=org) is provided and the dialog displays/API returns a list of users/groups matching the query. The admin can then select which to import to NiFi and confirm.

      In particular, the initial implementation would add a feature to sync users and groups with LDAP, based on additional parameters given in the login identity provider configuration file and custom filters provided by the user through the UI.

      It is not foreseen to delete users/groups that exist in NiFi but are not retrieved from LDAP. It would only create/update users/groups based on what is in the LDAP server.

      The feature would be exposed through a new REST API endpoint. In case another identity provider is configured (not LDAP), an unsupported operation exception would be returned at the moment.
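
The create/update-only sync described above, sketched as an added example (not NiFi code and not part of the original issue). The function names, the provider string, the data shapes and the simplified DN comparison are all assumptions made for illustration.

```python
from dataclasses import dataclass, field

class UnsupportedProviderError(Exception):
    """Raised when the configured identity provider is not LDAP."""

@dataclass
class SyncPlan:
    create: list = field(default_factory=list)     # in LDAP, not yet known locally
    update: list = field(default_factory=list)     # known locally, groups differ
    untouched: list = field(default_factory=list)  # local only: reported, never deleted

def norm_dn(dn):
    # Simplified DN comparison key (assumption): trim each RDN and lowercase.
    # Does not handle escaped commas inside attribute values.
    return ",".join(part.strip().lower() for part in dn.split(","))

def plan_sync(provider, ldap_entries, local_users, selected=None):
    """Build an additive-only plan: create or update, never delete, no policies.
    ldap_entries: list of {"dn": str, "groups": [str]} returned by the query.
    local_users:  dict of identity -> set of group names already known locally.
    selected:     DNs the admin picked in the dialog; None means every result.
    """
    if provider != "ldap":
        raise UnsupportedProviderError(f"sync not supported for provider {provider!r}")
    chosen = None if selected is None else {norm_dn(d) for d in selected}
    local = {norm_dn(k): (k, set(v)) for k, v in local_users.items()}
    plan, seen = SyncPlan(), set()
    for entry in ldap_entries:
        key = norm_dn(entry["dn"])
        seen.add(key)
        if chosen is not None and key not in chosen:
            continue  # returned by the query but not selected for import
        groups = set(entry.get("groups", []))
        if key not in local:
            plan.create.append((entry["dn"], sorted(groups)))
        elif local[key][1] != groups:
            plan.update.append((local[key][0], sorted(groups)))
    plan.untouched = sorted(orig for k, (orig, _) in local.items() if k not in seen)
    return plan

# Constructed sample data (not from a real directory).
BASE = "ou=users,dc=nifi,dc=apache,dc=org"
LDAP_RESULT = [{"dn": f"cn=alice,{BASE}", "groups": ["ops"]},
               {"dn": f"CN=bob, {BASE}", "groups": ["dev"]},
               {"dn": f"cn=carol,{BASE}", "groups": []}]
LOCAL = {f"cn=bob,{BASE}": {"ops"}, f"cn=dave,{BASE}": set()}
```

The plan carries identities and group membership only, so an imported user holds no access policy until an administrator assigns one, and local accounts missing from the query result are listed in `untouched` rather than removed.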

            People

              pvillard Pierre Villard