Posted to issues@nifi.apache.org by GitBox <gi...@apache.org> on 2020/04/13 18:17:51 UTC

[GitHub] [nifi] jfrazee opened a new pull request #4207: NIFI-7203 Add ZooKeeper client and server TLS

jfrazee opened a new pull request #4207: NIFI-7203 Add ZooKeeper client and server TLS
URL: https://github.com/apache/nifi/pull/4207
 
 
   Thank you for submitting a contribution to Apache NiFi.
   
   Please provide a short description of the PR here:
   
   #### Description of PR
   
   _Enables X functionality; fixes bug NIFI-YYYY._
   
   In order to streamline the review of the contribution we ask you
   to ensure the following steps have been taken:
   
   ### For all changes:
   - [ ] Is there a JIRA ticket associated with this PR? Is it referenced 
        in the commit message?
   
   - [ ] Does your PR title start with **NIFI-XXXX** where XXXX is the JIRA number you are trying to resolve? Pay particular attention to the hyphen "-" character.
   
   - [ ] Has your PR been rebased against the latest commit within the target branch (typically `master`)?
   
   - [ ] Is your initial contribution a single, squashed commit? _Additional commits in response to PR reviewer feedback should be made on this branch and pushed to allow change tracking. Do not `squash` or use `--force` when pushing to allow for clean monitoring of changes._
   
   ### For code changes:
   - [ ] Have you ensured that the full suite of tests is executed via `mvn -Pcontrib-check clean install` at the root `nifi` folder?
   - [ ] Have you written or updated unit tests to verify your changes?
   - [ ] Have you verified that the full build is successful on both JDK 8 and JDK 11?
   - [ ] If adding new dependencies to the code, are these dependencies licensed in a way that is compatible for inclusion under [ASF 2.0](http://www.apache.org/legal/resolved.html#category-a)? 
   - [ ] If applicable, have you updated the `LICENSE` file, including the main `LICENSE` file under `nifi-assembly`?
   - [ ] If applicable, have you updated the `NOTICE` file, including the main `NOTICE` file found under `nifi-assembly`?
   - [ ] If adding new Properties, have you added `.displayName` in addition to .name (programmatic access) for each of the new properties?
   
   ### For documentation related changes:
   - [ ] Have you ensured that format looks appropriate for the output in which it is rendered?
   
   ### Note:
   Please ensure that once the PR is submitted, you check travis-ci for build issues and submit an update to your PR as soon as possible.
   

----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
users@infra.apache.org


With regards,
Apache Git Services

[GitHub] [nifi] natural commented on a change in pull request #4207: NIFI-7203 Add ZooKeeper client and server TLS

Posted by GitBox <gi...@apache.org>.
natural commented on a change in pull request #4207: NIFI-7203 Add ZooKeeper client and server TLS
URL: https://github.com/apache/nifi/pull/4207#discussion_r407780342
 
 

 ##########
 File path: nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-framework-core/src/main/java/org/apache/nifi/controller/state/server/ZooKeeperStateServer.java
 ##########
 @@ -136,7 +167,15 @@ private void startDistributed() throws IOException {
             quorumPeer.setInitLimit(quorumPeerConfig.getInitLimit());
             quorumPeer.setSyncLimit(quorumPeerConfig.getSyncLimit());
             quorumPeer.setQuorumVerifier(quorumPeerConfig.getQuorumVerifier(), false);
-            quorumPeer.setCnxnFactory(connectionFactory);
+
+            if (connectionFactory != null) {
+                quorumPeer.setCnxnFactory(connectionFactory);
+            }
+
+            if (secureConnectionFactory != null) {
+                quorumPeer.setCnxnFactory(secureConnectionFactory);
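
Review bot: the `secureConnectionFactory != null` branch calls `quorumPeer.setCnxnFactory(...)` a second time, so when both factories are non-null the secure factory replaces the plaintext one in the same slot and nothing is registered as the secure factory. Use `quorumPeer.setSecureCnxnFactory(secureConnectionFactory);` in the second branch so that each factory is handed to the quorum peer separately.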
 
 Review comment:
   Did you mean `quorumPeer.setSecureCnxnFactory(secureConnectionFactory)`?


[GitHub] [nifi] joewitt commented on issue #4207: NIFI-7203 Add ZooKeeper client and server TLS

Posted by GitBox <gi...@apache.org>.
joewitt commented on issue #4207: NIFI-7203 Add ZooKeeper client and server TLS
URL: https://github.com/apache/nifi/pull/4207#issuecomment-613028522
 
 
   @jfrazee Is this PR related to/duplicative/complementary to https://github.com/apache/nifi/pull/4202?


[GitHub] [nifi] jfrazee commented on a change in pull request #4207: NIFI-7203 Add ZooKeeper client and server TLS

Posted by GitBox <gi...@apache.org>.
jfrazee commented on a change in pull request #4207: NIFI-7203 Add ZooKeeper client and server TLS
URL: https://github.com/apache/nifi/pull/4207#discussion_r408182939
 
 

 ##########
 File path: nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-framework-core/src/main/java/org/apache/nifi/controller/state/server/ZooKeeperStateServer.java
 ##########
 @@ -136,7 +167,15 @@ private void startDistributed() throws IOException {
             quorumPeer.setInitLimit(quorumPeerConfig.getInitLimit());
             quorumPeer.setSyncLimit(quorumPeerConfig.getSyncLimit());
             quorumPeer.setQuorumVerifier(quorumPeerConfig.getQuorumVerifier(), false);
-            quorumPeer.setCnxnFactory(connectionFactory);
+
+            if (connectionFactory != null) {
+                quorumPeer.setCnxnFactory(connectionFactory);
+            }
+
+            if (secureConnectionFactory != null) {
+                quorumPeer.setCnxnFactory(secureConnectionFactory);
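
Review bot: neither `if` in this hunk has an `else`, so when `connectionFactory` and `secureConnectionFactory` are both null the quorum peer is left with no connection factory at all, where the removed line called `setCnxnFactory` unconditionally. If an earlier check in `startDistributed()` already guarantees that at least one is non-null, a short comment here would make that clear; otherwise throw before reaching this point.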
 
 Review comment:
   Yup. Funny, since the standalone state server calls `.startup()` / `.shutdown()` directly on the connection factories this never surfaced.


[GitHub] [nifi] jfrazee commented on issue #4207: NIFI-7203 Add ZooKeeper client and server TLS

Posted by GitBox <gi...@apache.org>.
jfrazee commented on issue #4207: NIFI-7203 Add ZooKeeper client and server TLS
URL: https://github.com/apache/nifi/pull/4207#issuecomment-613688541
 
 
   @alopresto If it's either-or I think the most important thing is to validate and throw an error so the behavior doesn't end up being confusing if both are set and the insecure clientPort is ignored. I wouldn't want it to be just a documented behavior.
   
   There is one situation where having both set is useful -- the API for the status commands doesn't support TLS, but I think this is in the process of being addressed on the ZK side so it should eventually work itself out.
   
   I'll make some notes over in the [NIFI-7203](https://issues.apache.org/jira/browse/NIFI-7203) JIRA.
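
The fail-fast check proposed in the comment above, sketched as an added example (not code from the PR or from NiFi): it takes the strict either-or position and rejects a configuration that sets both ports. It assumes the embedded server's ports arrive as the ZooKeeper `clientPort` and `secureClientPort` properties; the class and method names are hypothetical.

```java
import java.util.Properties;

// Added illustration; class and method names are hypothetical, not NiFi code.
public final class EmbeddedZkPortCheck {
    enum Listener { PLAINTEXT, TLS }

    // Rejects ambiguous settings up front instead of silently ignoring clientPort.
    static Listener validate(Properties zk) {
        Integer plain = port(zk, "clientPort");
        Integer secure = port(zk, "secureClientPort");
        if (plain != null && secure != null) {
            throw new IllegalStateException("clientPort (" + plain + ") and secureClientPort ("
                    + secure + ") are both set; configure exactly one for the embedded server");
        }
        if (plain == null && secure == null) {
            throw new IllegalStateException("neither clientPort nor secureClientPort is set");
        }
        return secure != null ? Listener.TLS : Listener.PLAINTEXT;
    }

    // Returns null when the key is absent or blank; fails on non-numeric or out-of-range values.
    private static Integer port(Properties zk, String key) {
        String raw = zk.getProperty(key);
        if (raw == null || raw.trim().isEmpty()) {
            return null;
        }
        int value;
        try {
            value = Integer.parseInt(raw.trim());
        } catch (NumberFormatException e) {
            throw new IllegalStateException(key + " is not a port number: " + raw, e);
        }
        if (value < 1 || value > 65535) {
            throw new IllegalStateException(key + " is out of range: " + value);
        }
        return value;
    }

    public static void main(String[] args) {
        Properties both = new Properties(); // constructed sample input
        both.setProperty("clientPort", "2181");
        both.setProperty("secureClientPort", "2281");
        try {
            validate(both);
        } catch (IllegalStateException e) {
            System.out.println("rejected: " + e.getMessage());
        }
        both.remove("clientPort"); // TLS-only configuration passes
        System.out.println("accepted: " + validate(both));
    }
}
```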
   


[GitHub] [nifi] alopresto commented on issue #4207: NIFI-7203 Add ZooKeeper client and server TLS

Posted by GitBox <gi...@apache.org>.
alopresto commented on issue #4207: NIFI-7203 Add ZooKeeper client and server TLS
URL: https://github.com/apache/nifi/pull/4207#issuecomment-613641562
 
 
   @jfrazee as I mentioned on NIFI-7203, during an offline discussion some of us were discussing the approach to a configuration for an embedded ZK instance in NiFi which defines both an HTTP and HTTPS connection. Our position is that unlike an external ZK cluster which may have many different clients, the embedded ZK instance should only listen on the HTTPS port if the admin configures that, as NiFi will only attempt to connect on that port, and listening on HTTP has the potential to expose sensitive information. However, this is different from normal ZK behavior and therefore we listed some potential approaches to reduce confusion. More details are available in [this comment](https://issues.apache.org/jira/browse/NIFI-7203?focusedCommentId=17083557&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-17083557), but I would like to hear your perspective on this. Have you encountered any scenarios where an admin intentionally meant for the embedded ZK to listen on both ports?


[GitHub] [nifi] jfrazee commented on issue #4207: NIFI-7203 Add ZooKeeper client and server TLS

Posted by GitBox <gi...@apache.org>.
jfrazee commented on issue #4207: NIFI-7203 Add ZooKeeper client and server TLS
URL: https://github.com/apache/nifi/pull/4207#issuecomment-613031456
 
 
   @joewitt Both? I had just finished up the work but with the addition of the client implementation and server tests which hadn't existed previously. Thought I'd throw it up because the tests and client piece would be additive.
