You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@nifi.apache.org by "ASF GitHub Bot (JIRA)" <ji...@apache.org> on 2018/11/02 07:46:00 UTC

[jira] [Commented] (NIFI-5752) Load balancing fails with wildcard certs

    [ https://issues.apache.org/jira/browse/NIFI-5752?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16672703#comment-16672703 ] 

ASF GitHub Bot commented on NIFI-5752:
--------------------------------------

Github user ijokarumawak commented on a diff in the pull request:

    https://github.com/apache/nifi/pull/3110#discussion_r230287682
  
    --- Diff: nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-framework-core/src/main/java/org/apache/nifi/controller/queue/clustered/server/ClusterLoadBalanceAuthorizer.java ---
    @@ -33,14 +42,27 @@
     
         private final ClusterCoordinator clusterCoordinator;
         private final EventReporter eventReporter;
    +    private final HostnameVerifier hostnameVerifier;
     
         public ClusterLoadBalanceAuthorizer(final ClusterCoordinator clusterCoordinator, final EventReporter eventReporter) {
             this.clusterCoordinator = clusterCoordinator;
             this.eventReporter = eventReporter;
    +        this.hostnameVerifier = new DefaultHostnameVerifier();
         }
     
         @Override
    -    public String authorize(final Collection<String> clientIdentities) throws NotAuthorizedException {
    +    public String authorize(SSLSocket sslSocket) throws NotAuthorizedException, IOException {
    +        final SSLSession sslSession = sslSocket.getSession();
    +
    +        final Set<String> clientIdentities;
    +        try {
    +            clientIdentities = getCertificateIdentities(sslSession);
    +        } catch (final CertificateException e) {
    +            throw new IOException("Failed to extract Client Certificate", e);
    +        }
    +
    +        logger.debug("Will perform authorization against Client Identities '{}'", clientIdentities);
    +
             if (clientIdentities == null) {
    --- End diff --
    
    Now we only call this `authorize()` method if socket is a SSLSocket. We can remove this block.


> Load balancing fails with wildcard certs
> ----------------------------------------
>
>                 Key: NIFI-5752
>                 URL: https://issues.apache.org/jira/browse/NIFI-5752
>             Project: Apache NiFi
>          Issue Type: Bug
>    Affects Versions: 1.8.0
>            Reporter: Kotaro Terada
>            Assignee: Kotaro Terada
>            Priority: Major
>
> Load balancing fails when we construct a secure cluster with wildcard certs.
> For example, assume that we have a valid wildcard cert for {{*.example.com}} and a cluster consists of {{nf1.example.com}}, {{nf2.example.com}}, and {{nf3.example.com}} . We cannot transfer a FlowFile between nodes for load balancing because of the following authorization error:
> {noformat}
> 2018-10-25 19:05:13,520 WARN [Load Balance Server Thread-2] o.a.n.c.q.c.s.ClusterLoadBalanceAuthorizer Authorization failed for Client ID's [*.example.com] to Load Balance data because none of the ID's are known Cluster Node Identifiers
> 2018-10-25 19:05:13,521 ERROR [Load Balance Server Thread-2] o.a.n.c.q.c.s.ConnectionLoadBalanceServer Failed to communicate with Peer /xxx.xxx.xxx.xxx:xxxxx
> org.apache.nifi.controller.queue.clustered.server.NotAuthorizedException: Client ID's [*.example.com] are not authorized to Load Balance data
> 	at org.apache.nifi.controller.queue.clustered.server.ClusterLoadBalanceAuthorizer.authorize(ClusterLoadBalanceAuthorizer.java:65)
> 	at org.apache.nifi.controller.queue.clustered.server.StandardLoadBalanceProtocol.receiveFlowFiles(StandardLoadBalanceProtocol.java:142)
> 	at org.apache.nifi.controller.queue.clustered.server.ConnectionLoadBalanceServer$CommunicateAction.run(ConnectionLoadBalanceServer.java:176)
> 	at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
> 	at java.util.concurrent.FutureTask.run(FutureTask.java:266)
> 	at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$201(ScheduledThreadPoolExecutor.java:180)
> 	at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:293)
> 	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
> 	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
> 	at java.lang.Thread.run(Thread.java:748)
> {noformat}
> This problem occurs because in {{authorize}} method in {{ClusterLoadBalanceAuthorizer}} class, authorization is tried by just matching strings.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)