Posted to commits@nifi.apache.org by jo...@apache.org on 2018/01/04 15:43:35 UTC
nifi git commit: NIFI-4530: This closes #2329. Initial support for
two-way SSL user authentication in the Docker image.
Repository: nifi
Updated Branches:
refs/heads/master e439cfef1 -> c832a2ed7
NIFI-4530: This closes #2329. Initial support for two-way SSL user authentication in the Docker image.
Signed-off-by: joewitt <jo...@apache.org>
Project: http://git-wip-us.apache.org/repos/asf/nifi/repo
Commit: http://git-wip-us.apache.org/repos/asf/nifi/commit/c832a2ed
Tree: http://git-wip-us.apache.org/repos/asf/nifi/tree/c832a2ed
Diff: http://git-wip-us.apache.org/repos/asf/nifi/diff/c832a2ed
Branch: refs/heads/master
Commit: c832a2ed7c74a648c84853f3682505a271afdf6f
Parents: e439cfe
Author: Aldrin Piri <al...@apache.org>
Authored: Tue Nov 28 20:00:32 2017 -0500
Committer: joewitt <jo...@apache.org>
Committed: Thu Jan 4 10:37:37 2018 -0500
----------------------------------------------------------------------
nifi-docker/dockerhub/Dockerfile | 38 ++++----
nifi-docker/dockerhub/README.md | 91 ++++++++++++++++++++
nifi-docker/dockerhub/sh/common.sh | 29 +++++++
nifi-docker/dockerhub/sh/secure.sh | 55 ++++++++++++
nifi-docker/dockerhub/sh/start.sh | 43 +++++++++
nifi-docker/dockermaven/Dockerfile | 2 +-
.../nb-configuration.xml | 18 ----
7 files changed, 239 insertions(+), 37 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/nifi/blob/c832a2ed/nifi-docker/dockerhub/Dockerfile
----------------------------------------------------------------------
diff --git a/nifi-docker/dockerhub/Dockerfile b/nifi-docker/dockerhub/Dockerfile
index a4049e2..23418c0 100644
--- a/nifi-docker/dockerhub/Dockerfile
+++ b/nifi-docker/dockerhub/Dockerfile
@@ -17,7 +17,8 @@
#
FROM openjdk:8-jre
-LABEL maintainer "Apache NiFi <de...@nifi.apache.org>"
+LABEL maintainer="Apache NiFi <de...@nifi.apache.org>"
+LABEL site="https://nifi.apache.org"
ARG UID=1000
ARG GID=1000
@@ -25,29 +26,30 @@ ARG NIFI_VERSION=1.5.0
ARG MIRROR=https://archive.apache.org/dist
ENV NIFI_BASE_DIR /opt/nifi
-ENV NIFI_HOME=$NIFI_BASE_DIR/nifi-$NIFI_VERSION \
- NIFI_BINARY_URL=/nifi/$NIFI_VERSION/nifi-$NIFI_VERSION-bin.tar.gz
+ENV NIFI_HOME=${NIFI_BASE_DIR}/nifi-${NIFI_VERSION} \
+ NIFI_BINARY_URL=/nifi/${NIFI_VERSION}/nifi-${NIFI_VERSION}-bin.tar.gz
+
+ADD sh/ /opt/nifi/scripts/
# Setup NiFi user
-RUN groupadd -g $GID nifi || groupmod -n nifi `getent group $GID | cut -d: -f1` \
- && useradd --shell /bin/bash -u $UID -g $GID -m nifi \
- && mkdir -p $NIFI_HOME/conf/templates \
- && chown -R nifi:nifi $NIFI_BASE_DIR
+RUN groupadd -g ${GID} nifi || groupmod -n nifi `getent group ${GID} | cut -d: -f1` \
+ && useradd --shell /bin/bash -u ${UID} -g ${GID} -m nifi \
+ && mkdir -p ${NIFI_HOME}/conf/templates \
+ && chown -R nifi:nifi ${NIFI_BASE_DIR}
USER nifi
# Download, validate, and expand Apache NiFi binary.
-RUN curl -fSL $MIRROR/$NIFI_BINARY_URL -o $NIFI_BASE_DIR/nifi-$NIFI_VERSION-bin.tar.gz \
- && echo "$(curl https://archive.apache.org/dist/$NIFI_BINARY_URL.sha256) *$NIFI_BASE_DIR/nifi-$NIFI_VERSION-bin.tar.gz" | sha256sum -c - \
- && tar -xvzf $NIFI_BASE_DIR/nifi-$NIFI_VERSION-bin.tar.gz -C $NIFI_BASE_DIR \
- && rm $NIFI_BASE_DIR/nifi-$NIFI_VERSION-bin.tar.gz \
- && chown -R nifi:nifi $NIFI_HOME
+RUN curl -fSL ${MIRROR}/${NIFI_BINARY_URL} -o ${NIFI_BASE_DIR}/nifi-${NIFI_VERSION}-bin.tar.gz \
+ && echo "$(curl https://archive.apache.org/dist/${NIFI_BINARY_URL}.sha256) *${NIFI_BASE_DIR}/nifi-${NIFI_VERSION}-bin.tar.gz" | sha256sum -c - \
+ && tar -xvzf ${NIFI_BASE_DIR}/nifi-${NIFI_VERSION}-bin.tar.gz -C ${NIFI_BASE_DIR} \
+ && rm ${NIFI_BASE_DIR}/nifi-${NIFI_VERSION}-bin.tar.gz \
+ && chown -R nifi:nifi ${NIFI_HOME}
-# Web HTTP Port & Remote Site-to-Site Ports
-EXPOSE 8080 8181
+# Web HTTP(s) & Socket Site-to-Site Ports
+EXPOSE 8080 8443 10000
-WORKDIR $NIFI_HOME
+WORKDIR ${NIFI_HOME}
-# Startup NiFi
-ENTRYPOINT ["bin/nifi.sh"]
-CMD ["run"]
+# Apply configuration and start NiFi
+CMD ${NIFI_BASE_DIR}/scripts/start.sh
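Review bot: The new `CMD ${NIFI_BASE_DIR}/scripts/start.sh` is shell form, so the process running as PID 1 is normally `/bin/sh -c` and the SIGTERM from `docker stop` is delivered to that wrapper shell rather than to start.sh, which leaves the signal trap added in sh/start.sh with nothing to catch. Exec form avoids the wrapper: `CMD ["/opt/nifi/scripts/start.sh"]` (exec form does not expand `${NIFI_BASE_DIR}`, but the absolute path is already spelled out on the `ADD` line in this hunk). On the same hunk, `ADD sh/ /opt/nifi/scripts/` copies plain local files and should be `COPY sh/ /opt/nifi/scripts/`, since ADD's archive extraction and URL fetching are not wanted here. The download step keeps its sha256 verification, but the inner `curl` that fetches the `.sha256` file lacks `-f`, so an HTTP error page is only caught later by `sha256sum -c` failing; `curl -fsSL` there gives a clearer build error.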
http://git-wip-us.apache.org/repos/asf/nifi/blob/c832a2ed/nifi-docker/dockerhub/README.md
----------------------------------------------------------------------
diff --git a/nifi-docker/dockerhub/README.md b/nifi-docker/dockerhub/README.md
new file mode 100644
index 0000000..657bc6d
--- /dev/null
+++ b/nifi-docker/dockerhub/README.md
@@ -0,0 +1,91 @@
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one or more
+ contributor license agreements. See the NOTICE file distributed with
+ this work for additional information regarding copyright ownership.
+ The ASF licenses this file to You under the Apache License, Version 2.0
+ (the "License"); you may not use this file except in compliance with
+ the License. You may obtain a copy of the License at
+ http://www.apache.org/licenses/LICENSE-2.0
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+-->
+
+# Docker Image Quickstart
+
+## Capabilities
+This image currently supports running in standalone mode either unsecured or with Two-Way SSL.
+
+More capabilities will continue to be added and made available from the
+
+## Building
+The Docker image can be built using the following command:
+
+ docker build -t apache/nifi:latest .
+
+This build will result in an image tagged apache/nifi:latest
+
+ # user @ puter in ~/Development/code/apache/nifi/nifi-docker/dockerhub
+ $ docker images
+ REPOSITORY TAG IMAGE ID CREATED SIZE
+ apache/nifi latest f0f564eed149 A long, long time ago 1.62GB
+
+**Note**: The default version of NiFi specified by the Dockerfile is typically that of one that is unreleased if working from source.
+To build an image for a prior released version, one can override the `NIFI_VERSION` build-arg with the following command:
+
+ docker build --build-arg=NIFI_VERSION={Desired NiFi Version} -t apache/nifi:latest .
+
+There is, however, no guarantee that older versions will work as properties have changed and evolved with subsequent releases.
+The configuration scripts are suitable for at least 1.4.0+.
+
+## Running a container
+
+### Standalone Instance, Unsecured
+The minimum to run a NiFi instance is as follows:
+
+ docker run --name nifi \
+ -p 18080:8080 \
+ -d \
+ apache/nifi:latest
+
+This will provide a running instance, exposing the instance UI to the host system on at port 18080,
+viewable at `http://localhost:18080/nifi`.
+
+### Standalone Instance, Two-Way SSL
+In this configuration, the user will need to provide certificates and the associated configuration information.
+Of particular note, is the `AUTH` environment variable which is set to `tls`. Additionally, the user must provide an
+the DN as provided by an accessing client certificate in the `INITIAL_ADMIN_IDENTITY` environment variable.
+This value will be used to seed the instance with an initial user with administrative privileges.
+Finally, this command makes use of a volume to provide certificates on the host system to the container instance.
+
+ docker run --name nifi \
+ -v /User/dreynolds/certs/localhost:/opt/certs \
+ -p 18443:8443 \
+ -e AUTH=tls \
+ -e KEYSTORE_PATH=/opt/certs/keystore.jks \
+ -e KEYSTORE_TYPE=JKS \
+ -e KEYSTORE_PASSWORD=QKZv1hSWAFQYZ+WU1jjF5ank+l4igeOfQRp+OSbkkrs \
+ -e TRUSTSTORE_PATH=/opt/certs/truststore.jks \
+ -e TRUSTSTORE_PASSWORD=rHkWR1gDNW3R9hgbeRsT3OM3Ue0zwGtQqcFKJD2EXWE \
+ -e TRUSTSTORE_TYPE=JKS \
+ -e INITIAL_ADMIN_IDENTITY='CN=Random User, O=Apache, OU=NiFi, C=US' \
+ -d \
+ apache/nifi:latest
+
+
+## Configuration Information
+The following ports are specified by the Docker container for NiFi operation within the container and
+can be published to the host.
+
+| Function | Property | Port |
+|--------------------------|-------------------------------|-------|
+| HTTP Port | nifi.web.http.port | 8080 |
+| HTTPS Port | nifi.web.https.port | 8443 |
+| Remote Input Socket Port | nifi.remote.input.socket.port | 10000 |
+
+
+
+
+
\ No newline at end of file
http://git-wip-us.apache.org/repos/asf/nifi/blob/c832a2ed/nifi-docker/dockerhub/sh/common.sh
----------------------------------------------------------------------
diff --git a/nifi-docker/dockerhub/sh/common.sh b/nifi-docker/dockerhub/sh/common.sh
new file mode 100755
index 0000000..5d252bc
--- /dev/null
+++ b/nifi-docker/dockerhub/sh/common.sh
@@ -0,0 +1,29 @@
+#!/bin/sh -e
+
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# 1 - value to search for
+# 2 - value to replace
+# 3 - file to perform replacement inline
+prop_replace () {
+ target_file=${3:-${nifi_props_file}}
+ echo 'replacing target file ' ${target_file}
+ sed -i -e "s|^$1=.*$|$1=$2|" ${target_file}
+}
+
+# NIFI_HOME is defined by an ENV command in the backing Dockerfile
+export nifi_props_file=${NIFI_HOME}/conf/nifi.properties
+export hostname=$(hostname)
\ No newline at end of file
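Review bot: `prop_replace` splices `$2` unescaped into the sed replacement on the `sed -i -e "s|^$1=.*$|$1=$2|"` line, so a value containing `|`, `&` or `\` — and secure.sh passes keystore and truststore passwords through this function — either terminates the expression or is rewritten by sed, leaving a wrong password in nifi.properties. Escape the value first, `replacement=$(printf '%s' "$2" | sed -e 's/[\\&|]/\\&/g')`, and then use `sed -i -e "s|^$1=.*$|$1=${replacement}|" "${target_file}"`. The `echo 'replacing target file ' ${target_file}` line prints on every call but does not say which property changed; either drop it or include `$1` in the message so the startup log is useful for troubleshooting. The `-e` in the shebang only applies when this file is executed directly; when it is sourced by start.sh the caller's shell options apply.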
http://git-wip-us.apache.org/repos/asf/nifi/blob/c832a2ed/nifi-docker/dockerhub/sh/secure.sh
----------------------------------------------------------------------
diff --git a/nifi-docker/dockerhub/sh/secure.sh b/nifi-docker/dockerhub/sh/secure.sh
new file mode 100644
index 0000000..93e8267
--- /dev/null
+++ b/nifi-docker/dockerhub/sh/secure.sh
@@ -0,0 +1,55 @@
+#!/bin/sh -e
+
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+[ -f /opt/nifi/scripts/common.sh ] && . /opt/nifi/scripts/common.sh
+
+# Perform idempotent changes of configuration to support secure environments
+echo 'Configuring environment with SSL settings'
+
+: ${KEYSTORE_PATH:?"Must specify an absolute path to the keystore being used."}
+if [ ! -f "${KEYSTORE_PATH}" ]; then
+ echo "Keystore file specified (${KEYSTORE_PATH}) does not exist."
+ exit 1
+fi
+: ${KEYSTORE_TYPE:?"Must specify the type of keystore (JKS, PKCS12, PEM) of the keystore being used."}
+: ${KEYSTORE_PASSWORD:?"Must specify the password of the keystore being used."}
+
+: ${TRUSTSTORE_PATH:?"Must specify an absolute path to the truststore being used."}
+if [ ! -f "${TRUSTSTORE_PATH}" ]; then
+ echo "Keystore file specified (${TRUSTSTORE_PATH}) does not exist."
+ exit 1
+fi
+: ${TRUSTSTORE_TYPE:?"Need to set DEST non-empty"}
+: ${TRUSTSTORE_PASSWORD:?"Need to set DEST non-empty"}
+
+prop_replace 'nifi.security.keystore' "${KEYSTORE_PATH}"
+prop_replace 'nifi.security.keystoreType' "${KEYSTORE_TYPE}"
+prop_replace 'nifi.security.keystorePasswd' "${KEYSTORE_PASSWORD}"
+prop_replace 'nifi.security.truststore' "${TRUSTSTORE_PATH}"
+prop_replace 'nifi.security.truststoreType' "${TRUSTSTORE_TYPE}"
+prop_replace 'nifi.security.truststorePasswd' "${TRUSTSTORE_PASSWORD}"
+
+# Disable HTTP and enable HTTPS
+prop_replace 'nifi.web.http.port' ''
+prop_replace 'nifi.web.http.host' ''
+prop_replace 'nifi.web.https.port' '8443'
+prop_replace 'nifi.web.https.host' "${hostname}"
+prop_replace 'nifi.remote.input.secure' 'true'
+
+# Establish initial user and an associated admin identity
+sed -i -e 's|<property name="Initial User Identity 1"></property>|<property name="Initial User Identity 1">'"${INITIAL_ADMIN_IDENTITY}"'</property>|' ${NIFI_HOME}/conf/authorizers.xml
+sed -i -e 's|<property name="Initial Admin Identity"></property>|<property name="Initial Admin Identity">'"${INITIAL_ADMIN_IDENTITY}"'</property>|' ${NIFI_HOME}/conf/authorizers.xml
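Review bot: The error text for the truststore checks is copied from the keystore block: the message under `if [ ! -f "${TRUSTSTORE_PATH}" ]` still says "Keystore file specified", and the `TRUSTSTORE_TYPE` and `TRUSTSTORE_PASSWORD` guards fail with "Need to set DEST non-empty", naming a variable that does not exist in this script; use `echo "Truststore file specified (${TRUSTSTORE_PATH}) does not exist."` and messages that name the truststore type and password. `INITIAL_ADMIN_IDENTITY` is never validated, so an unset value writes an empty `Initial Admin Identity` into authorizers.xml and the secured instance comes up with no seeded administrator; a guard in the same style as the others, `: ${INITIAL_ADMIN_IDENTITY:?"Must specify the DN of the initial admin user."}`, placed before the two `sed` lines makes that failure explicit at startup. The DN is also inserted into the XML by sed without escaping, so a DN containing `&`, `|` or `<` would corrupt authorizers.xml; at minimum a comment stating that constraint belongs above those two lines.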
http://git-wip-us.apache.org/repos/asf/nifi/blob/c832a2ed/nifi-docker/dockerhub/sh/start.sh
----------------------------------------------------------------------
diff --git a/nifi-docker/dockerhub/sh/start.sh b/nifi-docker/dockerhub/sh/start.sh
new file mode 100755
index 0000000..178f30e
--- /dev/null
+++ b/nifi-docker/dockerhub/sh/start.sh
@@ -0,0 +1,43 @@
+#!/bin/sh -e
+
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+[ -f /opt/nifi/scripts/common.sh ] && . /opt/nifi/scripts/common.sh
+
+# Establish baseline properties
+prop_replace 'nifi.web.http.port' '8080'
+prop_replace 'nifi.web.http.host' "${hostname}"
+prop_replace 'nifi.remote.input.host' "${hostname}"
+prop_replace 'nifi.remote.input.socket.port' '10000'
+prop_replace 'nifi.remote.input.secure' 'false'
+
+# Check if we are secured or unsecured
+case ${AUTH} in
+ tls)
+ echo 'Enabling Two-Way SSL user authentication'
+ . /opt/nifi/scripts/secure.sh
+ ;;
+esac
+
+# Continuously provide logs so that 'docker logs' can produce them
+tail -F ${NIFI_HOME}/logs/nifi-app.log &
+${NIFI_HOME}/bin/nifi.sh run &
+nifi_pid="$!"
+
+trap "echo Received trapped signal, beginning shutdown...;" KILL TERM HUP INT EXIT;
+
+echo NiFi running with PID ${nifi_pid}.
+wait ${nifi_pid}
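Review bot: The `trap` installed before `wait` only echoes; it does not stop NiFi, so on `docker stop` the script prints the message and exits while the backgrounded `nifi.sh run` is left to be killed by the runtime's timeout instead of shutting down cleanly. The handler should stop the child, e.g. `trap 'echo Received trapped signal, beginning shutdown...; ${NIFI_HOME}/bin/nifi.sh stop; exit 0' TERM HUP INT`, after confirming that `nifi.sh stop` works against an instance started with `run`. `KILL` cannot be caught and should be dropped from the list, and trapping `EXIT` with an echo-only handler makes every normal exit print a misleading "Received trapped signal" line. Separately, the `case ${AUTH} in` only recognises `tls`; any other non-empty value (a typo such as `TLS`) silently falls through to the unsecured HTTP configuration, so adding `'') ;;` and `*) echo "Unsupported AUTH value: ${AUTH}"; exit 1 ;;` branches would fail fast instead.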
http://git-wip-us.apache.org/repos/asf/nifi/blob/c832a2ed/nifi-docker/dockermaven/Dockerfile
----------------------------------------------------------------------
diff --git a/nifi-docker/dockermaven/Dockerfile b/nifi-docker/dockermaven/Dockerfile
index daecdd9..62dd03c 100644
--- a/nifi-docker/dockermaven/Dockerfile
+++ b/nifi-docker/dockermaven/Dockerfile
@@ -17,7 +17,7 @@
#
FROM openjdk:8-jre
-LABEL maintainer "Apache NiFi <de...@nifi.apache.org>"
+LABEL maintainer="Apache NiFi <de...@nifi.apache.org>"
ARG UID=1000
ARG GID=1000
http://git-wip-us.apache.org/repos/asf/nifi/blob/c832a2ed/nifi-nar-bundles/nifi-update-attribute-bundle/nifi-update-attribute-ui/nb-configuration.xml
----------------------------------------------------------------------
diff --git a/nifi-nar-bundles/nifi-update-attribute-bundle/nifi-update-attribute-ui/nb-configuration.xml b/nifi-nar-bundles/nifi-update-attribute-bundle/nifi-update-attribute-ui/nb-configuration.xml
deleted file mode 100644
index 4da1f6c..0000000
--- a/nifi-nar-bundles/nifi-update-attribute-bundle/nifi-update-attribute-ui/nb-configuration.xml
+++ /dev/null
@@ -1,18 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<project-shared-configuration>
- <!--
-This file contains additional configuration written by modules in the NetBeans IDE.
-The configuration is intended to be shared among all the users of project and
-therefore it is assumed to be part of version control checkout.
-Without this configuration present, some functionality in the IDE may be limited or fail altogether.
--->
- <properties xmlns="http://www.netbeans.org/ns/maven-properties-data/1">
- <!--
-Properties that influence various parts of the IDE, especially code formatting and the like.
-You can copy and paste the single properties, into the pom.xml file and the IDE will pick them up.
-That way multiple projects can share the same settings (useful for formatting rules for example).
-Any value defined here will override the pom.xml file value but is only applicable to the current project.
--->
- <org-netbeans-modules-maven-jaxws.rest_2e_config_2e_type>ide</org-netbeans-modules-maven-jaxws.rest_2e_config_2e_type>
- </properties>
-</project-shared-configuration>