You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@nifi.apache.org by GitBox <gi...@apache.org> on 2020/12/21 18:53:25 UTC
[GitHub] [nifi] exceptionfactory opened a new pull request #4737: NIFI-8096 Deprecated ClientAuth references in SSLContextService
exceptionfactory opened a new pull request #4737:
URL: https://github.com/apache/nifi/pull/4737
#### Description of PR
NIFI-8096 Deprecates `createSSLContext()` methods in `SSLContextService` and adds a `createContext()` method that does not use the `ClientAuth` enumeration. Updated extension components to use `SSLContextService.createContext()` in place of deprecated methods.
Removed references to `ClientAuth` from internal `SslContextFactory` class, and refactored framework classes to eliminate unnecessary usage of `ClientAuth`.
Updated `ListenHTTP` to call `SslContextBuilder.Server.setNeedClientAuth(true)` when the `Client Authentication` property is `REQUIRED` and call `setWantClientAuth(true)` when the `Client Authentication` property is `WANT`.
These changes remove attempts in `SslContextFactory` to modify the default `SSLParameters` object, which is a read-only representation for the Java Virtual Machine configuration. Deprecating methods on `SSLContextService` that use `ClientAuth` is necessary to clarify component behavior.
In order to streamline the review of the contribution we ask you
to ensure the following steps have been taken:
### For all changes:
- [X] Is there a JIRA ticket associated with this PR? Is it referenced
in the commit message?
- [X] Does your PR title start with **NIFI-XXXX** where XXXX is the JIRA number you are trying to resolve? Pay particular attention to the hyphen "-" character.
- [X] Has your PR been rebased against the latest commit within the target branch (typically `main`)?
- [X] Is your initial contribution a single, squashed commit? _Additional commits in response to PR reviewer feedback should be made on this branch and pushed to allow change tracking. Do not `squash` or use `--force` when pushing to allow for clean monitoring of changes._
### For code changes:
- [X] Have you ensured that the full suite of tests is executed via `mvn -Pcontrib-check clean install` at the root `nifi` folder?
- [X] Have you written or updated unit tests to verify your changes?
- [ ] Have you verified that the full build is successful on JDK 8?
- [X] Have you verified that the full build is successful on JDK 11?
- [ ] If adding new dependencies to the code, are these dependencies licensed in a way that is compatible for inclusion under [ASF 2.0](http://www.apache.org/legal/resolved.html#category-a)?
- [ ] If applicable, have you updated the `LICENSE` file, including the main `LICENSE` file under `nifi-assembly`?
- [ ] If applicable, have you updated the `NOTICE` file, including the main `NOTICE` file found under `nifi-assembly`?
- [ ] If adding new Properties, have you added `.displayName` in addition to .name (programmatic access) for each of the new properties?
### For documentation related changes:
- [ ] Have you ensured that format looks appropriate for the output in which it is rendered?
### Note:
Please ensure that once the PR is submitted, you check GitHub Actions CI for build issues and submit an update to your PR as soon as possible.
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [nifi] exceptionfactory commented on a change in pull request #4737: NIFI-8096 Deprecated ClientAuth references in SSLContextService
Posted by GitBox <gi...@apache.org>.
exceptionfactory commented on a change in pull request #4737:
URL: https://github.com/apache/nifi/pull/4737#discussion_r552897685
##########
File path: nifi-nar-bundles/nifi-standard-services/nifi-ssl-context-bundle/nifi-ssl-context-service/src/main/java/org/apache/nifi/ssl/StandardSSLContextService.java
##########
@@ -238,41 +238,55 @@ public TlsConfiguration createTlsConfiguration() {
}
/**
- * Returns a configured {@link SSLContext} from the populated configuration values. This method is preferred
- * over the overloaded method which accepts the deprecated {@link ClientAuth} enum.
+ * Create and initialize {@link SSLContext} using configured properties. This method is preferred over deprecated
+ * methods due to not requiring a client authentication policy. Invokes createTlsConfiguration() to prepare
+ * properties for processing.
+ *
+ * @return {@link SSLContext} initialized using configured properties
+ */
+ @Override
+ public SSLContext createContext() {
+ final TlsConfiguration tlsConfiguration = createTlsConfiguration();
+ if (!tlsConfiguration.isTruststorePopulated()) {
+ getLogger().warn("Trust Store properties not found: using platform default Certificate Authorities");
+ }
+
+ try {
+ final TrustManager[] trustManagers = SslContextFactory.getTrustManagers(tlsConfiguration);
+ return SslContextFactory.createSslContext(tlsConfiguration, trustManagers);
+ } catch (final TlsException e) {
+ getLogger().error("Unable to create SSLContext: {}", new String[]{e.getLocalizedMessage()});
+ throw new ProcessException("Unable to create SSLContext", e);
+ }
+ }
+
+ /**
+ * Returns a configured {@link SSLContext} from the populated configuration values. This method is deprecated
+ * due to the Client Authentication policy not being applicable when initializing the SSLContext
*
* @param clientAuth the desired level of client authentication
* @return the configured SSLContext
* @throws ProcessException if there is a problem configuring the context
*/
+ @Deprecated
@Override
public SSLContext createSSLContext(final org.apache.nifi.security.util.ClientAuth clientAuth) throws ProcessException {
- try {
- final TlsConfiguration tlsConfiguration = createTlsConfiguration();
- if (!tlsConfiguration.isTruststorePopulated()) {
- getLogger().warn("Trust Store properties not found: using platform default Certificate Authorities");
- }
- final TrustManager[] trustManagers = SslContextFactory.getTrustManagers(tlsConfiguration);
- return SslContextFactory.createSslContext(tlsConfiguration, trustManagers, clientAuth);
- } catch (TlsException e) {
- getLogger().error("Encountered an error creating the SSL context from the SSL context service: {}", new String[]{e.getLocalizedMessage()});
- throw new ProcessException("Error creating SSL context", e);
- }
+ return createContext();
}
/**
* Returns a configured {@link SSLContext} from the populated configuration values. This method is deprecated
Review comment:
Added
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [nifi] markap14 closed pull request #4737: NIFI-8096 Deprecated ClientAuth references in SSLContextService
Posted by GitBox <gi...@apache.org>.
markap14 closed pull request #4737:
URL: https://github.com/apache/nifi/pull/4737
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [nifi] exceptionfactory commented on pull request #4737: NIFI-8096 Deprecated ClientAuth references in SSLContextService
Posted by GitBox <gi...@apache.org>.
exceptionfactory commented on pull request #4737:
URL: https://github.com/apache/nifi/pull/4737#issuecomment-755512582
Thanks for the review @markap14. I pushed an update to address your comments.
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [nifi] exceptionfactory commented on a change in pull request #4737: NIFI-8096 Deprecated ClientAuth references in SSLContextService
Posted by GitBox <gi...@apache.org>.
exceptionfactory commented on a change in pull request #4737:
URL: https://github.com/apache/nifi/pull/4737#discussion_r552900595
##########
File path: nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/src/main/java/org/apache/nifi/processors/standard/ListenHTTP.java
##########
@@ -193,7 +193,7 @@
.description("Client Authentication policy for TLS connections. Required when SSL Context Service configured.")
.required(false)
.allowableValues(ClientAuth.values())
- .defaultValue(ClientAuth.REQUIRED.name())
Review comment:
Previous behavior inferred requiring a client certificate when the `SSLContextService` was configured with trust store properties, falling back to wanting a client certificate in the absence of trust store properties. Making `REQUIRED` the default value going forward sounds like the best approach. Perhaps putting a comment in future release notes indicating this change in behavior would be worthwhile for users of `ListenHTTP` who do not require clients to provide certificates.
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [nifi] exceptionfactory commented on a change in pull request #4737: NIFI-8096 Deprecated ClientAuth references in SSLContextService
Posted by GitBox <gi...@apache.org>.
exceptionfactory commented on a change in pull request #4737:
URL: https://github.com/apache/nifi/pull/4737#discussion_r552897870
##########
File path: nifi-nar-bundles/nifi-standard-services/nifi-ssl-context-service-api/src/main/java/org/apache/nifi/ssl/SSLContextService.java
##########
@@ -56,26 +56,36 @@
}
/**
- * Returns a configured {@link SSLContext} from the populated configuration values. This method is preferred
- * over the overloaded method which accepts the deprecated {@link ClientAuth} enum.
+ * Create and initialize {@link SSLContext} using configured properties. This method is preferred over deprecated
+ * create methods due to not requiring a client authentication policy.
+ *
+ * @return {@link SSLContext} initialized using configured properties
+ */
+ SSLContext createContext();
+
+ /**
+ * Returns a configured {@link SSLContext} from the populated configuration values. This method is deprecated
+ * due to {@link org.apache.nifi.security.util.ClientAuth} not being applicable or used when initializing the
+ * {@link SSLContext}
*
* @param clientAuth the desired level of client authentication
* @return the configured SSLContext
* @throws ProcessException if there is a problem configuring the context
*/
- SSLContext createSSLContext(final org.apache.nifi.security.util.ClientAuth clientAuth) throws ProcessException;
+ @Deprecated
+ SSLContext createSSLContext(org.apache.nifi.security.util.ClientAuth clientAuth) throws ProcessException;
/**
* Returns a configured {@link SSLContext} from the populated configuration values. This method is deprecated
Review comment:
Added
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [nifi] exceptionfactory commented on a change in pull request #4737: NIFI-8096 Deprecated ClientAuth references in SSLContextService
Posted by GitBox <gi...@apache.org>.
exceptionfactory commented on a change in pull request #4737:
URL: https://github.com/apache/nifi/pull/4737#discussion_r552897747
##########
File path: nifi-nar-bundles/nifi-standard-services/nifi-ssl-context-service-api/src/main/java/org/apache/nifi/ssl/SSLContextService.java
##########
@@ -56,26 +56,36 @@
}
/**
- * Returns a configured {@link SSLContext} from the populated configuration values. This method is preferred
- * over the overloaded method which accepts the deprecated {@link ClientAuth} enum.
+ * Create and initialize {@link SSLContext} using configured properties. This method is preferred over deprecated
+ * create methods due to not requiring a client authentication policy.
+ *
+ * @return {@link SSLContext} initialized using configured properties
+ */
+ SSLContext createContext();
+
+ /**
+ * Returns a configured {@link SSLContext} from the populated configuration values. This method is deprecated
Review comment:
Added
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [nifi] markap14 commented on pull request #4737: NIFI-8096 Deprecated ClientAuth references in SSLContextService
Posted by GitBox <gi...@apache.org>.
markap14 commented on pull request #4737:
URL: https://github.com/apache/nifi/pull/4737#issuecomment-755721040
Thanks @exceptionfactory! All looks good. +1 merged to main
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [nifi] markap14 commented on a change in pull request #4737: NIFI-8096 Deprecated ClientAuth references in SSLContextService
Posted by GitBox <gi...@apache.org>.
markap14 commented on a change in pull request #4737:
URL: https://github.com/apache/nifi/pull/4737#discussion_r552828009
##########
File path: nifi-nar-bundles/nifi-standard-services/nifi-ssl-context-bundle/nifi-ssl-context-service/src/main/java/org/apache/nifi/ssl/StandardSSLContextService.java
##########
@@ -238,41 +238,55 @@ public TlsConfiguration createTlsConfiguration() {
}
/**
- * Returns a configured {@link SSLContext} from the populated configuration values. This method is preferred
- * over the overloaded method which accepts the deprecated {@link ClientAuth} enum.
+ * Create and initialize {@link SSLContext} using configured properties. This method is preferred over deprecated
+ * methods due to not requiring a client authentication policy. Invokes createTlsConfiguration() to prepare
+ * properties for processing.
+ *
+ * @return {@link SSLContext} initialized using configured properties
+ */
+ @Override
+ public SSLContext createContext() {
+ final TlsConfiguration tlsConfiguration = createTlsConfiguration();
+ if (!tlsConfiguration.isTruststorePopulated()) {
+ getLogger().warn("Trust Store properties not found: using platform default Certificate Authorities");
+ }
+
+ try {
+ final TrustManager[] trustManagers = SslContextFactory.getTrustManagers(tlsConfiguration);
+ return SslContextFactory.createSslContext(tlsConfiguration, trustManagers);
+ } catch (final TlsException e) {
+ getLogger().error("Unable to create SSLContext: {}", new String[]{e.getLocalizedMessage()});
+ throw new ProcessException("Unable to create SSLContext", e);
+ }
+ }
+
+ /**
+ * Returns a configured {@link SSLContext} from the populated configuration values. This method is deprecated
+ * due to the Client Authentication policy not being applicable when initializing the SSLContext
*
* @param clientAuth the desired level of client authentication
* @return the configured SSLContext
* @throws ProcessException if there is a problem configuring the context
*/
+ @Deprecated
@Override
public SSLContext createSSLContext(final org.apache.nifi.security.util.ClientAuth clientAuth) throws ProcessException {
- try {
- final TlsConfiguration tlsConfiguration = createTlsConfiguration();
- if (!tlsConfiguration.isTruststorePopulated()) {
- getLogger().warn("Trust Store properties not found: using platform default Certificate Authorities");
- }
- final TrustManager[] trustManagers = SslContextFactory.getTrustManagers(tlsConfiguration);
- return SslContextFactory.createSslContext(tlsConfiguration, trustManagers, clientAuth);
- } catch (TlsException e) {
- getLogger().error("Encountered an error creating the SSL context from the SSL context service: {}", new String[]{e.getLocalizedMessage()});
- throw new ProcessException("Error creating SSL context", e);
- }
+ return createContext();
}
/**
* Returns a configured {@link SSLContext} from the populated configuration values. This method is deprecated
Review comment:
Should use @deprecated tag
##########
File path: nifi-nar-bundles/nifi-standard-services/nifi-ssl-context-bundle/nifi-ssl-context-service/src/main/java/org/apache/nifi/ssl/StandardSSLContextService.java
##########
@@ -238,41 +238,55 @@ public TlsConfiguration createTlsConfiguration() {
}
/**
- * Returns a configured {@link SSLContext} from the populated configuration values. This method is preferred
- * over the overloaded method which accepts the deprecated {@link ClientAuth} enum.
+ * Create and initialize {@link SSLContext} using configured properties. This method is preferred over deprecated
+ * methods due to not requiring a client authentication policy. Invokes createTlsConfiguration() to prepare
+ * properties for processing.
+ *
+ * @return {@link SSLContext} initialized using configured properties
+ */
+ @Override
+ public SSLContext createContext() {
+ final TlsConfiguration tlsConfiguration = createTlsConfiguration();
+ if (!tlsConfiguration.isTruststorePopulated()) {
+ getLogger().warn("Trust Store properties not found: using platform default Certificate Authorities");
+ }
+
+ try {
+ final TrustManager[] trustManagers = SslContextFactory.getTrustManagers(tlsConfiguration);
+ return SslContextFactory.createSslContext(tlsConfiguration, trustManagers);
+ } catch (final TlsException e) {
+ getLogger().error("Unable to create SSLContext: {}", new String[]{e.getLocalizedMessage()});
+ throw new ProcessException("Unable to create SSLContext", e);
+ }
+ }
+
+ /**
+ * Returns a configured {@link SSLContext} from the populated configuration values. This method is deprecated
Review comment:
Should use @deprecated tag in the javadocs so that they are rendered nicely.
##########
File path: nifi-nar-bundles/nifi-standard-services/nifi-ssl-context-service-api/src/main/java/org/apache/nifi/ssl/SSLContextService.java
##########
@@ -56,26 +56,36 @@
}
/**
- * Returns a configured {@link SSLContext} from the populated configuration values. This method is preferred
- * over the overloaded method which accepts the deprecated {@link ClientAuth} enum.
+ * Create and initialize {@link SSLContext} using configured properties. This method is preferred over deprecated
+ * create methods due to not requiring a client authentication policy.
+ *
+ * @return {@link SSLContext} initialized using configured properties
+ */
+ SSLContext createContext();
+
+ /**
+ * Returns a configured {@link SSLContext} from the populated configuration values. This method is deprecated
Review comment:
Should use @deprecated tag
##########
File path: nifi-nar-bundles/nifi-standard-services/nifi-ssl-context-service-api/src/main/java/org/apache/nifi/ssl/SSLContextService.java
##########
@@ -56,26 +56,36 @@
}
/**
- * Returns a configured {@link SSLContext} from the populated configuration values. This method is preferred
- * over the overloaded method which accepts the deprecated {@link ClientAuth} enum.
+ * Create and initialize {@link SSLContext} using configured properties. This method is preferred over deprecated
+ * create methods due to not requiring a client authentication policy.
+ *
+ * @return {@link SSLContext} initialized using configured properties
+ */
+ SSLContext createContext();
+
+ /**
+ * Returns a configured {@link SSLContext} from the populated configuration values. This method is deprecated
+ * due to {@link org.apache.nifi.security.util.ClientAuth} not being applicable or used when initializing the
+ * {@link SSLContext}
*
* @param clientAuth the desired level of client authentication
* @return the configured SSLContext
* @throws ProcessException if there is a problem configuring the context
*/
- SSLContext createSSLContext(final org.apache.nifi.security.util.ClientAuth clientAuth) throws ProcessException;
+ @Deprecated
+ SSLContext createSSLContext(org.apache.nifi.security.util.ClientAuth clientAuth) throws ProcessException;
/**
* Returns a configured {@link SSLContext} from the populated configuration values. This method is deprecated
Review comment:
Should use @deprecated tag
##########
File path: nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/src/main/java/org/apache/nifi/processors/standard/ListenHTTP.java
##########
@@ -193,7 +193,7 @@
.description("Client Authentication policy for TLS connections. Required when SSL Context Service configured.")
.required(false)
.allowableValues(ClientAuth.values())
- .defaultValue(ClientAuth.REQUIRED.name())
Review comment:
I don't think we want to make this change. The default value should always lean toward being more secure, not less secure. And if I set an SSL Context on the processor, I would assume mutual auth is going to happen unless i explicitly change it. This is especially true, since that's always been the behavior in the past.
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org