You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@nifi.apache.org by GitBox <gi...@apache.org> on 2021/03/10 14:29:48 UTC
[GitHub] [nifi] exceptionfactory opened a new pull request #4881: NIFI-8298 Refactored Kerberos and SSLSocket classes from security-utils
exceptionfactory opened a new pull request #4881:
URL: https://github.com/apache/nifi/pull/4881
#### Description of PR
NIFI-8298 Refactors Kerberos and SSLSocket classes from `nifi-security-utils` to separate modules that do not depend on the Bouncy Castle Security Provider library. This refactoring reduces the size of the assembled NiFi binary by almost 300 MB due to the elimination of over 30 references to bcprov-jdk15on. This PR includes the following changes:
- Created `nifi-security-socket-ssl`
- Created `nifi-security-kerberos`
- Removed `nifi-security-utils` dependency from `nifi-processor-utils`
- Updated modules to reference new dependencies
In order to streamline the review of the contribution we ask you
to ensure the following steps have been taken:
### For all changes:
- [X] Is there a JIRA ticket associated with this PR? Is it referenced
in the commit message?
- [X] Does your PR title start with **NIFI-XXXX** where XXXX is the JIRA number you are trying to resolve? Pay particular attention to the hyphen "-" character.
- [X] Has your PR been rebased against the latest commit within the target branch (typically `main`)?
- [X] Is your initial contribution a single, squashed commit? _Additional commits in response to PR reviewer feedback should be made on this branch and pushed to allow change tracking. Do not `squash` or use `--force` when pushing to allow for clean monitoring of changes._
### For code changes:
- [X] Have you ensured that the full suite of tests is executed via `mvn -Pcontrib-check clean install` at the root `nifi` folder?
- [X] Have you written or updated unit tests to verify your changes?
- [X] Have you verified that the full build is successful on JDK 8?
- [ ] Have you verified that the full build is successful on JDK 11?
- [ ] If adding new dependencies to the code, are these dependencies licensed in a way that is compatible for inclusion under [ASF 2.0](http://www.apache.org/legal/resolved.html#category-a)?
- [ ] If applicable, have you updated the `LICENSE` file, including the main `LICENSE` file under `nifi-assembly`?
- [ ] If applicable, have you updated the `NOTICE` file, including the main `NOTICE` file found under `nifi-assembly`?
- [ ] If adding new Properties, have you added `.displayName` in addition to .name (programmatic access) for each of the new properties?
### For documentation related changes:
- [ ] Have you ensured that format looks appropriate for the output in which it is rendered?
### Note:
Please ensure that once the PR is submitted, you check GitHub Actions CI for build issues and submit an update to your PR as soon as possible.
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [nifi] thenatog commented on pull request #4881: NIFI-8298 Refactored Kerberos and SSLSocket classes from security-utils
Posted by GitBox <gi...@apache.org>.
thenatog commented on pull request #4881:
URL: https://github.com/apache/nifi/pull/4881#issuecomment-802447155
Was able to get Kerberos set up with Bryan's blog: https://bryanbende.com/development/2016/08/31/apache-nifi-1.0.0-kerberos-authentication, and tested against this PR. Looks good.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [nifi] exceptionfactory commented on pull request #4881: NIFI-8298 Refactored Kerberos and SSLSocket classes from security-utils
Posted by GitBox <gi...@apache.org>.
exceptionfactory commented on pull request #4881:
URL: https://github.com/apache/nifi/pull/4881#issuecomment-796266204
> This looks good to me - relatively simple change involving mostly pom changes which mostly should be verified by the build. I've set up a 3 node secure cluster running internal ZooKeeper and security features (authenticating with client cert, sending/receiving data with site-to-site, InvokeHTTP and ListenHTTP with SSL contexts) appear to be working. One thing probably left to confirm is that kerberos works correctly at run time but I don't have a setup to test that.
Thanks for the feedback @thenatog!
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [nifi] thenatog commented on a change in pull request #4881: NIFI-8298 Refactored Kerberos and SSLSocket classes from security-utils
Posted by GitBox <gi...@apache.org>.
thenatog commented on a change in pull request #4881:
URL: https://github.com/apache/nifi/pull/4881#discussion_r591648481
##########
File path: nifi-nar-bundles/nifi-websocket-bundle/nifi-websocket-services-jetty/src/main/java/org/apache/nifi/websocket/jetty/JettyWebSocketClient.java
##########
@@ -219,7 +219,7 @@ public void startClient(final ConfigurationContext context) throws Exception{
throw new IllegalArgumentException(AUTH_CHARSET.getDisplayName() + " was not specified.");
}
final Charset charset = Charset.forName(charsetName);
- final String base64String = Base64.encodeBase64String((userName + ":" + userPassword).getBytes(charset));
+ final String base64String = Base64.getEncoder().encodeToString((userName + ":" + userPassword).getBytes(charset));
Review comment:
Does this eliminate org.apache.commons as a dependency or is there another reason for this?
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [nifi] thenatog commented on pull request #4881: NIFI-8298 Refactored Kerberos and SSLSocket classes from security-utils
Posted by GitBox <gi...@apache.org>.
thenatog commented on pull request #4881:
URL: https://github.com/apache/nifi/pull/4881#issuecomment-802467616
I should also mention that I verified that the build artifacts for this PR are 300MB smaller than the main branch.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [nifi] thenatog commented on pull request #4881: NIFI-8298 Refactored Kerberos and SSLSocket classes from security-utils
Posted by GitBox <gi...@apache.org>.
thenatog commented on pull request #4881:
URL: https://github.com/apache/nifi/pull/4881#issuecomment-795595699
Sounds like this will be a really beneficial change for the NiFi build artifacts. I will review, hopefully others can too.
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [nifi] thenatog closed pull request #4881: NIFI-8298 Refactored Kerberos and SSLSocket classes from security-utils
Posted by GitBox <gi...@apache.org>.
thenatog closed pull request #4881:
URL: https://github.com/apache/nifi/pull/4881
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [nifi] exceptionfactory commented on pull request #4881: NIFI-8298 Refactored Kerberos and SSLSocket classes from security-utils
Posted by GitBox <gi...@apache.org>.
exceptionfactory commented on pull request #4881:
URL: https://github.com/apache/nifi/pull/4881#issuecomment-802860678
> I should also mention that I verified that the build artifacts for this PR are 300MB smaller than the main branch.
Thanks for the additional verification @thenatog!
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [nifi] thenatog commented on pull request #4881: NIFI-8298 Refactored Kerberos and SSLSocket classes from security-utils
Posted by GitBox <gi...@apache.org>.
thenatog commented on pull request #4881:
URL: https://github.com/apache/nifi/pull/4881#issuecomment-795748916
This looks good to me - relatively simple change involving mostly pom changes which mostly should be verified by the build. I've set up a 3 node secure cluster running internal ZooKeeper and security features (authenticating with client cert, sending/receiving data with site-to-site, InvokeHTTP and ListenHTTP with SSL contexts) appear to be working. One thing probably left to confirm is that kerberos works correctly at run time but I don't have a setup to test that.
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [nifi] exceptionfactory commented on a change in pull request #4881: NIFI-8298 Refactored Kerberos and SSLSocket classes from security-utils
Posted by GitBox <gi...@apache.org>.
exceptionfactory commented on a change in pull request #4881:
URL: https://github.com/apache/nifi/pull/4881#discussion_r591653570
##########
File path: nifi-nar-bundles/nifi-websocket-bundle/nifi-websocket-services-jetty/src/main/java/org/apache/nifi/websocket/jetty/JettyWebSocketClient.java
##########
@@ -219,7 +219,7 @@ public void startClient(final ConfigurationContext context) throws Exception{
throw new IllegalArgumentException(AUTH_CHARSET.getDisplayName() + " was not specified.");
}
final Charset charset = Charset.forName(charsetName);
- final String base64String = Base64.encodeBase64String((userName + ":" + userPassword).getBytes(charset));
+ final String base64String = Base64.getEncoder().encodeToString((userName + ":" + userPassword).getBytes(charset));
Review comment:
The `nifi-websocket-services-jetty` library had a dependency on `nifi-security-utils`, which transitively included Apache `commons-codec`. With the removal of `nifi-security-utils`, this change removes the need for `commons-codec` in this module by using the JDK Base64 Encoder.
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org