You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@nifi.apache.org by GitBox <gi...@apache.org> on 2021/03/15 21:56:07 UTC
[GitHub] [nifi] exceptionfactory commented on a change in pull request #4893: NIFI-8312: Support PKCS12 and BCFKS truststores in Atlas reporting task
exceptionfactory commented on a change in pull request #4893:
URL: https://github.com/apache/nifi/pull/4893#discussion_r594705897
##########
File path: nifi-nar-bundles/nifi-atlas-bundle/nifi-atlas-reporting-task/src/main/java/org/apache/nifi/atlas/reporting/ReportLineageToAtlas.java
##########
@@ -704,33 +699,47 @@ private void setAtlasSSLConfig(Properties atlasProperties, ConfigurationContext
boolean isAtlasApiSecure = urls.stream().anyMatch(url -> url.toLowerCase().startsWith("https"));
atlasProperties.put(ATLAS_PROPERTY_ENABLE_TLS, String.valueOf(isAtlasApiSecure));
- // ssl-client.xml must be deleted, Atlas will not regenerate it otherwise
- Path credStorePath = new File(confDir, CRED_STORE_FILENAME).toPath();
- Files.deleteIfExists(credStorePath);
- Path sslClientXmlPath = new File(confDir, SSL_CLIENT_XML_FILENAME).toPath();
- Files.deleteIfExists(sslClientXmlPath);
+ deleteSslClientXml(confDir);
if (isAtlasApiSecure) {
SSLContextService sslContextService = context.getProperty(SSL_CONTEXT_SERVICE).asControllerService(SSLContextService.class);
if (sslContextService == null) {
getLogger().warn("No SSLContextService configured, the system default truststore will be used.");
} else if (!sslContextService.isTrustStoreConfigured()) {
getLogger().warn("No truststore configured on SSLContextService, the system default truststore will be used.");
- } else if (!KeystoreType.JKS.getType().equalsIgnoreCase(sslContextService.getTrustStoreType())) {
- getLogger().warn("The configured truststore type is not supported by Atlas (not JKS), the system default truststore will be used.");
} else {
- atlasProperties.put(ATLAS_PROPERTY_TRUSTSTORE_FILE, sslContextService.getTrustStoreFile());
+ // create ssl-client.xml config file for Hadoop Security used by Atlas REST client,
+ // Atlas would generate this file with hardcoded JKS keystore type,
+ // in order to support other keystore types, we generate it ourselves
+ createSslClientXml(confDir, sslContextService);
+ }
+ }
+ }
+
+ private void deleteSslClientXml(File confDir) throws Exception {
+ Path path = new File(confDir, SSL_CLIENT_XML_FILENAME).toPath();
+ try {
+ Files.deleteIfExists(path);
+ } catch (Exception e) {
+ getLogger().error("Unable to delete " + path, e);
Review comment:
Recommend changing the message to use the placeholder syntax and indicating a little more detail about the file:
```suggestion
getLogger().error("Unable to delete SSL Client Configuration File {}", path, e);
```
##########
File path: nifi-nar-bundles/nifi-atlas-bundle/nifi-atlas-reporting-task/src/main/java/org/apache/nifi/atlas/reporting/ReportLineageToAtlas.java
##########
@@ -704,33 +699,47 @@ private void setAtlasSSLConfig(Properties atlasProperties, ConfigurationContext
boolean isAtlasApiSecure = urls.stream().anyMatch(url -> url.toLowerCase().startsWith("https"));
atlasProperties.put(ATLAS_PROPERTY_ENABLE_TLS, String.valueOf(isAtlasApiSecure));
- // ssl-client.xml must be deleted, Atlas will not regenerate it otherwise
- Path credStorePath = new File(confDir, CRED_STORE_FILENAME).toPath();
- Files.deleteIfExists(credStorePath);
Review comment:
Do you anticipate any problems if the Credentials Store file remains on the file system since it will no longer be deleted?
##########
File path: nifi-nar-bundles/nifi-atlas-bundle/nifi-atlas-reporting-task/src/main/java/org/apache/nifi/atlas/reporting/ReportLineageToAtlas.java
##########
@@ -704,33 +699,47 @@ private void setAtlasSSLConfig(Properties atlasProperties, ConfigurationContext
boolean isAtlasApiSecure = urls.stream().anyMatch(url -> url.toLowerCase().startsWith("https"));
atlasProperties.put(ATLAS_PROPERTY_ENABLE_TLS, String.valueOf(isAtlasApiSecure));
- // ssl-client.xml must be deleted, Atlas will not regenerate it otherwise
- Path credStorePath = new File(confDir, CRED_STORE_FILENAME).toPath();
- Files.deleteIfExists(credStorePath);
- Path sslClientXmlPath = new File(confDir, SSL_CLIENT_XML_FILENAME).toPath();
- Files.deleteIfExists(sslClientXmlPath);
+ deleteSslClientXml(confDir);
if (isAtlasApiSecure) {
SSLContextService sslContextService = context.getProperty(SSL_CONTEXT_SERVICE).asControllerService(SSLContextService.class);
if (sslContextService == null) {
getLogger().warn("No SSLContextService configured, the system default truststore will be used.");
} else if (!sslContextService.isTrustStoreConfigured()) {
getLogger().warn("No truststore configured on SSLContextService, the system default truststore will be used.");
- } else if (!KeystoreType.JKS.getType().equalsIgnoreCase(sslContextService.getTrustStoreType())) {
- getLogger().warn("The configured truststore type is not supported by Atlas (not JKS), the system default truststore will be used.");
} else {
- atlasProperties.put(ATLAS_PROPERTY_TRUSTSTORE_FILE, sslContextService.getTrustStoreFile());
+ // create ssl-client.xml config file for Hadoop Security used by Atlas REST client,
+ // Atlas would generate this file with hardcoded JKS keystore type,
+ // in order to support other keystore types, we generate it ourselves
+ createSslClientXml(confDir, sslContextService);
+ }
+ }
+ }
+
+ private void deleteSslClientXml(File confDir) throws Exception {
+ Path path = new File(confDir, SSL_CLIENT_XML_FILENAME).toPath();
+ try {
+ Files.deleteIfExists(path);
+ } catch (Exception e) {
+ getLogger().error("Unable to delete " + path, e);
+ throw e;
+ }
+ }
- String password = sslContextService.getTrustStorePassword();
- // Hadoop Credential Provider JCEKS URI format: localjceks://file/PATH/TO/JCEKS
- String credStoreUri = credStorePath.toUri().toString().replaceFirst("^file://", "localjceks://file");
+ private void createSslClientXml(File confDir, SSLContextService sslContextService) throws Exception {
+ File sslClientXmlFile = new File(confDir, SSL_CLIENT_XML_FILENAME);
- CredentialProvider credentialProvider = new LocalJavaKeyStoreProvider.Factory().createProvider(new URI(credStoreUri), new Configuration());
- credentialProvider.createCredentialEntry(TRUSTSTORE_PASSWORD_ALIAS, password.toCharArray());
- credentialProvider.flush();
+ Configuration configuration = new Configuration(false);
- atlasProperties.put(ATLAS_PROPERTY_CRED_STORE_PATH, credStoreUri);
- }
+ configuration.set(SSL_CLIENT_XML_TRUSTSTORE_LOCATION, sslContextService.getTrustStoreFile());
+ configuration.set(SSL_CLIENT_XML_TRUSTSTORE_PASSWORD, sslContextService.getTrustStorePassword());
+ configuration.set(SSL_CLIENT_XML_TRUSTSTORE_TYPE, sslContextService.getTrustStoreType());
+
+ try (FileWriter fileWriter = new FileWriter(sslClientXmlFile)) {
+ configuration.writeXml(fileWriter);
+ } catch (Exception e) {
+ getLogger().error("Unable to create SSL config file: " + sslClientXmlFile, e);
Review comment:
As mention in other comment for parameterized logging:
```suggestion
getLogger().error("Unable to create SSL Client Configuration File {}", sslClientXmlFile, e);
```
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org