You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@nifi.apache.org by GitBox <gi...@apache.org> on 2020/02/26 05:42:11 UTC

[GitHub] [nifi] jfrazee opened a new pull request #4092: NIFI-7115 Add ZooKeeper TLS configuration to Administration Guide

jfrazee opened a new pull request #4092: NIFI-7115 Add ZooKeeper TLS configuration to Administration Guide
URL: https://github.com/apache/nifi/pull/4092
 
 
   Thank you for submitting a contribution to Apache NiFi.
   
   Please provide a short description of the PR here:
   
   #### Description of PR
   
   This adds instructions on how to configure NiFi to work with TLS-enabled ZooKeeper servers.
   
   In order to streamline the review of the contribution we ask you
   to ensure the following steps have been taken:
   
   ### For all changes:
   - [X] Is there a JIRA ticket associated with this PR? Is it referenced 
        in the commit message?
   
   - [X] Does your PR title start with **NIFI-XXXX** where XXXX is the JIRA number you are trying to resolve? Pay particular attention to the hyphen "-" character.
   
   - [X] Has your PR been rebased against the latest commit within the target branch (typically `master`)?
   
   - [X] Is your initial contribution a single, squashed commit? _Additional commits in response to PR reviewer feedback should be made on this branch and pushed to allow change tracking. Do not `squash` or use `--force` when pushing to allow for clean monitoring of changes._
   
   ### For code changes:
   - [X] Have you ensured that the full suite of tests is executed via `mvn -Pcontrib-check clean install` at the root `nifi` folder?
   - [X] Have you written or updated unit tests to verify your changes?
   - [X] Have you verified that the full build is successful on both JDK 8 and JDK 11?
   - [X] If adding new dependencies to the code, are these dependencies licensed in a way that is compatible for inclusion under [ASF 2.0](http://www.apache.org/legal/resolved.html#category-a)? 
   - [X] If applicable, have you updated the `LICENSE` file, including the main `LICENSE` file under `nifi-assembly`?
   - [X] If applicable, have you updated the `NOTICE` file, including the main `NOTICE` file found under `nifi-assembly`?
   - [X] If adding new Properties, have you added `.displayName` in addition to .name (programmatic access) for each of the new properties?
   
   ### For documentation related changes:
   - [X] Have you ensured that format looks appropriate for the output in which it is rendered?
   
   ### Note:
   Please ensure that once the PR is submitted, you check travis-ci for build issues and submit an update to your PR as soon as possible.
   

----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
users@infra.apache.org


With regards,
Apache Git Services

[GitHub] [nifi] alopresto commented on issue #4092: NIFI-7115 Add ZooKeeper TLS configuration to Administration Guide

Posted by GitBox <gi...@apache.org>.
alopresto commented on issue #4092: NIFI-7115 Add ZooKeeper TLS configuration to Administration Guide
URL: https://github.com/apache/nifi/pull/4092#issuecomment-591763372
 
 
   Thanks for submitting this @jfrazee . I haven't run this scenario manually, but the documentation looks correct. Have you verified this process yourself?

----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
users@infra.apache.org


With regards,
Apache Git Services

[GitHub] [nifi] jfrazee commented on issue #4092: NIFI-7115 Add ZooKeeper TLS configuration to Administration Guide

Posted by GitBox <gi...@apache.org>.
jfrazee commented on issue #4092: NIFI-7115 Add ZooKeeper TLS configuration to Administration Guide
URL: https://github.com/apache/nifi/pull/4092#issuecomment-592188506
 
 
   @alopresto I've worked through it a few times on 3.5.5-3.5.7 ZK ensembles verified to only work with TLSv1.2, colocated with the NiFi nodes or external, but as mentioned the embedded server won't currently work (without a code change). I opened some new JIRA work for that. The only thing I haven't done is capture the traffic. It might be possible to put together a unit test...

----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
users@infra.apache.org


With regards,
Apache Git Services

[GitHub] [nifi] alopresto commented on a change in pull request #4092: NIFI-7115 Add ZooKeeper TLS configuration to Administration Guide

Posted by GitBox <gi...@apache.org>.
alopresto commented on a change in pull request #4092: NIFI-7115 Add ZooKeeper TLS configuration to Administration Guide
URL: https://github.com/apache/nifi/pull/4092#discussion_r384896964
 
 

 ##########
 File path: nifi-docs/src/main/asciidoc/administration-guide.adoc
 ##########
 @@ -1904,25 +1904,26 @@ that indicates that any user is allowed to have full permissions to the data, or
 allowed to access the data. Which ACL is used depends on the value of the `Access Control` property for the `ZooKeeperStateProvider` (see the
 <<state_providers>> section for more information).
 
-In order to use an ACL that indicates that only the Creator is allowed to access the data, we need to tell ZooKeeper who the Creator is. There are two
+In order to use an ACL that indicates that only the Creator is allowed to access the data, we need to tell ZooKeeper who the Creator is. There are three
 mechanisms for accomplishing this. The first mechanism is to provide authentication using Kerberos. See <<zk_kerberos_client>> for more information.
 
-The second option is to use a user name and password. This is configured by specifying a value for the `Username` and a value for the `Password` properties
+The second option, which additionally ensures that network communication is encrypted, is to authenticate using an X.509 certificate on a TLS-enabled ZooKeeper server. See
+<<zk_tls_client>> for more information.
+
+The third option is to use a user name and password. This is configured by specifying a value for the `Username` and a value for the `Password` properties
 for the `ZooKeeperStateProvider` (see the <<state_providers>> section for more information). The important thing to keep in mind here, though, is that ZooKeeper
 will pass around the password in plain text. This means that using a user name and password should not be used unless ZooKeeper is running on localhost as a
-one-instance cluster, or if communications with ZooKeeper occur only over encrypted communications, such as a VPN or an SSL connection. ZooKeeper will be
-providing support for SSL connections in version 3.5.0.
 
 Review comment:
   `user name` -> `username`. 

----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
users@infra.apache.org


With regards,
Apache Git Services