Posted to issues@nifi.apache.org by "Julien G. (Jira)" <ji...@apache.org> on 2022/09/01 13:51:00 UTC

[jira] [Updated] (NIFI-10425) nifi.security.autoreload.enabled feature doesn't work with symlink

     [ https://issues.apache.org/jira/browse/NIFI-10425?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Julien G. updated NIFI-10425:
-----------------------------
    Description: 
 On a NiFi instance running on K8S, the certificates are provided to the pods by a secret, so to allow NiFi to reload them when they are updated, I set the {{nifi.security.autoreload.enabled}} flag to {{true}}. But the secret mounting mechanism creates a set of symlinks, and the scanner that keeps track of the certificates considers that the certificates are deleted and not updated, because instead of keeping track of the file through the symlink it keeps track of the file pointed to by the symlink. So when the secret is updated, the certificate is deleted and created in another folder and the symlink is updated. But for the Scanner the file has been deleted, so it stops keeping track of it and does not reload the certificate.

To illustrate my point:

 * At the start, the pyramid is like that: {{truststore.jks}} [Symlink] -> {{..data/truststore.jks}}  [Symlink] -> {{..2022_08_31_19_45_44.079808492/truststore.jks}}
 * After the update, the pyramid is like that:  {{truststore.jks}} [Symlink] -> {{..data/truststore.jks}}  [Symlink] -> {{..<NEW_TIMESTAMP>/truststore.jks}}

The symlink still references a valid file, but as the "real" file changed directory, the scanner considers that the file has been deleted and therefore stops keeping track of it.

The Scanner from Jetty will by default have the parameter {{reportRealPaths}} set to {{true}}. If set to true, the listeners used by the Scanner are called with the real path of scanned files. So the parameter should be set to {{false}}.


> nifi.security.autoreload.enabled feature doesn't work with symlink
> ------------------------------------------------------------------
>
>                 Key: NIFI-10425
>                 URL: https://issues.apache.org/jira/browse/NIFI-10425
>             Project: Apache NiFi
>          Issue Type: Improvement
>            Reporter: Julien G.
>            Priority: Major
>             Fix For: 1.18.0
>



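The symlink behaviour described in this issue can be reproduced without NiFi or Jetty. The following Python sketch is an added example, not code from NiFi, Jetty or the reporter: `PathWatcher` and the helper functions are hypothetical and model only the difference between tracking the resolved real path and tracking the symlink path, on a constructed directory layout matching the one in the description.

```python
import os
import shutil
import tempfile

NAME = "truststore.jks"

def write_payload(root, stamp, content):
    """Create ..<stamp>/truststore.jks, the timestamped directory holding the real file."""
    os.mkdir(os.path.join(root, ".." + stamp))
    with open(os.path.join(root, ".." + stamp, NAME), "wb") as fh:
        fh.write(content)

def mount_secret(root, stamp, content):
    """Initial layout: truststore.jks -> ..data/truststore.jks -> ..<stamp>/truststore.jks"""
    write_payload(root, stamp, content)
    os.symlink(".." + stamp, os.path.join(root, "..data"))
    os.symlink(os.path.join("..data", NAME), os.path.join(root, NAME))

def rotate_secret(root, new_stamp, content):
    """Secret update: new timestamped dir, ..data re-pointed, old dir removed."""
    old_dir = os.path.realpath(os.path.join(root, "..data"))
    write_payload(root, new_stamp, content)
    tmp = os.path.join(root, "..data_tmp")
    os.symlink(".." + new_stamp, tmp)
    os.replace(tmp, os.path.join(root, "..data"))  # rename swaps the link itself
    shutil.rmtree(old_dir)

class PathWatcher:
    """Simplified polling watcher (assumption: not Jetty's Scanner implementation)."""
    def __init__(self, path, report_real_paths):
        # Real-path mode pins the watcher to the file the symlink pointed at on startup.
        self.tracked = os.path.realpath(path) if report_real_paths else path
        self.state = self._stat()

    def _stat(self):
        try:
            st = os.stat(self.tracked)  # follows symlinks at poll time
            return (st.st_ino, st.st_mtime_ns, st.st_size)
        except FileNotFoundError:
            return None

    def poll(self):
        old, self.state = self.state, self._stat()
        if old == self.state:
            return "unchanged"
        return "removed" if self.state is None else "changed"

def demo():
    """Return the event seen by (real-path watcher, symlink-path watcher) after a rotation."""
    with tempfile.TemporaryDirectory() as root:
        mount_secret(root, "2022_08_31_19_45_44.079808492", b"old-truststore")
        link = os.path.join(root, NAME)
        by_real = PathWatcher(link, report_real_paths=True)
        by_link = PathWatcher(link, report_real_paths=False)
        rotate_secret(root, "NEW_TIMESTAMP", b"new-truststore-after-rotation")
        return by_real.poll(), by_link.poll()
```

`demo()` shows the real-path watcher reporting a removal while the symlink-path watcher reports a change, which is the event a certificate reload depends on.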