Posted to issues@nifi.apache.org by "Andy LoPresto (Jira)" <ji...@apache.org> on 2020/02/11 21:48:00 UTC

[jira] [Commented] (NIFI-7134) Enable JettyServer to automatically detect keystore changes and update

    [ https://issues.apache.org/jira/browse/NIFI-7134?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17034876#comment-17034876 ] 

Andy LoPresto commented on NIFI-7134:
-------------------------------------

Thanks for filing this, Patrick. I think there are a couple different pieces here that should be split out into multiple sub-tasks:

1. Allowing triggered reloading of certificate material without an application restart
2. A separate monitoring process (could be in `bootstrap`) which detects changes to the keystore contents (would need keystore password, etc.)

As the keystore & truststore and their relative passwords are specified in the {{nifi.properties}} file (often in encrypted form), we would need to be very careful about changing to a _new_ keystore or rotating a password without requiring a restart to ensure the canonical source of truth (the {{nifi.properties}} file) is always accurate. I think the specific scenario we could support easily is reloading the keystore when a new certificate is provided (likely in the same alias, perhaps in a new alias if NIFI-1995 is implemented) with the requirement that the file path and password have not changed. For enhanced behavior, we may need to make additional decisions about where those values come from and would be stored. 

> Enable JettyServer to automatically detect keystore changes and update
> ----------------------------------------------------------------------
>
>                 Key: NIFI-7134
>                 URL: https://issues.apache.org/jira/browse/NIFI-7134
>             Project: Apache NiFi
>          Issue Type: New Feature
>          Components: Core Framework, Security
>    Affects Versions: 1.11.1
>            Reporter: patrick white
>            Priority: Minor
>              Labels: jetty, keystore, restart, security, tls
>
> TLS/keystore credential change currently requires a service restart to update, [~alopresto] noted on 'users' that Jetty 9.3+ supports the ability to dynamically update credentials, and provided reference [1].
> Request enabling NiFi JettyServer to support detection and reload of its keystore when it changes, such as during credentials update or rotation, will link this request to epic [2].
> [1] https://github.com/eclipse/jetty.project/issues/918
> [2] https://issues.apache.org/jira/browse/NIFI-5458
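The narrow scenario Andy describes (re-read the keystore after a certificate is replaced in place, with the path and password from `nifi.properties` unchanged), as an added illustration that is neither NiFi code nor a patch attached to this issue. It assumes Jetty 9.4's `SslContextFactory.reload(Consumer)` and `getKeyStoreType()`; the class name and the polling approach are hypothetical.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.KeyStore;
import java.security.MessageDigest;

import org.eclipse.jetty.util.ssl.SslContextFactory;

/** Polls the keystore file and asks Jetty to reload it when the contents change. */
public class KeystoreReloadWatcher implements Runnable {
    private final SslContextFactory sslContextFactory;
    private final Path keystorePath;        // must stay the path configured in nifi.properties
    private final char[] keystorePassword;  // must stay the password configured in nifi.properties
    private byte[] lastDigest;

    public KeystoreReloadWatcher(SslContextFactory scf, Path keystorePath, char[] password) throws Exception {
        this.sslContextFactory = scf;
        this.keystorePath = keystorePath;
        this.keystorePassword = password;
        this.lastDigest = digest(keystorePath);
    }

    @Override
    public void run() {
        try {
            byte[] current = digest(keystorePath);
            if (MessageDigest.isEqual(current, lastDigest)) {
                return;                     // unchanged: nothing to do
            }
            // Prove the new file still opens with the unchanged password before Jetty swaps it in;
            // a half-written or wrongly encrypted keystore must not take down the running listener.
            KeyStore ks = KeyStore.getInstance(sslContextFactory.getKeyStoreType());
            try (InputStream in = Files.newInputStream(keystorePath)) {
                ks.load(in, keystorePassword);
            }
            // Path and password are untouched, so the consumer changes nothing; reload() re-reads the file.
            sslContextFactory.reload(factory -> { });
            lastDigest = current;
        } catch (Exception e) {
            // Keep serving with the previously loaded material; surface this in the application log.
            System.err.println("keystore reload skipped: " + e);
        }
    }

    private static byte[] digest(Path p) throws Exception {
        return MessageDigest.getInstance("SHA-256").digest(Files.readAllBytes(p));
    }
}
```

Run the watcher from a daemon `ScheduledExecutorService` (for example every 30 seconds); a changed path, password or truststore is deliberately out of scope here, since those remain tied to `nifi.properties` as the comment notes.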
