Posted to issues@nifi.apache.org by GitBox <gi...@apache.org> on 2021/07/30 20:33:51 UTC

[GitHub] [nifi] exceptionfactory opened a new pull request #5264: NIFI-8964 Add Cluster Firewall Configuration to Admin Guide

exceptionfactory opened a new pull request #5264:
URL: https://github.com/apache/nifi/pull/5264


   #### Description of PR
   
   NIFI-8964 Adds a `Cluster Firewall Configuration` section under the general `Clustering Configuration` heading in the NiFi System Administrator's Guide. The section includes an example configuration file showing supported file syntax.
   
   In order to streamline the review of the contribution we ask you
   to ensure the following steps have been taken:
   
   ### For all changes:
   - [X] Is there a JIRA ticket associated with this PR? Is it referenced 
        in the commit message?
   
   - [X] Does your PR title start with **NIFI-XXXX** where XXXX is the JIRA number you are trying to resolve? Pay particular attention to the hyphen "-" character.
   
   - [X] Has your PR been rebased against the latest commit within the target branch (typically `main`)?
   
   - [X] Is your initial contribution a single, squashed commit? _Additional commits in response to PR reviewer feedback should be made on this branch and pushed to allow change tracking. Do not `squash` or use `--force` when pushing to allow for clean monitoring of changes._
   
   ### For code changes:
   - [X] Have you ensured that the full suite of tests is executed via `mvn -Pcontrib-check clean install` at the root `nifi` folder?
   - [ ] Have you written or updated unit tests to verify your changes?
   - [ ] Have you verified that the full build is successful on JDK 8?
   - [ ] Have you verified that the full build is successful on JDK 11?
   - [ ] If adding new dependencies to the code, are these dependencies licensed in a way that is compatible for inclusion under [ASF 2.0](http://www.apache.org/legal/resolved.html#category-a)? 
   - [ ] If applicable, have you updated the `LICENSE` file, including the main `LICENSE` file under `nifi-assembly`?
   - [ ] If applicable, have you updated the `NOTICE` file, including the main `NOTICE` file found under `nifi-assembly`?
   - [ ] If adding new Properties, have you added `.displayName` in addition to .name (programmatic access) for each of the new properties?
   
   ### For documentation related changes:
   - [X] Have you ensured that format looks appropriate for the output in which it is rendered?
   
   ### Note:
   Please ensure that once the PR is submitted, you check GitHub Actions CI for build issues and submit an update to your PR as soon as possible.
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: issues-unsubscribe@nifi.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org



[GitHub] [nifi] markobean commented on a change in pull request #5264: NIFI-8964 Add Cluster Firewall Configuration to Admin Guide

Posted by GitBox <gi...@apache.org>.
markobean commented on a change in pull request #5264:
URL: https://github.com/apache/nifi/pull/5264#discussion_r680520424



##########
File path: nifi-docs/src/main/asciidoc/administration-guide.adoc
##########
@@ -2003,6 +2003,31 @@ one of the nodes, and the User Interface should look similar to the following:
 
 image:ncm.png["Clustered User Interface"]
 
+[[cluster_firewall_configuration]]
+=== Cluster Firewall Configuration
+
+NiFi clustering supports network access restrictions using a custom firewall configuration.
+The `nifi.cluster.firewall.file` property can be configured with a path to a file containing hostnames, IP addresses, or
+subnets of permitted nodes. The Cluster Coordinator uses the configuration to determine whether to accept or reject
+heartbeats and connection requests from potential cluster members.
+
+The configuration file format expects one entry per line and ignores lines beginning with the `#` character. NiFi uses
+standard hostname resolution to convert names to IP addresses. The configuration file supports IPv4 addresses or subnet
+ranges using CIDR notation. The following example cluster firewall configuration includes a combination of supported entries:
+
+----
+# Cluster Node Hostnames
+nifi0.example.com
+nifi1.example.com
+nifi3.example.com
+# Cluster Node Addresses
+192.168.0.1
+192.168.0.2
+192.168.0.3
+# Cluster Subnet Address
+192.168.0.0/29 # Address Range from 192.168.0.1 to 192.168.0.6
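
Review bot: the last example line, `192.168.0.0/29 # Address Range from 192.168.0.1 to 192.168.0.6`, relies on a trailing `#` comment, but the prose above it only says the format "ignores lines beginning with the `#` character". Either state that text following `#` on an entry line is also ignored, or move the range description to its own comment line so the example stays within the documented syntax. Separately, the hostname list goes `nifi0`, `nifi1`, `nifi3` while the addresses run from `.1` to `.3`; if the gap is unintentional, number the hosts consecutively.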

Review comment:
       Good examples, particularly showing how comments can be used
   







[GitHub] [nifi] exceptionfactory commented on a change in pull request #5264: NIFI-8964 Add Cluster Firewall Configuration to Admin Guide

Posted by GitBox <gi...@apache.org>.
exceptionfactory commented on a change in pull request #5264:
URL: https://github.com/apache/nifi/pull/5264#discussion_r680575116



##########
File path: nifi-docs/src/main/asciidoc/administration-guide.adoc
##########
@@ -2003,6 +2003,31 @@ one of the nodes, and the User Interface should look similar to the following:
 
 image:ncm.png["Clustered User Interface"]
 
+[[cluster_firewall_configuration]]
+=== Cluster Firewall Configuration
+
+NiFi clustering supports network access restrictions using a custom firewall configuration.
+The `nifi.cluster.firewall.file` property can be configured with a path to a file containing hostnames, IP addresses, or
+subnets of permitted nodes. The Cluster Coordinator uses the configuration to determine whether to accept or reject
+heartbeats and connection requests from potential cluster members.
+
+The configuration file format expects one entry per line and ignores lines beginning with the `#` character. NiFi uses
+standard hostname resolution to convert names to IP addresses. The configuration file supports IPv4 addresses or subnet

Review comment:
       What do you think about changing it to read as follows?
   
   NiFi uses standard Java host name resolution to convert names to IP addresses. Java host name resolution leverages a combination of local machine configuration and network services, such as DNS.







[GitHub] [nifi] markobean commented on a change in pull request #5264: NIFI-8964 Add Cluster Firewall Configuration to Admin Guide

Posted by GitBox <gi...@apache.org>.
markobean commented on a change in pull request #5264:
URL: https://github.com/apache/nifi/pull/5264#discussion_r680520217



##########
File path: nifi-docs/src/main/asciidoc/administration-guide.adoc
##########
@@ -2003,6 +2003,31 @@ one of the nodes, and the User Interface should look similar to the following:
 
 image:ncm.png["Clustered User Interface"]
 
+[[cluster_firewall_configuration]]
+=== Cluster Firewall Configuration
+
+NiFi clustering supports network access restrictions using a custom firewall configuration.
+The `nifi.cluster.firewall.file` property can be configured with a path to a file containing hostnames, IP addresses, or
+subnets of permitted nodes. The Cluster Coordinator uses the configuration to determine whether to accept or reject
+heartbeats and connection requests from potential cluster members.
+
+The configuration file format expects one entry per line and ignores lines beginning with the `#` character. NiFi uses
+standard hostname resolution to convert names to IP addresses. The configuration file supports IPv4 addresses or subnet

Review comment:
       Could you add more info on what "standard hostname resolution" means? For example, I believe NiFi has no inherent ability to resolve an IP address. This capability relies on that of the host.







[GitHub] [nifi] exceptionfactory commented on a change in pull request #5264: NIFI-8964 Add Cluster Firewall Configuration to Admin Guide

Posted by GitBox <gi...@apache.org>.
exceptionfactory commented on a change in pull request #5264:
URL: https://github.com/apache/nifi/pull/5264#discussion_r680575116



##########
File path: nifi-docs/src/main/asciidoc/administration-guide.adoc
##########
@@ -2003,6 +2003,31 @@ one of the nodes, and the User Interface should look similar to the following:
 
 image:ncm.png["Clustered User Interface"]
 
+[[cluster_firewall_configuration]]
+=== Cluster Firewall Configuration
+
+NiFi clustering supports network access restrictions using a custom firewall configuration.
+The `nifi.cluster.firewall.file` property can be configured with a path to a file containing hostnames, IP addresses, or
+subnets of permitted nodes. The Cluster Coordinator uses the configuration to determine whether to accept or reject
+heartbeats and connection requests from potential cluster members.
+
+The configuration file format expects one entry per line and ignores lines beginning with the `#` character. NiFi uses
+standard hostname resolution to convert names to IP addresses. The configuration file supports IPv4 addresses or subnet

Review comment:
       What do you think about changing it to read as follows?
   
   NiFi uses standard Java host name resolution to convert names to IP addresses. The Java host name resolution leverages a combination of local machine configuration and network services, such as DNS.







[GitHub] [nifi] markap14 merged pull request #5264: NIFI-8964 Add Cluster Firewall Configuration to Admin Guide

Posted by GitBox <gi...@apache.org>.
markap14 merged pull request #5264:
URL: https://github.com/apache/nifi/pull/5264


   





[GitHub] [nifi] markobean commented on pull request #5264: NIFI-8964 Add Cluster Firewall Configuration to Admin Guide

Posted by GitBox <gi...@apache.org>.
markobean commented on pull request #5264:
URL: https://github.com/apache/nifi/pull/5264#issuecomment-890533193


   It may require a separate JIRA ticket for tracking purposes, but I happen to notice just now that the Admin Guide states nifi.provenance.repository.rollover.time is 30 secs, but in reality it appears to be 10 mins (in the default nifi.properties file.)
   Do you want to add it here while updating the guide? If not, let me know, and I'll create a separate JIRA ticket.





[GitHub] [nifi] exceptionfactory commented on pull request #5264: NIFI-8964 Add Cluster Firewall Configuration to Admin Guide

Posted by GitBox <gi...@apache.org>.
exceptionfactory commented on pull request #5264:
URL: https://github.com/apache/nifi/pull/5264#issuecomment-890597605


   > It may require a separate JIRA ticket for tracking purposes, but I happen to notice just now that the Admin Guide states nifi.provenance.repository.rollover.time is 30 secs, but in reality it appears to be 10 mins (in the default nifi.properties file.)
   > Do you want to add it here while updating the guide? If not, let me know, and I'll create a separate JIRA ticket.
   
   Thanks for catching that additional detail and for the feedback on this PR. Given the current scope, I think it would be better to address that in a separate Jira issue with additional context and focus.





[GitHub] [nifi] markap14 commented on pull request #5264: NIFI-8964 Add Cluster Firewall Configuration to Admin Guide

Posted by GitBox <gi...@apache.org>.
markap14 commented on pull request #5264:
URL: https://github.com/apache/nifi/pull/5264#issuecomment-891902823


   Thanks @exceptionfactory for the update to the admin guide! And thanks for reviewing @markobean. I'm a +1 as well. Merged to main.





[GitHub] [nifi] exceptionfactory commented on a change in pull request #5264: NIFI-8964 Add Cluster Firewall Configuration to Admin Guide

Posted by GitBox <gi...@apache.org>.
exceptionfactory commented on a change in pull request #5264:
URL: https://github.com/apache/nifi/pull/5264#discussion_r680979356



##########
File path: nifi-docs/src/main/asciidoc/administration-guide.adoc
##########
@@ -2003,6 +2003,31 @@ one of the nodes, and the User Interface should look similar to the following:
 
 image:ncm.png["Clustered User Interface"]
 
+[[cluster_firewall_configuration]]
+=== Cluster Firewall Configuration
+
+NiFi clustering supports network access restrictions using a custom firewall configuration.
+The `nifi.cluster.firewall.file` property can be configured with a path to a file containing hostnames, IP addresses, or
+subnets of permitted nodes. The Cluster Coordinator uses the configuration to determine whether to accept or reject
+heartbeats and connection requests from potential cluster members.
+
+The configuration file format expects one entry per line and ignores lines beginning with the `#` character. NiFi uses
+standard hostname resolution to convert names to IP addresses. The configuration file supports IPv4 addresses or subnet

Review comment:
       Thanks, I appreciate the feedback!







[GitHub] [nifi] markobean commented on pull request #5264: NIFI-8964 Add Cluster Firewall Configuration to Admin Guide

Posted by GitBox <gi...@apache.org>.
markobean commented on pull request #5264:
URL: https://github.com/apache/nifi/pull/5264#issuecomment-891001449


   Built and installed this branch to confirm the Admin Guide renders as expected. Looks good.
   The only nit-pick is not mentioning that text after a # character (even if not the first character of the line) is considered a comment and ignored. It is only mentioned that lines beginning with # are ignored. However, the example illustrates this behavior, so I won't belabor the point.
   Other than that optional suggestion, +1





[GitHub] [nifi] markobean commented on a change in pull request #5264: NIFI-8964 Add Cluster Firewall Configuration to Admin Guide

Posted by GitBox <gi...@apache.org>.
markobean commented on a change in pull request #5264:
URL: https://github.com/apache/nifi/pull/5264#discussion_r680958927



##########
File path: nifi-docs/src/main/asciidoc/administration-guide.adoc
##########
@@ -2003,6 +2003,31 @@ one of the nodes, and the User Interface should look similar to the following:
 
 image:ncm.png["Clustered User Interface"]
 
+[[cluster_firewall_configuration]]
+=== Cluster Firewall Configuration
+
+NiFi clustering supports network access restrictions using a custom firewall configuration.
+The `nifi.cluster.firewall.file` property can be configured with a path to a file containing hostnames, IP addresses, or
+subnets of permitted nodes. The Cluster Coordinator uses the configuration to determine whether to accept or reject
+heartbeats and connection requests from potential cluster members.
+
+The configuration file format expects one entry per line and ignores lines beginning with the `#` character. NiFi uses
+standard hostname resolution to convert names to IP addresses. The configuration file supports IPv4 addresses or subnet

Review comment:
       Yes, that looks good. Thanks.



