[
https://issues.apache.org/jira/browse/NIFI-2119?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15361980#comment-15361980
]
Andy LoPresto commented on NIFI-2119:
-------------------------------------
Hi [~jskora],
I have identified the issue -- the {{SSLSocket}} was being treated identically
regardless of whether it was in {{client}} or {{server}} mode. I have
refactored the logic and added a check for {{SSLSocket.getUseClientMode()}} to
determine if it should check the incoming request's client certificates (in
which case it respects the {{nifi.security.needClientAuth}} setting), or if it
is trying to connect to a server socket (i.e. getting the NCM DN), in which
case it now correctly ignores that setting.
I have unit test coverage for all the changes as well as some regression tests.
I will deploy it to a test cluster tomorrow morning and verify it works live,
and then if all goes well, open a PR. Sorry I haven't been good about keeping
the Jira updated. My code is here if you want to take a look (rebased against
latest {{upstream/0.x}} but not yet squashed):
[https://github.com/alopresto/nifi/tree/NIFI-2119]
> Secure clustering returning bad request response
> ------------------------------------------------
>
> Key: NIFI-2119
> URL: https://issues.apache.org/jira/browse/NIFI-2119
> Project: Apache NiFi
> Issue Type: Bug
> Components: Core Framework
> Reporter: Joseph Witt
> Fix For: 0.7.0
>
>
> Cannot get a secured cluster working that worked well on 0.6.0. After
> upgrading now seeing the following line. It either means I upgraded
> incorrectly, or we're missing critical migration guidance, or we have
> introduced a new bug.
> 2016-06-25 14:19:12,017 INFO [NiFi Web Server-23]
> o.a.n.w.a.c.IllegalArgumentExceptionMapper
> java.lang.IllegalArgumentException: User account already created
> CN=box1.testing.org, OU=NIFI, O=Apache-NiFi, L=Here, ST=There, C=EVERYWHERE.
> Returning Bad Request response.
> Speaking with [~mcgilman] about this he looked into it and says
> "the socket used for cluster communications is configured with an sslContext
> that has client auth set to none... which seems to be why we're not
> getting the NCM DN during connection
> I think the issue is this part of this commit....
> https://github.com/apache/nifi/commit/7b5583f3a8c8e3f62e2985059a3466a5bb36f4e8#diff-a14f46a45c394fbd82a2b99730e04bcbR68"
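The mode check described in the comment above, as an added example that is not NiFi's code and not taken from the linked branch. The class name, the `peerDn` method and its `needClientAuth` parameter (standing in for the `nifi.security.needClientAuth` property) are hypothetical.

```java
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Optional;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

public class PeerDnExample {

    /**
     * Returns the peer's subject DN, or empty when this side is the server,
     * client certificates are optional, and the client presented none.
     * needClientAuth is a hypothetical stand-in for nifi.security.needClientAuth.
     */
    static Optional<String> peerDn(SSLSocket socket, boolean needClientAuth)
            throws SSLPeerUnverifiedException {
        boolean actingAsClient = socket.getUseClientMode();
        try {
            Certificate[] chain = socket.getSession().getPeerCertificates();
            // The peer's own (leaf) certificate is first in the chain.
            X509Certificate leaf = (X509Certificate) chain[0];
            return Optional.of(leaf.getSubjectX500Principal().getName());
        } catch (SSLPeerUnverifiedException e) {
            // Client mode: the peer is the server, whose certificate is always
            // expected, so the client-auth setting does not apply.
            // Server mode: a missing client certificate is an error only when
            // client auth is required.
            if (actingAsClient || needClientAuth) {
                throw e;
            }
            return Optional.empty();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed input: unconnected sockets, so no peer has authenticated.
        SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory.getDefault();
        for (boolean clientMode : new boolean[] {true, false}) {
            SSLSocket socket = (SSLSocket) factory.createSocket();
            socket.setUseClientMode(clientMode);
            try {
                System.out.println("clientMode=" + clientMode + " -> " + peerDn(socket, false));
            } catch (SSLPeerUnverifiedException e) {
                System.out.println("clientMode=" + clientMode + " -> rejected: " + e.getMessage());
            }
        }
    }
}
```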