[ https://issues.apache.org/jira/browse/NIFI-2119?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15364838#comment-15364838 ]
ASF GitHub Bot commented on NIFI-2119:
--------------------------------------
GitHub user alopresto opened a pull request:

    https://github.com/apache/nifi/pull/611

    NIFI-2119 Fixed 0.7.0 release blocker for cluster secure communications

    The client and server sockets were being treated the same when attempting
    to extract the peer certificate DN (server sockets should not be subject to the
    influence of `nifi.security.needClientAuth` in `nifi.properties`).

    This has been tested on 2- and 3-node clusters with `needClientAuth` set to
    both *true* and *false*.
You can merge this pull request into a Git repository by running:
$ git pull https://github.com/alopresto/nifi NIFI-2119
Alternatively you can review and apply these changes as the patch at:
https://github.com/apache/nifi/pull/611.patch
To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:
This closes #611
----
commit 361e07a78cd0abd52b5ab144b7cdeba60af17ede
Author: Andy LoPresto <[email protected]>
Date: 2016-07-05T04:05:58Z

    NIFI-2119 Refactored CertificateUtils to separate logic for DN extraction
    from server/client sockets. Added logic to detect server/client mode
    encapsulated in exposed method.
    Added unit tests for DN extraction.
    Corrected typo in Javadoc.

commit bed4bb3046e97aa719624df846a2c2b86015fe6d
Author: Andy LoPresto <[email protected]>
Date: 2016-07-06T17:05:44Z

    NIFI-2119 Switched server/client socket logic for certificate extraction --
    when the local socket is in client/server mode, the peer is necessarily the
    inverse.
    Fixed unit tests.
    Moved lazy-loading authentication access out of isDebugEnabled() control
    branch.
----
> Secure clustering returning bad request response
> ------------------------------------------------
>
> Key: NIFI-2119
> URL: https://issues.apache.org/jira/browse/NIFI-2119
> Project: Apache NiFi
> Issue Type: Bug
> Components: Core Framework
> Reporter: Joseph Witt
> Fix For: 0.7.0
>
>
> Cannot get a secured cluster working that worked well on 0.6.0. After
> upgrading now seeing the following line. It either means I upgraded
> incorrectly, or we're missing critical migration guidance, or we have
> introduced a new bug.
> 2016-06-25 14:19:12,017 INFO [NiFi Web Server-23]
> o.a.n.w.a.c.IllegalArgumentExceptionMapper
> java.lang.IllegalArgumentException: User account already created
> CN=box1.testing.org, OU=NIFI, O=Apache-NiFi, L=Here, ST=There, C=EVERYWHERE.
> Returning Bad Request response.
> Speaking with [~mcgilman] about this he looked into it and says
> "the socket used for cluster communications is configured with an sslContext
> that has client auth set to none... which seems to be why we're not
> getting the NCM DN during connection
> I think the issue is this part of this commit....
> https://github.com/apache/nifi/commit/7b5583f3a8c8e3f62e2985059a3466a5bb36f4e8#diff-a14f46a45c394fbd82a2b99730e04bcbR68"
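
The distinction the pull request draws between client-mode and server-mode sockets, as an added Java example. It is not code from the pull request or from NiFi's `CertificateUtils`; the class `PeerDnExample` and its methods `peerDn` and `subjectDn` are hypothetical names, and only standard `javax.net.ssl` calls are used.

```java
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLSocket;

/** Hypothetical helper: peer DN extraction that depends on the local socket's TLS role. */
public final class PeerDnExample {

    /** Returns the peer's subject DN (RFC 2253 form), or null if no certificate was expected or sent. */
    public static String peerDn(SSLSocket socket) throws CertificateException {
        if (socket.getUseClientMode()) {
            // Local end is the TLS client, so the peer is the server. A server
            // certificate is always expected; client-auth settings do not apply.
            return subjectDn(socket, true);
        }
        // Local end is the TLS server, so the peer is a client. Only in this
        // branch do the need/want client-auth settings decide what to expect.
        if (socket.getNeedClientAuth()) {
            return subjectDn(socket, true);
        }
        if (socket.getWantClientAuth()) {
            return subjectDn(socket, false);
        }
        return null; // client auth disabled: no client certificate was requested
    }

    private static String subjectDn(SSLSocket socket, boolean required) throws CertificateException {
        try {
            Certificate[] chain = socket.getSession().getPeerCertificates();
            if (chain.length > 0 && chain[0] instanceof X509Certificate) {
                // chain[0] is the peer's own certificate; the rest are its issuers.
                return ((X509Certificate) chain[0]).getSubjectX500Principal().getName();
            }
            throw new CertificateException("Peer did not present an X.509 certificate");
        } catch (SSLPeerUnverifiedException e) {
            if (required) {
                // Fail closed: a missing identity must not be treated as anonymous success.
                throw new CertificateException("Peer certificate required but not presented", e);
            }
            return null; // optional client certificate was not sent
        }
    }
}
```

Callers that map the DN to an account should treat a `null` return as "unauthenticated peer" and reject it wherever an identity is mandatory.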