Repository: nifi Updated Branches: refs/heads/master e439cfef1 -> c832a2ed7
NIFI-4530: This closes #2329. Initial support for two-way SSL user authentication in the Docker image. Signed-off-by: joewitt <[email protected]> Project: http://git-wip-us.apache.org/repos/asf/nifi/repo Commit: http://git-wip-us.apache.org/repos/asf/nifi/commit/c832a2ed Tree: http://git-wip-us.apache.org/repos/asf/nifi/tree/c832a2ed Diff: http://git-wip-us.apache.org/repos/asf/nifi/diff/c832a2ed Branch: refs/heads/master Commit: c832a2ed7c74a648c84853f3682505a271afdf6f Parents: e439cfe Author: Aldrin Piri <[email protected]> Authored: Tue Nov 28 20:00:32 2017 -0500 Committer: joewitt <[email protected]> Committed: Thu Jan 4 10:37:37 2018 -0500 ---------------------------------------------------------------------- nifi-docker/dockerhub/Dockerfile | 38 ++++---- nifi-docker/dockerhub/README.md | 91 ++++++++++++++++++++ nifi-docker/dockerhub/sh/common.sh | 29 +++++++ nifi-docker/dockerhub/sh/secure.sh | 55 ++++++++++++ nifi-docker/dockerhub/sh/start.sh | 43 +++++++++ nifi-docker/dockermaven/Dockerfile | 2 +- .../nb-configuration.xml | 18 ---- 7 files changed, 239 insertions(+), 37 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/nifi/blob/c832a2ed/nifi-docker/dockerhub/Dockerfile ---------------------------------------------------------------------- diff --git a/nifi-docker/dockerhub/Dockerfile b/nifi-docker/dockerhub/Dockerfile index a4049e2..23418c0 100644 --- a/nifi-docker/dockerhub/Dockerfile +++ b/nifi-docker/dockerhub/Dockerfile @@ -17,7 +17,8 @@ # FROM openjdk:8-jre -LABEL maintainer "Apache NiFi <[email protected]>" +LABEL maintainer="Apache NiFi <[email protected]>" +LABEL site="https://nifi.apache.org" ARG UID=1000 ARG GID=1000 
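Review bot: The new `LABEL site="https://nifi.apache.org"` introduces an ad-hoc label key; registries and scanners read the OCI annotation keys, so `org.opencontainers.image.url="https://nifi.apache.org"` (and `org.opencontainers.image.source` for the repository) would be the conventional spelling. The same `maintainer` label rewrite is applied to the dockermaven Dockerfile further down and would take the same keys.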
@@ -25,29 +26,30 @@ ARG NIFI_VERSION=1.5.0 ARG MIRROR=https://archive.apache.org/dist ENV NIFI_BASE_DIR /opt/nifi -ENV NIFI_HOME=$NIFI_BASE_DIR/nifi-$NIFI_VERSION \ - NIFI_BINARY_URL=/nifi/$NIFI_VERSION/nifi-$NIFI_VERSION-bin.tar.gz +ENV NIFI_HOME=${NIFI_BASE_DIR}/nifi-${NIFI_VERSION} \ + NIFI_BINARY_URL=/nifi/${NIFI_VERSION}/nifi-${NIFI_VERSION}-bin.tar.gz + +ADD sh/ /opt/nifi/scripts/ # Setup NiFi user -RUN groupadd -g $GID nifi || groupmod -n nifi `getent group $GID | cut -d: -f1` \ - && useradd --shell /bin/bash -u $UID -g $GID -m nifi \ - && mkdir -p $NIFI_HOME/conf/templates \ - && chown -R nifi:nifi $NIFI_BASE_DIR +RUN groupadd -g ${GID} nifi || groupmod -n nifi `getent group ${GID} | cut -d: -f1` \ + && useradd --shell /bin/bash -u ${UID} -g ${GID} -m nifi \ + && mkdir -p ${NIFI_HOME}/conf/templates \ + && chown -R nifi:nifi ${NIFI_BASE_DIR} USER nifi # Download, validate, and expand Apache NiFi binary. -RUN curl -fSL $MIRROR/$NIFI_BINARY_URL -o $NIFI_BASE_DIR/nifi-$NIFI_VERSION-bin.tar.gz \ - && echo "$(curl https://archive.apache.org/dist/$NIFI_BINARY_URL.sha256) *$NIFI_BASE_DIR/nifi-$NIFI_VERSION-bin.tar.gz" | sha256sum -c - \ - && tar -xvzf $NIFI_BASE_DIR/nifi-$NIFI_VERSION-bin.tar.gz -C $NIFI_BASE_DIR \ - && rm $NIFI_BASE_DIR/nifi-$NIFI_VERSION-bin.tar.gz \ - && chown -R nifi:nifi $NIFI_HOME +RUN curl -fSL ${MIRROR}/${NIFI_BINARY_URL} -o ${NIFI_BASE_DIR}/nifi-${NIFI_VERSION}-bin.tar.gz \ + && echo "$(curl https://archive.apache.org/dist/${NIFI_BINARY_URL}.sha256) *${NIFI_BASE_DIR}/nifi-${NIFI_VERSION}-bin.tar.gz" | sha256sum -c - \ + && tar -xvzf ${NIFI_BASE_DIR}/nifi-${NIFI_VERSION}-bin.tar.gz -C ${NIFI_BASE_DIR} \ + && rm ${NIFI_BASE_DIR}/nifi-${NIFI_VERSION}-bin.tar.gz \ + && chown -R nifi:nifi ${NIFI_HOME} -# Web HTTP Port & Remote Site-to-Site Ports -EXPOSE 8080 8181 +# Web HTTP(s) & Socket Site-to-Site Ports +EXPOSE 8080 8443 10000 -WORKDIR $NIFI_HOME +WORKDIR ${NIFI_HOME} -# Startup NiFi -ENTRYPOINT ["bin/nifi.sh"] -CMD ["run"] +# Apply 
configuration and start NiFi +CMD ${NIFI_BASE_DIR}/scripts/start.sh http://git-wip-us.apache.org/repos/asf/nifi/blob/c832a2ed/nifi-docker/dockerhub/README.md ---------------------------------------------------------------------- diff --git a/nifi-docker/dockerhub/README.md b/nifi-docker/dockerhub/README.md new file mode 100644 index 0000000..657bc6d --- /dev/null +++ b/nifi-docker/dockerhub/README.md 
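Review bot: The new `CMD ${NIFI_BASE_DIR}/scripts/start.sh` is shell form, so `/bin/sh -c` becomes PID 1 and the SIGTERM from `docker stop` is delivered to that shell rather than to start.sh; the trap the script installs never fires and NiFi is killed after the stop timeout without a clean shutdown. Since the script directory is already hard-coded in `ADD sh/ /opt/nifi/scripts/`, the exec form can use the same literal path: `CMD ["/opt/nifi/scripts/start.sh"]`. That `ADD` should also be `COPY` — no archive extraction or URL fetch is involved — and ideally `COPY sh/ ${NIFI_BASE_DIR}/scripts/` so it follows the variable the rest of the file now uses consistently.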
@@ -0,0 +1,91 @@ +<!-- + Licensed to the Apache Software Foundation (ASF) under one or more + contributor license agreements. See the NOTICE file distributed with + this work for additional information regarding copyright ownership. + The ASF licenses this file to You under the Apache License, Version 2.0 + (the "License"); you may not use this file except in compliance with + the License. You may obtain a copy of the License at + http://www.apache.org/licenses/LICENSE-2.0 + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. +--> + +# Docker Image Quickstart + +## Capabilities +This image currently supports running in standalone mode either unsecured or with Two-Way SSL. + +More capabilities will continue to be added and made available from the + +## Building +The Docker image can be built using the following command: + + docker build -t apache/nifi:latest . + +This build will result in an image tagged apache/nifi:latest + + # user @ puter in ~/Development/code/apache/nifi/nifi-docker/dockerhub + $ docker images + REPOSITORY TAG IMAGE ID CREATED SIZE + apache/nifi latest f0f564eed149 A long, long time ago 1.62GB + +**Note**: The default version of NiFi specified by the Dockerfile is typically that of one that is unreleased if working from source. +To build an image for a prior released version, one can override the `NIFI_VERSION` build-arg with the following command: + + docker build --build-arg=NIFI_VERSION={Desired NiFi Version} -t apache/nifi:latest . + +There is, however, no guarantee that older versions will work as properties have changed and evolved with subsequent releases. +The configuration scripts are suitable for at least 1.4.0+. 
+ +## Running a container + +### Standalone Instance, Unsecured +The minimum to run a NiFi instance is as follows: + + docker run --name nifi \ + -p 18080:8080 \ + -d \ + apache/nifi:latest + +This will provide a running instance, exposing the instance UI to the host system on at port 18080, +viewable at `http://localhost:18080/nifi`. + +### Standalone Instance, Two-Way SSL +In this configuration, the user will need to provide certificates and the associated configuration information. +Of particular note, is the `AUTH` environment variable which is set to `tls`. Additionally, the user must provide an +the DN as provided by an accessing client certificate in the `INITIAL_ADMIN_IDENTITY` environment variable. +This value will be used to seed the instance with an initial user with administrative privileges. +Finally, this command makes use of a volume to provide certificates on the host system to the container instance. + + docker run --name nifi \ + -v /User/dreynolds/certs/localhost:/opt/certs \ + -p 18443:8443 \ + -e AUTH=tls \ + -e KEYSTORE_PATH=/opt/certs/keystore.jks \ + -e KEYSTORE_TYPE=JKS \ + -e KEYSTORE_PASSWORD=QKZv1hSWAFQYZ+WU1jjF5ank+l4igeOfQRp+OSbkkrs \ + -e TRUSTSTORE_PATH=/opt/certs/truststore.jks \ + -e TRUSTSTORE_PASSWORD=rHkWR1gDNW3R9hgbeRsT3OM3Ue0zwGtQqcFKJD2EXWE \ + -e TRUSTSTORE_TYPE=JKS \ + -e INITIAL_ADMIN_IDENTITY='CN=Random User, O=Apache, OU=NiFi, C=US' \ + -d \ + apache/nifi:latest + + +## Configuration Information +The following ports are specified by the Docker container for NiFi operation within the container and +can be published to the host. 
+ +| Function | Property | Port | +|--------------------------|-------------------------------|-------| +| HTTP Port | nifi.web.http.port | 8080 | +| HTTPS Port | nifi.web.https.port | 8443 | +| Remote Input Socket Port | nifi.remote.input.socket.port | 10000 | + + + + + \ No newline at end of file http://git-wip-us.apache.org/repos/asf/nifi/blob/c832a2ed/nifi-docker/dockerhub/sh/common.sh ---------------------------------------------------------------------- diff --git a/nifi-docker/dockerhub/sh/common.sh b/nifi-docker/dockerhub/sh/common.sh new file mode 100755 index 0000000..5d252bc --- /dev/null +++ b/nifi-docker/dockerhub/sh/common.sh 
@@ -0,0 +1,29 @@
+#!/bin/sh -e
+
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# 1 - value to search for
+# 2 - value to replace
+# 3 - file to perform replacement inline
+prop_replace () {
+ target_file=${3:-${nifi_props_file}}
+ echo 'replacing target file ' ${target_file}
+ sed -i -e "s|^$1=.*$|$1=$2|" ${target_file}
+}
+
+# NIFI_HOME is defined by an ENV command in the backing Dockerfile
+export nifi_props_file=${NIFI_HOME}/conf/nifi.properties
+export hostname=$(hostname)
\ No newline at end of file http://git-wip-us.apache.org/repos/asf/nifi/blob/c832a2ed/nifi-docker/dockerhub/sh/secure.sh
----------------------------------------------------------------------
diff --git a/nifi-docker/dockerhub/sh/secure.sh b/nifi-docker/dockerhub/sh/secure.sh new file mode 100644
index 0000000..93e8267
--- /dev/null
+++ b/nifi-docker/dockerhub/sh/secure.sh
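Review bot: In `prop_replace` the value `$2` is spliced unescaped into the sed replacement, so a `&` expands to the matched text, a backslash is interpreted as an escape, and a `|` terminates the expression and makes sed fail; keystore and truststore passwords reach this function from secure.sh, so a password containing any of those characters either mis-writes nifi.properties or aborts startup. Escaping the value first avoids this: `replacement=$(printf '%s' "$2" | sed -e 's/[\\&|]/\\&/g')` followed by `sed -i -e "s|^$1=.*$|$1=${replacement}|" "${target_file}"`. Quoting `${target_file}` on the echo and sed lines also keeps a path with spaces intact. Note that `$1` is used as a regular expression, so the dots in a property name match any character; harmless for nifi.properties today, but worth a comment on the function.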
@@ -0,0 +1,55 @@
+#!/bin/sh -e
+
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+[ -f /opt/nifi/scripts/common.sh ] && . /opt/nifi/scripts/common.sh
+
+# Perform idempotent changes of configuration to support secure environments
+echo 'Configuring environment with SSL settings'
+
+: ${KEYSTORE_PATH:?"Must specify an absolute path to the keystore being used."}
+if [ ! -f "${KEYSTORE_PATH}" ]; then
+ echo "Keystore file specified (${KEYSTORE_PATH}) does not exist."
+ exit 1
+fi
+: ${KEYSTORE_TYPE:?"Must specify the type of keystore (JKS, PKCS12, PEM) of the keystore being used."}
+: ${KEYSTORE_PASSWORD:?"Must specify the password of the keystore being used."}
+
+: ${TRUSTSTORE_PATH:?"Must specify an absolute path to the truststore being used."}
+if [ ! -f "${TRUSTSTORE_PATH}" ]; then
+ echo "Keystore file specified (${TRUSTSTORE_PATH}) does not exist."
+ exit 1
+fi
+: ${TRUSTSTORE_TYPE:?"Need to set DEST non-empty"}
+: ${TRUSTSTORE_PASSWORD:?"Need to set DEST non-empty"}
+
+prop_replace 'nifi.security.keystore' "${KEYSTORE_PATH}"
+prop_replace 'nifi.security.keystoreType' "${KEYSTORE_TYPE}"
+prop_replace 'nifi.security.keystorePasswd' "${KEYSTORE_PASSWORD}"
+prop_replace 'nifi.security.truststore' "${TRUSTSTORE_PATH}"
+prop_replace 'nifi.security.truststoreType' "${TRUSTSTORE_TYPE}"
+prop_replace 'nifi.security.truststorePasswd' "${TRUSTSTORE_PASSWORD}"
+
+# Disable HTTP and enable HTTPS
+prop_replace 'nifi.web.http.port' ''
+prop_replace 'nifi.web.http.host' ''
+prop_replace 'nifi.web.https.port' '8443'
+prop_replace 'nifi.web.https.host' "${hostname}"
+prop_replace 'nifi.remote.input.secure' 'true'
+
+# Establish initial user and an associated admin identity
+sed -i -e 's|<property name="Initial User Identity 1"></property>|<property name="Initial User Identity 1">'"${INITIAL_ADMIN_IDENTITY}"'</property>|' ${NIFI_HOME}/conf/authorizers.xml
+sed -i -e 's|<property name="Initial Admin Identity"></property>|<property name="Initial Admin Identity">'"${INITIAL_ADMIN_IDENTITY}"'</property>|' ${NIFI_HOME}/conf/authorizers.xml http://git-wip-us.apache.org/repos/asf/nifi/blob/c832a2ed/nifi-docker/dockerhub/sh/start.sh
----------------------------------------------------------------------
diff --git a/nifi-docker/dockerhub/sh/start.sh b/nifi-docker/dockerhub/sh/start.sh new file mode 100755
index 0000000..178f30e
--- /dev/null
+++ b/nifi-docker/dockerhub/sh/start.sh
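Review bot: `INITIAL_ADMIN_IDENTITY` is never validated, unlike the keystore and truststore variables above, yet the two `sed` lines at the end substitute it into authorizers.xml; when it is unset the Initial Admin Identity element is rewritten as empty, the secured instance presumably starts with no user holding any policy, and nothing in the output explains why every client is denied. A guard alongside the others fails fast: `: ${INITIAL_ADMIN_IDENTITY:?"Must specify the DN of the initial admin user, as presented by the client certificate."}`. The value is also inserted into the sed script and the XML unescaped, so a DN containing `|`, `&` or `<` breaks the substitution or the file; at minimum a comment above the sed lines should state that limitation. Two messages look copy-pasted: the truststore existence check prints `Keystore file specified`, and the `TRUSTSTORE_TYPE`/`TRUSTSTORE_PASSWORD` guards say `Need to set DEST non-empty`; they should name the truststore, e.g. `: ${TRUSTSTORE_PASSWORD:?"Must specify the password of the truststore being used."}`.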
@@ -0,0 +1,43 @@
+#!/bin/sh -e
+
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+[ -f /opt/nifi/scripts/common.sh ] && . /opt/nifi/scripts/common.sh
+
+# Establish baseline properties
+prop_replace 'nifi.web.http.port' '8080'
+prop_replace 'nifi.web.http.host' "${hostname}"
+prop_replace 'nifi.remote.input.host' "${hostname}"
+prop_replace 'nifi.remote.input.socket.port' '10000'
+prop_replace 'nifi.remote.input.secure' 'false'
+
+# Check if we are secured or unsecured
+case ${AUTH} in
+ tls)
+ echo 'Enabling Two-Way SSL user authentication'
+ . /opt/nifi/scripts/secure.sh
+ ;;
+esac
+
+# Continuously provide logs so that 'docker logs' can produce them
+tail -F ${NIFI_HOME}/logs/nifi-app.log &
+${NIFI_HOME}/bin/nifi.sh run &
+nifi_pid="$!"
+
+trap "echo Received trapped signal, beginning shutdown...;" KILL TERM HUP INT EXIT;
+
+echo NiFi running with PID ${nifi_pid}.
+wait ${nifi_pid} http://git-wip-us.apache.org/repos/asf/nifi/blob/c832a2ed/nifi-docker/dockermaven/Dockerfile
----------------------------------------------------------------------
diff --git a/nifi-docker/dockermaven/Dockerfile b/nifi-docker/dockermaven/Dockerfile
index daecdd9..62dd03c 100644
--- a/nifi-docker/dockermaven/Dockerfile
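Review bot: The `trap` near the end only echoes and never stops NiFi, and it lists KILL, which cannot be trapped (some shells reject the whole `trap` command, and under `-e` that would abort the script). When a TERM arrives, `wait` returns, the EXIT trap prints its message, the script exits and the container is torn down while the JVM is still running, so NiFi never gets to checkpoint its repositories. Forwarding the signal with `nifi.sh stop` and waiting a second time lets the shutdown finish, assuming `stop` can reach the bootstrap launched by `run`; the `|| true` is needed because an interrupted `wait` returns non-zero and would otherwise trip `set -e`. This only takes effect once the Dockerfile invokes start.sh in exec form, because the shell-form `CMD` added in this commit never delivers the signal to this script.
```shell
# … unchanged: license header, common.sh sourcing, baseline prop_replace calls, AUTH case …
tail -F "${NIFI_HOME}/logs/nifi-app.log" &
"${NIFI_HOME}/bin/nifi.sh" run &
nifi_pid="$!"

# Forward the container's stop signal to NiFi so it can shut down cleanly;
# KILL is omitted because it cannot be trapped.
trap 'echo Received trapped signal, beginning shutdown...; "${NIFI_HOME}/bin/nifi.sh" stop' TERM HUP INT

echo NiFi running with PID ${nifi_pid}.
# The first wait returns as soon as the trap fires; wait again for NiFi to exit.
wait ${nifi_pid} || true
wait ${nifi_pid}
```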
+++ b/nifi-docker/dockermaven/Dockerfile @@ -17,7 +17,7 @@ # FROM openjdk:8-jre -LABEL maintainer "Apache NiFi <[email protected]>" +LABEL maintainer="Apache NiFi <[email protected]>" ARG UID=1000 ARG GID=1000 http://git-wip-us.apache.org/repos/asf/nifi/blob/c832a2ed/nifi-nar-bundles/nifi-update-attribute-bundle/nifi-update-attribute-ui/nb-configuration.xml ---------------------------------------------------------------------- diff --git a/nifi-nar-bundles/nifi-update-attribute-bundle/nifi-update-attribute-ui/nb-configuration.xml b/nifi-nar-bundles/nifi-update-attribute-bundle/nifi-update-attribute-ui/nb-configuration.xml deleted file mode 100644 index 4da1f6c..0000000 --- a/nifi-nar-bundles/nifi-update-attribute-bundle/nifi-update-attribute-ui/nb-configuration.xml +++ /dev/null @@ -1,18 +0,0 @@ -<?xml version="1.0" encoding="UTF-8"?> -<project-shared-configuration> - <!-- -This file contains additional configuration written by modules in the NetBeans IDE. -The configuration is intended to be shared among all the users of project and -therefore it is assumed to be part of version control checkout. -Without this configuration present, some functionality in the IDE may be limited or fail altogether. ---> - <properties xmlns="http://www.netbeans.org/ns/maven-properties-data/1"> - <!-- -Properties that influence various parts of the IDE, especially code formatting and the like. -You can copy and paste the single properties, into the pom.xml file and the IDE will pick them up. -That way multiple projects can share the same settings (useful for formatting rules for example). -Any value defined here will override the pom.xml file value but is only applicable to the current project. ---> - <org-netbeans-modules-maven-jaxws.rest_2e_config_2e_type>ide</org-netbeans-modules-maven-jaxws.rest_2e_config_2e_type> - </properties> -</project-shared-configuration>
