This is an automated email from the ASF dual-hosted git repository.
mattyb149 pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/nifi.git
The following commit(s) were added to refs/heads/main by this push:
new 4815df2 NIFI-6740: Add configuration options to specify
NiFi/Bootstrap communication ports
4815df2 is described below
commit 4815df29db8b32b6992622b77ff1c7f7e9001989
Author: Steve Lawrence <[email protected]>
AuthorDate: Fri Feb 4 08:24:58 2022 -0500
NIFI-6740: Add configuration options to specify NiFi/Bootstrap
communication ports
The NiFi and NiFi Bootstrap processes both bind to random ephemeral
ports to allow for inter-process communication (e.g. shutdown, port,
ping, etc.). However, the randomness of these ephemeral ports can pose
challenges for some security policies and firewall rules.
This adds two configuration options, nifi.bootstrap.listen.port and
nifi.listener.bootstrap.port, that allow an administrator to define
which ports the two processes should bind to for this communication,
making it easier to define security policies. The options default to
zero to maintain the current ephemeral port behavior.
NIFI-6740: Add configuration options to specify NiFi/Bootstrap
communication ports
Signed-off-by: Matthew Burgess <[email protected]>
This closes #5746
---
.../main/java/org/apache/nifi/bootstrap/NiFiListener.java | 4 ++--
.../src/main/java/org/apache/nifi/bootstrap/RunNiFi.java | 14 +++++++++++++-
.../src/main/java/org/apache/nifi/util/NiFiProperties.java | 6 ++++++
nifi-docs/src/main/asciidoc/administration-guide.adoc | 11 +++++++++++
.../nifi-framework/nifi-resources/pom.xml | 3 +++
.../nifi-resources/src/main/resources/conf/bootstrap.conf | 3 +++
.../nifi-resources/src/main/resources/conf/nifi.properties | 5 +++++
.../src/main/java/org/apache/nifi/BootstrapListener.java | 4 ++--
.../nifi-runtime/src/main/java/org/apache/nifi/NiFi.java | 2 +-
9 files changed, 46 insertions(+), 6 deletions(-)
diff --git
a/nifi-bootstrap/src/main/java/org/apache/nifi/bootstrap/NiFiListener.java
b/nifi-bootstrap/src/main/java/org/apache/nifi/bootstrap/NiFiListener.java
index 8d74f16..16fe195 100644
--- a/nifi-bootstrap/src/main/java/org/apache/nifi/bootstrap/NiFiListener.java
+++ b/nifi-bootstrap/src/main/java/org/apache/nifi/bootstrap/NiFiListener.java
@@ -33,9 +33,9 @@ public class NiFiListener {
private ServerSocket serverSocket;
private volatile Listener listener;
- int start(final RunNiFi runner) throws IOException {
+ int start(final RunNiFi runner, final int listenPort) throws IOException {
serverSocket = new ServerSocket();
- serverSocket.bind(new InetSocketAddress("localhost", 0));
+ serverSocket.bind(new InetSocketAddress("localhost", listenPort));
final int localPort = serverSocket.getLocalPort();
listener = new Listener(serverSocket, runner);
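Review bot: listenPort goes straight into InetSocketAddress on the bind line with no range check, so a configured value outside 0–65535 surfaces as an IllegalArgumentException from the constructor, and a fixed port that is already taken fails with a bare BindException — neither message names nifi.bootstrap.listen.port, and the old ephemeral-port code could never hit either case, so an operator now has to guess why startup failed. The bind should be wrapped so the failure names the property and the port, and the unbound socket closed before rethrowing. The same applies to the bind in BootstrapListener.start further down. The bind address stays localhost, so a fixed port does not widen network exposure, although it does make the listener a predictable local endpoint. start's body continues outside the hunk.
```java
int start(final RunNiFi runner, final int listenPort) throws IOException {
    serverSocket = new ServerSocket();
    try {
        serverSocket.bind(new InetSocketAddress("localhost", listenPort));
    } catch (final IOException | IllegalArgumentException e) {
        // a fixed port may be in use or out of range; name the property so the operator can fix it
        serverSocket.close();
        throw new IOException("Unable to bind bootstrap listener to localhost:" + listenPort
            + " (" + RunNiFi.NIFI_BOOTSTRAP_LISTEN_PORT_PROP + ")", e);
    }
    // … unchanged: local port lookup and Listener start …
```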
diff --git
a/nifi-bootstrap/src/main/java/org/apache/nifi/bootstrap/RunNiFi.java
b/nifi-bootstrap/src/main/java/org/apache/nifi/bootstrap/RunNiFi.java
index 8abc83c..57b2901 100644
--- a/nifi-bootstrap/src/main/java/org/apache/nifi/bootstrap/RunNiFi.java
+++ b/nifi-bootstrap/src/main/java/org/apache/nifi/bootstrap/RunNiFi.java
@@ -111,6 +111,8 @@ public class RunNiFi {
public static final String NIFI_LOCK_FILE_NAME = "nifi.lock";
public static final String NIFI_BOOTSTRAP_SENSITIVE_KEY =
"nifi.bootstrap.sensitive.key";
+ public static final String NIFI_BOOTSTRAP_LISTEN_PORT_PROP =
"nifi.bootstrap.listen.port";
+
public static final String PID_KEY = "pid";
public static final int STARTUP_WAIT_SECONDS = 60;
@@ -1249,8 +1251,18 @@ public class RunNiFi {
cmdLogger.error("Self-Signed Certificate Generation Failed", e);
}
+ final String listenPortPropString =
props.get(NIFI_BOOTSTRAP_LISTEN_PORT_PROP);
+ int listenPortPropInt = 0; // default to zero (random ephemeral port)
+ if (listenPortPropString != null) {
+ try {
+ listenPortPropInt =
Integer.parseInt(listenPortPropString.trim());
+ } catch (final Exception e) {
+ // no-op, use the default
+ }
+ }
+
final NiFiListener listener = new NiFiListener();
- final int listenPort = listener.start(this);
+ final int listenPort = listener.start(this, listenPortPropInt);
final List<String> cmd = new ArrayList<>();
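Review bot: The `catch (final Exception e)` around Integer.parseInt swallows a bad nifi.bootstrap.listen.port silently, so a typo such as `nifi.bootstrap.listen.port=8o80` makes the bootstrap fall back to a random ephemeral port without any trace — exactly the behaviour an administrator who set the property to satisfy a firewall rule wants to notice. A value that parses but is out of range (negative or above 65535) is not caught here at all and only fails later inside the bind. The catch should be narrowed to NumberFormatException, the range checked, and the fallback logged through cmdLogger so the misconfiguration is visible in the bootstrap log. The enclosing method starts and ends outside the hunk.
```java
final String listenPortPropString = props.get(NIFI_BOOTSTRAP_LISTEN_PORT_PROP);
int listenPortPropInt = 0; // default to zero (random ephemeral port)
if (listenPortPropString != null && !listenPortPropString.trim().isEmpty()) {
    try {
        final int configuredPort = Integer.parseInt(listenPortPropString.trim());
        if (configuredPort < 0 || configuredPort > 65535) {
            throw new NumberFormatException("port out of range: " + configuredPort);
        }
        listenPortPropInt = configuredPort;
    } catch (final NumberFormatException e) {
        // fall back to an ephemeral port, but say so: a silent fallback defeats a firewall policy built on this property
        cmdLogger.warn("Ignoring invalid value '{}' for {}; a random ephemeral port will be used",
            listenPortPropString, NIFI_BOOTSTRAP_LISTEN_PORT_PROP);
    }
}
// … unchanged: NiFiListener creation and start …
```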
diff --git
a/nifi-commons/nifi-properties/src/main/java/org/apache/nifi/util/NiFiProperties.java
b/nifi-commons/nifi-properties/src/main/java/org/apache/nifi/util/NiFiProperties.java
index b1524f6..3ed2801 100644
---
a/nifi-commons/nifi-properties/src/main/java/org/apache/nifi/util/NiFiProperties.java
+++
b/nifi-commons/nifi-properties/src/main/java/org/apache/nifi/util/NiFiProperties.java
@@ -88,6 +88,7 @@ public class NiFiProperties extends ApplicationProperties {
public static final String PROCESSOR_SCHEDULING_TIMEOUT =
"nifi.processor.scheduling.timeout";
public static final String BACKPRESSURE_COUNT =
"nifi.queue.backpressure.count";
public static final String BACKPRESSURE_SIZE =
"nifi.queue.backpressure.size";
+ public static final String LISTENER_BOOTSTRAP_PORT =
"nifi.listener.bootstrap.port";
// Encryption Properties for all Repositories
public static final String REPOSITORY_ENCRYPTION_PROTOCOL_VERSION =
"nifi.repository.encryption.protocol.version";
@@ -381,6 +382,7 @@ public class NiFiProperties extends ApplicationProperties {
public static final String
DEFAULT_SECURITY_USER_SAML_HTTP_CLIENT_READ_TIMEOUT = "30 secs";
private static final String DEFAULT_SECURITY_USER_JWS_KEY_ROTATION_PERIOD
= "PT1H";
public static final String DEFAULT_WEB_SHOULD_SEND_SERVER_VERSION = "true";
+ public static final int DEFAULT_LISTENER_BOOTSTRAP_PORT = 0;
// cluster common defaults
public static final String DEFAULT_CLUSTER_PROTOCOL_HEARTBEAT_INTERVAL =
"5 sec";
@@ -1964,6 +1966,10 @@ public class NiFiProperties extends
ApplicationProperties {
return getProperty(BACKPRESSURE_SIZE, DEFAULT_BACKPRESSURE_SIZE);
}
+ public int getDefaultListenerBootstrapPort() {
+ return getIntegerProperty(LISTENER_BOOTSTRAP_PORT,
DEFAULT_LISTENER_BOOTSTRAP_PORT);
+ }
+
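Review bot: getDefaultListenerBootstrapPort has no Javadoc although the neighbouring accessor below it is documented, and its name reads as if it returned the constant DEFAULT_LISTENER_BOOTSTRAP_PORT when it actually returns the configured value of nifi.listener.bootstrap.port with 0 as the fallback. A one-line Javadoc would remove the ambiguity: `/** Returns the port NiFi binds to for Bootstrap communication ({@code nifi.listener.bootstrap.port}); {@code 0}, the default, selects a random ephemeral port. */`. If getIntegerProperty throws on a non-numeric value (not visible here), that should be stated with an `@throws` so callers know the property is validated here rather than silently defaulted.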
/**
* Returns the directory where the QuestDB based status repository is
expected to work within.
*
diff --git a/nifi-docs/src/main/asciidoc/administration-guide.adoc
b/nifi-docs/src/main/asciidoc/administration-guide.adoc
index 44a8e34..c60cde5 100644
--- a/nifi-docs/src/main/asciidoc/administration-guide.adoc
+++ b/nifi-docs/src/main/asciidoc/administration-guide.adoc
@@ -89,6 +89,7 @@ The following table lists the default ports used by NiFi and
the corresponding p
|Cluster Node Protocol Port* | `nifi.cluster.node.protocol.port` |
`11443`
|Cluster Node Load Balancing Port | `nifi.cluster.node.load.balance.port` |
`6342`
|Web HTTP Forwarding Port | `nifi.web.http.port.forwarding` |
_none_
+|Listener Bootstrap Port | `nifi.listener.bootstrap.port` |
_random ephemeral_
|==================================================================================================================================================
NOTE: The ports marked with an asterisk (*) have property values that are
blank by default in _nifi.properties_. The values shown in the table are the
default values for these ports when <<toolkit-guide.adoc#tls_toolkit,TLS
Toolkit>> is used to generate _nifi.properties_ for a secured NiFi instance.
The default Certificate Authority Port used by
<<toolkit-guide.adoc#tls_toolkit,TLS Toolkit>> is `9443`.
@@ -2748,6 +2749,7 @@ configured recipients whenever NiFi is stopped.
|`nifi.diagnostics.on.shutdown.directory`|This property specifies the location
of the NiFi diagnostics directory. The default value is `./diagnostics`.
|`nifi.diagnostics.on.shutdown.max.filecount`|This property specifies the
maximum permitted number of diagnostic files. If the limit is exceeded, the
oldest files are deleted. The default value is `10`.
|`nifi.diagnostics.on.shutdown.max.directory.size`|This property specifies the
maximum permitted size of the diagnostics directory. If the limit is exceeded,
the oldest files are deleted. The default value is `10 MB`.
+|`nifi.bootstrap.listen.port`|This property defines the port used to listen
for communications from NiFi. If this property is missing, empty, or `0`, a
random ephemeral port is used.
|====
[[notification_services]]
@@ -3926,6 +3928,15 @@ These properties pertain to various security features in
NiFi. Many of these pro
|`nifi.security.ocsp.responder.certificate`|This is the location of the OCSP
responder certificate if one is being used. It is blank by default.
|====
+=== Bootstrap Properties
+
+These properties pertain to the connection NiFi uses to receive communications
from NiFi Bootstrap.
+
+|====
+|*Property*|*Description*
+|`nifi.listener.bootstrap.port`|This property defines the port used to listen
for communications from NiFi Bootstrap. If this property is missing, empty, or
`0`, a random ephemeral port is used.
+|====
+
=== Identity Mapping Properties
These properties can be utilized to normalize user identities. When
implemented, identities authenticated by different identity providers
(certificates, LDAP, Kerberos) are treated the same internally in NiFi. As a
result, duplicate users are avoided and user-specific configurations such as
authorizations only need to be setup once per user.
diff --git
a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-resources/pom.xml
b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-resources/pom.xml
index 6e8b371..7e9747c 100644
---
a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-resources/pom.xml
+++
b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-resources/pom.xml
@@ -156,6 +156,9 @@
<nifi.security.ocsp.responder.url />
<nifi.security.ocsp.responder.certificate />
+ <!-- nifi.properties: listener bootstrap -->
+ <nifi.listener.bootstrap.port>0</nifi.listener.bootstrap.port>
+
<!-- nifi.properties: openid connect -->
<nifi.security.user.oidc.discovery.url />
<nifi.security.user.oidc.connect.timeout>5
secs</nifi.security.user.oidc.connect.timeout>
diff --git
a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-resources/src/main/resources/conf/bootstrap.conf
b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-resources/src/main/resources/conf/bootstrap.conf
index 5664cfa..881ad08 100644
---
a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-resources/src/main/resources/conf/bootstrap.conf
+++
b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-resources/src/main/resources/conf/bootstrap.conf
@@ -114,3 +114,6 @@ notification.max.attempts=5
# The first curator connection issue is logged as ERROR, for example when NiFi
cannot connect to one of the Zookeeper nodes.
# Additional connection issues are logged as DEBUG until the connection is
restored.
java.arg.curator.supress.excessive.logs=-Dcurator-log-only-first-connection-issue-as-error-level=true
+
+# Port used to listen for communications from NiFi. If this property is
missing, empty, or 0, a random ephemeral port is used.
+nifi.bootstrap.listen.port=0
diff --git
a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-resources/src/main/resources/conf/nifi.properties
b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-resources/src/main/resources/conf/nifi.properties
index 6faae17..0b90803 100644
---
a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-resources/src/main/resources/conf/nifi.properties
+++
b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-resources/src/main/resources/conf/nifi.properties
@@ -244,6 +244,11 @@
nifi.security.user.saml.http.client.read.timeout=${nifi.security.user.saml.http.
# nifi.security.group.mapping.value.anygroup=$1
# nifi.security.group.mapping.transform.anygroup=LOWER
+# Listener Bootstrap properties #
+# This property defines the port used to listen for communications from NiFi
Bootstrap. If this property
+# is missing, empty, or 0, a random ephemeral port is used.
+nifi.listener.bootstrap.port=${nifi.listener.bootstrap.port}
+
# cluster common properties (all nodes must have same values) #
nifi.cluster.protocol.heartbeat.interval=${nifi.cluster.protocol.heartbeat.interval}
nifi.cluster.protocol.heartbeat.missable.max=${nifi.cluster.protocol.heartbeat.missable.max}
diff --git
a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-runtime/src/main/java/org/apache/nifi/BootstrapListener.java
b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-runtime/src/main/java/org/apache/nifi/BootstrapListener.java
index 574ea29..5bf091a 100644
---
a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-runtime/src/main/java/org/apache/nifi/BootstrapListener.java
+++
b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-runtime/src/main/java/org/apache/nifi/BootstrapListener.java
@@ -56,11 +56,11 @@ public class BootstrapListener {
secretKey = UUID.randomUUID().toString();
}
- public void start() throws IOException {
+ public void start(final int listenPort) throws IOException {
logger.debug("Starting Bootstrap Listener to communicate with
Bootstrap Port {}", bootstrapPort);
serverSocket = new ServerSocket();
- serverSocket.bind(new InetSocketAddress("localhost", 0));
+ serverSocket.bind(new InetSocketAddress("localhost", listenPort));
serverSocket.setSoTimeout(2000);
final int localPort = serverSocket.getLocalPort();
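Review bot: The debug line at the top of start still reports only bootstrapPort, so when a fixed listenPort is configured there is no log evidence of which port NiFi tried to bind before the bind line runs, which is the first thing to look for when startup fails on a port conflict. Include the new parameter: `logger.debug("Starting Bootstrap Listener on localhost:{} to communicate with Bootstrap Port {}", listenPort, bootstrapPort);`. The bind-failure handling raised on NiFiListener.start applies to the bind here as well. start's body continues outside the hunk.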
diff --git
a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-runtime/src/main/java/org/apache/nifi/NiFi.java
b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-runtime/src/main/java/org/apache/nifi/NiFi.java
index 541d4cf..ad92500 100644
---
a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-runtime/src/main/java/org/apache/nifi/NiFi.java
+++
b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-runtime/src/main/java/org/apache/nifi/NiFi.java
@@ -111,7 +111,7 @@ public class NiFi implements NiFiEntryPoint {
}
bootstrapListener = new BootstrapListener(this, port);
- bootstrapListener.start();
+
bootstrapListener.start(properties.getDefaultListenerBootstrapPort());
} catch (final NumberFormatException nfe) {
throw new RuntimeException("Failed to start NiFi because
system property '" + BOOTSTRAP_PORT_PROPERTY + "' is not a valid integer in the
range 1 - 65535");
}
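Review bot: The new call to properties.getDefaultListenerBootstrapPort() sits inside the try whose catch turns any NumberFormatException into a RuntimeException blaming BOOTSTRAP_PORT_PROPERTY, so if getIntegerProperty rejects a non-numeric nifi.listener.bootstrap.port (inferred, not visible here) the operator is pointed at the wrong property. Reading the value before the try, `final int listenerPort = properties.getDefaultListenerBootstrapPort();`, and passing `listenerPort` to start keeps the existing message accurate; alternatively the message should name both properties. This is also inconsistent with the bootstrap side, where an invalid nifi.bootstrap.listen.port silently falls back to an ephemeral port rather than failing. The try block starts outside the hunk.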