[ 
https://issues.apache.org/jira/browse/AMBARI-25113?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Axton Grams updated AMBARI-25113:
---------------------------------
    Description: 
When Nifi Registry is configured with TLS, health checks fail:

 
{code:java}
2019-01-18 15:55:07,125 - 
File['/var/lib/ambari-agent/cache/common-services/NIFI_REGISTRY/0.1.0/package/files/nifi-toolkit-1.5.0.3.1.1.0-35/bin/tls-toolkit.sh']
 {'mode': 0755}
2019-01-18 15:55:07,126 - 
File['/var/lib/ambari-agent/cache/common-services/NIFI_REGISTRY/0.1.0/package/files/nifi-toolkit-1.5.0.3.1.1.0-35/bin/encrypt-config.sh']
 {'mode': 0755}
2019-01-18 15:55:08,832 - Executing: ambari-sudo.sh JAVA_HOME=/usr/jdk64/jdk1.8 
/var/lib/ambari-agent/cache/common-services/NIFI_REGISTRY/0.1.0/package/files/nifi-toolkit-1.5.0.3.1.1.0-35/bin/tls-toolkit.sh
 status -u https://server.example.com:12345 -ks /etc/pki/tls/private/abcd.jks 
-kst JKS -ksp *** -kp -ts /etc/pki/java/cacerts -tst JKS -tsp changeit
2019-01-18 15:55:09,158 - Will retry 28 time(s), caught exception: Call to 
tls-toolkit encountered error: No keystore or truststore was provided
usage: org.apache.nifi.toolkit.tls.TlsToolkitMain [-h] [-kp <arg>] [-ks <arg>] 
[-ksp <arg>] [-kst <arg>] [-p <arg>] [-ts <arg>] [-tsp <arg>] [-tst <arg>] [-u
<arg>]
Checks the status of an HTTPS endpoint by making a GET request using a supplied 
keystore and truststore.
-h,--help Print help and exit.
-kp,--keyPassword <arg> The key password of the key store being used
-ks,--keyStore <arg> The key store to use
-ksp,--keyStorePassword <arg> The password of the key store being used
-kst,--keyStoreType <arg> The type of key store being used (PKCS12 or JKS) 
(default: JKS)
-p,--protocol <arg> The protocol to use (default: TLS)
-ts,--trustStore <arg> The trust store being used
-tsp,--trustStorePassword <arg> The password of the trust store being used
-tst,--trustStoreType <arg> The type of trust store being used (PKCS12 or JKS) 
(default: JKS)
-u,--url <arg> The full url to connect to, for example: 
https://localhost:8443/v1/api
Java home: /usr/jdk64/jdk1.8
NiFi Toolkit home: 
/var/lib/ambari-agent/cache/common-services/NIFI_REGISTRY/0.1.0/package/files/nifi-toolkit-1.5.0.3.1.1.0-35
2019/01/18 15:55:09 ERROR [main] 
org.apache.nifi.toolkit.tls.status.TlsToolkitGetStatusCommandLine: No keystore 
or truststore was provided
org.apache.nifi.toolkit.tls.commandLine.CommandLineParseException: No keystore 
or truststore was provided
at 
org.apache.nifi.toolkit.tls.commandLine.BaseCommandLine.printUsageAndThrow(BaseCommandLine.java:72)
at 
org.apache.nifi.toolkit.tls.status.TlsToolkitGetStatusCommandLine.postParse(TlsToolkitGetStatusCommandLine.java:142)
at 
org.apache.nifi.toolkit.tls.commandLine.BaseCommandLine.doParse(BaseCommandLine.java:91)
at 
org.apache.nifi.toolkit.tls.commandLine.BaseCommandLine.parse(BaseCommandLine.java:109)
at 
org.apache.nifi.toolkit.tls.status.TlsToolkitGetStatusCommandLine.main(TlsToolkitGetStatusCommandLine.java:72)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at 
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.apache.nifi.toolkit.tls.TlsToolkitMain.doMain(TlsToolkitMain.java:109)
at org.apache.nifi.toolkit.tls.TlsToolkitMain.main(TlsToolkitMain.java:55)
{code}
 
 When checking the health of a tls enabled Nifi Registry, only the trust store 
parameters are required.  The following Keystore related parameters are not 
required:
 * -kp,--keyPassword <arg> The key password of the key store being used
 * -ks,--keyStore <arg> The key store to use
 * -ksp,--keyStorePassword <arg> The password of the key store being used
 * -kst,--keyStoreType <arg> The type of key store being used (PKCS12 or JKS) 
(default: JKS)

The following patch allows the health check to operate as expected:

 
{code:java}
--- 
/var/lib/ambari-server/resources/common-services/NIFI_REGISTRY/0.1.0/package/scripts/service_check.py.original
 2019-01-18 15:46:41.867390249 -0500
+++ 
/var/lib/ambari-server/resources/common-services/NIFI_REGISTRY/0.1.0/package/scripts/service_check.py
 2019-01-18 16:03:43.750582415 -0500
@@ -105,7 +105,7 @@
 truststoreType = nifi_registry_props['nifi.registry.security.truststoreType']
 truststorePasswd = 
nifi_registry_props['nifi.registry.security.truststorePasswd']
- command = 'ambari-sudo.sh JAVA_HOME=' + jdk64_home + ' '+ tls_toolkit_script 
+ ' status -u ' + url + ' -ks ' + keystore + ' -kst ' + keystoreType + ' -ksp ' 
+ keystorePasswd + ' -kp ' + keyPasswd + ' -ts ' + truststore + ' -tst ' + 
truststoreType + ' -tsp ' + truststorePasswd
+ command = 'ambari-sudo.sh JAVA_HOME=' + jdk64_home + ' '+ tls_toolkit_script 
+ ' status -u ' + url + ' -ts ' + truststore + ' -tst ' + truststoreType + ' 
-tsp ' + truststorePasswd
# Only uncomment for debugging, otherwise the passwords will get logged
 #Logger.info("Executing: " + command)
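Review bot: the replacement `command` line drops `-ks`, `-kst` and `-ksp` together with `-kp`, while the logged command above shows only `-kp` arriving without a value (`-kp -ts /etc/pki/java/cacerts`). If a Registry is set up to require client certificates, the status call would have no keystore left to present. Consider keeping the keystore options when `keystore` is set and appending `-kp` only when `keyPasswd` is non-empty, instead of removing all four unconditionally.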
{code}
 

It may be worth noting that the JKS used by Nifi, Nifi Registry, etc. contains 
a JKS password, but not a key password.

In any case, a keystore isn't required by this utility to do an http get/check 
https endpoint in any case I can see.

This issue only manifests in cases where Nifi Registry has tls/ssl enabled.  If 
tls/ssl is not enabled on the Nifi Registry, a different branch is used to 
check Nifi Registry's http endpoint availability in:
{code:java}
/var/lib/ambari-server/resources/common-services/NIFI_REGISTRY/0.1.0/package/scripts/service_check.py{code}

  was:
When Nifi Registry is configured with TLS, health checks fail:

 
{code:java}
2019-01-18 15:55:07,125 - 
File['/var/lib/ambari-agent/cache/common-services/NIFI_REGISTRY/0.1.0/package/files/nifi-toolkit-1.5.0.3.1.1.0-35/bin/tls-toolkit.sh']
 {'mode': 0755}
2019-01-18 15:55:07,126 - 
File['/var/lib/ambari-agent/cache/common-services/NIFI_REGISTRY/0.1.0/package/files/nifi-toolkit-1.5.0.3.1.1.0-35/bin/encrypt-config.sh']
 {'mode': 0755}
2019-01-18 15:55:08,832 - Executing: ambari-sudo.sh JAVA_HOME=/usr/jdk64/jdk1.8 
/var/lib/ambari-agent/cache/common-services/NIFI_REGISTRY/0.1.0/package/files/nifi-toolkit-1.5.0.3.1.1.0-35/bin/tls-toolkit.sh
 status -u https://server.example.com:12345 -ks /etc/pki/tls/private/abcd.jks 
-kst JKS -ksp *** -kp -ts /etc/pki/java/cacerts -tst JKS -tsp changeit
2019-01-18 15:55:09,158 - Will retry 28 time(s), caught exception: Call to 
tls-toolkit encountered error: No keystore or truststore was provided
usage: org.apache.nifi.toolkit.tls.TlsToolkitMain [-h] [-kp <arg>] [-ks <arg>] 
[-ksp <arg>] [-kst <arg>] [-p <arg>] [-ts <arg>] [-tsp <arg>] [-tst <arg>] [-u
<arg>]
Checks the status of an HTTPS endpoint by making a GET request using a supplied 
keystore and truststore.
-h,--help Print help and exit.
-kp,--keyPassword <arg> The key password of the key store being used
-ks,--keyStore <arg> The key store to use
-ksp,--keyStorePassword <arg> The password of the key store being used
-kst,--keyStoreType <arg> The type of key store being used (PKCS12 or JKS) 
(default: JKS)
-p,--protocol <arg> The protocol to use (default: TLS)
-ts,--trustStore <arg> The trust store being used
-tsp,--trustStorePassword <arg> The password of the trust store being used
-tst,--trustStoreType <arg> The type of trust store being used (PKCS12 or JKS) 
(default: JKS)
-u,--url <arg> The full url to connect to, for example: 
https://localhost:8443/v1/api
Java home: /usr/jdk64/jdk1.8
NiFi Toolkit home: 
/var/lib/ambari-agent/cache/common-services/NIFI_REGISTRY/0.1.0/package/files/nifi-toolkit-1.5.0.3.1.1.0-35
2019/01/18 15:55:09 ERROR [main] 
org.apache.nifi.toolkit.tls.status.TlsToolkitGetStatusCommandLine: No keystore 
or truststore was provided
org.apache.nifi.toolkit.tls.commandLine.CommandLineParseException: No keystore 
or truststore was provided
at 
org.apache.nifi.toolkit.tls.commandLine.BaseCommandLine.printUsageAndThrow(BaseCommandLine.java:72)
at 
org.apache.nifi.toolkit.tls.status.TlsToolkitGetStatusCommandLine.postParse(TlsToolkitGetStatusCommandLine.java:142)
at 
org.apache.nifi.toolkit.tls.commandLine.BaseCommandLine.doParse(BaseCommandLine.java:91)
at 
org.apache.nifi.toolkit.tls.commandLine.BaseCommandLine.parse(BaseCommandLine.java:109)
at 
org.apache.nifi.toolkit.tls.status.TlsToolkitGetStatusCommandLine.main(TlsToolkitGetStatusCommandLine.java:72)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at 
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.apache.nifi.toolkit.tls.TlsToolkitMain.doMain(TlsToolkitMain.java:109)
at org.apache.nifi.toolkit.tls.TlsToolkitMain.main(TlsToolkitMain.java:55)
{code}
 
When checking the health of a tls enabled Nifi Registry, only the trust store 
parameters are required.  The following Keystore related parameters are not 
required:
 * -kp,--keyPassword <arg> The key password of the key store being used
 * -ks,--keyStore <arg> The key store to use
 * -ksp,--keyStorePassword <arg> The password of the key store being used
 * -kst,--keyStoreType <arg> The type of key store being used (PKCS12 or JKS) 
(default: JKS)

The following patch allows the health check to operate as expected:

 
{code:java}
--- 
/var/lib/ambari-server/resources/common-services/NIFI_REGISTRY/0.1.0/package/scripts/service_check.py.original
 2019-01-18 15:46:41.867390249 -0500
+++ 
/var/lib/ambari-server/resources/common-services/NIFI_REGISTRY/0.1.0/package/scripts/service_check.py
 2019-01-18 16:03:43.750582415 -0500
@@ -105,7 +105,7 @@
 truststoreType = nifi_registry_props['nifi.registry.security.truststoreType']
 truststorePasswd = 
nifi_registry_props['nifi.registry.security.truststorePasswd']
- command = 'ambari-sudo.sh JAVA_HOME=' + jdk64_home + ' '+ tls_toolkit_script 
+ ' status -u ' + url + ' -ks ' + keystore + ' -kst ' + keystoreType + ' -ksp ' 
+ keystorePasswd + ' -kp ' + keyPasswd + ' -ts ' + truststore + ' -tst ' + 
truststoreType + ' -tsp ' + truststorePasswd
+ command = 'ambari-sudo.sh JAVA_HOME=' + jdk64_home + ' '+ tls_toolkit_script 
+ ' status -u ' + url + ' -ts ' + truststore + ' -tst ' + truststoreType + ' 
-tsp ' + truststorePasswd
# Only uncomment for debugging, otherwise the passwords will get logged
 #Logger.info("Executing: " + command)
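Review bot: on the new `command` line `truststorePasswd` is still passed as the `-tsp` argument, and the "Executing:" line in the log quoted above prints it in clear (`-tsp changeit`) while `-ksp` is rendered as `***`. The comment under the hunk says the passwords must not get logged, so the trust store password needs the same masking as the key store password wherever that "Executing:" line is produced.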
{code}
 


> Nifi Registry Service Check - TLS Error
> ---------------------------------------
>
>                 Key: AMBARI-25113
>                 URL: https://issues.apache.org/jira/browse/AMBARI-25113
>             Project: Ambari
>          Issue Type: Bug
>          Components: stacks
>    Affects Versions: 2.6.1
>         Environment: Oracle JDK 1.8.0_192
> RHEL 7.4
> Ambari 2.6.1.0
> HDF 3.1.1.0
> TLS Enabled Nifi and Nifi Registry
> Certificate Authority is an external CA; we are not using the Nifi CA.
> The Keystore maintained for our certificate does not include a key password.
>            Reporter: Axton Grams
>            Priority: Major
>
> When Nifi Registry is configured with TLS, health checks fail:
>  
> {code:java}
> 2019-01-18 15:55:07,125 - 
> File['/var/lib/ambari-agent/cache/common-services/NIFI_REGISTRY/0.1.0/package/files/nifi-toolkit-1.5.0.3.1.1.0-35/bin/tls-toolkit.sh']
>  {'mode': 0755}
> 2019-01-18 15:55:07,126 - 
> File['/var/lib/ambari-agent/cache/common-services/NIFI_REGISTRY/0.1.0/package/files/nifi-toolkit-1.5.0.3.1.1.0-35/bin/encrypt-config.sh']
>  {'mode': 0755}
> 2019-01-18 15:55:08,832 - Executing: ambari-sudo.sh 
> JAVA_HOME=/usr/jdk64/jdk1.8 
> /var/lib/ambari-agent/cache/common-services/NIFI_REGISTRY/0.1.0/package/files/nifi-toolkit-1.5.0.3.1.1.0-35/bin/tls-toolkit.sh
>  status -u https://server.example.com:12345 -ks /etc/pki/tls/private/abcd.jks 
> -kst JKS -ksp *** -kp -ts /etc/pki/java/cacerts -tst JKS -tsp changeit
> 2019-01-18 15:55:09,158 - Will retry 28 time(s), caught exception: Call to 
> tls-toolkit encountered error: No keystore or truststore was provided
> usage: org.apache.nifi.toolkit.tls.TlsToolkitMain [-h] [-kp <arg>] [-ks 
> <arg>] [-ksp <arg>] [-kst <arg>] [-p <arg>] [-ts <arg>] [-tsp <arg>] [-tst 
> <arg>] [-u
> <arg>]
> Checks the status of an HTTPS endpoint by making a GET request using a 
> supplied keystore and truststore.
> -h,--help Print help and exit.
> -kp,--keyPassword <arg> The key password of the key store being used
> -ks,--keyStore <arg> The key store to use
> -ksp,--keyStorePassword <arg> The password of the key store being used
> -kst,--keyStoreType <arg> The type of key store being used (PKCS12 or JKS) 
> (default: JKS)
> -p,--protocol <arg> The protocol to use (default: TLS)
> -ts,--trustStore <arg> The trust store being used
> -tsp,--trustStorePassword <arg> The password of the trust store being used
> -tst,--trustStoreType <arg> The type of trust store being used (PKCS12 or 
> JKS) (default: JKS)
> -u,--url <arg> The full url to connect to, for example: 
> https://localhost:8443/v1/api
> Java home: /usr/jdk64/jdk1.8
> NiFi Toolkit home: 
> /var/lib/ambari-agent/cache/common-services/NIFI_REGISTRY/0.1.0/package/files/nifi-toolkit-1.5.0.3.1.1.0-35
> 2019/01/18 15:55:09 ERROR [main] 
> org.apache.nifi.toolkit.tls.status.TlsToolkitGetStatusCommandLine: No 
> keystore or truststore was provided
> org.apache.nifi.toolkit.tls.commandLine.CommandLineParseException: No 
> keystore or truststore was provided
> at 
> org.apache.nifi.toolkit.tls.commandLine.BaseCommandLine.printUsageAndThrow(BaseCommandLine.java:72)
> at 
> org.apache.nifi.toolkit.tls.status.TlsToolkitGetStatusCommandLine.postParse(TlsToolkitGetStatusCommandLine.java:142)
> at 
> org.apache.nifi.toolkit.tls.commandLine.BaseCommandLine.doParse(BaseCommandLine.java:91)
> at 
> org.apache.nifi.toolkit.tls.commandLine.BaseCommandLine.parse(BaseCommandLine.java:109)
> at 
> org.apache.nifi.toolkit.tls.status.TlsToolkitGetStatusCommandLine.main(TlsToolkitGetStatusCommandLine.java:72)
> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> at 
> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
> at 
> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> at java.lang.reflect.Method.invoke(Method.java:498)
> at org.apache.nifi.toolkit.tls.TlsToolkitMain.doMain(TlsToolkitMain.java:109)
> at org.apache.nifi.toolkit.tls.TlsToolkitMain.main(TlsToolkitMain.java:55)
> {code}
>  
>  When checking the health of a tls enabled Nifi Registry, only the trust 
> store parameters are required.  The following Keystore related parameters are 
> not required:
>  * -kp,--keyPassword <arg> The key password of the key store being used
>  * -ks,--keyStore <arg> The key store to use
>  * -ksp,--keyStorePassword <arg> The password of the key store being used
>  * -kst,--keyStoreType <arg> The type of key store being used (PKCS12 or JKS) 
> (default: JKS)
> The following patch allows the health check to operate as expected:
>  
> {code:java}
> --- 
> /var/lib/ambari-server/resources/common-services/NIFI_REGISTRY/0.1.0/package/scripts/service_check.py.original
>  2019-01-18 15:46:41.867390249 -0500
> +++ 
> /var/lib/ambari-server/resources/common-services/NIFI_REGISTRY/0.1.0/package/scripts/service_check.py
>  2019-01-18 16:03:43.750582415 -0500
> @@ -105,7 +105,7 @@
>  truststoreType = nifi_registry_props['nifi.registry.security.truststoreType']
>  truststorePasswd = 
> nifi_registry_props['nifi.registry.security.truststorePasswd']
> - command = 'ambari-sudo.sh JAVA_HOME=' + jdk64_home + ' '+ 
> tls_toolkit_script + ' status -u ' + url + ' -ks ' + keystore + ' -kst ' + 
> keystoreType + ' -ksp ' + keystorePasswd + ' -kp ' + keyPasswd + ' -ts ' + 
> truststore + ' -tst ' + truststoreType + ' -tsp ' + truststorePasswd
> + command = 'ambari-sudo.sh JAVA_HOME=' + jdk64_home + ' '+ 
> tls_toolkit_script + ' status -u ' + url + ' -ts ' + truststore + ' -tst ' + 
> truststoreType + ' -tsp ' + truststorePasswd
> # Only uncomment for debugging, otherwise the passwords will get logged
>  #Logger.info("Executing: " + command)
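Review bot: the new `command` line still joins `url`, `truststore`, `truststoreType` and `truststorePasswd` into one string with no quoting, so a value that is empty or contains a space changes how the command line is tokenized, which is the same pattern that produced the bare `-kp` in the log. Quote each value, or build an argument list and skip options whose value is empty, so a flag can never be emitted without its argument.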
> {code}
>  
> It may be worth noting that the JKS used by Nifi, Nifi Registry, etc. 
> contains a JKS password, but not a key password.
> In any case, a keystore isn't required by this utility to do an http 
> get/check https endpoint in any case I can see.
> This issue only manifests in cases where Nifi Registry has tls/ssl enabled.  
> If tls/ssl is not enabled on the Nifi Registry, a different branch is used to 
> check Nifi Registry's http endpoint availability in:
> {code:java}
> /var/lib/ambari-server/resources/common-services/NIFI_REGISTRY/0.1.0/package/scripts/service_check.py{code}



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
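
The failure in the log (`-kp` followed directly by `-ts`) comes from concatenating an empty key password into the command string. The sketch below is an added example, not Ambari's service_check.py: it builds the `status` arguments as a list, skips options with empty values, and renders a log-safe form. The function names and sample values are hypothetical; the flags are the ones printed in the usage text above.

```python
import shlex

# Flags as printed in the tls-toolkit "status" usage text quoted in the issue.
SECRET_FLAGS = {"-ksp", "-kp", "-tsp"}


def build_status_argv(script, url, options):
    """Build the argument vector, skipping any option whose value is empty.

    `options` is an ordered list of (flag, value) pairs.
    """
    argv = [script, "status", "-u", url]
    for flag, value in options:
        if value is None or str(value).strip() == "":
            continue  # never emit a bare flag such as "-kp"
        argv += [flag, str(value)]
    return argv


def masked(argv):
    """Shell-quoted rendering that is safe to log: secret values become ***."""
    out, hide = [], False
    for token in argv:
        out.append("***" if hide else shlex.quote(token))
        hide = token in SECRET_FLAGS
    return " ".join(out)


def concatenated_tokens(script, url, options):
    """Tokens produced by the string-concatenation style used in the patch."""
    command = script + " status -u " + url
    for flag, value in options:
        command += " " + flag + " " + (value or "")
    return shlex.split(command)


# Constructed sample values modelled on the log in the issue; key password is empty.
URL = "https://server.example.com:12345"
SAMPLE = [
    ("-ks", "/etc/pki/tls/private/abcd.jks"), ("-kst", "JKS"),
    ("-ksp", "constructed-secret"), ("-kp", ""),
    ("-ts", "/etc/pki/java/cacerts"), ("-tst", "JKS"), ("-tsp", "changeit"),
]

if __name__ == "__main__":
    old = concatenated_tokens("tls-toolkit.sh", URL, SAMPLE)
    print("token after -kp (concatenated):", old[old.index("-kp") + 1])
    print(masked(build_status_argv("tls-toolkit.sh", URL, SAMPLE)))
```

Passing the resulting list to the process launcher without a shell also removes the need to quote paths or passwords that contain spaces.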
