[GitHub] [nifi] jfrazee commented on a change in pull request #4753: NIFI-7356 - Enable TLS for embedded Zookeeper when NiFi has TLS enabled

Wed, 13 Jan 2021 11:09:33 -0800 


jfrazee commented on a change in pull request #4753:
URL: https://github.com/apache/nifi/pull/4753#discussion_r556764426



##########
File path: 
nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-framework-core/src/main/java/org/apache/nifi/controller/state/server/ZooKeeperStateServer.java
##########
@@ -198,6 +233,110 @@ public static ZooKeeperStateServer create(final 
NiFiProperties properties) throw
             zkProperties.load(bis);
         }
 
-        return new ZooKeeperStateServer(zkProperties);
+        return new ZooKeeperStateServer(reconcileProperties(properties, 
zkProperties));
+    }
+
+    /**
+     * Reconcile properties between the nifi.properties and 
zookeeper.properties (zoo.cfg) files. Most of the ZooKeeper server properties 
are derived from
+     * the zookeeper.properties file, while the TLS key/truststore properties 
are taken from nifi.properties.
+     * @param niFiProperties NiFiProperties file containing ZooKeeper client 
and TLS configuration
+     * @param zkProperties The zookeeper.properties file containing Zookeeper 
server configuration
+     * @return A reconciled QuorumPeerConfig which will include TLS properties 
set if they are available.
+     * @throws IOException If configuration files fail to parse.
+     * @throws ConfigException If secure configuration is not as expected. 
Check administration documentation.
+     */
+    private static QuorumPeerConfig reconcileProperties(NiFiProperties 
niFiProperties, Properties zkProperties) throws IOException, ConfigException {
+        QuorumPeerConfig peerConfig = new QuorumPeerConfig();
+        peerConfig.parseProperties(zkProperties);
+
+        // If secureClientPortAddress is set but no TLS config is set, fail to 
start.
+        final boolean isTLSConfigPresent = 
niFiProperties.isTlsConfigurationPresent() || 
niFiProperties.isZooKeeperTlsConfigurationPresent();
+        if (peerConfig.getSecureClientPortAddress() != null && 
!isTLSConfigPresent) {
+            throw new ConfigException(
+                    String.format("Property secureClientPort was set in %s but 
there was no TLS config present in nifi.properties",
+                    
niFiProperties.getProperty(NiFiProperties.STATE_MANAGEMENT_ZOOKEEPER_PROPERTIES)));
+        }
+
+        // If this is an insecure NiFi no changes are needed:
+        if (!isTLSConfigPresent) {
+            logger.info("ZooKeeper is not secure because appropriate TLS 
configuration was not provided. Please refer to administration guide.");
+            return peerConfig;
+        }
+
+        // Otherwise the following sets secure TLS settings for embedded 
Zookeeper
+
+        // Remove plaintext client ports and addresses and warn if set, see 
NIFI-7203:
+        InetSocketAddress clientPort = peerConfig.getClientPortAddress();
+        if (clientPort != null) {
+            zkProperties.remove("clientPort");
+            zkProperties.remove("clientPortAddress");
+            logger.warn("Invalid configuration detected: secure NiFi with 
embedded ZooKeeper configured for insecure connections. " +
+                    "Removed insecure port from embedded ZooKeeper 
configuration to deactivate insecure connections.");
+        }
+
+        // Set the TLS properties, preferring ZK TLS from nifi.properties over 
the default TLS properties.
+        for (Map.Entry<String, String> propertyMapping : 
ZOOKEEPER_TLS_TO_NIFI_PROPERTIES.entrySet()) {
+            String preferredValue = getPreferredTLSProperty(niFiProperties, 
propertyMapping.getValue());
+            zkProperties.setProperty(String.join(".", ZOOKEEPER_TLS_PREFIX, 
propertyMapping.getKey()), preferredValue);
+            zkProperties.setProperty(String.join(".", 
ZOOKEEPER_QUORUM_TLS_PREFIX, propertyMapping.getKey()), preferredValue);
+        }
+
+        // Set TLS client port:
+        zkProperties.setProperty("secureClientPort", 
getSecurePort(peerConfig));
+
+        // Set the required connection factory for TLS
+        final String cnxnPropKey = "serverCnxnFactory";
+        zkProperties.setProperty(cnxnPropKey, SERVER_CNXN_FACTORY);

Review comment:
       ```suggestion
            zkProperties.setProperty(ZOOKEEPER_SERVER_CNXN_FACTORY, 
SERVER_CNXN_FACTORY);
   ```




----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to