[
https://issues.apache.org/jira/browse/NIFI-6740?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17492727#comment-17492727
]
ASF subversion and git services commented on NIFI-6740:
-------------------------------------------------------
Commit 4815df29db8b32b6992622b77ff1c7f7e9001989 in nifi's branch
refs/heads/main from Steve Lawrence
[ https://gitbox.apache.org/repos/asf?p=nifi.git;h=4815df2 ]
NIFI-6740: Add configuration options to specify NiFi/Bootstrap communication
ports

The NiFi and NiFi Bootstrap processes both bind to random ephemeral
ports to allow for inter-process communication (e.g. shutdown, port,
ping, etc.). However, the randomness of these ephemeral ports can pose
challenges for some security policies and firewall rules.

This adds two configuration options, nifi.bootstrap.listen.port and
nifi.listener.bootstrap.port, that allow an administrator to define
which ports the two processes should bind to for this communication,
making it easier to define security policies. The options default to
zero to maintain the current ephemeral port behavior.

NIFI-6740: Add configuration options to specify NiFi/Bootstrap communication
ports

Signed-off-by: Matthew Burgess <[email protected]>

This closes #5746

> No way to configure bootstrap or nifi command/control ports
> -----------------------------------------------------------
>
> Key: NIFI-6740
> URL: https://issues.apache.org/jira/browse/NIFI-6740
> Project: Apache NiFi
> Issue Type: Bug
> Reporter: Steve Lawrence
> Priority: Major
> Time Spent: 2h 10m
> Remaining Estimate: 0h
>
> Currently, when Bootstrap starts it binds to a random ephemeral port on
> localhost in {{NifiListener.java}}:
> {code:java}
> serverSocket = new ServerSocket();
> serverSocket.bind(new InetSocketAddress("localhost", 0));
> {code}
> And then it passes this port to NiFi via the
> {{-Dnifi.bootstrap.listener.port}} argument.
> Subsequently, NiFi will also bind to a random ephemeral port in
> {{BootstrapListener.java}}, and then pass that port to Bootstrap via the port
> that was passed in.
> These two ports provide a method of communication for command/control between
> the Bootstrap and NiFi processes.
> Unfortunately, because these ports are ephemeral and change on every start
> up, it makes it difficult to have predefined security policies (e.g.
> iptables/firewall) in place for these ports.
> To resolve this, one solution is to add new configuration options to
> bootstrap.conf/nifi.properties, which would allow administrators to define
> values for these ports. This ensures that every time NiFi starts, the
> command/control ports will remain constant allowing for pre-defined security
> policies to be created. For backwards compatibility, the options can default
> to zero to maintain the ephemeral port behavior.
--
This message was sent by Atlassian Jira
(v8.20.1#820001)
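
An added example, not part of the NiFi commit or the Jira issue: a Python check that reads the text of the two configuration files and reports whether the options named in the commit message are pinned to fixed, distinct ports that a firewall rule can reference. The function names, the sample values, the file each option is placed in, and the Linux default ephemeral range are assumptions.

```python
# Option names are the two given in the commit message above.
PORT_KEYS = ("nifi.bootstrap.listen.port", "nifi.listener.bootstrap.port")
# Assumption: Linux default net.ipv4.ip_local_port_range (32768-60999).
EPHEMERAL_RANGE = range(32768, 61000)

def read_properties(text):
    """Parse key=value lines, skipping blank lines and # / ! comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props

def audit_ports(*config_texts):
    """Return (ports, findings) for the two command/control port options."""
    props = {}
    for text in config_texts:
        props.update(read_properties(text))
    ports, findings = {}, []
    for key in PORT_KEYS:
        raw = props.get(key) or "0"  # commit message: options default to zero
        if not (raw.isascii() and raw.isdigit()) or int(raw) > 65535:
            findings.append(f"{key}: invalid port value {raw!r}")
            continue
        port = int(raw)
        if port == 0:
            findings.append(f"{key}: 0 or unset, binds a random ephemeral port")
            continue
        ports[key] = port
        if port in EPHEMERAL_RANGE:
            findings.append(f"{key}: {port} is inside the OS ephemeral range")
    if len(ports) == 2 and len(set(ports.values())) == 1:
        findings.append("both options use the same port; only one process can bind it")
    return ports, findings

# Constructed sample input; which file holds which option is an assumption.
SAMPLE_BOOTSTRAP_CONF = "# constructed sample\nnifi.bootstrap.listen.port=9001\n"
SAMPLE_NIFI_PROPERTIES = "nifi.listener.bootstrap.port=0\n"

if __name__ == "__main__":
    fixed, problems = audit_ports(SAMPLE_BOOTSTRAP_CONF, SAMPLE_NIFI_PROPERTIES)
    print("fixed ports:", fixed)
    for problem in problems:
        print("FINDING:", problem)
```

An empty findings list means both ports are fixed and distinct, so the values in `ports` can be used directly in a loopback firewall policy.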