Julien G. created NIFI-10425:
--------------------------------
Summary: nifi.security.autoreload.enabled feature doesn't work
with symlink
Key: NIFI-10425
URL: https://issues.apache.org/jira/browse/NIFI-10425
Project: Apache NiFi
Issue Type: Improvement
Reporter: Julien G.
Fix For: 1.18.0
On a NiFi running on K8S. The certificates are provided by a secret to the
pods, so to allow NiFi to reload them when they are updated, I set the
{{nifi.security.autoreload.enabled }}flag to {{{}true{}}}. But the secret
mounting mechanism makes that there is a set of symlink and the scanner that
keeps track of the certificates considers that the certificates are deleted and
not updated. Because instead of keeping track of the file through the symlink
it keeps track of the file pointed by the symlink. So when the secret is
updated the certificates is deleted and created into another folder and the
symlink is updated. But for the Scanner the file has been deleted. So it stops
keeping track of it and does not reload the certificate.
To illustrate my point: * At the start, the pyramid is like that:
{{truststore.jks}} [Symlink] -> {{..data/truststore.jks}} [Symlink] ->
{{..2022_08_31_19_45_44.079808492/truststore.jks}}
* After the update, the pyramid is like that: {{truststore.jks}} [Symlink] ->
{{..data/truststore.jks}} [Symlink] -> {{..<NEW_TIMESTAMP>/truststore.jks}}
The symlink still references a right file but as the "real" file changed of
directory the scanner considers that the file has been deleted and therefore
stop keeping track of it.
The Scanner from Jetty will by default have the parameter {{reportRealPaths}}
set to {{{}true{}}}. If set to true, the listenesr used by the Scanner are
called with the real path of scanned files. Sot the parameter should be set to
{{{}false{}}}.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
