[
https://issues.apache.org/jira/browse/NIFI-10425?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Julien G. updated NIFI-10425:
-----------------------------
Description:
On a NiFi running on K8S. The certificates are provided by a secret to the
pods, so to allow NiFi to reload them when they are updated, I set the
{{nifi.security.autoreload.enabled}} flag to {{true}}. But the secret mounting
mechanism makes that there is a set of symlink and the scanner that keeps track
of the certificates considers that the certificates are deleted and not
updated. Because instead of keeping track of the file through the symlink it
keeps track of the file pointed by the symlink. So when the secret is updated
the certificates is deleted and created into another folder and the symlink is
updated. But for the Scanner the file has been deleted. So it stops keeping
track of it and does not reload the certificate.
To illustrate my point:
* At the start, the pyramid is like that: {{truststore.jks}} [Symlink] ->
{{..data/truststore.jks}} [Symlink] ->
{{..2022_08_31_19_45_44.079808492/truststore.jks}}
* After the update, the pyramid is like that: {{truststore.jks}} [Symlink] ->
{{..data/truststore.jks}} [Symlink] -> {{..<NEW_TIMESTAMP>/truststore.jks}}
The symlink still references a right file but as the "real" file changed of
directory the scanner considers that the file has been deleted and therefore
stop keeping track of it.
The Scanner from Jetty will by default have the parameter {{reportRealPaths}}
set to {{true}}. If set to true, the listenesr used by the Scanner are called
with the real path of scanned files. Sot the parameter should be set to
{{false}}.
was:
On a NiFi running on K8S. The certificates are provided by a secret to the
pods, so to allow NiFi to reload them when they are updated, I set the
{{nifi.security.autoreload.enabled }}flag to {{{}true{}}}. But the secret
mounting mechanism makes that there is a set of symlink and the scanner that
keeps track of the certificates considers that the certificates are deleted and
not updated. Because instead of keeping track of the file through the symlink
it keeps track of the file pointed by the symlink. So when the secret is
updated the certificates is deleted and created into another folder and the
symlink is updated. But for the Scanner the file has been deleted. So it stops
keeping track of it and does not reload the certificate.
To illustrate my point: * At the start, the pyramid is like that:
{{truststore.jks}} [Symlink] -> {{..data/truststore.jks}} [Symlink] ->
{{..2022_08_31_19_45_44.079808492/truststore.jks}}
* After the update, the pyramid is like that: {{truststore.jks}} [Symlink] ->
{{..data/truststore.jks}} [Symlink] -> {{..<NEW_TIMESTAMP>/truststore.jks}}
The symlink still references a right file but as the "real" file changed of
directory the scanner considers that the file has been deleted and therefore
stop keeping track of it.
The Scanner from Jetty will by default have the parameter {{reportRealPaths}}
set to {{{}true{}}}. If set to true, the listenesr used by the Scanner are
called with the real path of scanned files. Sot the parameter should be set to
{{{}false{}}}.
> nifi.security.autoreload.enabled feature doesn't work with symlink
> ------------------------------------------------------------------
>
> Key: NIFI-10425
> URL: https://issues.apache.org/jira/browse/NIFI-10425
> Project: Apache NiFi
> Issue Type: Improvement
> Reporter: Julien G.
> Priority: Major
> Fix For: 1.18.0
>
>
> On a NiFi running on K8S. The certificates are provided by a secret to the
> pods, so to allow NiFi to reload them when they are updated, I set the
> {{nifi.security.autoreload.enabled}} flag to {{true}}. But the secret
> mounting mechanism makes that there is a set of symlink and the scanner that
> keeps track of the certificates considers that the certificates are deleted
> and not updated. Because instead of keeping track of the file through the
> symlink it keeps track of the file pointed by the symlink. So when the
> secret is updated the certificates is deleted and created into another folder
> and the symlink is updated. But for the Scanner the file has been deleted. So
> it stops keeping track of it and does not reload the certificate.
> To illustrate my point:
> * At the start, the pyramid is like that: {{truststore.jks}} [Symlink] ->
> {{..data/truststore.jks}} [Symlink] ->
> {{..2022_08_31_19_45_44.079808492/truststore.jks}}
> * After the update, the pyramid is like that: {{truststore.jks}} [Symlink]
> -> {{..data/truststore.jks}} [Symlink] ->
> {{..<NEW_TIMESTAMP>/truststore.jks}}
> The symlink still references a right file but as the "real" file changed of
> directory the scanner considers that the file has been deleted and therefore
> stop keeping track of it.
> The Scanner from Jetty will by default have the parameter {{reportRealPaths}}
> set to {{true}}. If set to true, the listenesr used by the Scanner are called
> with the real path of scanned files. Sot the parameter should be set to
> {{false}}.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
