Github user ijokarumawak commented on a diff in the pull request:

    https://github.com/apache/nifi/pull/3110#discussion_r228387841
  
    --- Diff: nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-framework-core/src/main/java/org/apache/nifi/controller/queue/clustered/server/ClusterLoadBalanceAuthorizer.java ---
    @@ -40,28 +42,23 @@ public ClusterLoadBalanceAuthorizer(final 
ClusterCoordinator clusterCoordinator,
         }
     
         @Override
    -    public void authorize(final Collection<String> clientIdentities) 
throws NotAuthorizedException {
    -        if (clientIdentities == null) {
    -            logger.debug("Client Identities is null, so assuming that Load 
Balancing communications are not secure. Authorizing client to participate in 
Load Balancing");
    -            return;
    -        }
    -
    -        final Set<String> nodeIds = 
clusterCoordinator.getNodeIdentifiers().stream()
    +    public void authorize(final SSLSession sslSession) throws 
NotAuthorizedException {
    +        final List<String> nodeIds = 
clusterCoordinator.getNodeIdentifiers().stream()
                     .map(NodeIdentifier::getApiAddress)
    -                .collect(Collectors.toSet());
    +                .collect(Collectors.toList());
     
    -        for (final String clientId : clientIdentities) {
    -            if (nodeIds.contains(clientId)) {
    -                logger.debug("Client ID '{}' is in the list of Nodes in 
the Cluster. Authorizing Client to Load Balance data", clientId);
    +        for (final String nodeId : nodeIds) {
    +            final HostnameVerifier verifier = new 
DefaultHostnameVerifier();
    +            if (verifier.verify(nodeId, sslSession)) {
    +                logger.debug("Authorizing Client to Load Balance data");
                     return;
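    Review bot: the null guard of the old `authorize` is gone without a replacement: before, a null `clientIdentities` meant "not secured, allow", but `verifier.verify(nodeId, sslSession)` is now called unconditionally, so a null `sslSession` will throw from inside `DefaultHostnameVerifier.verify` rather than being handled here. Either keep an explicit null check that throws `NotAuthorizedException` with a clear message, or document on the method that callers must only invoke it with a secured session. Two smaller points in the same loop: `new DefaultHostnameVerifier()` is allocated on every iteration and can be hoisted above the `for`, and `logger.debug("Authorizing Client to Load Balance data")` lost the identity that the old message carried; log the matching `nodeId` so that which node was accepted is at least visible in the logs.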
    --- End diff --
    
    By #3109, we need to return the client peer description when authorization 
passes. For the most informative result for data provenance, we need to do:
    - If any SAN exists in the known nodeIds, then return the matched SAN (this 
can be done by the existing code); this way, we can identify which node sent 
the request as well as possible. (If the cert contains multiple nodeIds as SANs, this logic 
can be broken, but I believe that is a corner case that we don't need to 
support.)
    - If none of the SANs matches any nodeId, then use the hostname verifier to 
support wildcard certs. In this case, return the hostname derived from the socket 
address.
    
    Alternatively, we just need to use the hostname verifier and use the 
hostname derived from the socket address in every case for provenance data. What 
do you think, @markap14?
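The two-pass resolution described in the comment above (exact SAN match against known node addresses first, wildcard fallback second, socket-derived hostname when only the wildcard path matches), written out as an added example. This is not NiFi code and not the PR's implementation: the class name `LoadBalancePeerResolver` is hypothetical, the wildcard rule is a small RFC 6125-style matcher standing in for Apache HttpClient's `DefaultHostnameVerifier` so the file compiles without that dependency, and the node addresses, SAN lists and socket address in `main` are constructed sample data. It also handles the corner case the comment mentions (several SANs that are node addresses) by preferring the SAN equal to the socket host, which goes slightly beyond the comment's proposal.

```java
import java.net.InetSocketAddress;
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.List;
import java.util.Locale;
import java.util.Optional;

/** Hypothetical helper (not NiFi code) that resolves an authorized peer description for provenance. */
public final class LoadBalancePeerResolver {

    // GeneralName tag for dNSName entries as returned by X509Certificate.getSubjectAlternativeNames()
    private static final int DNS_NAME = 2;

    /** dNSName SANs of the peer certificate, lower-cased; empty if the cert has none or cannot be parsed. */
    static List<String> dnsSans(final X509Certificate cert) {
        final List<String> out = new ArrayList<>();
        try {
            final Collection<List<?>> sans = cert.getSubjectAlternativeNames();
            if (sans != null) {
                for (final List<?> san : sans) {
                    if (Integer.valueOf(DNS_NAME).equals(san.get(0))) {
                        out.add(((String) san.get(1)).toLowerCase(Locale.ROOT));
                    }
                }
            }
        } catch (final CertificateParsingException e) {
            // Unparseable SAN extension: treat as "no SANs" so that resolution falls through to denial.
        }
        return out;
    }

    /**
     * Simplified RFC 6125 wildcard rule (assumption: stands in for DefaultHostnameVerifier here).
     * A single leading "*." matches exactly one non-empty label and must leave at least two labels,
     * so "*.example.com" matches "nifi-1.example.com" but not "a.b.example.com" or "example.com".
     */
    static boolean wildcardMatches(final String pattern, final String host) {
        final String p = pattern.toLowerCase(Locale.ROOT);
        final String h = host.toLowerCase(Locale.ROOT);
        if (!p.startsWith("*.")) {
            return p.equals(h);
        }
        final String suffix = p.substring(1);                 // e.g. ".example.com"
        if (!h.endsWith(suffix)) {
            return false;
        }
        final String leftmost = h.substring(0, h.length() - suffix.length());
        return !leftmost.isEmpty() && leftmost.indexOf('.') < 0 && suffix.indexOf('.', 1) > 0;
    }

    /**
     * Pass 1: a SAN that exactly equals a known node address identifies the sending node; if several
     * SANs are node addresses, prefer the one equal to the socket host. Pass 2: a wildcard SAN that
     * covers any known node authorizes the peer, but only the socket-derived hostname can be reported.
     * An empty Optional means "not authorized".
     */
    static Optional<String> resolvePeer(final List<String> sans, final Collection<String> nodeIds,
                                        final InetSocketAddress peer) {
        final String socketHost = peer.getHostString().toLowerCase(Locale.ROOT); // no reverse DNS lookup
        final List<String> exact = new ArrayList<>();
        for (final String nodeId : nodeIds) {
            final String id = nodeId.toLowerCase(Locale.ROOT);
            if (sans.contains(id)) {
                exact.add(id);
            }
        }
        if (!exact.isEmpty()) {
            return Optional.of(exact.contains(socketHost) ? socketHost : exact.get(0));
        }
        for (final String nodeId : nodeIds) {
            for (final String san : sans) {
                if (wildcardMatches(san, nodeId)) {
                    return Optional.of(socketHost);
                }
            }
        }
        return Optional.empty();
    }

    public static void main(final String[] args) {
        // Constructed sample data. In a real server the SAN list would come from
        // dnsSans((X509Certificate) sslSession.getPeerCertificates()[0]).
        final List<String> nodeIds = Arrays.asList("nifi-1.example.com", "nifi-2.example.com");
        final InetSocketAddress peer = InetSocketAddress.createUnresolved("nifi-2.example.com", 6342);

        System.out.println(resolvePeer(Arrays.asList("nifi-2.example.com", "nifi-2"), nodeIds, peer));
        System.out.println(resolvePeer(Arrays.asList("*.example.com"), nodeIds, peer));
        System.out.println(resolvePeer(Arrays.asList("*.example.org"), nodeIds, peer));
    }
}
```

The first call resolves to the exact node address, the second authorizes through the wildcard and reports the socket-derived name, and the third is denied. Note what the wildcard path gives up: any holder of a `*.example.com` certificate that can reach the port passes, so the returned hostname is only as trustworthy as the network path, not the certificate.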

