[GitHub] nifi pull request #3110: NIFI-5752: Load balancing fails with wildcard certs

Fri, 26 Oct 2018 06:51:39 -0700 

Github user markap14 commented on a diff in the pull request:

    https://github.com/apache/nifi/pull/3110#discussion_r228534325
  
    --- Diff: 
nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-framework-core/src/main/java/org/apache/nifi/controller/queue/clustered/server/ClusterLoadBalanceAuthorizer.java
 ---
    @@ -40,28 +42,23 @@ public ClusterLoadBalanceAuthorizer(final 
ClusterCoordinator clusterCoordinator,
         }
     
         @Override
    -    public void authorize(final Collection<String> clientIdentities) 
throws NotAuthorizedException {
    -        if (clientIdentities == null) {
    -            logger.debug("Client Identities is null, so assuming that Load 
Balancing communications are not secure. Authorizing client to participate in 
Load Balancing");
    -            return;
    -        }
    -
    -        final Set<String> nodeIds = 
clusterCoordinator.getNodeIdentifiers().stream()
    +    public void authorize(final SSLSession sslSession) throws 
NotAuthorizedException {
    +        final List<String> nodeIds = 
clusterCoordinator.getNodeIdentifiers().stream()
                     .map(NodeIdentifier::getApiAddress)
    -                .collect(Collectors.toSet());
    +                .collect(Collectors.toList());
     
    -        for (final String clientId : clientIdentities) {
    -            if (nodeIds.contains(clientId)) {
    -                logger.debug("Client ID '{}' is in the list of Nodes in 
the Cluster. Authorizing Client to Load Balance data", clientId);
    +        for (final String nodeId : nodeIds) {
    +            final HostnameVerifier verifier = new 
DefaultHostnameVerifier();
    +            if (verifier.verify(nodeId, sslSession)) {
    +                logger.debug("Authorizing Client to Load Balance data");
                     return;
    --- End diff --
    
    I think falling back to the hostname from the socket whenever there is not 
an exact match (i.e., the wildcard matches but not an exact string comparison) 
is fair. Originally, we used the hostname directly from the socket, but as Koji 
mentioned in #3109 we changed that behavior. This was done because when you 
look at Provenance data (and in logs), what you may see is something like a 
RECEIVE event with a transit URI of nifi://s7302.r720.y8302.mydomain.com 
because that's the FQDN but the user typically references this node as say 
nifi-01.mydomain.com. If the UI shows the node as nifi-01.mydomain.com in the 
cluster table, then it is best to show that in the Provenance and logs as well. 
This is especially true in virtual environments, running in Docker or in a 
publish Cloud/VM where often the hostname reported by socket.getInetAddress() 
is very different than what we typically like to see.
    
    Does that make sense?
    
    Also @kotarot thank you for noticing this and submitting this contribution!


---

Reply via email to