[ https://issues.apache.org/jira/browse/NIFI-5752?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16677766#comment-16677766 ]
ASF GitHub Bot commented on NIFI-5752:
--------------------------------------

Github user kotarot commented on a diff in the pull request:

    https://github.com/apache/nifi/pull/3110#discussion_r231397141

--- Diff: nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-framework-core/src/main/java/org/apache/nifi/controller/queue/clustered/server/ClusterLoadBalanceAuthorizer.java ---
@@ -33,14 +42,27 @@ private final ClusterCoordinator clusterCoordinator; private final EventReporter eventReporter; + private final HostnameVerifier hostnameVerifier; public ClusterLoadBalanceAuthorizer(final ClusterCoordinator clusterCoordinator, final EventReporter eventReporter) { this.clusterCoordinator = clusterCoordinator; this.eventReporter = eventReporter; + this.hostnameVerifier = new DefaultHostnameVerifier(); } @Override - public String authorize(final Collection<String> clientIdentities) throws NotAuthorizedException { + public String authorize(SSLSocket sslSocket) throws NotAuthorizedException, IOException { + final SSLSession sslSession = sslSocket.getSession(); + + final Set<String> clientIdentities; + try { + clientIdentities = getCertificateIdentities(sslSession); + } catch (final CertificateException e) { + throw new IOException("Failed to extract Client Certificate", e); + } + + logger.debug("Will perform authorization against Client Identities '{}'", clientIdentities); + if (clientIdentities == null) { --- End diff -- @ijokarumawak OK, I get it now. Thanks for kindly telling me that. I pushed a new commit. Please check it. Thanks! > Load balancing fails with wildcard certs > ---------------------------------------- > > Key: NIFI-5752 > URL: https://issues.apache.org/jira/browse/NIFI-5752 > Project: Apache NiFi > Issue Type: Bug > Affects Versions: 1.8.0 > Reporter: Kotaro Terada > Assignee: Kotaro Terada > Priority: Major > > Load balancing fails when we construct a secure cluster with wildcard certs. > For example, assume that we have a valid wildcard cert for {{*.example.com}} > and a cluster consists of {{nf1.example.com}}, {{nf2.example.com}}, and > {{nf3.example.com}} . 
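Review bot: the `catch (final CertificateException e)` in `authorize` rethrows as `new IOException("Failed to extract Client Certificate", e)`, which makes a missing or unparseable client certificate look like a transport failure to the caller; since a peer whose certificate cannot be read cannot be authorized, throwing `NotAuthorizedException` there (the method already declares it) keeps that case on the authorization path rather than on whatever retry or reconnect handling the caller applies to `IOException`. Secondly, `this.hostnameVerifier = new DefaultHostnameVerifier();` hard-wires the verifier in the constructor; taking it as a constructor argument with that default would let the wildcard-matching path be unit-tested with a stub, and a short comment on the field saying it exists to match wildcard certificate identities against node host names would help the next reader, because nothing in this hunk shows the field being used yet.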
> We cannot transfer a FlowFile between nodes for load balancing because of the following authorization error:
> {noformat}
> 2018-10-25 19:05:13,520 WARN [Load Balance Server Thread-2] o.a.n.c.q.c.s.ClusterLoadBalanceAuthorizer Authorization failed for Client ID's [*.example.com] to Load Balance data because none of the ID's are known Cluster Node Identifiers
> 2018-10-25 19:05:13,521 ERROR [Load Balance Server Thread-2] o.a.n.c.q.c.s.ConnectionLoadBalanceServer Failed to communicate with Peer /xxx.xxx.xxx.xxx:xxxxx
> org.apache.nifi.controller.queue.clustered.server.NotAuthorizedException: Client ID's [*.example.com] are not authorized to Load Balance data
> at org.apache.nifi.controller.queue.clustered.server.ClusterLoadBalanceAuthorizer.authorize(ClusterLoadBalanceAuthorizer.java:65)
> at org.apache.nifi.controller.queue.clustered.server.StandardLoadBalanceProtocol.receiveFlowFiles(StandardLoadBalanceProtocol.java:142)
> at org.apache.nifi.controller.queue.clustered.server.ConnectionLoadBalanceServer$CommunicateAction.run(ConnectionLoadBalanceServer.java:176)
> at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
> at java.util.concurrent.FutureTask.run(FutureTask.java:266)
> at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$201(ScheduledThreadPoolExecutor.java:180)
> at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:293)
> at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
> at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
> at java.lang.Thread.run(Thread.java:748)
> {noformat}
> This problem occurs because in the {{authorize}} method of the {{ClusterLoadBalanceAuthorizer}} class, authorization is tried by just matching strings.

--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
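To illustrate the mismatch the report describes, here is a standalone Python reimplementation (added here; not NiFi's code, whose fix delegates to Apache HttpClient's DefaultHostnameVerifier as the diff shows) of the plain string comparison next to RFC 6125-style host name matching, run against the cluster and wildcard identity from the report. All function names are hypothetical and the sample data is constructed.

```python
# Constructed sample data from the report: three cluster nodes and the single
# identity a peer presents from a wildcard certificate.
CLUSTER_NODE_IDS = {"nf1.example.com", "nf2.example.com", "nf3.example.com"}
CLIENT_IDENTITIES = {"*.example.com"}


def authorize_by_string_match(client_identities, node_ids):
    """The failing check: an identity is accepted only if it is literally
    one of the known node identifiers, so '*.example.com' never matches."""
    for identity in client_identities:
        if identity in node_ids:
            return identity
    return None


def hostname_matches(pattern, hostname):
    """RFC 6125-style matching, the kind of rule a HostnameVerifier applies.
    A wildcard is allowed only as the entire leftmost label and matches exactly
    one label: '*.example.com' matches 'nf1.example.com' but not
    'example.com', 'a.b.example.com' or 'nf1.example.org'."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # The wildcard must be the whole first label, and the pattern must keep at
    # least two real labels after it, so '*.com' can never match a whole TLD.
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False
    if len(h_labels) != len(p_labels) or h_labels[0] == "":
        return False
    return h_labels[1:] == p_labels[1:]


def authorize_by_hostname_match(client_identities, node_ids):
    """The fixed check: an identity, wildcard or not, is accepted if it
    matches the host name of any known cluster node. Every holder of the
    wildcard certificate is then trusted as a node, which is the trust
    boundary a wildcard certificate implies."""
    for identity in client_identities:
        for node in sorted(node_ids):
            if hostname_matches(identity, node):
                return node
    return None


if __name__ == "__main__":
    print("string match  :", authorize_by_string_match(CLIENT_IDENTITIES, CLUSTER_NODE_IDS))
    print("hostname match:", authorize_by_hostname_match(CLIENT_IDENTITIES, CLUSTER_NODE_IDS))
```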