[ 
https://issues.apache.org/jira/browse/NIFI-7134?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17034876#comment-17034876
 ] 

Andy LoPresto commented on NIFI-7134:
-------------------------------------

Thanks for filing this, Patrick. I think there are a couple different pieces 
here that should be split out into multiple sub-tasks:

1. Allowing triggered reloading of certificate material without an application 
restart
2. A separate monitoring process (could be in `bootstrap`) which detects 
changes to the keystore contents (would need keystore password, etc.)

As the keystore & truststore and their relative passwords are specified in the 
{{nifi.properties}} file (often in encrypted form), we would need to be very 
careful about changing to a _new_ keystore or rotating a password without 
requiring a restart to ensure the canonical source of truth (the 
{{nifi.properties}} file) is always accurate. I think the specific scenario we 
could support easily is reloading the keystore when a new certificate is 
provided (likely in the same alias, perhaps in a new alias if NIFI-1995 is 
implemented) with the requirement that the file path and password have not 
changed. For enhanced behavior, we may need to make additional decisions about 
where those values come from and would be stored. 
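As an added illustration of the narrow scenario described in the comment above (this is example code, not Andy's or the NiFi project's), the watcher below triggers a Jetty reload only when the file at the unchanged path still opens with the unchanged password from nifi.properties, and otherwise leaves the currently loaded material in place. It assumes the Jetty 9.4 `SslContextFactory.reload(Consumer)` API referenced in [1]; the class and method names are hypothetical.

```java
import java.io.InputStream;
import java.nio.file.*;
import java.security.KeyStore;
import java.util.Collections;
import org.eclipse.jetty.util.ssl.SslContextFactory;

/** Hypothetical helper (not NiFi code): reload Jetty's TLS material only when the keystore
 *  at the unchanged path still opens with the unchanged password from nifi.properties. */
public final class KeystoreReloadWatcher {

    /** True only if the file loads with the current password and holds a private key entry.
     *  A half-written file, a wrong password or a key-less store keeps the current material. */
    static boolean isLoadable(Path keystorePath, char[] password, String type) {
        try (InputStream in = Files.newInputStream(keystorePath)) {
            KeyStore ks = KeyStore.getInstance(type);
            ks.load(in, password);
            for (String alias : Collections.list(ks.aliases())) {
                if (ks.isKeyEntry(alias)) return true;
            }
            return false;
        } catch (Exception e) {
            return false;
        }
    }

    /** Blocks, reloading the factory each time the keystore file changes and still validates.
     *  Path and password are the nifi.properties values and are never changed here. */
    static void watchAndReload(Path keystorePath, char[] password, String type,
                               SslContextFactory factory) throws Exception {
        Path dir = keystorePath.toAbsolutePath().getParent();
        Path name = keystorePath.getFileName();
        try (WatchService watcher = FileSystems.getDefault().newWatchService()) {
            // Watch the directory: rotation tools often write a temp file and rename it into place.
            dir.register(watcher, StandardWatchEventKinds.ENTRY_CREATE, StandardWatchEventKinds.ENTRY_MODIFY);
            while (!Thread.currentThread().isInterrupted()) {
                WatchKey key = watcher.take();
                for (WatchEvent<?> event : key.pollEvents()) {
                    if (name.equals(event.context()) && isLoadable(keystorePath, password, type)) {
                        // Jetty 9.4 API: same path and password, so the consumer has nothing to change.
                        factory.reload(f -> { });
                    }
                }
                if (!key.reset()) break; // directory no longer watchable
            }
        }
    }
}
```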

> Enable JettyServer to automatically detect keystore changes and update
> ----------------------------------------------------------------------
>
>                 Key: NIFI-7134
>                 URL: https://issues.apache.org/jira/browse/NIFI-7134
>             Project: Apache NiFi
>          Issue Type: New Feature
>          Components: Core Framework, Security
>    Affects Versions: 1.11.1
>            Reporter: patrick white
>            Priority: Minor
>              Labels: jetty, keystore, restart, security, tls
>
> TLS/keystore credential change currently requires a service restart to 
> update, [~alopresto] noted on 'users' that Jetty 9.3+ supports the ability to 
> dynamically update credentials, and provided reference [1].
> Request enabling NiFi JettyServer to support detection and reload of its 
> keystore when it changes, such as during credentials update or rotation; will 
> link this request to epic [2].
> [1] https://github.com/eclipse/jetty.project/issues/918
> [2] https://issues.apache.org/jira/browse/NIFI-5458



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
