[GitHub] [nifi] tpalfy commented on a change in pull request #4348: NIFI-7523: Use SSL Context Service for Atlas HTTPS connection in Atla…
tpalfy commented on a change in pull request #4348:
URL: https://github.com/apache/nifi/pull/4348#discussion_r444222618
##
File path:
nifi-commons/nifi-security-utils/src/main/java/org/apache/nifi/security/credstore/HadoopCredentialStore.java
##
@@ -0,0 +1,85 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.nifi.security.credstore;
+
+import org.apache.nifi.processor.exception.ProcessException;
+
+import javax.crypto.spec.SecretKeySpec;
+import java.io.FileNotFoundException;
+import java.io.FileOutputStream;
+import java.net.URI;
+import java.net.URISyntaxException;
+import java.security.KeyStore;
+import java.util.Map;
+
+public class HadoopCredentialStore {
Review comment:
Taking a closer look, I think we would be better off using the hadoop
library for this.
This module already depends on `hadoop-commons` and the API between NiFi and
Atlas solidifies this dependency - although not explicitly through code, but
through the constraints of how to create the keystore.
I don't think it's worth having our own version but @bbende, I'd give you
the final word on this one.
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org
[GitHub] [nifi] tpalfy commented on a change in pull request #4348: NIFI-7523: Use SSL Context Service for Atlas HTTPS connection in Atla…
tpalfy commented on a change in pull request #4348:
URL: https://github.com/apache/nifi/pull/4348#discussion_r443719863
##
File path:
nifi-commons/nifi-security-utils/src/main/java/org/apache/nifi/security/credstore/HadoopCredentialStore.java
##
@@ -0,0 +1,85 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.nifi.security.credstore;
+
+import org.apache.nifi.processor.exception.ProcessException;
+
+import javax.crypto.spec.SecretKeySpec;
+import java.io.FileNotFoundException;
+import java.io.FileOutputStream;
+import java.net.URI;
+import java.net.URISyntaxException;
+import java.security.KeyStore;
+import java.util.Map;
+
+public class HadoopCredentialStore {
+
+private static final String CRED_STORE_PASSWORD_ENVVAR =
"HADOOP_CREDSTORE_PASSWORD";
Review comment:
Could use the Hadoop constants.
##
File path:
nifi-nar-bundles/nifi-atlas-bundle/nifi-atlas-reporting-task/src/main/java/org/apache/nifi/atlas/reporting/ReportLineageToAtlas.java
##
@@ -385,31 +401,50 @@ protected PropertyDescriptor
getSupportedDynamicPropertyDescriptor(String proper
protected Collection customValidate(ValidationContext
context) {
final Collection results = new ArrayList<>();
-final boolean isSSLContextServiceSet =
context.getProperty(KAFKA_SSL_CONTEXT_SERVICE).isSet();
+final SSLContextService sslContextService =
context.getProperty(SSL_CONTEXT_SERVICE).asControllerService(SSLContextService.class);
final ValidationResult.Builder invalidSSLService = new
ValidationResult.Builder()
-
.subject(KAFKA_SSL_CONTEXT_SERVICE.getDisplayName()).valid(false);
+.subject(SSL_CONTEXT_SERVICE.getDisplayName()).valid(false);
+AtomicBoolean isAtlasApiSecure = new AtomicBoolean(false);
String atlasUrls =
context.getProperty(ATLAS_URLS).evaluateAttributeExpressions().getValue();
if (!StringUtils.isEmpty(atlasUrls)) {
Arrays.stream(atlasUrls.split(ATLAS_URL_DELIMITER))
.map(String::trim)
.forEach(input -> {
-final ValidationResult.Builder builder = new
ValidationResult.Builder().subject(ATLAS_URLS.getDisplayName()).input(input);
try {
-new URL(input);
-results.add(builder.explanation("Valid
URI").valid(true).build());
+final URL url = new URL(input);
+if ("https".equalsIgnoreCase(url.getProtocol())) {
+isAtlasApiSecure.set(true);
+}
} catch (Exception e) {
-results.add(builder.explanation("Contains invalid URI:
" + e).valid(false).build());
+results.add(new
ValidationResult.Builder().subject(ATLAS_URLS.getDisplayName()).input(input)
+.explanation("contains invalid URI: " +
e).valid(false).build());
}
});
}
+if (isAtlasApiSecure.get()) {
+if (sslContextService == null) {
+results.add(invalidSSLService.explanation("required for
connecting to Atlas via HTTPS.").build());
+} else if
(context.getControllerServiceLookup().isControllerServiceEnabled(sslContextService))
{
+if (!sslContextService.isTrustStoreConfigured()) {
+results.add(invalidSSLService.explanation("no truststore
configured which is required for connecting to Atlas via HTTPS.").build());
+} else if
(!KEYSTORE_TYPE_JKS.equalsIgnoreCase(sslContextService.getTrustStoreType())) {
+results.add(invalidSSLService.explanation("truststore type
is not JKS. Atlas client supports JKS truststores only.").build());
+}
+}
+}
+
final String atlasAuthNMethod =
context.getProperty(ATLAS_AUTHN_METHOD).getValue();
final AtlasAuthN atlasAuthN = getAtlasAuthN(atlasAuthNMethod);
results.addAll(atlasAuthN.validate(context));
-
-namespaceResolverLoader.forEach(resolver ->
[GitHub] [nifi] tpalfy commented on a change in pull request #4348: NIFI-7523: Use SSL Context Service for Atlas HTTPS connection in Atla…
tpalfy commented on a change in pull request #4348: URL: https://github.com/apache/nifi/pull/4348#discussion_r443637366 ## File path: nifi-nar-bundles/nifi-atlas-bundle/nifi-atlas-reporting-task/src/main/java/org/apache/nifi/atlas/reporting/ReportLineageToAtlas.java ## @@ -322,9 +328,19 @@ private static final String ATLAS_PROPERTY_CLUSTER_NAME = "atlas.cluster.name"; private static final String ATLAS_PROPERTY_REST_ADDRESS = "atlas.rest.address"; private static final String ATLAS_PROPERTY_ENABLE_TLS = "atlas.enableTLS"; +private static final String ATLAS_PROPERTY_TRUSTSTORE_FILE = "truststore.file"; Review comment: Could we use the Atlas constants instead? This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: us...@infra.apache.org
