[GitHub] [nifi] tpalfy commented on a change in pull request #4348: NIFI-7523: Use SSL Context Service for Atlas HTTPS connection in Atla…
tpalfy commented on a change in pull request #4348: URL: https://github.com/apache/nifi/pull/4348#discussion_r444222618 ## File path: nifi-commons/nifi-security-utils/src/main/java/org/apache/nifi/security/credstore/HadoopCredentialStore.java ## @@ -0,0 +1,85 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.nifi.security.credstore; + +import org.apache.nifi.processor.exception.ProcessException; + +import javax.crypto.spec.SecretKeySpec; +import java.io.FileNotFoundException; +import java.io.FileOutputStream; +import java.net.URI; +import java.net.URISyntaxException; +import java.security.KeyStore; +import java.util.Map; + +public class HadoopCredentialStore { Review comment: Taking a closer look, I think we would be better off using the hadoop library for this. This module already depends on `hadoop-commons` and the API between NiFi and Atlas solidifies this dependency - although not explicitly through code, but through the constraints of how to create the keystore. I don't think it's worth having our own version but @bbende, I'd give you the final word on this one. This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: us...@infra.apache.org
[GitHub] [nifi] tpalfy commented on a change in pull request #4348: NIFI-7523: Use SSL Context Service for Atlas HTTPS connection in Atla…
tpalfy commented on a change in pull request #4348: URL: https://github.com/apache/nifi/pull/4348#discussion_r443719863 ## File path: nifi-commons/nifi-security-utils/src/main/java/org/apache/nifi/security/credstore/HadoopCredentialStore.java ## @@ -0,0 +1,85 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.nifi.security.credstore; + +import org.apache.nifi.processor.exception.ProcessException; + +import javax.crypto.spec.SecretKeySpec; +import java.io.FileNotFoundException; +import java.io.FileOutputStream; +import java.net.URI; +import java.net.URISyntaxException; +import java.security.KeyStore; +import java.util.Map; + +public class HadoopCredentialStore { + +private static final String CRED_STORE_PASSWORD_ENVVAR = "HADOOP_CREDSTORE_PASSWORD"; Review comment: Could use the Hadoop constants. ## File path: nifi-nar-bundles/nifi-atlas-bundle/nifi-atlas-reporting-task/src/main/java/org/apache/nifi/atlas/reporting/ReportLineageToAtlas.java ## @@ -385,31 +401,50 @@ protected PropertyDescriptor getSupportedDynamicPropertyDescriptor(String proper protected Collection customValidate(ValidationContext context) { final Collection results = new ArrayList<>(); -final boolean isSSLContextServiceSet = context.getProperty(KAFKA_SSL_CONTEXT_SERVICE).isSet(); +final SSLContextService sslContextService = context.getProperty(SSL_CONTEXT_SERVICE).asControllerService(SSLContextService.class); final ValidationResult.Builder invalidSSLService = new ValidationResult.Builder() - .subject(KAFKA_SSL_CONTEXT_SERVICE.getDisplayName()).valid(false); +.subject(SSL_CONTEXT_SERVICE.getDisplayName()).valid(false); +AtomicBoolean isAtlasApiSecure = new AtomicBoolean(false); String atlasUrls = context.getProperty(ATLAS_URLS).evaluateAttributeExpressions().getValue(); if (!StringUtils.isEmpty(atlasUrls)) { Arrays.stream(atlasUrls.split(ATLAS_URL_DELIMITER)) .map(String::trim) .forEach(input -> { -final ValidationResult.Builder builder = new ValidationResult.Builder().subject(ATLAS_URLS.getDisplayName()).input(input); try { -new URL(input); -results.add(builder.explanation("Valid URI").valid(true).build()); +final URL url = new URL(input); +if ("https".equalsIgnoreCase(url.getProtocol())) { +isAtlasApiSecure.set(true); +} } catch (Exception e) { -results.add(builder.explanation("Contains invalid URI: " + e).valid(false).build()); +results.add(new ValidationResult.Builder().subject(ATLAS_URLS.getDisplayName()).input(input) +.explanation("contains invalid URI: " + e).valid(false).build()); } }); } +if (isAtlasApiSecure.get()) { +if (sslContextService == null) { +results.add(invalidSSLService.explanation("required for connecting to Atlas via HTTPS.").build()); +} else if (context.getControllerServiceLookup().isControllerServiceEnabled(sslContextService)) { +if (!sslContextService.isTrustStoreConfigured()) { +results.add(invalidSSLService.explanation("no truststore configured which is required for connecting to Atlas via HTTPS.").build()); +} else if (!KEYSTORE_TYPE_JKS.equalsIgnoreCase(sslContextService.getTrustStoreType())) { +results.add(invalidSSLService.explanation("truststore type is not JKS. Atlas client supports JKS truststores only.").build()); +} +} +} + final String atlasAuthNMethod = context.getProperty(ATLAS_AUTHN_METHOD).getValue(); final AtlasAuthN atlasAuthN = getAtlasAuthN(atlasAuthNMethod); results.addAll(atlasAuthN.validate(context)); - -namespaceResolverLoader.forEach(resolver ->
[GitHub] [nifi] tpalfy commented on a change in pull request #4348: NIFI-7523: Use SSL Context Service for Atlas HTTPS connection in Atla…
tpalfy commented on a change in pull request #4348: URL: https://github.com/apache/nifi/pull/4348#discussion_r443637366 ## File path: nifi-nar-bundles/nifi-atlas-bundle/nifi-atlas-reporting-task/src/main/java/org/apache/nifi/atlas/reporting/ReportLineageToAtlas.java ## @@ -322,9 +328,19 @@ private static final String ATLAS_PROPERTY_CLUSTER_NAME = "atlas.cluster.name"; private static final String ATLAS_PROPERTY_REST_ADDRESS = "atlas.rest.address"; private static final String ATLAS_PROPERTY_ENABLE_TLS = "atlas.enableTLS"; +private static final String ATLAS_PROPERTY_TRUSTSTORE_FILE = "truststore.file"; Review comment: Could we use the Atlas constants instead? This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: us...@infra.apache.org