[GitHub] nifi-minifi-cpp pull request #41: MINIFI-184: Add Security Support

2017-02-09 Thread asfgit
Github user asfgit closed the pull request at:

https://github.com/apache/nifi-minifi-cpp/pull/41


---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastruct...@apache.org or file a JIRA ticket
with INFRA.
---


[GitHub] nifi-minifi-cpp pull request #41: MINIFI-184: Add Security Support

2017-02-07 Thread benqiu2016
Github user benqiu2016 commented on a diff in the pull request:

https://github.com/apache/nifi-minifi-cpp/pull/41#discussion_r99884121
  
--- Diff: libminifi/include/FlowController.h ---
@@ -90,6 +93,25 @@ class FlowController
}
return _flowController;
}
+   //! passphase for the private file callback
--- End diff --
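
Review bot: The added comment at the end of this hunk misspells "passphrase" as "passphase", and "private file" reads as if it should be "private key file". The same spelling recurs in the configuration key `nifi.security.client.pass.phase` elsewhere in this pull request, so it is worth correcting both in one pass before the name becomes user-facing.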

All the central services like provenance and others are tied with 
flowController like current NiFi.
It makes the code more clear.




[GitHub] nifi-minifi-cpp pull request #41: MINIFI-184: Add Security Support

2017-02-07 Thread phrocker
Github user phrocker commented on a diff in the pull request:

https://github.com/apache/nifi-minifi-cpp/pull/41#discussion_r99357721
  
--- Diff: libminifi/src/FlowController.cpp ---
@@ -75,22 +78,123 @@ FlowController::FlowController(std::string name)
 }
 }
 
-path = realpath(adjustedFilename.c_str(), full_path);
+   path = realpath(adjustedFilename.c_str(), full_path);
if (!path)
{
 _logger->log_error("Could not locate path from provided 
configuration file name (%s).  Exiting.", full_path);
 exit(1);
 }
 
-std::string pathString(path);
-_configurationFileName = pathString;
-_logger->log_info("FlowController NiFi Configuration file %s", 
pathString.c_str());
+   std::string pathString(path);
--- End diff --
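
Review bot: The error path after `realpath(adjustedFilename.c_str(), full_path)` logs `full_path`, but when `realpath()` returns NULL the contents of that output buffer are not specified by POSIX, so the message can show a partial or empty path. Log `adjustedFilename.c_str()` together with `strerror(errno)` instead. Separately, the removed and added `path = realpath(...)` and `std::string pathString(path);` lines visible here differ only in leading whitespace; keeping re-indentation out of a security change makes the functional diff easier to review.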

Would it make sense to break this out into a separate class to reduce 
coupling with the security library within the FlowController?




[GitHub] nifi-minifi-cpp pull request #41: MINIFI-184: Add Security Support

2017-02-07 Thread phrocker
Github user phrocker commented on a diff in the pull request:

https://github.com/apache/nifi-minifi-cpp/pull/41#discussion_r99357571
  
--- Diff: libminifi/include/FlowController.h ---
@@ -90,6 +93,25 @@ class FlowController
}
return _flowController;
}
+   //! passphase for the private file callback
--- End diff --

Could we extract SSL functionality into separate classes so we don't 
couple the controller with security?




[GitHub] nifi-minifi-cpp pull request #41: MINIFI-184: Add Security Support

2017-02-07 Thread phrocker
Github user phrocker commented on a diff in the pull request:

https://github.com/apache/nifi-minifi-cpp/pull/41#discussion_r99357485
  
--- Diff: cmake/FindOpenSSL.cmake ---
@@ -0,0 +1,28 @@
+#  OPENSSL_ROOT_DIR - Set this variable to the root installation of OpenSSL
+#
+# Read-Only variables:
+#  OPENSSL_FOUND - system has the OpenSSL library
+#  OPENSSL_INCLUDE_DIR - the OpenSSL include directory
+#  OPENSSL_LIBRARIES - The libraries needed to use OpenSSL
+#  OPENSSL_VERSION - This is set to $major.$minor.$revision$path (eg. 
0.9.8s)
+
+find_path(OPENSSL_INCLUDE_DIR
+NAMES openssl/ssl.h
--- End diff --
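
Review bot: The header comment for `OPENSSL_VERSION` reads `$major.$minor.$revision$path`; given the example `0.9.8s`, the last component is the patch letter, so this should be `$patch`. If the TLS code in this pull request depends on a particular OpenSSL release, the minimum version should also be stated in this header so that the requirement is visible where the library is located.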

Did you consider BOTAN? That's a purely C++/Crypto library (one of many). 
Any particular reason we are introducing a C library when C++ libraries exist? 




[GitHub] nifi-minifi-cpp pull request #41: MINIFI-184: Add Security Support

2017-02-03 Thread benqiu2016
Github user benqiu2016 commented on a diff in the pull request:

https://github.com/apache/nifi-minifi-cpp/pull/41#discussion_r99379332
  
--- Diff: cmake/FindOpenSSL.cmake ---
@@ -0,0 +1,28 @@
+#  OPENSSL_ROOT_DIR - Set this variable to the root installation of OpenSSL
--- End diff --

If I do not provide that, the build fails.




[GitHub] nifi-minifi-cpp pull request #41: MINIFI-184: Add Security Support

2017-01-30 Thread apiri
Github user apiri commented on a diff in the pull request:

https://github.com/apache/nifi-minifi-cpp/pull/41#discussion_r98259383
  
--- Diff: libminifi/src/Configure.cpp ---
@@ -29,6 +29,12 @@ const char *Configure::nifi_server_report_interval= 
"nifi.server.report.interval
 const char *Configure::nifi_provenance_repository_max_storage_size = 
"nifi.provenance.repository.max.storage.size";
 const char *Configure::nifi_provenance_repository_max_storage_time = 
"nifi.provenance.repository.max.storage.time";
 const char *Configure::nifi_provenance_repository_directory_default = 
"nifi.provenance.repository.directory.default";
+const char *Configure::nifi_remote_input_secure = 
"nifi.remote.input.secure";
+const char *Configure::nifi_security_need_ClientAuth = 
"nifi.security.need.ClientAuth";
--- End diff --

If we are matching NiFi's, this should be nifi.security.needClientAuth




[GitHub] nifi-minifi-cpp pull request #41: MINIFI-184: Add Security Support

2017-01-30 Thread apiri
Github user apiri commented on a diff in the pull request:

https://github.com/apache/nifi-minifi-cpp/pull/41#discussion_r98260259
  
--- Diff: README.md ---
@@ -243,6 +245,26 @@ Additionally, users can utilize the MiNiFi Toolkit 
Converter (version 0.0.1 - sc
 Port: 10001
 Host Name: localhost
 
+### Site2Site Security Configuration
+
+in minifi.properties 
+
+enable tls ssl
+nifi.remote.input.secure=true
+
+if you want to enable client certificate base authorization 
+nifi.security.need.ClientAuth=true
+setup the client certificate and private key PEM files
+nifi.security.client.certificate=./conf/client.pem
+nifi.security.client.private.key=./conf/client.pem
+setup the client private key passphase file
+nifi.security.client.pass.phase=./conf/password
--- End diff --
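
Review bot: The added README text tells users to keep the private key passphrase in a plain file (`./conf/password`) without any guidance on protecting it, and the example points both `nifi.security.client.certificate` and `nifi.security.client.private.key` at the same `./conf/client.pem`. Add a line stating that the passphrase file and the PEM holding the private key should be readable only by the account that runs MiNiFi, and say whether a combined certificate-and-key PEM is required or only an example. "client certificate base authorization" would also read better as "client certificate-based authentication".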

likely should just be passphrase




[GitHub] nifi-minifi-cpp pull request #41: MINIFI-184: Add Security Support

2017-01-30 Thread apiri
Github user apiri commented on a diff in the pull request:

https://github.com/apache/nifi-minifi-cpp/pull/41#discussion_r98259083
  
--- Diff: cmake/FindOpenSSL.cmake ---
@@ -0,0 +1,28 @@
+#  OPENSSL_ROOT_DIR - Set this variable to the root installation of OpenSSL
--- End diff --

I believe this should be unneeded as cmake has a built in FindOpenSSL 
module.




[GitHub] nifi-minifi-cpp pull request #41: MINIFI-184: Add Security Support

2017-01-30 Thread apiri
Github user apiri commented on a diff in the pull request:

https://github.com/apache/nifi-minifi-cpp/pull/41#discussion_r98476688
  
--- Diff: libminifi/src/Site2SitePeer.cpp ---
@@ -237,12 +271,31 @@ int Site2SitePeer::readData(uint8_t *buf, int buflen, 
CRC32 *crc)
Close();
return status;
}
-   status = recv(_socket, buf, buflen, 0);
-   if (status <= 0)
+   if (!_ssl)
{
-   Close();
-   // this->yield();
-   return status;
+   status = recv(_socket, buf, buflen, 0);
+   if (status <= 0)
+   {
+   Close();
+   // this->yield();
--- End diff --

should this be removed?




[GitHub] nifi-minifi-cpp pull request #41: MINIFI-184: Add Security Support

2017-01-30 Thread apiri
Github user apiri commented on a diff in the pull request:

https://github.com/apache/nifi-minifi-cpp/pull/41#discussion_r98260232
  
--- Diff: libminifi/src/Configure.cpp ---
@@ -29,6 +29,12 @@ const char *Configure::nifi_server_report_interval= 
"nifi.server.report.interval
 const char *Configure::nifi_provenance_repository_max_storage_size = 
"nifi.provenance.repository.max.storage.size";
 const char *Configure::nifi_provenance_repository_max_storage_time = 
"nifi.provenance.repository.max.storage.time";
 const char *Configure::nifi_provenance_repository_directory_default = 
"nifi.provenance.repository.directory.default";
+const char *Configure::nifi_remote_input_secure = 
"nifi.remote.input.secure";
+const char *Configure::nifi_security_need_ClientAuth = 
"nifi.security.need.ClientAuth";
+const char *Configure::nifi_security_client_certificate = 
"nifi.security.client.certificate";
+const char *Configure::nifi_security_client_private_key = 
"nifi.security.client.private.key";
+const char *Configure::nifi_security_client_pass_phase = 
"nifi.security.client.pass.phase";
--- End diff --

likely should just be passphrase




[GitHub] nifi-minifi-cpp pull request #41: MINIFI-184: Add Security Support

2017-01-30 Thread apiri
Github user apiri commented on a diff in the pull request:

https://github.com/apache/nifi-minifi-cpp/pull/41#discussion_r98517708
  
--- Diff: README.md ---
@@ -243,6 +245,26 @@ Additionally, users can utilize the MiNiFi Toolkit 
Converter (version 0.0.1 - sc
 Port: 10001
 Host Name: localhost
 
+### Site2Site Security Configuration
+
+in minifi.properties 
--- End diff --

We should stub these out as defaults in minifi.properties.  No values, but 
at least provide a quick way of having them be readily available.




[GitHub] nifi-minifi-cpp pull request #41: MINIFI-184: Add Security Support

2017-01-30 Thread apiri
Github user apiri commented on a diff in the pull request:

https://github.com/apache/nifi-minifi-cpp/pull/41#discussion_r98259141
  
--- Diff: libminifi/src/Configure.cpp ---
@@ -29,6 +29,12 @@ const char *Configure::nifi_server_report_interval= 
"nifi.server.report.interval
 const char *Configure::nifi_provenance_repository_max_storage_size = 
"nifi.provenance.repository.max.storage.size";
 const char *Configure::nifi_provenance_repository_max_storage_time = 
"nifi.provenance.repository.max.storage.time";
 const char *Configure::nifi_provenance_repository_directory_default = 
"nifi.provenance.repository.directory.default";
+const char *Configure::nifi_remote_input_secure = 
"nifi.remote.input.secure";
+const char *Configure::nifi_security_need_ClientAuth = 
"nifi.security.need.ClientAuth";
+const char *Configure::nifi_security_client_certificate = 
"nifi.security.client.certificate";
+const char *Configure::nifi_security_client_private_key = 
"nifi.security.client.private.key";
+const char *Configure::nifi_security_client_pass_phase = 
"nifi.security.client.pass.phase";
+const char *Configure::nifi_security_client_ca_certificate = 
"nif.security.client.ca.certificate";
--- End diff --
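
Review bot: The last added constant, `nifi_security_client_ca_certificate`, has the value `"nif.security.client.ca.certificate"`, missing the second `i` that every other key in this block carries. A properties file that uses the `nifi.` prefix like its neighbours would not match this key, so the CA certificate setting would not be found under the expected name; correct the string to `nifi.security.client.ca.certificate`.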

typo for nifi




[GitHub] nifi-minifi-cpp pull request #41: MINIFI-184: Add Security Support

2017-01-30 Thread apiri
Github user apiri commented on a diff in the pull request:

https://github.com/apache/nifi-minifi-cpp/pull/41#discussion_r98476667
  
--- Diff: libminifi/src/Site2SitePeer.cpp ---
@@ -237,12 +271,31 @@ int Site2SitePeer::readData(uint8_t *buf, int buflen, 
CRC32 *crc)
Close();
return status;
}
-   status = recv(_socket, buf, buflen, 0);
-   if (status <= 0)
+   if (!_ssl)
{
-   Close();
-   // this->yield();
-   return status;
+   status = recv(_socket, buf, buflen, 0);
+   if (status <= 0)
+   {
+   Close();
+   // this->yield();
+   return status;
+   }
+   }
+   else
+   {
+   // for SSL, wait for the TLS IO is completed
+   int sslStatus;
+   do {
+   status = SSL_read(_ssl, buf, buflen);
+   sslStatus = SSL_get_error(_ssl, status);
+   }
+   while (status < 0 && sslStatus == SSL_ERROR_WANT_READ);
+   if (status <= 0)
+   {
+   Close();
+   // this->yield();
--- End diff --
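
Review bot: The `do { status = SSL_read(...) } while (status < 0 && sslStatus == SSL_ERROR_WANT_READ);` loop in the SSL branch retries immediately, so if the socket is non-blocking it spins on the CPU until data arrives; wait on the socket with `select` or `poll` before calling `SSL_read` again. The loop also retries only on `SSL_ERROR_WANT_READ`, while `SSL_read` can report `SSL_ERROR_WANT_WRITE` during a renegotiation, and here that case falls through to `Close()`.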

should this be removed?




[GitHub] nifi-minifi-cpp pull request #41: MINIFI-184: Add Security Support

2017-01-23 Thread benqiu2016
GitHub user benqiu2016 opened a pull request:

https://github.com/apache/nifi-minifi-cpp/pull/41

MINIFI-184: Add Security Support



You can merge this pull request into a Git repository by running:

$ git pull https://github.com/benqiu2016/nifi-minifi-cpp master

Alternatively you can review and apply these changes as the patch at:

https://github.com/apache/nifi-minifi-cpp/pull/41.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

This closes #41


commit dc96f2ad7dce8a6934516d4485ed92f38caf3de4
Author: Bin Qiu 
Date:   2016-10-28T16:48:57Z

Provenance Support

commit b0ee74792dd67b61d7e09d6abfb7d4eb05dfc2df
Author: Bin Qiu 
Date:   2016-10-28T16:53:20Z

Provenance Support

commit 351fab8f9a7b629ec16986f54e909e34e2cf0b1e
Author: Bin Qiu 
Date:   2016-11-14T17:21:31Z

MINIFI-131: Provenance Support

commit 4e6d1eec360bebd0b63422159ea1ef17b088b879
Author: Bin Qiu 
Date:   2016-11-14T17:26:21Z

MINIFI-131: Provenance Support

commit 836e4f3993aed01a647327b20212569527b66dbf
Author: Bin Qiu 
Date:   2016-11-23T04:51:12Z

MINIFI-114: Set default stateFile for TailFile

commit c41021ddb837b9db414ed03817aefb4d6f070a58
Author: Bin Qiu 
Date:   2017-01-03T05:02:51Z

sync head

commit c1279d8063ad9ad469065e63d1c028878d787d97
Author: Bin Qiu 
Date:   2017-01-22T18:10:34Z

MINIFI-184: Add Security Support



