[ https://issues.apache.org/jira/browse/NIFI-2119?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15364838#comment-15364838 ]

ASF GitHub Bot commented on NIFI-2119:
--------------------------------------

GitHub user alopresto opened a pull request:

    https://github.com/apache/nifi/pull/611

    NIFI-2119 Fixed 0.7.0 release blocker for cluster secure communications

    The client and server sockets were being treated the same when attempting to extract the peer certificate DN (server sockets should not be subject to the influence of `nifi.security.needClientAuth` in `nifi.properties`).

    This has been tested on 2- and 3-node clusters with `needClientAuth` set to both *true* and *false*.

You can merge this pull request into a Git repository by running:

    $ git pull https://github.com/alopresto/nifi NIFI-2119

Alternatively you can review and apply these changes as the patch at:

    https://github.com/apache/nifi/pull/611.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

    This closes #611

----
commit 361e07a78cd0abd52b5ab144b7cdeba60af17ede
Author: Andy LoPresto <alopre...@apache.org>
Date:   2016-07-05T04:05:58Z

    NIFI-2119 Refactored CertificateUtils to separate logic for DN extraction from server/client sockets.
    Added logic to detect server/client mode encapsulated in exposed method.
    Added unit tests for DN extraction.
    Corrected typo in Javadoc.

commit bed4bb3046e97aa719624df846a2c2b86015fe6d
Author: Andy LoPresto <alopre...@apache.org>
Date:   2016-07-06T17:05:44Z

    NIFI-2119 Switched server/client socket logic for certificate extraction -- when the local socket is in client/server mode, the peer is necessarily the inverse.
    Fixed unit tests.
    Moved lazy-loading authentication access out of isDebugEnabled() control branch.

----

> Secure clustering returning bad request response
> ------------------------------------------------
>
>                 Key: NIFI-2119
>                 URL: https://issues.apache.org/jira/browse/NIFI-2119
>             Project: Apache NiFi
>          Issue Type: Bug
>          Components: Core Framework
>            Reporter: Joseph Witt
>             Fix For: 0.7.0
>
>
> Cannot get a secured cluster working that worked well on 0.6.0. After
> upgrading now seeing the following line. It either means I upgraded
> incorrectly, or we're missing critical migration guidance, or we have
> introduced a new bug.
> 2016-06-25 14:19:12,017 INFO [NiFi Web Server-23] o.a.n.w.a.c.IllegalArgumentExceptionMapper java.lang.IllegalArgumentException: User account already created CN=box1.testing.org, OU=NIFI, O=Apache-NiFi, L=Here, ST=There, C=EVERYWHERE. Returning Bad Request response.
> Speaking with [~mcgilman] about this he looked into it and says
> "the socket used for cluster communications is configured with an sslContext
> that has client auth set to none... which seems to be why we're not
> getting the NCM DN during connection
> I think the issue is this part of this commit....
> https://github.com/apache/nifi/commit/7b5583f3a8c8e3f62e2985059a3466a5bb36f4e8#diff-a14f46a45c394fbd82a2b99730e04bcbR68"

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
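
The client/server distinction described in the pull request above, sketched as an added example that is not the code from NiFi's CertificateUtils or from this pull request. The class and method names are hypothetical; only standard `javax.net.ssl` calls are used, and the socket's own client-auth mode stands in for the `nifi.security.needClientAuth` setting.

```java
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLSocket;

// Added illustration; PeerDnExample and its methods are hypothetical names,
// not NiFi's CertificateUtils API.
public final class PeerDnExample {

    /**
     * Returns the peer's certificate subject DN, or null when the peer is a
     * client that was allowed to connect without presenting a certificate.
     */
    public static String extractPeerDn(SSLSocket socket) throws SSLPeerUnverifiedException {
        if (socket.getUseClientMode()) {
            // Local socket is the TLS client, so the peer is the server. A server
            // certificate is expected regardless of any client-auth setting, so a
            // missing one is an error (getPeerCertificates() throws).
            return subjectDn(socket);
        }
        // Local socket is the TLS server, so the peer is a client. Whether it
        // sent a certificate depends on this socket's client-auth mode.
        if (socket.getNeedClientAuth()) {
            return subjectDn(socket); // required: propagate failure
        }
        if (socket.getWantClientAuth()) {
            try {
                return subjectDn(socket); // optional: use it if offered
            } catch (SSLPeerUnverifiedException e) {
                return null;
            }
        }
        return null; // client auth disabled: no client identity to report
    }

    private static String subjectDn(SSLSocket socket) throws SSLPeerUnverifiedException {
        Certificate[] chain = socket.getSession().getPeerCertificates();
        if (chain.length == 0 || !(chain[0] instanceof X509Certificate)) {
            throw new SSLPeerUnverifiedException("Peer did not present an X.509 certificate");
        }
        // The first element of the chain is the peer's own certificate.
        return ((X509Certificate) chain[0]).getSubjectX500Principal().getName();
    }
}
```

A null return means the peer client is unauthenticated; callers should handle that case explicitly before mapping the DN to a user or node identity.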