[jira] [Updated] (NIFI-10425) nifi.security.autoreload.enabled feature doesn't work with symlink

Thu, 01 Sep 2022 07:00:15 -0700 


     [ 
https://issues.apache.org/jira/browse/NIFI-10425?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Julien G. updated NIFI-10425:
-----------------------------
    Fix Version/s:     (was: 1.18.0)

> nifi.security.autoreload.enabled feature doesn't work with symlink
> ------------------------------------------------------------------
>
>                 Key: NIFI-10425
>                 URL: https://issues.apache.org/jira/browse/NIFI-10425
>             Project: Apache NiFi
>          Issue Type: Improvement
>            Reporter: Julien G.
>            Priority: Major
>
>  On a NiFi running on K8S. The certificates are provided by a secret to the 
> pods, so to allow NiFi to reload them when they are updated, I set the 
> {{nifi.security.autoreload.enabled}} flag to {{true}}. But the secret 
> mounting mechanism makes that there is a set of symlink and the scanner that 
> keeps track of the certificates considers that the certificates are deleted 
> and not updated. Because instead of keeping track of the file through the 
> symlink it keeps track of the file pointed by the symlink.  So when the 
> secret is updated the certificates is deleted and created into another folder 
> and the symlink is updated. But for the Scanner the file has been deleted. So 
> it stops keeping track of it and does not reload the certificate.
> To illustrate my point:
>  * At the start, the pyramid is like that: {{truststore.jks}} [Symlink] -> 
> {{..data/truststore.jks}}  [Symlink] -> 
> {{..2022_08_31_19_45_44.079808492/truststore.jks}}
>  * After the update, the pyramid is like that:  {{truststore.jks}} [Symlink] 
> -> {{..data/truststore.jks}}  [Symlink] -> 
> {{..<NEW_TIMESTAMP>/truststore.jks}}
> The symlink still references a right file but as the "real" file changed of 
> directory the scanner considers that the file has been deleted and therefore 
> stop keeping track of it.
> The Scanner from Jetty will by default have the parameter {{reportRealPaths}} 
> set to {{true}}. If set to true, the listenesr used by the Scanner are called 
> with the real path of scanned files. So the parameter should be set to 
> {{false}}.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

Reply via email to