[ 
https://issues.apache.org/jira/browse/NIFI-5370?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16539026#comment-16539026
 ] 

Andy LoPresto commented on NIFI-5370:
-------------------------------------

[~prashanv] I understand why it would be easier to deploy in a 
horizontally-scaling environment with a single wildcard cert. I'm sympathetic 
to those needs, but that doesn't mean wildcard certs are supported now because 
of the issues I outlined above. There are follow-on efforts to improve the 
usability with wildcard certificates. 

That said, the issues you are encountering have better solutions right now:
* "To my knowledge in NiFi, if we are using uniquely identified certificates we 
have to add 'Initial User Identity' and 'Node Identity' in authorizers.xml file 
for every new node in cluster. So if we are scaling out we have to update the 
authorizers.xml file in all nodes that results in restart of existing nodes" -- 
you need to prepopulate the {{authorizers.xml}} with the node identities when 
you first start a cluster, but I believe you can scale the cluster out without 
restarting any running nodes. To do this, simply add a new user via the NiFi 
UI/API with the DN of the node hostname, and be sure to give it {{W}} 
permission on the {{/proxy}} resource. This is what the 
{{FileAccessPolicyProvider}} does during startup (see 
[FileAccessPolicyProvider#605|https://github.com/apache/nifi/blob/master/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-file-authorizer/src/main/java/org/apache/nifi/authorization/FileAccessPolicyProvider.java#L605]).
In this way, you should be able to add new nodes to the cluster without 
restarting existing nodes. If you run into issues with this, please open a new 
Jira against 1.8+ describing what you're doing and the actual result vs. 
expected result. We can improve the documentation in the Admin Guide to help 
people understand this process. 

> Cluster request replication failing with wildcard certs
> -------------------------------------------------------
>
>                 Key: NIFI-5370
>                 URL: https://issues.apache.org/jira/browse/NIFI-5370
>             Project: Apache NiFi
>          Issue Type: Bug
>          Components: Core Framework
>    Affects Versions: 1.7.0
>            Reporter: Andy LoPresto
>            Assignee: Andy LoPresto
>            Priority: Major
>              Labels: certificate, cluster, security, tls, wildcard
>             Fix For: 1.8.0
>
>
> From the users mailing list:
> {quote}
> Team,
>  
> NiFi secured cluster throws below error with wildcarded self-signed 
> standalone certificate.  Just a brief background, we are deploying nifi in 
> Kubernetes  where we have to use wildcarded certificates. Till nifi 1.6.0, it 
> was working fine.
> Also I tried bringing up NiFi in linux VM in secured cluster mode with 
> wildcarded certs, I am getting same error.
>  
> Toolkit command to generate certs:
> bin/tls-toolkit.sh standalone -n 
> '*.mynifi-nifi-headless.default.svc.cluster.local' -C 'CN=admin, OU=NIFI' -o 
> <targetfolder>
>  
> Logs:
> 2018-07-02 12:40:32,369 WARN [Replicate Request Thread-1] 
> o.a.n.c.c.h.r.ThreadPoolRequestReplicator Failed to replicate request GET 
> /nifi-api/flow/current-user to 
> mynifi-nifi-1.mynifi-nifi-headless.default.svc.cluster.local:8443 due to 
> javax.net.ssl.SSLPeerUnverifiedException: Hostname 
> mynifi-nifi-1.mynifi-nifi-headless.default.svc.cluster.local not verified:
>     certificate: sha256/########################################
>     DN: CN=*.mynifi-nifi-headless.default.svc.cluster.local, OU=NIFI
>     subjectAltNames: [*.mynifi-nifi-headless.default.svc.cluster.local]
> 2018-07-02 12:40:32,370 WARN [Replicate Request Thread-1] 
> o.a.n.c.c.h.r.ThreadPoolRequestReplicator
> javax.net.ssl.SSLPeerUnverifiedException: Hostname 
> mynifi-nifi-1.mynifi-nifi-headless.default.svc.cluster.local not verified:
>     certificate: sha256/########################################
>     DN: CN=*.mynifi-nifi-headless.default.svc.cluster.local, OU=NIFI
>     subjectAltNames: [*.mynifi-nifi-headless.default.svc.cluster.local]
>         at 
> okhttp3.internal.connection.RealConnection.connectTls(RealConnection.java:316)
>  
> Please help me in resolving this.
>  
> Note: Same certificates is working for single mode setup.
> {quote}



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)