Github user alopresto commented on a diff in the pull request:
https://github.com/apache/nifi/pull/2956#discussion_r221672221
--- Diff:
nifi-nar-bundles/nifi-neo4j-bundle/nifi-neo4j-processors/src/main/java/org/apache/nifi/processors/neo4j/AbstractNeo4JCypherExecutor.java
---
@@ -0,0 +1,281 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.nifi.processors.neo4j;
+
+import java.io.File;
+import java.util.concurrent.TimeUnit;
+
+import org.apache.commons.lang3.StringUtils;
+import org.apache.nifi.annotation.lifecycle.OnScheduled;
+import org.apache.nifi.annotation.lifecycle.OnStopped;
+import org.apache.nifi.components.AllowableValue;
+import org.apache.nifi.components.PropertyDescriptor;
+import org.apache.nifi.components.PropertyValue;
+import org.apache.nifi.expression.ExpressionLanguageScope;
+import org.apache.nifi.processor.AbstractProcessor;
+import org.apache.nifi.processor.ProcessContext;
+import org.apache.nifi.processor.Relationship;
+import org.apache.nifi.processor.exception.ProcessException;
+import org.apache.nifi.processor.util.StandardValidators;
+import org.neo4j.driver.v1.AuthTokens;
+import org.neo4j.driver.v1.Config;
+import org.neo4j.driver.v1.Config.ConfigBuilder;
+import org.neo4j.driver.v1.Config.LoadBalancingStrategy;
+import org.neo4j.driver.v1.Config.TrustStrategy;
+import org.neo4j.driver.v1.Driver;
+import org.neo4j.driver.v1.GraphDatabase;
+
+/**
+ * Abstract base class for Neo4JCypherExecutor processors
+ */
+abstract class AbstractNeo4JCypherExecutor extends AbstractProcessor {
+
+ protected static final PropertyDescriptor QUERY = new
PropertyDescriptor.Builder()
+ .name("neo4J-query")
+ .displayName("Neo4J Query")
+ .description("Specifies the Neo4j Query.")
+ .required(true)
+
.expressionLanguageSupported(ExpressionLanguageScope.FLOWFILE_ATTRIBUTES)
+ .addValidator(StandardValidators.NON_BLANK_VALIDATOR)
+ .build();
+
+ public static final PropertyDescriptor CONNECTION_URL = new
PropertyDescriptor.Builder()
+ .name("neo4j-connection-url")
+ .displayName("Neo4j Connection URL")
+ .description("Neo4J endpoing to connect to.")
+ .required(true)
+ .defaultValue("bolt://localhost:7687")
+
.expressionLanguageSupported(ExpressionLanguageScope.VARIABLE_REGISTRY)
+ .addValidator(StandardValidators.NON_EMPTY_VALIDATOR)
+ .build();
+
+ public static final PropertyDescriptor USERNAME = new
PropertyDescriptor.Builder()
+ .name("neo4j-username")
+ .displayName("Username")
+ .description("Username for accessing Neo4J")
+ .required(true)
+
.expressionLanguageSupported(ExpressionLanguageScope.VARIABLE_REGISTRY)
+ .addValidator(StandardValidators.NON_BLANK_VALIDATOR)
+ .build();
+
+ public static final PropertyDescriptor PASSWORD = new
PropertyDescriptor.Builder()
+ .name("neo4j-password")
+ .displayName("Password")
+ .description("Password for Neo4J user")
+ .required(true)
+ .sensitive(true)
+
.expressionLanguageSupported(ExpressionLanguageScope.VARIABLE_REGISTRY)
+ .addValidator(StandardValidators.NON_BLANK_VALIDATOR)
+ .build();
+
+ public static AllowableValue LOAD_BALANCING_STRATEGY_ROUND_ROBIN = new
AllowableValue(LoadBalancingStrategy.ROUND_ROBIN.name(), "Round Robin", "Round
Robin Strategy");
+
+ public static AllowableValue LOAD_BALANCING_STRATEGY_LEAST_CONNECTED =
new AllowableValue(LoadBalancingStrategy.LEAST_CONNECTED.name(), "Least
Connected", "Least Connected Strategy");
+
+ protected static final PropertyDescriptor LOAD_BALANCING_STRATEGY =
new PropertyDescriptor.Builder()
+ .name("neo4j-load-balancing-strategy")
+ .displayName("Load Balancing Strategy")
+ .description("Load Balancing Strategy (Round Robin or Least
Connected)")
+ .required(false)
+ .defaultValue(LOAD_BALANCING_STRATEGY_ROUND_ROBIN.getValue())
+ .allowableValues(LOAD_BALANCING_STRATEGY_ROUND_ROBIN,
LOAD_BALANCING_STRATEGY_LEAST_CONNECTED)
+ .build();
+
+ public static final PropertyDescriptor CONNECTION_TIMEOUT = new
PropertyDescriptor.Builder()
+ .name("neo4j-max-connection-time-out")
+ .displayName("Neo4J Max Connection Time Out (seconds)")
+ .description("The maximum time for establishing connection to
the Neo4j")
+ .defaultValue("5 seconds")
+ .required(true)
+ .addValidator(StandardValidators.TIME_PERIOD_VALIDATOR)
+ .sensitive(false)
+ .build();
+
+ public static final PropertyDescriptor MAX_CONNECTION_POOL_SIZE = new
PropertyDescriptor.Builder()
+ .name("neo4j-max-connection-pool-size")
+ .displayName("Neo4J Max Connection Pool Size")
+ .description("The maximum connection pool size for Neo4j.")
+ .defaultValue("100")
+ .required(true)
+ .addValidator(StandardValidators.POSITIVE_INTEGER_VALIDATOR)
+ .sensitive(false)
+ .build();
+
+ public static final PropertyDescriptor
MAX_CONNECTION_ACQUISITION_TIMEOUT = new PropertyDescriptor.Builder()
+ .name("neo4j-max-connection-acquisition-timeout")
+ .displayName("Neo4J Max Connection Acquisition Timeout")
+ .description("The maximum connection acquisition timeout.")
+ .defaultValue("60 second")
+ .required(true)
+ .addValidator(StandardValidators.TIME_PERIOD_VALIDATOR)
+ .sensitive(false)
+ .build();
+
+ public static final PropertyDescriptor
IDLE_TIME_BEFORE_CONNECTION_TEST = new PropertyDescriptor.Builder()
+ .name("neo4j-idle-time-before-test")
+ .displayName("Neo4J Idle Time Before Connection Test")
+ .description("The idle time before connection test.")
+ .defaultValue("60 seconds")
+ .required(true)
+ .addValidator(StandardValidators.TIME_PERIOD_VALIDATOR)
+ .sensitive(false)
+ .build();
+
+ public static final PropertyDescriptor MAX_CONNECTION_LIFETIME = new
PropertyDescriptor.Builder()
+ .name("neo4j-max-connection-lifetime")
+ .displayName("Neo4J Max Connection Lifetime")
+ .description("The maximum connection lifetime")
+ .defaultValue("3600 seconds")
+ .required(true)
+ .addValidator(StandardValidators.TIME_PERIOD_VALIDATOR)
+ .sensitive(false)
+ .build();
+
+ public static final PropertyDescriptor ENCRYPTION = new
PropertyDescriptor.Builder()
+ .name("neo4j-encryption")
+ .displayName("Neo4J Encrytion")
+ .description("Is connection encrypted")
+ .defaultValue("true")
+ .required(true)
+ .allowableValues("true","false")
+ .addValidator(StandardValidators.BOOLEAN_VALIDATOR)
+ .sensitive(false)
+ .build();
+
+ public static AllowableValue TRUST_SYSTEM_CA_SIGNED_CERTIFICATES =
+ new
AllowableValue(TrustStrategy.Strategy.TRUST_SYSTEM_CA_SIGNED_CERTIFICATES.name(),
+ "Trust System CA Signed Certificates", "Trust system specified
CA signed certificates");
+
+ public static AllowableValue TRUST_CUSTOM_CA_SIGNED_CERTIFICATES =
+ new
AllowableValue(TrustStrategy.Strategy.TRUST_CUSTOM_CA_SIGNED_CERTIFICATES.name(),
+ "Trust Custom CA Signed Certificates", "Trust custom CA signed
certificates defined in the file");
+
+ public static AllowableValue TRUST_ALL_CERTIFICATES =
+ new
AllowableValue(TrustStrategy.Strategy.TRUST_ALL_CERTIFICATES.name(),
+ "Trust All Certificates", "Trust all certificate");
+
+ protected static final PropertyDescriptor TRUST_STRATEGY = new
PropertyDescriptor.Builder()
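Review bot: The AllowableValue constants LOAD_BALANCING_STRATEGY_ROUND_ROBIN, LOAD_BALANCING_STRATEGY_LEAST_CONNECTED, TRUST_SYSTEM_CA_SIGNED_CERTIFICATES, TRUST_CUSTOM_CA_SIGNED_CERTIFICATES and TRUST_ALL_CERTIFICATES are declared `public static` without `final`, so any code loaded in the same JVM can reassign the values that feed the trust-strategy and load-balancing descriptors; every one of them should read `public static final AllowableValue ...` like the PropertyDescriptor fields around them. The descriptors also mix `protected` (QUERY, LOAD_BALANCING_STRATEGY, TRUST_STRATEGY) and `public` visibility with no evident reason, which is worth making consistent. Several user-facing strings carry typos that will surface in the processor documentation: `"Neo4J endpoing to connect to."` should be `"Neo4J endpoint to connect to."`, `"Neo4J Encrytion"` should be `"Neo4J Encryption"`, and the MAX_CONNECTION_ACQUISITION_TIMEOUT default `"60 second"` is presumably meant to be `"60 seconds"` like its siblings. The TRUST_STRATEGY builder that begins on the last line of this hunk continues outside it, so its allowable values and default could not be reviewed here.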
--- End diff --
I see value in that strategy, but I also have concerns that it limits the
number of NiFi developers who can support this because it differs from our
standard implementation. I also think that just because a target
service/library exposes an option does not mean we must expose it to the user. There is
no rule that NiFi must support an offering if we deem it to be insecure, which
"trust all certificates" certainly is.
My preferred strategy would be to use the `SSLContextService` method and
have documentation immediately available that instructs users configuring this
service to either configure it with a custom truststore (functionally
equivalent to "trust custom CA signed certificates") or with the JRE CA
truststore (`$JAVA_HOME/jre/lib/security/cacerts` / password `changeit`;
functionally equivalent to "trust system CA signed certificates").
@mans2singh are you ok with that or do you still feel differently?
---