GitHub user ijokarumawak commented on a diff in the pull request:

    https://github.com/apache/nifi/pull/3110#discussion_r228386235
  
    --- Diff: 
nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-framework-core/src/main/java/org/apache/nifi/controller/queue/clustered/server/ClusterLoadBalanceAuthorizer.java
 ---
    @@ -40,28 +42,23 @@ public ClusterLoadBalanceAuthorizer(final 
ClusterCoordinator clusterCoordinator,
         }
     
         @Override
    -    public void authorize(final Collection<String> clientIdentities) 
throws NotAuthorizedException {
    -        if (clientIdentities == null) {
    -            logger.debug("Client Identities is null, so assuming that Load 
Balancing communications are not secure. Authorizing client to participate in 
Load Balancing");
    -            return;
    -        }
    -
    -        final Set<String> nodeIds = 
clusterCoordinator.getNodeIdentifiers().stream()
    +    public void authorize(final SSLSession sslSession) throws 
NotAuthorizedException {
    +        final List<String> nodeIds = 
clusterCoordinator.getNodeIdentifiers().stream()
                     .map(NodeIdentifier::getApiAddress)
    -                .collect(Collectors.toSet());
    +                .collect(Collectors.toList());
     
    -        for (final String clientId : clientIdentities) {
    -            if (nodeIds.contains(clientId)) {
    -                logger.debug("Client ID '{}' is in the list of Nodes in 
the Cluster. Authorizing Client to Load Balance data", clientId);
    +        for (final String nodeId : nodeIds) {
    +            final HostnameVerifier verifier = new 
DefaultHostnameVerifier();
    +            if (verifier.verify(nodeId, sslSession)) {
    +                logger.debug("Authorizing Client to Load Balance data");
    --- End diff --
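
Review bot: The new `authorize(final SSLSession sslSession)` has no counterpart, in the visible lines, to the removed `clientIdentities == null` branch, so it is unclear what happens when load balancing is not secured and there is no TLS session; `sslSession` goes straight into `verifier.verify(nodeId, sslSession)`. Either handle that case explicitly at the top of the method or document that callers only invoke it for secured connections. Separately, `new DefaultHostnameVerifier()` is constructed inside the `for` loop on every iteration and can be created once before the loop. Because the check is now a hostname verification against each node's `getApiAddress()` rather than the previous `nodeIds.contains(clientId)` comparison, a short comment stating which certificate names are expected to match would help.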
    
    In a case where the cert contains the exact nodeId, the `nodeId` is still informative to be logged. I'd suggest a logging message something like:
    ```suggestion
                    logger.debug("The request was verified with node ID '{}'. Authorizing Client to Load Balance data", nodeId);
    ```

