[jira] [Commented] (NIFI-5752) Load balancing fails with wildcard certs

[ASF GitHub Bot (JIRA)]

    [ 
https://issues.apache.org/jira/browse/NIFI-5752?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16664791#comment-16664791
 ] 

ASF GitHub Bot commented on NIFI-5752:
--------------------------------------

Github user kotarot commented on a diff in the pull request:

    https://github.com/apache/nifi/pull/3110#discussion_r228428588
  
    --- Diff: 
nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-framework-core/src/main/java/org/apache/nifi/controller/queue/clustered/server/ClusterLoadBalanceAuthorizer.java
 ---
    @@ -40,28 +42,23 @@ public ClusterLoadBalanceAuthorizer(final 
ClusterCoordinator clusterCoordinator,
         }
     
         @Override
    -    public void authorize(final Collection<String> clientIdentities) 
throws NotAuthorizedException {
    -        if (clientIdentities == null) {
    -            logger.debug("Client Identities is null, so assuming that Load 
Balancing communications are not secure. Authorizing client to participate in 
Load Balancing");
    -            return;
    -        }
    -
    -        final Set<String> nodeIds = 
clusterCoordinator.getNodeIdentifiers().stream()
    +    public void authorize(final SSLSession sslSession) throws 
NotAuthorizedException {
    +        final List<String> nodeIds = 
clusterCoordinator.getNodeIdentifiers().stream()
                     .map(NodeIdentifier::getApiAddress)
    -                .collect(Collectors.toSet());
    +                .collect(Collectors.toList());
     
    -        for (final String clientId : clientIdentities) {
    -            if (nodeIds.contains(clientId)) {
    -                logger.debug("Client ID '{}' is in the list of Nodes in 
the Cluster. Authorizing Client to Load Balance data", clientId);
    +        for (final String nodeId : nodeIds) {
    +            final HostnameVerifier verifier = new 
DefaultHostnameVerifier();
    +            if (verifier.verify(nodeId, sslSession)) {
    +                logger.debug("Authorizing Client to Load Balance data");
                     return;
    --- End diff --
    
    In my opinion, we just need to use HostnameVerifier to verify and use the 
hostname derived from the socket. The reason is that, anyway, HostnameVerifier 
could simply authorize a node using certs w/ or w/o wildcard, and I think the 
hostname derived from the socket is enough. If there are cases where the 
hostname derived from the socket and the hostname from Certificate Identities 
are different, please ignore my option.
    
    I'd also like to hear comment from @markap14 . Thank you.


> Load balancing fails with wildcard certs
> ----------------------------------------
>
>                 Key: NIFI-5752
>                 URL: https://issues.apache.org/jira/browse/NIFI-5752
>             Project: Apache NiFi
>          Issue Type: Bug
>    Affects Versions: 1.8.0
>            Reporter: Kotaro Terada
>            Priority: Major
>
> Load balancing fails when we construct a secure cluster with wildcard certs.
> For example, assume that we have a valid wildcard cert for {{*.example.com}} 
> and a cluster consists of {{nf1.example.com}}, {{nf2.example.com}}, and 
> {{nf3.example.com}} . We cannot transfer a FlowFile between nodes for load 
> balancing because of the following authorization error:
> {noformat}
> 2018-10-25 19:05:13,520 WARN [Load Balance Server Thread-2] 
> o.a.n.c.q.c.s.ClusterLoadBalanceAuthorizer Authorization failed for Client 
> ID's [*.example.com] to Load Balance data because none of the ID's are known 
> Cluster Node Identifiers
> 2018-10-25 19:05:13,521 ERROR [Load Balance Server Thread-2] 
> o.a.n.c.q.c.s.ConnectionLoadBalanceServer Failed to communicate with Peer 
> /xxx.xxx.xxx.xxx:xxxxx
> org.apache.nifi.controller.queue.clustered.server.NotAuthorizedException: 
> Client ID's [*.example.com] are not authorized to Load Balance data
>       at 
> org.apache.nifi.controller.queue.clustered.server.ClusterLoadBalanceAuthorizer.authorize(ClusterLoadBalanceAuthorizer.java:65)
>       at 
> org.apache.nifi.controller.queue.clustered.server.StandardLoadBalanceProtocol.receiveFlowFiles(StandardLoadBalanceProtocol.java:142)
>       at 
> org.apache.nifi.controller.queue.clustered.server.ConnectionLoadBalanceServer$CommunicateAction.run(ConnectionLoadBalanceServer.java:176)
>       at 
> java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
>       at java.util.concurrent.FutureTask.run(FutureTask.java:266)
>       at 
> java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$201(ScheduledThreadPoolExecutor.java:180)
>       at 
> java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:293)
>       at 
> java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
>       at 
> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
>       at java.lang.Thread.run(Thread.java:748)
> {noformat}
> This problem occurs because in {{authorize}} method in 
> {{ClusterLoadBalanceAuthorizer}} class, authorization is tried by just 
> matching strings.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)