[jira] [Commented] (NIFI-5752) Load balancing fails with wildcard certs

[ASF GitHub Bot (JIRA)]

    [ 
https://issues.apache.org/jira/browse/NIFI-5752?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16674681#comment-16674681
 ] 

ASF GitHub Bot commented on NIFI-5752:
--------------------------------------

Github user kotarot commented on a diff in the pull request:

    https://github.com/apache/nifi/pull/3110#discussion_r230637213
  
    --- Diff: 
nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-framework-core/src/main/java/org/apache/nifi/controller/queue/clustered/server/ClusterLoadBalanceAuthorizer.java
 ---
    @@ -33,14 +42,27 @@
     
         private final ClusterCoordinator clusterCoordinator;
         private final EventReporter eventReporter;
    +    private final HostnameVerifier hostnameVerifier;
     
         public ClusterLoadBalanceAuthorizer(final ClusterCoordinator 
clusterCoordinator, final EventReporter eventReporter) {
             this.clusterCoordinator = clusterCoordinator;
             this.eventReporter = eventReporter;
    +        this.hostnameVerifier = new DefaultHostnameVerifier();
         }
     
         @Override
    -    public String authorize(final Collection<String> clientIdentities) 
throws NotAuthorizedException {
    +    public String authorize(SSLSocket sslSocket) throws 
NotAuthorizedException, IOException {
    +        final SSLSession sslSession = sslSocket.getSession();
    +
    +        final Set<String> clientIdentities;
    +        try {
    +            clientIdentities = getCertificateIdentities(sslSession);
    +        } catch (final CertificateException e) {
    +            throw new IOException("Failed to extract Client Certificate", 
e);
    +        }
    +
    +        logger.debug("Will perform authorization against Client Identities 
'{}'", clientIdentities);
    +
             if (clientIdentities == null) {
    --- End diff --
    
    Do you mean the block L66-69? Do we always guarantee `clientIdentities` is 
not null if the socket is a SSLSocket? I suppose we still need this.


> Load balancing fails with wildcard certs
> ----------------------------------------
>
>                 Key: NIFI-5752
>                 URL: https://issues.apache.org/jira/browse/NIFI-5752
>             Project: Apache NiFi
>          Issue Type: Bug
>    Affects Versions: 1.8.0
>            Reporter: Kotaro Terada
>            Assignee: Kotaro Terada
>            Priority: Major
>
> Load balancing fails when we construct a secure cluster with wildcard certs.
> For example, assume that we have a valid wildcard cert for {{*.example.com}} 
> and a cluster consists of {{nf1.example.com}}, {{nf2.example.com}}, and 
> {{nf3.example.com}} . We cannot transfer a FlowFile between nodes for load 
> balancing because of the following authorization error:
> {noformat}
> 2018-10-25 19:05:13,520 WARN [Load Balance Server Thread-2] 
> o.a.n.c.q.c.s.ClusterLoadBalanceAuthorizer Authorization failed for Client 
> ID's [*.example.com] to Load Balance data because none of the ID's are known 
> Cluster Node Identifiers
> 2018-10-25 19:05:13,521 ERROR [Load Balance Server Thread-2] 
> o.a.n.c.q.c.s.ConnectionLoadBalanceServer Failed to communicate with Peer 
> /xxx.xxx.xxx.xxx:xxxxx
> org.apache.nifi.controller.queue.clustered.server.NotAuthorizedException: 
> Client ID's [*.example.com] are not authorized to Load Balance data
>       at 
> org.apache.nifi.controller.queue.clustered.server.ClusterLoadBalanceAuthorizer.authorize(ClusterLoadBalanceAuthorizer.java:65)
>       at 
> org.apache.nifi.controller.queue.clustered.server.StandardLoadBalanceProtocol.receiveFlowFiles(StandardLoadBalanceProtocol.java:142)
>       at 
> org.apache.nifi.controller.queue.clustered.server.ConnectionLoadBalanceServer$CommunicateAction.run(ConnectionLoadBalanceServer.java:176)
>       at 
> java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
>       at java.util.concurrent.FutureTask.run(FutureTask.java:266)
>       at 
> java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$201(ScheduledThreadPoolExecutor.java:180)
>       at 
> java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:293)
>       at 
> java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
>       at 
> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
>       at java.lang.Thread.run(Thread.java:748)
> {noformat}
> This problem occurs because in {{authorize}} method in 
> {{ClusterLoadBalanceAuthorizer}} class, authorization is tried by just 
> matching strings.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)