[jira] [Commented] (NIFI-5752) Load balancing fails with wildcard certs

[ASF GitHub Bot (JIRA)]

    [ 
https://issues.apache.org/jira/browse/NIFI-5752?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16676231#comment-16676231
 ] 

ASF GitHub Bot commented on NIFI-5752:
--------------------------------------

Github user ijokarumawak commented on a diff in the pull request:

    https://github.com/apache/nifi/pull/3110#discussion_r231011542
  
    --- Diff: 
nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-framework-core/src/main/java/org/apache/nifi/controller/queue/clustered/server/ClusterLoadBalanceAuthorizer.java
 ---
    @@ -33,14 +42,27 @@
     
         private final ClusterCoordinator clusterCoordinator;
         private final EventReporter eventReporter;
    +    private final HostnameVerifier hostnameVerifier;
     
         public ClusterLoadBalanceAuthorizer(final ClusterCoordinator 
clusterCoordinator, final EventReporter eventReporter) {
             this.clusterCoordinator = clusterCoordinator;
             this.eventReporter = eventReporter;
    +        this.hostnameVerifier = new DefaultHostnameVerifier();
         }
     
         @Override
    -    public String authorize(final Collection<String> clientIdentities) 
throws NotAuthorizedException {
    +    public String authorize(SSLSocket sslSocket) throws 
NotAuthorizedException, IOException {
    +        final SSLSession sslSession = sslSocket.getSession();
    +
    +        final Set<String> clientIdentities;
    +        try {
    +            clientIdentities = getCertificateIdentities(sslSession);
    +        } catch (final CertificateException e) {
    +            throw new IOException("Failed to extract Client Certificate", 
e);
    +        }
    +
    +        logger.debug("Will perform authorization against Client Identities 
'{}'", clientIdentities);
    +
             if (clientIdentities == null) {
    --- End diff --
    
    The existing log message indicating that this block is meant for the case 
where NiFi clustering is not secured (not sending data via SSLSocket). This 
block contradicts with the other block such as following 
getCertificateIdentities method:
    ```
            final Certificate[] certs = sslSession.getPeerCertificates();
            if (certs == null || certs.length == 0) {
                throw new SSLPeerUnverifiedException("No certificates found");
            }
    
    ```
    
    If we care about `clientIdentities` being null, then we should throw 
`SSLPeerUnverifiedException("No client identities found");` instead of 
authorizing it. Having said that, I believe removing this block is safe as 
`clientIdentities` are populated using `Collectors.toSet`. If no SAN is found, 
the value will be an empty set instead of null.


> Load balancing fails with wildcard certs
> ----------------------------------------
>
>                 Key: NIFI-5752
>                 URL: https://issues.apache.org/jira/browse/NIFI-5752
>             Project: Apache NiFi
>          Issue Type: Bug
>    Affects Versions: 1.8.0
>            Reporter: Kotaro Terada
>            Assignee: Kotaro Terada
>            Priority: Major
>
> Load balancing fails when we construct a secure cluster with wildcard certs.
> For example, assume that we have a valid wildcard cert for {{*.example.com}} 
> and a cluster consists of {{nf1.example.com}}, {{nf2.example.com}}, and 
> {{nf3.example.com}} . We cannot transfer a FlowFile between nodes for load 
> balancing because of the following authorization error:
> {noformat}
> 2018-10-25 19:05:13,520 WARN [Load Balance Server Thread-2] 
> o.a.n.c.q.c.s.ClusterLoadBalanceAuthorizer Authorization failed for Client 
> ID's [*.example.com] to Load Balance data because none of the ID's are known 
> Cluster Node Identifiers
> 2018-10-25 19:05:13,521 ERROR [Load Balance Server Thread-2] 
> o.a.n.c.q.c.s.ConnectionLoadBalanceServer Failed to communicate with Peer 
> /xxx.xxx.xxx.xxx:xxxxx
> org.apache.nifi.controller.queue.clustered.server.NotAuthorizedException: 
> Client ID's [*.example.com] are not authorized to Load Balance data
>       at 
> org.apache.nifi.controller.queue.clustered.server.ClusterLoadBalanceAuthorizer.authorize(ClusterLoadBalanceAuthorizer.java:65)
>       at 
> org.apache.nifi.controller.queue.clustered.server.StandardLoadBalanceProtocol.receiveFlowFiles(StandardLoadBalanceProtocol.java:142)
>       at 
> org.apache.nifi.controller.queue.clustered.server.ConnectionLoadBalanceServer$CommunicateAction.run(ConnectionLoadBalanceServer.java:176)
>       at 
> java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
>       at java.util.concurrent.FutureTask.run(FutureTask.java:266)
>       at 
> java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$201(ScheduledThreadPoolExecutor.java:180)
>       at 
> java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:293)
>       at 
> java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
>       at 
> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
>       at java.lang.Thread.run(Thread.java:748)
> {noformat}
> This problem occurs because in {{authorize}} method in 
> {{ClusterLoadBalanceAuthorizer}} class, authorization is tried by just 
> matching strings.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)