[GitHub] MikeThomsen commented on a change in pull request #3126: NIFI-5753 Add SSL support to HortonworksSchemaRegistry service

Tue, 19 Feb 2019 08:49:10 -0800 

MikeThomsen commented on a change in pull request #3126: NIFI-5753 Add SSL 
support to HortonworksSchemaRegistry service
URL: https://github.com/apache/nifi/pull/3126#discussion_r258129710
 
 

 ##########
 File path: 
nifi-nar-bundles/nifi-standard-services/nifi-hwx-schema-registry-bundle/nifi-hwx-schema-registry-service/src/main/java/org/apache/nifi/schemaregistry/hortonworks/HortonworksSchemaRegistry.java
 ##########
 @@ -120,9 +131,31 @@ public void enable(final ConfigurationContext context) 
throws InitializationExce
         
schemaRegistryConfig.put(SchemaRegistryClient.Configuration.CLASSLOADER_CACHE_EXPIRY_INTERVAL_SECS.name(),
 context.getProperty(CACHE_EXPIRATION).asTimePeriod(TimeUnit.SECONDS));
         
schemaRegistryConfig.put(SchemaRegistryClient.Configuration.SCHEMA_VERSION_CACHE_SIZE.name(),
 context.getProperty(CACHE_SIZE).asInteger());
         
schemaRegistryConfig.put(SchemaRegistryClient.Configuration.SCHEMA_VERSION_CACHE_EXPIRY_INTERVAL_SECS.name(),
 context.getProperty(CACHE_EXPIRATION).asTimePeriod(TimeUnit.SECONDS));
+        Map<String, String> sslProperties = buildSslProperties(context);
+        if (!sslProperties.isEmpty()) {
+            schemaRegistryConfig.put(CLIENT_SSL_PROPERTY_PREFIX, 
sslProperties);
+        }
     }
 
-
+    private Map<String, String> buildSslProperties(final ConfigurationContext 
context) {
+        final SSLContextService sslContextService = 
context.getProperty(SSL_CONTEXT_SERVICE).asControllerService(SSLContextService.class);
+        ImmutableMap.Builder<String, String> propertiesBuilder = 
ImmutableMap.builder();
+        if (sslContextService != null) {
+            propertiesBuilder.put("protocol", 
sslContextService.getSslAlgorithm());
+            propertiesBuilder.put("keyPassword", 
sslContextService.getKeyPassword());
+            if (sslContextService.isKeyStoreConfigured()) {
 
 Review comment:
   The registry client appears to be pretty temperamental about you not 
supplying both a keystore and a trust store. So I think you're going to need to 
add a `customValidate` validation step to verify that the SSL context is set up 
the way that the HWX registry is expecting. You can search the code and find 
examples, but they look like this on the method signature:
   
   ```
   protected Collection<ValidationResult> customValidate(ValidationContext 
context) {
   
   }
   ```

----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
[email protected]


With regards,
Apache Git Services

Reply via email to