Hi Ara,

To follow up, I just opened a Jira [1] to remove that property entirely. It was 
created in a legacy environment and isn’t a good solution anymore. The TLS 
certificates should be properly configured (we can help with that if you need 
it), but Trusted Hostname isn’t a secure behavior, as Bryan mentioned. There 
was an existing Jira for adding Expression Language support to that property, 
which I have closed as “Won’t Fix” [2]. 

[1] https://issues.apache.org/jira/browse/NIFI-6019 
[2] https://issues.apache.org/jira/browse/NIFI-3435

Andy LoPresto
alopre...@apache.org
alopresto.apa...@gmail.com
PGP Fingerprint: 70EC B3E5 98A6 5A3F D3C4  BACE 3C6E F65B 2F7D EF69

> On Feb 12, 2019, at 7:31 AM, Bryan Bende <bbe...@gmail.com> wrote:
> 
> Hello,
> 
> It looks like InvokeHttp creates an instance of the OkHttp client in
> the onScheduled method which is called when the processor is started,
> and when it creates the client it will specify a hostname verifier to
> always accept whatever the trusted hostname is. So the issue is that
> if trusted hostname were to support EL from flow file attributes, then
> you could no longer create the client instance in onScheduled, you
> would have to lazily create it per flow file with some type of cache
> from trusted hostname to client instance, making the logic of the
> processor a bit more complex.
> 
> I suspect the expectation was that trusted hostname should be used
> very sparingly since it is really a bit of a hack to bypass a proper
> TLS configuration, and so maybe it was not expected that you would
> need to specify many different trusted hostnames, but I'm only
> guessing.
> 
> I think it would be very easy to allow a comma separated list, or
> possibly a regex. You would just have to modify the hostname verifier
> here:
> 
> https://github.com/apache/nifi/blob/master/nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/src/main/java/org/apache/nifi/processors/standard/InvokeHTTP.java#L1213-L1230
> 
> - Bryan
> 
> On Tue, Feb 12, 2019 at 10:06 AM ara m. <arama...@gmail.com> wrote:
>> 
>> In the InvokeHTTP processor, the Remote URL property supports Expression
>> Language but the Trusted Hostname does not. I can't use any form of stars,
>> *.*.my.expected.domain.com, and I can't use comma-separated values.
>> 
>> You can see this is a huge problem as domain name difference will cause
>> errors when we pass down varying Remote URLs and the Trusted Host stays the
>> same. For one of them I can use a variable, and the other is stuck.
>> Why was this implemented this way, was it an oversight? What is the
>> workaround for this? Create custom processor and import all the libs required
>> for the code? Or modify nifi processor itself and rebuild nifi jars?
>> What is your recommendation? And thank you ahead of time.
>> 
>> 
>> 
>> --
>> Sent from: http://apache-nifi-users-list.2361937.n4.nabble.com/
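
The hostname-verifier override discussed in this thread, next to a standard-style certificate name check, as an added example that is not part of the original messages and is not NiFi's code. It assumes a simplified model in which a certificate is just its list of DNS names; the class, method and host names are hypothetical and the sample values are constructed.

```java
import java.util.Arrays;
import java.util.List;

// Simplified model, not NiFi's code: a certificate is reduced to its list of
// DNS subjectAltName entries, and all names below are hypothetical.
public class TrustedHostnameDemo {

    // Standard-style check: the requested host must match a name in the
    // certificate. A wildcard is honoured only as the whole left-most label
    // and covers exactly one label.
    static boolean matchesCertificate(String host, List<String> certNames) {
        for (String name : certNames) {
            if (name.equalsIgnoreCase(host)) {
                return true;
            }
            int dot = host.indexOf('.');
            if (name.startsWith("*.") && dot > 0
                    && name.substring(1).equalsIgnoreCase(host.substring(dot))) {
                return true;
            }
        }
        return false;
    }

    // Override pattern from the thread: when the requested host equals the
    // configured trusted hostname, accept without looking at the certificate.
    static boolean overrideVerifier(String trustedHostname, String host,
                                    List<String> certNames) {
        if (trustedHostname.equalsIgnoreCase(host)) {
            return true;
        }
        return matchesCertificate(host, certNames);
    }

    public static void main(String[] args) {
        // Constructed sample: the server presents a certificate for another name.
        List<String> presented = Arrays.asList("*.corp.example.test");
        String host = "api.prod.example.test";

        System.out.println("strict check accepts: "
                + matchesCertificate(host, presented));
        System.out.println("trusted-hostname override accepts: "
                + overrideVerifier("api.prod.example.test", host, presented));
        System.out.println("strict check, matching certificate: "
                + matchesCertificate("api.corp.example.test", presented));
    }
}
```

The override accepts a certificate that names a different host, because the certificate is never consulted once the requested host equals the configured value. That is the behavior the thread retires in favor of properly configured TLS certificates.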
