thenatog commented on pull request #4592: URL: https://github.com/apache/nifi/pull/4592#issuecomment-706276736
This shouldn't be merged until https://github.com/apache/nifi/pull/4250 is merged. For testing, you can download/clone Zookeeper 3.5.5+ and export the key and trust stores as environment variables:

```
export SERVER_JVMFLAGS=" -Dzookeeper.serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory -Dzookeeper.ssl.keyStore.location=conf/security/keystore.jks -Dzookeeper.ssl.keyStore.password=keystorePassword -Dzookeeper.ssl.trustStore.location=conf/security/truststore.jks -Dzookeeper.ssl.trustStore.password=truststorePassword"
```

Set the zoo.cfg as follows:

```
tickTime=2000
initLimit=10
syncLimit=5
dataDir=/tmp/zookeeper
secureClientPort=2281
```

Then run ./bin/zkServer.sh

You can then set the nifi.properties TLS configuration using the 2281 client port for Zookeeper:

```
nifi.zookeeper.connect.string=localhost:2281
nifi.zookeeper.connect.timeout=10 secs
nifi.zookeeper.session.timeout=10 secs
nifi.zookeeper.root.node=/nifi
nifi.zookeeper.client.secure=true
nifi.zookeeper.security.keystore=./conf/keystore.jks
nifi.zookeeper.security.keystoreType=JKS
nifi.zookeeper.security.keystorePasswd=keystorePassword
nifi.zookeeper.security.truststore=./conf/truststore.jks
nifi.zookeeper.security.truststoreType=JKS
nifi.zookeeper.security.truststorePasswd=truststorePassword
```

and the state-management.xml:

```
<cluster-provider>
    <id>zk-provider</id>
    <class>org.apache.nifi.controller.state.providers.zookeeper.ZooKeeperStateProvider</class>
    <property name="Connect String">localhost:2281</property>
    <property name="Root Node">/nifi</property>
    <property name="Session Timeout">10 seconds</property>
    <property name="Keystore Filepath">./conf/keystore.jks</property>
    <property name="Keystore Password">keystorePassword</property>
    <property name="Keystore Type">JKS</property>
    <property name="Truststore Filepath">./conf/truststore.jks</property>
    <property name="Truststore Password">truststorePassword</property>
    <property name="Truststore Type">JKS</property>
</cluster-provider>
```
You should then be able to run a secure cluster, and the leader election and state management will operate over TLS. I used a ListSFTP processor to check the state management was working as expected, checked the values in Zookeeper with the bin/zkCli.sh, and used Wireshark on TCP port 2281 to see the TLS negotiation and traffic. I also verified no traffic was passing on TCP 2181.

----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at: [email protected]
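The test described in the comment (TLS on 2281, nothing on 2181) only works when the three files it configures agree with each other: zoo.cfg must expose a secureClientPort and no plaintext clientPort, and nifi.properties and state-management.xml must both point at that port with the same key and trust stores, since leader election and state management read their TLS settings from different files. The following is an added example written for this page, not code from the NiFi or ZooKeeper projects or from the comment's author; it cross-checks the three fragments. The function and constant names (`check_zk_tls`, `parse_cluster_provider`, `PAIRED_KEYS`) are my own, and the sample inputs are constructed from the fragments in the comment.

```python
"""Added example, not NiFi or ZooKeeper project code: cross-check the ZooKeeper TLS
settings spread across zoo.cfg, nifi.properties and state-management.xml.
The sample inputs below are constructed from the fragments in the PR comment."""
import re
import xml.etree.ElementTree as ET

ZOO_CFG = """\
tickTime=2000
initLimit=10
syncLimit=5
dataDir=/tmp/zookeeper
secureClientPort=2281
"""
NIFI_PROPERTIES = """\
nifi.zookeeper.connect.string=localhost:2281
nifi.zookeeper.client.secure=true
nifi.zookeeper.security.keystore=./conf/keystore.jks
nifi.zookeeper.security.keystoreType=JKS
nifi.zookeeper.security.keystorePasswd=keystorePassword
nifi.zookeeper.security.truststore=./conf/truststore.jks
nifi.zookeeper.security.truststoreType=JKS
nifi.zookeeper.security.truststorePasswd=truststorePassword
"""
STATE_MANAGEMENT_XML = """\
<cluster-provider>
  <id>zk-provider</id>
  <class>org.apache.nifi.controller.state.providers.zookeeper.ZooKeeperStateProvider</class>
  <property name="Connect String">localhost:2281</property>
  <property name="Keystore Filepath">./conf/keystore.jks</property>
  <property name="Keystore Password">keystorePassword</property>
  <property name="Keystore Type">JKS</property>
  <property name="Truststore Filepath">./conf/truststore.jks</property>
  <property name="Truststore Password">truststorePassword</property>
  <property name="Truststore Type">JKS</property>
</cluster-provider>
"""
# nifi.properties key and the state-management.xml property that must carry the same value.
PAIRED_KEYS = [
    ("nifi.zookeeper.security.keystore", "Keystore Filepath"),
    ("nifi.zookeeper.security.keystoreType", "Keystore Type"),
    ("nifi.zookeeper.security.keystorePasswd", "Keystore Password"),
    ("nifi.zookeeper.security.truststore", "Truststore Filepath"),
    ("nifi.zookeeper.security.truststoreType", "Truststore Type"),
    ("nifi.zookeeper.security.truststorePasswd", "Truststore Password"),
]

def parse_properties(text):
    """Minimal key=value parser, enough for zoo.cfg and nifi.properties."""
    props = {}
    for line in map(str.strip, text.splitlines()):
        if "=" in line and not line.startswith(("#", "!")):
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def parse_cluster_provider(xml_text):
    """Properties of the ZooKeeperStateProvider cluster-provider element, keyed by name."""
    root = ET.fromstring(xml_text)
    for provider in root.iter("cluster-provider"):  # iter() also yields the root itself
        if provider.findtext("class", "").endswith("ZooKeeperStateProvider"):
            return {p.get("name"): (p.text or "").strip() for p in provider.findall("property")}
    return {}

def ports_of(connect_string):
    """Ports named in a host:port[,host:port] string; a bare host means ZK's default 2181."""
    matches = (re.search(r":(\d+)$", h.strip()) for h in connect_string.split(","))
    return {int(m.group(1)) if m else 2181 for m in matches}

def check_zk_tls(zoo_cfg, nifi_properties, state_management_xml):
    """Return a list of findings; an empty list means the three files agree on TLS."""
    zk = parse_properties(zoo_cfg)
    nifi = parse_properties(nifi_properties)
    sm = parse_cluster_provider(state_management_xml)
    findings = []
    secure_port = zk.get("secureClientPort")
    if secure_port is None:
        findings.append("zoo.cfg: no secureClientPort, so ZooKeeper has no TLS listener")
    if "clientPort" in zk:  # the comment's zoo.cfg deliberately omits this
        findings.append(f"zoo.cfg: clientPort={zk['clientPort']} leaves a plaintext listener open")
    if nifi.get("nifi.zookeeper.client.secure", "false").lower() != "true":
        findings.append("nifi.properties: nifi.zookeeper.client.secure is not true")
    nifi_cs = nifi.get("nifi.zookeeper.connect.string", "")
    sm_cs = sm.get("Connect String", "")
    if nifi_cs != sm_cs:
        findings.append("connect strings differ between nifi.properties and state-management.xml")
    for label, cs in (("nifi.properties", nifi_cs), ("state-management.xml", sm_cs)):
        if secure_port and ports_of(cs) != {int(secure_port)}:
            findings.append(f"{label}: connect string '{cs}' does not use secureClientPort {secure_port}")
    for nkey, skey in PAIRED_KEYS:
        nval, sval = nifi.get(nkey), sm.get(skey)
        for label, key, val in (("nifi.properties", nkey, nval), ("state-management.xml", skey, sval)):
            if not val:
                findings.append(f"{label}: '{key}' is missing")
        if nval and sval and nval != sval:
            findings.append(f"'{nkey}' and '{skey}' disagree")
    return findings
```

Run `check_zk_tls(ZOO_CFG, NIFI_PROPERTIES, STATE_MANAGEMENT_XML)` against the real files to get a list of findings; an empty list is the expected result for the configuration in the comment. The check does not cover the `SERVER_JVMFLAGS` export (the Netty connection factory and the server-side key and trust stores), which lives in the environment rather than in zoo.cfg, so the Wireshark check on 2281 and 2181 that the comment describes is still the final word.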
