exceptionfactory commented on a change in pull request #4594:
URL: https://github.com/apache/nifi/pull/4594#discussion_r503306827
##########
File path:
nifi-nar-bundles/nifi-cdc/nifi-cdc-mysql-bundle/nifi-cdc-mysql-processors/src/main/java/org/apache/nifi/cdc/mysql/processors/CaptureChangeMySQL.java
##########
@@ -362,6 +377,23 @@
.expressionLanguageSupported(ExpressionLanguageScope.VARIABLE_REGISTRY)
.build();
+ public static final PropertyDescriptor SSL_CONTEXT_SERVICE = new
PropertyDescriptor.Builder()
+ .name("SSL Context Service")
+ .displayName("SSL Context Service")
+ .description("SSL Context Service supporting encrypted socket
communication")
+ .required(false)
+ .identifiesControllerService(SSLContextService.class)
+ .build();
+
+ public static final PropertyDescriptor SSL_MODE = new
PropertyDescriptor.Builder()
+ .name("SSL Mode")
+ .displayName("SSL Mode")
+ .description("SSL Mode used when SSL Context Service configured
supporting certificate verification options")
+ .required(true)
+ .defaultValue(SSLMode.DISABLED.toString())
+ .allowableValues(SSL_MODES)
+ .build();
+
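Review bot: SSL_MODE is declared required with a DISABLED default while SSL_CONTEXT_SERVICE is optional, yet nothing in this hunk ties the two properties together, so a configuration with SSL Mode set to REQUIRED or VERIFY_IDENTITY and no SSL Context Service selected passes property validation and its behaviour is decided by code outside this hunk; consider a customValidate rule that rejects any mode other than DISABLED when SSL Context Service is unset (and, conversely, flags a configured service with the mode left at DISABLED), so the mismatch surfaces at validation time rather than as an unexpectedly plaintext or failed binlog connection. The SSL Mode description ("SSL Mode used when SSL Context Service configured supporting certificate verification options") also reads awkwardly; wording such as "Mode applied when an SSL Context Service is configured; controls whether TLS is required and whether the server certificate and hostname are verified" would document the allowable values more clearly.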
Review comment:
Although there is some similarity, the SSLMode options control the
flexibility of the MySQL Binary Log client during TLS negotiation, whereas
ClientAuth influences how an SSL Server Socket would respond. Since the Binary
Log connection is a client, the ClientAuth options are not necessarily
applicable.
SSLMode provides some more lenient connection options, such as PREFERRED,
where the Binary Log client will request SSL, but will still connect and
function if the MySQL server does not support SSL. The VERIFY_IDENTITY option
is a special case that causes the Binary Log client to use a custom
TlsHostnameVerifier to compare the network connected hostname to the
certificate presented. The REQUIRED and VERIFY_CA options result in
essentially the same behavior for the purposes of CaptureChangeMySQL since
SSLContextService always provides the SSLSocketFactory instead of having the
Binary Log client use its own preconfigured factories.
Another option would be attempting to translate ClientAuth values to an
applicable SSLMode, but there isn't a direct correlation, and I think that
would end up being more confusing. Based on how the Binary Log client uses
SSLMode, it might make sense to limit the allowable values to DISABLED,
PREFERRED, REQUIRED, and VERIFY_IDENTITY. As mentioned, the VERIFY_IDENTITY
option is a special case that would be more restrictive than REQUIRED due to
the custom hostname verification. If that sounds too confusing, then it would
be best to simply remove the SSL Mode property and use the presence of an
SSLContextService to set REQUIRED.
----------------------------------------------------------------
This is an automated message from the Apache Git Service.