thenatog commented on a change in pull request #4753:
URL: https://github.com/apache/nifi/pull/4753#discussion_r558418712
##########
File path:
nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-framework-core/src/main/java/org/apache/nifi/controller/state/server/ZooKeeperStateServer.java
##########
@@ -36,11 +36,33 @@
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
+import java.net.InetSocketAddress;
+import java.util.HashMap;
+import java.util.Map;
import java.util.Properties;
public class ZooKeeperStateServer extends ZooKeeperServerMain {
private static final Logger logger =
LoggerFactory.getLogger(ZooKeeperStateServer.class);
+ static final int MIN_AVAILABLE_PORT = 2288;
+ static final String SERVER_CNXN_FACTORY =
"org.apache.zookeeper.server.NettyServerCnxnFactory";
+ static final String ZOOKEEPER_SSL_QUORUM = "sslQuorum";
+ static final String ZOOKEEPER_PORT_UNIFICATION = "portUnification";
+
+ static final Map<String, String> ZOOKEEPER_TLS_TO_NIFI_PROPERTIES = new
HashMap<String, String>() {{
+ put("keyStore.location", "security.keystore");
+ put("keyStore.password", "security.keystorePasswd");
+ put("keyStore.type", "security.keystoreType");
+ put("trustStore.location", "security.truststore");
+ put("trustStore.password", "security.truststorePasswd");
+ put("trustStore.type", "security.truststoreType");
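Review bot: ZOOKEEPER_TLS_TO_NIFI_PROPERTIES is built with double-brace initialization (`new HashMap<String, String>() {{ ... }}`), which creates an anonymous HashMap subclass and leaves a mutable map behind a package-visible static final reference, so the keystore and truststore property mapping can be altered at runtime by any code in the package. Consider populating the map in a static initializer and wrapping it with Collections.unmodifiableMap(...). MIN_AVAILABLE_PORT = 2288 would also benefit from a short comment explaining why that value is the lower bound.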
Review comment:
Okay so I've updated with a new commit. Let me know what you think now.
It's still a little less than ideal - the issue is that when I initialize the
ZooKeeper server, it is looking for ssl.keyStore.location,
ssl.quorum.keyStore.location etc, but when I use the X509Util it is setting it
as zookeeper.ssl.keyStore.location which on testing wasn't making the server
secured. I'm not seeing in the ZooKeeper source code why exactly this is the
case, or any X509Util which doesn't set the "zookeeper." prefix. So I added
two of my own implementations which set these. I'm all ears for other options.
ZooKeeper docs:
> ssl.keyStore.location and ssl.keyStore.password and
> ssl.quorum.keyStore.location and ssl.quorum.keyStore.password : (Java system
> properties: zookeeper.ssl.keyStore.location and zookeeper.ssl.keyStore.password
> and zookeeper.ssl.quorum.keyStore.location and
> zookeeper.ssl.quorum.keyStore.password) New in 3.5.5: Specifies the file path
> to a Java keystore containing the local credentials to be used for client and
> quorum TLS connections, and the password to unlock the file.