thenatog commented on pull request #4753: URL: https://github.com/apache/nifi/pull/4753#issuecomment-763753967
Addressing your first two points:

> - TLS is required for the embedded ZK when cluster TLS is enabled but NiFi won't try to connect securely unless nifi.zookeeper.client.secure is set to true in nifi.properties.
> - Similarly, the embedded ZK won't actually run with TLS enabled unless secureClientPort is set in zookeeper.properties. It appears that clientPort is successfully removed but secureClientPort doesn't get added.

I have put in configuration logic that will stop NiFi from starting if secureClientPort is configured in zookeeper.properties but nifi.zookeeper.client.secure=false. The requirement being that they will need to configure zookeeper.properties with a clientPort value instead.

When starting securely, the intent is to remove any additional clientPort that may allow insecure connections. In contrast, secureClientPort will not be added if clientPort was set but everything else should be secure. The user will need to manually edit the zookeeper.properties file to set secureClientPort.

Let me know what you think of the latest set of commits.
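The property combinations discussed in the comment above can be checked before startup with a small audit script. This is an added example, not code from the pull request or from NiFi; the finding names, the sample files and port numbers are constructed, and a missing nifi.zookeeper.client.secure is assumed to mean false.

```python
# Added example, not NiFi code. Sample files below are constructed.

def parse_properties(text):
    """Parse simple key=value lines, skipping blanks and # / ! comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props

def audit(nifi_text, zk_text):
    """Return finding codes (hypothetical names) for mismatched ZK TLS settings."""
    nifi = parse_properties(nifi_text)
    zk = parse_properties(zk_text)
    # Assumption: a missing nifi.zookeeper.client.secure is treated as false.
    secure = nifi.get("nifi.zookeeper.client.secure", "false").lower() == "true"
    findings = []
    if zk.get("secureClientPort") and not secure:
        # The combination the comment says stops NiFi from starting.
        findings.append("SECURE_PORT_BUT_CLIENT_NOT_SECURE")
    if secure and not zk.get("secureClientPort"):
        # secureClientPort is not added automatically; it must be set by hand.
        findings.append("SECURE_PORT_MISSING")
    if secure and zk.get("clientPort"):
        # A leftover clientPort may allow insecure connections.
        findings.append("PLAINTEXT_PORT_PRESENT")
    return findings

# Constructed sample inputs (port numbers are illustrative).
NIFI_SECURE = "nifi.zookeeper.client.secure=true\n"
NIFI_INSECURE = "# constructed\nnifi.zookeeper.client.secure=false\n"
ZK_PLAIN = "clientPort=2181\n"
ZK_TLS = "secureClientPort=2281\n"

if __name__ == "__main__":
    for nifi_cfg, zk_cfg in [(NIFI_INSECURE, ZK_TLS), (NIFI_SECURE, ZK_PLAIN),
                             (NIFI_SECURE, ZK_TLS), (NIFI_INSECURE, ZK_PLAIN)]:
        print(audit(nifi_cfg, zk_cfg) or "consistent")
```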
