thenatog commented on a change in pull request #4753:
URL: https://github.com/apache/nifi/pull/4753#discussion_r561219030
##########
File path:
nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-framework-core/src/main/java/org/apache/nifi/controller/state/server/ZooKeeperStateServer.java
##########
@@ -198,6 +219,144 @@ public static ZooKeeperStateServer create(final
NiFiProperties properties) throw
zkProperties.load(bis);
}
- return new ZooKeeperStateServer(zkProperties);
+ return new ZooKeeperStateServer(reconcileProperties(properties,
zkProperties));
+ }
+
+ /**
+ * Reconcile properties between the nifi.properties and
zookeeper.properties (zoo.cfg) files. Most of the ZooKeeper server properties
are derived from
+ * the zookeeper.properties file, while the TLS key/truststore properties
are taken from nifi.properties.
+ * @param niFiProperties NiFiProperties file containing ZooKeeper client
and TLS configuration
+ * @param zkProperties The zookeeper.properties file containing Zookeeper
server configuration
+ * @return A reconciled QuorumPeerConfig which will include TLS properties
set if they are available.
+ * @throws IOException If configuration files fail to parse.
+ * @throws ConfigException If secure configuration is not as expected.
Check administration documentation.
+ */
+ private static QuorumPeerConfig reconcileProperties(NiFiProperties
niFiProperties, Properties zkProperties) throws IOException, ConfigException {
+ QuorumPeerConfig peerConfig = new QuorumPeerConfig();
+ peerConfig.parseProperties(zkProperties);
+
+ final boolean niFiConfigIsSecure =
isNiFiConfigSecureForZooKeeper(niFiProperties);
+ final boolean zooKeeperConfigIsSecure =
isZooKeeperConfigSecure(peerConfig);
+
+ if (!zooKeeperConfigIsSecure && !niFiConfigIsSecure) {
+ logger.info("{} property is set to false or is not present, and
zookeeper.properties file does not contain secureClientPort property, so
embedded ZooKeeper will be started without TLS.",
+ NiFiProperties.ZOOKEEPER_CLIENT_SECURE);
+ return peerConfig;
+ }
+
+ // If secureClientPort is set but no TLS config is set, fail to start.
+ if (zooKeeperConfigIsSecure && !niFiConfigIsSecure) {
+ throw new ConfigException(
+ String.format("Zookeeper properties file %s was configured
to be secure but there was no valid TLS config present in nifi.properties or " +
+ "nifi.zookeeper.client.secure was set to
false. Check the administration guide.",
+
niFiProperties.getProperty(NiFiProperties.STATE_MANAGEMENT_ZOOKEEPER_PROPERTIES)));
+ }
+
+ // Remove any insecure ports if they were set in zookeeper.properties
+ ensureOnlySecurePortsAreEnabled(peerConfig, zkProperties);
+
+ // Set base ZooKeeper TLS server properties
+ setTlsProperties(zkProperties, new ZooKeeperServerX509Util(),
niFiProperties);
+ // Set quorum ZooKeeper TLS server properties
+ setTlsProperties(zkProperties, new ZooKeeperQuorumX509Util(),
niFiProperties);
+ // Set TLS client port:
+ zkProperties.setProperty("secureClientPort",
getSecurePort(peerConfig));
+
+ // Set the required connection factory for TLS
+ zkProperties.setProperty(ZOOKEEPER_SERVER_CNXN_FACTORY,
NettyServerCnxnFactory.class.getName());
+ zkProperties.setProperty(ZOOKEEPER_SSL_QUORUM,
Boolean.TRUE.toString());
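Review bot: peerConfig is built from zkProperties by `peerConfig.parseProperties(zkProperties)` at the top of reconcileProperties(), before secureClientPort, ZOOKEEPER_SERVER_CNXN_FACTORY and ZOOKEEPER_SSL_QUORUM are written into zkProperties at the end of the hunk; unless the config is re-parsed after those setProperty calls (not visible here), the QuorumPeerConfig handed to the ZooKeeperStateServer constructor will not reflect the TLS port, the Netty connection factory or sslQuorum, and the server could come up on the insecure settings parsed earlier. Suggest parsing into a fresh QuorumPeerConfig after the last setProperty call (or documenting in the Javadoc that the returned config reflects the mutated zkProperties). Also, the "embedded ZooKeeper will be started without TLS" message on the non-secure path is logged at info; since this is the one branch that silently produces an unencrypted state server, logging it at warn would make the condition easier to spot in operations.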
Review comment:
setTlsProperties() is setting the 'system' level properties for the
keystores, i.e. ssl.keyStore.location and ssl.quorum.keyStore.location. These
above properties are only set once and do not use the same property naming
scheme.
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
[email protected]