jfrazee commented on a change in pull request #4753:
URL: https://github.com/apache/nifi/pull/4753#discussion_r561224503



##########
File path: nifi-docs/src/main/asciidoc/administration-guide.adoc
##########
@@ -2246,6 +2246,53 @@ _true_. Once Netty is enabled, you should see log 
messages like the following in
 2020-02-24 23:37:54,082 INFO [nioEventLoopGroup-3-1] 
o.apache.zookeeper.ClientCnxnSocketNetty SSL handler added for channel: [id: 
0xa831f9c3]
 2020-02-24 23:37:54,104 INFO [nioEventLoopGroup-3-1] 
o.apache.zookeeper.ClientCnxnSocketNetty channel is connected: [id: 0xa831f9c3, 
L:/172.17.0.4:56510 - R:8e38869cd1d1/172.17.0.3:2281]
 
+=== Embedded ZooKeeper with TLS
+
+A NiFi cluster can also be deployed using a ZooKeeper instance(s) embedded in 
NiFi itself which all nodes can communicate with. Communication between nodes 
and this embedded ZooKeeper can also be secured with TLS. The configuration for 
the client side of the connection will operate in the same way as an external 
ZooKeeper. That is, it will use the `+nifi.security.*+` properties from the 
nifi.properties file by default, unless you specifiy explicit ZooKeeper 
keystore/truststore properties with `+nifi.zookeeper.security.*+` as described 
above.
+
+The server configuration will operate in the same way as an insecure embedded 
server, but with the `+secureClientPort+` set (typically port `+2281+`).
+
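Review bot: "specifiy" in the first added paragraph is a typo for "specify", and "a ZooKeeper instance(s)" mixes singular and plural; "one or more ZooKeeper instances embedded in NiFi itself" would read cleanly. In the same paragraph, nifi.properties is plain text while the property names around it carry markup, so give the file name consistent formatting. The server paragraph says `secureClientPort` is set but does not name the file it belongs in, and it does not say what happens to an existing `clientPort` entry; a sentence covering both would spare readers from guessing whether a plaintext listener stays open alongside the TLS one.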

Review comment:
       We should add something like this:
   ```suggestion
   NOTE: When using a secure server, the secure embedded ZooKeeper server 
ignores any +clientPort+ or +clientPortAddress+ specified in 
_$NIFI_HOME/conf/zookeeper.properties_. I.e., if the NiFi-embedded ZooKeeper 
exposes a +secureClientPort+ it will not expose an insecure +clientPort+ 
regardless of configuration. This is a behavioral difference between the 
embedded server and an external ZooKeeper server.
   
   ```



