-
Notifications
You must be signed in to change notification settings - Fork 2.6k
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
NIFI-11536 Corrected Keystore and Truststore auto-reloading
- Replaced Jetty KeyStoreScanner and custom TrustStoreScanner with shared StoreScanner - New StoreScanner uses TLS Configuration to reload SSLContext instead of relying on Jetty SslContextFactory properties This closes #7446 Signed-off-by: David Handermann <exceptionfactory@apache.org>
- Loading branch information
1 parent
d24318c
commit a85ef2c
Showing
6 changed files
with
308 additions
and
247 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
158 changes: 158 additions & 0 deletions
158
...ework/nifi-web/nifi-jetty/src/main/java/org/apache/nifi/web/server/util/StoreScanner.java
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,158 @@ | ||
/* | ||
* Licensed to the Apache Software Foundation (ASF) under one or more | ||
* contributor license agreements. See the NOTICE file distributed with | ||
* this work for additional information regarding copyright ownership. | ||
* The ASF licenses this file to You under the Apache License, Version 2.0 | ||
* (the "License"); you may not use this file except in compliance with | ||
* the License. You may obtain a copy of the License at | ||
* | ||
* http://www.apache.org/licenses/LICENSE-2.0 | ||
* | ||
* Unless required by applicable law or agreed to in writing, software | ||
* distributed under the License is distributed on an "AS IS" BASIS, | ||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
* See the License for the specific language governing permissions and | ||
* limitations under the License. | ||
*/ | ||
package org.apache.nifi.web.server.util; | ||
|
||
import org.apache.nifi.security.util.TlsConfiguration; | ||
import org.apache.nifi.security.util.TlsException; | ||
import org.eclipse.jetty.util.Scanner; | ||
import org.eclipse.jetty.util.annotation.ManagedAttribute; | ||
import org.eclipse.jetty.util.annotation.ManagedOperation; | ||
import org.eclipse.jetty.util.component.ContainerLifeCycle; | ||
import org.eclipse.jetty.util.log.Log; | ||
import org.eclipse.jetty.util.log.Logger; | ||
import org.eclipse.jetty.util.resource.Resource; | ||
import org.eclipse.jetty.util.ssl.SslContextFactory; | ||
|
||
import javax.net.ssl.SSLContext; | ||
import java.io.File; | ||
import java.io.IOException; | ||
import java.util.Collections; | ||
|
||
import static org.apache.nifi.security.util.SslContextFactory.createSslContext; | ||
|
||
/** | ||
* File Scanner for Keystore or Truststore reloading using provided TLS Configuration | ||
*/ | ||
public class StoreScanner extends ContainerLifeCycle implements Scanner.DiscreteListener { | ||
private static final Logger LOG = Log.getLogger(StoreScanner.class); | ||
|
||
private final SslContextFactory sslContextFactory; | ||
private final TlsConfiguration tlsConfiguration; | ||
private final File file; | ||
private final Scanner scanner; | ||
private final String resourceName; | ||
|
||
public StoreScanner(final SslContextFactory sslContextFactory, | ||
final TlsConfiguration tlsConfiguration, | ||
final Resource resource) { | ||
this.sslContextFactory = sslContextFactory; | ||
this.tlsConfiguration = tlsConfiguration; | ||
this.resourceName = resource.getName(); | ||
try { | ||
File monitoredFile = resource.getFile(); | ||
if (monitoredFile == null || !monitoredFile.exists()) { | ||
throw new IllegalArgumentException(String.format("%s file does not exist", resourceName)); | ||
} | ||
if (monitoredFile.isDirectory()) { | ||
throw new IllegalArgumentException(String.format("expected %s file not directory", resourceName)); | ||
} | ||
|
||
if (resource.getAlias() != null) { | ||
// this resource has an alias, use the alias, as that's what's returned in the Scanner | ||
monitoredFile = new File(resource.getAlias()); | ||
} | ||
|
||
file = monitoredFile; | ||
if (LOG.isDebugEnabled()) { | ||
LOG.debug("File monitoring started {} [{}]", resourceName, monitoredFile); | ||
} | ||
} catch (final IOException e) { | ||
throw new IllegalArgumentException(String.format("could not obtain %s file", resourceName), e); | ||
} | ||
|
||
File parentFile = file.getParentFile(); | ||
if (!parentFile.exists() || !parentFile.isDirectory()) { | ||
throw new IllegalArgumentException(String.format("error obtaining %s dir", resourceName)); | ||
} | ||
|
||
scanner = new Scanner(); | ||
scanner.setScanDirs(Collections.singletonList(parentFile)); | ||
scanner.setScanInterval(1); | ||
scanner.setReportDirs(false); | ||
scanner.setReportExistingFilesOnStartup(false); | ||
scanner.setScanDepth(1); | ||
scanner.addListener(this); | ||
addBean(scanner); | ||
} | ||
|
||
@Override | ||
public void fileAdded(final String filename) { | ||
LOG.debug("Resource [{}] File [{}] added", resourceName, filename); | ||
reloadMatched(filename); | ||
} | ||
|
||
@Override | ||
public void fileChanged(final String filename) { | ||
LOG.debug("Resource [{}] File [{}] changed", resourceName, filename); | ||
reloadMatched(filename); | ||
} | ||
|
||
@Override | ||
public void fileRemoved(final String filename) { | ||
LOG.debug("Resource [{}] File [{}] removed", resourceName, filename); | ||
reloadMatched(filename); | ||
} | ||
|
||
@ManagedOperation( | ||
value = "Scan for changes in the SSL Keystore/Truststore", | ||
impact = "ACTION" | ||
) | ||
public void scan() { | ||
LOG.debug("Resource [{}] scanning started", resourceName); | ||
|
||
this.scanner.scan(); | ||
this.scanner.scan(); | ||
} | ||
|
||
@ManagedOperation( | ||
value = "Reload the SSL Keystore/Truststore", | ||
impact = "ACTION" | ||
) | ||
public void reload() { | ||
LOG.debug("File [{}] reload started", file); | ||
|
||
try { | ||
this.sslContextFactory.reload(contextFactory -> contextFactory.setSslContext(createContext())); | ||
LOG.info("File [{}] reload completed", file); | ||
} catch (final Throwable t) { | ||
LOG.warn("File [{}] reload failed", file, t); | ||
} | ||
} | ||
|
||
@ManagedAttribute("scanning interval to detect changes which need reloaded") | ||
public int getScanInterval() { | ||
return this.scanner.getScanInterval(); | ||
} | ||
|
||
public void setScanInterval(int scanInterval) { | ||
this.scanner.setScanInterval(scanInterval); | ||
} | ||
|
||
private void reloadMatched(final String filename) { | ||
if (file.toPath().toString().equals(filename)) { | ||
reload(); | ||
} | ||
} | ||
|
||
private SSLContext createContext() { | ||
try { | ||
return createSslContext(tlsConfiguration); | ||
} catch (final TlsException e) { | ||
throw new IllegalArgumentException("Failed to create SSL context with the TLS configuration", e); | ||
} | ||
} | ||
} |
151 changes: 0 additions & 151 deletions
151
.../nifi-web/nifi-jetty/src/main/java/org/apache/nifi/web/server/util/TrustStoreScanner.java
This file was deleted.
Oops, something went wrong.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.