NIFI-4255 - added flag to allow migration of existing (source) acls#2065
NIFI-4255 - added flag to allow migration of existing (source) acls#2065YolandaMDavis wants to merge 1 commit intoapache:masterfrom
Conversation
|
Reviewing... |
| return migratedNode; | ||
| } | ||
|
|
||
| private List<ACL> determineNodeACL(DataStatAclNode node, AuthMode destinationAuthMode, boolean useExistingACL){ |
There was a problem hiding this comment.
Rather than having this method get invoked from transformNode, can you do this as a stage in the completable future before transformNode is invoked? I'd like to keep all the method coordination controlled by the CompletableFuture stages rather than having methods invoke each other.
There was a problem hiding this comment.
Sure no problem
There was a problem hiding this comment.
@jtstorck Rather than have a separate stage I ended up combining this with the previous method. Didn't really see the value of me having it separated out in the first place .
|
spoke with @jtstorck offline and we discussed refactoring a bit to ensure that the logic for determining acls are externalized and staged within the CompletableFuture chain. Committing those changes shortly |
…o destination, update to documentation
YolandaMDavis
force-pushed
the
NIFI-4255
branch
from
332be41 to
cf36ec2
Compare
|
+1 LGTM Made a few minor formatting changes, and moved the spock spec from src/test/java to src/test/groovy. To test this, I ran a KDC and ZK server in a docker container with two principals. I created a node using principal1 that was sasl-secured via principal1, and used the zk migrator to export it to a json file. Then, I manually modified the json file to change the ACL on the node I created to set the owner to principal2. I then used the zk migrator to send the updated json to ZK, using the --ignore-source and --use-existing-acl options. After attempting to access the node as principal1 (which failed as expected), I was able to access the node as princopal2 (as expected). |
|
thank you @jtstorck ! |
2 participants
Testing Recommendations:
Using a secured Zookeeper instance with predefined paths/znodes use the ZK Migrator to first export a json file containing nodes information. Then that json file can be edited to alter or add acls to existing paths. The file can then be reapplied to the source ZK server using the following example command:
./zk-migrator.sh -s -z <zookeeper-server>:2181/nifi -f <zk-node-acl-json-file> -k <client-jaas-file> --ignore-source --use-existing-aclConfirm that acls are applied as expected using the zkCli.sh (or some other ZK Client tool)
Thank you for submitting a contribution to Apache NiFi.
In order to streamline the review of the contribution we ask you
to ensure the following steps have been taken:
For all changes:
Is there a JIRA ticket associated with this PR? Is it referenced
in the commit message?
[ x] Does your PR title start with NIFI-XXXX where XXXX is the JIRA number you are trying to resolve? Pay particular attention to the hyphen "-" character.
Has your PR been rebased against the latest commit within the target branch (typically master)?
Is your initial contribution a single, squashed commit?
For code changes:
For documentation related changes:
Note:
Please ensure that once the PR is submitted, you check travis-ci for build issues and submit an update to your PR as soon as possible.