Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

NIFI-8096 Deprecated ClientAuth references in SSLContextService #4737

Closed
wants to merge 2 commits into from
Closed

NIFI-8096 Deprecated ClientAuth references in SSLContextService #4737

wants to merge 2 commits into from

Conversation

exceptionfactory
Copy link
Contributor

Description of PR

NIFI-8096 Deprecates createSSLContext() methods in SSLContextService and adds a createContext() method that does not use the ClientAuth enumeration. Updated extension components to use SSLContextService.createContext() in place of deprecated methods.

Removed references to ClientAuth from internal SslContextFactory class, and refactored framework classes to eliminate unnecessary usage of ClientAuth.

Updated ListenHTTP to call SslContextBuilder.Server.setNeedClientAuth(true) when the Client Authentication property is REQUIRED and call setWantClientAuth(true) when the Client Authentication property is WANT.

These changes remove attempts in SslContextFactory to modify the default SSLParameters object, which is a read-only representation for the Java Virtual Machine configuration. Deprecating methods on SSLContextService that use ClientAuth is necessary to clarify component behavior.

In order to streamline the review of the contribution we ask you
to ensure the following steps have been taken:

For all changes:

  • Is there a JIRA ticket associated with this PR? Is it referenced
    in the commit message?

  • Does your PR title start with NIFI-XXXX where XXXX is the JIRA number you are trying to resolve? Pay particular attention to the hyphen "-" character.

  • Has your PR been rebased against the latest commit within the target branch (typically main)?

  • Is your initial contribution a single, squashed commit? Additional commits in response to PR reviewer feedback should be made on this branch and pushed to allow change tracking. Do not squash or use --force when pushing to allow for clean monitoring of changes.

For code changes:

  • Have you ensured that the full suite of tests is executed via mvn -Pcontrib-check clean install at the root nifi folder?
  • Have you written or updated unit tests to verify your changes?
  • Have you verified that the full build is successful on JDK 8?
  • Have you verified that the full build is successful on JDK 11?
  • If adding new dependencies to the code, are these dependencies licensed in a way that is compatible for inclusion under ASF 2.0?
  • If applicable, have you updated the LICENSE file, including the main LICENSE file under nifi-assembly?
  • If applicable, have you updated the NOTICE file, including the main NOTICE file found under nifi-assembly?
  • If adding new Properties, have you added .displayName in addition to .name (programmatic access) for each of the new properties?

For documentation related changes:

  • Have you ensured that format looks appropriate for the output in which it is rendered?

Note:

Please ensure that once the PR is submitted, you check GitHub Actions CI for build issues and submit an update to your PR as soon as possible.

@exceptionfactory
NIFI-8096 Deprecated ClientAuth references in SSLContextService
3d06174 
- Added SSLContextService.createContext() and refactored referencing components
- Removed references to ClientAuth from SslContextFactory methods
markap14
markap14 requested changes Jan 6, 2021
View reviewed changes
Copy link
Contributor

@markap14 markap14 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks @exceptionfactory for the update. Definitely cleans up a lot of code that wasn't necessary! I did have one concern though, with changing the default value on ListenHTTP from REQUIRE to WANT client auth. We should remain as secure as possible by default.

...le/nifi-ssl-context-service/src/main/java/org/apache/nifi/ssl/StandardSSLContextService.java Show resolved Hide resolved
...le/nifi-ssl-context-service/src/main/java/org/apache/nifi/ssl/StandardSSLContextService.java Show resolved Hide resolved
...rvices/nifi-ssl-context-service-api/src/main/java/org/apache/nifi/ssl/SSLContextService.java Show resolved Hide resolved
...rvices/nifi-ssl-context-service-api/src/main/java/org/apache/nifi/ssl/SSLContextService.java Show resolved Hide resolved
...e/nifi-standard-processors/src/main/java/org/apache/nifi/processors/standard/ListenHTTP.java Outdated
@@ -193,7 +193,7 @@
.description("Client Authentication policy for TLS connections. Required when SSL Context Service configured.")
.required(false)
.allowableValues(ClientAuth.values())
.defaultValue(ClientAuth.REQUIRED.name())
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't think we want to make this change. The default value should always lean toward being more secure, not less secure. And if I set an SSL Context on the processor, I would assume mutual auth is going to happen unless i explicitly change it. This is especially true, since that's always been the behavior in the past.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Previous behavior inferred requiring a client certificate when the SSLContextService was configured with trust store properties, falling back to wanting a client certificate in the absence of trust store properties. Making REQUIRED the default value going forward sounds like the best approach. Perhaps putting a comment in future release notes indicating this change in behavior would be worthwhile for users of ListenHTTP who do not require clients to provide certificates.

@exceptionfactory
Copy link
Contributor Author

Thanks for the review @markap14. I pushed an update to address your comments.

@markap14 markap14 closed this in 817f621 Jan 6, 2021
@markap14
Copy link
Contributor

markap14 commented Jan 6, 2021

Thanks @exceptionfactory! All looks good. +1 merged to main

driesva pushed a commit to driesva/nifi that referenced this pull request Mar 19, 2021
@exceptionfactory @driesva
NIFI-8096 Deprecated ClientAuth references in SSLContextService
1af9e5d 
- Added SSLContextService.createContext() and refactored referencing components
- Removed references to ClientAuth from SslContextFactory methods

This closes apache#4737.

Signed-off-by: Mark Payne <markap14@hotmail.com>
krisztina-zsihovszki pushed a commit to krisztina-zsihovszki/nifi that referenced this pull request Jun 28, 2022
@exceptionfactory @krisztina-zsihovszki
NIFI-8096 Deprecated ClientAuth references in SSLContextService
56c2552 
- Added SSLContextService.createContext() and refactored referencing components
- Removed references to ClientAuth from SslContextFactory methods

This closes apache#4737.

Signed-off-by: Mark Payne <markap14@hotmail.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@markap14 markap14 Awaiting requested review from markap14

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@exceptionfactory @markap14