nifi/nifi-docker/dockerhub/sh/secure.sh

#!/bin/sh -e

#    Licensed to the Apache Software Foundation (ASF) under one or more
#    contributor license agreements.  See the NOTICE file distributed with
#    this work for additional information regarding copyright ownership.
#    The ASF licenses this file to You under the Apache License, Version 2.0
#    (the "License"); you may not use this file except in compliance with
#    the License.  You may obtain a copy of the License at
#
#       http://www.apache.org/licenses/LICENSE-2.0
#
#    Unless required by applicable law or agreed to in writing, software
#    distributed under the License is distributed on an "AS IS" BASIS,
#    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
#    See the License for the specific language governing permissions and
#    limitations under the License.

[ -f /opt/nifi/scripts/common.sh ] && . /opt/nifi/scripts/common.sh

# Perform idempotent changes of configuration to support secure environments
echo 'Configuring environment with SSL settings'

: ${KEYSTORE_PATH:?"Must specify an absolute path to the keystore being used."}
if [ ! -f "${KEYSTORE_PATH}" ]; then
    echo "Keystore file specified (${KEYSTORE_PATH}) does not exist."
    exit 1
fi
: ${KEYSTORE_TYPE:?"Must specify the type of keystore (JKS, PKCS12, PEM) of the keystore being used."}
: ${KEYSTORE_PASSWORD:?"Must specify the password of the keystore being used."}

: ${TRUSTSTORE_PATH:?"Must specify an absolute path to the truststore  being used."}
if [ ! -f "${TRUSTSTORE_PATH}" ]; then
    echo "Keystore file specified (${TRUSTSTORE_PATH}) does not exist."
    exit 1
fi
: ${TRUSTSTORE_TYPE:?"Need to set DEST non-empty"}
: ${TRUSTSTORE_PASSWORD:?"Need to set DEST non-empty"}

prop_replace 'nifi.security.keystore'           "${KEYSTORE_PATH}"
prop_replace 'nifi.security.keystoreType'       "${KEYSTORE_TYPE}"
prop_replace 'nifi.security.keystorePasswd'     "${KEYSTORE_PASSWORD}"
prop_replace 'nifi.security.truststore'         "${TRUSTSTORE_PATH}"
prop_replace 'nifi.security.truststoreType'     "${TRUSTSTORE_TYPE}"
prop_replace 'nifi.security.truststorePasswd'   "${TRUSTSTORE_PASSWORD}"

# Disable HTTP and enable HTTPS
prop_replace 'nifi.web.http.port'   ''
prop_replace 'nifi.web.http.host'   ''
prop_replace 'nifi.web.https.port'  '8443'
prop_replace 'nifi.web.https.host'  "${hostname}"
prop_replace 'nifi.remote.input.secure' 'true'

# Establish initial user and an associated admin identity
sed -i -e 's|<property name="Initial User Identity 1"></property>|<property name="Initial User Identity 1">'"${INITIAL_ADMIN_IDENTITY}"'</property>|'  ${NIFI_HOME}/conf/authorizers.xml
sed -i -e 's|<property name="Initial Admin Identity"></property>|<property name="Initial Admin Identity">'"${INITIAL_ADMIN_IDENTITY}"'</property>|'  ${NIFI_HOME}/conf/authorizers.xml
NIFI-4530: This closes #2329. Initial support for two-way SSL user authentication in the Docker image. Signed-off-by: joewitt <joewitt@apache.org> 2017-11-28 20:00:32 -05:00			`#!/bin/sh -e`

			`# Licensed to the Apache Software Foundation (ASF) under one or more`
			`# contributor license agreements. See the NOTICE file distributed with`
			`# this work for additional information regarding copyright ownership.`
			`# The ASF licenses this file to You under the Apache License, Version 2.0`
			`# (the "License"); you may not use this file except in compliance with`
			`# the License. You may obtain a copy of the License at`
			`#`
			`# http://www.apache.org/licenses/LICENSE-2.0`
			`#`
			`# Unless required by applicable law or agreed to in writing, software`
			`# distributed under the License is distributed on an "AS IS" BASIS,`
			`# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.`
			`# See the License for the specific language governing permissions and`
			`# limitations under the License.`

			`[ -f /opt/nifi/scripts/common.sh ] && . /opt/nifi/scripts/common.sh`

			`# Perform idempotent changes of configuration to support secure environments`
			`echo 'Configuring environment with SSL settings'`

			`: ${KEYSTORE_PATH:?"Must specify an absolute path to the keystore being used."}`
			`if [ ! -f "${KEYSTORE_PATH}" ]; then`
			`echo "Keystore file specified (${KEYSTORE_PATH}) does not exist."`
			`exit 1`
			`fi`
			`: ${KEYSTORE_TYPE:?"Must specify the type of keystore (JKS, PKCS12, PEM) of the keystore being used."}`
			`: ${KEYSTORE_PASSWORD:?"Must specify the password of the keystore being used."}`

			`: ${TRUSTSTORE_PATH:?"Must specify an absolute path to the truststore being used."}`
			`if [ ! -f "${TRUSTSTORE_PATH}" ]; then`
			`echo "Keystore file specified (${TRUSTSTORE_PATH}) does not exist."`
			`exit 1`
			`fi`
			`: ${TRUSTSTORE_TYPE:?"Need to set DEST non-empty"}`
			`: ${TRUSTSTORE_PASSWORD:?"Need to set DEST non-empty"}`

			`prop_replace 'nifi.security.keystore' "${KEYSTORE_PATH}"`
			`prop_replace 'nifi.security.keystoreType' "${KEYSTORE_TYPE}"`
			`prop_replace 'nifi.security.keystorePasswd' "${KEYSTORE_PASSWORD}"`
			`prop_replace 'nifi.security.truststore' "${TRUSTSTORE_PATH}"`
			`prop_replace 'nifi.security.truststoreType' "${TRUSTSTORE_TYPE}"`
			`prop_replace 'nifi.security.truststorePasswd' "${TRUSTSTORE_PASSWORD}"`

			`# Disable HTTP and enable HTTPS`
			`prop_replace 'nifi.web.http.port' ''`
			`prop_replace 'nifi.web.http.host' ''`
			`prop_replace 'nifi.web.https.port' '8443'`
			`prop_replace 'nifi.web.https.host' "${hostname}"`
			`prop_replace 'nifi.remote.input.secure' 'true'`

			`# Establish initial user and an associated admin identity`
			`sed -i -e 's\|<property name="Initial User Identity 1"></property>\|<property name="Initial User Identity 1">'"${INITIAL_ADMIN_IDENTITY}"'</property>\|' ${NIFI_HOME}/conf/authorizers.xml`
			`sed -i -e 's\|<property name="Initial Admin Identity"></property>\|<property name="Initial Admin Identity">'"${INITIAL_ADMIN_IDENTITY}"'</property>\|' ${NIFI_HOME}/conf/authorizers.xml`