NIFI-4530: This closes #2329. Initial support for two-way SSL user authentication in the Docker image.

Signed-off-by: joewitt <joewitt@apache.org>

nifi-docker/dockerhub/Dockerfile

@@ -17,7 +17,8 @@
 #
 
 FROM openjdk:8-jre
-LABEL maintainer "Apache NiFi <dev@nifi.apache.org>"
+LABEL maintainer="Apache NiFi <dev@nifi.apache.org>"
+LABEL site="https://nifi.apache.org"
 
 ARG UID=1000
 ARG GID=1000
@@ -25,29 +26,30 @@ ARG NIFI_VERSION=1.5.0
 ARG MIRROR=https://archive.apache.org/dist
 
 ENV NIFI_BASE_DIR /opt/nifi 
-ENV NIFI_HOME=$NIFI_BASE_DIR/nifi-$NIFI_VERSION \
-    NIFI_BINARY_URL=/nifi/$NIFI_VERSION/nifi-$NIFI_VERSION-bin.tar.gz
+ENV NIFI_HOME=${NIFI_BASE_DIR}/nifi-${NIFI_VERSION} \
+    NIFI_BINARY_URL=/nifi/${NIFI_VERSION}/nifi-${NIFI_VERSION}-bin.tar.gz
+
+ADD sh/ /opt/nifi/scripts/
 
 # Setup NiFi user
-RUN groupadd -g $GID nifi || groupmod -n nifi `getent group $GID | cut -d: -f1` \
-    && useradd --shell /bin/bash -u $UID -g $GID -m nifi \
-    && mkdir -p $NIFI_HOME/conf/templates \
-    && chown -R nifi:nifi $NIFI_BASE_DIR
+RUN groupadd -g ${GID} nifi || groupmod -n nifi `getent group ${GID} | cut -d: -f1` \
+    && useradd --shell /bin/bash -u ${UID} -g ${GID} -m nifi \
+    && mkdir -p ${NIFI_HOME}/conf/templates \
+    && chown -R nifi:nifi ${NIFI_BASE_DIR}
 
 USER nifi
 
 # Download, validate, and expand Apache NiFi binary.
-RUN curl -fSL $MIRROR/$NIFI_BINARY_URL -o $NIFI_BASE_DIR/nifi-$NIFI_VERSION-bin.tar.gz \
-    && echo "$(curl https://archive.apache.org/dist/$NIFI_BINARY_URL.sha256) *$NIFI_BASE_DIR/nifi-$NIFI_VERSION-bin.tar.gz" | sha256sum -c - \
-    && tar -xvzf $NIFI_BASE_DIR/nifi-$NIFI_VERSION-bin.tar.gz -C $NIFI_BASE_DIR \
-    && rm $NIFI_BASE_DIR/nifi-$NIFI_VERSION-bin.tar.gz \
-    && chown -R nifi:nifi $NIFI_HOME
+RUN curl -fSL ${MIRROR}/${NIFI_BINARY_URL} -o ${NIFI_BASE_DIR}/nifi-${NIFI_VERSION}-bin.tar.gz \
+    && echo "$(curl https://archive.apache.org/dist/${NIFI_BINARY_URL}.sha256) *${NIFI_BASE_DIR}/nifi-${NIFI_VERSION}-bin.tar.gz" | sha256sum -c - \
+    && tar -xvzf ${NIFI_BASE_DIR}/nifi-${NIFI_VERSION}-bin.tar.gz -C ${NIFI_BASE_DIR} \
+    && rm ${NIFI_BASE_DIR}/nifi-${NIFI_VERSION}-bin.tar.gz \
+    && chown -R nifi:nifi ${NIFI_HOME}
 
-# Web HTTP Port & Remote Site-to-Site Ports
-EXPOSE 8080 8181
+# Web HTTP(s) & Socket Site-to-Site Ports
+EXPOSE 8080 8443 10000
 
-WORKDIR $NIFI_HOME
+WORKDIR ${NIFI_HOME}
 
-# Startup NiFi
-ENTRYPOINT ["bin/nifi.sh"]
-CMD ["run"]
+# Apply configuration and start NiFi
+CMD ${NIFI_BASE_DIR}/scripts/start.sh

nifi-docker/dockerhub/README.md

@@ -0,0 +1,91 @@
+<!--
+  Licensed to the Apache Software Foundation (ASF) under one or more
+  contributor license agreements.  See the NOTICE file distributed with
+  this work for additional information regarding copyright ownership.
+  The ASF licenses this file to You under the Apache License, Version 2.0
+  (the "License"); you may not use this file except in compliance with
+  the License.  You may obtain a copy of the License at
+      http://www.apache.org/licenses/LICENSE-2.0
+  Unless required by applicable law or agreed to in writing, software
+  distributed under the License is distributed on an "AS IS" BASIS,
+  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  See the License for the specific language governing permissions and
+  limitations under the License.
+-->
+
+# Docker Image Quickstart
+
+## Capabilities
+This image currently supports running in standalone mode either unsecured or with Two-Way SSL.
+
+More capabilities will continue to be added and made available from the 
+
+## Building
+The Docker image can be built using the following command:
+
+    docker build -t apache/nifi:latest .
+
+This build will result in an image tagged apache/nifi:latest
+
+    # user @ puter in ~/Development/code/apache/nifi/nifi-docker/dockerhub
+    $ docker images
+    REPOSITORY               TAG                 IMAGE ID            CREATED                 SIZE
+    apache/nifi              latest              f0f564eed149        A long, long time ago   1.62GB
+
+**Note**: The default version of NiFi specified by the Dockerfile is typically that of one that is unreleased if working from source.
+To build an image for a prior released version, one can override the `NIFI_VERSION` build-arg with the following command:
+    
+    docker build --build-arg=NIFI_VERSION={Desired NiFi Version} -t apache/nifi:latest .
+
+There is, however, no guarantee that older versions will work as properties have changed and evolved with subsequent releases.
+The configuration scripts are suitable for at least 1.4.0+.
+
+## Running a container
+
+### Standalone Instance, Unsecured
+The minimum to run a NiFi instance is as follows:
+
+    docker run --name nifi \
+      -p 18080:8080 \
+      -d \
+      apache/nifi:latest
+      
+This will provide a running instance, exposing the instance UI to the host system on at port 18080,
+viewable at `http://localhost:18080/nifi`.
+        
+### Standalone Instance, Two-Way SSL
+In this configuration, the user will need to provide certificates and the associated configuration information.
+Of particular note, is the `AUTH` environment variable which is set to `tls`.  Additionally, the user must provide an
+the DN as provided by an accessing client certificate in the `INITIAL_ADMIN_IDENTITY` environment variable.
+This value will be used to seed the instance with an initial user with administrative privileges.
+Finally, this command makes use of a volume to provide certificates on the host system to the container instance.
+
+    docker run --name nifi \
+      -v /User/dreynolds/certs/localhost:/opt/certs \
+      -p 18443:8443 \
+      -e AUTH=tls \
+      -e KEYSTORE_PATH=/opt/certs/keystore.jks \
+      -e KEYSTORE_TYPE=JKS \
+      -e KEYSTORE_PASSWORD=QKZv1hSWAFQYZ+WU1jjF5ank+l4igeOfQRp+OSbkkrs \
+      -e TRUSTSTORE_PATH=/opt/certs/truststore.jks \
+      -e TRUSTSTORE_PASSWORD=rHkWR1gDNW3R9hgbeRsT3OM3Ue0zwGtQqcFKJD2EXWE \
+      -e TRUSTSTORE_TYPE=JKS \
+      -e INITIAL_ADMIN_IDENTITY='CN=Random User, O=Apache, OU=NiFi, C=US' \
+      -d \
+      apache/nifi:latest
+
+
+## Configuration Information
+The following ports are specified by the Docker container for NiFi operation within the container and 
+can be published to the host.
+
+| Function                 | Property                      | Port  |
+|--------------------------|-------------------------------|-------|
+| HTTP Port                | nifi.web.http.port            | 8080  |
+| HTTPS Port               | nifi.web.https.port           | 8443  |
+| Remote Input Socket Port | nifi.remote.input.socket.port | 10000 |
+
+
+
+
+  

nifi-docker/dockerhub/sh/common.sh

@@ -0,0 +1,29 @@
+#!/bin/sh -e
+
+#    Licensed to the Apache Software Foundation (ASF) under one or more
+#    contributor license agreements.  See the NOTICE file distributed with
+#    this work for additional information regarding copyright ownership.
+#    The ASF licenses this file to You under the Apache License, Version 2.0
+#    (the "License"); you may not use this file except in compliance with
+#    the License.  You may obtain a copy of the License at
+#
+#       http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS,
+#    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#    See the License for the specific language governing permissions and
+#    limitations under the License.
+
+# 1 - value to search for
+# 2 - value to replace
+# 3 - file to perform replacement inline
+prop_replace () {
+  target_file=${3:-${nifi_props_file}}
+  echo 'replacing target file ' ${target_file}
+  sed -i -e "s|^$1=.*$|$1=$2|"  ${target_file}
+}
+
+# NIFI_HOME is defined by an ENV command in the backing Dockerfile
+export nifi_props_file=${NIFI_HOME}/conf/nifi.properties
+export hostname=$(hostname)

nifi-docker/dockerhub/sh/secure.sh

@@ -0,0 +1,55 @@
+#!/bin/sh -e
+
+#    Licensed to the Apache Software Foundation (ASF) under one or more
+#    contributor license agreements.  See the NOTICE file distributed with
+#    this work for additional information regarding copyright ownership.
+#    The ASF licenses this file to You under the Apache License, Version 2.0
+#    (the "License"); you may not use this file except in compliance with
+#    the License.  You may obtain a copy of the License at
+#
+#       http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS,
+#    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#    See the License for the specific language governing permissions and
+#    limitations under the License.
+
+[ -f /opt/nifi/scripts/common.sh ] && . /opt/nifi/scripts/common.sh
+
+# Perform idempotent changes of configuration to support secure environments
+echo 'Configuring environment with SSL settings'
+
+: ${KEYSTORE_PATH:?"Must specify an absolute path to the keystore being used."}
+if [ ! -f "${KEYSTORE_PATH}" ]; then
+    echo "Keystore file specified (${KEYSTORE_PATH}) does not exist."
+    exit 1
+fi
+: ${KEYSTORE_TYPE:?"Must specify the type of keystore (JKS, PKCS12, PEM) of the keystore being used."}
+: ${KEYSTORE_PASSWORD:?"Must specify the password of the keystore being used."}
+
+: ${TRUSTSTORE_PATH:?"Must specify an absolute path to the truststore  being used."}
+if [ ! -f "${TRUSTSTORE_PATH}" ]; then
+    echo "Keystore file specified (${TRUSTSTORE_PATH}) does not exist."
+    exit 1
+fi
+: ${TRUSTSTORE_TYPE:?"Need to set DEST non-empty"}
+: ${TRUSTSTORE_PASSWORD:?"Need to set DEST non-empty"}
+
+prop_replace 'nifi.security.keystore'           "${KEYSTORE_PATH}"
+prop_replace 'nifi.security.keystoreType'       "${KEYSTORE_TYPE}"
+prop_replace 'nifi.security.keystorePasswd'     "${KEYSTORE_PASSWORD}"
+prop_replace 'nifi.security.truststore'         "${TRUSTSTORE_PATH}"
+prop_replace 'nifi.security.truststoreType'     "${TRUSTSTORE_TYPE}"
+prop_replace 'nifi.security.truststorePasswd'   "${TRUSTSTORE_PASSWORD}"
+
+# Disable HTTP and enable HTTPS
+prop_replace 'nifi.web.http.port'   ''
+prop_replace 'nifi.web.http.host'   ''
+prop_replace 'nifi.web.https.port'  '8443'
+prop_replace 'nifi.web.https.host'  "${hostname}"
+prop_replace 'nifi.remote.input.secure' 'true'
+
+# Establish initial user and an associated admin identity
+sed -i -e 's|<property name="Initial User Identity 1"></property>|<property name="Initial User Identity 1">'"${INITIAL_ADMIN_IDENTITY}"'</property>|'  ${NIFI_HOME}/conf/authorizers.xml
+sed -i -e 's|<property name="Initial Admin Identity"></property>|<property name="Initial Admin Identity">'"${INITIAL_ADMIN_IDENTITY}"'</property>|'  ${NIFI_HOME}/conf/authorizers.xml

nifi-docker/dockerhub/sh/start.sh

@@ -0,0 +1,43 @@
+#!/bin/sh -e
+
+#    Licensed to the Apache Software Foundation (ASF) under one or more
+#    contributor license agreements.  See the NOTICE file distributed with
+#    this work for additional information regarding copyright ownership.
+#    The ASF licenses this file to You under the Apache License, Version 2.0
+#    (the "License"); you may not use this file except in compliance with
+#    the License.  You may obtain a copy of the License at
+#
+#       http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS,
+#    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#    See the License for the specific language governing permissions and
+#    limitations under the License.
+
+[ -f /opt/nifi/scripts/common.sh ] && . /opt/nifi/scripts/common.sh
+
+# Establish baseline properties
+prop_replace 'nifi.web.http.port'  '8080'
+prop_replace 'nifi.web.http.host'  "${hostname}"
+prop_replace 'nifi.remote.input.host' "${hostname}"
+prop_replace 'nifi.remote.input.socket.port' '10000'
+prop_replace 'nifi.remote.input.secure' 'false'
+
+# Check if we are secured or unsecured
+case ${AUTH} in
+    tls)
+        echo 'Enabling Two-Way SSL user authentication'
+        . /opt/nifi/scripts/secure.sh
+        ;;
+esac
+
+# Continuously provide logs so that 'docker logs' can produce them
+tail -F ${NIFI_HOME}/logs/nifi-app.log &
+${NIFI_HOME}/bin/nifi.sh run &
+nifi_pid="$!"
+
+trap "echo Received trapped signal, beginning shutdown...;" KILL TERM HUP INT EXIT;
+
+echo NiFi running with PID ${nifi_pid}.
+wait ${nifi_pid}

nifi-docker/dockermaven/Dockerfile

@@ -17,7 +17,7 @@
 #
 
 FROM openjdk:8-jre
-LABEL maintainer "Apache NiFi <dev@nifi.apache.org>"
+LABEL maintainer="Apache NiFi <dev@nifi.apache.org>"
 
 ARG UID=1000
 ARG GID=1000

nifi-nar-bundles/nifi-update-attribute-bundle/nifi-update-attribute-ui/nb-configuration.xml

@@ -1,18 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<project-shared-configuration>
-    <!--
-This file contains additional configuration written by modules in the NetBeans IDE.
-The configuration is intended to be shared among all the users of project and
-therefore it is assumed to be part of version control checkout.
-Without this configuration present, some functionality in the IDE may be limited or fail altogether.
--->
-    <properties xmlns="http://www.netbeans.org/ns/maven-properties-data/1">
-        <!--
-Properties that influence various parts of the IDE, especially code formatting and the like. 
-You can copy and paste the single properties, into the pom.xml file and the IDE will pick them up.
-That way multiple projects can share the same settings (useful for formatting rules for example).
-Any value defined here will override the pom.xml file value but is only applicable to the current project.
--->
-        <org-netbeans-modules-maven-jaxws.rest_2e_config_2e_type>ide</org-netbeans-modules-maven-jaxws.rest_2e_config_2e_type>
-    </properties>
-</project-shared-configuration>