From c832a2ed7c74a648c84853f3682505a271afdf6f Mon Sep 17 00:00:00 2001 From: Aldrin Piri Date: Tue, 28 Nov 2017 20:00:32 -0500 Subject: [PATCH] NIFI-4530: This closes #2329. Initial support for two-way SSL user authentication in the Docker image. Signed-off-by: joewitt --- nifi-docker/dockerhub/Dockerfile | 38 ++++---- nifi-docker/dockerhub/README.md | 91 +++++++++++++++++++ nifi-docker/dockerhub/sh/common.sh | 29 ++++++ nifi-docker/dockerhub/sh/secure.sh | 55 +++++++++++ nifi-docker/dockerhub/sh/start.sh | 43 +++++++++ nifi-docker/dockermaven/Dockerfile | 2 +- .../nb-configuration.xml | 18 ---- 7 files changed, 239 insertions(+), 37 deletions(-) create mode 100644 nifi-docker/dockerhub/README.md create mode 100755 nifi-docker/dockerhub/sh/common.sh create mode 100644 nifi-docker/dockerhub/sh/secure.sh create mode 100755 nifi-docker/dockerhub/sh/start.sh delete mode 100644 nifi-nar-bundles/nifi-update-attribute-bundle/nifi-update-attribute-ui/nb-configuration.xml diff --git a/nifi-docker/dockerhub/Dockerfile b/nifi-docker/dockerhub/Dockerfile index a4049e229e..23418c046a 100644 --- a/nifi-docker/dockerhub/Dockerfile +++ b/nifi-docker/dockerhub/Dockerfile @@ -17,7 +17,8 @@ # FROM openjdk:8-jre -LABEL maintainer "Apache NiFi " +LABEL maintainer="Apache NiFi " +LABEL site="https://nifi.apache.org" ARG UID=1000 ARG GID=1000 
@@ -25,29 +26,30 @@ ARG NIFI_VERSION=1.5.0 ARG MIRROR=https://archive.apache.org/dist ENV NIFI_BASE_DIR /opt/nifi -ENV NIFI_HOME=$NIFI_BASE_DIR/nifi-$NIFI_VERSION \ - NIFI_BINARY_URL=/nifi/$NIFI_VERSION/nifi-$NIFI_VERSION-bin.tar.gz +ENV NIFI_HOME=${NIFI_BASE_DIR}/nifi-${NIFI_VERSION} \ + NIFI_BINARY_URL=/nifi/${NIFI_VERSION}/nifi-${NIFI_VERSION}-bin.tar.gz + +ADD sh/ /opt/nifi/scripts/ # Setup NiFi user -RUN groupadd -g $GID nifi || groupmod -n nifi `getent group $GID | cut -d: -f1` \ - && useradd --shell /bin/bash -u $UID -g $GID -m nifi \ - && mkdir -p $NIFI_HOME/conf/templates \ - && chown -R nifi:nifi $NIFI_BASE_DIR +RUN groupadd -g ${GID} nifi || groupmod -n nifi `getent group ${GID} | cut -d: -f1` \ + && useradd --shell /bin/bash -u ${UID} -g ${GID} -m nifi \ + && mkdir -p ${NIFI_HOME}/conf/templates \ + && chown -R nifi:nifi ${NIFI_BASE_DIR} USER nifi # Download, validate, and expand Apache NiFi binary. -RUN curl -fSL $MIRROR/$NIFI_BINARY_URL -o $NIFI_BASE_DIR/nifi-$NIFI_VERSION-bin.tar.gz \ - && echo "$(curl https://archive.apache.org/dist/$NIFI_BINARY_URL.sha256) *$NIFI_BASE_DIR/nifi-$NIFI_VERSION-bin.tar.gz" | sha256sum -c - \ - && tar -xvzf $NIFI_BASE_DIR/nifi-$NIFI_VERSION-bin.tar.gz -C $NIFI_BASE_DIR \ - && rm $NIFI_BASE_DIR/nifi-$NIFI_VERSION-bin.tar.gz \ - && chown -R nifi:nifi $NIFI_HOME +RUN curl -fSL ${MIRROR}/${NIFI_BINARY_URL} -o ${NIFI_BASE_DIR}/nifi-${NIFI_VERSION}-bin.tar.gz \ + && echo "$(curl https://archive.apache.org/dist/${NIFI_BINARY_URL}.sha256) *${NIFI_BASE_DIR}/nifi-${NIFI_VERSION}-bin.tar.gz" | sha256sum -c - \ + && tar -xvzf ${NIFI_BASE_DIR}/nifi-${NIFI_VERSION}-bin.tar.gz -C ${NIFI_BASE_DIR} \ + && rm ${NIFI_BASE_DIR}/nifi-${NIFI_VERSION}-bin.tar.gz \ + && chown -R nifi:nifi ${NIFI_HOME} -# Web HTTP Port & Remote Site-to-Site Ports -EXPOSE 8080 8181 +# Web HTTP(s) & Socket Site-to-Site Ports +EXPOSE 8080 8443 10000 -WORKDIR $NIFI_HOME +WORKDIR ${NIFI_HOME} -# Startup NiFi -ENTRYPOINT ["bin/nifi.sh"] -CMD ["run"] +# Apply 
configuration and start NiFi +CMD ${NIFI_BASE_DIR}/scripts/start.sh diff --git a/nifi-docker/dockerhub/README.md b/nifi-docker/dockerhub/README.md new file mode 100644 index 0000000000..657bc6dd2e --- /dev/null +++ b/nifi-docker/dockerhub/README.md 
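Review bot: `CMD ${NIFI_BASE_DIR}/scripts/start.sh` is shell form, so PID 1 in the container is `/bin/sh -c` and the SIGTERM from `docker stop` is delivered to that shell rather than to start.sh; the signal trap start.sh installs never fires and NiFi is killed without a clean shutdown once the stop timeout expires. Because `ADD sh/ /opt/nifi/scripts/` hard-codes the destination anyway, the exec form can use the same literal path: `CMD ["/opt/nifi/scripts/start.sh"]`. `ADD` should be `COPY` for a local directory (hadolint DL3020). Placing that `COPY` after the `chown -R nifi:nifi ${NIFI_BASE_DIR}` step, or copying with root ownership, would also keep the startup scripts from being writable by the unprivileged `nifi` user the daemon runs as.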
@@ -0,0 +1,91 @@ + + +# Docker Image Quickstart + +## Capabilities +This image currently supports running in standalone mode either unsecured or with Two-Way SSL. + +More capabilities will continue to be added and made available from the + +## Building +The Docker image can be built using the following command: + + docker build -t apache/nifi:latest . + +This build will result in an image tagged apache/nifi:latest + + # user @ puter in ~/Development/code/apache/nifi/nifi-docker/dockerhub + $ docker images + REPOSITORY TAG IMAGE ID CREATED SIZE + apache/nifi latest f0f564eed149 A long, long time ago 1.62GB + +**Note**: The default version of NiFi specified by the Dockerfile is typically that of one that is unreleased if working from source. +To build an image for a prior released version, one can override the `NIFI_VERSION` build-arg with the following command: + + docker build --build-arg=NIFI_VERSION={Desired NiFi Version} -t apache/nifi:latest . + +There is, however, no guarantee that older versions will work as properties have changed and evolved with subsequent releases. +The configuration scripts are suitable for at least 1.4.0+. + +## Running a container + +### Standalone Instance, Unsecured +The minimum to run a NiFi instance is as follows: + + docker run --name nifi \ + -p 18080:8080 \ + -d \ + apache/nifi:latest + +This will provide a running instance, exposing the instance UI to the host system on at port 18080, +viewable at `http://localhost:18080/nifi`. + +### Standalone Instance, Two-Way SSL +In this configuration, the user will need to provide certificates and the associated configuration information. +Of particular note, is the `AUTH` environment variable which is set to `tls`. Additionally, the user must provide an +the DN as provided by an accessing client certificate in the `INITIAL_ADMIN_IDENTITY` environment variable. +This value will be used to seed the instance with an initial user with administrative privileges. 
+Finally, this command makes use of a volume to provide certificates on the host system to the container instance. + + docker run --name nifi \ + -v /User/dreynolds/certs/localhost:/opt/certs \ + -p 18443:8443 \ + -e AUTH=tls \ + -e KEYSTORE_PATH=/opt/certs/keystore.jks \ + -e KEYSTORE_TYPE=JKS \ + -e KEYSTORE_PASSWORD=QKZv1hSWAFQYZ+WU1jjF5ank+l4igeOfQRp+OSbkkrs \ + -e TRUSTSTORE_PATH=/opt/certs/truststore.jks \ + -e TRUSTSTORE_PASSWORD=rHkWR1gDNW3R9hgbeRsT3OM3Ue0zwGtQqcFKJD2EXWE \ + -e TRUSTSTORE_TYPE=JKS \ + -e INITIAL_ADMIN_IDENTITY='CN=Random User, O=Apache, OU=NiFi, C=US' \ + -d \ + apache/nifi:latest + + +## Configuration Information +The following ports are specified by the Docker container for NiFi operation within the container and +can be published to the host. + +| Function | Property | Port | +|--------------------------|-------------------------------|-------| +| HTTP Port | nifi.web.http.port | 8080 | +| HTTPS Port | nifi.web.https.port | 8443 | +| Remote Input Socket Port | nifi.remote.input.socket.port | 10000 | + + + + + \ No newline at end of file diff --git a/nifi-docker/dockerhub/sh/common.sh b/nifi-docker/dockerhub/sh/common.sh new file mode 100755 index 0000000000..5d252bc11c --- /dev/null +++ b/nifi-docker/dockerhub/sh/common.sh 
@@ -0,0 +1,29 @@
+#!/bin/sh -e
+
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# 1 - value to search for
+# 2 - value to replace
+# 3 - file to perform replacement inline
+prop_replace () {
+ target_file=${3:-${nifi_props_file}}
+ echo 'replacing target file ' ${target_file}
+ sed -i -e "s|^$1=.*$|$1=$2|" ${target_file}
+}
+
+# NIFI_HOME is defined by an ENV command in the backing Dockerfile
+export nifi_props_file=${NIFI_HOME}/conf/nifi.properties
+export hostname=$(hostname)
\ No newline at end of file
diff --git a/nifi-docker/dockerhub/sh/secure.sh b/nifi-docker/dockerhub/sh/secure.sh
new file mode 100644
index 0000000000..93e82670a2
--- /dev/null
+++ b/nifi-docker/dockerhub/sh/secure.sh
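Review bot: `prop_replace` splices `$2` straight into the sed replacement, so a value containing `&`, `\` or the `|` delimiter — the keystore and truststore passwords that secure.sh routes through here are the likely case — is either rewritten by sed (`&` expands to the matched text) or breaks the expression and aborts the caller under `-e`. Escaping the replacement first keeps arbitrary values literal, as sketched below. The key in `$1` is also used as an unanchored-on-the-right regex where `.` matches any character, which is harmless for the fixed literals callers pass but deserves a comment, and `${target_file}` is unquoted in both uses.
```shell
# 1 - value to search for
# 2 - value to replace
# 3 - file to perform replacement inline
prop_replace () {
    target_file=${3:-${nifi_props_file}}
    echo "replacing target file ${target_file}"
    # Escape sed replacement metacharacters (\, & and the | delimiter) so that
    # values such as passwords are written literally rather than interpreted.
    replacement=$(printf '%s' "$2" | sed -e 's/[\\&|]/\\&/g')
    sed -i -e "s|^$1=.*$|$1=${replacement}|" "${target_file}"
}
# … unchanged: exports of nifi_props_file and hostname …
```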
@@ -0,0 +1,55 @@
+#!/bin/sh -e
+
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+[ -f /opt/nifi/scripts/common.sh ] && . /opt/nifi/scripts/common.sh
+
+# Perform idempotent changes of configuration to support secure environments
+echo 'Configuring environment with SSL settings'
+
+: ${KEYSTORE_PATH:?"Must specify an absolute path to the keystore being used."}
+if [ ! -f "${KEYSTORE_PATH}" ]; then
+ echo "Keystore file specified (${KEYSTORE_PATH}) does not exist."
+ exit 1
+fi
+: ${KEYSTORE_TYPE:?"Must specify the type of keystore (JKS, PKCS12, PEM) of the keystore being used."}
+: ${KEYSTORE_PASSWORD:?"Must specify the password of the keystore being used."}
+
+: ${TRUSTSTORE_PATH:?"Must specify an absolute path to the truststore being used."}
+if [ ! -f "${TRUSTSTORE_PATH}" ]; then
+ echo "Keystore file specified (${TRUSTSTORE_PATH}) does not exist."
+ exit 1
+fi
+: ${TRUSTSTORE_TYPE:?"Need to set DEST non-empty"}
+: ${TRUSTSTORE_PASSWORD:?"Need to set DEST non-empty"}
+
+prop_replace 'nifi.security.keystore' "${KEYSTORE_PATH}"
+prop_replace 'nifi.security.keystoreType' "${KEYSTORE_TYPE}"
+prop_replace 'nifi.security.keystorePasswd' "${KEYSTORE_PASSWORD}"
+prop_replace 'nifi.security.truststore' "${TRUSTSTORE_PATH}"
+prop_replace 'nifi.security.truststoreType' "${TRUSTSTORE_TYPE}"
+prop_replace 'nifi.security.truststorePasswd' "${TRUSTSTORE_PASSWORD}"
+
+# Disable HTTP and enable HTTPS
+prop_replace 'nifi.web.http.port' ''
+prop_replace 'nifi.web.http.host' ''
+prop_replace 'nifi.web.https.port' '8443'
+prop_replace 'nifi.web.https.host' "${hostname}"
+prop_replace 'nifi.remote.input.secure' 'true'
+
+# Establish initial user and an associated admin identity
+sed -i -e 's||'"${INITIAL_ADMIN_IDENTITY}"'|' ${NIFI_HOME}/conf/authorizers.xml
+sed -i -e 's||'"${INITIAL_ADMIN_IDENTITY}"'|' ${NIFI_HOME}/conf/authorizers.xml
diff --git a/nifi-docker/dockerhub/sh/start.sh b/nifi-docker/dockerhub/sh/start.sh
new file mode 100755
index 0000000000..178f30e4a6
--- /dev/null
+++ b/nifi-docker/dockerhub/sh/start.sh
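Review bot: `INITIAL_ADMIN_IDENTITY` is never validated, unlike the six keystore/truststore variables above it, so with `AUTH=tls` and the variable unset the two closing `sed` calls write an empty Initial Admin Identity into authorizers.xml and the instance starts with no usable administrator; add `: ${INITIAL_ADMIN_IDENTITY:?"Must specify the DN of the initial admin identity."}` before the `prop_replace` block. The value is also spliced into the sed expression and into XML unescaped, so a DN containing `|`, `&` or `\` corrupts the expression or the document instead of failing loudly (the XML pattern between the `s||` delimiters appears stripped in this rendering, so the exact substitution is inferred). Separately, the truststore branch reuses keystore wording: the missing-file message should read `Truststore file specified (${TRUSTSTORE_PATH}) does not exist.` and the two `"Need to set DEST non-empty"` messages for `TRUSTSTORE_TYPE` and `TRUSTSTORE_PASSWORD` look copy-pasted and should mirror the keystore messages. The keystore and truststore passwords arrive as plain environment variables, which `docker inspect` prints and every process in the container can read; the README should at least note that.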
@@ -0,0 +1,43 @@
+#!/bin/sh -e
+
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+[ -f /opt/nifi/scripts/common.sh ] && . /opt/nifi/scripts/common.sh
+
+# Establish baseline properties
+prop_replace 'nifi.web.http.port' '8080'
+prop_replace 'nifi.web.http.host' "${hostname}"
+prop_replace 'nifi.remote.input.host' "${hostname}"
+prop_replace 'nifi.remote.input.socket.port' '10000'
+prop_replace 'nifi.remote.input.secure' 'false'
+
+# Check if we are secured or unsecured
+case ${AUTH} in
+ tls)
+ echo 'Enabling Two-Way SSL user authentication'
+ . /opt/nifi/scripts/secure.sh
+ ;;
+esac
+
+# Continuously provide logs so that 'docker logs' can produce them
+tail -F ${NIFI_HOME}/logs/nifi-app.log &
+${NIFI_HOME}/bin/nifi.sh run &
+nifi_pid="$!"
+
+trap "echo Received trapped signal, beginning shutdown...;" KILL TERM HUP INT EXIT;
+
+echo NiFi running with PID ${nifi_pid}.
+wait ${nifi_pid}
diff --git a/nifi-docker/dockermaven/Dockerfile b/nifi-docker/dockermaven/Dockerfile
index daecdd976f..62dd03c2fc 100644
--- a/nifi-docker/dockermaven/Dockerfile
+++ b/nifi-docker/dockermaven/Dockerfile
@@ -17,7 +17,7 @@ # FROM openjdk:8-jre -LABEL maintainer "Apache NiFi " +LABEL maintainer="Apache NiFi " ARG UID=1000 ARG GID=1000
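Review bot: The `trap` near the end only echoes a message, so when a stop signal arrives the script falls through `wait` and exits while NiFi is still running, and NiFi is then killed without a clean shutdown of its repositories; the handler should ask NiFi to stop and wait for it, as sketched below. `KILL` cannot be caught and listing it is at best ignored, and `EXIT` in the same list makes the "Received trapped signal" message print on every normal exit as well. With the shell-form `CMD` in the Dockerfile the signal from `docker stop` never reaches this script in the first place, so this fix only helps together with an exec-form `CMD`. The backgrounded `tail -F` is never reaped either, which is harmless only because the script exits right after `wait`.
```shell
# … unchanged: property setup, AUTH case, tail/nifi.sh launch …
nifi_pid="$!"

# Forward the container's stop signal to NiFi so it shuts down cleanly;
# KILL cannot be trapped and EXIT would also fire on a normal exit.
shutdown_nifi () {
    echo 'Received trapped signal, beginning shutdown...'
    ${NIFI_HOME}/bin/nifi.sh stop
    wait ${nifi_pid}
}
trap shutdown_nifi TERM HUP INT

echo NiFi running with PID ${nifi_pid}.
wait ${nifi_pid}
```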
diff --git a/nifi-nar-bundles/nifi-update-attribute-bundle/nifi-update-attribute-ui/nb-configuration.xml b/nifi-nar-bundles/nifi-update-attribute-bundle/nifi-update-attribute-ui/nb-configuration.xml deleted file mode 100644 index 4da1f6c9b1..0000000000 --- a/nifi-nar-bundles/nifi-update-attribute-bundle/nifi-update-attribute-ui/nb-configuration.xml +++ /dev/null @@ -1,18 +0,0 @@ - - - - - - ide - -