Ambari / AMBARI-25113

Nifi Registry Service Check - TLS Error


Details

    • Type: Bug
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 2.6.1
    • Fix Version/s: None
    • Component/s: stacks
    • Labels: None

    Description

      When Nifi Registry is configured with TLS, health checks fail:


      2019-01-18 15:55:07,125 - File['/var/lib/ambari-agent/cache/common-services/NIFI_REGISTRY/0.1.0/package/files/nifi-toolkit-1.5.0.3.1.1.0-35/bin/tls-toolkit.sh'] {'mode': 0755}
      2019-01-18 15:55:07,126 - File['/var/lib/ambari-agent/cache/common-services/NIFI_REGISTRY/0.1.0/package/files/nifi-toolkit-1.5.0.3.1.1.0-35/bin/encrypt-config.sh'] {'mode': 0755}
      2019-01-18 15:55:08,832 - Executing: ambari-sudo.sh JAVA_HOME=/usr/jdk64/jdk1.8 /var/lib/ambari-agent/cache/common-services/NIFI_REGISTRY/0.1.0/package/files/nifi-toolkit-1.5.0.3.1.1.0-35/bin/tls-toolkit.sh status -u https://server.example.com:12345 -ks /etc/pki/tls/private/abcd.jks -kst JKS -ksp *** -kp -ts /etc/pki/java/cacerts -tst JKS -tsp changeit
      2019-01-18 15:55:09,158 - Will retry 28 time(s), caught exception: Call to tls-toolkit encountered error: No keystore or truststore was provided
      usage: org.apache.nifi.toolkit.tls.TlsToolkitMain [-h] [-kp <arg>] [-ks <arg>] [-ksp <arg>] [-kst <arg>] [-p <arg>] [-ts <arg>] [-tsp <arg>] [-tst <arg>] [-u <arg>]
      Checks the status of an HTTPS endpoint by making a GET request using a supplied keystore and truststore.
      -h,--help Print help and exit.
      -kp,--keyPassword <arg> The key password of the key store being used
      -ks,--keyStore <arg> The key store to use
      -ksp,--keyStorePassword <arg> The password of the key store being used
      -kst,--keyStoreType <arg> The type of key store being used (PKCS12 or JKS) (default: JKS)
      -p,--protocol <arg> The protocol to use (default: TLS)
      -ts,--trustStore <arg> The trust store being used
      -tsp,--trustStorePassword <arg> The password of the trust store being used
      -tst,--trustStoreType <arg> The type of trust store being used (PKCS12 or JKS) (default: JKS)
      -u,--url <arg> The full url to connect to, for example: https://localhost:8443/v1/api
      Java home: /usr/jdk64/jdk1.8
      NiFi Toolkit home: /var/lib/ambari-agent/cache/common-services/NIFI_REGISTRY/0.1.0/package/files/nifi-toolkit-1.5.0.3.1.1.0-35
      2019/01/18 15:55:09 ERROR [main] org.apache.nifi.toolkit.tls.status.TlsToolkitGetStatusCommandLine: No keystore or truststore was provided
      org.apache.nifi.toolkit.tls.commandLine.CommandLineParseException: No keystore or truststore was provided
      at org.apache.nifi.toolkit.tls.commandLine.BaseCommandLine.printUsageAndThrow(BaseCommandLine.java:72)
      at org.apache.nifi.toolkit.tls.status.TlsToolkitGetStatusCommandLine.postParse(TlsToolkitGetStatusCommandLine.java:142)
      at org.apache.nifi.toolkit.tls.commandLine.BaseCommandLine.doParse(BaseCommandLine.java:91)
      at org.apache.nifi.toolkit.tls.commandLine.BaseCommandLine.parse(BaseCommandLine.java:109)
      at org.apache.nifi.toolkit.tls.status.TlsToolkitGetStatusCommandLine.main(TlsToolkitGetStatusCommandLine.java:72)
      at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
      at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
      at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
      at java.lang.reflect.Method.invoke(Method.java:498)
      at org.apache.nifi.toolkit.tls.TlsToolkitMain.doMain(TlsToolkitMain.java:109)
      at org.apache.nifi.toolkit.tls.TlsToolkitMain.main(TlsToolkitMain.java:55)

      When checking the health of a TLS-enabled Nifi Registry, only the trust store parameters are required. The following keystore-related parameters are not required:

      • -kp,--keyPassword <arg> The key password of the key store being used
      • -ks,--keyStore <arg> The key store to use
      • -ksp,--keyStorePassword <arg> The password of the key store being used
      • -kst,--keyStoreType <arg> The type of key store being used (PKCS12 or JKS) (default: JKS)

      The following patch allows the health check to operate as expected:


      --- /var/lib/ambari-server/resources/common-services/NIFI_REGISTRY/0.1.0/package/scripts/service_check.py.original 2019-01-18 15:46:41.867390249 -0500
      +++ /var/lib/ambari-server/resources/common-services/NIFI_REGISTRY/0.1.0/package/scripts/service_check.py 2019-01-18 16:03:43.750582415 -0500
      @@ -105,7 +105,7 @@
       truststoreType = nifi_registry_props['nifi.registry.security.truststoreType']
       truststorePasswd = nifi_registry_props['nifi.registry.security.truststorePasswd']
      - command = 'ambari-sudo.sh JAVA_HOME=' + jdk64_home + ' '+ tls_toolkit_script + ' status -u ' + url + ' -ks ' + keystore + ' -kst ' + keystoreType + ' -ksp ' + keystorePasswd + ' -kp ' + keyPasswd + ' -ts ' + truststore + ' -tst ' + truststoreType + ' -tsp ' + truststorePasswd
      + command = 'ambari-sudo.sh JAVA_HOME=' + jdk64_home + ' '+ tls_toolkit_script + ' status -u ' + url + ' -ts ' + truststore + ' -tst ' + truststoreType + ' -tsp ' + truststorePasswd
      # Only uncomment for debugging, otherwise the passwords will get logged
       #Logger.info("Executing: " + command)
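Review bot: the new `command` line still builds the toolkit invocation by string concatenation, so `url`, `truststore` and `truststorePasswd` reach the shell unquoted; a truststore password containing a space or a shell metacharacter would be split or reinterpreted before tls-toolkit parses it, and the logged invocation above (`-kp -ts ...`, where the empty key password leaves `-kp` with no value of its own) shows how one empty or split value shifts the whole argument list. Passing an argv list, or shell-quoting each value, avoids that. Also, `keystore`, `keystoreType`, `keystorePasswd` and `keyPasswd` were consumed only by the removed line and are now unused here; drop their lookups if nothing else in service_check.py reads them.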
      


      It may be worth noting that the JKS used by Nifi, Nifi Registry, etc. contains a JKS password, but not a key password.

      In any case, a keystore isn't required by this utility to do an http get/check https endpoint in any case I can see.

      This issue only manifests in cases where Nifi Registry has TLS/SSL enabled. If TLS/SSL is not enabled on the Nifi Registry, a different branch is used to check Nifi Registry's HTTP endpoint availability in:

      /var/lib/ambari-server/resources/common-services/NIFI_REGISTRY/0.1.0/package/scripts/service_check.py
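An added example (not the Ambari service_check.py code) showing the TLS branch of the health check built as an argv list rather than a concatenated shell string, passing only the three nifi.registry.security.truststore* properties the issue identifies as sufficient, and masking password values before anything is logged. The sample property values, the URL-scheme test for selecting the TLS branch, and the helper names are assumptions.

```python
import subprocess

# Truststore properties the issue identifies as the only ones the status
# check needs; no keystore or key-password flag is emitted at all.
TRUSTSTORE_KEYS = (
    "nifi.registry.security.truststore",
    "nifi.registry.security.truststoreType",
    "nifi.registry.security.truststorePasswd",
)
# Flags whose following value is a secret and must not reach the log.
SECRET_FLAGS = {"-tsp", "-ksp", "-kp"}
# Constructed sample values (assumption, not from a real deployment).
SAMPLE_PROPS = {
    "nifi.registry.security.truststore": "/etc/pki/java/cacerts",
    "nifi.registry.security.truststoreType": "JKS",
    "nifi.registry.security.truststorePasswd": "changeit",
}

def build_status_command(props, url, jdk_home, tls_toolkit_script):
    """Argv list for `tls-toolkit.sh status`, or None for a plain-http URL
    (assumption: the TLS branch is selected from the URL scheme).
    A list rather than a concatenated string means no value is parsed by a
    shell, so a password with spaces or metacharacters cannot be split."""
    if not url.lower().startswith("https://"):
        return None
    missing = [k for k in TRUSTSTORE_KEYS if not props.get(k)]
    if missing:
        raise ValueError("TLS enabled but missing: " + ", ".join(missing))
    return [
        "ambari-sudo.sh", "JAVA_HOME=" + jdk_home, tls_toolkit_script, "status",
        "-u", url,
        "-ts", props["nifi.registry.security.truststore"],
        "-tst", props["nifi.registry.security.truststoreType"],
        "-tsp", props["nifi.registry.security.truststorePasswd"],
    ]

def redact(argv):
    """Copy of argv with the value after every secret flag masked."""
    out, mask_next = [], False
    for arg in argv:
        out.append("***" if mask_next else arg)
        mask_next = arg in SECRET_FLAGS
    return out

def run_status_check(argv):
    """Run the toolkit without a shell; True on a zero exit code."""
    print("Executing: " + " ".join(redact(argv)))  # passwords masked
    return subprocess.call(argv) == 0
```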

      People

        Assignee: apappu@hortonworks.com amarnath reddy pappu
        Reporter: agrams Axton Grams