Details
- Type: Improvement
- Status: Open
- Priority: Major
- Resolution: Unresolved
- Affects Version/s: 0.6.1
- Fix Version/s: None
Description
Some users and organizations would like to present different certificates to identify the same NiFi instance when it acts in different roles (for example, one certificate to identify the server for API / UI interaction, and another to identify it in cluster communications and/or site-to-site communications). A preliminary list of roles is:
- API / UI host
- remote authorization / authentication repositories (communicating with Ranger, LDAP, KDC, etc.)
- cluster (node/NCM/ZooKeeper)
- site-to-site
- client when connecting to remote services during data flow (InvokeHTTP, PutSQL, etc.)
This should be implemented in a manner that does not break the default operation (i.e. a single keystore holding one certificate) but allows the certificate to be overridden easily for one or more of the roles listed above.
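One way the "default keystore plus per-role override" rule could be resolved from nifi.properties, as an added example that is not NiFi's code. The unscoped keys (nifi.security.keystore, keystoreType, keystorePasswd, keyPasswd) are real NiFi properties; the role-scoped keys nifi.security.<role>.<field> are an assumed naming scheme for the feature this issue proposes, and the sample properties text is constructed. Two checks a practitioner would want are included: a role that overrides the keystore path must also supply its own type and password (the default store's password is never silently reused for a different file), and role-scoped fields without a keystore path are rejected as a partial override.

```python
"""Per-role TLS identity resolution for a NiFi-style nifi.properties.

Added example, not NiFi's own code. Role-scoped override keys
(nifi.security.<role>.<field>) are an ASSUMED naming scheme.
A blank keyPasswd falls back to the same scope's keystorePasswd,
mirroring NiFi's convention for the default keystore.
"""
from dataclasses import dataclass

ROLES = ("api", "authz", "cluster", "site-to-site", "client")
FIELDS = ("keystore", "keystoreType", "keystorePasswd", "keyPasswd")
PREFIX = "nifi.security."

# Constructed sample: one default identity, a complete site-to-site
# override, and a deliberately incomplete cluster override.
SAMPLE_PROPERTIES = """\
nifi.security.keystore=./conf/keystore.p12
nifi.security.keystoreType=PKCS12
nifi.security.keystorePasswd=defaultStorePass
nifi.security.keyPasswd=
nifi.security.truststore=./conf/truststore.p12
nifi.security.truststoreType=PKCS12
nifi.security.truststorePasswd=trustPass
# role-scoped overrides (assumed naming scheme)
nifi.security.site-to-site.keystore=./conf/s2s-keystore.jks
nifi.security.site-to-site.keystoreType=JKS
nifi.security.site-to-site.keystorePasswd=s2sStorePass
nifi.security.site-to-site.keyPasswd=s2sKeyPass
nifi.security.cluster.keystore=./conf/cluster-keystore.p12
"""


@dataclass(frozen=True)
class KeystoreConfig:
    role: str
    path: str
    store_type: str
    store_password: str
    key_password: str
    overridden: bool  # True when a role-scoped keystore was used


def parse_properties(text: str) -> dict:
    """Minimal key=value parser; '#' and '!' start comment lines."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def resolve_keystore(props: dict, role: str) -> KeystoreConfig:
    """Pick the keystore that identifies this node in the given role."""
    if role not in ROLES:
        raise ValueError(f"unknown role {role!r}")
    scoped = {f: props.get(f"{PREFIX}{role}.{f}", "") for f in FIELDS}
    if any(scoped.values()):
        if not scoped["keystore"]:
            raise ValueError(f"{role}: TLS fields set without a keystore path")
        missing = [f for f in ("keystoreType", "keystorePasswd") if not scoped[f]]
        if missing:
            raise ValueError(f"{role}: keystore overridden but {missing} not set")
        src, overridden = scoped, True
    else:
        # No override: today's behaviour, the single default keystore.
        src = {f: props.get(PREFIX + f, "") for f in FIELDS}
        if not src["keystore"]:
            raise ValueError("no default keystore configured")
        overridden = False
    return KeystoreConfig(
        role=role,
        path=src["keystore"],
        store_type=src["keystoreType"],
        store_password=src["keystorePasswd"],
        key_password=src["keyPasswd"] or src["keystorePasswd"],
        overridden=overridden,
    )


def resolve_all(props: dict):
    """Resolve every role, collecting errors instead of stopping at the first."""
    configs, errors = {}, []
    for role in ROLES:
        try:
            configs[role] = resolve_keystore(props, role)
        except ValueError as exc:
            errors.append(str(exc))
    return configs, errors


SAMPLE_PROPS = parse_properties(SAMPLE_PROPERTIES)

if __name__ == "__main__":
    configs, errors = resolve_all(SAMPLE_PROPS)
    for cfg in configs.values():
        print(f"{cfg.role:13} {cfg.path:28} {cfg.store_type:6} override={cfg.overridden}")
    for err in errors:
        print("ERROR:", err)
```

Run against the sample, api/authz/client fall back to the default PKCS12 store (with the blank keyPasswd resolving to the store password), site-to-site gets its own JKS identity, and the cluster block is reported as an error because it names a keystore file but no password for it.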
Attachments
Issue Links
- depends upon: NIFI-1478 Audit SSLContextFactory and SSLSocketFactory usage throughout application (Resolved)
- is contained by: NIFI-5458 Improve NiFi TLS and certificate management (Resolved)
- is depended upon by: NIFI-5586 Add capability to generate ECDSA keys to TLS Toolkit (Resolved)
- is related to: NIFI-1990 Implement consistent security controls for cluster, site-to-site, and API communications (Open)
- is related to: NIFI-1981 Cluster communication requires client certificates even if needClientAuth set to false (Resolved)
- relates to: NIFI-3890 Create Key Management Controller Service (Resolved)