Skip to content

Add support for mTLS #382

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 3 commits into from
Mar 4, 2025
Merged

Add support for mTLS #382

merged 3 commits into from
Mar 4, 2025

Conversation

Chaffelson
Copy link
Owner

  • Added Python3.10 as it historically had urllib3 changes that caused issues.
  • Renamed the 'secure' test mode to 'secure-ldap' distinguish it from 'secure-mtls'.
  • Added 'secure-mtls' test mode with docker configuration and pytest setup.
  • Added including 'reporting tasks' to some controller functions as the management controllers fall into that group and the SSL Context controller required for secure registry falls into that category.
  • Changed the default_proxy_user in config.py to user1 instead of localhost to match the certs.
  • Added optional 'purpose' overide to security/set_service_ssl_context to handle certificates needing to be either CLIENT or SERVER auth. Should fix issue Cannot connect with TLS secured NiFi 2.x using nipyapi.security.set_service_ssl_context and Python 3.12 #370.
  • bootstrap_security_policies changed to read system_diagnostics and policies by default.
  • Added default registry policy setup for the nifi proxy user.
  • Added security.py function to create_ssl_context_controller_service which is required to create the registry client in an mTLS environment.
  • Updated utils/set_endpoint to handle correctly setting the SSL Context for mTLS when login is not requested, and not just LDAPS. This allows easy mTLS usage as shown in conftest.
  • Updated versioning/create_registry_client to accept an SSL Context Service to setup the secure registry connection under mTLS.
  • Locked latest for testing to be 1.28.1 for this branch of NiPyAPI as testing against 2.x is not a full test suite.
  • pytest now has an additional mode secure_mtls, which clones the secure_ldap setup. You can only use either mtls or ldap concurrently as they share network names in the certificates.

Tested all test modes using Docker Desktop on Windows10

@Chaffelson
Add support for mTLS.
f1c4408 
Added Python3.10 as it historically had urllib3 changes that caused issues.
renamed the 'secure' test mode to 'secure-ldap' distinguish it from 'secure-mtls'.
Added 'secure-mtls' test mode with docker configuration and pytest setup.
Added including 'reporting tasks' to some controller functions as the management controllers fall into that group and the SSL Context controller required for secure registry falls into that category.
Changed the default_proxy_user in config.py to user1 instead of localhost to match the certs.
Added optional 'purpose' overide to security/set_service_ssl_context to handle certificates needing to be either CLIENT or SERVER auth. Should fix issue #370.
bootstrap_security_policies changed to read system_diagnostics and policies by default. Added mtls handling. Added default registry policy setup for the nifi proxy user.
Added security.py function to create_ssl_context_controller_service which is required to create the registry client in an mTLS environment.
Updated utils/set_endpoint to handle correctly setting the SSL Context for mTLS when login is not requested, and not just LDAPS. This allows easy mTLS usage as shown in conftest.
updated versioning/create_registry_client to accept an SSL Context Service to setup the secure registry connection under mTLS.
Locked latest for testing to be 1.28.1 for this branch of NiPyAPI as testing against 2.x is not a full test suite.
pytest now has an additional mode secure_mtls, which clones the secure_ldap setup. You can only use either mtls or ldap concurrently as they share network names in the certificates.
@Chaffelson Chaffelson requested a review from ottobackwards March 3, 2025 14:35
@Chaffelson Chaffelson self-assigned this Mar 3, 2025
ottobackwards
ottobackwards reviewed Mar 3, 2025
View reviewed changes
Copy link
Collaborator

@ottobackwards ottobackwards left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

just a small question

ChrisSamo632
ChrisSamo632 reviewed Mar 3, 2025
View reviewed changes
ChrisSamo632
ChrisSamo632 approved these changes Mar 4, 2025
View reviewed changes
Copy link
Contributor

@ChrisSamo632 ChrisSamo632 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, thanks @Chaffelson 👍

@Chaffelson Chaffelson merged commit 18d3afd into main Mar 4, 2025
1 check passed
@Chaffelson Chaffelson deleted the mtls_support branch March 7, 2025 09:09
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ottobackwards ottobackwards ottobackwards approved these changes

@ChrisSamo632 ChrisSamo632 ChrisSamo632 approved these changes

Assignees

@Chaffelson Chaffelson

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@Chaffelson @ottobackwards @ChrisSamo632