Cloudera Community

Support Questions

Find answers, ask questions, and share your expertise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Advanced Search
Announcements
Now Live: Explore expert insights and technical deep dives on the new Cloudera Community BlogsRead the Announcement
Solved Go to solution

How should I use the SSLContext controller in a multi-tenant cluster?

Labels:
avatar
author-rank david_miller
New Member

Created ‎05-29-2018 08:13 PM

The Background:

I have multitenant clusters. My organization has delivered me a combined truststore and keystore jks file.

I will have users who need to hit various external-to-nifi services using SSL/TLS. It is tempting to create an sslcontext controller service at nifi root and let all my users use this service when they need SSL. One problem with this approach that I see is that if I let all my users use the hosts' certs, (keystore and truststore) they could just use a GetHTTP processor and talk to the nifi rest api with full priveleges (or at least whatever privs the node has)

So to prevent this I figure that I should get my root CA certs into a separate truststore that is not password protected, and only use this.

The question:

Should I create an sslcontext service at the root flow with only a truststore, and ask my users to all use the same controller service? Or should I just notify my users of the path to the truststore and have them create controllers within their process groups as needed, what are the pros and cons of each approach?

1,964 Views
0 Kudos
1 ACCEPTED SOLUTION

avatar
author-rank alopresto author-rank
Guru

Created ‎06-02-2018 02:35 AM

David,

I would recommend you create an SSLContextService at root which only uses the truststore and ask your users to select that controller service when necessary. If they have requirements to connect to external services which require mutual authentication via TLS client certificates, you may have to create additional controller services with limited keystore access and provide those on a per-instance/user basis. If these are globally-accessible external services (aka not organizationally-signed), you could also provide a generic controller service which uses the Java CA truststore (something like $JAVA_HOME/jre/lib/security/cacerts with default password "changeit").

View solution in original post

1,861 Views
0 Kudos
1 REPLY 1

avatar
author-rank alopresto author-rank
Guru

Created ‎06-02-2018 02:35 AM

David,

I would recommend you create an SSLContextService at root which only uses the truststore and ask your users to select that controller service when necessary. If they have requirements to connect to external services which require mutual authentication via TLS client certificates, you may have to create additional controller services with limited keystore access and provide those on a per-instance/user basis. If these are globally-accessible external services (aka not organizationally-signed), you could also provide a generic controller service which uses the Java CA truststore (something like $JAVA_HOME/jre/lib/security/cacerts with default password "changeit").

1,862 Views
0 Kudos
Announcements
Community Announcements
Announcing the Launch of Cloudera Community Blogs
Community Announcements
October / November 2025 Community Highlights
What's New @ Cloudera
Announcing Cloudera Streaming Analytics - Kubernetes Operato...
What's New @ Cloudera
Announcing Cloudera Streams Messaging - Kubernetes Operator ...
Community Announcements
Welcome to the Cloudera Community!
View More Announcements